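# Play for host "stamina": a Debian VM host (libvirt + vmadm) configured as root.
# Booleans are written as true/false and file modes are quoted so that no YAML
# loader can reinterpret them; everything else is the original content.
- hosts: stamina
  remote_user: root
  roles:
    - sane_debian_system
    - sshd
    - ssd
    - comfortable-debian-system
    - self-updating-system
    - vmhost-minimal
    - unix_users
    - mail-client
  tasks:
    - name: "install VM host packages"
      apt:
        name:
          - jq
          - vmadm
          - python3-lxml
          - systemd-timesyncd
          - ifupdown
          - bridge-utils
          - moreutils
          - genisoimage
    # systemd-timesyncd is installed above; ntp is removed and purged so its
    # configuration does not linger.
    - name: "remove ntp"
      apt:
        name: ntp
        state: absent
        purge: true
    # Networking is handled by ifupdown below, so the networkd unit goes away.
    - name: "remove systemd-networkd external network"
      file:
        path: /etc/systemd/network/external.network
        state: absent
    - name: "configure loopback interface"
      copy:
        content: |
          auto lo
          iface lo inet loopback
        dest: /etc/network/interfaces.d/lo
    # eth0 is enslaved to bridge br0; guests attach to br0 (see vmadm config).
    - name: "configure bridge br0 on eth0"
      copy:
        content: |
          auto eth0
          iface eth0 inet manual
          #set up bridge and give it a static ip
          auto br0
          iface br0 inet dhcp
          bridge_ports eth0
          bridge_stp off
          bridge_fd 0
          bridge_maxwait 0
        dest: /etc/network/interfaces.d/br0
    # Group-writable for libvirt so VM images can be managed without root.
    - name: "set permission of /mnt/vms"
      file:
        path: /mnt/vms
        owner: root
        group: libvirt
        mode: "0775"
    # Old checkouts are removed before cloning, so each run starts clean.
    - name: "remove git reps from ~liw"
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /home/liw/ansibleness
        - /home/liw/liw-dot-files
    # NOTE(review): git:// provides neither transport encryption nor server
    # authentication, and make-symlinks from this checkout is executed below;
    # prefer https:// or ssh:// if git.liw.fi serves the repositories that way.
    - name: "clone ansibleness to ~liw"
      git:
        repo: git://git.liw.fi/ansibleness
        dest: /home/liw/ansibleness
    - name: "clone liw-dot-files to ~liw"
      git:
        repo: git://git.liw.fi/liw-dot-files
        dest: /home/liw/liw-dot-files
    # The clones ran as root, so ownership is handed to liw afterwards.
    - name: "set ownership of everything in ~liw/ansibleness and liw-dot-files"
      shell: |
        chown -R liw:liw /home/liw/ansibleness /home/liw/liw-dot-files
    # Runs the dot-files installer as liw in a login shell (cwd = ~liw).
    - name: "configure liw dot files"
      shell: |
        sudo -u liw -i bash -c "pwd && ./liw-dot-files/make-symlinks"
        sudo -u liw -i bash -c "ln -nsf liw-dot-files/gitconfig-exolobe1 .gitconfig"
    - name: "remove vmadm config"
      file:
        state: absent
        path: /home/liw/.config/vmadm/config.yaml
    # Paths inside the config are relative to liw's home; the key files it
    # refers to are installed by the tasks below.
    - name: "install vmadm config"
      copy:
        content: |
          image_directory: /mnt/vms
          default_autostart: true
          default_base_image: ~/base-images/bookworm-vm.qcow2
          default_cpus: 4
          default_generate_host_certificate: true
          default_image_gib: 100
          default_memory_mib: 8192
          default_networks:
            - bridge=br0
          authorized_keys:
            - ~/.ssh/id_personal.pub
          ca_key: ~/.ssh/vmadm
          user_ca_pubkey: ~/.ssh/userca.pub
        dest: /home/liw/.config/vmadm/config.yaml
        owner: liw
        group: liw
        mode: "0644"
    - name: "create ~liw/base-images"
      file:
        state: directory
        path: /home/liw/base-images
        owner: liw
        group: liw
        mode: "0755"
    - name: "create ~liw/vm"
      file:
        state: directory
        path: /home/liw/vm
        owner: liw
        group: liw
        mode: "0755"
    # NOTE(review): 0700 is the conventional mode for ~/.ssh; 0755 leaves the
    # directory listing world-readable — confirm that this is intended.
    - name: "create ~liw/.ssh"
      file:
        state: directory
        path: /home/liw/.ssh
        owner: liw
        group: liw
        mode: "0755"
    - name: "install SSH public key for liw"
      copy:
        content: "{{ liw_personal_ssh_pub }}"
        dest: /home/liw/.ssh/id_personal.pub
        owner: liw
        group: liw
        mode: "0644"
    # The CA private key is read from the control node's password store via
    # lookup('pipe'), which strips the trailing newline; "\n" restores it so no
    # separate fix-up task is needed. no_log keeps the key out of task output
    # and --diff.
    - name: "install SSH CA key"
      copy:
        content: "{{ lookup('pipe', 'pass show sshca/vmadm-v1') }}\n"
        dest: /home/liw/.ssh/vmadm
        owner: liw
        group: liw
        mode: "0600"
      no_log: true
    # Public key only; same newline handling as above.
    - name: "install SSH user CA key"
      copy:
        content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}\n"
        dest: /home/liw/.ssh/userca.pub
        owner: liw
        group: liw
        mode: "0644"
    - name: "enable libvirt 'default' network"
      virt_net:
        name: default
        autostart: true
        state: active
  vars:
    ansible_python_interpreter: /usr/bin/python3
    sane_debian_system_version: 2
    sane_debian_system_hostname: "{{ inventory_hostname }}"
    sane_debian_system_codename: bookworm
    sane_debian_system_sources_lists:
      - repo: |
          deb http://deb.debian.org/debian bookworm contrib non-free
      - repo: |
          deb http://security.debian.org/debian-security bookworm-security main contrib non-free
      # Third-party repository; its signing key is supplied from inventory.
      - repo: deb http://apt.liw.fi/debian unstable main
        signing_key: "{{ apt_liw_fi_signing_key }}"
    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        sudo: true
        groups:
          - libvirt
          - kvm
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
      - username: root
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
    mailname: "{{ sane_debian_system_hostname }}.liw.fi"
    relayhost: pieni.net:587
    smarthost: pieni.net
    smarthost_user: pienirelay
    # Resolved on the control node at run time; never stored in this file.
    smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
    sshd_version: 1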