michael/IaC
1
0
Fork 0
Code Packages

Compare commits

base: michael:cffbcaea8cb1f5a6468d84d0714670002bd2713f
Branches Tags
michael:main
..
compare: michael:a2ec933cf834bdf34211fec54559633229e51d1b
Branches Tags
michael:main

No commits in common. "cffbcaea8cb1f5a6468d84d0714670002bd2713f" and "a2ec933cf834bdf34211fec54559633229e51d1b" have entirely different histories.
cffbcaea8c ... a2ec933cf8

25 changed files with 164 additions and 306 deletions
Show Stats Expand all files Collapse all files

23
ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml
View File

@ -1,7 +1,16 @@
$ANSIBLE_VAULT;1.1;AES256
ansible_connection: ssh 30653030376238643536303332376530306565363333613230303263653935626332383862646539
ansible_host: 192.168.1.250 3739623265323837613333343363343461353837643637650a616637656563313265636366616134
ansible_fqdn: hv00.balsillie.house 61636335613330393239656262663735316365613435303766643964353964666537353338646666
ansible_port: 22 3536363034316632390a363234343466363937613631316130333566313037306636386130303137
ansible_become_method: sudo 33366462303461393866633233643033356231343232313832636335336232383234626163623533
static_fqdn: hv00.balsillie.house 64656339346264306265353839373362373034306261316238346365373639326566313866363263
62613639313566373233303734666331633038383638316361353838313634383163626563333137
62393835663963646431353431396238663062363031613735623937373835383630653165373634
32356365363162333661323765333236363934636461366664666431333338326362656439366339
62313265616666386164343336623032386536343134336232613164363236656236646332356335
36643362613832656666376233363436313030626566356134306533643862333536336662653630
32663936333434346530343639383330633538306536346432333136393765316366356362353735
30636536333436346166616232643238373964306139313265623934616636663234336162306338
34343934613136623837353436353462303036643837656636386533333266663265643538633333
373133383866666465383332373336343739

13
ansible/inventory/host_vars/hv00.balsillie.house/credentials.yaml
View File

@ -1,13 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
65303065306531633065386131316639323033623166636331386435393231623763356336646337
3430333966353561336334333332343130643065323663610a393664353431623037363731373837
61653866666536383365393434613933393437343135346430643136396236313138613762316438
3439303064366639380a316563666330306636613734666136633066656234363936623536383130
65363364393937343231346133343435383336366464666661663432663663316337356637643165
34303238653334663764633534393237643639636435633436353862663533346634396339343935
34396363306461623564623566356139613564633136313965386337373138316365383732663139
34396438636436376566323435316430376261323835303231663735373465326666666161616330
33663132613733663337393636643736313863643566343366633032396134303462656162376432
62666563376663323537396638306233346238306434643434366131656438303035666265613336
37336135373061393036326633333137356531303038613061373638306435396135383365323265
33623061633139626431

1
ansible/inventory/host_vars/hv00.balsillie.house/hypervisor.yaml
View File

@ -1,5 +1,6 @@
hypervisor: hypervisor:
storage: dir storage: dir
device: /dev/sda
qemu_bridges: qemu_bridges:
- br0 - br0

16
ansible/inventory/host_vars/hv00.balsillie.house/sshd_setup.yaml
View File

@ -1,16 +0,0 @@
sshd:
config_path: home
auth:
pubkey: 'yes'
password: 'no'
empty: 'no'
listen:
port: '22'
family: inet
ipv4:
- '192.168.1.250'
- '10.192.110.100'
forwarding:
agent: 'no'
x11: 'no'
nickname: vault

