Fix ansible idempotency and document macOS network permission

- Check containerd registry config before writing to avoid unnecessary changes
- Fix ansible_env deprecation warnings (use ansible_facts['env'])
- Document macOS network permission popup for minikube mount
- Document passwordless sudo configuration for indri
- Add checks to skip sudo tasks when state already matches

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Erich Blume 2026-01-21 11:24:44 -08:00
commit b096df4c71
3 changed files with 50 additions and 4 deletions


@ -22,6 +22,6 @@
- name: Load minikube mount LaunchAgent
ansible.builtin.command:
cmd: launchctl load {{ ansible_env.HOME }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist
cmd: launchctl load {{ ansible_facts['env']['HOME'] }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist
failed_when: false
changed_when: true


@ -20,6 +20,13 @@
name: socket_vmnet
state: present
- name: Check if socket_vmnet process is running
ansible.builtin.command:
cmd: pgrep socket_vmnet
register: minikube_socket_vmnet_status
changed_when: false
failed_when: false
- name: Start socket_vmnet service
ansible.builtin.command:
cmd: brew services start socket_vmnet
@ -27,6 +34,7 @@
register: minikube_socket_vmnet_start
changed_when: "'Successfully started' in minikube_socket_vmnet_start.stdout"
failed_when: false
when: minikube_socket_vmnet_status.rc != 0
- name: Install minikube via homebrew
community.general.homebrew:
@ -94,6 +102,13 @@
changed_when: false
when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
- name: Check containerd registry mirror config
ansible.builtin.command:
cmd: minikube ssh --native-ssh=false "cat /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml 2>/dev/null || echo ''"
register: minikube_registry_config_current
changed_when: false
when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
- name: Configure containerd registry mirror for zot
ansible.builtin.command:
cmd: |
@ -103,13 +118,23 @@
capabilities = [\"pull\", \"resolve\"]
skip_verify = true" | sudo tee /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml'
register: minikube_registry_config
changed_when: minikube_registry_config.rc == 0
when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
changed_when: true
when:
- minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
- "'host.minikube.internal:5050' not in minikube_registry_config_current.stdout"
notify: Restart containerd in minikube
# Set up persistent NFS mount from sifaka and minikube mount passthrough
# NFS mount uses LaunchDaemon (runs as root at boot)
# Minikube mount uses LaunchAgent (runs in user GUI session at login)
#
# NOTE: Tasks with become:true require passwordless sudo on indri
# (configured via /etc/sudoers.d/erichblume)
- name: Check if NFS mount point exists
ansible.builtin.stat:
path: /Volumes/torrents-nfs
register: minikube_nfs_mount_point
- name: Create NFS mount point
ansible.builtin.file:
@ -117,6 +142,12 @@
state: directory
mode: "0755"
become: true
when: not minikube_nfs_mount_point.stat.exists
- name: Check if NFS LaunchDaemon is installed
ansible.builtin.stat:
path: /Library/LaunchDaemons/com.blumeops.nfs-torrents.plist
register: minikube_nfs_launchdaemon
- name: Install NFS mount LaunchDaemon
ansible.builtin.copy:
@ -127,10 +158,11 @@
mode: "0644"
become: true
notify: Load NFS mount LaunchDaemon
when: not minikube_nfs_launchdaemon.stat.exists
- name: Install minikube mount LaunchAgent
ansible.builtin.copy:
src: com.blumeops.minikube-mount.plist
dest: "{{ ansible_env.HOME }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist"
dest: "{{ ansible_facts['env']['HOME'] }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist"
mode: "0644"
notify: Load minikube mount LaunchAgent
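Review bot: The new `when:` guard on the registry-mirror task (`'host.minikube.internal:5050' not in minikube_registry_config_current.stdout`) tests for a single substring, so a hosts.toml that contains that string but otherwise differs from what the task writes — a different `capabilities` list, a changed `skip_verify` value, or a file truncated by an interrupted `tee` — is never rewritten and the `Restart containerd in minikube` handler never fires. Since the task already knows the full intended file, compare the whole content instead: keep the desired text in a variable, write it via the same command, and gate on `when: minikube_registry_config_current.stdout | trim != minikube_registry_desired | trim`, which preserves the idempotency fix while still converging on drift. The same substring problem applies to `pgrep socket_vmnet` in the new process check, which also matches any other process whose name contains that string (presumably client helpers spawned per VM — confirm); `pgrep -x socket_vmnet` limits it to the daemon itself. Because the written config carries `skip_verify = true` (context line), which disables TLS verification toward the mirror, whatever check is used should cover that line rather than only the host. The containerd task's `cmd: |` block is cut by the hunk boundary, so the exact desired content is not fully visible here.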


@ -274,6 +274,20 @@ The ansible role now configures containerd to redirect `registry.tail8d86e.ts.ne
- Adds hosts file entry in VM
- Creates containerd registry mirror config at `/etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml`
### Passwordless Sudo on Indri
Configured passwordless sudo for `erichblume` user to allow ansible `become: true` tasks to run without `-K` flag:
```bash
echo "erichblume ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/erichblume
```
This is acceptable given the security model - tailnet access is the trust boundary.
### macOS Network Permission
The first time `minikube mount` runs, macOS will show a GUI popup asking to allow network access. This must be approved from the indri console (not SSH). Once approved, subsequent runs won't prompt.
### Manual Steps Still Required
These steps cannot be fully automated via ansible and must be done manually: