veza/ansible/roles/incus/tasks/main.yml

---
# file: roles/incus/tasks/main.yml

- name: "/etc/apt/sources.list.d/zabbly.sources"
  ansible.builtin.deb822_repository:
    name: zabbly
    types: deb
    uris: "https://pkgs.zabbly.com/incus/{{ incus_repository }}"
    suites: "{{ ansible_distribution_release }}"
    components: main
    architectures: amd64
    signed_by: https://pkgs.zabbly.com/key.asc
  register: incus_repository_out
  tags: incus

- name: "apt pin incus version"
  ansible.builtin.copy:
    content: |
      Package: incus*
      Pin: version {{ incus_version_epoch }}:{{ incus_version }}*
      Pin-Priority: 999
    dest: "/etc/apt/preferences.d/incus"
  register: incus_pin_out
  when: incus_version is defined
  tags: incus

- name: "apt update"
  ansible.builtin.apt:
    update_cache: true
  when: incus_repository_out.changed or incus_pin_out.changed
  tags: incus

- name: "install needed packages: bridge-utils and ifenslave for the network, jq/curl for monitoring and apparmor for security"
  ansible.builtin.apt:
    name:
      - bridge-utils
      - ifenslave
      - apparmor
      - curl
  tags: incus

- name: "install incus (and upgrade if incus_version is defined and incus_update_now)"
  ansible.builtin.apt:
    name:
      - incus
    state: "{{ 'latest' if incus_version is defined and incus_update_now else 'present' }}"
  tags: incus

- name: "/etc/sysctl.conf tunable that should alway be set"
  ansible.posix.sysctl:
    name: "{{ item['name'] }}"
    value: "{{ item['value'] }}"
  loop:
    - { 'name': 'fs.aio-max-nr', 'value': '524288' }
    - { 'name': 'fs.inotify.max_queued_events', 'value': '1048576' }
    - { 'name': 'fs.inotify.max_user_instances', 'value': '1048576' }
    - { 'name': 'fs.inotify.max_user_watches', 'value': '1048576' }
    - { 'name': 'kernel.dmesg_restrict', 'value': '1' }
    - { 'name': 'kernel.keys.maxbytes', 'value': '2000000' }
    - { 'name': 'kernel.keys.maxkeys', 'value': '2000' }
    - { 'name': 'vm.max_map_count', 'value': '262144' }
    - { 'name': 'net.core.bpf_jit_limit', 'value': '1000000000' }
    - { 'name': 'net.ipv4.neigh.default.gc_thresh3', 'value': '8192' }
    - { 'name': 'net.ipv6.neigh.default.gc_thresh3', 'value': '8192' }
  tags:
    - incus
    - sysctl

- name: "incus dataset"
  community.general.zfs:
    name: "{{ incus_zfs_root_dataset }}"
    state: present
    extra_zfs_properties:
      mountpoint: legacy
  when: incus_zfs_backend
  tags: incus

- name: "set default incus_ip"
  ansible.builtin.set_fact:
    incus_ip: "[::]"
  when: incus_ip is not defined
  tags: incus

- name: "dump current admin init"
  ansible.builtin.command: "/usr/bin/incus admin init --dump"
  register: incus_admin_init_dump
  changed_when: false
  check_mode: false
  tags: incus

- name: "display current incus configuration"
  ansible.builtin.debug:
    var: incus_admin_init_dump.stdout
    verbosity: 1
  tags: incus

- name: "set configuration if first standalone install"
  ansible.builtin.shell: 'echo "{{ incus_standalone_init_yaml }}" | /usr/bin/incus admin init --preseed'
  when:
    - incus_admin_init_dump.stdout == incus_yaml_unconfigured
    - incus_cluster_name is not defined
  tags: incus

- name: "install cluster"
  ansible.builtin.import_tasks: cluster.yml
  when: incus_cluster_name is defined
  tags: incus

- name: "incus profiles"
  ansible.builtin.import_tasks: profiles.yml
  when: incus_cluster_name is not defined
  tags:
    - incus
    - incus_profiles

- name: "administration scripts"
  ansible.builtin.import_tasks: scripts.yml
  tags:
    - incus
    - incus_scripts

