authorGuilhem Moulin <guilhem@fripost.org>2017-05-30 13:48:25 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-05-30 13:48:25 +0200
commit789f4f2e1b01873b200b973584d1501ba32e3bfd (patch)
tree0e8a72ecfd8cb987f3baca74eb286c2cba308454
parent39242fe991582f5f912912c2a12429f9d5c744c4 (diff)
Also install non-free firmwares on civett.
-rw-r--r--group_vars/all.yml6
-rw-r--r--production2
-rw-r--r--roles/common/templates/etc/apt/preferences.j25
-rw-r--r--roles/common/templates/etc/apt/sources.list.j24
4 files changed, 11 insertions, 6 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 089c75f..97e2024 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,21 +1,27 @@
---
+non_free_packages:
+ civett:
+ - firmware-linux-nonfree
+ elefant:
+ - firmware-linux-nonfree
+
# Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
# in the absence of xfrm lookup (i.e., when there is no matching IPsec
# Security Association) to avoid data leaks.
ipsec_subnet: 172.16.0.0/24
ipsec:
# Virtual (non-routable) addresses for IPsec. They all need to be
# distinct and belong to the above subnet 'ipsec_subnet'.
antilop: 172.16.0.1
benjamin: 172.16.0.2
civett: 172.16.0.3
elefant: 172.16.0.4
giraff: 172.16.0.5
mistral: 172.16.0.6
postfix_instance:
# The keys are the group names associated with a Postfix role, and the
# values are the name and group (optional) of the instance dedicated
# to that role.
# For internal services, we also specify its (non-routable) IP address
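Review bot: The new `non_free_packages` map at the top of this hunk has no comment, unlike `ipsec_subnet`, `ipsec` and `postfix_instance` below it, even though it now decides which hosts get the contrib and non-free archive components. I would add above it `# Non-free packages allowed per host, keyed by short inventory hostname.` followed by `# Listing a host here adds contrib/non-free to its sources.list and pins only these packages above -1.` The comment should also state that a key which does not match `inventory_hostname_short` is silently ignored by both templates, so a typo in a hostname leaves that host without its firmware rather than producing an error.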
diff --git a/production b/production
index 2b78b20..70cc332 100644
--- a/production
+++ b/production
@@ -51,33 +51,31 @@ benjamin
[bacula-sd:children]
benjamin
# webmail.fripost.org
[webmail:children]
elefant
# lists.fripost.org
[lists:children]
antilop
[wiki:children]
civett
[git:children]
wiki
[munin-master:children]
benjamin
-[non-free:children]
-elefant
[backports:children]
webmail
# machines behind NAT
[NATed:children]
benjamin
# hostnames resolving to a dynamic IP
[DynDNS:children]
benjamin
diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2
index ba10834..5d4b415 100644
--- a/roles/common/templates/etc/apt/preferences.j2
+++ b/roles/common/templates/etc/apt/preferences.j2
@@ -1,38 +1,39 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
# Install updates as soon as they're available
Package: *
Pin: release a={{ ansible_lsb.codename }}-updates
Pin-Priority: 990
{% if 'backports' in group_names -%}
# Automatically packages from backports (those manually installed)
Package: *
Pin: release a={{ ansible_lsb.codename }}-backports
Pin-Priority: 200
{% endif %}
-{% if 'non-free' in group_names -%}
+{% if inventory_hostname_short in non_free_packages.keys() -%}
# Automatically upgrade non-free firmwares (when manually installed)
-Package: firmware-linux-nonfree
+Package: {{ non_free_packages[inventory_hostname_short] | join (' ') }}
+Pin: version *
Pin-Priority: 200
{% endif %}
{% if ansible_processor[0] | search('^(Genuine)?Intel.*') and
not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') -%}
# Automatically upgrade the microcode (when manually installed)
Package: intel-microcode iucode-tool
Pin: version *
Pin-Priority: 200
{% endif %}
# Never, ever install things from contrib or non-free unless they have been
# whitelisted above
Package: *
Pin: release c=contrib
Pin-Priority: -1
Package: *
Pin: release c=non-free
Pin-Priority: -1
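Review bot: The new `{% if inventory_hostname_short in non_free_packages.keys() -%}` test only checks that the host has a key, so a host listed with an empty list would render a bare `Package:` line followed by `Pin: version *`, which apt will most likely reject or misread as a stanza. Testing the list itself avoids that, for example `{% if non_free_packages[inventory_hostname_short] | default([]) -%}`. Note also that the allow-list is by exact package name: any non-free dependency of a listed package that is not itself in the list still falls under the `c=non-free` pin at -1 at the bottom of the file, so it has to be added to `non_free_packages` explicitly. That fail-closed behaviour is worth a short comment next to the stanza.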
diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2
index 565c2c2..2dbaee4 100644
--- a/roles/common/templates/etc/apt/sources.list.j2
+++ b/roles/common/templates/etc/apt/sources.list.j2
@@ -1,13 +1,13 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
# vim: set filetype=debsources :
-deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }} main{% if 'non-free' in group_names or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
+deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
-deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if 'non-free' in group_names or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[0] | search("^(Genuine)?Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }}-updates main
{% if 'backports' in group_names -%}
deb http://ftp.{%if geoip is defined %}{{ geoip }}.{% endif %}debian.org/debian/ {{ ansible_lsb.codename }}-backports main
{% endif %}
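Review bot: The same long condition is now written out twice here, on the main archive line and on the security.debian.org line, and its first half is repeated in preferences.j2, so the three copies can drift apart the next time the rule changes. Computing it once at the top of the template with a whitespace-trimmed `{% set use_non_free = ... -%}` and then writing `{% if use_non_free %} contrib non-free{% endif %}` on both `deb` lines would keep them in step. `in non_free_packages` is also enough, as the `.keys()` call is redundant for a dict membership test. Because this condition exposes the whole contrib and non-free components to apt on the host, a one-line comment should say that containment relies on the -1 pins in preferences.j2 being deployed alongside this file.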