10
ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml
View File

@ -8,7 +8,7 @@ systemd_networkd_configs:
- name: 00-eth2.link - name: 00-eth2.link
src: ethernet.link.j2 src: ethernet.link.j2
mac_address: 64-62-66-21-e9-c5 mac_address: 64-62-66-21-e9-c5
- name: 00-wan.link - name: 00-eth3.link
src: ethernet.link.j2 src: ethernet.link.j2
mac_address: 64-62-66-21-e9-c6 mac_address: 64-62-66-21-e9-c6
- name: 01-eth0.network - name: 01-eth0.network
@ -47,10 +47,10 @@ systemd_networkd_configs:
- 210 - 210
- 220 - 220
- 230 - 230
- name: 01-wan.network - name: 01-eth3.network
src: ethernet.network.j2 src: ethernet.network.j2
mac_address: 64-62-66-21-e9-c6 mac_address: 64-62-66-21-e9-c6
arp: true arp: false
lldp: false lldp: false
dhcp: true dhcp: true
- name: 10-br0.netdev - name: 10-br0.netdev
@ -63,7 +63,7 @@ systemd_networkd_configs:
dhcp: false dhcp: false
lldp: true lldp: true
vlans: vlans:
- 110 - vlan110
- name: 20-vlan110.netdev - name: 20-vlan110.netdev
src: vlan.netdev.j2 src: vlan.netdev.j2
vlan_id: 110 vlan_id: 110
@ -74,7 +74,7 @@ systemd_networkd_configs:
dhcp: false dhcp: false
address: address:
ipv4: ipv4:
- 10.192.110.100/24 - 10.192.110.1/24
gateway: gateway:
ipv4: 10.192.110.254 ipv4: 10.192.110.254
nameserver: nameserver:

0
ansible/inventory/host_vars/localhost_bak/localhost.yaml → ansible/inventory/host_vars/localhost/localhost.yaml
View File

13
ansible/inventory/host_vars/localhost/vault.yaml Normal file
View File

@ -0,0 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256
32663239363537353936346439323334373561303531343365356338626336626237386562376335
3637303166393236323236623637613632313831373065620a646639336130613534666633643633
33393032356261393764646166643465366164356236666464333439333039633934643732616666
6537396433663666650a316266393334656534323135643939336662626563646461363131336437
32383963366163323065376230633366383830626539396563323661643266643139316334616237
35633264626637346635613262383236396530313335346139653239316433646338613339303638
65326134306438333265636337376538313337356164663865653036343666353335663336376463
61616465333461656461313464623635336533363132626534373230633139373064636634613136
33633134313538326662323534386533363833326337383837393036653637663561323837373162
32613733353637313862323837653663343134323761363339333032383239643633666632663563
39366362663334316634346339663337386439386162636639393137306138303163333538616664
64333366663134356435

32
ansible/playbooks/vp2420.yaml
View File

@ -4,38 +4,22 @@
# Systemd networking # Systemd networking
# - name: Setup systemd-networkd - name: Setup systemd-networkd
# hosts: hv00.balsillie.house hosts: hv00.balsillie.house
# become: true become: true
# roles: roles:
# - name: systemd_networkd - name: systemd_networkd
# vars: vars:
# ansible_host: 192.168.1.106 ansible_host: 192.168.1.106
# Serial console # Serial console
# - name: Setup serial console # - name: Setup serial console
# hosts: hv00.balsillie.house # hosts: hv00_balsillie_house
# become: true # become: true
# roles: # roles:
# - name: serial_console # - name: serial_console
# Hypervisor setup # Hypervisor setup
# - name: Configure hypervisor
# hosts: hv00.balsillie.house
# gather_facts: true
# become: true
# roles:
# - name: hypervisor
# SSHd setup
- name: Configure sshd
hosts: hv00.balsillie.house
gather_facts: true
become: true
roles:
- name: sshd_setup
# VM setup # VM setup

