initial playbook and roles for beaker virthosts

inventory/group_vars/beaker-virthosts

@@ -0,0 +1,7 @@
+---
+virthost: true
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+libvirt_remote_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsxg20+vmLTt/U23x6yBtxU6N2Ool8ddlC5TFwr3FktCM7hcxkQ/funJ3VD5v9iN7Qg09g2YsPaPTfvmOPOP4bzX+/Fk8vJJb5nVg++XbS80Uw62eofr8g68ZPf6IWLEBiZ8/hmumK3TxTmsj/jn17bZBFTcQL7sB7Q4y7TxODt+5W9/0mJTLXbKoCvV+BCpxEfokx+50vVcX5CxXLHdgrdhPzKHcBHKtX6d2W8xzFj2dCThgAXl5tULYI1xP0BYTOtG+RaTNQWme4JxNlQZB8xbCxN2U+e1NpZl1Hn7Y9MbRL+nLfMIuWNJjYzUTGP3o9m2Tl9RCc2nhuS652rjfcQ== tflink@imagebuilder.qa.fedoraproject.org'
+libvirt_user: "{{ beaker_libvirt_user }}"

inventory/inventory

@@ -7,6 +7,9 @@
 [beaker]
 beaker01.qa.fedoraproject.org
 
+[beaker-virthosts]
+qa02.qa.fedoraproject.org
+
 [qadevel]
 qadevel.qa.fedoraproject.org
 
@@ -614,7 +617,6 @@ virthost16.phx2.fedoraproject.org
 virthost17.phx2.fedoraproject.org
 virthost18.phx2.fedoraproject.org
 qa01.qa.fedoraproject.org
-qa02.qa.fedoraproject.org
 qa03.qa.fedoraproject.org
 qa04.qa.fedoraproject.org
 qa05.qa.fedoraproject.org

playbooks/groups/beaker-virthosts.yml

@@ -0,0 +1,37 @@
+# create a new beaker virthost server system
+# NOTE: should be used with --limit most of the time
+# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
+# This has an extra role that configures the virthost to be used with beaker for
+# virtual machine clients
+
+- name: make virthost server system
+  hosts: beaker-virthosts
+  user: root
+  gather_facts: True
+
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - { role: denyhosts, when: ansible_distribution_major_version != '7' }
+  - nagios_client
+  - hosts
+  - fas_client
+  - collectd/base
+  - { role: iscsi_client, when: datacenter == "phx2" }
+  - sudo
+  - { role: openvpn/client, when: datacenter != "phx2" }
+  - role: beaker/virthost
+
+  tasks:
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+  - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/virthost.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"

roles/beaker/virthost/files/polkit/10-libvirt.rules

@@ -0,0 +1,4 @@
+polkit.addRule(function (action, subject) {
+    if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("kvm"))
+        return polkit.Result.YES;
+});

roles/beaker/virthost/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: add libvirt remote user
+  user:
+    name: "{{ libvirt_user }}"
+    groups: kvm
+
+- name: add ssh key for libvirt remote user
+  authorized_key:
+    user: "{{ libvirt_user }}"
+    path: /home/{{ libvirtuser }}/.ssh/authorized_keys
+    key: "{{ libvirt_remote_pubkey }}"
+
+- name: add polkit rule for users in kvm group
+  copy:
+    src: polkit/10-libvirt.rules
+    dest: /etc/polkit-1/rules.d/10-libvirt.rules
+    owner: root
+    group: root
+    mode: 0644
+