IaC/ansible/roles/hypervisor/tasks/main.yaml

---

- name: Format and mount the libvirt disk if it is not root
  when:
    - hypervisor.device is defined
    - hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))
  ansible.builtin.include_tasks:
    file: libvirt_drive_mount.yaml

- name: Install libvirt packages (Archlinux)
  when: ansible_distribution == 'Archlinux'
  community.general.pacman:
    name: "{{ libvirt_packages['Archlinux'] }}"
    state: present
    update_cache: true

- name: Add user to libvirt group
  ansible.builtin.user:
    name: "{{ ansible_user }}"
    groups:
      - libvirt
      - libvirt-qemu
    append: true

- name: Load br_netfilter kernel module so sysctl flags can be set
  community.general.modprobe:
    name: br_netfilter
    state: present

- name: Set required sysctl flags for bridging
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    reload: true
    state: present
    sysctl_file: /etc/sysctl.d/bridge.conf
    sysctl_set: true
    value: "{{ item.value }}"
  loop:
    - name: net.ipv4.ip_forward
      value: 1
    - name: net.bridge.bridge-nf-call-iptables
      value: 0
    - name: net.bridge.bridge-nf-call-ip6tables
      value: 0
    - name: net.bridge.bridge-nf-call-arptables
      value: 0

- name: Add bridge(s) to qemu_bridge_helper
  when: qemu_bridges is defined
  ansible.builtin.lineinfile:
    path: /etc/qemu/bridge.conf
    line: "{{ item }}"
    state: present
    backup: false
    insertafter: EOF
  loop: "{{ qemu_bridges | default(['virbr0']) }}"

- name: Start and enable libvirt service
  ansible.builtin.service:
    name: libvirtd.service
    state: started
    enabled: true

- name: Stop the default libvirt network
  community.libvirt.virt_net:
    name: default
    state: inactive

- name: Remove default libvirt network
  community.libvirt.virt_net:
    name: default
    state: absent

- name: Remove the default libvirt storage pool
  community.libvirt.virt_pool:
    name: default
    state: deleted

- name: Create standard libvirt storage directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: libvirt-qemu
    group: libvirt-qemu
    mode: '0775'
  loop:
    - /var/lib/libvirt/isos/
    - /var/lib/libvirt/nvram/

- name: Get libvirt storage pool facts
  community.libvirt.virt_pool:
    command: facts

- name: Define the standard libvirt storage pools # TODO add when condition against existing pools
  community.libvirt.virt_pool:
    name: "{{ item.name }}"
    command: define
    xml: "{{ lookup('template', 'dir_libvirt_pool.xml.j2') }}"
  loop:
    - name: isos
      path: /var/lib/libvirt/isos/
    - name: nvram
      path: /var/lib/libvirt/nvram/

- name: Create the standard libvirt storage pools
  community.libvirt.virt_pool:
    name: "{{ item }}"
    command: build
  loop:
    - isos
    - nvram

- name: Start the standard libvirt storage pools
  community.libvirt.virt_pool:
    name: "{{ item }}"
    state: active
    autostart: true
  loop:
    - isos
    - nvram

- name: Setup additional libvirt storage (dir)
  when: hypervisor.storage == 'dir'
  ansible.builtin.include_tasks:
    file: libvirt_dir.yaml

- name: Setup additional libvirt storage (zfs)
  when: hypervisor.storage == 'zfs'
  ansible.builtin.include_tasks:
    file: libvirt_zfs.yaml

# - name: Enroll libvirtd TLS certificate

# - name: Configure libvirtd TLS listener

# - name: Open libvirtd TLS firewall ports
hypervisor refinement 2023-08-10 20:52:27 -04:00			`---`

sshd setup 2023-08-14 08:27:29 -04:00			`- name: Format and mount the libvirt disk if it is not root`
			`when:`
			`- hypervisor.device is defined`
			- hypervisor.device not in (ansible_mounts \| json_query('[?mount == `/var/lib/libvirt`].device'))
			`ansible.builtin.include_tasks:`
			`file: libvirt_drive_mount.yaml`

			`- name: Install libvirt packages (Archlinux)`
			`when: ansible_distribution == 'Archlinux'`
hypervisor refinement 2023-08-10 20:52:27 -04:00			`community.general.pacman:`
sshd setup 2023-08-14 08:27:29 -04:00			`name: "{{ libvirt_packages['Archlinux'] }}"`
hypervisor refinement 2023-08-10 20:52:27 -04:00			`state: present`
			`update_cache: true`

