updated preseed

This commit is contained in:
marito 2025-06-13 23:00:46 +08:00
parent 18449d13ea
commit f0b62a0b2a
3 changed files with 104 additions and 90 deletions


@ -25,7 +25,7 @@ This playbook automates the installation and setup of the **stable** version of
``` ```
* `--ask-become-pass`: This flag tells Ansible to prompt for the password needed for privilege escalation (`sudo`). * `--ask-become-pass`: This flag tells Ansible to prompt for the password needed for privilege escalation (`sudo`).
## Post-Installation Steps ## Post-Installation Instructions
After the playbook completes successfully: After the playbook completes successfully:
@ -45,7 +45,13 @@ After the playbook completes successfully:
incus --version incus --version
``` ```
3. **Access the Incus Web UI:** 3. **Enable and Access the Incus Web UI:**
Enable port 8443:
```bash
incus config set core.https_address "[::]:8443"
```
Access the Web UI at: Access the Web UI at:


@ -1,45 +1,32 @@
# This file contains the complete preseed configuration for Incus.
config: config:
core.https_address: :8443 # This is for global daemon configuration
networks: core.https_address: :8443 # We will set this here instead of a separate command
- config:
ipv4.address: 10.69.69.1/24
ipv4.nat: "true"
ipv6.address: fd42:4e03:3ced:c255::1/64
ipv6.nat: "true"
description: ""
name: incusbr0
type: bridge
project: default
storage_pools: storage_pools:
- config: - name: default
source: /var/lib/incus/storage-pools/default driver: zfs
description: "" config:
name: default source: /var/lib/incus/disks/default.img
driver: dir size: 20GiB
storage_volumes: [] zfs.pool_name: incus
networks:
- name: incusbr0
type: bridge
config:
ipv4.address: auto
ipv6.address: auto
profiles: profiles:
- config: {} - name: default
description: Default Incus profile
devices: devices:
eth0:
name: eth0
network: incusbr0
type: nic
root: root:
path: / path: /
pool: default pool: default
type: disk type: disk
name: default eth0:
project: "" name: eth0
projects: nictype: bridged
- config: parent: incusbr0
features.images: "true" type: nic
features.networks: "true"
features.networks.zones: "true"
features.profiles: "true"
features.storage.buckets: "true"
features.storage.volumes: "true"
description: Default Incus project
name: default
certificates: []
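Review bot: `core.https_address: :8443` in the new `config:` block binds the Incus HTTPS API and Web UI on every interface, while the README hunk in this same commit still tells users to run `incus config set core.https_address "[::]:8443"` by hand; one of the two should go, and the preseed line deserves a comment such as `# Exposes the REST API/Web UI on all interfaces; the playbook's UFW default-deny keeps it host-local unless 8443 is explicitly allowed, and remote clients still need a trusted certificate or token`. Quoting the value as `":8443"` would also avoid a plain scalar that begins with the `:` indicator. The switch to `driver: zfs` with a loop-file `source` needs the ZFS userspace tools on the host, which the playbook's package list in this commit does not appear to install — confirm the Zabbly `incus` package pulls them in, or add `zfsutils-linux` to that list. `size: 20GiB` is a hard-coded pool size and would read better with a comment stating it is a sparse loop file under `/var/lib/incus/disks` that can be tuned before the first run.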


@ -1,6 +1,7 @@
--- ---
- name: Install and Initialize Incus from Zabbly Stable Repository - name: Install and Initialize Incus from Zabbly Stable Repository
hosts: localhost hosts: localhost
connection: local
become: yes become: yes
vars: vars:
@ -11,14 +12,13 @@
repo_file: "/etc/apt/sources.list.d/zabbly-incus-stable.sources" repo_file: "/etc/apt/sources.list.d/zabbly-incus-stable.sources"
os_codename: "{{ ansible_lsb.codename }}" os_codename: "{{ ansible_lsb.codename }}"
arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}" arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
# Get the non-root user who invoked sudo for group membership
target_user: "{{ lookup('env', 'SUDO_USER') | default(lookup('env', 'USER'), true) }}"
tasks: tasks:
- name: Ensure required tools are installed - name: Ensure required tools are installed
apt: apt:
name: name: [curl, gnupg, lsb-release]
- curl
- gnupg
- lsb-release
state: present state: present
update_cache: yes update_cache: yes
@ -50,67 +50,88 @@
Components: main Components: main
Architectures: {{ arch }} Architectures: {{ arch }}
Signed-By: {{ keyring_gpg }} Signed-By: {{ keyring_gpg }}
register: repo_added
- name: Update APT cache - name: Update APT cache if repository was added
apt: apt:
update_cache: yes update_cache: yes
when: repo_added.changed
- name: Install Incus packages - name: Install Incus and UFW packages
apt: apt:
name: name: [incus, incus-client, incus-ui-canonical, ufw]
- incus
- incus-client
- incus-ui-canonical
state: present state: present
- name: Wait for incus daemon to be ready - name: Check if Incus is already initialized (by checking for default storage pool)
shell: | command: incus storage show default
until incus list &>/dev/null; do register: incus_check
sleep 1 failed_when: false
done changed_when: false
retries: 10
delay: 2
register: incus_ready
until: incus_ready.rc == 0
- name: Preseed network and storage - name: Initialize Incus daemon with preseed file (if not already initialized)
shell: incus admin init --preseed shell: "cat {{ playbook_dir }}/preseed-full.yml | incus admin init --preseed"
args: args:
chdir: "{{ playbook_dir }}" chdir: "{{ playbook_dir }}"
stdin: "{{ lookup('file', 'preseed-network-storage.yml') }}" when: incus_check.rc != 0
- name: Preseed profile and global config - name: Add target user to the incus-admin group for passwordless access
shell: incus admin init --preseed
args:
chdir: "{{ playbook_dir }}"
stdin: "{{ lookup('file', 'preseed-profile.yml') }}"
- name: Add current user to incus-admin group
user: user:
name: "{{ lookup('env', 'SUDO_USER') | default(lookup('env', 'USER'), true) }}" name: "{{ target_user }}"
groups: incus-admin groups: incus-admin
append: yes append: yes
- name: Ensure Incus listens on HTTPS port 8443 - name: Enable UFW and allow SSH to avoid getting locked out
command: incus config set core.https_address :8443 community.general.ufw:
state: enabled
policy: deny
rule: allow
name: OpenSSH
comment: 'Allow SSH to prevent lockout'
- name: Install UFW - name: Enable IP forwarding for UFW (required for container internet access)
apt: lineinfile:
name: ufw path: /etc/ufw/sysctl.conf
regexp: '^#?net/ipv4/ip_forward=1'
line: 'net/ipv4/ip_forward=1'
state: present state: present
notify: Reload UFW
- name: Enable UFW - name: Allow INCOMING traffic on the Incus bridge interface
command: ufw --force enable community.general.ufw:
rule: allow
interface: incusbr0
direction: in
comment: 'Allow incoming traffic to containers'
- name: Allow inbound traffic on incusbr0 - name: Allow OUTGOING traffic on the Incus bridge interface
command: ufw allow in on incusbr0 community.general.ufw:
rule: allow
interface: incusbr0
direction: out
comment: 'Allow outgoing traffic from containers'
- name: Allow routed inbound traffic on incusbr0 - name: Allow ROUTED INBOUND traffic on incusbr0
command: ufw route allow in on incusbr0 community.general.ufw:
route: yes
rule: allow
interface: incusbr0
direction: in
comment: 'Allow routed traffic into the container network'
- name: Allow routed outbound traffic on incusbr0 - name: Allow ROUTED OUTBOUND traffic on incusbr0
command: ufw route allow out on incusbr0 community.general.ufw:
route: yes
rule: allow
interface: incusbr0
direction: out
comment: 'Allow routed traffic out of the container network'
- name: "Post Installation Instructions" - name: Post Installation Instructions
debug: debug:
msg: "Post Installation Instructions: https://git.marmattheo.com/marmattheo/LXC-Incus-stable-playbook/src/branch/master/README.md" msg:
- "SUCCESS: Incus installation and configuration complete."
- "Post Installation Instructions: https://git.marmattheo.com/marmattheo/LXC-Incus-stable-playbook/src/branch/master/README.md"
handlers:
- name: Reload UFW
command: ufw reload
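Review bot: The readiness gate that the removed "Wait for incus daemon to be ready" task provided is gone, so the new "Check if Incus is already initialized" task's `rc != 0` cannot distinguish "no default pool" from "daemon not yet accepting connections", and on a freshly installed host the preseed may run, and fail, against an unready socket. Restore a retry loop before the check, and replace `shell: "cat {{ playbook_dir }}/preseed-full.yml | incus admin init --preseed"` with `command` plus the `stdin` argument the old tasks already used, which drops the shell pipeline and the unquoted `{{ playbook_dir }}` inside a command string. The "Add target user to the incus-admin group" task should carry a comment such as `# incus-admin members can launch privileged containers, which is root-equivalent on this host` since the task name only says "passwordless access". The `community.general.ufw` tasks need that collection installed on the controller; a `requirements.yml` or a README line would avoid a failed first run. `become: yes` and `route: yes` are YAML 1.1 truthy spellings; `true` is the portable form.
```yaml
    - name: Wait for the Incus daemon to accept connections
      command: incus list
      register: incus_ready
      until: incus_ready.rc == 0
      retries: 10
      delay: 2
      changed_when: false

    # … unchanged: "Check if Incus is already initialized" task …

    - name: Initialize Incus daemon with preseed file (if not already initialized)
      command: incus admin init --preseed
      args:
        stdin: "{{ lookup('file', 'preseed-full.yml') }}"
      when: incus_check.rc != 0
```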