Ansible: add fleet_update play, managed_nodes group, refactor to roles (prepare, nfs_client, lxc_common)

This commit is contained in:
F.R.I.D.A.Y.
2026-06-05 20:58:05 -04:00
parent 0e42f6189e
commit 87fb0ebe02
4 changed files with 111 additions and 53 deletions


@@ -113,6 +113,15 @@ all:
- src: "192.168.16.254:/mnt/Ice/Repo" - src: "192.168.16.254:/mnt/Ice/Repo"
path: "/home/jarvis/repo" path: "/home/jarvis/repo"
# ──────────────────────────────────────────
# Managed nodes (apt update/upgrade target)
# Physical agents + core services, NOT PVE, NOT Neo, NOT igor, NOT ephemeral LXCs
# ──────────────────────────────────────────
managed_nodes:
children:
physical_agents:
core_services:
# Tailscale fallback aliases (uncomment if LAN fails) # Tailscale fallback aliases (uncomment if LAN fails)
# tailscale_fallback: # tailscale_fallback:
# hosts: # hosts:
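Review bot: The new `managed_nodes` group only states its exclusions (NOT PVE, NOT Neo, NOT igor, NOT ephemeral LXCs) in the comment; the group itself is just the union of `physical_agents` and `core_services`, so whether those hosts are really excluded depends entirely on the membership of the two child groups, which is outside this hunk. Any host later added to either child silently becomes a target of the play in site.yml that runs the fleet update against this group. I would make that explicit in the comment, e.g. `# Membership is inherited from physical_agents and core_services; a host added to either becomes an upgrade target`, or pin the exclusions with an explicit host pattern in that play instead of relying on the child groups staying clean.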


@@ -1,59 +1,27 @@
- name: Install nfs-common - name: Prepare Systems
ansible.builtin.apt: hosts: physical_agents:core_services
name: nfs-common
state: present
become: true become: true
when: ansible_os_family == "Debian" roles:
- prepare
- name: Ensure NFS mount directories exists - name: Install NFS client
ansible.builtin.file: hosts: fleet_nodes:!pve_hosts:!igor
path: "{{ item.path }}" become: false
state: directory roles:
mode: '0755' - nfs_client
owner: jarvis
group: jarvis
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Directory: {{ item.path }}"
when: ansible_os_family == "Debian"
- name: Create local repogroup matching TrueNAS GID 568 - name: Fleet update (apt update + upgrade)
ansible.builtin.group: hosts: managed_nodes
name: repogroup
gid: 568
state: present
become: true become: true
tags:
- fleet_update
roles:
- prepare
- name: Add jarvis to repogroup - name: LXC common provisioning (git + ansible)
ansible.builtin.user: hosts: lxcs
name: jarvis
groups:
- repogroup
append: true
become: true become: true
tags:
- name: Mount an NFS volume (root, because kernel mount) - lxc_common
ansible.posix.mount: roles:
src: "{{ item.src }}" - lxc_common
path: "{{ item.path }}"
opts: "vers=4.2,proto=tcp,_netdev"
state: mounted
fstype: nfs
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Mounted: {{ item.src }}"
when: ansible_os_family == "Debian"
- name: Set mount permissions so jarvis (repogroup member) can write
ansible.builtin.file:
path: "{{ item.path }}"
mode: '0770'
owner: root
group: repogroup
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Permission fix: {{ item.path }}"
when: ansible_os_family == "Debian"
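Review bot: The "Fleet update (apt update + upgrade)" play runs the `prepare` role, the same role the "Prepare Systems" play already runs on `physical_agents:core_services` (which is exactly what `managed_nodes` resolves to), so there is no role dedicated to the update. If `prepare` is the role that performs apt update/dist-upgrade, every untagged `site.yml` run dist-upgrades those hosts twice; if it is not, the tagged play does not upgrade anything. Either way the upgrade belongs in its own role and, being a fleet-wide dist-upgrade, should be opt-in with `tags: [never, fleet_update]` so it runs only when `--tags fleet_update` is passed. The "Install NFS client" play also switches to `become: false` where the removed tasks escalated per task (apt install, mount, chown), so the `nfs_client` role must set `become: true` on those tasks itself; that role is not in this diff, so I cannot confirm it does.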


@@ -0,0 +1,69 @@
- name: Ensure apt cache is updated
ansible.builtin.apt:
update_cache: yes
cache_valid_time: 3600
become: true
no_log: true
when: ansible_os_family == "Debian"
- name: Install git
ansible.builtin.apt:
name: git
state: present
become: true
no_log: true
when: ansible_os_family == "Debian"
- name: Install Python pip (needed for ansible via pip)
ansible.builtin.apt:
name: python3-pip
state: present
become: true
no_log: true
when: ansible_os_family == "Debian"
- name: Create jarvis user with UID 1000
ansible.builtin.user:
name: jarvis
uid: 1000
shell: /bin/bash
create_home: true
groups: sudo
append: true
become: true
- name: Ensure jarvis .ssh directory exists
ansible.builtin.file:
path: /home/jarvis/.ssh
state: directory
owner: jarvis
group: jarvis
mode: "0700"
become: true
- name: Copy root authorized_keys to jarvis
ansible.builtin.copy:
src: /root/.ssh/authorized_keys
dest: /home/jarvis/.ssh/authorized_keys
owner: jarvis
group: jarvis
mode: "0600"
remote_src: true
become: true
- name: Ensure jarvis has passwordless sudo
ansible.builtin.lineinfile:
path: /etc/sudoers.d/jarvis
line: "jarvis ALL=(ALL) NOPASSWD:ALL"
create: true
mode: "0440"
validate: "visudo -cf %s"
become: true
- name: Install ansible via pip as jarvis
ansible.builtin.pip:
name: ansible
state: present
break_system_packages: true
become: true
no_log: true
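Review bot: The task named "Install ansible via pip as jarvis" does not run as jarvis: `become: true` with no `become_user` executes pip as root, and combined with `break_system_packages: true` that writes ansible into the distro-managed system site-packages rather than a user install. Add `become_user: jarvis` so the task matches its name and the jarvis account set up a few tasks earlier. Separately, the three apt tasks carry `no_log: true` although apt output holds nothing sensitive; all it does is suppress the error text when an install fails, so I would drop it there. `update_cache: yes` should be `update_cache: true`, the canonical boolean spelling that the rest of this file already uses (`create_home: true`, `append: true`, `remote_src: true`).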


@@ -0,0 +1,12 @@
- name: Run "apt update"
ansible.builtin.apt:
update_cache: yes
cache_valid_time: 3600
when: ansible_os_family == "Debian"
- name: Upgrade the OS (apt-get dist-upgrade)
ansible.builtin.apt:
upgrade: dist
when:
- ansible_os_family == "Debian"
- not (gpu | default(false))
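Review bot: Neither task sets `become`, so this role only works when the calling play escalates for it; the plays in site.yml that would run it do set `become: true` (assuming this is the task file behind the fleet update), but the role cannot be reused from a play that does not without adding `become: true` to both tasks. `update_cache: yes` should be `update_cache: true`, the canonical spelling that avoids the YAML 1.1/1.2 truthy ambiguity. A dist-upgrade can pull in a kernel and leave the host needing a reboot with no trace in the play output; I would `register` the upgrade task and follow it with an `ansible.builtin.stat` on `/var/run/reboot-required` that reports the hosts still pending, so the operator of a fleet-wide run knows which nodes changed. Skipping the upgrade on hosts with `gpu` set is sensible, but the cache-update task still runs there; if the intent is to leave GPU nodes untouched, the same `not (gpu | default(false))` condition belongs on the first task too.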