Diffstat (limited to 'tasks')
-rw-r--r--tasks/dnsmasq_setup.yaml57
-rw-r--r--tasks/pve_configure.yaml17
-rw-r--r--tasks/pve_setup.yaml13
3 files changed, 70 insertions, 17 deletions
diff --git a/tasks/dnsmasq_setup.yaml b/tasks/dnsmasq_setup.yaml
new file mode 100644
index 0000000..a5863ba
--- /dev/null
+++ b/tasks/dnsmasq_setup.yaml
@@ -0,0 +1,57 @@
+- name: configure and enable dnsmasq if enabled
+ when: enable_dnsmasq | bool
+ block:
+ - name: install dnsmasq
+ apt:
+ name: dnsmasq
+ state: present
+ update_cache: true
+
+ - name: remove existing /etc/dnsmasq.d directory and all contents
+ file:
+ path: /etc/dnsmasq.d
+ state: absent
+
+ - name: recreate empty /etc/dnsmasq.d directory
+ file:
+ path: /etc/dnsmasq.d
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+ - name: deploy dnsmasq config from template
+ template:
+ src: vmbr1.conf.j2
+ dest: /etc/dnsmasq.d/vmbr1.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: ensure dnsmasq group exists
+ group:
+ name: dnsmasq
+ system: yes
+
+ - name: ensure dnsmasq user exists
+ user:
+ name: dnsmasq
+ group: dnsmasq
+ system: yes
+ create_home: no
+
+ - name: insert dhcp allow rules for vmbr1 into /etc/ufw/before.rules
+ blockinfile:
+ path: /etc/ufw/before.rules
+ block: |
+ -A ufw-before-input -i vmbr1 -p udp --dport 67 -j ACCEPT
+ -A ufw-before-output -o vmbr1 -p udp --sport 67 -j ACCEPT
+ marker: "# {mark} ANSIBLE MANAGED DHCP VMBR1 ALLOW RULES"
+ insertafter: '^# End required lines'
+
+ - name: enable and restart dnsmasq service
+ systemd:
+ name: dnsmasq
+ enabled: true
+ state: restarted
+ when: ansible_service_mgr == 'systemd'
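Review bot: The `blockinfile` task writes the DHCP allow rules into /etc/ufw/before.rules, but nothing in this file reloads ufw, so the rules stay inactive until something else reloads the firewall; add `register: ufw_dhcp_rules` to that task and follow it with a `command: ufw reload` task guarded by `when: ufw_dhcp_rules is changed`, or notify a handler. The final task uses `state: restarted` unconditionally, and the `/etc/dnsmasq.d` removal reports a change on every run, so each play interrupts DHCP/DNS for the guests. Driving the restart from the template task's change status would keep the play idempotent. vmbr1.conf.j2 is not part of this diff, so confirm it limits dnsmasq to the bridge (`interface=vmbr1` together with `bind-interfaces`). The firewall rules added here cover only UDP 67 on vmbr1, and dnsmasq otherwise listens for DNS on every interface.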
diff --git a/tasks/pve_configure.yaml b/tasks/pve_configure.yaml
index bbc9abc..c19964a 100644
--- a/tasks/pve_configure.yaml
+++ b/tasks/pve_configure.yaml
@@ -132,20 +132,3 @@
- name: add user to admin group
command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
register: add_to_group
-
-- name: ensure /etc/pve/priv directory exists
- file:
- path: /etc/pve/priv
- state: directory
- mode: '0700'
- owner: root
- group: root
-
-- name: copy /root/.ssh/authorized_keys to /etc/pve/priv/authorized_keys
- copy:
- src: /root/.ssh/authorized_keys
- dest: /etc/pve/priv/authorized_keys
- owner: root
- group: root
- mode: '0600'
- remote_src: true
diff --git a/tasks/pve_setup.yaml b/tasks/pve_setup.yaml
index 9de9489..28fb8bc 100644
--- a/tasks/pve_setup.yaml
+++ b/tasks/pve_setup.yaml
@@ -97,6 +97,19 @@
register: grub_update
changed_when: "'Generating grub configuration file' in grub_update.stdout"
+- name: block all generic linux-image and linux-headers (non-pve)
+ copy:
+ dest: /etc/apt/preferences.d/no-debian-kernel
+ content: |
+ Package: linux-image-*
+ Pin: release *
+ Pin-Priority: -1
+
+ Package: linux-headers-*
+ Pin: release *
+ Pin-Priority: -1
+ mode: '0644'
+
- name: remove problematic apt packages for pve
apt:
name: "{{ apt_packages_to_remove }}"
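Review bot: The `copy` task for /etc/apt/preferences.d/no-debian-kernel only stops apt from installing `linux-image-*` and `linux-headers-*` in future; a negative pin does not remove a Debian kernel that is already installed. Whether that happens depends on `apt_packages_to_remove` in the following task, whose contents are not visible in this hunk, so confirm the two agree. The file is written without `owner: root` and `group: root`, unlike the other managed files in this change, and carries no hint of why the pin exists. Adding those two keys and an `Explanation: Proxmox ships its own kernel; keep Debian kernels out (managed by Ansible)` line at the top of each record would make it self-describing. Checking the result once with `apt-cache policy linux-image-amd64` on a target host would confirm that the `Pin: release *` form is matched as intended.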