stackhpc
diff --git a/‎README.md
+87 b/‎README.md
+87
diff --git a/‎defaults/main.yml
+77 b/‎defaults/main.yml
+77
diff --git a/‎handlers/main.yml
+2-2 b/‎handlers/main.yml
+2-2
diff --git a/‎molecule/default/converge.yml
+5-5 b/‎molecule/default/converge.yml
+5-5
diff --git a/‎molecule/default/molecule.yml
+1-1 b/‎molecule/default/molecule.yml
+1-1
diff --git a/‎molecule/default/tests/__pycache__/conftest.cpython-39-pytest-7.1.2.pyc
1008 Bytes b/‎molecule/default/tests/__pycache__/conftest.cpython-39-pytest-7.1.2.pyc
1008 Bytes
diff --git a/‎molecule/default/tests/__pycache__/test_default.cpython-39-pytest-7.1.2.pyc
2.79 KB b/‎molecule/default/tests/__pycache__/test_default.cpython-39-pytest-7.1.2.pyc
2.79 KB
diff --git a/‎molecule/kvm/converge.yml
+5-5 b/‎molecule/kvm/converge.yml
+5-5
diff --git a/‎tasks/client-config.yml
+20 b/‎tasks/client-config.yml
+20
@@ -104,6 +104,93 @@ daemon. Default is `true`.
 `libvirt_host_install_client`: Whether to install and enable the libvirt
 client. Default is `true`.
 
+`libvirt_host_extra_daemon_packages`: List of additional packages to install on
+libvirt daemon hosts.
+
+`libvirt_host_extra_client_packages`: List of additional packages to install on
+libvirt client hosts.
+
+`libvirt_host_libvirtd_conf_enabled`: Whether to configure `libvirtd.conf`.
+Default is `true`.
+
+`libvirt_host_libvirtd_conf`: Configuration for `libvirtd.conf`. Dict mapping
+option names to values. Default is an empty dict.
+
+`libvirt_host_qemu_conf_enabled`: Whether to configure `qemu.conf`. Default is
+`true`.
+
+`libvirt_host_qemu_conf`: Configuration for `qemu.conf`. Dict mapping option
+names to values. Default is an empty dict.
+
+`libvirt_host_enable_sasl_support`: Whether to enable SASL authentication
+support. Default is `false`.
+
+`libvirt_host_sasl_conf_enabled`: Whether to configure SASL authentication
+(`/etc/sasl2/libvirt.conf`). Default is the same as
+`libvirt_host_enable_sasl_support`.
+
+`libvirt_host_sasl_conf`: Configuration for SASL authentication
+(`/etc/sasl2/libvirt.conf`). String.
+
+`libvirt_host_sasl_mech_list`: List of enabled libvirt SASL authentication
+mechanisms. Default is `["SCRAM-SHA-256"]` when `libvirt_host_tls_listen` is
+`true`, otherwise `["DIGEST-MD5"]`.
+
+`libvirt_host_sasl_credentials`: List of SASL authentication credentials to
+create.  Each item is a dict containing `username` and `password` items.
+Default is a single item list containing `libvirt_host_sasl_authname` and
+`libvirt_host_sasl_password`.
+
+`libvirt_host_sasl_authname`: Username for SASL authentication. Default is
+`libvirt`.
+
+`libvirt_host_sasl_password`: Password for SASL authentication. Default is
+unset.
+
+`libvirt_host_sasl_auth_conf_enabled`: Whether to configure SASL authentication
+credentials (`/etc/libvirt/auth.conf`). Default is the same as
+`libvirt_host_enable_sasl_support`.
+
+`libvirt_host_sasl_auth_conf`: Configuration for SASL authentication
+credentials (`/etc/libvirt/auth.conf`). String.
+
+`libvirt_host_sasl_auth_conf_filename`: Name of file to write SASL
+authentication credentials to. Default is `"/etc/libvirt/auth.conf"`.
+
+`libvirt_host_sasl_auth_conf_owner`: Owner of file to write SASL
+authentication credentials to. Default is `"root"`.
+
+`libvirt_host_sasl_auth_conf_group`: Group of file to write SASL
+authentication credentials to. Default is `"root"`.
+
+`libvirt_host_sasl_auth_conf_mode`: Mode of file to write SASL
+authentication credentials to. Default is `"0600"`.
+
+`libvirt_host_tcp_listen`: Whether to enable the systemd TCP socket unit.
+Default is `false`.
+
+`libvirt_host_tcp_listen_address`: Systemd TCP socket ListenStream. See man
+systemd.socket for format. Default is unset.
+
+`libvirt_host_tls_listen`: Whether to enable the systemd TLS socket unit.
+Default is `false`.
+
+`libvirt_host_tls_listen_address`: Systemd TLS socket ListenStream. See man
+systemd.socket for format. Default is unset.
+
+`libvirt_host_tls_server_cert`: TLS server certificate. Default is unset.
+
+`libvirt_host_tls_server_key`: TLS server key. Default is unset.
+
+`libvirt_host_tls_client_cert`: TLS client certificate. Default is unset.
+
+`libvirt_host_tls_client_key`: TLS client key. Default is unset.
+
+`libvirt_host_tls_cacert`: TLS CA certificate. Default is unset.
+
+`libvirt_host_configure_apparmor`: Whether to configure AppArmor for directory
+storage pools.
+
 Dependencies
 ------------
 
