updated preseed

2025-06-13 23:00:46 +08:00 · 2025-06-13 23:00:46 +08:00 · f0b62a0b2a
commit f0b62a0b2a
parent 18449d13ea
3 changed files with 104 additions and 90 deletions
--- a/README.md
+++ b/README.md
@ -25,7 +25,7 @@ This playbook automates the installation and setup of the **stable** version of
    ```
    *   `--ask-become-pass`: This flag tells Ansible to prompt for the password needed for privilege escalation (`sudo`).

-## Post-Installation Steps
+## Post-Installation Instructions

 After the playbook completes successfully:

@ -45,7 +45,13 @@ After the playbook completes successfully:
    incus --version
    ```

-3.  **Access the Incus Web UI:** 
+3.  **Enable and Access the Incus Web UI:**
+
+    Enable port 8443:
+
+    ```bash
+    incus config set core.https_address "[::]:8443"
+    ```

    Access the Web UI at:

--- a/init-preseed.yml
+++ b/init-preseed.yml
@ -1,45 +1,32 @@
+# This file contains the complete preseed configuration for Incus.
 config:
-  core.https_address: :8443
-networks:
- config:
-    ipv4.address: 10.69.69.1/24
-    ipv4.nat: "true"
-    ipv6.address: fd42:4e03:3ced:c255::1/64
-    ipv6.nat: "true"
-  description: ""
-  name: incusbr0
-  type: bridge
-  project: default
-storage_pools:
- config:
-    source: /var/lib/incus/storage-pools/default
-  description: ""
-  name: default
-  driver: dir
-storage_volumes: []
-profiles:
- config: {}
-  description: Default Incus profile
-  devices:
-    eth0:
-      name: eth0
-      network: incusbr0
-      type: nic
-    root:
-      path: /
-      pool: default
-      type: disk
-  name: default
-  project: ""
-projects:
- config:
-    features.images: "true"
-    features.networks: "true"
-    features.networks.zones: "true"
-    features.profiles: "true"
-    features.storage.buckets: "true"
-    features.storage.volumes: "true"
-  description: Default Incus project
-  name: default
-certificates: []
+  # This is for global daemon configuration
+  core.https_address: :8443 # We will set this here instead of a separate command

+storage_pools:
+  - name: default
+    driver: zfs
+    config:
+      source: /var/lib/incus/disks/default.img
+      size: 20GiB
+      zfs.pool_name: incus
+
+networks:
+  - name: incusbr0
+    type: bridge
+    config:
+      ipv4.address: auto
+      ipv6.address: auto
+
+profiles:
+  - name: default
+    devices:
+      root:
+        path: /
+        pool: default
+        type: disk
+      eth0:
+        name: eth0
+        nictype: bridged
+        parent: incusbr0
+        type: nic
--- a/playbook.yml
+++ b/playbook.yml
@ -1,6 +1,7 @@
 ---
 - name: Install and Initialize Incus from Zabbly Stable Repository
  hosts: localhost
+  connection: local
  become: yes

  vars:
@ -11,14 +12,13 @@
    repo_file: "/etc/apt/sources.list.d/zabbly-incus-stable.sources"
    os_codename: "{{ ansible_lsb.codename }}"
    arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
+    # Get the non-root user who invoked sudo for group membership
+    target_user: "{{ lookup('env', 'SUDO_USER') | default(lookup('env', 'USER'), true) }}"

  tasks:
    - name: Ensure required tools are installed
      apt:
-        name:
-          - curl
-          - gnupg
-          - lsb-release
+        name: [curl, gnupg, lsb-release]
        state: present
        update_cache: yes

@ -50,67 +50,88 @@
          Components: main
          Architectures: {{ arch }}
          Signed-By: {{ keyring_gpg }}
+      register: repo_added

-    - name: Update APT cache
+    - name: Update APT cache if repository was added
      apt:
        update_cache: yes
+      when: repo_added.changed

