Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

200 lines
6.1 KiB

- name: check for lxc container dir
stat:
path: '/var/lib/lxc/{{ vm_name }}'
register: lxc_existance
- name: check for lxc container existance
container_exists:
name: "{{ vm_name }}"
register: container_exists
- block:
- name: create the lxc container
lxc_container:
name: "{{ vm_name }}"
backing_store: lvm
fs_size: "{{ vm_size }}"
vg_name: "{{ inventory_hostname }}vg"
lv_name: "vm_{{ vm_name }}"
fs_type: xfs
container_log: true
template: debian
template_options: --release {{ distro }} --packages=ssh,python
# container_command: |
# echo "ssh-rsa {{ user_ca_key }}" > /etc/ssh/user_ca.pub
# echo "TrustedUserCAKeys /etc/ssh/user_ca.pub" >> /etc/ssh/sshd_config
# sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces
state: stopped
- name: deploy container config
template:
src: config.j2
dest: "/var/lib/lxc/{{ vm_name }}/config"
- name: start container
lxc_container:
name: "{{ vm_name }}"
state: started
when: auto_start|bool
when: not (container_exists.exists and lxc_existance.stat.isdir)
- name: update container config
template:
src: config.j2
dest: "/var/lib/lxc/{{ vm_name }}/config"
register: container_config
- name: set container running state
lxc_container:
name: "{{ vm_name }}"
state: "{{ container_state }}"
register: container_running_state
- name: Read container DNS configuration
container_file_read:
name: "{{ vm_name }}"
path: /etc/resolv.conf
register: vm_resolv_conf
- debug:
var: vm_resolv_conf
verbosity: 2
- name: update container DNS configuration
shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep '^nameserver {{ hostvars[ext_gateway].ansible_host }}$' /etc/resolv.conf || echo 'nameserver {{ hostvars[ext_gateway].ansible_host }}' > /etc/resolv.conf"
register: container_dns_configuration
changed_when: "container_dns_configuration.stdout != 'nameserver {{ hostvars[ext_gateway].ansible_host }}'"
- name: Check if host certificate exists
container_file_exists:
name: "{{ vm_name }}"
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: vm_ssh_certificate_exists
- debug:
var: vm_ssh_certificate_exists
verbosity: 2
- block:
- name: Read host public key
container_file_read:
name: "{{ vm_name }}"
path: "/etc/ssh/ssh_host_ed25519_key.pub"
register: vm_public_key
- debug:
var: vm_public_key
verbosity: 2
- name: generate host request
set_fact:
cert_request:
type: 'sign_request'
request:
keyType: 'ssh_host'
hostName: '{{ vm_name }}'
keyData: '{{ vm_public_key.text }}'
- debug:
var: cert_request
verbosity: 2
- name: start sign request
raw: "{{ cert_request | to_json }}"
delegate_to: "{{ item }}"
delegate_facts: True
with_items: "{{ groups['cas'] }}"
register: request_result
failed_when: "( request_result.stdout | from_json ).failed"
- debug:
var: request_result
verbosity: 2
- set_fact:
request_output: "{{ request_result.stdout | string | from_json }}"
- debug:
var: request_output
verbosity: 2
- name: generate get request
set_fact:
get_request:
type: 'get_certificate'
requestID: '{{ request_output.requestID }}'
- debug:
var: get_request
verbosity: 2
- debug:
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
- name: wait for cert
raw: "{{ get_request | to_json }}"
delegate_to: "{{ item }}"
delegate_facts: True
with_items: "{{ groups['cas'] }}"
register: cert_result
failed_when: "(cert_result | from_json).stdout.failed"
- debug:
var: cert_result
verbosity: 2
- set_fact:
cert_key: "{{ cert_result.stdout | string | from_json }}"
- name: Write certificate to container
container_file_write:
name: "{{ vm_name }}"
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
text: "{{ cert_key.result }}"
register: set_pub_key
when: "not vm_ssh_certificate_exists.exists"
- name: update container network configuration
shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
register: container_network
changed_when: "container_network.stdout != 'iface eth0 inet manual'"
- name: install packages
shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "apt-get install python ssh -y"
register: install_packages
changed_when: "install_packages.stdout.find('0 newly installed') == -1"
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
- name: Update container user CA key
container_file_write:
name: "{{ vm_name }}"
path: "/etc/ssh/user_ca.pub"
text: "ssh-rsa {{ user_ca_key }}"
- name: trust user ca key
shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'TrustedUserCAKeys /etc/ssh/user_ca.pub' /etc/ssh/sshd_config || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config"
register: trust_ca_key
changed_when: "trust_ca_key.stdout != 'TrustedUserCAKeys /etc/ssh/user_ca.pub'"
- name: restart-container
lxc_container:
name: "{{ vm_name }}"
state: restarted
register: container_restart
when: set_pub_key.changed or install_packages.changed or update_user_ca_key.changed or trust_ca_key.changed or container_network.changed or container_config.changed or container_dns_configuration.changed
- name: "waiting for ssh on {{ vm_name }} vm to start"
wait_for:
host: "{{ hostvars[vm_name]['ansible_host'] }}"
port: 22
timeout: 30
delegate_to: "{{ inventory_hostname }}"
delegate_facts: True
- pause: seconds=20
when: container_restart.changed or container_running_state.changed