From b096df4c71825832036ccdee229bab24df121ec0 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Wed, 21 Jan 2026 11:24:44 -0800 Subject: [PATCH] Fix ansible idempotency and document macOS network permission - Check containerd registry config before writing to avoid unnecessary changes - Fix ansible_env deprecation warnings (use ansible_facts['env']) - Document macOS network permission popup for minikube mount - Document passwordless sudo configuration for indri - Add checks to skip sudo tasks when state already matches Co-Authored-By: Claude Opus 4.5
---
ansible/roles/minikube/handlers/main.yml | 2 +- ansible/roles/minikube/tasks/main.yml | 38 +++++++++++++++++++-- plans/k8s-migration/P5.1_qemu2_migration.md | 14 ++++++++ 3 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/ansible/roles/minikube/handlers/main.yml b/ansible/roles/minikube/handlers/main.yml
index 8af6513..7d62a8b 100644
--- a/ansible/roles/minikube/handlers/main.yml
+++ b/ansible/roles/minikube/handlers/main.yml
@@ -22,6 +22,6 @@ - name: Load minikube mount LaunchAgent ansible.builtin.command: - cmd: launchctl load {{ ansible_env.HOME }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist + cmd: launchctl load {{ ansible_facts['env']['HOME'] }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist failed_when: false changed_when: true
diff --git a/ansible/roles/minikube/tasks/main.yml b/ansible/roles/minikube/tasks/main.yml
index fec9a50..a471d82 100644
--- a/ansible/roles/minikube/tasks/main.yml
+++ b/ansible/roles/minikube/tasks/main.yml
@@ -20,6 +20,13 @@ name: socket_vmnet state: present +- name: Check if socket_vmnet process is running + ansible.builtin.command: + cmd: pgrep socket_vmnet + register: minikube_socket_vmnet_status + changed_when: false + failed_when: false + - name: Start socket_vmnet service ansible.builtin.command: cmd: brew services start socket_vmnet
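Review bot: `pgrep socket_vmnet` succeeds for any process whose name merely contains that string, and a running process is not the same thing as the brew service being registered, so the `when: minikube_socket_vmnet_status.rc != 0` gate added in the next hunk (`@@ -27,6 +34,7 @@`) can skip `brew services start socket_vmnet` when the process was started by hand or when a similarly named process exists. Tighten the probe to an exact name match, `cmd: pgrep -x socket_vmnet`, or probe `brew services list` if the intent is that the service be registered rather than merely running. A comment on the check task recording why the gate exists would also help, e.g. `# Probe first so the start task (which the commit message ties to avoiding sudo prompts) is skipped once socket_vmnet is already up`.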
@@ -27,6 +34,7 @@ register: minikube_socket_vmnet_start changed_when: "'Successfully started' in minikube_socket_vmnet_start.stdout" failed_when: false + when: minikube_socket_vmnet_status.rc != 0 - name: Install minikube via homebrew community.general.homebrew:
@@ -94,6 +102,13 @@ changed_when: false when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout +- name: Check containerd registry mirror config + ansible.builtin.command: + cmd: minikube ssh --native-ssh=false "cat /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml 2>/dev/null || echo ''" + register: minikube_registry_config_current + changed_when: false + when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout + - name: Configure containerd registry mirror for zot ansible.builtin.command: cmd: |
@@ -103,13 +118,23 @@ capabilities = [\"pull\", \"resolve\"] skip_verify = true" | sudo tee /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml' register: minikube_registry_config - changed_when: minikube_registry_config.rc == 0 - when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout + changed_when: true + when: + - minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout + - "'host.minikube.internal:5050' not in minikube_registry_config_current.stdout" notify: Restart containerd in minikube # Set up persistent NFS mount from sifaka and minikube mount passthrough # NFS mount uses LaunchDaemon (runs as root at boot) # Minikube mount uses LaunchAgent (runs in user GUI session at login) +# +# NOTE: Tasks with become:true require passwordless sudo on indri +# (configured via /etc/sudoers.d/erichblume) + +- name: Check if NFS mount point exists + ansible.builtin.stat: + path: /Volumes/torrents-nfs + register: minikube_nfs_mount_point - name: Create NFS mount point ansible.builtin.file:
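Review bot: The new probe captures hosts.toml only so that the `when:` in the next hunk (`@@ -103,13 +118,23 @@`) can test for the substring `host.minikube.internal:5050`, so a hosts.toml that already has the mirror line but stale values for the other fields the write task emits (`capabilities`, `skip_verify`) is never rewritten; the role now converges on presence, not content. If real idempotency is the goal, render the intended file once (for example with `set_fact`) and compare it against `minikube_registry_config_current.stdout | trim`, or make the weaker contract explicit with a comment such as `# Only the presence of the zot mirror line is checked; other fields in hosts.toml are not reconciled`. The `/etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml` path is now spelled out in both this probe and the configure task, and a single role variable would keep the two from drifting apart.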
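Review bot: The new `NOTE:` comment names `/etc/sudoers.d/erichblume` but not what that entry grants; the plan document changed in this same commit records it as `NOPASSWD: ALL`, which is far broader than the directory creation and plist copies the `become: true` tasks below need, and that trade-off is invisible to someone reading only this role. State it here, e.g. `# NOTE: become:true tasks rely on an unrestricted NOPASSWD sudoers entry on indri (/etc/sudoers.d/erichblume); see plans/k8s-migration/P5.1_qemu2_migration.md`, so a later reader can judge whether to narrow the entry to the commands these tasks run. Separately, `changed_when: true` on the configure task is only safe because `failed_when` is left at its default, so a non-zero rc from `minikube ssh` still fails the task; a one-line comment saying so would stop the next editor from adding `failed_when: false` and turning a failed write into a reported change.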
@@ -117,6 +142,12 @@ state: directory mode: "0755" become: true + when: not minikube_nfs_mount_point.stat.exists + +- name: Check if NFS LaunchDaemon is installed + ansible.builtin.stat: + path: /Library/LaunchDaemons/com.blumeops.nfs-torrents.plist + register: minikube_nfs_launchdaemon - name: Install NFS mount LaunchDaemon ansible.builtin.copy:
@@ -127,10 +158,11 @@ mode: "0644" become: true notify: Load NFS mount LaunchDaemon + when: not minikube_nfs_launchdaemon.stat.exists - name: Install minikube mount LaunchAgent ansible.builtin.copy: src: com.blumeops.minikube-mount.plist - dest: "{{ ansible_env.HOME }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist" + dest: "{{ ansible_facts['env']['HOME'] }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist" mode: "0644" notify: Load minikube mount LaunchAgent
diff --git a/plans/k8s-migration/P5.1_qemu2_migration.md b/plans/k8s-migration/P5.1_qemu2_migration.md
index 64c5be7..d4156c7 100644
--- a/plans/k8s-migration/P5.1_qemu2_migration.md
+++ b/plans/k8s-migration/P5.1_qemu2_migration.md
@@ -274,6 +274,20 @@ The ansible role now configures containerd to redirect `registry.tail8d86e.ts.ne - Adds hosts file entry in VM - Creates containerd registry mirror config at `/etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml` +### Passwordless Sudo on Indri + +Configured passwordless sudo for `erichblume` user to allow ansible `become: true` tasks to run without `-K` flag: + +```bash +echo "erichblume ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/erichblume +``` + +This is acceptable given the security model - tailnet access is the trust boundary. + +### macOS Network Permission + +The first time `minikube mount` runs, macOS will show a GUI popup asking to allow network access. This must be approved from the indri console (not SSH). Once approved, subsequent runs won't prompt. + ### Manual Steps Still Required These steps cannot be fully automated via ansible and must be done manually:
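Review bot: Gating `Create NFS mount point` on `not minikube_nfs_mount_point.stat.exists` skips the task whenever anything sits at `/Volumes/torrents-nfs`, including a regular file or a directory with the wrong mode, so the `state: directory` / `mode: "0755"` reconciliation that `ansible.builtin.file` would normally perform is lost and a broken path passes silently. Since the gate appears to exist only to avoid an unnecessary `become: true` elevation, test the state the task actually enforces, `when: not (minikube_nfs_mount_point.stat.exists and minikube_nfs_mount_point.stat.isdir and minikube_nfs_mount_point.stat.mode == '0755')`, which keeps the skip for the converged case and lets the task fix or fail on everything else. The `Create NFS mount point` task begins in the previous hunk, and the `Install NFS mount LaunchDaemon` task this hunk introduces continues into the next one.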
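Review bot: `when: not minikube_nfs_launchdaemon.stat.exists` on `Install NFS mount LaunchDaemon` means the plist is copied exactly once; a later edit to the role's source plist is never deployed and the `Load NFS mount LaunchDaemon` handler never fires again, a regression from the content comparison `ansible.builtin.copy` performs on its own. If the stat gate is kept to avoid the sudo elevation, compare content rather than existence: stat already returns a sha1 in `stat.checksum`, so `when: minikube_nfs_launchdaemon.stat.checksum | default('') != lookup('file', '<SOURCE_PLIST>') | hash('sha1')`, with `<SOURCE_PLIST>` being the task's `src` (presumably just above this hunk), preserves the skip only while the installed file matches. The sibling `Install minikube mount LaunchAgent` task, which has no `become:`, is left ungated, so the two now converge differently; a comment stating that the gate exists purely to avoid sudo would explain the asymmetry to the next reader.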