lmn-client/roles/lmn_vm/tasks/main.yml

---
# FIXME #691138, better: prepare interfaces ready to use, c.f. down below, macvtap.
# This task needs to be run before the last apt run to provide a ready-to-use installation.
- name: Allow users to attach to bridge
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/94qemu-bridge-suid
    mode: '0644'
    content: |
      ## Modify permissions after installation/upgrade
      ## to run qemu-bridge as root
      DPkg::Post-Invoke {"/usr/bin/chmod 4755 /usr/lib/qemu/qemu-bridge-helper || true"; };


- name: Install libvirt packages
  ansible.builtin.apt:
    name:
      - aria2
      - mktorrent
      - libvirt-daemon-system
      - virt-manager
      - dialog # for vm-netboot menu
      - python3-impacket

    # - name: allow all users to use VMs
    #   lineinfile:
    #     dest: /etc/libvirt/libvirtd.conf
    #     line: 'auth_unix_rw = "none"'
    #     insertafter: '#auth_unix_rw = "polkit"'
    #   notify: reload libvirtd

- name: Configure pam_mount for VM bind mounts
  ansible.builtin.blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
    block: |
      <!-- bind mounts for the VMs, setting gid here does not work -->
      <volume
        path="~"
        mountpoint="/lmn/media/%(USER)/home"
        options="bind"
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
      <volume
        path="/srv/samba/schools/default-school/share"
        mountpoint="/lmn/media/%(USER)/share"
        options="bind"
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
      <volume
        path="/srv/samba/schools/default-school"
        mountpoint="/lmn/media/%(USER)/school"
        options="bind"
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"

- name: Use umount script for proper cleanup
  ansible.builtin.blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
    block: |
      <!-- Provide special umount script here to handle bind mounts and proper ordering -->
      <umount>/usr/local/sbin/pam-umount.sh %(USER) %(USERUID) %(MNTPT)</umount>
    insertafter: '^<mntoptions.*'

- name: Prepare umount script
  ansible.builtin.copy:
    src: pam-umount.sh
    dest: /usr/local/sbin/pam-umount.sh
    mode: '0755'

- name: Insert domain in default-network
  ansible.builtin.lineinfile:
    path: /etc/libvirt/qemu/networks/default.xml
    line: '  <domain name="{{ ansible_domain }}" localOnly="no"/>'
    insertafter: '</ip>'

- name: Autostart default network for VMs
  ansible.builtin.file:
    src: /etc/libvirt/qemu/networks/default.xml
    dest: /etc/libvirt/qemu/networks/autostart/default.xml
    state: link

- name: Create system-user syncing VM-files and others
  ansible.builtin.user:
    name: lmnsynci
    comment: lmn sync user
    system: true
    create_home: false

- name: Create /etc/lmn directory
  ansible.builtin.file:
    path: /etc/lmn
    state: directory
    mode: '0755'

- name: Create /lmn directory
  ansible.builtin.file:
    path: /lmn
    state: directory
    mode: '0755'

- name: Create /lmn/media directory
  ansible.builtin.file:
    path: /lmn/media
    state: directory
    mode: '1777'

- name: Create /var/vm directory
  ansible.builtin.file:
    path: /var/vm
    state: directory
    mode: '1777'

- name: Create vm directory
  ansible.builtin.file:
    path: /lmn/vm
    state: directory
    owner: lmnsynci
    group: lmnsynci
    mode: '0755'

- name: Create cleanup-vm.conf
  ansible.builtin.copy:
    dest: /etc/tmpfiles.d/clean-vm.conf
    mode: '0644'
    content: |
      D /var/tmp/vm 1777 root root -

- name: Deploy sudo configurations
  ansible.builtin.copy:
    src: lmn-vm
    dest: /etc/sudoers.d/90-lmn-vm
    owner: root
    group: root
    mode: '0700'

- name: Deploy vmimages scripts
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /usr/local/bin/
    owner: root
    group: root
    mode: '0755'
  loop:
    - vm-create
    - vm-rebase
    - vm-run
    - vm-upload
    - vm-sync
    - vm-link-images
    - vm-virtiofsd
    - vm-vminfo
    - virtiofsd
    - vm-aria2
    - uploadseed
    - desktop-sync

- name: Deploy vm configuration file vm.conf
  ansible.builtin.template:
    src: vm.conf.j2
    dest: /etc/lmn/vm.conf
    owner: root
    group: root
    mode: '0644'

- name: Deploy aria2 RPC password file
  ansible.builtin.copy:
    dest: /etc/lmn/uploadseed.conf
    owner: root
    group: lmnsynci
    mode: '0640'
    content: |
      {{ vm_uploadseed_pwd }}

- name: Prepare directory for aria2 dht.dat
  ansible.builtin.file:
    path: /var/cache/aria2/
    state: directory
    owner: lmnsynci
    group: lmnsynci
    mode: '0755'

- name: Prepare directory for qemu bridge config
  ansible.builtin.file:
    path: /etc/qemu/
    state: directory
    mode: '0755'

- name: Deploy bridge.conf needed for qemu session mode
  ansible.builtin.copy:
    dest: /etc/qemu/bridge.conf
    mode: '0644'
    content: |
      allow virbr0
      allow virbr1
      allow virbr2

- name: Configure macvtap interface
  ansible.builtin.copy:
    dest: "/etc/NetworkManager/system-connections/macvlan-vm-macvtap-{{ item }}.nmconnection"
    mode: '0600'
    content: |
      [connection]
      id=macvlan-macvtap-{{ item[3:9] }}
      type=macvlan
      interface-name=macvtap-{{ item[3:9] }}
      [macvlan]
      mode=2
      parent={{ item }}
      tap=true
      [ipv4]
      method=disabled
      [ipv6]
      method=disabled
      [proxy]
  loop: "{{ ansible_interfaces | select('search', '^en[pso].+') }}"

- name: Adjust interface permissions for user mode VMs
  ansible.builtin.copy:
    dest: /etc/udev/rules.d/80-macvlan.rules
    mode: '0644'
    content: |
      {% for interface in (ansible_interfaces | select('search', '^en[pso].+')) %}
      SUBSYSTEMS=="net", KERNELS=="macvtap-{{ interface[3:9] }}", MODE="0666"
      {% endfor %}

- name: Start virt-manager in session mode by default
  ansible.builtin.copy:
    dest: /usr/local/bin/virt-manager
    content: |
      #!/usr/bin/sh
      exec /usr/bin/virt-manager --connect qemu:///session $@
    mode: '0755'

- name: Copy vm-netboot script
  ansible.builtin.copy:
    src: vm-netboot
    dest: /usr/local/bin/
    mode: '0755'

- name: Provide vminfo service
  ansible.builtin.copy:
    content: |
      [Unit]
      Description=Create .vminfo.json for VMs
      [Service]
      Type=simple
      ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
    dest: /etc/systemd/user/vminfo.service
    mode: '0644'

- name: Provide vminfo timer
  ansible.builtin.copy:
    content: |
      [Unit]
      Description=Timer for vm-info
      [Timer]
      OnActiveSec=0s
      OnUnitActiveSec=1h
      Persistent=true
    dest: /etc/systemd/user/vminfo.timer
    mode: '0644'