Initial commit

README.md

@@ -0,0 +1,36 @@
+prepare_lxc_host
+================
+
+Prepare Debian/Devuan machine as LXC host
+
+Requirements
+------------
+
+- FIXME
+
+Role Variables
+--------------
+
+- FIXME
+
+Dependencies
+------------
+
+- FIXME
+
+Example Playbook
+----------------
+
+    FIXME
+
+License
+-------
+
+AGPL3.0-or-later
+
+Author Information
+------------------
+
+- Sven Velt <sven-ansiblerole@velt.biz>
+- https://git.velt.biz/
+

defaults/main.yml

@@ -0,0 +1,15 @@
+---
+lxc_host_ipv4_addr: 192.168.1.1/24
+
+lxc_host_ipv4_dhcp_start: "{{ lxc_host_ipv4_addr|ansible.utils.ipaddr(99)|ansible.utils.ipaddr('address') }}"
+lxc_host_ipv4_dhcp_end: "{{ lxc_host_ipv4_addr|ansible.utils.ipaddr(198)|ansible.utils.ipaddr('address') }}"
+
+lxc_host_ipv6_addr: fd00::1/64
+
+# FIXME: lxc_host_bridge: lxcbr0 // br-lxc
+lxc_host_bridge: lxcbr0
+
+lxc_host_domain: "{{ lxc_host_bridge }}.invalid"
+
+lxc_mac_template: "fe:fe:fe:xx:xx:xx"
+

handlers/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Restart dnsmasq
+  service:
+    name: dnsmasq
+    state: restarted
+
+
+- name: Restart lxc-net
+  service:
+    name: lxc-net
+    state: restarted
+
+

meta/main.yml

@@ -0,0 +1,24 @@
+galaxy_info:
+  author: Sven Velt
+  description: Prepare Debian/Devuan machine as LXC host
+  company: velt.biz
+  issue_tracker_url: https://git.velt.biz/Ansible/role.prepare_lxc_host/issues
+  license: AGPL-3.0-or-later
+  min_ansible_version: '2.10'
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+        - trixie
+    - name: Devuan
+      versions:
+        - chimaera
+        - daedalus
+  galaxy_tags: []
+  namespace: velt
+
+dependencies:
+  - velt.deapparmor
+  - velt.grub_add_cmdlineparameter
+

tasks/main.yml

@@ -0,0 +1,62 @@
+---
+# tasks file for svelt.prepare_lxc_host
+- name: Sanity check
+  assert:
+    that:
+      - ansible_pkg_mgr == "apt"
+    fail_msg: "Sorry, Debian-like hosts only!"
+
+
+- name: Install packages
+  package:
+    name:
+      - bridge-utils
+      - lxc
+      - python3-lxc
+      # OLD: - dnsmasq
+      # OLD: - iptables
+    state: latest
+
+
+- name: Raise inotify limit
+  sysctl:
+    name: fs.inotify.max_user_instances
+    value: '2048'
+    sysctl_file: 30-lxc-inotify.conf
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+
+- name: Enable CAP_SYS_TIME in Container
+  lineinfile:
+    dest: /usr/share/lxc/config/common.conf
+    backrefs: yes
+    regexp: '(^\s*[^#].*)sys_time ?(.*)$'
+    line: '\1\2'
+    backup: yes
+
+
+- name: Template config files
+  template:
+    src: "{{ item }}.j2"
+    dest: "/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - etc/lxc/ansible.conf
+
+
+- name: "Include network via lxc-net"
+  include_tasks: net_lxc-net.yml
+  # FIXME:
+  when: True
+
+
+- name: "Include network manual"
+  include_tasks: net_manual.yml
+  # FIXME:
+  when: False
+
+

tasks/net_lxc-net.yml

@@ -0,0 +1,11 @@
+---
+- name: Write variables to /etc/default/lxc-net
+  ansible.builtin.blockinfile:
+    path: /etc/default/lxc-net
+    block: "{{ lookup('ansible.builtin.template', 'etc/default/lxc-net.j2') }}"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - custom network settings"
+    insertafter: EOF
+    backup: yes
+  notify: Restart lxc-net
+
+

