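---
# Play for the host "stamina": a small Debian bookworm VM host (libvirt +
# vmadm) with a br0 bridge over eth0, the "liw" user's working clones, and
# the SSH CA material vmadm needs to mint guest host certificates.
#
# Secrets (the vmadm CA private key, the mail relay password) are pulled
# from the controller's password store at run time via the `pipe` lookup;
# nothing secret is stored in this file.
- hosts: stamina
  remote_user: root
  roles:
    - sane_debian_system
    - sshd
    - ssd
    - comfortable-debian-system
    - self-updating-system
    - vmhost-minimal
    - unix_users
    - mail-client

  tasks:
    - name: "install VM host tooling"
      apt:
        name:
          - jq
          - vmadm
          - python3-lxml
          - systemd-timesyncd
          - ifupdown
          - bridge-utils
          - moreutils
          - genisoimage

    # systemd-timesyncd (installed above) is the time source on this host.
    - name: "remove ntp"
      apt:
        name: ntp
        state: absent
        purge: true

    # Interfaces are managed with ifupdown (below), not systemd-networkd.
    - name: "remove systemd-networkd external.network"
      file:
        path: /etc/systemd/network/external.network
        state: absent

    - name: "configure loopback interface"
      copy:
        content: |
          auto lo
          iface lo inet loopback
        dest: /etc/network/interfaces.d/lo

    # eth0 carries no address of its own; br0 (the bridge guests attach to)
    # gets the host's address via DHCP.
    - name: "configure br0 bridge over eth0"
      copy:
        content: |
          auto eth0
          iface eth0 inet manual

          #set up bridge and give it a static ip
          auto br0
          iface br0 inet dhcp
              bridge_ports eth0
              bridge_stp off
              bridge_fd 0
              bridge_maxwait 0
        dest: /etc/network/interfaces.d/br0

    # Octal modes are quoted throughout so the YAML parser never turns them
    # into decimal integers.
    - name: "set permission of /mnt/vms"
      file:
        path: /mnt/vms
        owner: root
        group: libvirt
        mode: "0775"

    # The two clones are thrown away and re-fetched on every run.
    - name: "remove git reps from ~liw"
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /home/liw/ansibleness
        - /home/liw/liw-dot-files

    # NOTE(review): git:// is neither authenticated nor encrypted, and the
    # "configure liw dot files" task below executes a script from this
    # clone. An ssh:// or https:// remote would let the client verify the
    # server — switch if git.liw.fi offers one.
    - name: "clone ansibleness to ~liw"
      git:
        repo: git://git.liw.fi/ansibleness
        dest: /home/liw/ansibleness

    - name: "clone liw-dot-files to ~liw"
      git:
        repo: git://git.liw.fi/liw-dot-files
        dest: /home/liw/liw-dot-files

    # The clones above were made as root; hand them to liw. Using the file
    # module instead of `chown -R` reports "changed" only when something
    # actually changed.
    - name: "set ownership of everything in ~liw/ansibleness and liw-dot-files"
      file:
        path: "{{ item }}"
        state: directory
        recurse: true
        owner: liw
        group: liw
      with_items:
        - /home/liw/ansibleness
        - /home/liw/liw-dot-files

    # Runs as liw via a login shell so the relative paths resolve in ~liw.
    - name: "configure liw dot files"
      shell: |
        sudo -u liw -i bash -c "pwd && ./liw-dot-files/make-symlinks"
        sudo -u liw -i bash -c "ln -nsf liw-dot-files/gitconfig-exolobe1 .gitconfig"

    - name: "remove vmadm config"
      file:
        state: absent
        path: /home/liw/.config/vmadm/config.yaml

    # Paths inside the vmadm config are relative to liw's home and refer to
    # the key files installed further down.
    - name: "install vmadm config"
      copy:
        content: |
          image_directory: /mnt/vms
          default_autostart: true
          default_base_image: ~/base-images/bookworm-vm.qcow2
          default_cpus: 4
          default_generate_host_certificate: true
          default_image_gib: 100
          default_memory_mib: 8192
          default_networks:
            - bridge=br0
          authorized_keys:
            - ~/.ssh/id_personal.pub
          ca_key: ~/.ssh/vmadm
          user_ca_pubkey: ~/.ssh/userca.pub
        dest: /home/liw/.config/vmadm/config.yaml
        owner: liw
        group: liw
        mode: "0644"

    - name: "create ~liw/base-images"
      file:
        state: directory
        path: /home/liw/base-images
        owner: liw
        group: liw
        mode: "0755"

    - name: "create ~liw/vm"
      file:
        state: directory
        path: /home/liw/vm
        owner: liw
        group: liw
        mode: "0755"

    # 0755 is accepted by sshd's StrictModes (not group/world writable);
    # 0700 would be the more conservative choice.
    - name: "create ~liw/.ssh"
      file:
        state: directory
        path: /home/liw/.ssh
        owner: liw
        group: liw
        mode: "0755"

    - name: install SSH public key for liw
      copy:
        content: "{{ liw_personal_ssh_pub }}"
        dest: /home/liw/.ssh/id_personal.pub
        owner: liw
        group: liw
        mode: "0644"

    # This is the CA *private* key used to sign guest host certificates.
    # no_log keeps its contents out of verbose and --diff output.
    - name: "install SSH CA key"
      copy:
        content: "{{ lookup('pipe', 'pass show sshca/vmadm-v1') }}"
        dest: /home/liw/.ssh/vmadm
        owner: liw
        group: liw
        mode: "0600"
      no_log: true

    # The pipe lookup drops the trailing newline; OpenSSH wants one.
    # changed_when makes this task idempotent instead of always "changed".
    - name: "ensure SSH CA key file ends in a newline"
      shell: |
        if [ "$(tail -n1 /home/liw/.ssh/vmadm | wc -l)" = 0 ]
        then
          echo >> /home/liw/.ssh/vmadm
          echo fixed
        fi
      register: vmadm_ca_key_newline
      changed_when: "'fixed' in vmadm_ca_key_newline.stdout"

    - name: "install SSH user CA key"
      copy:
        content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
        dest: /home/liw/.ssh/userca.pub
        owner: liw
        group: liw
        mode: "0644"

    - name: "ensure SSH user CA key file ends in a newline"
      shell: |
        if [ "$(tail -n1 /home/liw/.ssh/userca.pub | wc -l)" = 0 ]
        then
          echo >> /home/liw/.ssh/userca.pub
          echo fixed
        fi
      register: user_ca_key_newline
      changed_when: "'fixed' in user_ca_key_newline.stdout"

    - name: "enable libvirt 'default' network"
      virt_net:
        name: default
        autostart: true
        state: active

  vars:
    ansible_python_interpreter: /usr/bin/python3

    # sane_debian_system role
    sane_debian_system_version: 2
    sane_debian_system_hostname: "{{ inventory_hostname}}"
    sane_debian_system_codename: bookworm
    sane_debian_system_sources_lists:
      - repo: |
          deb http://deb.debian.org/debian bookworm contrib non-free
      - repo: |
          deb http://security.debian.org/debian-security bookworm-security main contrib non-free
      # Third-party repo: pinned to an explicit signing key rather than
      # whatever apt trusts by default.
      - repo: deb http://apt.liw.fi/debian unstable main
        signing_key: "{{ apt_liw_fi_signing_key }}"

    # unix_users role
    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        sudo: true
        groups:
          - libvirt
          - kvm
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
      - username: root
        authorized_keys: |
          {{ liw_personal_ssh_pub }}

    # mail-client role. The relay password comes from the password store at
    # run time; quoted host:port so it is never read as a number.
    mailname: "{{ sane_debian_system_hostname }}.liw.fi"
    relayhost: "pieni.net:587"
    smarthost: pieni.net
    smarthost_user: pienirelay
    smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"

    # sshd role
    sshd_version: 1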