 
@@ -73,3 +73,80 @@ libvirt_host_install_daemon: true
 
 # Whether to install and enable the libvirt client.
 libvirt_host_install_client: true
+
+# List of additional packages to install on libvirt daemon hosts.
+libvirt_host_extra_daemon_packages: []
+
+# List of additional packages to install on libvirt client hosts.
+libvirt_host_extra_client_packages: []
+
+# Whether to configure libvirtd.conf.
+libvirt_host_libvirtd_conf_enabled: true
+# Configuration for libvirtd.conf. Dict mapping option names to values.
+libvirt_host_libvirtd_conf: {}
+
+# Whether to configure qemu.conf.
+libvirt_host_qemu_conf_enabled: true
+# Configuration for qemu.conf. Dict mapping option names to values.
+libvirt_host_qemu_conf: {}
+
+# Whether to enable SASL authentication support.
+libvirt_host_enable_sasl_support: false
+
+# Whether to configure SASL authentication (/etc/sasl2/libvirt.conf).
+libvirt_host_sasl_conf_enabled: "{{ libvirt_host_enable_sasl_support | bool }}"
+# Configuration for SASL authentication (/etc/sasl2/libvirt.conf). String.
+libvirt_host_sasl_conf: |
+  mech_list: {{ libvirt_host_sasl_mech_list | join(' ') }}
+  sasldb_path: /etc/libvirt/passwd.db
+# List of enabled libvirt SASL authentication mechanisms.
+libvirt_host_sasl_mech_list:
+  - "{{ 'SCRAM-SHA-256' if libvirt_host_tls_listen | bool else 'DIGEST-MD5' }}"
+
+# List of SASL authentication credentials to create. Each item is a dict
+# containing "username" and "password" items.
+libvirt_host_sasl_credentials:
+  - username: "{{ libvirt_host_sasl_authname }}"
+    password: "{{ libvirt_host_sasl_password }}"
+# Username for SASL authentication.
+libvirt_host_sasl_authname: libvirt
+# Password for SASL authentication.
+libvirt_host_sasl_password:
+
+# Whether to configure SASL authentication credentials (/etc/libvirt/auth.conf).
+libvirt_host_sasl_auth_conf_enabled: "{{ libvirt_host_enable_sasl_support | bool }}"
+# Configuration for SASL authentication credentials (/etc/libvirt/auth.conf). String.
+libvirt_host_sasl_auth_conf: |
+  [credentials-default]
+  authname={{ libvirt_host_sasl_authname }}
+  password={{ libvirt_host_sasl_password }}
+
+  [auth-libvirt-default]
+  credentials=default
+# Name of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_filename: "/etc/libvirt/auth.conf"
+# Owner of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_owner: "root"
+# Group of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_group: "root"
+# Mode of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_mode: "0600"
+
+# Whether to enable the systemd TCP socket unit.
+libvirt_host_tcp_listen: false
+# Systemd TCP socket ListenStream. See man systemd.socket for format.
+libvirt_host_tcp_listen_address:
+
+# Whether to enable the systemd TLS socket unit.
+libvirt_host_tls_listen: false
+# Systemd TLS socket ListenStream. See man systemd.socket for format.
+libvirt_host_tls_listen_address:
+# TLS server and client certificates.
+libvirt_host_tls_server_cert:
+libvirt_host_tls_server_key:
+libvirt_host_tls_client_cert:
+libvirt_host_tls_client_key:
+libvirt_host_tls_cacert:
+
+# Whether to configure AppArmor for directory storage pools.
+libvirt_host_configure_apparmor: "{{ libvirt_host_install_daemon | bool }}"
@@ -1,11 +1,11 @@
 ---
 
 - name: restart libvirt
-  service:
+  ansible.builtin.service:
     name: libvirtd
     state: restarted
   become: true
 
 - name: reload libvirt qemu apparmor profile template
-  command: apparmor_parser -r /etc/apparmor.d/libvirt/TEMPLATE.qemu
+  ansible.builtin.command: apparmor_parser -r /etc/apparmor.d/libvirt/TEMPLATE.qemu
   become: true
@@ -30,7 +30,7 @@
     - role: tcharl.ansible_role_libvirt_host
   tasks:
     - name: "Post converge - Install vagrant"
-      package:
+      ansible.builtin.package:
         name:
          - qemu
          - libvirt
@@ -46,27 +46,27 @@
       become: true
 
     - name: Start libvirtd
-      service:
+      ansible.builtin.service:
         name: libvirtd
         state: started
       become: true
 
     - name: Copy vagrant file
-      copy:
+      ansible.builtin.copy:
         src: Vagrantfile
         dest: /home/vagrant/Vagrantfile
         owner: vagrant
         group: vagrant
         mode: '0644'
 
     - name: Execute Vagrant as daemon
-      command:
+      ansible.builtin.command:
         cmd: "daemonize -e /home/vagrant/myvmerr.log -o /home/vagrant/myvm.log -c /home/vagrant -E VAGRANT_LOG=info /usr/bin/vagrant up --provider=libvirt"
         chdir: /home/vagrant
         creates: /home/vagrant/myvm.log
 
     - name: Wait until the string "auth" is in the vagrant log
-      wait_for:
+      ansible.builtin.wait_for:
         path: /home/vagrant/myvmerr.log
         search_regex: SSH\sis\sready
         timeout: 1800
@@ -12,7 +12,7 @@ lint: |
   set -e
   yamllint .
   flake8
-  ANSIBLE_ROLES_PATH=${MOLECULE_PROJECT_DIRECTORY}/../community ANSIBLE_COLLECTIONS_PATH=${MOLECULE_PROJECT_DIRECTORY}/../community-collections ansible-lint
+  ANSIBLE_ROLES_PATH=${MOLECULE_PROJECT_DIRECTORY}/..:${MOLECULE_PROJECT_DIRECTORY}/../community:${ANSIBLE_ROLES_PATH} ANSIBLE_COLLECTIONS_PATH=${MOLECULE_PROJECT_DIRECTORY}/../community-collections:${ANSIBLE_COLLECTIONS_PATH} ansible-lint
 platforms:
   - name: Fedora-Molecule-libvirt-host
     box: fedora/35-cloud-base
 
@@ -26,7 +26,7 @@
     - role: tcharl.ansible_role_libvirt_host
   tasks:
     - name: "Post converge - Install vagrant"
-      package:
+      ansible.builtin.package:
         name:
          - qemu
          - libvirt
@@ -42,27 +42,27 @@
       become: true
 
     - name: Start libvirtd
-      service:
+      ansible.builtin.service:
         name: libvirtd
         state: started
       become: true
 
     - name: Copy vagrant file
-      copy:
+      ansible.builtin.copy:
         src: Vagrantfile
         dest: /home/vagrant/Vagrantfile
         owner: vagrant
         group: vagrant
         mode: '0644'
 
     - name: Execute Vagrant as daemon
-      command:
+      ansible.builtin.command:
         cmd: "daemonize -e /home/vagrant/myvmerr.log -o /home/vagrant/myvm.log -c /home/vagrant -E VAGRANT_LOG=info /usr/bin/vagrant up --provider=libvirt"
         chdir: /home/vagrant
         creates: /home/vagrant/myvm.log
 
     - name: Wait until the string "auth" is in the vagrant log
-      wait_for:
+      ansible.builtin.wait_for:
         path: /home/vagrant/myvmerr.log
         search_regex: SSH\sis\sready
         timeout: 1800
@@ -0,0 +1,20 @@
+---
+- name: Ensure client configuration files exist
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  become: true
+  loop: "{{ _libvirt_client_config_files | selectattr('enabled') }}"
+  loop_control:
+    label: "{{ item.dest | basename }}"
+  vars:
+    _libvirt_client_config_files:
+      - src: auth.conf.j2
+        dest: "{{ libvirt_host_sasl_auth_conf_filename }}"
+        enabled: "{{ libvirt_host_sasl_auth_conf_enabled | bool }}"
+        owner: "{{ libvirt_host_sasl_auth_conf_owner }}"
+        group: "{{ libvirt_host_sasl_auth_conf_group }}"
+        mode: "{{ libvirt_host_sasl_auth_conf_mode }}"