feat: add metric support and fix net-persist issues with multiple NICs

2025-08-26 00:31:24 +02:00 · 2025-08-26 00:31:24 +02:00 · 117978fe52
commit 117978fe52
parent b5886e1a7b
9 changed files with 141 additions and 67 deletions
--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ ansible-galaxy collection install -r requirements.yml
 ## Usage
 ```sh
-ansible-playbook -i inventory.yml playbook.yml --ask-become-pass
+ansible-playbook -i inventory/hosts.yml playbook.yml --ask-become-pass
 ```
 ## Target devices configuration
--- a/roles/archlinux/defaults/main.yml
+++ b/roles/archlinux/defaults/main.yml
@ -1,5 +1,6 @@
 arch_locale: en_US.UTF-8
 yay_src_path: /opt/yay
 yay_git_repo: https://aur.archlinux.org/yay.git
 paru_git_repo: Morganamilo/paru
 paru_src_path: /opt/paru
-paru_git_repo: https://aur.archlinux.org/paru.git
+os_arch: x86_64 # or aarch64
--- a/roles/archlinux/tasks/paru.yml
+++ b/roles/archlinux/tasks/paru.yml
@ -6,55 +6,100 @@
 - name: Install paru
  block:
-    - name: Install build dependencies
+    - name: Get the last github release
-      package:
+      ansible.builtin.uri:
-        name:
+        url: "https://api.github.com/repos/{{ paru_git_repo }}/releases/latest"
-          - base-devel
+        return_content: true
-          - git
+      register: paru_release
        state: present
-    - name: Disable sudo password prompt (makepkg sudoers hack)
+    - name: Extract tag_name
-      lineinfile:
+      set_fact:
-        dest: /etc/sudoers
+        paru_version: "{{ (paru_release.json.tag_name | regex_replace('^v', '')) }}"
        state: present
        regexp: "^#?%wheel"
        line: "%wheel ALL=(ALL) NOPASSWD: ALL"
        validate: /usr/sbin/visudo -cf %s
-    - command:
+    - name: Get the binary URL ({{ os_arch }})
-        cmd: whoami
+      set_fact:
-      no_log: true
+        paru_url: "{{ item.browser_download_url }}"
-      become: false
+      loop: "{{ paru_release.json.assets }}"
-      register: main_user
+      when: "'{{ os_arch }}.tar.zst' in item.name"
-    - set_fact:
+    - name: Download
-        main_user: "{{ main_user.stdout }}"
+      ansible.builtin.get_url:
-      no_log: true
+        url: "{{ paru_url }}"
        dest: "/tmp/paru-{{ os_arch }}.tar.zst"
        mode: "0644"
-    - name: Create paru sources dir
+    - name: Extract paru
-      file:
+      ansible.builtin.command:
-        path: "{{ paru_src_path }}"
+        cmd: "tar -xf /tmp/paru-{{ os_arch }}.tar.zst paru -C /tmp"
        state: directory
        owner: "{{ main_user }}"
-    - name: Clone git sources
+    - name: Install paru binary
-      become: false
+      ansible.builtin.command:
-      git:
+        cmd: "mv /tmp/paru /usr/bin/paru"
        repo: "{{ paru_git_repo }}"
        dest: "{{ paru_src_path }}"
-    # note: this only works because SUDOERS password prompt is disabled
+    - name: Ensure permissions
-    - name: Build and install
+      ansible.builtin.file:
-      become: false
+        path: /usr/bin/paru
-      command:
+        mode: "0755"
        chdir: "{{ paru_src_path }}"
        cmd: "makepkg -si -f --noconfirm"
-    - name: Restore sudo with password prompt
+    - name: Cleanup
-      lineinfile:
+      ansible.builtin.file:
-        dest: /etc/sudoers
+        path: "/tmp/paru-{{ os_arch }}.tar.zst"
-        state: present
+        state: absent
        regexp: "^#?%wheel"
        line: "%wheel ALL=(ALL:ALL) ALL"
        validate: /usr/sbin/visudo -cf %s
  when: not paru.stat.exists
 ##
 ## Deprecated version with compilation
 ##
 # - name: Install paru
 #   block:
 #     - name: Install build dependencies
 #       package:
 #         name:
 #           - base-devel
 #           - git
 #         state: present
 #     - name: Disable sudo password prompt (makepkg sudoers hack)
 #       lineinfile:
 #         dest: /etc/sudoers
 #         state: present
 #         regexp: "^#?%wheel"
 #         line: "%wheel ALL=(ALL) NOPASSWD: ALL"
 #         validate: /usr/sbin/visudo -cf %s
 #     - command:
 #         cmd: whoami
 #       no_log: true
 #       become: false
 #       register: main_user
 #     - set_fact:
 #         main_user: "{{ main_user.stdout }}"
 #       no_log: true
 #     - name: Create paru sources dir
 #       file:
 #         path: "{{ paru_src_path }}"
 #         state: directory
 #         owner: "{{ main_user }}"
 #     - name: Clone git sources
 #       become: false
 #       git:
 #         repo: "{{ paru_git_repo }}"
 #         dest: "{{ paru_src_path }}"
 #     # note: this only works because SUDOERS password prompt is disabled
 #     - name: Build and install
 #       become: false
 #       command:
 #         chdir: "{{ paru_src_path }}"
 #         cmd: "makepkg -si -f --noconfirm"
 #     - name: Restore sudo with password prompt
 #       lineinfile:
 #         dest: /etc/sudoers
 #         state: present
 #         regexp: "^#?%wheel"
 #         line: "%wheel ALL=(ALL:ALL) ALL"
 #         validate: /usr/sbin/visudo -cf %s
 #   when: not paru.stat.exists
--- a/roles/net-config/templates/etc-interfaces.j2
+++ b/roles/net-config/templates/etc-interfaces.j2
@ -1,9 +0,0 @@
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 # The primary network interface
 allow-hotplug {{ interface.name }}
 iface {{ interface.name }} inet dhcp
 # This is an autoconfigured IPv6 interface
 iface {{ interface.name }} inet6 auto
--- a/roles/net-config/templates/systemd.network.j2
+++ b/roles/net-config/templates/systemd.network.j2
@ -1,9 +1,24 @@
 # {{ ansible_managed }}
 # systemd.network(5)
 [Match]
 Name={{ interface.name }}
-[Network]
+[Address]
 Address={{ interface.ipv4.address }}
-Gateway={{ interface.ipv4.gateway }}
+{% if interface.ipv4.metric is defined %}
 RouteMetric={{ interface.ipv4.metric }}
 {% endif %}
 [Network]
 {% for dns in interface.ipv4.nameservers %}
 DNS={{ dns }}
 {% endfor %}
 {% if interface.ipv4.gateway is defined %}
 [Route]
 Gateway={{ interface.ipv4.gateway }}
 {% if interface.ipv4.metric is defined %}
 Metric={{ interface.ipv4.metric }}
 {% endif %}
 {% endif %}
--- a/roles/net-persist/tasks/main.yml
+++ b/roles/net-persist/tasks/main.yml
@ -1,5 +1,5 @@
 ---
- name: Check if the interface is already named as expected
+- name: "Check {{ interface.name }} ({{ interface.mac_address }}) rule"
  set_fact:
    interface_original_name: "{{ ansible_facts.interfaces
      | select('in', ansible_facts)
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@ -1,5 +1,5 @@
 ---
- name: "Setup persistent network interface(s)"
+- name: Setup persistent network interface(s)
  include_role:
    name: net-persist
    public: yes
@ -7,7 +7,7 @@
    interface: "{{ item }}"
  loop: "{{ hostvars[inventory_hostname].network_interfaces | default([]) }}"
- name: "Configure network interface(s)"
+- name: Configure network interface(s)
  include_role:
    name: net-config
    public: yes
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@ -19,7 +19,7 @@
    name: "{{ ssh_service_name }}"
    enabled: yes
- name: Allow SSH incoming connection on local network
+- name: Allow local network incoming connection
  ufw:
    rule: allow
    port: "{{ ssh_port }}"
@ -27,7 +27,7 @@
    from: "{{ ssh_allowed_network }}"
    direction: in
- name: Allow SSH incoming connection on vpn network
+- name: Allow SSH VPN incoming connection
  ufw:
    rule: allow
    port: "{{ ssh_port }}"
--- a/roles/sshd/templates/sshd_banner.j2
+++ b/roles/sshd/templates/sshd_banner.j2
@ -15,6 +15,9 @@
   ⢸⣿⡇⠈⠙⠛⢛⣿⣿⣤⣤⣿⣿⡛⠛⠋⠁⢸⣿⡇
  ⣤⣼⣿⣧⣤⡀ ⠙⠛⠛⠛⠛⠛⠛⠋ ⢀⣤⣼⣿⣧⣤
  ⠛⠛⠛⠛⠛⠁          ⠈⠛⠛⠛⠛⠛
 *******************************************
 Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
 *******************************************
 {% elif ansible_host == 'omega' %}
         ⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⡶⠦
      ⢀⣴⣾⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⡄
@ -29,6 +32,29 @@
     ⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏
      ⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⡄
         ⠉⠛⠻⠿⢿⣿⣿⣿⣿⠟⠉⠉⠉⠉
 {% elif ansible_host == 'pinwheel' %}
 ⢀⣠⣄⣀⣀⣀               ⣀⣤⣴⣶⡾⠿⠿⠿⠿⢷⣶⣦⣤⣀⡀
 ⢰⣿⡟⠛⠛⠛⠻⠿⠿⢿⣶⣶⣦⣤⣤⣀⣀⡀⣀⣴⣾⡿⠟⠋⠉        ⠉⠙⠻⢿⣷⣦⣀         ⢀⣀⣀⣀⣀⣀⣀⣀⡀
 ⠻⣿⣦⡀ ⠉⠓⠶⢦⣄⣀⠉⠉⠛⠛⠻⠿⠟⠋⠁   ⣤⡀  ⢠   ⣠    ⠈⠙⠻⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠛⢻⣿
  ⠈⠻⣿⣦    ⠈⠙⠻⢷⣶⣤⡀    ⢀⣀⡀ ⠙⢷⡀⠸⡇ ⣰⠇ ⢀⣀⣀      ⣀⣠⣤⣤⣶⡶⠶⠶⠒⠂  ⣠⣾⠟
    ⠈⢿⣷⡀      ⠈⢻⣿⡄⣠⣴⣿⣯⣭⣽⣷⣆ ⠁    ⢠⣾⣿⣿⣿⣿⣦⡀ ⣠⣾⠟⠋⠁       ⣠⣾⡟⠁
     ⠈⢻⣷⣄       ⣿⡗⢻⣿⣧⣽⣿⣿⣿⣧  ⣀⣀ ⢠⣿⣧⣼⣿⣿⣿⣿⠗⠰⣿⠃        ⣠⣾⡿⠋
       ⠙⢿⣶⣄⡀    ⠸⠃⠈⠻⣿⣿⣿⣿⣿⡿⠃⠾⣥⡬⠗⠸⣿⣿⣿⣿⣿⡿⠛ ⢀⡟      ⣀⣠⣾⡿⠋
         ⠉⠛⠿⣷⣶⣤⣤⣄⣰⣄  ⠉⠉⠉⠁ ⢀⣀⣠⣄⣀⡀ ⠉⠉⠉  ⢀⣠⣾⣥⣤⣤⣤⣶⣶⡿⠿⠛⠉
             ⠈⠉⢻⣿⠛⢿⣷⣦⣤⣴⣶⣶⣦⣤⣤⣤⣤⣬⣥⡴⠶⠾⠿⠿⠿⠿⠛⢛⣿⣿⣿⣯⡉⠁
               ⠈⣿⣧⡀⠈⠉ ⠈⠁⣾⠛⠉⠉          ⣀⣴⣿⠟⠉⣹⣿⣇
               ⢀⣸⣿⣿⣦⣀   ⢻⡀       ⢀⣠⣤⣶⣿⠋⣿⠛⠃ ⣈⣿⣿
               ⣿⡿⢿⡀⠈⢹⡿⠶⣶⣼⡇ ⢀⣀⣀⣤⣴⣾⠟⠋⣡⣿⡟ ⢻⣶⠶⣿⣿⠛⢯
              ⠘⣿⣷⡈⢿⣦⣸⠇⢀⡿⠿⠿⡿⠿⠿⣿⠛⠋⠁ ⣴⠟⣿⣧⡀⠈⢁⣰⣿⠏ ⠏⡆
               ⢸⣿⢻⣦⣈⣽⣀⣾⠃ ⢸⡇ ⢸⡇ ⢀⣠⡾⠋⢰⣿⣿⣿⣿⡿⠟⠋
               ⠘⠿⢿⣿⣿⡟⠛⠃  ⣾  ⢸⡇⠐⠿⠋  ⣿⢻⣿⣿
                  ⢸⣿⠁⢀⡴⠋ ⣿  ⢸⠇     ⠁⢸⣿⣿
                 ⢀⣿⡿⠟⠋   ⣿  ⣸       ⢸⣿⣿
                 ⢸⣿⣁⣀    ⣿⡀ ⣿      ⢀⣈⣿⣿
                 ⠘⠛⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠋
 ******************************************************************
                 May the shell be with you
 ******************************************************************
 {% else %}
 ACCESS DENIED - UNKNOWN STAR SYSTEM
 {% endif %}
@ -39,9 +65,5 @@ will result in tracking and possible Force
 action.
 {% if ansible_hostname is defined %}
-Server: {{ ansible_hostname }}
+{{ group_names | first }}: {{ ansible_hostname }}
 {% endif %}
 *******************************************
 Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
 *******************************************