-    - name: Install Incus packages
+    - name: Install Incus and UFW packages
      apt:
-        name:
-          - incus
-          - incus-client
-          - incus-ui-canonical
+        name: [incus, incus-client, incus-ui-canonical, ufw]
        state: present

-    - name: Wait for incus daemon to be ready
-      shell: |
-        until incus list &>/dev/null; do
-          sleep 1
-        done
-      retries: 10
-      delay: 2
-      register: incus_ready
-      until: incus_ready.rc == 0
+    - name: Check if Incus is already initialized (by checking for default storage pool)
+      command: incus storage show default
+      register: incus_check
+      failed_when: false
+      changed_when: false

-    - name: Preseed network and storage
-      shell: incus admin init --preseed
+    - name: Initialize Incus daemon with preseed file (if not already initialized)
+      shell: "cat {{ playbook_dir }}/preseed-full.yml | incus admin init --preseed"
      args:
        chdir: "{{ playbook_dir }}"
-      stdin: "{{ lookup('file', 'preseed-network-storage.yml') }}"
+      when: incus_check.rc != 0

-    - name: Preseed profile and global config
-      shell: incus admin init --preseed
-      args:
-        chdir: "{{ playbook_dir }}"
-      stdin: "{{ lookup('file', 'preseed-profile.yml') }}"
-
-    - name: Add current user to incus-admin group
+    - name: Add target user to the incus-admin group for passwordless access
      user:
-        name: "{{ lookup('env', 'SUDO_USER') | default(lookup('env', 'USER'), true) }}"
+        name: "{{ target_user }}"
        groups: incus-admin
        append: yes

-    - name: Ensure Incus listens on HTTPS port 8443
-      command: incus config set core.https_address :8443
+    - name: Enable UFW and allow SSH to avoid getting locked out
+      community.general.ufw:
+        state: enabled
+        policy: deny
+        rule: allow
+        name: OpenSSH
+        comment: 'Allow SSH to prevent lockout'

-    - name: Install UFW
-      apt:
-        name: ufw
+    - name: Enable IP forwarding for UFW (required for container internet access)
+      lineinfile:
+        path: /etc/ufw/sysctl.conf
+        regexp: '^#?net/ipv4/ip_forward=1'
+        line: 'net/ipv4/ip_forward=1'
        state: present
+      notify: Reload UFW

-    - name: Enable UFW
-      command: ufw --force enable
+    - name: Allow INCOMING traffic on the Incus bridge interface
+      community.general.ufw:
+        rule: allow
+        interface: incusbr0
+        direction: in
+        comment: 'Allow incoming traffic to containers'

-    - name: Allow inbound traffic on incusbr0
-      command: ufw allow in on incusbr0
+    - name: Allow OUTGOING traffic on the Incus bridge interface
+      community.general.ufw:
+        rule: allow
+        interface: incusbr0
+        direction: out
+        comment: 'Allow outgoing traffic from containers'

-    - name: Allow routed inbound traffic on incusbr0
-      command: ufw route allow in on incusbr0
+    - name: Allow ROUTED INBOUND traffic on incusbr0
+      community.general.ufw:
+        route: yes
+        rule: allow
+        interface: incusbr0
+        direction: in
+        comment: 'Allow routed traffic into the container network'

-    - name: Allow routed outbound traffic on incusbr0
-      command: ufw route allow out on incusbr0
+    - name: Allow ROUTED OUTBOUND traffic on incusbr0
+      community.general.ufw:
+        route: yes
+        rule: allow
+        interface: incusbr0
+        direction: out
+        comment: 'Allow routed traffic out of the container network'

-    - name: "Post Installation Instructions"
+    - name: Post Installation Instructions
      debug:
-        msg: "Post Installation Instructions: https://git.marmattheo.com/marmattheo/LXC-Incus-stable-playbook/src/branch/master/README.md"
+        msg:
+          - "SUCCESS: Incus installation and configuration complete."
+          - "Post Installation Instructions: https://git.marmattheo.com/marmattheo/LXC-Incus-stable-playbook/src/branch/master/README.md"
+
+  handlers:
+    - name: Reload UFW
+      command: ufw reload