feat: add Ansible playbook to mask avahi-daemon on all Ubuntu VMs (#28)
All checks were successful
Auto-merge docs-only PRs / auto-merge-docs (pull_request) Successful in 2s
Closes #28

Adds mask-avahi.yml targeting the vms:physical inventory groups (all Ubuntu QEMU VMs + ubuntu-manticore). Also adds avahi masking to the cloud-init template so future VMs are hardened from first boot.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent a97f443f60
commit 4234351cfa
ansible/playbooks/mask-avahi.yml (new file, 43 lines)
@ -0,0 +1,43 @@
---
# Mask avahi-daemon on all Ubuntu hosts
#
# Avahi (mDNS/Bonjour) is not needed in a static-IP homelab with Pi-hole DNS.
# A kernel busy-loop bug in avahi-daemon was found consuming ~1.7 CPU cores
# across 5 VMs. Masking prevents it from ever starting again, surviving reboots.
#
# Targets: vms + physical (all Ubuntu QEMU VMs and ubuntu-manticore)
# Controller: ansible-controller (LXC 304 at 10.10.0.232)
#
# Usage:
# # Dry run
# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --check
#
# # Test on a single host first
# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --limit discord-bots
#
# # Roll out to all Ubuntu hosts
# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml
#
# To undo: systemctl unmask avahi-daemon

- name: Mask avahi-daemon on all Ubuntu hosts
hosts: vms:physical
become: true

tasks:
- name: Stop avahi-daemon
ansible.builtin.systemd:
name: avahi-daemon
state: stopped
ignore_errors: true

- name: Mask avahi-daemon
ansible.builtin.systemd:
name: avahi-daemon
masked: true

- name: Verify avahi is masked
ansible.builtin.command: systemctl is-enabled avahi-daemon
register: avahi_status
changed_when: false
failed_when: avahi_status.stdout | trim != 'masked'
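Review bot: the "Mask avahi-daemon" task masks only the service unit; on Ubuntu the avahi-daemon package also installs avahi-daemon.socket, which this play leaves enabled, so that unit will fail noisily at boot instead of being cleanly masked. Suggest masking both units (a second task or a loop over `avahi-daemon` and `avahi-daemon.socket`) and extending the "Verify avahi is masked" task to check both. Separately, `ignore_errors: true` on the "Stop avahi-daemon" task swallows every failure, not just the service-not-found case on hosts without avahi installed; `failed_when: false` with a comment stating that intent, or a prior `ansible.builtin.service_facts` check, would make the accepted failure explicit while still surfacing real errors.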
@ -67,10 +67,15 @@ runcmd:

# Add cal user to docker group (will take effect after next login)
- usermod -aG docker cal

# Test Docker installation
- docker run --rm hello-world

# Mask avahi-daemon — not needed in a static-IP homelab with Pi-hole DNS,
# and has a known kernel busy-loop bug that wastes CPU
- systemctl stop avahi-daemon || true
- systemctl mask avahi-daemon

# Write configuration files
write_files:
# SSH hardening configuration
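Review bot: the two added avahi lines sit after the Docker hello-world test, so on first boot avahi is still running during the earlier, slower runcmd steps; moving them to the top of runcmd stops it before that work. As in the playbook, only avahi-daemon.service is masked here; add `- systemctl mask avahi-daemon.socket` alongside. The `|| true` on the stop line is appropriate since the unit may not be present at that point, and `systemctl mask` still creates the /etc/systemd/system symlink for a unit that does not exist yet, so the mask holds even if avahi is installed by a later package.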