veza/infra/ansible/roles/veza_app/tasks/os_deps.yml

# Install OS deps inside the freshly-created container. Wait briefly
# for cloud-init / debootstrap to finish first — apt locks held by
# `unattended-upgrades` on first boot would race a parallel
# `apt-get update`.
---
- name: Ensure /var/lib/veza state dir exists
  ansible.builtin.file:
    path: "{{ veza_state_root }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags: [veza_app, packages]

- name: Wait for any first-boot apt lock to clear
  ansible.builtin.shell: |
    set -e
    for i in $(seq 1 30); do
      if ! fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1 && \
         ! fuser /var/lib/apt/lists/lock >/dev/null 2>&1; then
        exit 0
      fi
      sleep 2
    done
    echo "apt locks still held after 60s"
    exit 1    
  args:
    executable: /bin/bash
  changed_when: false
  tags: [veza_app, packages]

- name: Refresh apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 60
  tags: [veza_app, packages]

- name: Install OS packages (common + component-specific)
  ansible.builtin.apt:
    name: "{{ veza_common_os_packages + veza_app_extra_packages }}"
    state: present
  tags: [veza_app, packages]