diff --git a/ansible/roles/firewall/defaults/main.yml b/ansible/roles/firewall/defaults/main.yml
index 325619a..1583965 100644
--- a/ansible/roles/firewall/defaults/main.yml
+++ b/ansible/roles/firewall/defaults/main.yml
@@ -1,2 +1,4 @@
 ---
-firewall_package: ufw
\ No newline at end of file
+firewall_package: ufw
+firewall_ssh_interface: br22
+firewall_spice_interface: br22
\ No newline at end of file
diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml
index 053b899..0da9955 100644
--- a/ansible/roles/firewall/tasks/main.yml
+++ b/ansible/roles/firewall/tasks/main.yml
@@ -5,6 +5,54 @@
 name: "{{ firewall_package }}"
 state: latest
 update_cache: true
- reason: explicit
 when:
- - ansible_os_family == 'Arch'
\ No newline at end of file
+ - ansible_os_family == 'Arch'
+
+- name: start ufw in allow mode
+ become: true
+ community.general.ufw:
+ policy: allow
+ state: enabled
+
+- name: start and enable ufw service
+ become: true
+ ansible.builtin.service:
+ name: ufw.service
+ state: started
+ enabled: yes
+
+- name: add ssh rules
+ become: true
+ community.general.ufw:
+ comment: SSH access
+ rule: allow
+ to_port: '22'
+ proto: tcp
+ interface: "{{ firewall_ssh_interface }}"
+ direction: in
+ src: '{{ item }}'
+ loop:
+ - 192.168.20.0/24
+ - 192.168.72.0/24
+ - 2406:e001:a:cb20::/64
+
+- name: add spice rules
+ become: true
+ community.general.ufw:
+ comment: SPICE access to guests
+ rule: allow
+ to_port: 5901:5904
+ proto: tcp
+ interface: "{{ firewall_spice_interface }}"
+ direction: in
+ src: '{{ item }}'
+ loop:
+ - 192.168.20.0/24
+ - 192.168.72.0/24
+ - 2406:e001:a:cb20::/64
+
+- name: restore default deny policy
+ become: true
+ community.general.ufw:
+ policy: deny
+ logging: low
\ No newline at end of file
diff --git a/ansible/roles/libvirt-server/defaults/main.yml b/ansible/roles/libvirt-server/defaults/main.yml
index 5d40a60..7ccc28b 100644
--- a/ansible/roles/libvirt-server/defaults/main.yml
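Review bot: The host sits at `policy: allow` from "start ufw in allow mode" until "restore default deny policy" five tasks later, so on every re-run an existing deny default is opened for the duration of the rule tasks, and a failure in any of them (a typo in a CIDR, `br22` not present) leaves the firewall enabled with an allow-all policy. ufw accepts `allow` rules while still disabled, so drop the first task and let the last one bring the firewall up once the rules are persisted: add `state: enabled` under `policy: deny` / `logging: low` in "restore default deny policy" (the `ansible.builtin.service` task can stay after it). Two smaller points on the same hunk: `enabled: yes` should be `enabled: true`, and `to_port: 5901:5904` should be quoted like the `'22'` above it so the colon-separated range is never re-typed by the YAML loader.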
+++ b/ansible/roles/libvirt-server/defaults/main.yml @@ -8,6 +8,12 @@ libvirt_server_packages: - swtpm libvirt_zfs_pool_name: zfs +libvirt_zfs_pool_path: ssd/vhds + libvirt_iso_pool_name: iso +libvirt_iso_pool_path: /iso + libvirt_qcow_pool_name: qcow -libvirt_vm_network_name: br22 \ No newline at end of file +libvirt_qcow_pool_path: /qcow + +libvirt_cluster_network_name: cluster \ No newline at end of file diff --git a/ansible/roles/libvirt-server/tasks/main.yml b/ansible/roles/libvirt-server/tasks/main.yml index 9602672..06c3003 100644 --- a/ansible/roles/libvirt-server/tasks/main.yml +++ b/ansible/roles/libvirt-server/tasks/main.yml 
@@ -23,28 +23,56 @@ state: started enabled: yes -- name: define vm network +- name: define vm cluster network + libvirt_network_name: "{{ libvirt_cluster_network_name }}" + libvirt_network_domain: "{{ libvirt_cluster_network_name }}" community.libvirt.virt_net: - name: "{{ libvirt_vm_network_name }}" + name: "{{ libvirt_cluster_network_name }}" command: define xml: '{{ lookup("template", "network.xml.j2") }}' -- name: build vm network +- name: build vm cluster network community.libvirt.virt_net: - name: "{{ libvirt_vm_network_name }}" + name: "{{ libvirt_cluster_network_name }}" command: build -- name: start vm network +- name: start vm cluster network community.libvirt.virt_net: - name: "{{ libvirt_vm_network_name }}" + name: "{{ libvirt_cluster_network_name }}" state: active autostart: true +- name: remove default libvirt network + community.libvirt.virt_net: + name: default + state: absent + +- name: create libvirt zfs dataset + community.general.zfs: + name: "{{ libvirt_zfs_pool_path }}" + state: present + extra_zfs_properties: + - canmount: off + - mountpoint: none + - compression: off + - primarycache: metadata + - secondarycache: none + - reservation: none + - refreservation: none + - dedup: off + - encryption: off + - volmode: dev + - devices: off + - atime: off + - name: define zfs storage pool + libvirt_pool_type: zfs + libvirt_pool_name: "{{ libvirt_zfs_pool_name }}" + libvirt_pool_path: "{{ libvirt_zfs_pool_path }}" community.libvirt.virt_pool: name: "{{ libvirt_zfs_pool_name }}" command: define - xml: '{{ lookup("template", "zfs.xml.j2") }}' + xml: '{{ lookup("template", "pool.xml.j2") }}' - name: build zfs storage pool community.libvirt.virt_pool: 
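Review bot: `libvirt_network_name:` and `libvirt_network_domain:` in "define vm cluster network", and `libvirt_pool_type:` / `libvirt_pool_name:` / `libvirt_pool_path:` in "define zfs storage pool", are written directly at task level, where Ansible treats them as task attributes and aborts with "is not a valid attribute for a Task" instead of exposing them to the template lookup; they have to sit under `vars:`. In "create libvirt zfs dataset", `extra_zfs_properties` is a list of one-key mappings while `community.general.zfs` declares that option as a dict, and the bare `off` values are YAML 1.1 booleans that reach the module as `False` rather than the string `off` — quote them as `'off'`, as the module's own examples do. That task also runs `zfs create`, which needs root, yet unlike the later directory tasks it carries no `become: true`, so it only works if the whole play is already privileged. "remove default libvirt network" sets `state: absent` on a network that is normally active after install; whether the module deactivates it first depends on the collection version, so please confirm on a fresh host.

```yaml
- name: define vm cluster network
  vars:
    libvirt_network_name: "{{ libvirt_cluster_network_name }}"
    libvirt_network_domain: "{{ libvirt_cluster_network_name }}"
  community.libvirt.virt_net:
    # … unchanged: name / command / xml …

# … unchanged: build and start network, remove default network …

- name: create libvirt zfs dataset
  become: true
  community.general.zfs:
    name: "{{ libvirt_zfs_pool_path }}"
    state: present
    extra_zfs_properties:
      canmount: 'off'
      mountpoint: none
      compression: 'off'
      primarycache: metadata
      secondarycache: none
      reservation: none
      refreservation: none
      dedup: 'off'
      encryption: 'off'
      volmode: dev
      devices: 'off'
      atime: 'off'

- name: define zfs storage pool
  vars:
    libvirt_pool_type: zfs
    libvirt_pool_name: "{{ libvirt_zfs_pool_name }}"
    libvirt_pool_path: "{{ libvirt_zfs_pool_path }}"
  community.libvirt.virt_pool:
    # … unchanged: name / command / xml …
```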
@@ -57,11 +85,23 @@ state: active autostart: true +- name: create iso storage dir + become: true + ansible.builtin.file: + path: "{{ libvirt_iso_pool_path }}" + state: directory + owner: root + group: libvirt + mode: 0775 + - name: define iso storage pool + libvirt_pool_type: dir + libvirt_pool_name: "{{ libvirt_iso_pool_name }}" + libvirt_pool_path: "{{ libvirt_iso_pool_path }}" community.libvirt.virt_pool: name: "{{ libvirt_iso_pool_name }}" command: define - xml: '{{ lookup("template", "iso.xml.j2") }}' + xml: '{{ lookup("template", "pool.xml.j2") }}' - name: build iso storage pool community.libvirt.virt_pool: @@ -74,11 +114,23 @@ state: active autostart: true +- name: create qcow storage dir + become: true + ansible.builtin.file: + path: "{{ libvirt_qcow_pool_path }}" + state: directory + owner: root + group: libvirt + mode: 0775 + - name: define qcow storage pool + libvirt_pool_type: dir + libvirt_pool_name: "{{ libvirt_qcow_pool_name }}" + libvirt_pool_path: "{{ libvirt_qcow_pool_path }}" community.libvirt.virt_pool: name: "{{ libvirt_qcow_pool_name }}" command: define - xml: '{{ lookup("template", "qcow.xml.j2") }}' + xml: '{{ lookup("template", "pool.xml.j2") }}' - name: build qcow storage pool community.libvirt.virt_pool: diff --git a/ansible/roles/libvirt-server/templates/iso.xml.j2 b/ansible/roles/libvirt-server/templates/iso.xml.j2 deleted file mode 100644 index f39f621..0000000 --- a/ansible/roles/libvirt-server/templates/iso.xml.j2 +++ /dev/null @@ -1,17 +0,0 @@ - - iso - c7be6440-728c-4181-b7e8-68bf3094740a - 208525328384 - 31027101696 - 177498226688 - - - - /mnt/smb/isos - - 0755 - 1000 - 1000 - - - \ No newline at end of file diff --git a/ansible/roles/libvirt-server/templates/network.xml.j2 b/ansible/roles/libvirt-server/templates/network.xml.j2 index 2827dae..3924073 100644 --- a/ansible/roles/libvirt-server/templates/network.xml.j2 +++ b/ansible/roles/libvirt-server/templates/network.xml.j2 
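Review bot: `libvirt_pool_type: dir`, `libvirt_pool_name:` and `libvirt_pool_path:` in "define iso storage pool" are task-level keys, which Ansible rejects as unknown task attributes instead of passing them to the `pool.xml.j2` lookup; indent the three under a new `vars:` line in that task. The directory task above it uses `mode: 0775`, which a YAML 1.1 loader reads as the octal integer 509 — Ansible happens to accept that, but `mode: '0775'` is the documented, loader-proof form.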
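Review bot: "create qcow storage dir" makes `/qcow` group-writable for `libvirt` (`mode: 0775`), the same group libvirt clients use, so every member can replace disk images the pool attaches to guests without going through libvirt at all; unless that group is already trusted with full VM management, `mode: '0755'` with the existing `owner: root` is the tighter default, and the quoted form also avoids the YAML 1.1 octal-integer reading of `0775`. "define qcow storage pool" has the same task-level `libvirt_pool_*` keys as the iso pool task; they need to move under a `vars:` line as well.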
@@ -1,12 +1,4 @@ - default - ea5ab2e3-1c95-49de-af3b-131a836f4b7b - - - - - - - - + {{ libvirt_network_name }} + \ No newline at end of file diff --git a/ansible/roles/libvirt-server/templates/pool.xml.j2 b/ansible/roles/libvirt-server/templates/pool.xml.j2 new file mode 100644 index 0000000..5c3064a --- /dev/null +++ b/ansible/roles/libvirt-server/templates/pool.xml.j2 @@ -0,0 +1,6 @@ + + {{ libvirt_pool_name }} + + {{ libvirt_pool_path }} + + diff --git a/ansible/roles/libvirt-server/templates/qcow.xml.j2 b/ansible/roles/libvirt-server/templates/qcow.xml.j2 deleted file mode 100644 index e69de29..0000000 diff --git a/ansible/roles/libvirt-server/templates/zfs.xml.j2 b/ansible/roles/libvirt-server/templates/zfs.xml.j2 deleted file mode 100644 index 9a03618..0000000 --- a/ansible/roles/libvirt-server/templates/zfs.xml.j2 +++ /dev/null @@ -1,13 +0,0 @@ - - zfs-nvme - 026cccc9-ee79-467a-bf19-91e6f3d2531d - 498216206336 - 185811460096 - 312404746240 - - nvme/vhds - - - /dev/zvol/nvme/vhds - -
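Review bot: `pool.xml.j2` as shown interpolates only `libvirt_pool_name` and `libvirt_pool_path`, yet the tasks set `libvirt_pool_type` to `zfs` for one pool and `dir` for the others, and the deleted `zfs.xml.j2` carried the dataset name (`nvme/vhds`) and the `/dev/zvol/...` target path as two separate elements. If the shared template puts `{{ libvirt_pool_path }}` only into the target path, the zfs pool definition loses its source dataset and `ssd/vhds` is not a usable filesystem path; the template needs `type='{{ libvirt_pool_type }}'` on the pool element and a `{% if libvirt_pool_type == 'zfs' %}` branch emitting `<source><name>{{ libvirt_pool_path }}</name></source>`. The XML markup was stripped in this view, so this may already be handled — please check the rendered definition with `virsh pool-dumpxml zfs`.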