Commit b77e0049 authored by Derek Nola's avatar Derek Nola

Fix linting to bring back 'production' status for all non-server k3s roles



Signed-off-by: default avatarDerek Nola <derek.nola@suse.com>
parent d397c5c3
+9 −9
@@ -13,13 +13,13 @@
      delegate_to: localhost
      ansible.builtin.stat:
        path: "{{ airgap_dir + '/k3s-install.sh' }}"
      register: host_install_script
      register: airgap_host_install_script

    - name: Download k3s install script
      become: false
      delegate_to: localhost
      # Workaround for https://github.com/ansible/ansible/issues/64016
      when: not host_install_script.stat.exists
      when: not airgap_host_install_script.stat.exists
      ansible.builtin.get_url:
        url: https://get.k3s.io/
        timeout: 120
@@ -34,11 +34,11 @@
        group: root
        mode: "0755"

    - name: Determine architecture and set k3s_arch
    - name: Determine architecture and set airgap_k3s_arch
      ansible.builtin.set_fact:
        k3s_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'arm' if ansible_architecture == 'armv7l' else 'amd64' }}"
        airgap_k3s_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'arm' if ansible_architecture == 'armv7l' else 'amd64' }}"

    - name: Distribute K3s binary {{ k3s_arch }}
    - name: Distribute K3s binary {{ airgap_k3s_arch }}
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: /usr/local/bin/k3s
@@ -47,7 +47,7 @@
        mode: "0755"
      with_first_found:
        - files:
            - "{{ airgap_dir }}/k3s-{{ k3s_arch }}"
            - "{{ airgap_dir }}/k3s-{{ airgap_k3s_arch }}"
            - "{{ airgap_dir }}/k3s"
          # with_first_found always runs, even inside the when block
          # so we need to skip it if the file is not found
@@ -62,15 +62,15 @@
        mode: "0755"
      with_fileglob:
        - "{{ airgap_dir }}/k3s-selinux*.rpm"
      register: selinux_copy
      register: airgap_selinux_copy
      ignore_errors: true

    - name: Install K3s SELinux RPM
      when:
        - ansible_os_family == 'RedHat'
        - selinux_copy.skipped is false
        - airgap_selinux_copy.skipped is false
      ansible.builtin.dnf:
        name: "{{ selinux_copy.results[0].dest }}"
        name: "{{ airgap_selinux_copy.results[0].dest }}"
        state: present
        disable_gpg_check: true
        disablerepo: "*"
+6 −4
---
- name: Get k3s installed version
  ansible.builtin.command: k3s --version
  register: k3s_version_output
  register: k3s_agent_version_output
  changed_when: false
  ignore_errors: true

- name: Set k3s installed version
  when: not ansible_check_mode and k3s_version_output.rc == 0
  when: not ansible_check_mode and k3s_agent_version_output.rc == 0
  ansible.builtin.set_fact:
    installed_k3s_version: "{{ k3s_version_output.stdout_lines[0].split(' ')[2] }}"
    k3s_agent_installed_version: "{{ k3s_agent_version_output.stdout_lines[0].split(' ')[2] }}"

# If airgapped, all K3s artifacts are already on the node.
# We should be downloading and installing the newer version only if we are in one of the following cases :
#   - we couldn't get k3s installed version in the first task of this role
#   - the installed version of K3s on the nodes is older than the requested version in ansible vars
- name: Download artifact only if needed
  when: not ansible_check_mode and airgap_dir is undefined and ( k3s_version_output.rc != 0 or installed_k3s_version is version(k3s_version, '<') )
  when: not ansible_check_mode and airgap_dir is undefined and ( k3s_agent_version_output.rc != 0 or k3s_agent_installed_version is version(k3s_version, '<') )
  block:
    - name: Download K3s install script
      ansible.builtin.get_url:
@@ -50,6 +50,7 @@
        mode: "0755"
        state: directory
    - name: Copy config values
      # noqa var-naming[no-role-prefix]
      ansible.builtin.copy:
        content: "{{ agent_config_yaml }}"
        dest: "/etc/rancher/k3s/config.yaml"
@@ -57,6 +58,7 @@
      register: _agent_config_result

- name: Get the token from the first server
  # noqa var-naming[no-role-prefix]
  ansible.builtin.set_fact:
    token: "{{ hostvars[groups[server_group][0]].token }}"
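Review bot: The `Get the token from the first server` task at the end of this file copies `hostvars[groups[server_group][0]].token` into a host fact without `no_log`, so the value appears in the task result whenever the play runs with `-v` or under a callback that records results. If this is the cluster join token, as the name suggests, add `no_log: true` to the task next to the new `# noqa var-naming[no-role-prefix]` line. The `Copy config values` task in the previous hunk continues past the hunk boundary, and whether `agent_config_yaml` carries the same secret is not visible here; if it does, that task would want `no_log: true` as well, since diff mode would otherwise print the file content.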

+4 −3
@@ -3,21 +3,22 @@
# local control-plane instead of the remote host. Shell supports wildcards.
- name: Get k3s installed version
  ansible.builtin.command: k3s --version
  register: k3s_version_output
  register: k3s_upgrade_version_output
  changed_when: false
  check_mode: false

- name: Set k3s installed version
  ansible.builtin.set_fact:
    installed_k3s_version: "{{ k3s_version_output.stdout_lines[0].split(' ')[2] }}"
    k3s_upgrade_current_version: "{{ k3s_upgrade_version_output.stdout_lines[0].split(' ')[2] }}"
  check_mode: false

# We should be downloading and installing the newer version only if we are in the following case :
#   - the installed version of K3s on the nodes is older than the requested version in ansible vars
- name: Update node only if needed
  when: installed_k3s_version is version(k3s_version, '<')
  when: k3s_upgrade_current_version is version(k3s_version, '<')
  block:
    - name: Find K3s service files
      # noqa var-naming[no-role-prefix]
      ansible.builtin.find:
        paths: "{{ systemd_dir }}"
        patterns: "k3s*.service"
+11 −11
@@ -44,11 +44,11 @@
      ansible.builtin.command:
        cmd: ufw status
      changed_when: false
      register: ufw_status
      register: prereq_ufw_status

    - name: If ufw enabled, open api port
      when:
        - "'Status: active' in ufw_status['stdout']"
        - "'Status: active' in prereq_ufw_status['stdout']"
      community.general.ufw:
        rule: allow
        port: "{{ api_port }}"
@@ -56,7 +56,7 @@

    - name: If ufw enabled, open etcd ports
      when:
        - "'Status: active' in ufw_status['stdout']"
        - "'Status: active' in prereq_ufw_status['stdout']"
        - groups[server_group] | length > 1
      community.general.ufw:
        rule: allow
@@ -65,7 +65,7 @@

    - name: If ufw enabled, allow default CIDRs
      when:
        - "'Status: active' in ufw_status['stdout']"
        - "'Status: active' in prereq_ufw_status['stdout']"
      community.general.ufw:
        rule: allow
        src: '{{ item }}'
@@ -162,19 +162,19 @@
- name: Check for Apparmor existence
  ansible.builtin.stat:
    path: /sys/module/apparmor/parameters/enabled
  register: apparmor_enabled
  register: prereq_apparmor_enabled

- name: Check if Apparmor is enabled
  when: apparmor_enabled.stat.exists
  when: prereq_apparmor_enabled.stat.exists
  ansible.builtin.command: cat /sys/module/apparmor/parameters/enabled
  register: apparmor_status
  register: prereq_apparmor_status
  changed_when: false

- name: Install Apparmor Parser [Suse]
  when:
    - ansible_os_family == 'Suse'
    - apparmor_status is defined
    - apparmor_status.stdout == "Y"
    - prereq_apparmor_status is defined
    - prereq_apparmor_status.stdout == "Y"
  ansible.builtin.package:
    name: apparmor-parser
    state: present
@@ -183,8 +183,8 @@
  when:
    - ansible_distribution == 'Debian'
    - ansible_facts['distribution_major_version'] == "11"
    - apparmor_status is defined
    - apparmor_status.stdout == "Y"
    - prereq_apparmor_status is defined
    - prereq_apparmor_status.stdout == "Y"
  ansible.builtin.package:
    name: apparmor
    state: present
+33 −37
---
- name: Test for raspberry pi /proc/cpuinfo
  ansible.builtin.command: grep -E "Raspberry Pi|BCM2708|BCM2709|BCM2835|BCM2836" /proc/cpuinfo
  register: grep_cpuinfo_raspberrypi
  register: raspberrypi_grep_cpuinfo
  failed_when: false
  changed_when: false

- name: Test for raspberry pi /proc/device-tree/model
  ansible.builtin.command: grep -E "Raspberry Pi" /proc/device-tree/model
  register: grep_device_tree_model_raspberrypi
  register: raspberrypi_grep_device_tree_model
  failed_when: false
  changed_when: false

- name: Set raspberry_pi fact to true
  ansible.builtin.set_fact:
    raspberry_pi: true
- name: Run Raspberry Pi-specific tasks
  when:
    grep_cpuinfo_raspberrypi.rc == 0 or grep_device_tree_model_raspberrypi.rc == 0

    - raspberrypi_grep_cpuinfo.rc == 0 or raspberrypi_grep_device_tree_model.rc == 0
  block:
    - name: Set detected_distribution to Raspbian
      # noqa var-naming[no-role-prefix]
      ansible.builtin.set_fact:
        detected_distribution: Raspbian
      when: >
    raspberry_pi|default(false) and
    ( ansible_facts.lsb.id|default("") == "Raspbian" or
      ansible_facts.lsb.description|default("") is match("[Rr]aspbian.*") )
        ansible_facts.lsb.id|default("") == "Raspbian" or
        ansible_facts.lsb.description|default("") is match("[Rr]aspbian.*")

    - name: Set detected_distribution to Debian
      # noqa var-naming[no-role-prefix]
      ansible.builtin.set_fact:
        detected_distribution: Debian
      when: >
    raspberry_pi|default(false) and
    ( ansible_facts.lsb.id|default("") == "Debian" or
      ansible_facts.lsb.description|default("") is match("Debian") )
        ansible_facts.lsb.id|default("") == "Debian" or
        ansible_facts.lsb.description|default("") is match("Debian")

    - name: Set detected_distribution to ArchLinux (ARM64)
      # noqa var-naming[no-role-prefix]
      ansible.builtin.set_fact:
        detected_distribution: Archlinux
      when:
        - ansible_facts.architecture is search("aarch64")
    - raspberry_pi|default(false)
        - ansible_facts.os_family is match("Archlinux")

    - name: Execute OS related tasks on the Raspberry Pi
@@ -48,5 +46,3 @@
        - "prereq/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
        - "prereq/{{ ansible_distribution }}.yml"
        - "prereq/default.yml"
  when:
    - raspberry_pi|default(false)
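Review bot: The two `grep` probes at the top of this file are read-only but carry no `check_mode: false`, and the new block-level `when` gates every Raspberry Pi task on their registered `rc`. Under `--check` the command module does not execute them, so the registered result is a skipped placeholder rather than a real grep exit code. Depending on the ansible-core version, the condition may then error on a missing `rc` or match on a synthetic one. Adding `check_mode: false` to both probe tasks, as the upgrade file's `Get k3s installed version` task on this page already does, keeps the detection accurate in check mode.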