- name: "handle /etc/subuid"
  ansible.builtin.lineinfile:
    path: "/etc/subuid"
    line: "root:{{ item }}:1"
  loop: "{{ incus_subuid_list }}"
  when: incus_subuid_list is defined
  tags: incus

- name: "handle /etc/subgid"
  ansible.builtin.lineinfile:
    path: "/etc/subgid"
    line: "root:{{ item }}:1"
  loop: "{{ incus_subgid_list }}"
  when: incus_subgid_list is defined
  tags: incus

- name: "get and set https_address"
  ansible.builtin.include_tasks:
    file: get_and_set.yml
    apply:
      tags:
        - incus
  loop:
    - { section: config, key: "core.https_address", value: "{{ incus_ip }}:8443" }
  tags: incus

- name: "get and set core.bgp_*"
  ansible.builtin.include_tasks:
    file: get_and_set.yml
    apply:
      tags:
        - incus
  loop:
    - { section: config, key: "core.bgp_address", value: "{{ incus_ip }}:179" }
    - { section: config, key: "core.bgp_asn", value: "{{ incus_bgp_asn }}" }
    - { section: config, key: "core.bgp_routerid", value: "{{ incus_ip }}" }
  when: incus_bgp_asn is defined
  tags: incus

- name: "incus trust configuration via openssl certificates"
  ansible.builtin.import_tasks: trust.yml
  when:
    - incus_trust_list is defined
    - incus_cluster_name is not defined or (incus_cluster_name is defined and ansible_hostname == incus_cluster_main_name)
  tags:
    - incus
    - incus_trust

- name: "cosinfo"
  ansible.builtin.import_tasks: cosinfo.yml
  tags:
    - incus
    - cosinfo
BASE: completing the initial repo state 2025-12-03 21:56:50 +00:00			`---`
			`# file: roles/incus/tasks/main.yml`

			`- name: "/etc/apt/sources.list.d/zabbly.sources"`
			`ansible.builtin.deb822_repository:`
			`name: zabbly`
			`types: deb`
			`uris: "https://pkgs.zabbly.com/incus/{{ incus_repository }}"`
			`suites: "{{ ansible_distribution_release }}"`
			`components: main`
			`architectures: amd64`
			`signed_by: https://pkgs.zabbly.com/key.asc`
			`register: incus_repository_out`
			`tags: incus`

			`- name: "apt pin incus version"`
			`ansible.builtin.copy:`
			`content: \|`
			`Package: incus*`
			`Pin: version {{ incus_version_epoch }}:{{ incus_version }}*`
			`Pin-Priority: 999`
			`dest: "/etc/apt/preferences.d/incus"`
			`register: incus_pin_out`
			`when: incus_version is defined`
			`tags: incus`

			`- name: "apt update"`
			`ansible.builtin.apt:`
			`update_cache: true`
			`when: incus_repository_out.changed or incus_pin_out.changed`
			`tags: incus`

			`- name: "install needed packages: bridge-utils and ifenslave for the network, jq/curl for monitoring and apparmor for security"`
			`ansible.builtin.apt:`
			`name:`
			`- bridge-utils`
			`- ifenslave`
			`- apparmor`
			`- curl`
			`tags: incus`

			`- name: "install incus (and upgrade if incus_version is defined and incus_update_now)"`
			`ansible.builtin.apt:`
			`name:`
			`- incus`
			`state: "{{ 'latest' if incus_version is defined and incus_update_now else 'present' }}"`
			`tags: incus`

			`- name: "/etc/sysctl.conf tunable that should alway be set"`
			`ansible.posix.sysctl:`
			`name: "{{ item['name'] }}"`
			`value: "{{ item['value'] }}"`
			`loop:`
			`- { 'name': 'fs.aio-max-nr', 'value': '524288' }`
			`- { 'name': 'fs.inotify.max_queued_events', 'value': '1048576' }`
			`- { 'name': 'fs.inotify.max_user_instances', 'value': '1048576' }`
			`- { 'name': 'fs.inotify.max_user_watches', 'value': '1048576' }`
			`- { 'name': 'kernel.dmesg_restrict', 'value': '1' }`
			`- { 'name': 'kernel.keys.maxbytes', 'value': '2000000' }`
			`- { 'name': 'kernel.keys.maxkeys', 'value': '2000' }`
			`- { 'name': 'vm.max_map_count', 'value': '262144' }`
			`- { 'name': 'net.core.bpf_jit_limit', 'value': '1000000000' }`
			`- { 'name': 'net.ipv4.neigh.default.gc_thresh3', 'value': '8192' }`
			`- { 'name': 'net.ipv6.neigh.default.gc_thresh3', 'value': '8192' }`
			`tags:`
			`- incus`
			`- sysctl`

