debian: enable automatic upgrades only for virtual machines

And factor out VM stuff into a separate file.
alpine: don’t disable IPv6 autoconf on loopback interface
2025-10-22 19:31:01 +02:00 · 2025-10-22 19:30:31 +02:00 · 2025-10-22 19:30:31 +02:00 · 2025-10-22 19:30:17 +02:00 · 2025-10-22 18:26:18 +02:00
5 changed files with 64 additions and 42 deletions
--- a/roles/alpine/tasks/main.yml
+++ b/roles/alpine/tasks/main.yml
@ -65,7 +65,6 @@
    - acl
    - git
    - iproute2
    - logrotate
    - nftables
    - procps
    - rsync
@ -98,33 +97,11 @@
 - meta: flush_handlers
 - name: Enable QEMU guest agent
  when: is_virtual
  block:
    - name: Install QEMU guest agent package
      package:
        name: qemu-guest-agent
    - name: Enable QEMU guest agent service
      service:
        name: qemu-guest-agent
        enabled: yes
        state: started
 - name: Install automatic upgrade script
  copy:
    dest: /etc/periodic/weekly/
    src: unattended-upgrade
    mode: 0755
 - name: Configure log rotation for automatic upgrades
  copy:
    dest: /etc/logrotate.d/unattended-upgrade
    src: unattended-upgrade.logrotate
    mode: 0644
 - name: Set authorized SSH keys
  authorized_key:
    user: root
    exclusive: true
    key: "{{ ssh_keys | join('\n') }}"
 - when: is_virtual
  include_tasks: vm.yml
--- a/roles/alpine/tasks/vm.yml
+++ b/roles/alpine/tasks/vm.yml
@ -0,0 +1,25 @@
 - name: Install QEMU guest agent package
  package:
    name: qemu-guest-agent
 - name: Enable QEMU guest agent service
  service:
    name: qemu-guest-agent
    enabled: yes
    state: started
 - name: Install logrotate
  package:
    name: logrotate
 - name: Install automatic upgrade script
  copy:
    dest: /etc/periodic/weekly/
    src: unattended-upgrade
    mode: "0755"
 - name: Configure log rotation for automatic upgrades
  copy:
    dest: /etc/logrotate.d/unattended-upgrade
    src: unattended-upgrade.logrotate
    mode: "0644"
--- a/roles/alpine/templates/interfaces.j2
+++ b/roles/alpine/templates/interfaces.j2
@ -1,10 +1,20 @@
-{# Loopback interface must be present so define it here if none exists. #}
+{# Loopback interface must be present so create it here if none is defined in inventory. #}
-{% if interfaces | rejectattr("name", "==", "lo") %}
+{% if not interfaces | selectattr("name", "==", "lo") %}
 auto lo
 iface lo
 {% endif -%}
 {# Define VRFs. #}
 {% for vrf in interfaces | selectattr("vrf") | map(attribute="vrf.name") %}
 auto {{ vrf }}
 iface {{ vrf }}
    pre-up ip link add $IFACE type vrf table {{ 100 + loop.index }}
    up ip link set dev $IFACE up
    post-down ip link del $IFACE
 {% endfor -%}
 {# Skip disabled and OOB management interfaces. #}
 {# For VMs we have to set the attribute manually (to false) so rejectattr works. #}
 {% for iface in interfaces
@ -13,6 +23,10 @@ iface lo
    | selectattr('enabled') %}
 auto {{ iface.name }}
 iface {{ iface.name }}
 {% if iface.vrf %}
    requires {{ iface.vrf.name }}
    pre-up ip link set $IFACE master {{ iface.vrf.name }}
 {% endif %}
 {% if iface.mtu %}
    mtu {{ iface.mtu }}
 {% endif %}
@ -23,13 +37,17 @@ iface {{ iface.name }}
 {% set prefix = prefixes | selectattr('prefix', '==', subnet) | first %}
 {% set gateway = prefix.custom_fields.gateway.address %}
 {% if gateway is defined and gateway != address.address %}
 {% if iface.vrf %}
    up ip route add default via {{ gateway | ipaddr('address') }} {% if iface.vrf.name %}vrf {{ iface.vrf.name }}{% endif +%}
 {% else %}
    gateway {{ gateway | ipaddr('address') }}
 {% endif %}
 {% endif %}
 {% endif %}
 {% endfor -%}
 {# disable SLAAC if we have a manually set IPv6 address #}
-{% if iface.ip_addresses | selectattr("family.value", "==", 6) %}
+{% if iface.ip_addresses | selectattr("family.value", "==", 6) and iface.name != "lo" %}
    pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
 {% endif %}
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@ -89,19 +89,6 @@
  include_tasks: firewall.yml
  when: not is_proxmox # proxmox has its own firewall configuration
 - name: Install automatic upgrade package
  package:
    name: unattended-upgrades
 - name: Configure automatic upgrades
  lineinfile:
    path: /etc/apt/apt.conf.d/20auto-upgrades
    create: yes
    line: '{{ item }}'
  loop:
    - 'APT::Periodic::Update-Package-Lists "1";'
    - 'APT::Periodic::Unattended-Upgrade "1";'
 - name: Run SSH instance in management VRF
  when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
  block:
@ -124,3 +111,6 @@
        name: sshd@mgmt
        enabled: yes
      notify: reboot
 - when: is_virtual
  include_tasks: vm.yml
--- a/roles/debian/tasks/vm.yml
+++ b/roles/debian/tasks/vm.yml
@ -0,0 +1,12 @@
 - name: Install automatic upgrade package
  package:
    name: unattended-upgrades
 - name: Configure automatic upgrades
  lineinfile:
    path: /etc/apt/apt.conf.d/20auto-upgrades
    create: yes
    line: '{{ item }}'
  loop:
    - 'APT::Periodic::Update-Package-Lists "1";'
    - 'APT::Periodic::Unattended-Upgrade "1";'
Author	SHA1	Message	Date
Timotej Lazar	2f02f1eb2c	debian: enable automatic upgrades only for virtual machines And factor out VM stuff into a separate file.	2025-10-22 19:31:01 +02:00
Timotej Lazar	6a5ebfe5b5	alpine: don’t disable IPv6 autoconf on loopback interface Not sure if it makes a difference but let’s keep the generated config minimal.	2025-10-22 19:30:31 +02:00
Timotej Lazar	7a4a868d41	alpine: add support for VRF interfaces Mostly so we can merge the firewall role from the network repo, there aren’t any other current users.	2025-10-22 19:30:31 +02:00
Timotej Lazar	1b206517b6	alpine: enable automatic upgrades only for virtual machines And factor out VM stuff into a separate file.	2025-10-22 19:30:17 +02:00
Timotej Lazar	e2c9acd872	alpine: fix condition for loopback interface template	2025-10-22 18:26:18 +02:00