From c2b48aef4137e4a17617a292d02f6891dcf7f846 Mon Sep 17 00:00:00 2001
From: Sven Velt
Date: Tue, 12 Mar 2024 21:52:22 +0100
Subject: [PATCH] Rebuilt with multiple roles
---
 .gitmodules | 9 ++
 ansible.cfg | 2 +
 prepare_lxc_host.yml | 45 ++++++++
 prepare_lxc_hosts.yml | 137 -------------------------
 roles.extern/deapparmor | 1 +
 roles.extern/grub_add_cmdlineparameter | 1 +
 roles.extern/prepare_lxc_host | 1 +
 7 files changed, 59 insertions(+), 137 deletions(-)
 create mode 100644 prepare_lxc_host.yml
 delete mode 100644 prepare_lxc_hosts.yml
 create mode 160000 roles.extern/deapparmor
 create mode 160000 roles.extern/grub_add_cmdlineparameter
 create mode 160000 roles.extern/prepare_lxc_host
diff --git a/.gitmodules b/.gitmodules
index 927e236..bd7a3a3 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,12 @@
 [submodule ".submodules/ansible-lxc-ssh"]
 path = .submodules/ansible-lxc-ssh
 url = https://github.com/andreasscherbaum/ansible-lxc-ssh.git
+[submodule "roles.extern/deapparmor"]
+ path = roles.extern/deapparmor
+ url = https://git.velt.biz/Ansible/role.deapparmor.git
+[submodule "roles.extern/grub_add_cmdlineparameter"]
+ path = roles.extern/grub_add_cmdlineparameter
+ url = https://git.velt.biz/Ansible/role.grub_add_cmdlineparameter.git
+[submodule "roles.extern/prepare_lxc_host"]
+ path = roles.extern/prepare_lxc_host
+ url = https://git.velt.biz/Ansible/role.prepare_lxc_host.git
diff --git a/ansible.cfg b/ansible.cfg
index 6e89840..310e31c 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,6 +1,8 @@
 [defaults]
 inventory = ./hosts
+roles_path = ./roles.extern
+
 connection_plugins = ./connection_plugins/
 interpreter_python = auto
diff --git a/prepare_lxc_host.yml b/prepare_lxc_host.yml
new file mode 100644
index 0000000..c436d95
--- /dev/null
+++ b/prepare_lxc_host.yml
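Review bot: `roles_path = ./roles.extern` in the ansible.cfg hunk replaces Ansible's default roles search path rather than extending it, so roles installed with ansible-galaxy into the default locations (for example `~/.ansible/roles`) stop resolving for this project; the playbook-adjacent `roles/` directory is, as far as I know, still searched implicitly. If limiting resolution to the pinned submodule roles is the intent — which is a reasonable supply-chain choice, since these roles run as root on the LXC hosts — record it with a comment above the line, e.g. `# replaces the default search path: only the submodule-pinned roles in ./roles.extern are used`. If the galaxy defaults should stay reachable, list them colon-separated after `./roles.extern` instead.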
@@ -0,0 +1,45 @@
+---
+- hosts: all
+
+ gather_facts: no
+
+
+ pre_tasks:
+ - name: 'Output configured connection plugin via "ansible_connection" variable'
+ debug:
+ var: ansible_connection
+ tags:
+ - never
+ - debug
+
+ - name: End for non-LXContainer
+ meta: end_host
+ when: "'lxc' in ansible_connection|default('')"
+ tags:
+ - always
+
+ - name: Manually gather facts (for LXC hosts only)
+ ansible.builtin.gather_facts:
+ tags:
+ - always
+
+
+ roles:
+ - role: deapparmor
+ deapparmor_reboot: True
+ tags:
+ - always
+
+ - role: grub_add_cmdlineparameter
+ grub_add_cmdlineparameter:
+ systemd.unified_cgroup_hierarchy: 0
+ cgroup_enable: memory
+ swapaccount: 1
+ vsyscall: emulate
+ tags:
+ - always
+
+ - role: prepare_lxc_host
+ tags:
+ - always
+
diff --git a/prepare_lxc_hosts.yml b/prepare_lxc_hosts.yml
deleted file mode 100644
index a57283e..0000000
--- a/prepare_lxc_hosts.yml
+++ /dev/null
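Review bot: The task named `End for non-LXContainer` ends the host when `'lxc' in ansible_connection`, i.e. for hosts reached through an LXC connection plugin, so the name states the opposite of what its `when` does; the next task's name ("for LXC hosts only") suggests only the container hosts are meant to continue, so rename it to something like `name: End play for LX containers (only LXC hosts continue)`. Booleans are written three ways in one file (`gather_facts: no`, `deapparmor_reboot: True`, tags use plain lists); use lowercase `true`/`false` throughout to avoid the YAML 1.1/1.2 truthy ambiguity. The kernel parameters passed to `grub_add_cmdlineparameter` are compatibility downgrades — `vsyscall: emulate` keeps the legacy fixed-address vsyscall page mapped, which newer kernels restrict by default, and `systemd.unified_cgroup_hierarchy: 0` pins the host to cgroup v1 — and deserve a comment naming which legacy container userland needs them so they can be dropped once that guest is gone, e.g. `# vsyscall=emulate and cgroup v1 are only for legacy guests — revisit when they are retired`. The `deapparmor` role with `deapparmor_reboot: True` presumably disables AppArmor on the host; a one-line comment on why the LXC host cannot keep it would help the next maintainer judge the trade-off.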
@@ -1,137 +0,0 @@ ---- -- hosts: - - lxc_hosts - - tasks: - - assert: - that: - - ansible_pkg_mgr == "apt" - fail_msg: "Sorry, Debian-like hosts only!" - - - - name: Just to be sure python3-apt is installed - command: apt install -y python3-apt - args: - creates: /usr/lib/python3/dist-packages/apt - - - - name: Install packages - package: - name: "{{ packages }}" - state: latest - vars: - packages: - - bridge-utils - - dnsmasq - - iptables - - lxc - - python3-lxc - - - - name: Copy config files - copy: - src: "{{ item }}" - dest: "/{{ item }}" - owner: root - group: root - mode: 0644 - loop: - - etc/dnsmasq.d/br-lxc - - etc/lxc/ansible.conf - - etc/network/interfaces.d/br-lxc - notify: - - Restart dnsmasq - - - - - name: Fix evil Debian default /etc/network/interfaces - lineinfile: - dest: /etc/network/interfaces - regexp: 'source.*interfaces.d' - line: 'source-directory /etc/network/interfaces.d' - backup: yes - - - - name: dnsmasq should use /etc/resolv.conf - lineinfile: - path: /etc/default/dnsmasq - line: 'IGNORE_RESOLVCONF=yes' - regexp: '^\s*#*\s*IGNORE_RESOLVCONF=yes' - backup: yes - notify: - - Restart dnsmasq - - - - name: IPv4-Forwarding - sysctl: - name: net.ipv4.ip_forward - value: '1' - sysctl_file: /etc/sysctl.d/lxc.conf - sysctl_set: yes - state: present - reload: yes - - - - name: Raise inotify limit - sysctl: - name: fs.inotify.max_user_instances - value: '1024' - sysctl_file: 30-lxc-inotify.conf - sysctl_set: yes - state: present - reload: yes - - - - name: Enable CAP_SYS_TIME in Container - lineinfile: - dest: /usr/share/lxc/config/common.conf - backrefs: yes - regexp: '(^\s*[^#].*)sys_time ?(.*)$' - line: '\1\2' - backup: yes - - - - name: lxc-net with systemd - block: - - name: Stop lxc-net service - systemd: - name: lxc-net - state: stopped - - - name: Disable lxc-net service - systemd: - name: lxc-net - enabled: no - - - name: Mask lxc-net service - systemd: - name: lxc-net - masked: yes - when: ansible_service_mgr == "systemd" - - - - name: 
lxc-net without systemd - block: - - name: Disable lxc-net - service: - name: lxc-net - enabled: no - state: stopped - ignore_errors: yes - when: ansible_service_mgr != "systemd" - - - - name: Bring up br-lxc - command: ifup br-lxc - args: - creates: /sys/devices/virtual/net/br-lxc - - - - handlers: - - name: Restart dnsmasq - service: - name: dnsmasq - state: restarted - ignore_errors: yes -
diff --git a/roles.extern/deapparmor b/roles.extern/deapparmor
new file mode 160000
index 0000000..9cf7fca
--- /dev/null
+++ b/roles.extern/deapparmor
@@ -0,0 +1 @@
+Subproject commit 9cf7fcaa026c3771b7740915d6151f18fdb7fc15
diff --git a/roles.extern/grub_add_cmdlineparameter b/roles.extern/grub_add_cmdlineparameter
new file mode 160000
index 0000000..d401c51
--- /dev/null
+++ b/roles.extern/grub_add_cmdlineparameter
@@ -0,0 +1 @@
+Subproject commit d401c517fd71d2f828ee7c4757357dbd090e6dd1
diff --git a/roles.extern/prepare_lxc_host b/roles.extern/prepare_lxc_host
new file mode 160000
index 0000000..70007a2
--- /dev/null
+++ b/roles.extern/prepare_lxc_host
@@ -0,0 +1 @@
+Subproject commit 70007a299177cf2db2e3aa28ce90fd11f7634f2d