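---
# Creates an LXC container for vm_name if it is missing, keeps its config and
# running state in sync, enrols the guest's ed25519 host key with the CA hosts
# in group "cas", and trusts the user CA key inside the guest.
#
# Variables read here: vm_name, distro, auto_start, container_state, ext_gateway,
# groups['cas'], hostvars[vm_name].ansible_host.
# Optional: user_ca_key_file (path for lookup('file'); defaults to the file
# name this task list used before it became configurable).

- name: check for lxc container dir
  stat:
    path: "/var/lib/lxc/{{ vm_name }}"
  register: lxc_existance

- name: check for lxc container existance
  container_exists:
    name: "{{ vm_name }}"
  register: container_exists

# Creation path: runs only when neither the container nor its directory exists.
# stat.isdir is absent when the path does not exist, hence the default(false).
- block:
    - name: create the lxc container
      lxc_container:
        name: "{{ vm_name }}"
        backing_store: lvm
        vg_name: "{{ inventory_hostname }}vg"
        lv_name: "vm_{{ vm_name }}"
        fs_type: xfs
        container_log: true
        template: debian
        # quoted: the value starts with "-" and carries a Jinja expression
        template_options: "--release {{ distro }} --packages=ssh,python"
        # container_command: |
        #   echo "ssh-rsa {{ user_ca_key }}" > /etc/ssh/user_ca.pub
        #   echo "TrustedUserCAKeys /etc/ssh/user_ca.pub" >> /etc/ssh/sshd_config
        #   sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces
        state: stopped

    - name: deploy container config
      template:
        src: config.j2
        dest: "/var/lib/lxc/{{ vm_name }}/config"

    - name: start container
      lxc_container:
        name: "{{ vm_name }}"
        state: started
      when: auto_start | bool
  when: not (container_exists.exists and lxc_existance.stat.isdir | default(false))

- name: update container config
  template:
    src: config.j2
    dest: "/var/lib/lxc/{{ vm_name }}/config"
  register: container_config

- name: set container running state
  lxc_container:
    name: "{{ vm_name }}"
    state: "{{ container_state }}"
  register: container_running_state

# grep-or-write pattern used by several tasks below: grep prints the line when
# it is already present (stdout equals the expected line, reported unchanged);
# otherwise the write runs, stdout is empty, and the task reports changed.
# Conditionals are written without Jinja delimiters, which Ansible warns about.
- name: update container DNS configuration
  shell: >-
    lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
    "grep '^nameserver {{ hostvars[ext_gateway].ansible_host }}$' /etc/resolv.conf
    || echo 'nameserver {{ hostvars[ext_gateway].ansible_host }}' > /etc/resolv.conf"
  register: container_dns_configuration
  changed_when: container_dns_configuration.stdout != 'nameserver ' ~ hostvars[ext_gateway].ansible_host

- name: Check if host certificate exists
  container_file_exists:
    name: "{{ vm_name }}"
    path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
  register: host_certificate_exists
  # NOTE(review): this result is not read anywhere below; the shell probe that
  # follows is what gates the signing block.

- name: check if cert key exist
  shell: >-
    lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
    "ls /etc/ssh/ssh_host_ed25519_key-cert.pub"
  register: cert_key_existance
  # a pure probe: a missing file is a normal outcome, not a failure or a change
  failed_when: false
  changed_when: false

# Host-certificate enrolment: runs only when the guest has no certificate yet.
- block:
    - name: get pub key
      shell: >-
        lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
        "cat /etc/ssh/ssh_host_ed25519_key.pub"
      register: pub_key

    - debug:
        var: pub_key
        verbosity: 2

    - name: generate host request
      set_fact:
        cert_request:
          type: 'sign_request'
          request:
            keyType: 'ssh_host'
            hostName: '{{ vm_name }}'
            keyData: '{{ pub_key.stdout }}'

    - debug:
        var: cert_request
        verbosity: 2

    # The request goes to every host in groups['cas'] but only results[0] is
    # consumed below; with more than one CA the other sign requests are left
    # pending there, and an empty group makes results[0] fail.
    - name: start sign request
      raw: "{{ cert_request | to_json }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      with_items: "{{ groups['cas'] }}"
      register: request_result

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        request_output: "{{ request_result.results[0].stdout | string | from_json }}"

    - debug:
        var: request_output
        verbosity: 2

    - name: generate get request
      set_fact:
        get_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - debug:
        var: get_request
        verbosity: 2

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    # NOTE(review): this is a single fetch, not a poll. If the operator has not
    # confirmed the request yet, cert_key.result may be missing and the assert
    # below stops the play; an until/retries/delay loop would make this a real wait.
    - name: wait for cert
      raw: "{{ get_request | to_json }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      with_items: "{{ groups['cas'] }}"
      register: cert_result

    - debug:
        var: cert_result
        verbosity: 2

    - set_fact:
        cert_key: "{{ cert_result.results[0].stdout | string | from_json }}"

    - debug:
        var: request_output
        verbosity: 2

    # The certificate text is interpolated into a single-quoted shell word in
    # the next task; a payload with a quote in it would end that word early and
    # the rest would be executed by the guest shell, so refuse it up front.
    - name: refuse certificate payloads that cannot be written safely
      assert:
        that:
          - cert_key.result is defined
          - cert_key.result is not search("'")
        msg: "CA response for {{ vm_name }} has no 'result' field or contains a single quote"

    # NOTE(review): nothing in this task list adds
    # "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" to sshd_config;
    # unless the image already sets it, sshd will not present the certificate.
    - name: set cert key
      shell: >-
        lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
        "echo '{{ cert_key.result }}' > /etc/ssh/ssh_host_ed25519_key-cert.pub"
      register: set_pub_key
  when: cert_key_existance.rc != 0

- name: update container network configuration
  shell: >-
    lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
    "grep -F 'iface eth0 inet manual' /etc/network/interfaces
    || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
  register: container_network
  changed_when: container_network.stdout != 'iface eth0 inet manual'

- name: install packages
  shell: >-
    lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
    "apt-get install python ssh -y"
  register: install_packages
  # apt prints "0 newly installed" when everything was already present
  changed_when: install_packages.stdout.find('0 newly installed') == -1

- name: lookup user ca key
  set_fact:
    # user_ca_key_file lets a deployment point at its own CA public key;
    # the previously hard-coded file name remains the default
    user_ca_key: "{{ lookup('file', user_ca_key_file | default('test_ssh_ca.pub')) }}"

# NOTE(review): the grep/echo pair assumes user_ca_key holds only the key
# material (the "ssh-rsa " prefix is added here); a file that already carries
# the prefix would be written as "ssh-rsa ssh-rsa ...". Confirm the file format.
- name: update container user ca key
  shell: >-
    lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
    "grep -F 'ssh-rsa {{ user_ca_key }}' /etc/ssh/user_ca.pub
    || echo 'ssh-rsa {{ user_ca_key }}' > /etc/ssh/user_ca.pub"
  register: update_user_ca_key
  changed_when: update_user_ca_key.stdout != 'ssh-rsa ' ~ user_ca_key

- name: trust user ca key
  shell: >-
    lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c
    "grep -F 'TrustedUserCAKeys /etc/ssh/user_ca.pub' /etc/ssh/sshd_config
    || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config"
  register: trust_ca_key
  changed_when: trust_ca_key.stdout != 'TrustedUserCAKeys /etc/ssh/user_ca.pub'

# A restart is what makes sshd pick up the new certificate, CA key and
# TrustedUserCAKeys line, and the guest pick up the network/DNS edits.
# Tasks skipped inside the signing block still register with changed == false.
- name: restart-container
  lxc_container:
    name: "{{ vm_name }}"
    state: restarted
  register: container_restart
  when: >-
    set_pub_key.changed or install_packages.changed or update_user_ca_key.changed
    or trust_ca_key.changed or container_network.changed or container_config.changed
    or container_dns_configuration.changed

# NOTE(review): this waits unconditionally; with container_state set to a
# non-running state it will time out after 30 seconds and fail the play.
- name: "waiting for ssh on {{ vm_name }} vm to start"
  wait_for:
    host: "{{ hostvars[vm_name]['ansible_host'] }}"
    port: 22
    timeout: 30
  # delegating to inventory_hostname runs the port check from the LXC host itself
  delegate_to: "{{ inventory_hostname }}"
  delegate_facts: true

- pause:
    seconds: 20
  when: container_restart.changed or container_running_state.changed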