ubuntu-server-01 (10.40.40.2) runs Portainer itself and is already
managed via local Docker socket (Portainer endpoint ID=3). Deploying
a Portainer Agent there is redundant and port 9001 binding fails.
Add portainer_skip_agent: true flag to the inventory and check it in
both Play 2 (deploy agent) and Play 3 (register endpoint) to exclude
the host from agent-based enrollment.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove /var/lib/docker/volumes mount (fails on nested Docker hosts)
- Add AGENT_HOST env var so agent cert is valid for host's real IP
- Add TLSSkipVerify/TLSSkipClientVerify to Portainer endpoint registration
to handle existing agents with bridge-IP certs
- Remove final delegate_to: localhost (wait_for now runs on remote host)
- Add ignore_errors: true to agent deploy and enrollment tasks
- Guard existing_endpoints.json with | default([]) for failed API calls
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Play 3: Run Portainer API calls from remote hosts directly (no
delegate_to: localhost). Add validate_certs: false for self-signed cert.
- Play 4: Replace localhost file report with debug output using run_once.
No filesystem writes = no privilege escalation needed on the runner.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ansible_become: true in host inventory vars leaks into delegate_to: localhost
tasks in Ansible 2.18, causing those tasks to try sudo on the Semaphore
runner (which has no sudo). Instead, become: true is set at the play level
in the playbook where needed, which does NOT propagate to delegated tasks.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
delegate_to: localhost tasks inherit the Semaphore host's system ansible.cfg
which has become=True. An explicit localhost inventory entry with
ansible_become: false overrides this at inventory precedence level.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add ansible_become_pass to all hosts (sudo uses same password as SSH)
- Remove truenas-scale and vyos from children groups (no connection info)
- Add ansible.cfg: host_key_checking=False, become=False as default
- Add become: false to wait_for_connection to avoid sudo during SSH test
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add become: false to Play 4 (report) to prevent sudo on Semaphore host
- Add become: false to all delegate_to: localhost tasks in Plays 2 & 3
- Update usage comment to reflect correct inventory path (inventory/hosts.yml)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- host_credentials.yml.example: template for per-device SSH creds,
matched by IP, subnet CIDR, or global default (actual file is gitignored)
- inventory/hosts.yml: refreshed with 162 hosts (31 NetBox + 135 UniFi)
- .gitignore: exclude host_credentials.yml and run reports
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- find_docker_enroll_portainer.yml: discover Docker hosts across all VLANs,
deploy Portainer Agent, register in Portainer, write discovery report
- inventory/hosts.yml: auto-generated from NetBox (31 hosts) + UniFi clients
(135 unmanaged hosts not in NetBox) across vlan1/vlan40/vlan20
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