40
ansible/roles/archinstall/tasks/main.yml
View File

@ -39,7 +39,7 @@
# pacstrap # pacstrap
# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup # pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup
# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils # sbctl fwupd fwupd-efi dmidecode udisks2
# gen fstab # gen fstab
# genfstab -L /mnt/root >> /mnt/root/etc/fstab # genfstab -L /mnt/root >> /mnt/root/etc/fstab
@ -51,11 +51,6 @@
# set hostname # set hostname
# echo hv00 > /etc/hostname # echo hv00 > /etc/hostname
# TODO add entries to /etc/hosts
# 127.0.0.1 localhost
# ::1 localhost
# 127.0.1.1 static_fqdn
# link timezone # link timezone
# ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime # ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime
@ -70,8 +65,6 @@
# locale-gen # locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf # echo LANG=en_US.UTF-8 > /etc/locale.conf
# uncomment wheel group in /etc/sudoers # uncomment wheel group in /etc/sudoers
# sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers # sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers
@ -86,39 +79,8 @@
# echo 'cryptdevice=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline # echo 'cryptdevice=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline # echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# create a default systemd-networkd config
# enable systemd-networkd
# enable sshd
# enable ufw service
# enable ufw firewall
# create ufw config to allow ssh port 22
# modify mkinitcpio for encryption # modify mkinitcpio for encryption
# old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck) # old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
# new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck) # new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
# sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf # sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf
# geneate sb keys with sbctl
# keys go to /usr/share/secureboot/keys/db/db.pem
# enroll sbctl keys
# add console= option to cmdline file
# create initcpio post hook /etc/initcpio/post/uki-sbsign
# make /etc/initcpio/post/uki-sbsign executable
# chmod +x /etc/initcpio/post/uki-sbsign
# make initcpio
# mkinitcpio -p linux-lts
# vfio and iommu
# add 'intel_iommu=on iommu=pt' to kernel cmdline
# add vfio binding
# vp2420 iGPU = 8086:4555
# add vfio-pci ids to /etc/kernel/cmdline
# vfio-pci.ids=8086:4555
# add vfio modules to mkinitcpio.conf
# MODULES=(vfio_pci vfio vfio_iommu_type1)
# ensure modconf hook is in mkinitcpio.conf
# HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)

28
ansible/roles/hypervisor/defaults/main.yaml
View File

@ -1,20 +1,16 @@
libvirt_packages: libvirt_packages:
Archlinux: arch:
- qemu-base qemu-base
- openbsd-netcat openbsd-netcat
- swtpm swtpm
- gettext gettext
- libvirt libvirt
- libvirt-python libvirt-python
- python-lxml
hypervisor: hypervisor:
storage: dir storage: dir
device: /dev/sdb device: /dev/sda
datasets:
# hypervisor: - name: tank/vhds
# storage: zfs compression: lz4
# datasets: encryption: 'off'
# - name: tank/vhds
# compression: lz4
# encryption: 'off'

7
ansible/roles/hypervisor/tasks/libvirt_dir.yaml
View File

@ -1,5 +1,12 @@
--- ---
- name: Format and mount the libvirt disk if it is not root
when:
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/`].device'))
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))
ansible.builtin.include_tasks:
file: libvirt_dir_mount.yaml
- name: Create the libvirt storage directories - name: Create the libvirt storage directories
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"

37
ansible/roles/hypervisor/tasks/libvirt_drive_mount.yaml → ansible/roles/hypervisor/tasks/libvirt_dir_mount.yaml
View File

@ -12,8 +12,6 @@
part_start: 0% part_start: 0%
state: present state: present
# TODO disk encryption
- name: Format filesystem - name: Format filesystem
community.general.filesystem: community.general.filesystem:
device: "{{ hypervisor.device }}1" device: "{{ hypervisor.device }}1"
@ -21,24 +19,12 @@
resizefs: true resizefs: true
state: present state: present
- name: Get list of services - name: Stop the libvirt service
ansible.builtin.service_facts:
- name: Stop the libvirt services
when: item in ansible_facts.services
ansible.builtin.service: ansible.builtin.service:
name: "{{ item }}" name: libvirtd
state: stopped state: stopped
loop:
- libvirtd.service
- name: Check if libvirt storage directory exists
ansible.builtin.stat:
path: /var/lib/libvirt/
register: libvirt_storage
- name: Temp mount and copy block - name: Temp mount and copy block
when: libvirt_storage.stat.exists
block: block:
- name: Temporarily mount hypervisor storage - name: Temporarily mount hypervisor storage
@ -56,6 +42,13 @@
remote_src: true remote_src: true
mode: preserve mode: preserve
always:
- name: Unmount from temporary mount point
ansible.posix.mount:
path: /mnt/libvirt_temp/
state: absent
- name: Remove existing libvirt storage - name: Remove existing libvirt storage
ansible.builtin.file: ansible.builtin.file:
path: /var/lib/libvirt/ path: /var/lib/libvirt/
@ -67,13 +60,6 @@
- absent - absent
- directory - directory
always:
- name: Unmount from temporary mount point
ansible.posix.mount:
path: /mnt/libvirt_temp/
state: absent
- name: Mount hypervisor storage - name: Mount hypervisor storage
ansible.posix.mount: ansible.posix.mount:
path: /var/lib/libvirt/ path: /var/lib/libvirt/
@ -83,9 +69,6 @@
boot: true boot: true
- name: Start the libvirt service - name: Start the libvirt service
when: item in ansible_facts.services
ansible.builtin.service: ansible.builtin.service:
name: "{{ item }}" name: libvirtd
state: started state: started
loop:
- libvirtd.service