tasks/net_manual.yml

@@ -0,0 +1,85 @@
+---
+- name: Install packages
+  package:
+    name:
+      - dnsmasq
+      - iptables
+    state: latest
+
+
+- name: Template dnsmasq.d config file
+  template:
+    src: "etc/dnsmasq.d/bridge.j2"
+    dest: "/etc/dnsmasq.d/{{ lxc_host_bridge }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Restart dnsmasq
+
+
+- name: Template network interface config file
+  template:
+    src: "etc/network/interfaces.d/bridge.j2"
+    dest: "/etc/network/interfaces.d/{{ lxc_host_bridge }}"
+    owner: root
+    group: root
+    mode: 0644
+
+
+- name: dnsmasq should use /etc/resolv.conf
+  lineinfile:
+    path: /etc/default/dnsmasq
+    line: 'IGNORE_RESOLVCONF=yes'
+    regexp: '^\s*#*\s*IGNORE_RESOLVCONF=yes'
+    backup: yes
+  notify:
+    - Restart dnsmasq
+
+
+- name: IPv4-Forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_file: /etc/sysctl.d/lxc.conf
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+
+- name: Disable lxc-net with systemd
+  when: ansible_service_mgr == "systemd"
+  block:
+    - name: Stop lxc-net service
+      systemd:
+        name: lxc-net
+        state: stopped
+
+    - name: Disable lxc-net service
+      systemd:
+        name: lxc-net
+        enabled: no
+
+    - name: Mask lxc-net service
+      systemd:
+        name: lxc-net
+        masked: yes
+
+
+- name: Disable lxc-net without systemd
+  when: ansible_service_mgr != "systemd"
+  block:
+    - name: Disable lxc-net
+      service:
+        name: lxc-net
+        enabled: no
+        state: stopped
+      ignore_errors: yes
+
+
+- name: "Bring up {{ lxc_host_bridge }}"
+  command: "ifup {{ lxc_host_bridge }}"
+  args:
+    creates: "/sys/devices/virtual/net/{{ lxc_host_bridge }}"
+
+

templates/etc/default/lxc-net.j2

@@ -0,0 +1,12 @@
+LXC_ADDR="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("address") }}"
+LXC_NETMASK="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("netmask") }}"
+LXC_NETWORK="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }}"
+
+LXC_DHCP_RANGE="{{ lxc_host_ipv4_dhcp_start }},{{ lxc_host_ipv4_dhcp_end }}"
+LXC_DHCP_MAX="{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("size") }}"
+
+LXC_DOMAIN="{{ lxc_host_domain }}"
+
+LXC_IPV6_ADDR="{{ lxc_host_ipv6_addr|ansible.utils.ipaddr("address") }}"
+LXC_IPV6_MASK="{{ lxc_host_ipv6_addr|ansible.utils.ipaddr("prefix") }}"
+LXC_IPV6_NETWORK="{{ lxc_host_ipv6_addr|ansible.utils.ipaddr("network/prefix") }}"

templates/etc/dnsmasq.d/bridge.j2

@@ -0,0 +1,17 @@
+#strict-order
+local=/{{ lxc_host_bridge }}/
+domain={{ lxc_host_bridge }}
+expand-hosts
+
+#except-interface=lo
+
+#bind-interfaces
+interface={{ lxc_host_bridge }}
+
+dhcp-range={{ lxc_host_bridge }},{{ lxc_host_ipv4_dhcp_start }},{{ lxc_host_ipv4_dhcp_end }},2m
+
+dhcp-no-override
+dhcp-authoritative
+
+dhcp-option=option:dns-server,{{ lxc_host_ipv4_addr|ansible.utils.ipaddr("address") }}
+

templates/etc/lxc/ansible.conf.j2

@@ -0,0 +1,13 @@
+lxc.group = ansible
+
+lxc.start.auto = 1
+
+### 2020-09 wg. NTP in Debian 10
+lxc.apparmor.profile = unconfined
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = eth0
+lxc.net.0.link = {{ lxc_host_bridge }}
+lxc.net.0.hwaddr = {{ lxc_mac_template }}
+

templates/etc/network/interfaces.d/bridge.j2

@@ -0,0 +1,9 @@
+auto {{ lxc_host_bridge }}
+iface {{ lxc_host_bridge }} inet static
+	address {{ lxc_host_ipv4_addr }}
+
+	bridge_ports none
+
+	up	/sbin/iptables -t nat -A POSTROUTING -s {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} ! -o {{ lxc_host_bridge }} ! -d {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} -j MASQUERADE
+	down	/sbin/iptables -t nat -D POSTROUTING -s {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} ! -o {{ lxc_host_bridge }} ! -d {{ lxc_host_ipv4_addr|ansible.utils.ipaddr("network/prefix") }} -j MASQUERADE
+