From ce1a7e81c5b8136a4168f197a6c5df5160e1cbd4 Mon Sep 17 00:00:00 2001 From: Jared Hampson Date: Wed, 13 Oct 2021 20:56:57 -0500 Subject: [PATCH] feat(os_agent_auto_update): Configure automatic updating for OS Agent Fixes #25 --- README.md | 2 + roles/os_agent_auto_update/README.md | 47 +++++++++++++++++++ roles/os_agent_auto_update/defaults/main.yml | 4 ++ .../files/update_os_agent.yml | 30 ++++++++++++ roles/os_agent_auto_update/meta/main.yml | 37 +++++++++++++++ roles/os_agent_auto_update/tasks/main.yml | 27 +++++++++++ roles/os_agent_auto_update/tests/inventory | 1 + roles/os_agent_auto_update/tests/test.yml | 4 ++ roles/os_agent_auto_update/vars/main.yml | 17 +++++++ tests/sanity.yml | 7 ++- 10 files changed, 174 insertions(+), 2 deletions(-) create mode 100644 roles/os_agent_auto_update/README.md create mode 100644 roles/os_agent_auto_update/defaults/main.yml create mode 100644 roles/os_agent_auto_update/files/update_os_agent.yml create mode 100644 roles/os_agent_auto_update/meta/main.yml create mode 100644 roles/os_agent_auto_update/tasks/main.yml create mode 100644 roles/os_agent_auto_update/tests/inventory create mode 100644 roles/os_agent_auto_update/tests/test.yml create mode 100644 roles/os_agent_auto_update/vars/main.yml diff --git a/README.md b/README.md index 3f4f401..5542b0a 100644 --- a/README.md +++ b/README.md 
@@ -22,6 +22,7 @@ These roles provide additional functionality to secure and enhance the minimal i 1. [harden_os](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/harden_os/README.md) - Enable automated Debian security updates and restrict SSH access 1. [fail2ban](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/fail2ban/README.md) - Install fail2ban, configure it to blacklist IPs with excessive failed login attempts to Home Assistant, and add the fail2ban integration to Home Assistant 1. [install_hacs](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/install_hacs/README.md) - Install the [Home Assistant Comunity Store](https://hacs.xyz/), a marketplace of community-contributed custom components for Home Assistant +1. [os_agent_auto_update](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/os_agent_auto_update/README.md) - Configures automatic updates to OS Agent component using `ansible-playbook` scheduled with cron ### Example Playbook @@ -67,4 +68,5 @@ These roles provide additional functionality to secure and enhance the minimal i - name: jhampson_dbre.home_assistant.harden_os - name: jhampson_dbre.home_assistant.fail2ban - name: jhampson_dbre.home_assistant.install_hacs + - name: jhampson_dbre.home_assistant.os_agent_auto_update ``` \ No newline at end of file diff --git a/roles/os_agent_auto_update/README.md b/roles/os_agent_auto_update/README.md new file mode 100644 index 0000000..4a26d28 --- /dev/null +++ b/roles/os_agent_auto_update/README.md 
@@ -0,0 +1,47 @@
+os_agent_auto_update
+=========
+
+Schedule ansible-playbook to check for and install OS Agent updates with cron
+
+Requirements
+------------
+
+- Ansible must be installed on the remote host to run the auto update playbook from cron. The role will complete successfully without Ansible being installed, but the cron job will not run successfully. By default, the role will automatically do a user install of ansible with pip.
+- A playbook is copied to the remote host that is scheduled in cron to check for and install OS Agent updates. This playbook has a task with `become: true`, so the user runs the schedule should have passwordless sudo configured to run non-interactively.
+
+Role Variables
+--------------
+
+The following varaibles are defined in `defaults/main.yml`
+
+```yaml
+# The path that the automatic update playbook will be copied to for scheduling
+os_agent_auto_update_playbook_dir: /home/homeassistant/playbooks
+
+# Install ansible on the remote host so that the update playbook can run in cron. Set to false to you already have ansible installed, or need a specific Ansible version.
+os_agent_auto_update_install_ansible: true
+```
+
+Dependencies
+------------
+
+none
+
+Example Playbook
+----------------
+
+```yaml
+- hosts: pi
+ roles:
+ - name: jhampson_dbre.home_assistant.os_agent_auto_update
+```
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+@jhampson-dbre
\ No newline at end of file
diff --git a/roles/os_agent_auto_update/defaults/main.yml b/roles/os_agent_auto_update/defaults/main.yml
new file mode 100644
index 0000000..e3f0b95
--- /dev/null
+++ b/roles/os_agent_auto_update/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for os_agent_auto_update
+os_agent_auto_update_playbook_dir: /home/homeassistant/playbooks
+os_agent_auto_update_install_ansible: true
diff --git a/roles/os_agent_auto_update/files/update_os_agent.yml b/roles/os_agent_auto_update/files/update_os_agent.yml
new file mode 100644
index 0000000..ad9a9ed
--- /dev/null
+++ b/roles/os_agent_auto_update/files/update_os_agent.yml
@@ -0,0 +1,30 @@
+- hosts: localhost
+ connection: local
+ vars:
+ update_os_agent_arch:
+ "i386": "i386"
+ "i686": "none"
+ "x86_64": "x86_64"
+ "arm": "armv5"
+ "armv6l": "none"
+ "armv7l": "armv7"
+ "aarch64": "aarch64"
+
+ tasks:
+ - name: Get download url for latest os-agent .deb release
+ shell: |
+ curl -s https://api.github.com/repos/home-assistant/os-agent/releases/latest \
+ | grep "browser_download_url.*{{ update_os_agent_arch[ansible_architecture] }}.deb" \
+ | cut -d : -f 2,3 \
+ | tr -d \"
+ register: os_agent_latest_url
+ failed_when: os_agent_latest_url.stdout is not search('os-agent_.*_linux_.*.deb')
+ changed_when: false
+ check_mode: no
+ args:
+ warn: false
+
+ - name: Install os-agent
+ apt:
+ deb: "{{ os_agent_latest_url.stdout|trim }}"
+ become: true
\ No newline at end of file
diff --git a/roles/os_agent_auto_update/meta/main.yml b/roles/os_agent_auto_update/meta/main.yml
new file mode 100644
index 0000000..59f9f26
--- /dev/null
+++ b/roles/os_agent_auto_update/meta/main.yml
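Review bot: The `failed_when` check on the download-URL task is the only gate before `apt: deb:` installs the result as root from an unattended cron run, and `search('os-agent_.*_linux_.*.deb')` accepts any output that merely contains such a file name, including several lines or a URL on another host. Anchoring the check to the expected release location would tighten it, for example `failed_when: os_agent_latest_url.stdout | trim is not match('https://github[.]com/home-assistant/os-agent/releases/download/[^/]+/os-agent_[^/]+_linux_[^/]+[.]deb$')`. The package is still installed with no checksum or signature check; if the os-agent project publishes digests (not visible in this patch), fetching with `get_url` and a `checksum` before the `apt` task would close that gap. A comment above the first task noting that the architecture map yields `none` for unsupported CPUs, so the task fails there on purpose, would also help the next reader.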
@@ -0,0 +1,37 @@
+galaxy_info:
+ author: Jared Hampson
+ description: Automatic update for Home Assistant OS Agent
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ license: MIT
+
+ min_ansible_version: 2.9
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ platforms:
+ - name: Debian
+ versions:
+ - buster
+
+ galaxy_tags:
+ - home
+ - assistant
+ - supervised
+ - raspberry
+ - pi
+ - hassio
+ - hacs
+
+dependencies: []
diff --git a/roles/os_agent_auto_update/tasks/main.yml b/roles/os_agent_auto_update/tasks/main.yml
new file mode 100644
index 0000000..4c64e0c
--- /dev/null
+++ b/roles/os_agent_auto_update/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+# tasks file for os_agent_auto_update
+- name: create directory for auto update playbook
+ file:
+ path: "{{ os_agent_auto_update_playbook_dir }}"
+ state: directory
+ mode: 0700
+
+- name: copy OS Agent update playbook
+ copy:
+ src: update_os_agent.yml
+ dest: "{{ os_agent_auto_update_playbook_dir }}/update_os_agent.yml"
+ mode: 0700
+
+- name: ensure ansible is installed
+ pip:
+ name: ansible<=2.10
+ extra_args: --user
+ executable: pip3
+ when: os_agent_auto_update_install_ansible|bool
+
+- name: schedule periodic update of OS Agent
+ cron:
+ name: "update OS Agent"
+ minute: "0"
+ hour: "5"
+ job: "ansible-playbook {{ os_agent_auto_update_playbook_dir }}/update_os_agent.yml"
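Review bot: The cron `job` in the last task of tasks/main.yml calls `ansible-playbook` by bare name, while the `pip` task installs Ansible with `--user`; a user install normally puts the script in `~/.local/bin`, which cron's default PATH usually does not contain, so the scheduled update may never run and nothing would report it. Giving the job an explicit path avoids that, e.g. `job: "$HOME/.local/bin/ansible-playbook {{ os_agent_auto_update_playbook_dir }}/update_os_agent.yml"` (location assumed, confirm on the target). Neither `file`/`copy` sets `owner` nor does `cron` set `user`, so who owns the copied playbook, which escalates with `become: true`, depends on how the role is invoked; setting them explicitly keeps that file writable only by the intended account. The modes and the version spec are also safer quoted, `mode: "0700"` and `name: "ansible<=2.10"`.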
diff --git a/roles/os_agent_auto_update/tests/inventory b/roles/os_agent_auto_update/tests/inventory new file mode 100644 index 0000000..2fbb50c --- /dev/null +++ b/roles/os_agent_auto_update/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/roles/os_agent_auto_update/tests/test.yml b/roles/os_agent_auto_update/tests/test.yml new file mode 100644 index 0000000..74278a7 --- /dev/null +++ b/roles/os_agent_auto_update/tests/test.yml @@ -0,0 +1,4 @@ +--- +- hosts: localhost + roles: + - name: os_agent_auto_update diff --git a/roles/os_agent_auto_update/vars/main.yml b/roles/os_agent_auto_update/vars/main.yml new file mode 100644 index 0000000..c13af9f --- /dev/null +++ b/roles/os_agent_auto_update/vars/main.yml @@ -0,0 +1,17 @@ +--- +# vars file for os_agent_auto_update +os_agent_auto_update_arch: + "i386": + os_agent: "i386" + "i686": + os_agent: "none" + "x86_64": + os_agent: "x86_64" + "arm": + os_agent: "armv5" + "armv6l": + os_agent: "none" + "armv7l": + os_agent: "armv7" + "aarch64": + os_agent: "aarch64" diff --git a/tests/sanity.yml b/tests/sanity.yml index f9831b0..0413955 100644 --- a/tests/sanity.yml +++ b/tests/sanity.yml @@ -1,7 +1,6 @@ - name: Import all roles for sanity tests hosts: all tasks: - - name: import harden_os import_role: name: ../roles/harden_os @@ -20,4 +19,8 @@ - name: import supervised_install import_role: - name: ../roles/supervised_install \ No newline at end of file + name: ../roles/supervised_install + + - name: import os_agent_auto_update + import_role: + name: ../roles/os_agent_auto_update
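Review bot: `os_agent_auto_update_arch` in vars/main.yml is not referenced by any task in this patch, and files/update_os_agent.yml carries its own flat copy of the same table (`update_os_agent_arch`), so the two can drift apart without anyone noticing. Either drop the vars file or mark which copy is authoritative, for example with `# NOTE: not read by update_os_agent.yml, which runs standalone from cron and keeps its own copy` above the mapping.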