swarm-master/ansible/playbooks/customize.yml
William Valentin c8aaa40cd8 Add Homebrew installation and packages to customize playbook
Installs Homebrew as the openclaw user (idempotent via creates guard),
adds it to PATH in .bashrc, then installs the four leaf packages present
on zap: gogcli, himalaya, kubernetes-cli, opencode.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 13:50:48 -07:00


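---
# Post-provisioning customizations for OpenClaw VMs
# Run after playbooks/install.yml to apply host-specific tweaks
#
# Usage:
#   ansible-playbook -i inventory.yml playbooks/customize.yml
#   ansible-playbook -i inventory.yml playbooks/customize.yml --limit zap

- name: OpenClaw VM customizations
  hosts: openclaw_servers
  become: true

  tasks:
    # ── Kernel tuning ──────────────────────────────────────────────────────
    - name: Set vm.swappiness=10 (live)
      ansible.posix.sysctl:
        name: vm.swappiness
        value: "10"
        state: present
        reload: true

    - name: Persist vm.swappiness in /etc/sysctl.conf
      ansible.builtin.lineinfile:
        path: /etc/sysctl.conf
        regexp: '^vm\.swappiness'
        line: 'vm.swappiness=10'
        state: present

    # ── virtiofs share ─────────────────────────────────────────────────────
    - name: Create virtiofs mount point
      ansible.builtin.file:
        path: /mnt/swarm
        state: directory
        mode: "0755"

    - name: Mount virtiofs swarm share via fstab
      ansible.posix.mount:
        path: /mnt/swarm
        src: swarm
        fstype: virtiofs
        opts: defaults
        state: present
      # Note: actual mount requires reboot after VM config update

    # ── User services ──────────────────────────────────────────────────────
    - name: Ensure openclaw user lingering is enabled (for user systemd services)
      ansible.builtin.command:
        cmd: loginctl enable-linger openclaw
        # logind records linger state as a file named after the user; using it
        # as the guard makes the task skip on re-runs and report "changed" only
        # when it actually enabled lingering (instead of always "ok").
        creates: /var/lib/systemd/linger/openclaw

    # ── Homebrew ───────────────────────────────────────────────────────────
    - name: Install Homebrew dependencies
      ansible.builtin.apt:
        name:
          - build-essential
          - procps
          - curl
          - file
          - git
        state: present

    - name: Install Homebrew (as openclaw user)
      # NOTE(review): this downloads and executes the installer from the
      # unpinned HEAD ref of Homebrew/install with no checksum or signature
      # check, so every run trusts whatever that endpoint serves at that
      # moment. Pin to a release tag or commit and verify the script's
      # checksum before executing it.
      # The installer may call sudo to create /home/linuxbrew; with
      # NONINTERACTIVE=1 that assumes openclaw can sudo without a prompt — confirm.
      ansible.builtin.shell: |
        NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
      become_user: openclaw
      args:
        # Idempotency guard: skip once the brew binary exists.
        creates: /home/linuxbrew/.linuxbrew/bin/brew

    - name: Add Homebrew to openclaw user PATH
      ansible.builtin.blockinfile:
        path: /home/openclaw/.bashrc
        marker: "# {mark} HOMEBREW"
        block: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
        owner: openclaw
        group: openclaw
        create: true

    - name: Install Homebrew packages
      # Package names are interpolated into a shell line; `quote` keeps each
      # item a single shell word even if the list later gains names with
      # spaces or shell metacharacters.
      ansible.builtin.shell: |
        brew list {{ item | quote }} 2>/dev/null || brew install {{ item | quote }}
      become_user: openclaw
      environment:
        HOME: /home/openclaw
        # .bashrc is not sourced by the non-interactive shell Ansible uses,
        # so brew's bin dir is put on PATH explicitly here.
        PATH: /home/linuxbrew/.linuxbrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      loop:
        - gogcli
        - himalaya
        - kubernetes-cli
        - opencode
      register: brew_install
      # Relies on brew printing an "Installing" progress line on stdout when it
      # actually installs something; presumably absent on the `brew list`
      # short-circuit path — verify against brew's output on this host.
      changed_when: "'Installing' in brew_install.stdout"

    # ── Automatic security updates ─────────────────────────────────────────
    # The upstream role installs unattended-upgrades with security-only updates.
    # We extend it here to enable automatic reboots for kernel/libc updates,
    # scheduled at 04:00 — after the 03:00 backup and the Sunday 03:10 e2scrub.
    - name: Ensure unattended-upgrades is installed
      ansible.builtin.apt:
        name:
          - unattended-upgrades
          - apt-listchanges
        state: present

    - name: Configure unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        mode: "0644"
        content: |
          // OpenClaw VM — automatic security updates
          Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}-security";
            "${distro_id}ESMApps:${distro_codename}-apps-security";
            "${distro_id}ESM:${distro_codename}-infra-security";
          };
          Unattended-Upgrade::Package-Blacklist {};
          Unattended-Upgrade::AutoFixInterruptedDpkg "true";
          Unattended-Upgrade::MinimalSteps "true";
          Unattended-Upgrade::Remove-Unused-Dependencies "true";
          Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
          Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
          // Reboot at 04:00 if required (after 03:00 backup + Sunday 03:10 e2scrub)
          Unattended-Upgrade::Automatic-Reboot "true";
          Unattended-Upgrade::Automatic-Reboot-Time "04:00";
      notify: Restart unattended-upgrades

    - name: Enable daily apt update and upgrade triggers
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
          APT::Periodic::AutocleanInterval "7";

    - name: Ensure unattended-upgrades service is running and enabled
      ansible.builtin.systemd:
        name: unattended-upgrades
        state: started
        enabled: true

  handlers:
    - name: Restart unattended-upgrades
      ansible.builtin.systemd:
        name: unattended-upgrades
        state: restarted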