Support systemd TCP and TLS sockets

Adds support for Systemd TCP and TLS sockets. These Systemd services
open a socket which is passed to libvirtd.

Author: markgoddard

README.md

@@ -115,6 +115,28 @@ option names to values. Default is an empty dict.
 `libvirt_host_qemu_conf`: Configuration for `qemu.conf`. Dict mapping option
 names to values. Default is an empty dict.
 
+`libvirt_host_tcp_listen`: Whether to enable the systemd TCP socket unit.
+Default is `false`.
+
+`libvirt_host_tcp_listen_address`: Systemd TCP socket ListenStream. See man
+systemd.socket for format. Default is unset.
+
+`libvirt_host_tls_listen`: Whether to enable the systemd TLS socket unit.
+Default is `false`.
+
+`libvirt_host_tls_listen_address`: Systemd TLS socket ListenStream. See man
+systemd.socket for format. Default is unset.
+
+`libvirt_host_tls_server_cert`: TLS server certificate. Default is unset.
+
+`libvirt_host_tls_server_key`: TLS server key. Default is unset.
+
+`libvirt_host_tls_client_cert`: TLS client certificate. Default is unset.
+
+`libvirt_host_tls_client_key`: TLS client key. Default is unset.
+
+`libvirt_host_tls_cacert`: TLS CA certificate. Default is unset.
+
 Dependencies
 ------------
 

defaults/main.yml

@@ -83,3 +83,19 @@ libvirt_host_libvirtd_conf: {}
 libvirt_host_qemu_conf_enabled: true
 # Configuration for qemu.conf. Dict mapping option names to values.
 libvirt_host_qemu_conf: {}
+
+# Whether to enable the systemd TCP socket unit.
+libvirt_host_tcp_listen: false
+# Systemd TCP socket ListenStream. See man systemd.socket for format.
+libvirt_host_tcp_listen_address:
+
+# Whether to enable the systemd TLS socket unit.
+libvirt_host_tls_listen: false
+# Systemd TLS socket ListenStream. See man systemd.socket for format.
+libvirt_host_tls_listen_address:
+# TLS server and client certificates.
+libvirt_host_tls_server_cert:
+libvirt_host_tls_server_key:
+libvirt_host_tls_client_cert:
+libvirt_host_tls_client_key:
+libvirt_host_tls_cacert:

handlers/main.yml

@@ -1,9 +1,34 @@
 ---
 
-- name: restart libvirt
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+  become: true
+
+# The socket units cannot be stopped or started if libvirt is running.
+- name: stop libvirt
+  service:
+    name: libvirtd
+    state: stopped
+  become: true
+  listen:
+    - restart libvirt
+
+- name: start libvirtd sockets
+  service:
+    name: "{{ item.service }}"
+    state: "{{ item.enabled | bool | ternary('started', 'stopped') }}"
+  become: true
+  loop: "{{ _libvirt_socket_services }}"
+  loop_control:
+    label: "{{ item.service }}"
+  listen:
+    - restart libvirt
+
+- name: start libvirt
   service:
     name: libvirtd
-    state: restarted
+    state: started
   become: true
 
 - name: reload libvirt qemu apparmor profile template

tasks/config.yml

@@ -43,12 +43,95 @@
   notify:
     - restart libvirt
 
+- name: Create systemd drop-in directory for socket listen address
+  file:
+    path: "/etc/systemd/system/{{ item.service }}.d"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  become: true
+  loop: "{{ _libvirt_socket_services | selectattr('enabled') }}"
+  when:
+    - item.listen_address is not none
+    - item.listen_address | length > 0
+  loop_control:
+    label: "{{ item.service }}"
+  vars:
+    _libvirt_listen_stream: "{{ item.listen_address }}"
+
+- name: Configure socket listen address
+  template:
+    src: socket.j2
+    dest: "/etc/systemd/system/{{ item.service }}.d/listen-address.conf"
+    owner: root
+    group: root
+    mode: 0644
+  become: true
+  loop: "{{ _libvirt_socket_services | selectattr('enabled') }}"
+  when:
+    - item.listen_address is not none
+    - item.listen_address | length > 0
+  loop_control:
+    label: "{{ item.service }}"
+  vars:
+    _libvirt_listen_stream: "{{ item.listen_address }}"
+  notify:
+    - reload systemd
+    - restart libvirt
+
+- name: Create directory for TLS certificates and keys
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+  become: true
+  loop: >-
+    {{ _libvirt_tls_certs.values() |
+       selectattr('content') |
+       map(attribute='dest') |
+       map('dirname') |
+       unique }}
+  when:
+    - libvirt_host_tls_listen | bool
+
+- name: Copy TLS certificates and keys
+  copy:
+    content: "{{ _libvirt_loop_item.content }}"
+    dest: "{{ _libvirt_loop_item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ _libvirt_loop_item.mode }}"
+  become: true
+  # NOTE: Loop over keys of _libvirt_tls_certs to avoid leaking the key
+  # contents.
+  loop: "{{ _libvirt_tls_certs.keys() }}"
+  when:
+    - libvirt_host_tls_listen | bool
+    - _libvirt_loop_item.content
+  vars:
+    _libvirt_loop_item: "{{ _libvirt_tls_certs[item] }}"
+  notify: restart libvirt
+
 - name: Flush handlers
   meta: flush_handlers
 
 - name: Ensure the libvirt daemon is started and enabled
   service:
-    name: libvirtd
-    state: started
-    enabled: yes
+    name: "{{ item.service }}"
+    state: "{{ item.enabled | bool | ternary('started', 'stopped') }}"
+    enabled: "{{ item.enabled | bool }}"
   become: True
+  loop: "{{ _libvirt_services }}"
+  loop_control:
+    label: "{{ item.service }}"
+  vars:
+    _libvirt_services:
+      - service: libvirtd-tcp.socket
+        enabled: "{{ libvirt_host_tcp_listen | bool }}"
+      - service: libvirtd-tls.socket
+        enabled: "{{ libvirt_host_tls_listen | bool }}"
+      - service: libvirtd
+        enabled: true

templates/socket.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Socket]
+ListenStream=
+ListenStream={{ _libvirt_listen_stream }}

vars/main.yml

@@ -0,0 +1,32 @@
+---
+# List of socket services.
+_libvirt_socket_services:
+  - service: libvirtd-tcp.socket
+    enabled: "{{ libvirt_host_tcp_listen | bool }}"
+    listen_address: "{{ libvirt_host_tcp_listen_address }}"
+  - service: libvirtd-tls.socket
+    enabled: "{{ libvirt_host_tls_listen | bool }}"
+    listen_address: "{{ libvirt_host_tls_listen_address }}"
+
+# List of TLS certificates.
+_libvirt_tls_certs:
+  servercert:
+    content: "{{ libvirt_host_tls_server_cert }}"
+    dest: /etc/pki/libvirt/servercert.pem
+    mode: "0600"
+  serverkey:
+    content: "{{ libvirt_host_tls_server_key }}"
+    dest: /etc/pki/libvirt/private/serverkey.pem
+    mode: "0600"
+  clientcert:
+    content: "{{ libvirt_host_tls_client_cert }}"
+    dest: /etc/pki/libvirt/clientcert.pem
+    mode: "0600"
+  clientkey:
+    content: "{{ libvirt_host_tls_client_key }}"
+    dest: /etc/pki/libvirt/private/clientkey.pem
+    mode: "0600"
+  cacert:
+    content: "{{ libvirt_host_tls_cacert }}"
+    dest: /etc/pki/CA/cacert.pem
+    mode: "0644"