			`- name: Add user to libvirt group`
			`ansible.builtin.user:`
			`name: "{{ ansible_user }}"`
sshd setup 2023-08-14 08:27:29 -04:00			`groups:`
			`- libvirt`
			`- libvirt-qemu`
hypervisor refinement 2023-08-10 20:52:27 -04:00			`append: true`

sshd setup 2023-08-14 08:27:29 -04:00			`- name: Load br_netfilter kernel module so sysctl flags can be set`
			`community.general.modprobe:`
			`name: br_netfilter`
			`state: present`

hypervisor refinement 2023-08-10 20:52:27 -04:00			`- name: Set required sysctl flags for bridging`
			`ansible.posix.sysctl:`
			`name: "{{ item.name }}"`
			`reload: true`
			`state: present`
			`sysctl_file: /etc/sysctl.d/bridge.conf`
			`sysctl_set: true`
sshd setup 2023-08-14 08:27:29 -04:00			`value: "{{ item.value }}"`
hypervisor refinement 2023-08-10 20:52:27 -04:00			`loop:`
			`- name: net.ipv4.ip_forward`
			`value: 1`
			`- name: net.bridge.bridge-nf-call-iptables`
			`value: 0`
			`- name: net.bridge.bridge-nf-call-ip6tables`
			`value: 0`
			`- name: net.bridge.bridge-nf-call-arptables`
			`value: 0`

			`- name: Add bridge(s) to qemu_bridge_helper`
			`when: qemu_bridges is defined`
			`ansible.builtin.lineinfile:`
			`path: /etc/qemu/bridge.conf`
			`line: "{{ item }}"`
			`state: present`
			`backup: false`
			`insertafter: EOF`
			`loop: "{{ qemu_bridges \| default(['virbr0']) }}"`

			`- name: Start and enable libvirt service`
			`ansible.builtin.service:`
			`name: libvirtd.service`
			`state: started`
			`enabled: true`

			`- name: Stop the default libvirt network`
			`community.libvirt.virt_net:`
			`name: default`
			`state: inactive`

			`- name: Remove default libvirt network`
			`community.libvirt.virt_net:`
			`name: default`
			`state: absent`

			`- name: Remove the default libvirt storage pool`
			`community.libvirt.virt_pool:`
			`name: default`
			`state: deleted`

			`- name: Create standard libvirt storage directories`
			`ansible.builtin.file:`
			`path: "{{ item }}"`
			`state: directory`
			`owner: libvirt-qemu`
			`group: libvirt-qemu`
			`mode: '0775'`
			`loop:`
			`- /var/lib/libvirt/isos/`
			`- /var/lib/libvirt/nvram/`

			`- name: Get libvirt storage pool facts`
			`community.libvirt.virt_pool:`
			`command: facts`

sshd setup 2023-08-14 08:27:29 -04:00			`- name: Define the standard libvirt storage pools # TODO add when condition against existing pools`
hypervisor refinement 2023-08-10 20:52:27 -04:00			`community.libvirt.virt_pool:`
			`name: "{{ item.name }}"`
			`command: define`
sshd setup 2023-08-14 08:27:29 -04:00			`xml: "{{ lookup('template', 'dir_libvirt_pool.xml.j2') }}"`
hypervisor refinement 2023-08-10 20:52:27 -04:00			`loop:`
			`- name: isos`
			`path: /var/lib/libvirt/isos/`
			`- name: nvram`
			`path: /var/lib/libvirt/nvram/`

			`- name: Create the standard libvirt storage pools`
			`community.libvirt.virt_pool:`
			`name: "{{ item }}"`
			`command: build`
			`loop:`
			`- isos`
			`- nvram`

			`- name: Start the standard libvirt storage pools`
			`community.libvirt.virt_pool:`
			`name: "{{ item }}"`
			`state: active`
			`autostart: true`
			`loop:`
			`- isos`
			`- nvram`

			`- name: Setup additional libvirt storage (dir)`
			`when: hypervisor.storage == 'dir'`
			`ansible.builtin.include_tasks:`
			`file: libvirt_dir.yaml`

			`- name: Setup additional libvirt storage (zfs)`
			`when: hypervisor.storage == 'zfs'`
			`ansible.builtin.include_tasks:`
			`file: libvirt_zfs.yaml`

			`# - name: Enroll libvirtd TLS certificate`

			`# - name: Configure libvirtd TLS listener`

			`# - name: Open libvirtd TLS firewall ports`