Diffstat (limited to 'ansible/stamina.yml')
-rw-r--r--ansible/stamina.yml91
1 files changed, 52 insertions, 39 deletions
diff --git a/ansible/stamina.yml b/ansible/stamina.yml
index f2c0a30..713bef1 100644
--- a/ansible/stamina.yml
+++ b/ansible/stamina.yml
@@ -8,7 +8,7 @@
- self-updating-system
- vmhost-minimal
- unix_users
- - smarthost-client
+ - mail-client
tasks:
- apt:
name:
@@ -19,6 +19,7 @@
- ifupdown
- bridge-utils
- moreutils
+ - genisoimage
- apt:
name: ntp
state: absent
@@ -50,6 +51,13 @@
owner: root
group: libvirt
mode: 0775
+ - name: "remove git reps from ~liw"
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /home/liw/ansibleness
+ - /home/liw/liw-dot-files
- name: "clone ansibleness to ~liw"
git:
repo: git://git.liw.fi/ansibleness
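Review bot: The added "remove git reps from ~liw" task deletes both checkouts on every run, so every run re-clones from `git://git.liw.fi/...`, which is an unauthenticated plaintext transport, and nothing visible pins a revision. A later task in this play executes `./liw-dot-files/make-symlinks` from that fresh clone as liw, so whatever the network delivers is run. Consider cloning over an authenticated transport and pinning with the git module's `version:` parameter, e.g. `version: "<PINNED_COMMIT_PLACEHOLDER>"`. If the forced re-clone is deliberate, a comment above the task such as `# forced re-clone: the later chown leaves the tree in a state the git module cannot update` (or whatever the real reason is) would help. The clone task's remaining arguments lie outside this hunk.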
@@ -59,16 +67,36 @@
repo: git://git.liw.fi/liw-dot-files
dest: /home/liw/liw-dot-files
- name: "set ownership of everything in ~liw/ansibleness and liw-dot-files"
- args:
- warn: false
shell: |
chown -R liw:liw /home/liw/ansibleness /home/liw/liw-dot-files
- name: "configure liw dot files"
- args:
- warn: false
shell: |
sudo -u liw -i bash -c "pwd && ./liw-dot-files/make-symlinks"
sudo -u liw -i bash -c "ln -nsf liw-dot-files/gitconfig-exolobe1 .gitconfig"
+ - name: "remove vmadm config"
+ file:
+ state: absent
+ path: /home/liw/.config/vmadm/config.yaml
+ - name: "install vmadm config"
+ copy:
+ content: |
+ image_directory: /mnt/vms
+ default_autostart: true
+ default_base_image: ~/base-images/bookworm-vm.qcow2
+ default_cpus: 4
+ default_generate_host_certificate: true
+ default_image_gib: 100
+ default_memory_mib: 8192
+ default_networks:
+ - bridge=br0
+ authorized_keys:
+ - ~/.ssh/id_personal.pub
+ ca_key: ~/.ssh/vmadm
+ user_ca_pubkey: ~/.ssh/userca.pub
+ dest: /home/liw/.config/vmadm/config.yaml
+ owner: liw
+ group: liw
+ mode: 0644
- name: "create ~liw/base-images"
file:
state: directory
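Review bot: No visible task creates `/home/liw/.config/vmadm` before the new "install vmadm config" copy writes `config.yaml` into it, and the copy module does not create a missing parent directory, so on a freshly installed host this task would fail. The only task that created the directory is the commented-out one this commit deletes further down; unless it exists elsewhere in the file, a `file` task with `state: directory` should precede the copy. The preceding "remove vmadm config" task also looks unnecessary, since copy overwrites the file, and it makes every run report a change.

```yaml
# … unchanged: "remove vmadm config" task …
- name: "create ~liw/.config/vmadm"
  file:
    state: directory
    path: /home/liw/.config/vmadm
    owner: liw
    group: liw
    mode: "0755"
- name: "install vmadm config"
  # … unchanged: copy arguments …
```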
@@ -83,18 +111,6 @@
owner: liw
group: liw
mode: 0755
- # - name: "fetch cloud images"
- # get_url:
- # url: "{{ item.url }}"
- # dest: "/home/liw/base-images/{{ item.file }}"
- # owner: liw
- # group: liw
- # mode: 0644
- # with_items:
- # - url: https://cloud.debian.org/images/cloud/bullseye/latest/debian-11-generic-amd64.qcow2
- # file: bullseye.qcow2
- # - url: https://cloud.debian.org/images/cloud/OpenStack/current-10/debian-10-openstack-amd64.qcow2
- # file: buster.qcow2
- name: "create ~liw/.ssh"
file:
state: directory
@@ -122,20 +138,19 @@
then
echo >> /home/liw/.ssh/vmadm
fi
- # - name: "create ~liw/.config/vmadm"
- # file:
- # state: directory
- # path: /home/liw/.config/vmadm
- # owner: liw
- # group: liw
- # mode: 0755
- # - name: "configure vmadm"
- # copy:
- # src: vmadm.yaml
- # dest: /home/liw/.config/vmadm/config.yaml
- # owner: liw
- # group: liw
- # mode: 0644
+ - name: "install SSH user CA key"
+ copy:
+ content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
+ dest: /home/liw/.ssh/userca.pub
+ owner: liw
+ group: liw
+ mode: 0644
+ - name: "ensure SSH user CA key file ends in a newline"
+ shell: |
+ if [ "$(tail -n1 /home/liw/.ssh/userca.pub | wc -l)" = 0 ]
+ then
+ echo >> /home/liw/.ssh/userca.pub
+ fi
- name: "enable libvirt 'default' network"
virt_net:
name: default
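Review bot: The "ensure SSH user CA key file ends in a newline" shell task has no `changed_when`, so it reports a change on every run, and it appears to exist only because the pipe lookup drops the trailing newline. Appending the newline in the copy itself, `content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}\n"`, would make the shell task unnecessary and keep the file idempotent. This file is what the new vmadm config names as `user_ca_pubkey`, so a comment above the copy such as `# trust anchor for SSH user certificates; generated on the controller by sshca` would make its role clear.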
@@ -146,16 +161,16 @@
sane_debian_system_version: 2
sane_debian_system_hostname: "{{ inventory_hostname}}"
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
sane_debian_system_sources_lists:
- repo: |
- deb http://security.debian.org/debian-security buster/updates main contrib non-free
+ deb http://deb.debian.org/debian bookworm contrib non-free
- repo: |
- deb http://deb.debian.org/debian buster contrib non-free
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
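Review bot: The bookworm entries keep `contrib non-free` but omit `non-free-firmware`, the component into which Debian 12 moved firmware and CPU microcode packages. On a physical VM host this can mean microcode updates stop arriving after the upgrade. If this host needs them, the first entry would read `deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware`, with the same addition on the `bookworm-security` line. The first entry also lists no `main`, presumably because the role adds it; a one-line comment saying so would avoid confusion.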
@@ -164,6 +179,7 @@
sudo: yes
groups:
- libvirt
+ - kvm
authorized_keys: |
{{ liw_personal_ssh_pub }}
- username: root
@@ -177,6 +193,3 @@
smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key stamina') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 stamina') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"