			`- name: "incus dataset"`
			`community.general.zfs:`
			`name: "{{ incus_zfs_root_dataset }}"`
			`state: present`
			`extra_zfs_properties:`
			`mountpoint: legacy`
			`when: incus_zfs_backend`
			`tags: incus`

			`- name: "set default incus_ip"`
			`ansible.builtin.set_fact:`
			`incus_ip: "[::]"`
			`when: incus_ip is not defined`
			`tags: incus`

			`- name: "dump current admin init"`
			`ansible.builtin.command: "/usr/bin/incus admin init --dump"`
			`register: incus_admin_init_dump`
			`changed_when: false`
			`check_mode: false`
			`tags: incus`

			`- name: "display current incus configuration"`
			`ansible.builtin.debug:`
			`var: incus_admin_init_dump.stdout`
			`verbosity: 1`
			`tags: incus`

			`- name: "set configuration if first standalone install"`
			`ansible.builtin.shell: 'echo "{{ incus_standalone_init_yaml }}" \| /usr/bin/incus admin init --preseed'`
			`when:`
			`- incus_admin_init_dump.stdout == incus_yaml_unconfigured`
			`- incus_cluster_name is not defined`
			`tags: incus`

			`- name: "install cluster"`
			`ansible.builtin.import_tasks: cluster.yml`
			`when: incus_cluster_name is defined`
			`tags: incus`

			`- name: "incus profiles"`
			`ansible.builtin.import_tasks: profiles.yml`
			`when: incus_cluster_name is not defined`
			`tags:`
			`- incus`
			`- incus_profiles`

			`- name: "administration scripts"`
			`ansible.builtin.import_tasks: scripts.yml`
			`tags:`
			`- incus`
			`- incus_scripts`

			`- name: "handle /etc/subuid"`
			`ansible.builtin.lineinfile:`
			`path: "/etc/subuid"`
			`line: "root:{{ item }}:1"`
			`loop: "{{ incus_subuid_list }}"`
			`when: incus_subuid_list is defined`
			`tags: incus`

			`- name: "handle /etc/subgid"`
			`ansible.builtin.lineinfile:`
			`path: "/etc/subgid"`
			`line: "root:{{ item }}:1"`
			`loop: "{{ incus_subgid_list }}"`
			`when: incus_subgid_list is defined`
			`tags: incus`

			`- name: "get and set https_address"`
			`ansible.builtin.include_tasks:`
			`file: get_and_set.yml`
			`apply:`
			`tags:`
			`- incus`
			`loop:`
			`- { section: config, key: "core.https_address", value: "{{ incus_ip }}:8443" }`
			`tags: incus`

			`- name: "get and set core.bgp_*"`
			`ansible.builtin.include_tasks:`
			`file: get_and_set.yml`
			`apply:`
			`tags:`
			`- incus`
			`loop:`
			`- { section: config, key: "core.bgp_address", value: "{{ incus_ip }}:179" }`
			`- { section: config, key: "core.bgp_asn", value: "{{ incus_bgp_asn }}" }`
			`- { section: config, key: "core.bgp_routerid", value: "{{ incus_ip }}" }`
			`when: incus_bgp_asn is defined`
			`tags: incus`

			`- name: "incus trust configuration via openssl certificates"`
			`ansible.builtin.import_tasks: trust.yml`
			`when:`
			`- incus_trust_list is defined`
			`- incus_cluster_name is not defined or (incus_cluster_name is defined and ansible_hostname == incus_cluster_main_name)`
			`tags:`
			`- incus`
			`- incus_trust`

			`- name: "cosinfo"`
			`ansible.builtin.import_tasks: cosinfo.yml`
			`tags:`
			`- incus`
			`- cosinfo`