From: Tom Hughes
Date: Sun, 16 Feb 2020 17:56:27 +0000 (+0000)
Subject: Use systemd-resolved stub resolver for nginx resolver
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/1fb771a75fb2aa2932b5afce2b424e3f86791bc2?hp=0c9f5bd5159b093b68e518b2fa0830fe60222b66

Use systemd-resolved stub resolver for nginx resolver

This ensures that nginx queries follow the same path as everything else and are subject to DNSSEC validation as well as allowing us to simplify the tests that use nginx.
---
diff --git a/.kitchen.yml b/.kitchen.yml
index e9350cc01..f46a4d1f8 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -123,10 +123,6 @@ suites: - name: nginx run_list: - recipe[nginx::default] - attributes: - networking: - nameservers: - - 127.0.0.1 - name: nodejs run_list: - recipe[nodejs::default]
@@ -175,10 +171,6 @@ suites: - name: tilecache run_list: - recipe[tilecache::default] - attributes: - networking: - nameservers: - - 127.0.0.1 - name: tools run_list: - recipe[tools::default]
diff --git a/cookbooks/nginx/recipes/default.rb b/cookbooks/nginx/recipes/default.rb
index 94754546c..a55dc14be 100644
--- a/cookbooks/nginx/recipes/default.rb
+++ b/cookbooks/nginx/recipes/default.rb
@@ -22,16 +22,11 @@ include_recipe "munin"
package "nginx"
-resolvers = node[:networking][:nameservers].map do |resolver|
- IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
-end
-
template "/etc/nginx/nginx.conf" do
source "nginx.conf.erb"
owner "root"
group "root"
mode 0o644
- variables :resolvers => resolvers
end
directory node[:nginx][:cache][:fastcgi][:directory] do
diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb
index a3f6b2411..5e09d846b 100644
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -47,7 +47,7 @@ http {
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
- resolver <%= @resolvers.join(" ") %>;
+ resolver 127.0.0.53;
resolver_timeout 5s;
<% if node['nginx']['cache']['fastcgi']['enable'] -%>
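Review bot: The added `resolver 127.0.0.53;` line hard-codes the systemd-resolved stub listener with no comment, and nothing visible in this patch ensures that listener is present and validating on every node that renders the template. nginx does not check DNSSEC itself, so the validation the commit message relies on exists only where resolved is configured with `DNSSEC=yes` (or `allow-downgrade`) and `DNSStubListener` has not been disabled; that configuration is presumably managed by another cookbook and is worth confirming. I would add a comment above the line such as `# systemd-resolved stub listener; DNSSEC validation depends on resolved's DNSSEC= setting`. The enclosing `http {` block starts and ends outside the hunk.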