Initial commit

tasks/container-setup.yml

@@ -0,0 +1,105 @@
+---
+- name: Create maatma container
+  community.general.lxc_container:
+    name: "{{ ctr_name }}"
+    backing_store: dir
+    container_log: true
+    container_log_level: DEBUG
+    template: download
+    template_options: "--dist alpine --release 3.17 --arch armhf"
+    state: stopped
+
+- name: Erase container configuration
+  copy:
+    content: |
+      # Template used to create this container: /usr/share/lxc/templates/lxc-download
+      # Parameters passed to the template: --dist alpine --release 3.17 --arch armhf
+      # For additional config options, please look at lxc.container.conf(5)
+
+      # Uncomment the following line to support nesting containers:
+      #lxc.include = /usr/share/lxc/config/nesting.conf
+      # (Be aware this has security implications)
+
+
+      # Distribution configuration
+      lxc.include = /usr/share/lxc/config/common.conf
+      lxc.arch = linux32
+
+      # Container specific configuration
+      lxc.rootfs.path = dir:/var/lib/lxc/{{ ctr_name }}/rootfs
+      lxc.uts.name = {{ ctr_name }}
+
+      lxc.net.0.type = macvlan
+      lxc.net.0.macvlan.mode = vepa
+      lxc.net.0.flags = up
+      lxc.net.0.link = eth0
+      lxc.net.0.hwaddr = de:de:d7:8e:36:5e
+      lxc.net.0.ipv4.address = {{ local_network.prefix4 }}201/{{ local_network.netmask4 }}
+      lxc.net.0.ipv4.gateway = {{ local_network.gateway }}
+      lxc.net.0.ipv6.address = {{ local_network.prefix6 }}:1:a/64
+      lxc.net.0.ipv6.gateway = {{ local_network.gateway6 }}
+
+      lxc.net.2.type = phys
+      lxc.net.2.flags = up
+      lxc.net.2.link = wg-adlin
+      lxc.net.2.ipv6.address = {{ maatma_network.gateway6 }}/{{ maatma_network.netmask6 }}
+
+      lxc.net.1.type = veth
+      lxc.net.1.flags = up
+      lxc.net.1.veth.pair = veth_sshpipper
+      lxc.net.1.ipv4.address = 169.254.42.1/30
+
+      lxc.sysctl.net.ipv6.conf.eth0.autoconf = 0
+      lxc.sysctl.net.ipv6.conf.all.forwarding = 1
+
+      lxc.cap.drop = setgid
+      lxc.cap.drop = setuid
+      lxc.cap.drop = setpcap
+      lxc.cap.drop = sys_resource
+      lxc.cap.drop = sys_boot
+    dest: "/var/lib/lxc/{{ ctr_name }}/config"
+
+- name: Update runlevels
+  file:
+    path: "/var/lib/lxc/{{ ctr_name }}/rootfs{{ item }}"
+    state: absent
+  loop:
+    - "/etc/runlevels/boot/syslog"
+    - "/etc/runlevels/default/crond"
+    - "/etc/runlevels/default/networking"
+
+- name: Copy init scripts
+  template:
+    src: "{{ item }}.init.j2"
+    dest: "/var/lib/lxc/{{ ctr_name }}/rootfs/etc/init.d/{{ item }}"
+    mode: 0755
+  loop:
+    - token-validator
+    - checker
+    - clean-wg
+
+- name: Setup runlevels
+  file:
+    path: "/var/lib/lxc/{{ ctr_name }}/rootfs/etc/runlevels/{{ item.runlevel }}/{{ item.filename }}"
+    src: "/etc/init.d/{{ item.filename }}"
+    state: link
+    force: yes
+  loop:
+    - { filename: "token-validator", runlevel: "default" }
+    - { filename: "checker", runlevel: "default" }
+    - { filename: "clean-wg", runlevel: "default" }
+
+# Does not work
+- name: Setup maatma container
+  community.general.lxc_container:
+    name: "{{ ctr_name }}"
+    container_command: |
+      echo nameserver 192.168.0.254 > /etc/resolv.conf;
+      apk add --no-cache wireguard-tools-wg nftables;
+    state: started
+
+- name: Create symlink for service
+  file:
+    path: "/etc/init.d/lxc.{{ ctr_name }}"
+    src: "/etc/init.d/lxc"
+    state: link

tasks/main.yml

@@ -0,0 +1,52 @@
+---
+# 1. Setup LXC
+- include_tasks: pkg.yml
+
+# 2. Setup networking
+- include_tasks: networking.yml
+
+# 2. Create maatma container from alpine ctr
+- include_tasks: container-setup.yml
+
+- name: "Ensure container's directory is traversable by srs-deploy"
+  file:
+    path: "/var/lib/lxc/maatma"
+    group: srs-deploy
+    state: directory
+
+# 3. Install others scripts
+- name: Retrieve clean-wg.sh
+  get_url:
+    url: https://git.nemunai.re/teach/adlin/raw/branch/master/token-validator/clean-wg.sh
+    dest: "/var/lib/lxc/{{ ctr_name }}/rootfs/usr/sbin/clean-wg.sh"
+    mode: 0755
+
+- name: Add update-adlin script
+  template:
+    src: update-adlin
+    dest: /sbin/update-adlin
+    mode: 0755
+
+- name: Define authorized key for srs-deploy
+  ansible.posix.authorized_key:
+    user: srs-deploy
+    state: present
+    key: "{{ ssh_key_srs_deploy }}"
+
+- name: Ensure directory exists for receiving new builds
+  file:
+    path: "/var/lib/lxc/{{ ctr_name }}/rootfs/home/newbuilds"
+    owner: srs-deploy
+    state: directory
+
+- name: Ensure directory exists for receiving maatma error pages
+  file:
+    path: "/var/www/nemunai.re/adlin/.error-pages"
+    owner: srs-deploy
+    state: directory
+
+- name: Launch maatma container
+  service:
+    name: "lxc.{{ ctr_name }}"
+    state: started
+    enabled: true

tasks/networking.yml

@@ -0,0 +1,28 @@
+---
+- name: Install wg-tools on host
+  apk:
+    name:
+      - wireguard-tools-wg
+    state: present
+
+- name: Enable IPv6 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_file: /etc/sysctl.d/maatma.conf
+
+- name: ensure /etc/wireguard exists
+  file:
+    path: /etc/wireguard
+    state: directory
+
+- name: configure wg-adlin
+  template:
+    src: "wg.conf.j2"
+    dest: "/etc/wireguard/wg-adlin.conf"
+
+- name: enable wg-adlin
+  template:
+    src: networking.j2
+    dest: "/etc/network/interfaces.d/wg-adlin"
+  notify: restart networking

tasks/pkg.yml

@@ -0,0 +1,9 @@
+---
+- name: Install dependancies
+  apk:
+    name:
+      - lxc
+      - lxc-download
+      - py3-lxc
+      - xz
+    state: present