From 32e9eeb91fce2508760337305af8b8672648d984 Mon Sep 17 00:00:00 2001
From: Zolfa
Date: Fri, 17 Apr 2020 22:36:22 +0200
Subject: [PATCH] connection/ssh_lxc: new style for containers

Now which *host* is hosting a specific container is not defined in the playbook yaml file but centrally in the invetory under the `ansible_lxc_host` variable. The `lxc_guest` role is runned directly against the guest, even if it doesn't exist yet, and lxc tasks are delegated to the lxc-running physical host. In this way it should be easier to scale-up and configure multiple istance of a service on different containers without changing the playbook. Look at `/ldap.yaml` for a commented example.
---
 connection_plugins/ssh_lxc.py | 1 +
 hosts.example | 6 +++---
 ldap.yaml | 40 +++++++++++++++++++++++++++++------
 projects.yaml | 28 ++++++++++++++++--------
 4 files changed, 56 insertions(+), 19 deletions(-)

diff --git a/connection_plugins/ssh_lxc.py b/connection_plugins/ssh_lxc.py
index 0839c94..c50d779 100644
--- a/connection_plugins/ssh_lxc.py
+++ b/connection_plugins/ssh_lxc.py
@@ -46,6 +46,7 @@ DOCUMENTATION = '''
 - name: ansible_lxc_name
 - name: ansible_ssh_lxc_name
 - name: ansible_docker_extra_args
+ - name: vm_name
 type: str
 host_key_checking:
 description: Determines if ssh should check host keys
diff --git a/hosts.example b/hosts.example
index 9d754a7..3c1f5b0 100644
--- a/hosts.example
+++ b/hosts.example
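Review bot: `vm_name` is an unprefixed, generic variable name added to a connection-option lookup list, so any play or role variable called `vm_name` that is set for another purpose will silently change which container the plugin attaches to; the playbooks in this same commit pass `vm_name` as a role var to `lxc_guest`, which is exactly that coupling. If this list keeps the usual last-match-wins resolution, `vm_name` also takes precedence over `ansible_lxc_name` and `ansible_ssh_lxc_name` whenever both are defined — confirm against the plugin's option code, which is outside the hunk. At minimum document the intent on the new line, e.g. `- name: vm_name  # generic play var shared with the lxc_guest role; overrides the ansible_* names when both are set`, or keep the inventory-facing `ansible_lxc_name`/`ansible_ssh_lxc_name` as the only sources. The `DOCUMENTATION` string and the option this list belongs to begin before the hunk.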
@@ -9,9 +9,9 @@
 authorities_request ansible_host=10.150.40.8 ansible_user=request
 black ansible_host=10.150.40.42 ansible_user=root vg_name=black-vg
 ca ansible_host=10.150.40.8 ansible_user=root
-# LXC GUEST ------------------------------------------------------------------ ------
-#blogs ansible_host=10.150.42.17 ansible_user=root ansible_lxc_host=black ansible_lxc_name=blogs
-ldap ansible_host=10.150.42.10 ansible_user=root ansible_lxc_host=black ansible_lxc_name=ldap
+# LXC GUEST ------------------------------------------------------------------
+#blogs ansible_host=10.150.42.17 ansible_user=root ansible_lxc_host=black
+ldap ansible_host=10.150.42.10 ansible_user=root ansible_lxc_host=black
 #lists ansible_host=10.150.42.15 ansible_user=root
 #login ansible_host=10.150.42.100 ansible_user=root
 #mail ansible_host=10.150.42.36 ansible_user=root
diff --git a/ldap.yaml b/ldap.yaml
index c841223..6bbc3b5 100644
--- a/ldap.yaml
+++ b/ldap.yaml
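Review bot: The two guest entries now rely on a contract the example inventory does not state anywhere: `ansible_lxc_host` must name an inventory host (here `black`) that itself defines `vg_name`, because the new playbooks read `hostvars[ansible_lxc_host]["vg_name"]` and delegate container creation to that host, and the container name is no longer given explicitly but presumably derived from the inventory hostname. Add a comment under the separator, e.g. `# guests: ansible_lxc_host = physical host running LXC (must define vg_name); container name = inventory hostname`. The commented-out `#lists`/`#login`/`#mail` entries below do not set `ansible_lxc_host`, so uncommenting them as-is would fail the new playbooks at the delegation step.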
@@ -1,17 +1,43 @@
 ---
-- hosts: biff
- roles:
- - role: lxc_guest
- vm_name: ldap
- - role: ssh_server
- ansible_connection: ssh_lxc
- ansible_ssh_lxc_name: ldap
+# 1) Deploy the lxc container(s)
+- hosts: ldap
+ # The host may not exist yet: do not gather facts
+ gather_facts: false
+ tags:
+ - lxc
+ tasks:
+ # Delegate lxc container deployment to `ansible_lxc_host`
+ - import_role: name='lxc_guest'
+ vars:
+ vm_name: '{{ inventory_hostname }}'
+ vm_size: '1G'
+ vg_name: '{{ hostvars[ansible_lxc_host]["vg_name"] }}'
+ delegate_to: '{{ ansible_lxc_host }}'
+ # The host may not be directly reachable: use `ssh_lxc` proxy to
+ # gather facts (setup) and configure SSH.
+ - set_fact: ansible_connection='ssh_lxc'
+ - setup:
+ - include_role: name='ssh_server'
+ # Now the host should be ssh-reachable
+ - set_fact: ansible_connection='ssh'
+
+# 2) Deploy LDAP server(s)
 - hosts: ldap
 roles:
 - role: dns_record
 - role: ldap
 ldap_domain: 'lilik.it'
 ldap_organization: 'LILiK'
+ fqdn_domain: 'dmz.{{ domain }}'
+ x509_suffix: 'o=LILiK,l=Firenze,st=IT'
+ virtual_domains:
+ - '{{ domain }}'
+ # Default values:
+ #ldap_tls_enabled: true
+ #renew_rootdn_pw: true
+ #check_tree: true
+
+# 3) Enable monitoring
 - hosts: status
 roles:
 - role: icinga2-monitoring
diff --git a/projects.yaml b/projects.yaml
index f17d696..b28391e 100644
--- a/projects.yaml
+++ b/projects.yaml
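Review bot: `vm_name` is set only as a task var on the `import_role: name='lxc_guest'` task, so it is not visible to the `setup:` and `include_role: name='ssh_server'` tasks that follow once `ansible_connection` is switched to `ssh_lxc`, and the inventory in this commit no longer carries `ansible_lxc_name` either; unless the plugin falls back to `inventory_hostname`, those tasks have no container name to attach to. Hoist it to the play so the role and the proxy connection see the same value — `vars:` / `vm_name: '{{ inventory_hostname }}'` directly under `- hosts: ldap` — and drop it from the task `vars`. The same applies to the projects.yaml hunk. Separately, `hostvars[ansible_lxc_host]["vg_name"]` and `delegate_to` only fail with an undefined-variable error at that task, so a guest missing `ansible_lxc_host` gives a late and unclear failure; a one-line `assert` task on `ansible_lxc_host is defined` before the role would make the inventory contract explicit.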
@@ -1,17 +1,27 @@
 ---
-- hosts: emmett
- roles:
- - role: lxc_guest
- vm_name: projects2
- - role: ssh_server
- ansible_connection: ssh_lxc
- ansible_ssh_lxc_name: projects2
-- hosts: projects2
+- hosts: projects
+ gather_facts: false
+ tags:
+ - lxc
+ tasks:
+ - import_role: name='lxc_guest'
+ vars:
+ vm_name: '{{ inventory_hostname }}'
+ vm_size: '4G'
+ vg_name: '{{ hostvars[ansible_lxc_host]["vg_name"] }}'
+ delegate_to: '{{ ansible_lxc_host }}'
+ - set_fact: ansible_connection='ssh_lxc'
+ - setup:
+ - include_role: name='ssh_server'
+ - set_fact: ansible_connection='ssh'
+
+- hosts: projects
 roles:
 - role: dns_record
 - role: reverse_proxy
- hostname: projects2
+ hostname: projects
 - role: gitlab
+
 - hosts: status
 roles:
 - role: icinga2-monitoring
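Review bot: The provisioning play (`gather_facts: false` through `set_fact: ansible_connection='ssh'`) is a verbatim copy of the one in ldap.yaml with only `vm_size` differing, and it carries none of the explanatory comments that copy has; every further service playbook will repeat this block and the copies will drift. Factor it into one shared playbook parameterised on the host group and size and pull it in with `import_playbook`, or at least carry the comments over. The move from `projects2` on `emmett` to `projects` on whatever `ansible_lxc_host` names also means this play creates a new, empty container rather than reusing the existing one, which presumably holds the GitLab data; a note in the play or the commit message on how the old container is migrated or retired would help the operator.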