author | Trygve Laugstøl <trygvis@inamo.no> | 2018-11-26 22:33:54 +0100 |
---|---|---|
committer | Trygve Laugstøl <trygvis@inamo.no> | 2018-11-26 22:33:54 +0100 |
commit | b7bccaf7ff75fd2234b9232f595cbc8e226b80e9 (patch) | |
tree | 3e2822166b9be455f7589e56ca28a685bbccd2d8 /ansible/roles/lxc-host | |
parent | 6fe44ad6366232314d45502d387ccbc671e84d9f (diff) | |
o Importing bitraf-base, packages and postfix-satellite from Bitraf.
o Configuring nextcloud.
Diffstat (limited to 'ansible/roles/lxc-host')
-rw-r--r-- | ansible/roles/lxc-host/defaults/main.yml | 1 | ||||
-rw-r--r-- | ansible/roles/lxc-host/handlers/main.yml | 22 | ||||
-rw-r--r-- | ansible/roles/lxc-host/tasks/main.yml | 72 | ||||
-rw-r--r-- | ansible/roles/lxc-host/tasks/networkd.yml | 119 | ||||
-rw-r--r-- | ansible/roles/lxc-host/tasks/per-host.yml | 143 |
5 files changed, 313 insertions, 44 deletions
diff --git a/ansible/roles/lxc-host/defaults/main.yml b/ansible/roles/lxc-host/defaults/main.yml
new file mode 100644
index 0000000..462ba8c
--- /dev/null
+++ b/ansible/roles/lxc-host/defaults/main.yml
@@ -0,0 +1 @@
+lxc_host__backing_store: dir
diff --git a/ansible/roles/lxc-host/handlers/main.yml b/ansible/roles/lxc-host/handlers/main.yml
new file mode 100644
index 0000000..7e7dc9c
--- /dev/null
+++ b/ansible/roles/lxc-host/handlers/main.yml
@@ -0,0 +1,22 @@
+- name: restart sysctl
+ become: yes
+ service:
+ name: systemd-sysctl.service
+ state: restarted
+
+- name: restart radvd
+ become: yes
+ service:
+ name: radvd.service
+ state: restarted
+
+- name: systemctl restart systemd-networkd
+ become: yes
+ service:
+ name: systemd-networkd
+ state: restarted
+
+- name: reload ufw
+ become: yes
+ ufw:
+ state: reloaded
diff --git a/ansible/roles/lxc-host/tasks/main.yml b/ansible/roles/lxc-host/tasks/main.yml
index ba511c9..ab86969 100644
--- a/ansible/roles/lxc-host/tasks/main.yml
+++ b/ansible/roles/lxc-host/tasks/main.yml
@@ -1,11 +1,71 @@
-- name: Remove default network setup packages
+- name: Install packages
+ tags:
+ - lxc-host
+ - lxc-host-packages
+ - radvd
+ become: yes
 apt:
- name: "{{ item }}"
+ name: "{{ items }}"
 install_recommends: no
- with_items:
- - python-lxc
+ vars:
+ items:
+ - lxc
+ - python-lxc
+ - radvd
+
+#- debug:
+# msg: "item={{ item }}, host={{ host }}, lan={{ lan }}"
+# tags:
+# - lxc-host
+# with_dict: "{{ lxc_host_containers }}"
+# vars:
+# i: "{{ item }}"
+# host: "{{ host_database[item.key] }}"
+# lan: "{{ host_database | json_query(item.key + '.interfaces | * | [?role==`lan`]') | first }}"
+
+- name: Configure radvd
+ become: yes
+ tags:
+ - lxc-host
+ - radvd
+ vars:
+ ipv6: "{{ host_database[ansible_hostname].interfaces[lxc_host__internal_if].ipv6 }}"
+ notify: restart radvd
+ copy:
+ dest: /etc/radvd.conf
+ content: |
+ interface {{ lxc_host__br_if }}
+ {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 5;
+ MaxRtrAdvInterval 10;
+ MinDelayBetweenRAs 1;
+
+ AdvDefaultPreference medium;
+ AdvLinkMTU 1500;
+
+ prefix {{ ipv6.address }}/{{ ipv6.netmask }}
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+
+ AdvValidLifetime 14400;
+ AdvPreferredLifetime 3600;
+ AdvRouterAddr on;
+ };
+ };
+
+- name: Configure host networking
+ when: lxc_host__enable_network_cfg
+ tags:
+ - lxc-host
+ - lxc-host-network
+ include_tasks: networkd.yml
-- include_tasks: per-host.yml
+- tags: lxc-host
+ with_dict: "{{ lxc_host_containers }}"
 vars:
 i: "{{ item }}"
- with_dict: "{{ lxc_containers }}"
+ host: "{{ host_database[item.key] }}"
+ lan: "{{ host_database | json_query(item.key + '.interfaces | * | [?role==`lan`]') | first }}"
+ include_tasks: per-host.yml
diff --git a/ansible/roles/lxc-host/tasks/networkd.yml b/ansible/roles/lxc-host/tasks/networkd.yml
new file mode 100644
index 0000000..41ddb3f
--- /dev/null
+++ b/ansible/roles/lxc-host/tasks/networkd.yml
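Review bot: The `lan` var on the final include task takes `| first` of a json_query result, so a container whose host_database entry has no interface with `role == lan` makes the whole include die with a Jinja "sequence was empty" error instead of naming the offending host; a guard such as `- assert: { that: host_database[item.key].interfaces | json_query('* | [?role==`lan`]') | length > 0, fail_msg: "no lan interface for {{ item.key }}" }` before the include would make that explicit. The commented-out `#- debug:` block between the package and radvd tasks is dead code that duplicates the live include's vars and should be dropped rather than kept as a comment. The `become: yes` / `install_recommends: no` values are YAML 1.1 booleans; `true` / `false` is the form ansible-lint and yamllint accept.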
@@ -0,0 +1,119 @@
+- tags:
+ - lxc-host
+ - lxc-host-network
+ become: yes
+ vars:
+ hardware_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__hardware_if) }}"
+ br_if: "{{ lxc_host__br_if }}"
+ internal_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__internal_if) }}"
+ block:
+ - debug: var=hardware_if
+ - debug: var=br_if
+ - debug: var=internal_if
+
+ - name: Configure sysctl, enable ipv4 and ipv6 forwarding
+ become: yes
+ copy:
+ dest: /etc/sysctl.d/99-lxc-host.conf
+ content: |
+ net.ipv4.ip_forward=1
+ net.ipv6.conf.all.forwarding=1
+ notify: restart sysctl
+
+ - name: Enable UFW
+ become: yes
+ ufw:
+ state: enabled
+
+ - become: yes
+ ufw:
+ policy: allow
+ direction: outgoing
+
+ - become: yes
+ ufw:
+ policy: allow
+ direction: routed
+
+ - become: yes
+ ufw:
+ policy: deny
+ direction: incoming
+
+ - name: Enable NAT configuration through UFW
+ become: yes
+ notify: reload ufw
+ blockinfile:
+ path: /etc/ufw/before.rules
+ insertbefore: "# Don't delete these required lines, otherwise there will be errors"
+ block: |
+ # NAT table rules
+ *nat
+ :POSTROUTING ACCEPT [0:0]
+
+ # Forward traffic through eth0 - Change to match you out-interface
+ -A POSTROUTING -s {{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} -o {{ lxc_host__hardware_if }} -j MASQUERADE
+
+ # don't delete the 'COMMIT' line or these nat table rules won't be processed
+ COMMIT
+
+ - name: enable systemd-networkd
+ service:
+ name: systemd-networkd
+ enabled: yes
+ state: started
+
+ - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
+ content: |
+ [Match]
+ Name={{ lxc_host__hardware_if }}
+
+ [Network]
+ Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }}
+ Gateway={{ hardware_if.ipv4.gateway }}
+
+ - name: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
+ content: |
+ [NetDev]
+ Name={{ lxc_host__internal_if }}
+ Kind=dummy
+
+ - name: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
+ content: |
+ [Match]
+ Name={{ lxc_host__internal_if }}
+
+ [Network]
+ Bridge={{ br_if }}
+
+ - name: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
+ content: |
+ [NetDev]
+ Name={{ br_if }}
+ Kind=bridge
+
+ - name: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
+ content: |
+ [Match]
+ Name={{ br_if }}
+
+ [Network]
+ Address={{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }}
+ {% if internal_if.ipv6 is defined %}
+ Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }}
+ {% endif %}
diff --git a/ansible/roles/lxc-host/tasks/per-host.yml b/ansible/roles/lxc-host/tasks/per-host.yml
index d38267e..817497b 100644
--- a/ansible/roles/lxc-host/tasks/per-host.yml
+++ b/ansible/roles/lxc-host/tasks/per-host.yml
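Review bot: The ufw task that sets `policy: allow` for `direction: routed` opens the FORWARD chain unconditionally, and the sysctl task in the same block enables `net.ipv6.conf.all.forwarding=1`; with the globally routable prefix that tasks/main.yml hands to radvd, this appears to make every container reachable from the uplink over IPv6 with no filtering at all, since only `direction: incoming` (the host's own INPUT chain) is defaulted to deny. A safer shape is `policy: deny` for routed plus explicit forward rules for the bridge-to-uplink direction that the MASQUERADE rule serves, e.g. an `ufw:` task with `route: true`, `rule: allow`, `interface_in: "{{ br_if }}"`, `interface_out: "{{ lxc_host__hardware_if }}"`. The line `# Forward traffic through eth0 - Change to match you out-interface` inside the before.rules block is copied from the ufw documentation and is stale here because the interface is templated from `lxc_host__hardware_if`; replace it with a comment naming that variable so a future reader does not edit the wrong thing. The three unnamed `- become: yes` ufw tasks would also read better with a `name:` stating which default policy each sets.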
@@ -1,48 +1,115 @@
 - debug:
 msg: "LXC HOST: {{ i.key }}"
+ tags: lxc-host
-- name: lxc.network.type = veth
- register: type
- lineinfile:
- path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.type *="
- line: "lxc.network.type = veth"
-- name: lxc.network.link = br0
- register: link
- lineinfile:
- path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.link *="
- line: "lxc.network.link = br0"
-- name: Set IPv4 address {{ i.key }}
- register: ipv4
- lineinfile:
- path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.ipv4 *="
- line: "lxc.network.ipv4 = {{ i.value.ipv4.address }}/{{ i.value.ipv4.netmask }}"
-- name: Set IPv4 gateway
- register: ipv4_gateway
+- name: Create container
+ tags: lxc-host
+ become: yes
+ lxc_container:
+ name: "{{ i.key }}"
+ state: "{{ i.value.state }}"
+ template: debian
+ template_options: -r stretch --packages git,etckeeper,python,sudo
+ backing_store: "{{ lxc_host__backing_store }}"
+ zfs_root: "{{ lxc_host__zfs_root|default('') }}"
+ register: lxc
+
+- name: Connection info
+ tags: lxc-host
+ become: yes
+ when: lxc.changed
+ debug:
+ msg: "Container created! All keys for superusers are installed for
+ root user, so remember to add 'ansible_user=root' when running the
+ play for the host the first time."
+
+- name: Create /root/.ssh
+ tags: lxc-host
+ become: yes
+ when: lxc.changed
+ file:
+ path: "/var/lib/lxc/{{ i.key }}/rootfs/root/.ssh"
+ state: directory
+ mode: 0600
+ owner: root
+ group: root
+
+- name: Fill authorized_keys
+ tags: lxc-host
+ become: yes
+ when: lxc.changed
+ copy:
+ dest: "/var/lib/lxc/{{ i.key }}/rootfs/root/.ssh/authorized_keys"
+ content: |
+ {% for user in superusers %}
+ {% if users[user].authorized_keys is not none %}
+ {{ users[user].authorized_keys }}
+ {% endif %}
+ {% endfor %}
+
+- name: config-lxc-host
+ tags: lxc-host
+ become: yes
+ register: config_lxc_host
+ copy:
+ dest: "/var/lib/lxc/{{ i.key }}/config-lxc-host"
+ content: |
+ lxc.network.type = veth
+ lxc.network.link = br0
+ lxc.network.flags = up
+ lxc.network.hwaddr = {{ lan.hwaddr }}
+ {% if lan.ipv4 is defined %}
+ lxc.network.ipv4 = {{ lan.ipv4.address }}/{{ lan.ipv4.netmask }}
+ lxc.network.ipv4.gateway = {{ lan.ipv4.gateway }}
+ {% endif %}
+ # 0 = trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, and 8 = fatal.
+ lxc.loglevel = 1
+ lxc.logfile = /var/lib/lxc/{{ i.key }}/{{ i.key }}.log
+
+- name: "include file: config-lxc-host"
+ tags: lxc-host
+ become: yes
+ register: include_lxc_host
 lineinfile:
 path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.ipv4.gateway *="
- line: "lxc.network.ipv4.gateway = {{ i.value.ipv4.gateway }}"
- insertafter: "lxc.network.ipv4 *="
-- name: Set logfile
- register: logfile
+ regexp: "^lxc.include *=.*/config-lxc-host$"
+ line: "lxc.include = /var/lib/lxc/{{ i.key }}/config-lxc-host"
+
+- name: "include file: config.d"
+ tags: lxc-host
+ become: yes
+ register: include_config_d
 lineinfile:
 path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.logfile *="
- line: "lxc.logfile = /var/lib/lxc/{{ i.key }}/{{ i.key }}.log"
-
-#- name: state?
-# debug:
-# msg: "state={{ i.value.state }}"
-#- name: do restart?
-# debug:
-# msg: "DO RESTART: {{ i.key }}"
-# when: i.value.state == 'started'
-
-- name: restart lxc container {{ i.key }}
- when: i.value.state == 'started' and (type.changed or link.changed or ipv4.changed or logfile.changed)
+ regexp: "^lxc.include *=.*/conf.d/$"
+ line: "lxc.include = /var/lib/lxc/{{ i.key }}/conf.d/"
+
+- name: "mkdir conf.d"
+ tags: lxc-host
+ become: yes
+ file:
+ path: "/var/lib/lxc/{{ i.key }}/conf.d"
+ state: "directory"
+
+- name: "fill conf.d"
+ tags: lxc-host
+ become: yes
+ register: fill_config_d
+ with_fileglob: "lxc-host/{{ i.key }}/*"
+ loop_control:
+ loop_var: file
+ copy:
+ dest: "/var/lib/lxc/{{ i.key }}/conf.d"
+ src: "{{ file }}"
+
+- name: "restart lxc container {{ i.key }}"
+ tags: lxc-host
+ become: yes
+ when: i.value.state == 'started' and (
+ lxc.changed or
+ config_lxc_host.changed or
+ include_config_d.changed or
+ fill_config_d.changed)
 lxc_container:
+ name: "{{ i.key }}"
 state: restarted |
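Review bot: `mode: 0600` on the `Create /root/.ssh` task (earlier in this hunk) gives the directory no search bit, which only works because root bypasses DAC; the conventional value is `mode: "0700"`, quoted so YAML does not turn the octal into the integer 384. The `Fill authorized_keys` task that follows writes the key file with no `mode:` at all, so its permissions come from the remote umask — add `mode: "0600"`, `owner: root`, `group: root` there as well. Both tasks are gated on `when: lxc.changed`, so a key added to `superusers` after the container exists is never pushed into the rootfs; if that is deliberate, a comment such as `# keys are seeded only at creation; later changes are managed inside the container` next to the `when:` would save the next reader from wondering, otherwise drop the guard on the authorized_keys task. The `fill conf.d` task copies with `dest: "/var/lib/lxc/{{ i.key }}/conf.d"` (no trailing slash), which copy treats as a directory only because the preceding `mkdir conf.d` task created it; writing `dest: "/var/lib/lxc/{{ i.key }}/conf.d/"` makes that intent explicit.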