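---
# Provision and configure one LXC container ("{{ vm_name }}") on the LXC host.
# Flow: detect an existing container -> create it when absent -> push the
# container config -> set the running state -> pin DNS -> obtain a signed SSH
# host certificate from the CA hosts -> install packages and trust the user CA
# -> restart when anything changed -> wait for SSH.
#
# Variables expected from inventory/vars (not defined here): vm_name, vm_size,
# distro, auto_start, container_state, ext_gateway, groups['cas'].
# The container_* modules (container_exists, container_file_read,
# container_file_exists, container_file_write) are project-local.
#
# NOTE(review): vm_name and hostvars[ext_gateway].ansible_host are interpolated
# unquoted into the `shell:` command lines below; they are assumed to come from
# trusted inventory. If either can be supplied by an untrusted source, pass it
# through the `quote` filter before use.

- name: check for lxc container dir
  stat:
    path: '/var/lib/lxc/{{ vm_name }}'
  register: lxc_existance

- name: check for lxc container existance
  container_exists:
    name: "{{ vm_name }}"
  register: container_exists

# Creation path: only runs when neither the LXC API nor the filesystem knows
# the container yet (see the block-level `when` at the end of the block).
- block:
    - name: create the lxc container
      lxc_container:
        name: "{{ vm_name }}"
        backing_store: lvm
        fs_size: "{{ vm_size }}"
        vg_name: "{{ inventory_hostname }}vg"
        lv_name: "vm_{{ vm_name }}"
        fs_type: xfs
        container_log: true
        template: debian
        # Quoted: the value is templated and starts with '-'.
        template_options: "--release {{ distro }} --packages=ssh,python"
        # container_command: |
        #   echo "ssh-rsa {{ user_ca_key }}" > /etc/ssh/user_ca.pub
        #   echo "TrustedUserCAKeys /etc/ssh/user_ca.pub" >> /etc/ssh/sshd_config
        #   sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces
        # Created stopped so the config template below lands before first boot.
        state: stopped

    - name: deploy container config
      template:
        src: config.j2
        dest: "/var/lib/lxc/{{ vm_name }}/config"

    - name: start container
      lxc_container:
        name: "{{ vm_name }}"
        state: started
      when: auto_start|bool
  # `stat` returns no `isdir` key for a missing path; default it so the
  # condition cannot fail on an undefined attribute.
  when: not (container_exists.exists and (lxc_existance.stat.isdir | default(false)))

- name: update container config
  template:
    src: config.j2
    dest: "/var/lib/lxc/{{ vm_name }}/config"
  register: container_config

- name: set container running state
  lxc_container:
    name: "{{ vm_name }}"
    state: "{{ container_state }}"
  register: container_running_state

- name: Read container DNS configuration
  container_file_read:
    name: "{{ vm_name }}"
    path: /etc/resolv.conf
  register: vm_resolv_conf

- name: show container DNS configuration
  debug:
    var: vm_resolv_conf
    verbosity: 2

- name: update container DNS configuration
  # grep prints the existing nameserver line (no change); otherwise
  # resolv.conf is overwritten with the gateway nameserver and stdout is empty.
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep '^nameserver {{ hostvars[ext_gateway].ansible_host }}$' /etc/resolv.conf || echo 'nameserver {{ hostvars[ext_gateway].ansible_host }}' > /etc/resolv.conf"
  register: container_dns_configuration
  changed_when: "container_dns_configuration.stdout != 'nameserver {{ hostvars[ext_gateway].ansible_host }}'"

- name: Check if host certificate exists
  container_file_exists:
    name: "{{ vm_name }}"
    path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
  register: vm_ssh_certificate_exists

- name: show host certificate check
  debug:
    var: vm_ssh_certificate_exists
    verbosity: 2

# Host-certificate enrolment: runs only when the container has no certificate
# yet (block-level `when` at the end of the block). The CA hosts in
# groups['cas'] answer a JSON request with a JSON reply; a `failed` field in
# the reply marks a rejected request.
- block:
    - name: Read host public key
      container_file_read:
        name: "{{ vm_name }}"
        path: "/etc/ssh/ssh_host_ed25519_key.pub"
      register: vm_public_key

    - name: show host public key
      debug:
        var: vm_public_key
        verbosity: 2

    - name: generate host request
      set_fact:
        cert_request:
          type: 'sign_request'
          request:
            keyType: 'ssh_host'
            hostName: '{{ vm_name }}'
            keyData: '{{ vm_public_key.text }}'

    - name: show sign request
      debug:
        var: cert_request
        verbosity: 2

    - name: start sign request
      raw: "{{ cert_request | to_json }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      with_items: "{{ groups['cas'] }}"
      register: request_result
      # Evaluated per loop item, so `.stdout` is the item's own output here.
      failed_when: "( request_result.stdout | from_json ).failed"

    - name: show sign request result
      debug:
        var: request_result
        verbosity: 2

    # NOTE(review): a looped `register` normally exposes per-item results under
    # `.results`; the top-level `.stdout` access below looks like it assumes a
    # single CA host — confirm against the CA inventory.
    - name: parse sign request result
      set_fact:
        request_output: "{{ request_result.stdout | string | from_json }}"

    - name: show parsed sign request result
      debug:
        var: request_output
        verbosity: 2

    - name: generate get request
      set_fact:
        get_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - name: show get request
      debug:
        var: get_request
        verbosity: 2

    # The CA requires an out-of-band approval of the request before the
    # certificate can be fetched.
    - name: announce pending sign request
      debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    - name: wait for cert
      raw: "{{ get_request | to_json }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      with_items: "{{ groups['cas'] }}"
      register: cert_result
      # Same shape as the sign request: parse the item's stdout, then check
      # `failed` (the original piped the whole result dict through from_json).
      failed_when: "( cert_result.stdout | from_json ).failed"

    - name: show get request result
      debug:
        var: cert_result
        verbosity: 2

    - name: parse get request result
      set_fact:
        cert_key: "{{ cert_result.stdout | string | from_json }}"

    - name: Write certificate to container
      container_file_write:
        name: "{{ vm_name }}"
        path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
        text: "{{ cert_key.result }}"
      register: set_pub_key
  when: "not vm_ssh_certificate_exists.exists"

- name: update container network configuration
  # grep -F prints the line when eth0 is already manual (no change);
  # otherwise sed rewrites it and stdout is empty.
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
  register: container_network
  changed_when: "container_network.stdout != 'iface eth0 inet manual'"

- name: install packages
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "apt-get install python ssh -y"
  register: install_packages
  # apt-get reports "0 newly installed" when nothing was added.
  changed_when: "install_packages.stdout.find('0 newly installed') == -1"

- name: lookup user ca key
  set_fact:
    # Read from the controller's files/ search path; the value is prefixed with
    # "ssh-rsa " below, so the file is expected to hold only the key blob.
    user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"

- name: Update container user CA key
  container_file_write:
    name: "{{ vm_name }}"
    path: "/etc/ssh/user_ca.pub"
    text: "ssh-rsa {{ user_ca_key }}"
  # Registered because the restart condition below reads
  # `update_user_ca_key.changed`; without it that `when` is undefined.
  register: update_user_ca_key

- name: trust user ca key
  # grep -F prints the directive when already present (no change); otherwise it
  # is appended and stdout is empty.
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'TrustedUserCAKeys /etc/ssh/user_ca.pub' /etc/ssh/sshd_config || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config"
  register: trust_ca_key
  changed_when: "trust_ca_key.stdout != 'TrustedUserCAKeys /etc/ssh/user_ca.pub'"

- name: restart-container
  lxc_container:
    name: "{{ vm_name }}"
    state: restarted
  register: container_restart
  # Restart whenever anything sshd or the network depends on was changed.
  when: set_pub_key.changed or install_packages.changed or update_user_ca_key.changed or trust_ca_key.changed or container_network.changed or container_config.changed or container_dns_configuration.changed

- name: "waiting for ssh on {{ vm_name }} vm to start"
  wait_for:
    host: "{{ hostvars[vm_name]['ansible_host'] }}"
    port: 22
    timeout: 30
  # Probe from the LXC host, which has network reachability to the container.
  delegate_to: "{{ inventory_hostname }}"
  delegate_facts: true

- name: give the container time to settle after a state change
  pause:
    seconds: 20
  when: container_restart.changed or container_running_state.changed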