michael/IaC
1
0
Fork 0
Code Packages

libvirt and firewall additions

Browse Source
This commit is contained in:
michael 2022-09-05 15:28:28 +12:00
parent 21679647c6
commit 140749e34c
9 changed files with 129 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ansible/roles/firewall/defaults/main.yml
View File

@ -1,2 +1,4 @@
--- ---
firewall_package: ufw firewall_package: ufw
firewall_ssh_interface: br22
firewall_spice_interface: br22

50
ansible/roles/firewall/tasks/main.yml
View File

@ -5,6 +5,54 @@
name: "{{ firewall_package }}" name: "{{ firewall_package }}"
state: latest state: latest
update_cache: true update_cache: true
reason: explicit
when: when:
- ansible_os_family == 'Arch' - ansible_os_family == 'Arch'
- name: start ufw in allow mode
become: true
community.general.ufw:
policy: allow
state: enabled
- name: start and enable ufw service
become: true
ansible.builtin.service:
name: ufw.service
state: started
enabled: yes
- name: add ssh rules
become: true
community.general.ufw:
comment: SSH access
rule: allow
to_port: '22'
proto: tcp
interface: "{{ firewall_ssh_interface }}"
direction: in
src: '{{ item }}'
loop:
- 192.168.20.0/24
- 192.168.72.0/24
- 2406:e001:a:cb20::/64
- name: add spice rules
become: true
community.general.ufw:
comment: SPICE access to guests
rule: allow
to_port: 5901:5904
proto: tcp
interface: "{{ firewall_spice_interface }}"
direction: in
src: '{{ item }}'
loop:
- 192.168.20.0/24
- 192.168.72.0/24
- 2406:e001:a:cb20::/64
- name: restore default deny policy
become: true
community.general.ufw:
policy: deny
logging: low

8
ansible/roles/libvirt-server/defaults/main.yml
View File

@ -8,6 +8,12 @@ libvirt_server_packages:
- swtpm - swtpm
libvirt_zfs_pool_name: zfs libvirt_zfs_pool_name: zfs
libvirt_zfs_pool_path: ssd/vhds
libvirt_iso_pool_name: iso libvirt_iso_pool_name: iso
libvirt_iso_pool_path: /iso
libvirt_qcow_pool_name: qcow libvirt_qcow_pool_name: qcow
libvirt_vm_network_name: br22 libvirt_qcow_pool_path: /qcow
libvirt_cluster_network_name: cluster

70
ansible/roles/libvirt-server/tasks/main.yml
View File

@ -23,28 +23,56 @@
state: started state: started
enabled: yes enabled: yes
- name: define vm network - name: define vm cluster network
libvirt_network_name: "{{ libvirt_cluster_network_name }}"
libvirt_network_domain: "{{ libvirt_cluster_network_name }}"
community.libvirt.virt_net: community.libvirt.virt_net:
name: "{{ libvirt_vm_network_name }}" name: "{{ libvirt_cluster_network_name }}"
command: define command: define
xml: '{{ lookup("template", "network.xml.j2") }}' xml: '{{ lookup("template", "network.xml.j2") }}'
- name: build vm network - name: build vm cluster network
community.libvirt.virt_net: community.libvirt.virt_net:
name: "{{ libvirt_vm_network_name }}" name: "{{ libvirt_cluster_network_name }}"
command: build command: build
- name: start vm network - name: start vm cluster network
community.libvirt.virt_net: community.libvirt.virt_net:
name: "{{ libvirt_vm_network_name }}" name: "{{ libvirt_cluster_network_name }}"
state: active state: active
autostart: true autostart: true
- name: remove default libvirt network
community.libvirt.virt_net:
name: default
state: absent
- name: create libvirt zfs dataset
community.general.zfs:
name: "{{ libvirt_zfs_pool_path }}"
state: present
extra_zfs_properties:
- canmount: off
- mountpoint: none
- compression: off
- primarycache: metadata
- secondarycache: none
- reservation: none
- refreservation: none
- dedup: off
- encryption: off
- volmode: dev
- devices: off
- atime: off
- name: define zfs storage pool - name: define zfs storage pool
libvirt_pool_type: zfs
libvirt_pool_name: "{{ libvirt_zfs_pool_name }}"
libvirt_pool_path: "{{ libvirt_zfs_pool_path }}"
community.libvirt.virt_pool: community.libvirt.virt_pool:
name: "{{ libvirt_zfs_pool_name }}" name: "{{ libvirt_zfs_pool_name }}"
command: define command: define
xml: '{{ lookup("template", "zfs.xml.j2") }}' xml: '{{ lookup("template", "pool.xml.j2") }}'
- name: build zfs storage pool - name: build zfs storage pool
community.libvirt.virt_pool: community.libvirt.virt_pool:
@ -57,11 +85,23 @@
state: active state: active
autostart: true autostart: true
- name: create iso storage dir
become: true
ansible.builtin.file:
path: "{{ libvirt_iso_pool_path }}"
state: directory
owner: root
group: libvirt
mode: 0775
- name: define iso storage pool - name: define iso storage pool
libvirt_pool_type: dir
libvirt_pool_name: "{{ libvirt_iso_pool_name }}"
libvirt_pool_path: "{{ libvirt_iso_pool_path }}"
community.libvirt.virt_pool: community.libvirt.virt_pool:
name: "{{ libvirt_iso_pool_name }}" name: "{{ libvirt_iso_pool_name }}"
command: define command: define
xml: '{{ lookup("template", "iso.xml.j2") }}' xml: '{{ lookup("template", "pool.xml.j2") }}'
- name: build iso storage pool - name: build iso storage pool
community.libvirt.virt_pool: community.libvirt.virt_pool:
@ -74,11 +114,23 @@
state: active state: active
autostart: true autostart: true
- name: create qcow storage dir
become: true
ansible.builtin.file:
path: "{{ libvirt_qcow_pool_path }}"
state: directory
owner: root
group: libvirt
mode: 0775
- name: define qcow storage pool - name: define qcow storage pool
libvirt_pool_type: dir
libvirt_pool_name: "{{ libvirt_qcow_pool_name }}"
libvirt_pool_path: "{{ libvirt_qcow_pool_path }}"
community.libvirt.virt_pool: community.libvirt.virt_pool:
name: "{{ libvirt_qcow_pool_name }}" name: "{{ libvirt_qcow_pool_name }}"
command: define command: define
xml: '{{ lookup("template", "qcow.xml.j2") }}' xml: '{{ lookup("template", "pool.xml.j2") }}'
- name: build qcow storage pool - name: build qcow storage pool
community.libvirt.virt_pool: community.libvirt.virt_pool:

17
ansible/roles/libvirt-server/templates/iso.xml.j2
View File

@ -1,17 +0,0 @@
<pool type="dir">
<name>iso</name>
<uuid>c7be6440-728c-4181-b7e8-68bf3094740a</uuid>
<capacity unit="bytes">208525328384</capacity>
<allocation unit="bytes">31027101696</allocation>
<available unit="bytes">177498226688</available>
<source>
</source>
<target>
<path>/mnt/smb/isos</path>
<permissions>
<mode>0755</mode>
<owner>1000</owner>
<group>1000</group>
</permissions>
</target>
</pool>

12
ansible/roles/libvirt-server/templates/network.xml.j2
View File

@ -1,12 +1,4 @@
<network> <network>
<name>default</name> <name>{{ libvirt_network_name }}</name>
<uuid>ea5ab2e3-1c95-49de-af3b-131a836f4b7b</uuid> <domain name="{{ libvirt_network_domain }}"/>
<forward mode="nat"/>
<bridge name="virbr0" stp="on" delay="0"/>
<mac address="52:54:00:63:57:8d"/>
<ip address="192.168.122.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.122.2" end="192.168.122.254"/>
</dhcp>
</ip>
</network> </network>

6
ansible/roles/libvirt-server/templates/pool.xml.j2 Normal file
View File

@ -0,0 +1,6 @@
<pool type="{{ libvirt_pool_type }}">
<name>{{ libvirt_pool_name }}</name>
<source>
<name>{{ libvirt_pool_path }}</name>
</source>
</pool>

0
ansible/roles/libvirt-server/templates/qcow.xml.j2
View File

13
ansible/roles/libvirt-server/templates/zfs.xml.j2
View File

@ -1,13 +0,0 @@
<pool type="zfs">
<name>zfs-nvme</name>
<uuid>026cccc9-ee79-467a-bf19-91e6f3d2531d</uuid>
<capacity unit="bytes">498216206336</capacity>
<allocation unit="bytes">185811460096</allocation>
<available unit="bytes">312404746240</available>
<source>
<name>nvme/vhds</name>
</source>
<target>
<path>/dev/zvol/nvme/vhds</path>
</target>
</pool>