gaschz/ansible-qubes
1
0
Fork 0
mirror of https://github.com/Rudd-O/ansible-qubes.git synced 2025-03-01 14:22:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
ansible-qubes/doc/Enhance your Ansible with Ansible Qubes.md
Manuel Amador (Rudd-O) 782c557cb6 Update documentation to catch up with Qubes 4.1 policy changes.
2023-02-25 18:24:58 +00:00

3.0 KiB
Raw Blame History

Enhance your Ansible with Ansible Qubes

This set of instructions assumes that you:

  • are running within a Qubes OS system
  • have an AppVM already set up (we'll call it managevm)
  • have cloned this repository into that VM
  • have Ansible installed in that VM
  • have an Ansible setup already going on within that VM

Deploy the software to the right places

Integrate this software into your Ansible setup (within your managevm) VM) by:

  1. setting up a connections_plugin = <directory> in your ansible.cfg file, pointing it to a directory you control, then
  2. placing the qubes.py connection plugin in your Ansible connection_plugins directory as defined above, then
  3. placing the qrun and bombshell-client executables in one of two locations:
  • Anywhere on your Ansible machine's PATH.
  • In a ../../bin directory relative to the qubes.py file.

Set up the policy file for qubes.VMShell

Edit (as root) the file /etc/qubes/policy.d/80-ansible-qubes.policy located on the file system of your dom0.

At the top of the file, add the following two lines:

qubes.VMShell    *    managevm     *      allow

This first line lets managevm execute any commands on any VM on your system. You can also supply an ask policy instead of the allow policy specified above. Note that ask will make Qubes OS bother you every time you run commands (and Ansible plays) with the standard security prompt to allow qubes.VMShell on the target VM you're managing.

Now save that file, and exit your editor.

If your dom0 has a file /etc/qubes-rpc/policy/qubes.VMShell, you can delete it now. It is obsolete.

Optional: allow managevm to manage dom0

The next step is to add the RPC service proper to dom0. Edit the file /etc/qubes-rpc/qubes.VMShell to have a single line that contains:

exec bash

Make the file executable.

That is it. dom0 should work now. Note you do this at your own risk.

Test qrun works

Test that qrun does the job. In the VM where you integrated your Ansible setup, run:

path/to/qrun <some VM> hostname

This should immediately return with the hostname of <some VM>, indicating that qrun successfully invoked bombshell-client on it, requesting the execution of hostname in <some VM>.

Register VMs on your Ansible inventory

After having done that, you can add Qubes VMs to your Ansible hosts file:

# The next line declares a simple connection to a domU on the same system.
workvm          ansible_connection=qubes
# The next line has a parameter which indicates to Ansible to first
# connect to the domU SSH at 1.2.3.4 before attempting to use
# bombshell-client to manage other VMs on the same system.
# See README.md for pointers to enabling remote management of Qubes servers.
vmonremotehost  ansible_connection=qubes management_proxy=1.2.3.4

You are now free to run ansible-playbook or ansible against those hosts. So long as those programs can find your ansible.cfg file, and your hosts file, it will work.