feat: add Ansible playbook to mask avahi-daemon on all Ubuntu VMs (#28)
All checks were successful
Auto-merge docs-only PRs / auto-merge-docs (pull_request) Successful in 2s
All checks were successful
Auto-merge docs-only PRs / auto-merge-docs (pull_request) Successful in 2s
Closes #28 Adds mask-avahi.yml targeting the vms:physical inventory groups (all Ubuntu QEMU VMs + ubuntu-manticore). Also adds avahi masking to the cloud-init template so future VMs are hardened from first boot. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Cal Corum
parent
a97f443f60
commit
4234351cfa
43
ansible/playbooks/mask-avahi.yml
Normal file
43
ansible/playbooks/mask-avahi.yml
Normal file
@ -0,0 +1,43 @@
|
||||
---
|
||||
# Mask avahi-daemon on all Ubuntu hosts
|
||||
#
|
||||
# Avahi (mDNS/Bonjour) is not needed in a static-IP homelab with Pi-hole DNS.
|
||||
# A kernel busy-loop bug in avahi-daemon was found consuming ~1.7 CPU cores
|
||||
# across 5 VMs. Masking prevents it from ever starting again, surviving reboots.
|
||||
#
|
||||
# Targets: vms + physical (all Ubuntu QEMU VMs and ubuntu-manticore)
|
||||
# Controller: ansible-controller (LXC 304 at 10.10.0.232)
|
||||
#
|
||||
# Usage:
|
||||
# # Dry run
|
||||
# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --check
|
||||
#
|
||||
# # Test on a single host first
|
||||
# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --limit discord-bots
|
||||
#
|
||||
# # Roll out to all Ubuntu hosts
|
||||
# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml
|
||||
#
|
||||
# To undo: systemctl unmask avahi-daemon
|
||||
|
||||
- name: Mask avahi-daemon on all Ubuntu hosts
|
||||
hosts: vms:physical
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
- name: Stop avahi-daemon
|
||||
ansible.builtin.systemd:
|
||||
name: avahi-daemon
|
||||
state: stopped
|
||||
ignore_errors: true
|
||||
|
||||
- name: Mask avahi-daemon
|
||||
ansible.builtin.systemd:
|
||||
name: avahi-daemon
|
||||
masked: true
|
||||
|
||||
- name: Verify avahi is masked
|
||||
ansible.builtin.command: systemctl is-enabled avahi-daemon
|
||||
register: avahi_status
|
||||
changed_when: false
|
||||
failed_when: avahi_status.stdout | trim != 'masked'
|
||||
@ -67,10 +67,15 @@ runcmd:
|
||||
|
||||
# Add cal user to docker group (will take effect after next login)
|
||||
- usermod -aG docker cal
|
||||
|
||||
|
||||
# Test Docker installation
|
||||
- docker run --rm hello-world
|
||||
|
||||
# Mask avahi-daemon — not needed in a static-IP homelab with Pi-hole DNS,
|
||||
# and has a known kernel busy-loop bug that wastes CPU
|
||||
- systemctl stop avahi-daemon || true
|
||||
- systemctl mask avahi-daemon
|
||||
|
||||
# Write configuration files
|
||||
write_files:
|
||||
# SSH hardening configuration
|
||||
|
||||
Loading…
Reference in New Issue
Block a user