28
ansible/roles/hypervisor/tasks/main.yaml
View File

@ -1,32 +1,18 @@
--- ---
- name: Format and mount the libvirt disk if it is not root - name: Install libvirt packages (Arch)
when: when: ansible_os_distribution == 'Archlinux'
- hypervisor.device is defined
- hypervisor.device not in (ansible_mounts | json_query('[?mount == `/var/lib/libvirt`].device'))
ansible.builtin.include_tasks:
file: libvirt_drive_mount.yaml
- name: Install libvirt packages (Archlinux)
when: ansible_distribution == 'Archlinux'
community.general.pacman: community.general.pacman:
name: "{{ libvirt_packages['Archlinux'] }}" name: "{{ libvirt_packages['Arch'] }}"
state: present state: present
update_cache: true update_cache: true
- name: Add user to libvirt group - name: Add user to libvirt group
ansible.builtin.user: ansible.builtin.user:
name: "{{ ansible_user }}" name: "{{ ansible_user }}"
groups: groups: libvirt
- libvirt
- libvirt-qemu
append: true append: true
- name: Load br_netfilter kernel module so sysctl flags can be set
community.general.modprobe:
name: br_netfilter
state: present
- name: Set required sysctl flags for bridging - name: Set required sysctl flags for bridging
ansible.posix.sysctl: ansible.posix.sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
@ -34,7 +20,7 @@
state: present state: present
sysctl_file: /etc/sysctl.d/bridge.conf sysctl_file: /etc/sysctl.d/bridge.conf
sysctl_set: true sysctl_set: true
value: "{{ item.value }}" value: "{{ item.value }}}}"
loop: loop:
- name: net.ipv4.ip_forward - name: net.ipv4.ip_forward
value: 1 value: 1
@ -91,11 +77,11 @@
community.libvirt.virt_pool: community.libvirt.virt_pool:
command: facts command: facts
- name: Define the standard libvirt storage pools # TODO add when condition against existing pools - name: Define the standard libvirt storage pools
community.libvirt.virt_pool: community.libvirt.virt_pool:
name: "{{ item.name }}" name: "{{ item.name }}"
command: define command: define
xml: "{{ lookup('template', 'dir_libvirt_pool.xml.j2') }}" xml: "{{ lookup('template', 'dir_pool.xml.j2') }}"
loop: loop:
- name: isos - name: isos
path: /var/lib/libvirt/isos/ path: /var/lib/libvirt/isos/

6
ansible/roles/sshd/defaults/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
openssh_packages:
- openssh
openssh_service: sshd.service
openssh_configuration_file: /etc/ssh/sshd_config
openssh_configuration_mode: 0644

1
ansible/roles/sshd/files/lab_authorized_keys Normal file
View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDSByUetRCOrrCRpyc0HMPVX8mKeJfXUcYH8+6NL2Md ladmin@lab.balsillie.net

48
ansible/roles/sshd_setup/templates/sshd_config.j2 → ansible/roles/sshd/files/sshd_config_arch
View File

@ -1,23 +1,19 @@
Port {{ sshd.listen.port | default('22') }} # $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
AddressFamily {{ sshd.listen.family | default('any') }}
{% if (sshd.listen.family is defined and sshd.listen.family == 'inet') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%} # This is the sshd server system-wide configuration file. See
{% if sshd.listen.ipv4 is defined -%} # sshd_config(5) for more information.
{% for address in sshd.listen.ipv4 -%}
ListenAddress {{ address }} # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
{% endfor -%}
{% else -%} # The strategy used for options in the default sshd_config shipped with
ListenAddress 0.0.0.0 # OpenSSH is to specify options with their default value where
{% endif -%} # possible, but leave them commented. Uncommented options override the
{% endif -%} # default value.
{% if (sshd.listen.family is defined and sshd.listen.family == 'inet6') or (sshd.listen.family is defined and sshd.listen.family == 'any') -%}
{% if sshd.listen.ipv6 is defined -%} #Port 22
{% for address in sshd.listen.ipv6 -%} #AddressFamily any
ListenAddress {{ address }} #ListenAddress 0.0.0.0
{% endfor -%} #ListenAddress ::
{% else -%}
ListenAddress ::
{% endif -%}
{% endif -%}
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key
@ -38,7 +34,7 @@ ListenAddress ::
#MaxAuthTries 6 #MaxAuthTries 6
#MaxSessions 10 #MaxSessions 10
PubkeyAuthentication {{ sshd.auth.pubkey | default('yes') }} PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys # but this is overridden so installations will only check .ssh/authorized_keys
@ -58,8 +54,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd.auth.password | default('yes') }} PasswordAuthentication no
PermitEmptyPasswords {{ sshd.auth.empty | default('no') }} #PermitEmptyPasswords no
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
KbdInteractiveAuthentication no KbdInteractiveAuthentication no
@ -85,10 +81,10 @@ KbdInteractiveAuthentication no
# and KbdInteractiveAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
UsePAM yes UsePAM yes
AllowAgentForwarding {{ sshd.forwarding.agent | default('no') }} #AllowAgentForwarding yes
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
X11Forwarding {{ sshd.forwarding.x11 | default('no') }} #X11Forwarding no
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes #PermitTTY yes
@ -107,7 +103,7 @@ PrintMotd no # pam does that
#VersionAddendum none #VersionAddendum none
# no default banner path # no default banner path
# Banner Connected to {{ ansible_fqdn | default('host.') }} #Banner none
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server Subsystem sftp /usr/lib/ssh/sftp-server

6
ansible/roles/sshd/handlers/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart openssh
ansible.builtin.service:
name: "{{ openssh_service }}"
state: restarted

39
ansible/roles/sshd/tasks/main.yml Normal file
View File

@ -0,0 +1,39 @@
---
- name: install openssh arch
become: true
community.general.pacman:
name: "{{ openssh_packages }}"
state: latest
update_cache: true
reason: explicit
when:
- ansible_os_family == 'Arch'
- name: add authorized keys
ansible.builtin.copy:
dest: "/home/{{ ansible_user }}/.ssh/authorized_keys"
src: "{{ authorized_keys_file }}"
mode: 0600
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
- name: configure openssh
become: true
ansible.builtin.copy:
dest: "{{ openssh_configuration_file }}"
src: "{{ openssh_configuration_src }}"
mode: "{{ openssh_configuration_mode }}"
owner: root
group: root
notify:
- restart openssh
- name: start and enable openssh
become: true
ansible.builtin.service:
name: "{{ openssh_service }}"
state: started
enabled: yes
- name: flush handlers
ansible.builtin.meta: flush_handlers

16
ansible/roles/sshd_setup/defaults/main.yaml
View File

@ -1,16 +0,0 @@
sshd:
config_path: default
auth:
pubkey: 'yes'
password: 'no'
empty: 'no'
listen:
port: '22'
family: any # 'any', 'inet' or 'inet6'
ipv4:
- '0.0.0.0'
ipv6:
- '::'
forwarding:
agent: 'no'
x11: 'no'

6
ansible/roles/sshd_setup/handlers/main.yaml
View File

@ -1,6 +0,0 @@
---
- name: Restart sshd
ansible.builtin.service:
name: sshd.service
state: restarted

