From 87fb0ebe02af51d8d791a2d09478955ebc7a2317 Mon Sep 17 00:00:00 2001
From: "F.R.I.D.A.Y."
Date: Fri, 5 Jun 2026 20:58:05 -0400
Subject: [PATCH] Ansible: add fleet_update play, managed_nodes group, refactor to roles (prepare, nfs_client, lxc_common)
---
 procedures/ansible-playbook/inventory.yml | 9 +++
 procedures/ansible-playbook/main.yml | 74 ++++++-------------
 .../roles/lxc_common/tasks/main.yml | 69 +++++++++++++++++
 .../roles/prepare/tasks/main.yml | 12 +++
 4 files changed, 111 insertions(+), 53 deletions(-)
 create mode 100644 procedures/ansible-playbook/roles/lxc_common/tasks/main.yml
 create mode 100644 procedures/ansible-playbook/roles/prepare/tasks/main.yml
diff --git a/procedures/ansible-playbook/inventory.yml b/procedures/ansible-playbook/inventory.yml
index 72fb03e..f27c9a9 100644
--- a/procedures/ansible-playbook/inventory.yml
+++ b/procedures/ansible-playbook/inventory.yml
@@ -113,6 +113,15 @@ all:
 - src: "192.168.16.254:/mnt/Ice/Repo" path: "/home/jarvis/repo" + # ────────────────────────────────────────── + # Managed nodes (apt update/upgrade target) + # Physical agents + core services, NOT PVE, NOT Neo, NOT igor, NOT ephemeral LXCs + # ────────────────────────────────────────── + managed_nodes: + children: + physical_agents: + core_services: + # Tailscale fallback aliases (uncomment if LAN fails) # tailscale_fallback: # hosts:
diff --git a/procedures/ansible-playbook/main.yml b/procedures/ansible-playbook/main.yml
index afa7003..29b4dd9 100644
--- a/procedures/ansible-playbook/main.yml
+++ b/procedures/ansible-playbook/main.yml 
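Review bot: The exclusions the new comment promises (not PVE, not Neo, not igor, not ephemeral LXCs) are not enforced by the `managed_nodes` definition itself, which is only the union of whatever `physical_agents` and `core_services` contain elsewhere in this inventory. The NFS client play in main.yml still has to spell out `fleet_nodes:!pve_hosts:!igor`, which suggests igor is a member of at least one fleet group; if it is also in either child group it would be dist-upgraded by the fleet_update play despite the comment. Either state in the comment that the exclusion relies on those two groups' membership, e.g. `# Exclusion is by membership only: keep PVE/Neo/igor out of physical_agents and core_services`, or make it explicit where the group is consumed with a pattern such as `hosts: managed_nodes:!pve_hosts:!igor`. The bare `physical_agents:` and `core_services:` values under `children:` are accepted by the YAML inventory plugin, so no change is needed there.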
@@ -1,59 +1,27 @@
-- name: Install nfs-common - ansible.builtin.apt: - name: nfs-common - state: present +- name: Prepare Systems + hosts: physical_agents:core_services become: true - when: ansible_os_family == "Debian" + roles: + - prepare -- name: Ensure NFS mount directories exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: '0755' - owner: jarvis - group: jarvis - become: true - loop: "{{ nfs_shares }}" - loop_control: - label: "Directory: {{ item.path }}" - when: ansible_os_family == "Debian" +- name: Install NFS client + hosts: fleet_nodes:!pve_hosts:!igor + become: false + roles: + - nfs_client -- name: Create local repogroup matching TrueNAS GID 568 - ansible.builtin.group: - name: repogroup - gid: 568 - state: present +- name: Fleet update (apt update + upgrade) + hosts: managed_nodes become: true + tags: + - fleet_update + roles: + - prepare -- name: Add jarvis to repogroup - ansible.builtin.user: - name: jarvis - groups: - - repogroup - append: true +- name: LXC common provisioning (git + ansible) + hosts: lxcs become: true - -- name: Mount an NFS volume (root, because kernel mount) - ansible.posix.mount: - src: "{{ item.src }}" - path: "{{ item.path }}" - opts: "vers=4.2,proto=tcp,_netdev" - state: mounted - fstype: nfs - become: true - loop: "{{ nfs_shares }}" - loop_control: - label: "Mounted: {{ item.src }}" - when: ansible_os_family == "Debian" - -- name: Set mount permissions so jarvis (repogroup member) can write - ansible.builtin.file: - path: "{{ item.path }}" - mode: '0770' - owner: root - group: repogroup - become: true - loop: "{{ nfs_shares }}" - loop_control: - label: "Permission fix: {{ item.path }}" - when: ansible_os_family == "Debian" + tags: + - lxc_common + roles: + - lxc_common
diff --git a/procedures/ansible-playbook/roles/lxc_common/tasks/main.yml b/procedures/ansible-playbook/roles/lxc_common/tasks/main.yml
new file mode 100644
index 0000000..fc603b9
--- /dev/null 
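Review bot: The `Prepare Systems` play and the new `Fleet update` play both apply the `prepare` role to effectively the same host set (`physical_agents:core_services` versus `managed_nodes`, whose children are exactly those two groups), so an untagged run performs `apt update` plus `dist-upgrade` twice per node, and because `Prepare Systems` carries no tag the upgrade runs on every invocation of this playbook rather than only under `--tags fleet_update`. If upgrades are meant to be opt-in, drop `prepare` from `Prepare Systems` (or tag that play too) and keep the single `Fleet update` play. Separately, the `Install NFS client` play references an `nfs_client` role, but the diffstat creates only `roles/lxc_common` and `roles/prepare`; unless `roles/nfs_client` already exists in the tree the play fails at parse time, and with play-level `become: false` the moved apt/group/mount tasks must each carry their own `become: true` as the removed tasks did.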
+++ b/procedures/ansible-playbook/roles/lxc_common/tasks/main.yml
@@ -0,0 +1,69 @@
+- name: Ensure apt cache is updated
+ ansible.builtin.apt:
+ update_cache: yes
+ cache_valid_time: 3600
+ become: true
+ no_log: true
+ when: ansible_os_family == "Debian"
+
+- name: Install git
+ ansible.builtin.apt:
+ name: git
+ state: present
+ become: true
+ no_log: true
+ when: ansible_os_family == "Debian"
+
+- name: Install Python pip (needed for ansible via pip)
+ ansible.builtin.apt:
+ name: python3-pip
+ state: present
+ become: true
+ no_log: true
+ when: ansible_os_family == "Debian"
+
+- name: Create jarvis user with UID 1000
+ ansible.builtin.user:
+ name: jarvis
+ uid: 1000
+ shell: /bin/bash
+ create_home: true
+ groups: sudo
+ append: true
+ become: true
+
+- name: Ensure jarvis .ssh directory exists
+ ansible.builtin.file:
+ path: /home/jarvis/.ssh
+ state: directory
+ owner: jarvis
+ group: jarvis
+ mode: "0700"
+ become: true
+
+- name: Copy root authorized_keys to jarvis
+ ansible.builtin.copy:
+ src: /root/.ssh/authorized_keys
+ dest: /home/jarvis/.ssh/authorized_keys
+ owner: jarvis
+ group: jarvis
+ mode: "0600"
+ remote_src: true
+ become: true
+
+- name: Ensure jarvis has passwordless sudo
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers.d/jarvis
+ line: "jarvis ALL=(ALL) NOPASSWD:ALL"
+ create: true
+ mode: "0440"
+ validate: "visudo -cf %s"
+ become: true
+
+- name: Install ansible via pip as jarvis
+ ansible.builtin.pip:
+ name: ansible
+ state: present
+ break_system_packages: true
+ become: true
+ no_log: true
diff --git a/procedures/ansible-playbook/roles/prepare/tasks/main.yml b/procedures/ansible-playbook/roles/prepare/tasks/main.yml
new file mode 100644
index 0000000..afa6e76
--- /dev/null
+++ b/procedures/ansible-playbook/roles/prepare/tasks/main.yml 
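Review bot: `no_log: true` on the apt cache, git, python3-pip and pip tasks suppresses the module output of tasks that handle no secrets, so a failed package install leaves no error detail in the run log; reserve `no_log` for tasks that carry credentials and remove it from these four. The task named `Install ansible via pip as jarvis` runs under `become: true` with no `become_user`, so it installs into the system interpreter as root with `break_system_packages: true`; either rename it to say so or add `become_user: jarvis` and a user-scoped install. `update_cache: yes` should be `update_cache: true` (yamllint `truthy`), and the new file should open with `---`. The copy of `/root/.ssh/authorized_keys` with `remote_src: true` has no guard for the source being absent on a fresh container, so a preceding `ansible.builtin.stat` with a `when` on the copy would avoid a hard failure — worth confirming against how the LXC templates are provisioned. Copying root's keys together with `NOPASSWD:ALL` makes jarvis root-equivalent, which looks intended for this automation account; a one-line comment above the sudoers task stating that intent would spare the next reader the question.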
@@ -0,0 +1,12 @@
+- name: Run "apt update"
+ ansible.builtin.apt:
+ update_cache: yes
+ cache_valid_time: 3600
+ when: ansible_os_family == "Debian"
+
+- name: Upgrade the OS (apt-get dist-upgrade)
+ ansible.builtin.apt:
+ upgrade: dist
+ when:
+ - ansible_os_family == "Debian"
+ - not (gpu | default(false))
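Review bot: `update_cache: yes` in the first task should be `update_cache: true` (yamllint `truthy`); the same spelling appears in `roles/lxc_common/tasks/main.yml`, and both new files lack a leading `---`. The `gpu` guard on the dist-upgrade task carries no comment, so a reader cannot tell whether GPU hosts are skipped for driver/kernel pinning or some other reason; add a line above the task such as `# GPU hosts skip dist-upgrade: <reason> (gpu is set in <inventory/host_vars>)` with the real reason filled in. A `dist-upgrade` can also leave a kernel update pending, so registering the result and checking `/var/run/reboot-required` afterwards (an `ansible.builtin.stat` feeding a debug message or a handler) would let the fleet_update play report which nodes still need a reboot instead of silently leaving them on the old kernel. The role relies on the play-level `become: true` set in main.yml rather than declaring it on its tasks; both plays that include it set that today, but a comment at the top of the file noting the dependency would protect against a future play that does not.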