|
|
- - name: check for lxc container dir
- stat:
- path: '/var/lib/lxc/{{ vm_name }}'
- register: lxc_existance
-
- - name: check for lxc container existance
- container_exists:
- name: "{{ vm_name }}"
- register: container_exists
-
- - block:
- - name: create the lxc container
- lxc_container:
- name: "{{ vm_name }}"
- backing_store: lvm
- vg_name: "{{ inventory_hostname }}vg"
- lv_name: "vm_{{ vm_name }}"
- fs_type: xfs
- container_log: true
- template: debian
- template_options: --release {{ distro }} --packages=ssh,python
- # container_command: |
- # echo "ssh-rsa {{ user_ca_key }}" > /etc/ssh/user_ca.pub
- # echo "TrustedUserCAKeys /etc/ssh/user_ca.pub" >> /etc/ssh/sshd_config
- # sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces
- state: stopped
- - name: deploy container config
- template: src=config.j2 dest="/var/lib/lxc/{{ vm_name }}/config"
- - name: start container
- lxc_container:
- name: "{{ vm_name }}"
- state: started
- when: auto_start|bool
- when: not (container_exists.exists and lxc_existance.stat.isdir)
-
- - name: update container config
- template:
- src: config.j2
- dest: "/var/lib/lxc/{{ vm_name }}/config"
- register: container_config
-
- - name: set container running state
- lxc_container:
- name: "{{ vm_name }}"
- state: "{{ container_state }}"
- register: container_running_state
-
- - name: update container DNS configuration
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep '^nameserver {{ hostvars[ext_gateway].ansible_host }}$' /etc/resolv.conf || echo 'nameserver {{ hostvars[ext_gateway].ansible_host }}' > /etc/resolv.conf"
- register: container_dns_configuration
- changed_when: "container_dns_configuration.stdout != 'nameserver {{ hostvars[ext_gateway].ansible_host }}'"
-
-
- - name: Check if host certificate exists
- container_file_exists:
- name: "{{ vm_name }}"
- path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
- register: host_certificate_exists
-
- - name: check if cert key exist
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "ls /etc/ssh/ssh_host_ed25519_key-cert.pub"
- register: cert_key_existance
- ignore_errors: true
- changed_when: "cert_key_existance.rc != 0"
- - block:
- - name: get pub key
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "cat /etc/ssh/ssh_host_ed25519_key.pub"
- register: pub_key
-
- - debug: var=pub_key verbosity=2
-
- - name: generate host request
- set_fact:
- cert_request:
- type: 'sign_request'
- request:
- keyType: 'ssh_host'
- hostName: '{{ vm_name }}'
- keyData: '{{ pub_key.stdout }}'
-
- - debug: var=cert_request verbosity=2
-
- - name: start sign request
- raw: "{{ cert_request | to_json }}"
- delegate_to: "{{ item }}"
- delegate_facts: True
- with_items: "{{ groups['cas'] }}"
- register: request_result
-
- - debug: var=request_result verbosity=2
-
- - set_fact:
- request_output: "{{ request_result.results[0].stdout|string|from_json }}"
-
- - debug: var=request_output verbosity=2
-
- - name: generate get request
- set_fact:
- get_request:
- type: 'get_certificate'
- requestID: '{{ request_output.requestID }}'
-
- - debug:
- var: get_request
- verbosity: 2
-
- - debug:
- msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
-
- - name: wait for cert
- raw: "{{ get_request | to_json }}"
- delegate_to: "{{ item }}"
- delegate_facts: True
- with_items: "{{ groups['cas'] }}"
- register: cert_result
-
- - debug: var=cert_result verbosity=2
-
- - set_fact:
- cert_key: "{{ cert_result.results[0].stdout|string|from_json }}"
-
- - debug:
- var: request_output
- verbosity: 2
-
- - name: set cert key
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "echo '{{ cert_key.result }}' > /etc/ssh/ssh_host_ed25519_key-cert.pub"
- register: set_pub_key
- when: "cert_key_existance.rc != 0"
-
- - name: update container network configuration
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
- register: container_network
- changed_when: "container_network.stdout != 'iface eth0 inet manual'"
-
- - name: install packages
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "apt-get install python ssh -y"
- register: install_packages
- changed_when: "install_packages.stdout.find('0 newly installed') == -1"
-
- - name: lookup user ca key
- set_fact:
- user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
-
- - name: update container user ca key
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'ssh-rsa {{ user_ca_key }}' /etc/ssh/user_ca.pub || echo 'ssh-rsa {{ user_ca_key }}' > /etc/ssh/user_ca.pub"
- register: update_user_ca_key
- changed_when: "update_user_ca_key.stdout != 'ssh-rsa {{ user_ca_key }}'"
-
- - name: trust user ca key
- shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'TrustedUserCAKeys /etc/ssh/user_ca.pub' /etc/ssh/sshd_config || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config"
- register: trust_ca_key
- changed_when: "trust_ca_key.stdout != 'TrustedUserCAKeys /etc/ssh/user_ca.pub'"
-
- - name: restart-container
- lxc_container:
- name: "{{ vm_name }}"
- state: restarted
- register: container_restart
- when: set_pub_key.changed or install_packages.changed or update_user_ca_key.changed or trust_ca_key.changed or container_network.changed or container_config.changed or container_dns_configuration.changed
-
- - name: "waiting for ssh on {{ vm_name }} vm to start"
- wait_for:
- host: "{{ hostvars[vm_name]['ansible_host'] }}"
- port: 22
- timeout: 30
- delegate_to: "{{ inventory_hostname }}"
- delegate_facts: True
-
- - pause: seconds=20
- when: container_restart.changed or container_running_state.changed
|