76
ansible/roles/sshd_setup/tasks/main.yaml
View File

@ -1,76 +0,0 @@
---
# - name: Debug ansible facts
# ansible.builtin.debug:
# msg: "{{ ansible_facts }}"
# - name: Debug host vars
# ansible.builtin.debug:
# msg: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
- name: Ensure ssh config dir exists
delegate_to: localhost
become: false
ansible.builtin.file:
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: '0700'
- name: Generate local SSH key pair
delegate_to: localhost
become: false
community.crypto.openssh_keypair:
backend: opensshbin
comment: "{{ ansible_user }}@{{ static_fqdn }}"
mode: '0600'
passphrase: "{{ ssh_keygen_passphrase }}"
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}"
regenerate: full_idempotence
size: 521
state: present
type: ecdsa
register: ssh_keygen
- name: Copy SSH pubkey to target
ansible.posix.authorized_key:
key: "{{ ssh_keygen.public_key }}"
user: "{{ ansible_user }}"
state: present
- name: Template out sshd_config
ansible.builtin.template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify:
- Restart sshd
- name: Flush handlers for immediate shhd restart
ansible.builtin.meta: flush_handlers
- name: Add local ssh client config
delegate_to: localhost
become: false
community.general.ssh_config:
host: "{{ sshd.nickname | default(omit) }} {{ static_fqdn }}"
hostname: "{{ static_fqdn }}"
identity_file: "{{ ssh_keygen.filename }}"
port: "{{ sshd.listen.port | default('22') }}"
remote_user: "{{ ansible_user }}"
ssh_config_file: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
state: present
- name: Include generated ssh config in default config file
delegate_to: localhost
become: false
ansible.builtin.lineinfile:
path: "{{ lookup('env', 'HOME') }}/.ssh/config"
line: "Include {{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
mode: '0600'
state: present
create: true
insertafter: ^Include\s.*$

2
ansible/roles/systemd_networkd/tasks/main.yaml
View File

@ -14,7 +14,7 @@
- name: Create systemd-networkd config files - name: Create systemd-networkd config files
ansible.builtin.template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: /etc/systemd/network/{{ item.name }} dest: /etc/systemd/network/"{{ item.name }}"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'

5
ansible/roles/systemd_networkd/templates/bridge.network.j2
View File

@ -10,11 +10,6 @@ LinkLocalAddressing=False
LLDP={{ item.lldp | default(true) }} LLDP={{ item.lldp | default(true) }}
{% if item.vlans is defined -%} {% if item.vlans is defined -%}
{% for vlan in item.vlans -%} {% for vlan in item.vlans -%}
VLAN=vlan{{ vlan }}
{% endfor -%}
[BridgeVLAN]
{% for vlan in item.vlans -%}
VLAN={{ vlan }} VLAN={{ vlan }}
{% endfor -%} {% endfor -%}
{% endif -%} {% endif -%}

3
ansible/roles/systemd_networkd/templates/ethernet.link.j2
View File

@ -3,5 +3,6 @@ PermanentMACAddress={{ item.mac_address }}
[Link] [Link]
Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.link', '') }} Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.link', '') }}
MACAddressPolicy=persistent MACAddressPolicy=permanent
MACAddress={{ item.mac_address }}

4
ansible/roles/systemd_networkd/templates/ethernet.network.j2
View File

@ -1,5 +1,5 @@
[Match] [Match]
Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.network', '') }} MACAddress={{ item.mac_address }}
[Link] [Link]
ARP={{ item.arp | default(true) }} ARP={{ item.arp | default(true) }}
@ -62,7 +62,7 @@ Type=unicast
{% endif -%} {% endif -%}
{% if item.bridge is defined and item.bridge.vlans is defined %} {% if item.bridge is defined and item.bridge.vlans is defined %}
[BridgeVLAN] [BridgeVLANs]
{% for vlan in item.bridge.vlans -%} {% for vlan in item.bridge.vlans -%}
VLAN={{ vlan }} VLAN={{ vlan }}
{% endfor -%} {% endfor -%}