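---
# Playbook for the "dnagw" gateway guest: first builds the VM via the shared
# KVM deploy playbook, then configures the gateway services on it
# (dhcpd, nginx, tftp/PXE boot for OpenBSD installs, unbound DNS).

- name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: dnagw

- name: Configure instance
  hosts: dnagw
  # "user" is a legacy play-keyword alias that Ansible rewrites to remote_user
  # at parse time; the canonical keyword is used here (same effect).
  remote_user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  roles:
    - base
    - ifstated
    - dhcpd
    - nginx/server
    - role: nginx_site
      site: gw.home.foo.sh
    - tftp
    - websockify

  tasks:
    # The gateway keeps its own resolver settings: dhclient must not overwrite
    # the configured nameservers / domain.
    - name: Use configured dns servers and domain name
      ansible.builtin.copy:
        dest: /etc/dhclient.conf
        content: "ignore domain-name-servers, domain-name;\n"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: Disable resolvd
      ansible.builtin.service:
        name: resolvd
        state: stopped
        enabled: false

    # Router function: forward both IPv4 and IPv6. sysctl_set applies the value
    # at runtime as well as persisting it.
    - name: Enable ip forwarding
      ansible.posix.sysctl:
        name: "{{ item }}"
        sysctl_set: true
        value: "1"
      loop:
        - net.inet.ip.forwarding
        - net.inet6.ip6.forwarding

    # Interface handlers notified by the roles above are flushed now so the
    # addresses exist before the services below bind to them.
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers

    - name: Create tftp boot directories
      ansible.builtin.file:
        path: /srv/tftpboot/etc
        state: directory
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"

    # Serial-console boot into the install ramdisk fetched over tftp.
    - name: Create tftp boot config for OpenBSD installs
      ansible.builtin.copy:
        dest: /srv/tftpboot/etc/boot.conf
        content: |
          stty com0 115200
          set tty com0
          boot tftp:bsd.rd
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    # Boot artifacts are pinned by checksum so a changed or tampered mirror
    # file fails the task instead of being served to installing hosts.
    # NOTE(review): these pins are SHA-1; the OpenBSD release directory also
    # publishes a signify-signed SHA256 file — prefer
    # checksum: "sha256:<value from the 7.3/amd64 SHA256 file>" when updating.
    - name: Create tftp pxeboot loader for OpenBSD installs
      ansible.builtin.get_url:
        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot"
        checksum: "sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d"
        dest: /srv/tftpboot/pxeboot
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: Create tftp ramdisk for OpenBSD installs
      ansible.builtin.get_url:
        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd"
        checksum: "sha1:72b46ad8e97b2082d145a739264e818dcd154021"
        dest: /srv/tftpboot/bsd.rd
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    # The autoinstall answer file is fetched over HTTPS and pinned like the
    # boot images; it is then served to the internal network by nginx below.
    - name: Create install.conf for OpenBSD installs
      ansible.builtin.get_url:
        url: "https://boot.foo.sh/openbsd/install.conf"
        checksum: "sha1:f6270708dad3f759df02eefeab300d9b8670f3d4"
        dest: /srv/tftpboot/install.conf
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    # Plain-HTTP vhost on the internal address that exposes exactly one path,
    # /install.conf, for the installer; everything else is denied.
    # NOTE(review): the file is named after 172.20.20.1 but listens on
    # 172.20.20.10 — confirm which address is intended.
    - name: Copy custom to allow plaint http access with internal IP
      ansible.builtin.copy:
        dest: /etc/nginx/conf.d/172.20.20.1.conf
        content: |
          server {
            listen 172.20.20.10:80;
            server_name 172.20.20.10;
            access_log /var/www/logs/172.20.20.10.access.log combined;
            error_log /var/www/logs/172.20.20.10.error.log warn;
            location / {
              location /install.conf {
                alias /srv/tftpboot/install.conf;
              }
              location / {
                deny all;
              }
            }
          }
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart nginx

    # DNS-over-TLS material for unbound: a Let's Encrypt certificate is used
    # when present, otherwise the host certificate from the internal CA.
    # The private key is root-only (0600); the certificate chain is public.
    - name: Copy DNS private key
      ansible.builtin.copy:
        dest: "{{ tls_private }}/dns.home.foo.sh.key"
        src: "{{ item }}"
        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
        - "/srv/ca/private/{{ inventory_hostname }}.key"
      tags: certificates
      notify: Restart unbound

    - name: Copy DNS certificate and ca cert
      ansible.builtin.copy:
        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
        src: "{{ item }}"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
      tags: certificates
      notify: Restart unbound

    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/unbound/db/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: Restart unbound
      loop:
        - 20.172.in-addr.arpa
        - home.foo.sh

    # Static import: the role's handlers (presumably including
    # "Restart unbound", notified by the tasks above) are resolved at parse
    # time, so they are available even though the import comes last.
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound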