Extend apparmor overrides for custom nova folder

In case arbitrary folder is being used for Nova, more folders needs to
be allowed in apparmor. With that, we don't need to
have any overrides by default, as they all are already
present in default aa-helper profile.

Change-Id: Ib7a03434dae9f838289fbb16bfeb6c640eeccfc2
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>

tasks/drivers/kvm/nova_compute_kvm.yml

@@ -134,15 +134,16 @@
     - nova-kvm
     - nova-libvirt
 
-- name: Set apparmor config (Ubuntu/Debian)
+# TODO(noonedeadpunk): Clean up in 2026.2 cycle
+- name: Clean up old apparmor config (Ubuntu/Debian)
   ansible.builtin.lineinfile:
     dest: "/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper"
     line: "  {{ nova_system_home_folder }}/instances/_base/* r,"
-    backup: true
     create: true
     owner: "root"
     group: "root"
     mode: "0644"
+    state: absent
   when:
     - ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian'
   notify: Reload apparmor profile
@@ -151,6 +152,28 @@
     - nova-kvm
     - nova-libvirt
 
+- name: Set apparmor overrides (Ubuntu/Debian)
+  ansible.builtin.blockinfile:
+    dest: "/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper"
+    block: |
+      # arbitrary path to nova home folder
+        {{ nova_system_home_folder }}/images/** r,
+        {{ nova_system_home_folder }}/instances/_base/** r,
+        {{ nova_system_home_folder }}/instances/snapshots/** r,
+    create: true
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    marker: "# {mark} OPENSTACK-ANSIBLE MANAGED BLOCK"
+  when:
+    - ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian'
+    - nova_system_home_folder != '/var/lib/nova'
+  notify: Reload apparmor profile
+  tags:
+    - nova-config
+    - nova-kvm
+    - nova-libvirt
+
 - name: Including nova_disable_smt tasks
   ansible.builtin.include_tasks: nova_disable_smt.yml
   when: