debian: enable automatic upgrades only for virtual machines

And factor out VM stuff into a separate file.
alpine: don’t disable IPv6 autoconf on loopback interface
2025-10-22 19:31:01 +02:00 · 2025-10-22 19:30:31 +02:00 · 2025-10-22 19:30:31 +02:00 · 2025-10-22 19:30:17 +02:00 · 2025-10-22 18:26:18 +02:00
5 changed files with 64 additions and 42 deletions
--- a/roles/alpine/tasks/main.yml
+++ b/roles/alpine/tasks/main.yml
@ -65,7 +65,6 @@
    - acl
    - git
    - iproute2
-    - logrotate
    - nftables
    - procps
    - rsync
@ -98,33 +97,11 @@

 - meta: flush_handlers

- name: Enable QEMU guest agent
-  when: is_virtual
-  block:
-    - name: Install QEMU guest agent package
-      package:
-        name: qemu-guest-agent
-
-    - name: Enable QEMU guest agent service
-      service:
-        name: qemu-guest-agent
-        enabled: yes
-        state: started
-
- name: Install automatic upgrade script
-  copy:
-    dest: /etc/periodic/weekly/
-    src: unattended-upgrade
-    mode: 0755
-
- name: Configure log rotation for automatic upgrades
-  copy:
-    dest: /etc/logrotate.d/unattended-upgrade
-    src: unattended-upgrade.logrotate
-    mode: 0644
-
 - name: Set authorized SSH keys
  authorized_key:
    user: root
    exclusive: true
    key: "{{ ssh_keys | join('\n') }}"
+
+- when: is_virtual
+  include_tasks: vm.yml
--- a/roles/alpine/tasks/vm.yml
+++ b/roles/alpine/tasks/vm.yml
@ -0,0 +1,25 @@
+- name: Install QEMU guest agent package
+  package:
+    name: qemu-guest-agent
+
+- name: Enable QEMU guest agent service
+  service:
+    name: qemu-guest-agent
+    enabled: yes
+    state: started
+
+- name: Install logrotate
+  package:
+    name: logrotate
+
+- name: Install automatic upgrade script
+  copy:
+    dest: /etc/periodic/weekly/
+    src: unattended-upgrade
+    mode: "0755"
+
+- name: Configure log rotation for automatic upgrades
+  copy:
+    dest: /etc/logrotate.d/unattended-upgrade
+    src: unattended-upgrade.logrotate
+    mode: "0644"
--- a/roles/alpine/templates/interfaces.j2
+++ b/roles/alpine/templates/interfaces.j2
@ -1,10 +1,20 @@
-{# Loopback interface must be present so define it here if none exists. #}
-{% if interfaces | rejectattr("name", "==", "lo") %}
+{# Loopback interface must be present so create it here if none is defined in inventory. #}
+{% if not interfaces | selectattr("name", "==", "lo") %}
 auto lo
 iface lo

 {% endif -%}

+{# Define VRFs. #}
+{% for vrf in interfaces | selectattr("vrf") | map(attribute="vrf.name") %}
+auto {{ vrf }}
+iface {{ vrf }}
+    pre-up ip link add $IFACE type vrf table {{ 100 + loop.index }}
+    up ip link set dev $IFACE up
+    post-down ip link del $IFACE
+
+{% endfor -%}
+
 {# Skip disabled and OOB management interfaces. #}
 {# For VMs we have to set the attribute manually (to false) so rejectattr works. #}
 {% for iface in interfaces
@ -13,6 +23,10 @@ iface lo
    | selectattr('enabled') %}
 auto {{ iface.name }}
 iface {{ iface.name }}
+{% if iface.vrf %}
+    requires {{ iface.vrf.name }}
+    pre-up ip link set $IFACE master {{ iface.vrf.name }}
+{% endif %}
 {% if iface.mtu %}
    mtu {{ iface.mtu }}
 {% endif %}
@ -23,13 +37,17 @@ iface {{ iface.name }}
 {% set prefix = prefixes | selectattr('prefix', '==', subnet) | first %}
 {% set gateway = prefix.custom_fields.gateway.address %}
 {% if gateway is defined and gateway != address.address %}
+{% if iface.vrf %}
+    up ip route add default via {{ gateway | ipaddr('address') }} {% if iface.vrf.name %}vrf {{ iface.vrf.name }}{% endif +%}
+{% else %}
    gateway {{ gateway | ipaddr('address') }}
 {% endif %}
 {% endif %}
+{% endif %}
 {% endfor -%}

 {# disable SLAAC if we have a manually set IPv6 address #}
-{% if iface.ip_addresses | selectattr("family.value", "==", 6) %}
+{% if iface.ip_addresses | selectattr("family.value", "==", 6) and iface.name != "lo" %}
    pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
 {% endif %}

--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@ -89,19 +89,6 @@
  include_tasks: firewall.yml
  when: not is_proxmox # proxmox has its own firewall configuration

- name: Install automatic upgrade package
-  package:
-    name: unattended-upgrades
-
- name: Configure automatic upgrades
-  lineinfile:
-    path: /etc/apt/apt.conf.d/20auto-upgrades
-    create: yes
-    line: '{{ item }}'
-  loop:
-    - 'APT::Periodic::Update-Package-Lists "1";'
-    - 'APT::Periodic::Unattended-Upgrade "1";'
-
 - name: Run SSH instance in management VRF
  when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
  block:
@ -124,3 +111,6 @@
        name: sshd@mgmt
        enabled: yes
      notify: reboot
+
+- when: is_virtual
+  include_tasks: vm.yml
--- a/roles/debian/tasks/vm.yml
+++ b/roles/debian/tasks/vm.yml
@ -0,0 +1,12 @@
+- name: Install automatic upgrade package
+  package:
+    name: unattended-upgrades
+
+- name: Configure automatic upgrades
+  lineinfile:
+    path: /etc/apt/apt.conf.d/20auto-upgrades
+    create: yes
+    line: '{{ item }}'
+  loop:
+    - 'APT::Periodic::Update-Package-Lists "1";'
+    - 'APT::Periodic::Unattended-Upgrade "1";'
Author	SHA1	Message	Date
Timotej Lazar	2f02f1eb2c	debian: enable automatic upgrades only for virtual machines And factor out VM stuff into a separate file.	2025-10-22 19:31:01 +02:00
Timotej Lazar	6a5ebfe5b5	alpine: don’t disable IPv6 autoconf on loopback interface Not sure if it makes a difference but let’s keep the generated config minimal.	2025-10-22 19:30:31 +02:00
Timotej Lazar	7a4a868d41	alpine: add support for VRF interfaces Mostly so we can merge the firewall role from the network repo, there aren’t any other current users.	2025-10-22 19:30:31 +02:00
Timotej Lazar	1b206517b6	alpine: enable automatic upgrades only for virtual machines And factor out VM stuff into a separate file.	2025-10-22 19:30:17 +02:00
Timotej Lazar	e2c9acd872	alpine: fix condition for loopback interface template	2025-10-22 18:26:18 +02:00