From 0a42923ee78f476520591ce3486b3c63b0ab7254 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Max=20H=C3=B6sel?= <git@maxhoesel.de>
Date: Sun, 24 Jul 2022 15:53:48 +0200
Subject: [PATCH] add pcie passthrough config to pve role (#40)

---
 roles/pve/README.md                  | 26 +++++++++++++++++++++++---
 roles/pve/defaults/main.yml          |  3 +++
 roles/pve/files/intel-iommu.cfg      |  1 +
 roles/pve/files/vfio.conf            |  4 ++++
 roles/pve/handlers/main.yml          |  6 ++++++
 roles/pve/tasks/main.yml             |  2 ++
 roles/pve/tasks/pcie_passthrough.yml | 20 ++++++++++++++++++++
 7 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 roles/pve/files/intel-iommu.cfg
 create mode 100644 roles/pve/files/vfio.conf
 create mode 100644 roles/pve/handlers/main.yml
 create mode 100644 roles/pve/tasks/pcie_passthrough.yml

diff --git a/roles/pve/README.md b/roles/pve/README.md
index f98e7ea..86c9f04 100644
--- a/roles/pve/README.md
+++ b/roles/pve/README.md
@@ -1,13 +1,18 @@
 # maxhoesel.proxmox.pve
 
-Configure an existing Proxmox Virtual Environment hosts system.
+A role to perform basic setup tasks on a PVE node, such as repository and CPU configuration.
 
-Note that this role does not manage PVE settings itself (such as VMS and storage), but rather
-the underlying system. Right now, it manages the root users password and configures the PVE repository
+The following features are available and can be enabled/disabled individually:
+
+- Set a PVE repository (enterprise, no-subscription, test) (required)
+- Set the PVE root password (required)
+- Set the CPU governor to save power or improve performance
+- Support PCIe Passthrough by enabling the required modules
 
 ## Requirements
 
 - A PVE host accessible via SSH and a user with become privileges
+- This role needs to be run with `become: true`
 
 ## Role Variables
 
@@ -23,6 +28,8 @@ the underlying system. Right now, it manages the root users password and configu
 - Please note that this role does not configure your subscription key, you will have to do so yourself
 - Default: `no-subscription`
 
+### CPU Settings
+
 ##### `pve_set_cpu`
 - Whether to modify the CPU configuration, such as the chosen governor.
 - Default: `false`
@@ -37,3 +44,16 @@ the underlying system. Right now, it manages the root users password and configu
   - Proxmox defaults to `performance` due to potential [BSODs in Windows guests when running with variable frequency](https://forum.proxmox.com/threads/windows-7-x64-vms-crashing-randomly-during-process-termination.18238/#post-93273)
   - `ondemand` and `schedutil` both scale CPU frequency dynamically and may improve power consumption.
 - Default: `performance`. Set to `schedutil` if you want to save power and aware of the limitations mentioned above.
+
+### PCIe Passthrough
+
+##### `pve_enable_pcie_passthrough`
+- Whether to enable and configure PCIe passthrough on the host
+- If enabled, this will load the required kernel modules (and add intel_iommu=on to the kernel commandline on Intel CPUs)
+- Default: `false`
+
+##### `pve_pcie_reboot_for_kernel`
+- Whether to automatically reboot the node to load the required kernel modules
+- If set to `false`, you may have to manually reboot the node to enable PCIe passthrough
+- This has no effect if `pve_enable_pcie_passthrough` is disabled
+- Default: `true`
diff --git a/roles/pve/defaults/main.yml b/roles/pve/defaults/main.yml
index 996a4e8..607fa2a 100644
--- a/roles/pve/defaults/main.yml
+++ b/roles/pve/defaults/main.yml
@@ -2,3 +2,6 @@ pve_repo_type: no-subscription
 
 pve_set_cpu: no
 pve_cpu_governor: performance
+
+pve_enable_pcie_passthrough: no
+pve_pcie_reboot_for_kernel: yes
diff --git a/roles/pve/files/intel-iommu.cfg b/roles/pve/files/intel-iommu.cfg
new file mode 100644
index 0000000..debed22
--- /dev/null
+++ b/roles/pve/files/intel-iommu.cfg
@@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} intel_iommu=on"
diff --git a/roles/pve/files/vfio.conf b/roles/pve/files/vfio.conf
new file mode 100644
index 0000000..07cb4e0
--- /dev/null
+++ b/roles/pve/files/vfio.conf
@@ -0,0 +1,4 @@
+ vfio
+ vfio_iommu_type1
+ vfio_pci
+ vfio_virqfd
diff --git a/roles/pve/handlers/main.yml b/roles/pve/handlers/main.yml
new file mode 100644
index 0000000..8fb6475
--- /dev/null
+++ b/roles/pve/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: update initramfs
+  command: update-initramfs -u -k all
+
+- name: reboot host to enable vifo kernel modules
+  ansible.builtin.reboot:
+  when: pve_pcie_reboot_for_kernel
diff --git a/roles/pve/tasks/main.yml b/roles/pve/tasks/main.yml
index 72c43c4..52874a4 100644
--- a/roles/pve/tasks/main.yml
+++ b/roles/pve/tasks/main.yml
@@ -15,3 +15,5 @@
 - include_tasks: repo.yml
 - include_tasks: cpu.yml
   when: pve_set_cpu
+- include_tasks: pcie_passthrough.yml
+  when: pve_enable_pcie_passthrough
diff --git a/roles/pve/tasks/pcie_passthrough.yml b/roles/pve/tasks/pcie_passthrough.yml
new file mode 100644
index 0000000..ad1b5ef
--- /dev/null
+++ b/roles/pve/tasks/pcie_passthrough.yml
@@ -0,0 +1,20 @@
+- name: intel_iommu=on kernel parameter is enabled
+  copy:
+    src: intel-iommu.cfg
+    dest: /etc/default/grub.d/intel-iommu.cfg
+    owner: root
+    group: root
+    mode: "644"
+  when: '"GenuineIntel" in ansible_processor | unique'
+  notify: reboot host to enable vifo kernel modules
+
+- name: vfio kernel modules are enabled
+  copy:
+    src: vfio.conf
+    dest: /etc/modules-load.d/vfio.conf
+    owner: root
+    group: root
+    mode: "644"
+  notify:
+    - update initramfs
+    - reboot host to enable vifo kernel modules