Add sysexts role for installing system extensions via systemd-sysupdate

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: shanemcd

AGENTS.md

@@ -62,6 +62,7 @@ uvx --from ansible-core ansible-playbook shanemcd.toolbox.<playbook_name>
 - `inception` - Meta-playbook for full system setup (runs oh_my_zsh, dotfiles, flatpaks, fonts, emacs; requires `--ask-become-pass` or `-K`)
 - `sunshine` - Configure Sunshine game streaming with keybindings and enable systemd user service
 - `nfs` - Configure NFS server for media sharing (requires `--ask-become-pass` or `-K`)
+- `sysexts` - Install system extensions via systemd-sysupdate (requires `--ask-become-pass` or `-K`)
 
 ## Adding New Playbooks and Roles
 

ansible_collections/shanemcd/toolbox/playbooks/sysexts.yml

@@ -0,0 +1,8 @@
+---
+- name: Install system extensions
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  roles:
+    - shanemcd.toolbox.sysexts

ansible_collections/shanemcd/toolbox/roles/sysexts/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# Base URL for sysext configs
+sysexts_base_url: https://extensions.fcos.fr

ansible_collections/shanemcd/toolbox/roles/sysexts/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+- name: Create extensions directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  loop:
+    - /var/lib/extensions
+    - /var/lib/extensions.d
+  become: true
+
+- name: Restore SELinux context on extensions directories
+  ansible.builtin.command:
+    cmd: restorecon -RFv /var/lib/extensions /var/lib/extensions.d
+  become: true
+  changed_when: false
+
+- name: Create sysupdate config directories
+  ansible.builtin.file:
+    path: "/etc/sysupdate.{{ item.name }}.d"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  loop: "{{ sysexts }}"
+  become: true
+
+- name: Restore SELinux context on sysupdate directories
+  ansible.builtin.command:
+    cmd: "restorecon -RFv /etc/sysupdate.{{ item.name }}.d"
+  loop: "{{ sysexts }}"
+  become: true
+  changed_when: false
+
+- name: Download sysupdate configs
+  ansible.builtin.get_url:
+    url: "{{ sysexts_base_url }}/{{ item.repo }}/{{ item.name }}.conf"
+    dest: "/etc/sysupdate.{{ item.name }}.d/{{ item.name }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ sysexts }}"
+  become: true
+
+- name: Update system extensions
+  ansible.builtin.command:
+    cmd: "/usr/lib/systemd/systemd-sysupdate update --component {{ item.name }}"
+  loop: "{{ sysexts }}"
+  become: true
+  register: sysupdate_result
+  changed_when: "'No update available' not in sysupdate_result.stderr"
+
+- name: Enable and start systemd-sysext service
+  ansible.builtin.systemd:
+    name: systemd-sysext.service
+    enabled: true
+    state: started
+  become: true

ansible_collections/shanemcd/toolbox/roles/sysexts/vars/main.yml

@@ -0,0 +1,22 @@
+---
+# List of system extensions to install
+# These are downloaded from extensions.fcos.fr via systemd-sysupdate
+# repo: "fedora" or "community"
+sysexts:
+  - name: 1password-gui
+    repo: community
+  - name: docker-ce
+    repo: community
+  - name: emacs
+    repo: fedora
+  - name: gh
+    repo: fedora
+  - name: htop
+    repo: fedora
+  - name: libvirtd-desktop
+    repo: fedora
+  - name: tailscale
+    repo: community
+
+# Not yet available from extensions.fcos.fr (install manually):
+# - cursor (pending PR: https://github.com/fedora-sysexts/community/pull/25)