# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-

---

- name: "proxy libvirt_whonix.yml"
  debug:
    verbosity: 1
    msg: "proxy libvirt_whonix.yml PROXY_FEATURES={{PROXY_FEATURES}}"

- name: "hulahoop .asc"
  environment: "{{ shell_proxy_env }}"
  shell: |
    base="hulahoop"
    URL="www.whonix.org/$base"
    dir="{{HARDEN_VAR_LOCAL}}/net/Http/"
    [ -d $dir ] || mkdir $dir
    [ -f $dir/$URL.asc ] || wget {{BASE_WGET_ARGS}} -xc -P $dir https://$URL.asc || exit 3
    # FixMe:
    gpg --import $dir/$URL.asc > /tmp/V$$.out 2>&1
    [ $? -eq 0 ] || exit 1$?
    grep 'imported: 1' /tmp/V$$.out
    exit 0
  args:
    creates: "{{HARDEN_VAR_LOCAL}}/net/Http/www.whonix.org/hulahoop.asc"
  when:
    - not ansible_check_mode
    - BASE_ARE_CONNECTED|default('') != ''
  ignore_errors: true

- block:

  - name: "/etc/libvirt/virtlogd.conf"
    lineinfile:
      path: /etc/libvirt/virtlogd.conf
      create: yes
      mode: 0755
      insertafter: BOF
      line: '{{item.key}}="{{item.val}}"'
      regexp: "^#{{item.key}}.*"
    with_items:
      - key: log_filters
        val: "1:logging 4:object 4:json 4:event 1:util"
      - key: log_outputs
        val: "3:file:/var/log/libvirt/virtlogd.log"

  when:
    - "'libvirt' in BOX_HOSTVMS_FEATURES or BOX_WHONIX_PROXY_HOST != ''"
    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"

- name: /etc/sysctl.d/70_testforge_libvirt.conf
  blockinfile:
    dest: /etc/sysctl.d/70_testforge_libvirt.conf
    create: yes
    marker: "# {mark} ANSIBLE MANAGED BLOCK ip_forward"
    block: |
      # enisables packet forwarding - required on the host for libvirt
      net.ipv4.ip_forward = 1
      # Disables IP dynaddr
      #net.ipv4.ip_dynaddr = 0
      # Disable ECN
      #net.ipv4.tcp_ecn = 0
  when:
    - false # use lineinfile on the file it is already in
    - "'hostvms' in ROLES|default([]) or 'toxcore' in ROLES|default([]) or 'privacy' in ROLES|default([])"
    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"
  # FixMe: WTF?
  # The destination directory (/etc/sysctl.d) is not writable by the current user.
  ignore_errors: true

- block:

  # https://www.whonix.org/wiki/KVM/Whonix_Signing_Key
  - name: verify an image download.whonix.org/libvirt
    shell: |
      HTTP_DIR=/g/Privacy/net/Http/
      URL=download.whonix.org/libvirt/{{PRIV_WHONIX_VERSION}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.libvirt.xz

      [ -f $HTTP_DIR/$URL ] || \
          wget -c {{ BASE_WGET_ARGS }} -P $HTTP_DIR https://$URL https://$URL.asc || exit 3
      gpg --verify  $HTTP_DIR/$URL.asc  $HTTP_DIR/$URL >/tmp/V$$.out
      [ $? -ne 0 ] && exit $?
      grep 'Good signature from' /tmp/V$$.out || exit 11
      grep ' key fingerprint: 04EF 2F66 6D36 C354 058B  9DD4 50C7 8B6F 9FF2 EC85'  /tmp/V$$.out || exit 12
    # FixMe:
    ignore_errors: true
    when:
      - BASE_ARE_CONNECTED|default('') != ''

  - name: untar
    shell: |
      HTTP_DIR=/g/Privacy/net/Http/
      URL=download.whonix.org/libvirt/{{PRIV_WHONIX_VERSION}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.libvirt.xz
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      [ -d $CDIR ] || mkdir -p $CDIR
      cd $CDIR || exit
      [ -f WHONIX_DISCLAIMER ] || tar xvfJ $HTTP_DIR/$URL
    args:
      creates: "{{PROXY_GATEWAY_QEMU_DIR}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc"

  - name: sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc
    shell: |
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      [ -d $CDIR ] || exit 1
      gpg --verify Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums >/tmp/V$$.out
      [ $? -ne 0 ] && exit $?
      grep 'OK' /tmp/V$$.out || exit 11

  - name: sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums
    shell: |
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      [ -d $CDIR ] || exit 1
      sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums

  - name: touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
    shell: |
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      cd $CDIR || exit 1
      [ -f WHONIX_BINARY_LICENSE_AGREEMENT_accepted  ] || \
        touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted

  - name: net-define $DIR/Whonix_external*.xml
    shell: |
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      virsh net-list --all | grep Whonix-External && exit 0
      cd $CDIR || exit 1
      virsh -c qemu:///system net-define $DIR/Whonix_external*.xml

  - name: virsh net-info Whonix-Internal
    shell: |
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      virsh net-list --all | grep Whonix-Internal && exit 0
      cd $CDIR || exit 1
      virsh -c qemu:///system net-define $DIR/Whonix_internal*.xml

