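---
# Installs Incus from the Zabbly "stable" APT repository on the local host,
# initialises the daemon from a preseed script, and configures UFW so the
# host stays reachable over SSH while containers on the Incus bridge keep
# network access.
#
# Changes against the previous revision:
#   * os_codename uses ansible_distribution_release instead of
#     ansible_lsb.codename. ansible_lsb is only populated when lsb-release
#     is present at fact-gathering time; this play installs lsb-release in a
#     task, which is too late for the already-gathered facts, so the repo
#     task could fail with an undefined variable on a fresh host.
#   * The "allow OpenSSH" rule is committed in its own task *before* the
#     firewall is enabled, so the anti-lockout rule no longer depends on the
#     order in which the ufw module applies rule/policy/state within a
#     single task.
#   * The UFW reload handler uses the ufw module's `state: reloaded` rather
#     than a raw `ufw reload` command, so it is idempotent and reported
#     consistently with the other firewall tasks.
#   * Booleans written as true/false; builtin modules use their FQCN to match
#     the community.general.ufw usage.
- name: Install and Initialize Incus from Zabbly Stable Repository
  hosts: localhost
  become: true
  vars:
    zabbly_key_url: "https://pkgs.zabbly.com/key.asc"
    keyring_dir: "/etc/apt/keyrings"
    keyring_asc: "/etc/apt/keyrings/zabbly.asc"
    keyring_gpg: "/etc/apt/keyrings/zabbly.gpg"
    repo_file: "/etc/apt/sources.list.d/zabbly-incus-stable.sources"
    # Distribution codename (e.g. bookworm) from the standard facts; does not
    # require lsb-release to be installed before facts are gathered.
    os_codename: "{{ ansible_distribution_release }}"
    # Map the uname architecture to the Debian/APT architecture name.
    arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
    # The user who invoked sudo (falls back to USER when not run via sudo);
    # this account is granted incus-admin membership below.
    target_user: "{{ lookup('env', 'SUDO_USER') | default(lookup('env', 'USER'), true) }}"

  tasks:
    - name: Ensure required tools are installed
      ansible.builtin.apt:
        name:
          - curl
          - gnupg
          - lsb-release
        state: present
        update_cache: true

    - name: Ensure ZFS support is installed
      ansible.builtin.apt:
        name: zfsutils-linux
        state: present

    - name: Create APT keyring directory
      ansible.builtin.file:
        path: "{{ keyring_dir }}"
        state: directory
        mode: "0755"

    # The key is fetched over HTTPS only; trust rests on the TLS connection.
    # To pin it, add `checksum: "sha256:<EXPECTED_KEY_SHA256>"` once the
    # expected digest has been verified out of band.
    - name: Download Zabbly GPG key (ASCII)
      ansible.builtin.get_url:
        url: "{{ zabbly_key_url }}"
        dest: "{{ keyring_asc }}"
        mode: "0644"

    # `creates` keeps this idempotent: gpg is skipped once the binary keyring
    # exists.
    - name: Convert ASCII key to GPG format
      ansible.builtin.command: gpg --dearmor -o "{{ keyring_gpg }}" "{{ keyring_asc }}"
      args:
        creates: "{{ keyring_gpg }}"

    # deb822-style source entry; Signed-By restricts this repo to the Zabbly
    # key so the system-wide trusted keyring is not widened.
    - name: Add Zabbly Incus Stable APT repository
      ansible.builtin.copy:
        dest: "{{ repo_file }}"
        content: |
          Enabled: yes
          Types: deb
          URIs: https://pkgs.zabbly.com/incus/stable
          Suites: {{ os_codename }}
          Components: main
          Architectures: {{ arch }}
          Signed-By: {{ keyring_gpg }}
      register: repo_added

    - name: Update APT cache if repository was added
      ansible.builtin.apt:
        update_cache: true
      when: repo_added.changed

    - name: Install Incus and UFW packages
      ansible.builtin.apt:
        name:
          - incus
          - incus-client
          - incus-ui-canonical
          - ufw
        state: present

    # A non-zero rc means no "default" storage pool exists, which this play
    # treats as "daemon not yet initialised".
    - name: Check if Incus is already initialized (by checking for default storage pool)
      ansible.builtin.command: incus storage show default
      register: incus_check
      failed_when: false
      changed_when: false

    # init-incus.sh lives next to the playbook and is expected to feed a
    # preseed to `incus admin init`; its contents are not part of this file.
    - name: Initialize Incus daemon with preseed file (if not already initialized)
      ansible.builtin.script: init-incus.sh
      args:
        chdir: "{{ playbook_dir }}"
      when: incus_check.rc != 0

    # incus-admin grants full control of the daemon (root-equivalent on the
    # host); membership takes effect on the user's next login.
    - name: Add target user to the incus-admin group for passwordless access
      ansible.builtin.user:
        name: "{{ target_user }}"
        groups: incus-admin
        append: true

    # The SSH allow rule is written first, as its own task, so it is in
    # place before the firewall is switched on.
    - name: Allow SSH before enabling UFW to avoid getting locked out
      community.general.ufw:
        rule: allow
        name: OpenSSH
        comment: 'Allow SSH to prevent lockout'

    - name: Enable UFW with a default deny policy
      community.general.ufw:
        state: enabled
        policy: deny

    # Containers need the host to forward packets; ufw re-applies this file
    # on reload, hence the handler.
    - name: Enable IP forwarding for UFW (required for container internet access)
      ansible.builtin.lineinfile:
        path: /etc/ufw/sysctl.conf
        regexp: '^#?net/ipv4/ip_forward=1'
        line: 'net/ipv4/ip_forward=1'
        state: present
      notify: Reload UFW

    # The bridge name incusbr0 is assumed to match the preseed used by
    # init-incus.sh; confirm if the preseed names the bridge differently.
    # These rules open the bridge in both directions and for routed traffic,
    # i.e. containers are not isolated from the host or from each other.
    - name: Allow INCOMING traffic on the Incus bridge interface
      community.general.ufw:
        rule: allow
        interface: incusbr0
        direction: in
        comment: 'Allow incoming traffic to containers'

    - name: Allow OUTGOING traffic on the Incus bridge interface
      community.general.ufw:
        rule: allow
        interface: incusbr0
        direction: out
        comment: 'Allow outgoing traffic from containers'

    - name: Allow ROUTED INBOUND traffic on incusbr0
      community.general.ufw:
        route: true
        rule: allow
        interface: incusbr0
        direction: in
        comment: 'Allow routed traffic into the container network'

    - name: Allow ROUTED OUTBOUND traffic on incusbr0
      community.general.ufw:
        route: true
        rule: allow
        interface: incusbr0
        direction: out
        comment: 'Allow routed traffic out of the container network'

    - name: Post Installation Instructions
      ansible.builtin.debug:
        msg:
          - "SUCCESS: Incus installation and configuration complete."
          - "Post Installation Instructions: https://git.marmattheo.com/marmattheo/LXC-Incus-stable-playbook/src/branch/master/README.md"

  handlers:
    # Reload (not restart) keeps existing connections and re-reads
    # /etc/ufw/sysctl.conf.
    - name: Reload UFW
      community.general.ufw:
        state: reloaded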