commit 70007a299177cf2db2e3aa28ce90fd11f7634f2d Author: Sven Velt Date: Tue Mar 12 21:39:29 2024 +0100 Initial commit diff --git a/README.md b/README.md new file mode 100644 index 0000000..f22b5f5 --- /dev/null +++ b/README.md @@ -0,0 +1,36 @@ +prepare_lxc_host +================ + +Prepare Debian/Devuan machine as LXC host + +Requirements +------------ + +- FIXME + +Role Variables +-------------- + +- FIXME + +Dependencies +------------ + +- FIXME + +Example Playbook +---------------- + + FIXME + +License +------- + +AGPL3.0-or-later + +Author Information +------------------ + +- Sven Velt +- https://git.velt.biz/ + diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..10b1e47 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,15 @@ +--- +lxc_host_ipv4_addr: 192.168.1.1/24 + +lxc_host_ipv4_dhcp_start: "{{ lxc_host_ipv4_addr|ansible.utils.ipaddr(99)|ansible.utils.ipaddr('address') }}" +lxc_host_ipv4_dhcp_end: "{{ lxc_host_ipv4_addr|ansible.utils.ipaddr(198)|ansible.utils.ipaddr('address') }}" + +lxc_host_ipv6_addr: fd00::1/64 + +# FIXME: lxc_host_bridge: lxcbr0 // br-lxc +lxc_host_bridge: lxcbr0 + +lxc_host_domain: "{{ lxc_host_bridge }}.invalid" + +lxc_mac_template: "fe:fe:fe:xx:xx:xx" + diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..99f631c --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,13 @@ +--- +- name: Restart dnsmasq + service: + name: dnsmasq + state: restarted + + +- name: Restart lxc-net + service: + name: lxc-net + state: restarted + + diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..3fd0be6 --- /dev/null +++ b/meta/main.yml 
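Review bot: The DHCP range defaults in defaults/main.yml compute their bounds with `ansible.utils.ipaddr(99)` and `ansible.utils.ipaddr(198)`, which only yields valid hosts when `lxc_host_ipv4_addr` is a /24 or larger; with a smaller prefix the filter returns an empty value (as far as I recall its out-of-range behaviour) and both templates would render an empty range, so either document the assumption above those two lines (`# host indices 99/198 assume a /24 or larger; override for smaller subnets`) or derive the bounds from the prefix size. None of the variables carry a comment and the README's Role Variables section is still a FIXME, so a one-line comment per variable here is the cheapest place to document what each one controls and which network path (lxc-net vs. manual) consumes it. The `fe:fe:fe` prefix in `lxc_mac_template` is a locally-administered unicast prefix, which is the right choice for a random-suffix template; a comment saying so stops someone "fixing" it to a vendor OUI.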
@@ -0,0 +1,24 @@ +galaxy_info: + author: Sven Velt + description: Prepare Debian/Devuan machine as LXC host + company: velt.biz + issue_tracker_url: https://git.velt.biz/Ansible/role.prepare_lxc_host/issues + license: AGPL-3.0-or-later + min_ansible_version: '2.10' + platforms: + - name: Debian + versions: + - buster + - bullseye + - trixie + - name: Devuan + versions: + - chimaera + - daedalus + galaxy_tags: [] + namespace: velt + +dependencies: + - velt.deapparmor + - velt.grub_add_cmdlineparameter + diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..4dddf8e --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,62 @@ +--- +# tasks file for svelt.prepare_lxc_host +- name: Sanity check + assert: + that: + - ansible_pkg_mgr == "apt" + fail_msg: "Sorry, Debian-like hosts only!" + + +- name: Install packages + package: + name: + - bridge-utils + - lxc + - python3-lxc + # OLD: - dnsmasq + # OLD: - iptables + state: latest + + +- name: Raise inotify limit + sysctl: + name: fs.inotify.max_user_instances + value: '2048' + sysctl_file: 30-lxc-inotify.conf + sysctl_set: yes + state: present + reload: yes + + +- name: Enable CAP_SYS_TIME in Container + lineinfile: + dest: /usr/share/lxc/config/common.conf + backrefs: yes + regexp: '(^\s*[^#].*)sys_time ?(.*)$' + line: '\1\2' + backup: yes + + +- name: Template config files + template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - etc/lxc/ansible.conf + + +- name: "Include network via lxc-net" + include_tasks: net_lxc-net.yml + # FIXME: + when: True + + +- name: "Include network manual" + include_tasks: net_manual.yml + # FIXME: + when: False + + diff --git a/tasks/net_lxc-net.yml b/tasks/net_lxc-net.yml new file mode 100644 index 0000000..b8fd1bd --- /dev/null +++ b/tasks/net_lxc-net.yml 
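Review bot: `dependencies` lists only the two `velt.*` roles, while defaults/main.yml and every template use the `ansible.utils.ipaddr` filter, so the `ansible.utils` collection (and the netaddr library it needs on the controller) is an undeclared requirement that role dependencies cannot pull in. Declare it in a `requirements.yml` (`collections: - name: ansible.utils`) and replace the FIXME in the README Requirements section with the same information. `min_ansible_version: '2.10'` is correctly quoted so it is not read as the float 2.1; keep that quoting if the value is ever bumped.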
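Review bot: `sysctl_file: 30-lxc-inotify.conf` in the "Raise inotify limit" task is a relative path; the sysctl module takes an absolute path for the file it writes, so this would land relative to the remote working directory rather than `/etc/sysctl.d/` — tasks/net_manual.yml already uses `/etc/sysctl.d/lxc.conf` for the same module, so make this `sysctl_file: /etc/sysctl.d/30-lxc-inotify.conf`. The "Enable CAP_SYS_TIME in Container" task edits `/usr/share/lxc/config/common.conf`, a file owned by the lxc package, so the next package upgrade silently restores `sys_time` to the drop list with nothing in the role detecting it, and because that file is included by the per-distribution container configs (as far as I know) the change widens the capability set of every container on the host rather than only those that need clock access — a comment stating why (the ansible.conf.j2 template hints at NTP in Debian 10) and an override in a role-owned config would be preferable. `state: latest` in "Install packages" upgrades the packages on every run, which makes the play non-idempotent and pulls in unreviewed upgrades; `state: present` is the usual choice. `mode: 0644` is an unquoted YAML 1.1 octal (read as the integer 420), which Ansible documents as unreliable, so quote it: `mode: "0644"`. The `when: True` / `when: False` FIXMEs hard-wire the lxc-net path; a boolean role variable in defaults/main.yml (name to be chosen, e.g. `lxc_host_use_lxc_net`) would let a playbook select the manual path without editing the role.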
@@ -0,0 +1,11 @@ +--- +- name: Write variables to /etc/default/lxc-net + ansible.builtin.blockinfile: + path: /etc/default/lxc-net + block: "{{ lookup('ansible.builtin.template', 'etc/default/lxc-net.j2') }}" + marker: "# {mark} ANSIBLE MANAGED BLOCK - custom network settings" + insertafter: EOF + backup: yes + notify: Restart lxc-net + + diff --git a/tasks/net_manual.yml b/tasks/net_manual.yml new file mode 100644 index 0000000..853a4e9 --- /dev/null +++ b/tasks/net_manual.yml 
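Review bot: Nothing in this task (or in handlers/main.yml) ensures the `lxc-net` unit is unmasked and enabled, while tasks/net_manual.yml stops, disables and masks it; a host once configured with the manual path and later switched to this one would keep a masked unit and the `Restart lxc-net` notify would fail — inferred from the two task files, not verified on a host. A service task before the blockinfile task closes that gap. `backup: yes` should be `backup: true` for consistency with ansible-lint's truthy rule. A comment noting that `/etc/default/lxc-net` is sourced as shell, so the appended block's assignments override the stock ones above, would explain why `insertafter: EOF` matters here.

```yaml
- name: Ensure lxc-net is unmasked and enabled
  systemd:
    name: lxc-net
    masked: false
    enabled: true
    state: started
  when: ansible_service_mgr == "systemd"

# … unchanged: blockinfile task writing /etc/default/lxc-net …
```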
@@ -0,0 +1,85 @@ +--- +- name: Install packages + package: + name: + - dnsmasq + - iptables + state: latest + + +- name: Template dnsmasq.d config file + template: + src: "etc/dnsmasq.d/bridge.j2" + dest: "/etc/dnsmasq.d/{{ lxc_host_bridge }}" + owner: root + group: root + mode: 0644 + notify: + - Restart dnsmasq + + +- name: Template network interface config file + template: + src: "etc/network/interfaces.d/bridge.j2" + dest: "/etc/network/interfaces.d/{{ lxc_host_bridge }}" + owner: root + group: root + mode: 0644 + + +- name: dnsmasq should use /etc/resolv.conf + lineinfile: + path: /etc/default/dnsmasq + line: 'IGNORE_RESOLVCONF=yes' + regexp: '^\s*#*\s*IGNORE_RESOLVCONF=yes' + backup: yes + notify: + - Restart dnsmasq + + +- name: IPv4-Forwarding + sysctl: + name: net.ipv4.ip_forward + value: '1' + sysctl_file: /etc/sysctl.d/lxc.conf + sysctl_set: yes + state: present + reload: yes + + +- name: Disable lxc-net with systemd + when: ansible_service_mgr == "systemd" + block: + - name: Stop lxc-net service + systemd: + name: lxc-net + state: stopped + + - name: Disable lxc-net service + systemd: + name: lxc-net + enabled: no + + - name: Mask lxc-net service + systemd: + name: lxc-net + masked: yes + + +- name: Disable lxc-net without systemd + when: ansible_service_mgr != "systemd" + block: + - name: Disable lxc-net + service: + name: lxc-net + enabled: no + state: stopped + ignore_errors: yes + + +- name: "Bring up {{ lxc_host_bridge }}" + command: "ifup {{ lxc_host_bridge }}" + args: + creates: "/sys/devices/virtual/net/{{ lxc_host_bridge }}" + + diff --git a/templates/etc/default/lxc-net.j2 b/templates/etc/default/lxc-net.j2 new file mode 100644 index 0000000..60b02ea --- /dev/null +++ b/templates/etc/default/lxc-net.j2 
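Review bot: The "IPv4-Forwarding" task turns on `net.ipv4.ip_forward` host-wide, but the only firewall rule the role adds is the MASQUERADE rule in templates/etc/network/interfaces.d/bridge.j2, so container-to-anywhere forwarding depends on the host's default FORWARD policy — a comment here (`# forwarding is unrestricted; add FORWARD rules if containers must not reach other host networks`) keeps that gap visible to whoever deploys the role. `ignore_errors: yes` on "Disable lxc-net" hides every failure of that task, including a typo in the unit name; `failed_when: false` expresses the same best-effort intent, and narrowing it to the "unit not found" case via a registered result is safer still. `state: latest` and `mode: 0644` have the same problems as in tasks/main.yml (non-idempotent upgrades; unquoted octal) — use `state: present` and `mode: "0644"`. The final "Bring up" task runs `ifup` guarded by `creates:` on the sysfs path, which is fine, but this path never configures IPv6 on the bridge although `lxc_host_ipv6_addr` is defined in defaults, which deserves a comment or a README note.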
@@ -0,0 +1,12 @@ +LXC_ADDR="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("address") }}" +LXC_NETMASK="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("netmask") }}" +LXC_NETWORK="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }}" + +LXC_DHCP_RANGE="{{ lxc_host_ipv4_dhcp_start }},{{ lxc_host_ipv4_dhcp_end }}" +LXC_DHCP_MAX="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("size") }}" + +LXC_DOMAIN="{{ lxc_host_domain }}" + +LXC_IPV6_ADDR="{{ lxc_host_ipv6_addr|ansible.utils.ipaddr("address") }}" +LXC_IPV6_MASK="{{ lxc_host_ipv6_addr|ansible.utils.ipaddr("prefix") }}" +LXC_IPV6_NETWORK="{{ lxc_host_ipv6_addr|ansible.utils.ipaddr("network/prefix") }}" diff --git a/templates/etc/dnsmasq.d/bridge.j2 b/templates/etc/dnsmasq.d/bridge.j2 new file mode 100644 index 0000000..8b97a32 --- /dev/null +++ b/templates/etc/dnsmasq.d/bridge.j2 @@ -0,0 +1,17 @@ +#strict-order +local=/{{ lxc_host_bridge }}/ +domain={{ lxc_host_bridge }} +expand-hosts + +#except-interface=lo + +#bind-interfaces +interface={{ lxc_host_bridge }} + +dhcp-range={{ lxc_host_bridge }},{{ lxc_host_ipv4_dhcp_start }},{{ lxc_host_ipv4_dhcp_end }},2m + +dhcp-no-override +dhcp-authoritative + +dhcp-option=option:dns-server,{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("address") }} + diff --git a/templates/etc/lxc/ansible.conf.j2 b/templates/etc/lxc/ansible.conf.j2 new file mode 100644 index 0000000..20bc242 --- /dev/null +++ b/templates/etc/lxc/ansible.conf.j2 @@ -0,0 +1,13 @@ +lxc.group = ansible + +lxc.start.auto = 1 + +### 2020-09 wg. NTP in Debian 10 +lxc.apparmor.profile = unconfined + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = eth0 +lxc.net.0.link = {{ lxc_host_bridge }} +lxc.net.0.hwaddr = {{ lxc_mac_template }} + diff --git a/templates/etc/network/interfaces.d/bridge.j2 b/templates/etc/network/interfaces.d/bridge.j2 new file mode 100644 index 0000000..937ccc6 --- /dev/null +++ b/templates/etc/network/interfaces.d/bridge.j2 
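Review bot: The block never sets `LXC_BRIDGE`, so lxc-net keeps its stock bridge name while templates/etc/lxc/ansible.conf.j2 links containers to `{{ lxc_host_bridge }}`; with the default `lxcbr0` the two coincide, but the FIXME in defaults/main.yml about `br-lxc` shows the name is meant to change, at which point containers would attach to a bridge lxc-net did not create. Add `LXC_BRIDGE="{{ lxc_host_bridge }}"` (and `USE_LXC_BRIDGE="true"` if the stock file may have it off) at the top of the template. `LXC_DHCP_MAX` is set to the size of the whole subnet, which exceeds the 100-address `LXC_DHCP_RANGE` — harmless, but a comment or a value derived from the range would avoid confusion.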
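Review bot: `local=/{{ lxc_host_bridge }}/` and `domain={{ lxc_host_bridge }}` use the bridge name as the DNS domain, while the lxc-net path uses `lxc_host_domain` (default `{{ lxc_host_bridge }}.invalid`), so containers get a different search domain depending on which network path the role took; `local=/{{ lxc_host_domain }}/` and `domain={{ lxc_host_domain }}` would make both paths agree. `interface={{ lxc_host_bridge }}` with `#bind-interfaces` commented out means dnsmasq binds the wildcard address and discards queries arriving on other interfaces; that is dnsmasq's documented default and works, but a comment saying it is intentional (and that `bind-interfaces` is the knob if another resolver must share the host) stops the next reader from uncommenting it by accident. The `2m` lease time causes constant renewals; if it is deliberate for fast container churn, say so in a comment.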
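Review bot: `lxc.apparmor.profile = unconfined` removes AppArmor confinement from every container created with this config, and the only justification is the German one-liner `### 2020-09 wg. NTP in Debian 10` (presumably "because of NTP in Debian 10"); an English comment naming the concrete breakage and the value to return to once it is resolved belongs here, e.g. `# Unconfined because NTP inside Debian 10 guests failed under lxc-container-default (2020-09); revisit for newer releases`. Together with the `sys_time` capability restored in tasks/main.yml and the `velt.deapparmor` dependency in meta/main.yml, containers end up with noticeably less isolation than stock LXC, which the README should state so operators can decide whether that trade-off fits their host. `lxc.net.0.hwaddr = {{ lxc_mac_template }}` relies on LXC replacing the `xx` placeholders with random hex digits, which is fine, but a comment noting that is helpful since the rendered value looks like a literal MAC.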
@@ -0,0 +1,9 @@ +auto {{ lxc_host_bridge }} +iface {{ lxc_host_bridge }} inet static + address {{ lxc_host_ipv4_addr }} + + bridge_ports none + + up /sbin/iptables -t nat -A POSTROUTING -s {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} ! -o {{ lxc_host_bridge }} ! -d {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} -j MASQUERADE + down /sbin/iptables -t nat -D POSTROUTING -s {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} ! -o {{ lxc_host_bridge }} ! -d {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} -j MASQUERADE +
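Review bot: The `up`/`down` lines install an unconditional MASQUERADE for the whole container subnet on every non-bridge interface, and with `net.ipv4.ip_forward` enabled in tasks/net_manual.yml there is no matching FORWARD rule, so container egress is limited only by the host's default FORWARD policy — a comment making that explicit (`# NAT only; no FORWARD filtering is installed, containers can reach every network the host can`) keeps the exposure visible. Repeating `{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }}` four times invites drift; a `{% set lxc_net = lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") %}` at the top and `{{ lxc_net }}` in the rules reads better. `address {{ lxc_host_ipv4_addr }}` passes the CIDR form, which ifupdown accepts, but there is no `inet6` stanza although `lxc_host_ipv6_addr` is defined in defaults, so containers on this path get no IPv6 — worth stating in the README. The `-A` in the `up` line duplicates the rule if the interface is brought up twice without a `down`; ifupdown's state tracking usually prevents that, but a `post-up` with an `iptables -C … || iptables -A …` guard is the robust form.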