  - name: virsh define Whonix-Gateway
    shell: |
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      virsh list --all | grep Whonix-Gateway && exit 0
      cd $CDIR || exit 1
      grep -q "{{PRIV_WHONIX_GATE_MEM}}"  Whonix-Gateway-XFCE-{{PRIV_WHONIX_VERSION}}.xml || \
        sed -e "s@<currentMemory unit='KiB'>524288</currentMemory>@<currentMemory unit='KiB'>{{PRIV_WHONIX_GATE_MEM}}</currentMemory>@" -i \
          Whonix-Gateway-XFCE-{{PRIV_WHONIX_VERSION}}.xml
      virsh define Whonix-Gateway-XFCE-{{PRIV_WHONIX_VERSION}}.xml --validate
    args:
      creates: /etc/libvirt/qemu/Whonix-Gateway.xml

  - name: virsh define Whonix-Workstation
    shell: |
      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
      virsh list --all | grep Whonix-Workstation && exit 0
      cd $CDIR || exit 1
      virsh define Whonix-Workstation-XFCE-{{PRIV_WHONIX_VERSION}}.xml --validate
    args:
      creates: /etc/libvirt/qemu/Whonix-Workstation.xml
    when:
      - false
  # FixMe should only edit if not running

  - name: /etc/libvirt/qemu/*xml
    blockinfile:
      dest: "{{item}}"
      marker: "<!-- {mark} ANSIBLE MANAGED BLOCK proxy whonix -->"
      mode:  0660
      owner: "{{BOX_ROOT_USER}}"
      group: "{{BOX_ROOT_GROUP}}"
      create: no
      block: |
        <channel type='unix'>
          <source mode='bind'/>
          <target type='virtio' name='org.qemu.guest_agent.0'/>
          <address type='virtio-serial' controller='0' bus='0' port='2'/>
        </channel>
    with_fileglob: /etc/libvirt/qemu/Whonix*.xml

  when:
    - false # use xml instead
    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"

# console=tty0 console=ttyS0,115200n8 spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy
# from Gateway

- block:

  # /usr/portage/app-emulation/libvirt/files/libvirtd.init-r19 after livirt-7.2.0a
  - name: /usr/local/sbin/proxy_whonix-libvirt-install.bash
    shell: |
      cp -p /usr/local/etc/init.d/libvirtd.openrc /etc/init.d/livirtd
      chmod 755 /etc/init.d/libvirtd
    args:
      creates: /etc/init.d/libvirtd

  - name: "/etc/libvirt/qemu.conf"
    blockinfile:
      dest: "/etc/libvirt/qemu.conf"
      create: false
      marker: "# {mark} ANSIBLE MANAGED BLOCK hostvms vms {{item.name}}"
      insertafter: '^#* *{{item.name}}.*'
      block: |
        {{ item.name }} = {{ item.val }}
    with_items:
      - { name: 'migration_address', val: '"0.0.0.0"' }
      - { name: 'user', val: '"root"' }
      #? why qemu - serverfault sez must be root for passthrough
      # root is not enough for passthorugh mounting rw
      - { name: 'group', val: '"root"' }
      #? why
      - { name: 'dynamic_ownership', val: '1' }
      #??  why
      # error : virGetUserID:1041 : invalid argument: Failed to parse user 'tss'
      # - { name: 'swtpm_user', val: '"tss"' }
      #??  why
      # error : virGetGroupID:1124 : invalid argument: Failed to parse group 'tss'
      # - { name: 'swtpm_group', val: '"tss"' }
      # - { name: '', val: '' }
    ignore_errors: true
    # required
    when: not ansible_check_mode

  - name: "/etc/libvirt/libvirtd.conf"
    blockinfile:
      dest: /etc/libvirt/libvirtd.conf
      create: yes
      marker: "# {mark} ANSIBLE MANAGED BLOCK hostvms vms {{item.name}}"
      insertafter: '^#* *{{item.name}}.*'
      block: |
        {{ item.name }} = "{{ item.val }}"
    with_items:
      #listen_addr = "192.168.0.1"
      - { name: "listen_addr", val: "127.0.0.1" }
      #_sock_group = "libvirt"
      - { name: "unix_sock_group", val: "libvirt" }
      - { name: "unix_sock_ro_perms", val: "0750" }
      - { name: "unix_sock_rw_perms", val: "0770" }
      #ca_file = "/etc/pki/CA/cacert.pem"
      - { name: "ca_file", val: "{{ PLAY_CA_CERT }}" }
      - { name: "auth_unix_ro", val: "none" }
      - { name: "auth_unix_rw", val: "none" }
      - { name: "log_filters", val: "1:qemu 1:libvirt 4:object 4:json 4:event 1:util" }
      - { name: "log_outputs", val: "3:file:/var/log/libvirtd.log" }
      #
      # - { name: "", val: "" }
    ignore_errors: true
    # required
    when: not ansible_check_mode
    notify: restart libvirtd

  - name: /etc/modprobe.d/nbd.conf"
    shell: |
      file="/etc/modprobe.d/nbd.conf"
      [ -f $file ] || echo >$file options nbd max_part=16
    args:
      creates: /etc/modprobe.d/nbd.conf

  - name: "/etc/default/libvirt-guests"
    lineinfile:
      path: /etc/default/libvirt-guests
      create: yes
      mode: 0755
      insertafter: BOF
      line: '{{item.key}}="{{item.val}}"'
      regexp: "^#{{item.key}}.*"
    with_items:
      - key: ON_BOOT
        val: ignore
    when:
      - "ansible_distribution == 'Debian'"

  - name: /usr/local/sbin/proxy_whonix-libvirt-install.bash
    shell: |
      /usr/local/sbin/proxy_whonix-libvirt-install.bash
    args:
      creates: /etc/libvirt/qemu/Whonix-Gateway.xml

  when:
    - ansible_virtualization_role|replace('NA', 'host') == 'host'