Fix ansible idempotency and document macOS network permission

- Check containerd registry config before writing to avoid unnecessary changes - Fix ansible_env deprecation warnings (use ansible_facts['env']) - Document macOS network permission popup for minikube mount - Document passwordless sudo configuration for indri - Add checks to skip sudo tasks when state already matches Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 16:03:38 -08:00 · 2026-01-21 11:24:44 -08:00 · 2026-01-21 11:24:44 -08:00
commit b096df4c71
3 changed files with 50 additions and 4 deletions
--- a/ansible/roles/minikube/handlers/main.yml
+++ b/ansible/roles/minikube/handlers/main.yml
@ -22,6 +22,6 @@

 - name: Load minikube mount LaunchAgent
  ansible.builtin.command:
-    cmd: launchctl load {{ ansible_env.HOME }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist
+    cmd: launchctl load {{ ansible_facts['env']['HOME'] }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist
  failed_when: false
  changed_when: true
--- a/ansible/roles/minikube/tasks/main.yml
+++ b/ansible/roles/minikube/tasks/main.yml
@ -20,6 +20,13 @@
    name: socket_vmnet
    state: present

+- name: Check if socket_vmnet process is running
+  ansible.builtin.command:
+    cmd: pgrep socket_vmnet
+  register: minikube_socket_vmnet_status
+  changed_when: false
+  failed_when: false
+
 - name: Start socket_vmnet service
  ansible.builtin.command:
    cmd: brew services start socket_vmnet
@ -27,6 +34,7 @@
  register: minikube_socket_vmnet_start
  changed_when: "'Successfully started' in minikube_socket_vmnet_start.stdout"
  failed_when: false
+  when: minikube_socket_vmnet_status.rc != 0

 - name: Install minikube via homebrew
  community.general.homebrew:
@ -94,6 +102,13 @@
  changed_when: false
  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout

+- name: Check containerd registry mirror config
+  ansible.builtin.command:
+    cmd: minikube ssh --native-ssh=false "cat /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml 2>/dev/null || echo ''"
+  register: minikube_registry_config_current
+  changed_when: false
+  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+
 - name: Configure containerd registry mirror for zot
  ansible.builtin.command:
    cmd: |
@ -103,13 +118,23 @@
        capabilities = [\"pull\", \"resolve\"]
        skip_verify = true" | sudo tee /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml'
  register: minikube_registry_config
-  changed_when: minikube_registry_config.rc == 0
-  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+  changed_when: true
+  when:
+    - minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+    - "'host.minikube.internal:5050' not in minikube_registry_config_current.stdout"
  notify: Restart containerd in minikube

 # Set up persistent NFS mount from sifaka and minikube mount passthrough
 # NFS mount uses LaunchDaemon (runs as root at boot)
 # Minikube mount uses LaunchAgent (runs in user GUI session at login)
+#
+# NOTE: Tasks with become:true require passwordless sudo on indri
+# (configured via /etc/sudoers.d/erichblume)
+
+- name: Check if NFS mount point exists
+  ansible.builtin.stat:
+    path: /Volumes/torrents-nfs
+  register: minikube_nfs_mount_point

 - name: Create NFS mount point
  ansible.builtin.file:
@ -117,6 +142,12 @@
    state: directory
    mode: "0755"
  become: true
+  when: not minikube_nfs_mount_point.stat.exists
+
+- name: Check if NFS LaunchDaemon is installed
+  ansible.builtin.stat:
+    path: /Library/LaunchDaemons/com.blumeops.nfs-torrents.plist
+  register: minikube_nfs_launchdaemon

 - name: Install NFS mount LaunchDaemon
  ansible.builtin.copy:
@ -127,10 +158,11 @@
    mode: "0644"
  become: true
  notify: Load NFS mount LaunchDaemon
+  when: not minikube_nfs_launchdaemon.stat.exists

 - name: Install minikube mount LaunchAgent
  ansible.builtin.copy:
    src: com.blumeops.minikube-mount.plist
-    dest: "{{ ansible_env.HOME }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist"
+    dest: "{{ ansible_facts['env']['HOME'] }}/Library/LaunchAgents/com.blumeops.minikube-mount.plist"
    mode: "0644"
  notify: Load minikube mount LaunchAgent
--- a/plans/k8s-migration/P5.1_qemu2_migration.md
+++ b/plans/k8s-migration/P5.1_qemu2_migration.md
@ -274,6 +274,20 @@ The ansible role now configures containerd to redirect `registry.tail8d86e.ts.ne
 - Adds hosts file entry in VM
 - Creates containerd registry mirror config at `/etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml`

+### Passwordless Sudo on Indri
+
+Configured passwordless sudo for `erichblume` user to allow ansible `become: true` tasks to run without `-K` flag:
+
+```bash
+echo "erichblume ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/erichblume
+```
+
+This is acceptable given the security model - tailnet access is the trust boundary.
+
+### macOS Network Permission
+
+The first time `minikube mount` runs, macOS will show a GUI popup asking to allow network access. This must be approved from the indri console (not SSH). Once approved, subsequent runs won't prompt.
+
 ### Manual Steps Still Required

 These steps cannot be fully automated via ansible and must be done manually: