---
# FIXME #691138: better to prepare ready-to-use interfaces, cf. the macvtap tasks further down.
# This task needs to be run before the last apt run to provide a ready-to-use installation.
# Security note: this apt hook re-applies the setuid-root bit to qemu-bridge-helper after
# every dpkg run (the file's own comment says installation/upgrade would otherwise leave
# it without the bit), so unprivileged session-mode VMs can attach to the bridges allowed
# in /etc/qemu/bridge.conf (deployed further down). A setuid helper widens the local
# attack surface; keep that allow-list minimal.
# NOTE(review): `dpkg-statoverride --update --add root root 4755 <helper path>` would be
# the persistent Debian-native alternative — TODO confirm. "|| true" keeps apt runs from
# failing, e.g. while the helper is not installed yet.
- name: Allow users to attach to bridge
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/94qemu-bridge-suid
    mode: '0644'
    content: |
      ## Modify permissions after installation/upgrade
      ## to run qemu-bridge as root
      DPkg::Post-Invoke {"/usr/bin/chmod 4755 /usr/lib/qemu/qemu-bridge-helper || true"; };

# Virtualisation stack plus the tooling used by the vm-* scripts deployed below
# (aria2/mktorrent presumably for image transfer; dialog for the vm-netboot menu).
- name: Install libvirt packages
  ansible.builtin.apt:
    state: present
    name:
      - aria2
      - mktorrent
      - libvirt-daemon-system
      - virt-manager
      - dialog  # for vm-netboot menu

# Kept for reference but intentionally disabled: auth_unix_rw = "none" would let every
# local user talk to the system libvirtd read-write socket without polkit authentication.
# - name: allow all users to use VMs
#   lineinfile:
#     dest: /etc/libvirt/libvirtd.conf
#     line: 'auth_unix_rw = "none"'
#     insertafter: '#auth_unix_rw = "polkit"'
#   notify: reload libvirtd

# pam_mount: bind-mount each logging-in user's home and the shared school directory under
# /lmn/media/<user>/ so session-mode VMs and the vm-* scripts find them at a fixed path.
# The <not><or>…</or></not> filter skips the listed system/desktop accounts and the
# optional local user. The block is appended after the last existing managed block;
# NOTE(review): presumably so the volume order in pam_mount.conf.xml stays stable — confirm.
- name: Configure pam_mount for VM bind mounts
  ansible.builtin.blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
    block: |
      <!-- bind mounts for the VMs, setting gid here does not work -->
      <volume
        path="~"
        mountpoint="/lmn/media/%(USER)/home"
        options="bind"
      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
      <volume
        path="/srv/samba/schools/default-school/share"
        mountpoint="/lmn/media/%(USER)/share"
        options="bind"
      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"

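# Optional third bind mount (whole school tree, not only its share), applied only when
# `localhome` is set and truthy. Renamed from the preceding task: two tasks with the
# identical name "Configure pam_mount for VM bind mounts" made `--start-at-task`,
# `--list-tasks` and log output ambiguous. Same account filter and ordering strategy as
# the task above.
- name: Configure pam_mount for VM bind mount of the school directory
  ansible.builtin.blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mount school for VMs) -->"
    block: |
      <volume
        path="/srv/samba/schools/default-school"
        mountpoint="/lmn/media/%(USER)/school"
        options="bind"
      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
  when: localhome is defined and localhome
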
# Replace pam_mount's default umount with a script that receives user, uid and mount point
# so the bind mounts above can be torn down in the right order at logout. Inserted right
# after the <mntoptions …> line(s) of the default config.
- name: Use umount script for proper cleanup
  ansible.builtin.blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
    block: |
      <!-- Provide special umount script here to handle bind mounts and proper ordering -->
      <umount>/usr/local/sbin/pam-umount.sh %(USER) %(USERUID) %(MNTPT)</umount>
    insertafter: '^<mntoptions.*'

# The helper referenced by pam_mount's <umount> element; root-owned, executable, in sbin
# because it is only ever run by pam_mount, not by users.
- name: Prepare umount script
  ansible.builtin.copy:
    dest: /usr/local/sbin/pam-umount.sh
    src: pam-umount.sh
    mode: "0755"

# Advertise the host's DNS domain on libvirt's default network so guests resolve names in
# it; localOnly="no" lets the domain be forwarded upstream rather than answered only by
# libvirt's dnsmasq (per the libvirt network XML docs — confirm for the installed version).
# The leading space in `line` preserves the XML indentation; lineinfile is idempotent
# here because the exact line is the match.
- name: Insert domain in default-network
  ansible.builtin.lineinfile:
    path: /etc/libvirt/qemu/networks/default.xml
    line: ' <domain name="{{ ansible_domain }}" localOnly="no"/>'
    insertafter: '</ip>'

# libvirt marks a network as autostart by a symlink in networks/autostart/.
- name: Autostart default network for VMs
  ansible.builtin.file:
    state: link
    path: /etc/libvirt/qemu/networks/autostart/default.xml
    src: /etc/libvirt/qemu/networks/default.xml

# Service account that owns the VM image tree and the aria2 cache (see the directory tasks
# below); system account, no home directory, no interactive login intended.
- name: Create system-user syncing VM-files and others
  ansible.builtin.user:
    name: lmnsynci
    system: true
    create_home: false
    comment: lmn sync user

# Configuration directory for the vm tooling (vm.conf and the aria2 password file go here).
- name: Create /etc/lmn directory
  ansible.builtin.file:
    state: directory
    path: /etc/lmn
    mode: "0755"

# Root of the per-user media mounts and the VM image tree.
- name: Create /lmn directory
  ansible.builtin.file:
    state: directory
    path: /lmn
    mode: "0755"

# Parent of the /lmn/media/<user>/ mount points created by pam_mount; world-writable with
# the sticky bit so each user can create their own subtree but not remove others'.
- name: Create /lmn/media directory
  ansible.builtin.file:
    state: directory
    path: /lmn/media
    mode: "1777"

# Shared, sticky-bit directory for per-user VM data (world-writable; see also the
# tmpfiles entry for /var/tmp/vm below).
- name: Create /var/vm directory
  ansible.builtin.file:
    state: directory
    path: /var/vm
    mode: "1777"

# VM image tree, owned by the sync service account; other users get read access only.
- name: Create vm directory
  ansible.builtin.file:
    state: directory
    path: /lmn/vm
    owner: lmnsynci
    group: lmnsynci
    mode: "0755"

# systemd-tmpfiles entry: "D" creates /var/tmp/vm like "d" and additionally empties it when
# tmpfiles runs with --remove, i.e. at boot (see tmpfiles.d(5)). Sticky world-writable
# like /var/vm above.
- name: Create cleanup-vm.conf
  ansible.builtin.copy:
    dest: /etc/tmpfiles.d/clean-vm.conf
    mode: '0644'
    content: |
      D /var/tmp/vm 1777 root root -

# squid is installed for the per-user (usersquid) instances set up below, not as a
# system-wide proxy.
- name: Install squid
  ansible.builtin.apt:
    state: present
    name:
      - squid

# The packaged system-wide squid service must not run; only the user-scoped instances
# started by startusersquid.sh are wanted.
- name: Disable squid
  ansible.builtin.systemd:
    name: squid
    state: stopped
    enabled: false

# Render both user-mode squid configs from their .j2 templates; the loop item is the
# destination file name, so the template must be named "<item>.j2" in the role's
# templates directory.
- name: Deploy squid user mode configuration
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/squid/{{ item }}"
    mode: '0644'
  loop:
    - squid-usermode.conf
    - squid-usermode-external.conf

# Launcher for the per-user squid instance (templated, executable by everyone).
- name: Deploy startusersquid script
  ansible.builtin.template:
    dest: /usr/local/bin/startusersquid.sh
    src: startusersquid.sh.j2
    mode: "0755"

# systemd *user* unit (note /etc/systemd/user, not /etc/systemd/system): one squid per
# logged-in user session.
- name: Provide usersquid service
  ansible.builtin.copy:
    dest: /etc/systemd/user/usersquid.service
    src: usersquid.service
    mode: "0644"

# scope: global enables the user unit for all users (systemctl --global enable), so every
# user session starts its own usersquid.
- name: Enable usersquid service
  ansible.builtin.systemd:
    scope: global
    name: usersquid.service
    enabled: true

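# Drop-in sudoers fragments for the VM tooling. sudo requires /etc/sudoers.d files to be
# root-owned and not writable by group/other; 0440 is the mode documented for sudoers
# files (the previous 0700 carried owner write/exec bits that some sudo versions reject —
# TODO confirm on the deployed sudo). `validate` runs visudo on the staged copy first, so a
# syntax error in a fragment cannot break sudo on the host.
- name: Deploy sudo configurations
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/sudoers.d/90-{{ item }}"
    owner: root
    group: root
    mode: '0440'
    validate: /usr/sbin/visudo -cf %s
  loop:
    - lmn-mounthome
    - lmn-vm
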
# All user-facing vm-* helpers plus mounthome.sh and desktop-sync go to /usr/local/bin,
# root-owned and world-executable (trailing slash on dest keeps each source file name).
# NOTE(review): `virtiofsd` here is a role file, not the distro binary — presumably a
# wrapper; confirm it does not shadow a packaged /usr/local/bin/virtiofsd unintentionally.
- name: Deploy vmimages scripts
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /usr/local/bin/
    owner: root
    group: root
    mode: '0755'
  loop:
    - mounthome.sh
    - vm-create
    - vm-rebase
    - vm-run
    - vm-upload
    - vm-sync
    - vm-link-images
    - vm-virtiofsd
    - virtiofsd
    - vm-aria2
    - uploadseed
    - desktop-sync

# Static, world-readable settings consumed by the vm-* scripts.
- name: Deploy vm configuration file vm.conf
  ansible.builtin.copy:
    dest: /etc/lmn/vm.conf
    src: vm.conf
    owner: root
    group: root
    mode: "0644"

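# Shared secret for the aria2 RPC interface (presumably read by uploadseed/vm-aria2).
# Readable by root and the lmnsynci group only. `no_log: true` keeps the templated
# password out of task output, --diff output and log files, which `content:` would
# otherwise print verbatim.
# NOTE(review): the trailing newline produced by `|` is left unchanged — consumers
# presumably strip it; confirm before switching to `|-`.
- name: Deploy aria2 RPC password file
  ansible.builtin.copy:
    dest: /etc/lmn/uploadseed.conf
    owner: root
    group: lmnsynci
    mode: '0640'
    content: |
      {{ uploadseed_pwd }}
  no_log: true
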
# aria2 DHT state lives here; owned by the sync account that runs aria2.
- name: Prepare directory for aria2 dht.dat
  ansible.builtin.file:
    state: directory
    path: /var/cache/aria2/
    owner: lmnsynci
    group: lmnsynci
    mode: "0755"

# qemu-bridge-helper looks for its allow-list under /etc/qemu/.
- name: Prepare directory for qemu bridge config
  ansible.builtin.file:
    state: directory
    path: /etc/qemu/
    mode: "0755"

# Allow-list for the setuid qemu-bridge-helper (see the apt hook at the top): only these
# bridges may be attached by unprivileged session-mode VMs. Security note: adding a
# bridge here effectively grants every local user layer-2 access to it, so keep the list
# to the libvirt-managed virbr* bridges.
- name: Deploy bridge.conf needed for qemu session mode
  ansible.builtin.copy:
    dest: /etc/qemu/bridge.conf
    mode: '0644'
    content: |
      allow virbr0
      allow virbr1
      allow virbr2

# One NetworkManager keyfile per wired interface (en[pso]*): a macvtap child with no IP
# configuration that VMs can use directly. The connection/interface name is derived from
# characters 3–8 of the parent name (e.g. enp3s0 → macvtap-3s0). Keyfiles must be
# root-only (0600) or NetworkManager ignores them.
# NOTE(review): `mode=2` is NM's macvlan mode enum — bridge mode per nm-settings(5) —
# confirm; the empty [proxy] section is written as-is.
- name: Configure macvtap interface
  ansible.builtin.copy:
    dest: "/etc/NetworkManager/system-connections/macvlan-vm-macvtap-{{ item }}.nmconnection"
    mode: '0600'
    content: |
      [connection]
      id=macvlan-macvtap-{{ item[3:9] }}
      type=macvlan
      interface-name=macvtap-{{ item[3:9] }}
      [macvlan]
      mode=2
      parent={{ item }}
      tap=true
      [ipv4]
      method=disabled
      [ipv6]
      method=disabled
      [proxy]
  loop: "{{ ansible_interfaces | select('search', '^en[pso].+') }}"

# udev rule making every macvtap-* character device world-readable/writable so session-mode
# (unprivileged) VMs can open it. Security note: MODE="0666" lets any local account put
# frames on the parent NIC through the tap; if only a known group runs VMs, a
# GROUP="…"/MODE="0660" pair would confine this — TODO decide. Same interface name slice
# as the nmconnection task above.
- name: Adjust interface permissions for user mode VMs
  ansible.builtin.copy:
    dest: /etc/udev/rules.d/80-macvlan.rules
    mode: '0644'
    content: |
      {% for interface in (ansible_interfaces | select('search', '^en[pso].+')) %}
      SUBSYSTEMS=="net", KERNELS=="macvtap-{{ interface[3:9] }}", MODE="0666"
      {% endfor %}

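# Wrapper that shadows /usr/bin/virt-manager (for PATHs with /usr/local/bin first) and
# forces the per-user qemu:///session connection. Fix: `"$@"` instead of bare `$@`, so
# arguments containing spaces or glob characters are forwarded unchanged; the previous
# form re-split them by the shell. Shebang changed to /bin/sh, which exists on every
# Debian system regardless of merged-/usr.
- name: Start virt-manager in session mode by default
  ansible.builtin.copy:
    dest: /usr/local/bin/virt-manager
    content: |
      #!/bin/sh
      exec /usr/bin/virt-manager --connect qemu:///session "$@"
    mode: '0755'
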
# Interactive netboot menu (uses the dialog package installed above).
- name: Copy vm-netboot script
  ansible.builtin.copy:
    dest: /usr/local/bin/
    src: vm-netboot
    mode: "0755"