feat(custodian-agent): Ansible role + Makefile for Custodian SSH identity
Establishes a dedicated SSH keypair for the Custodian automation agent: - ansible/roles/custodian_agent/: authorized_key task (tagged custodian_agent) - ansible/inventory/group_vars/all.yaml: custodian_agent_user/pubkey vars - ansible/playbooks/bootstrap.yaml: custodian_agent role added - Makefile: provision-custodian-agent / provision-custodian-agent-host targets Keypair generation: cd ~/the-custodian && make custodian-keygen Then deploy: cd ~/railiance-infra && make provision-custodian-agent The private key lives at ~/.ssh/id_custodian_agent — never committed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
caa6ae36da
commit
30a3f908aa
4 changed files with 83 additions and 1 deletions
16
Makefile
16
Makefile
@ -130,9 +130,23 @@ backup: ## Backup S1 OS config to /opt/backup/railiance/infra/ (age-encrypted, r
sudo tools/cmd/railiance-backup-s1
# ---- Ansible ----
ansible-bootstrap: ## Run base bootstrap play (users, ssh, ufw, sops-agent)
ansible-bootstrap: ## Run base bootstrap play (users, ssh, ufw, sops-agent, custodian-agent)
cd ansible && ansible-playbook playbooks/bootstrap.yaml -u admin
provision-custodian-agent: ## Deploy custodian agent SSH key to all managed hosts
@python3 -c "import yaml; d=yaml.safe_load(open('ansible/inventory/group_vars/all.yaml')); k=d.get('custodian_agent_pubkey',''); exit(0 if k else 1)" \
|| (echo "ERROR: custodian_agent_pubkey is empty. Run: cd ~/the-custodian && make custodian-keygen"; exit 1)
cd ansible && ansible-playbook playbooks/bootstrap.yaml -u $(SSH_USER) \
--tags custodian_agent \
--extra-vars "@inventory/group_vars/all.yaml"
provision-custodian-agent-host: ## Deploy custodian agent key to one host: make provision-custodian-agent-host HOST=railiance01
@test -n "$(HOST)" || (echo "Usage: make provision-custodian-agent-host HOST=<name>"; exit 1)
cd ansible && ansible-playbook playbooks/bootstrap.yaml -u $(SSH_USER) \
--limit "$(HOST)" \
--tags custodian_agent \
--extra-vars "@inventory/group_vars/all.yaml"
# ---- Orchestration ----
apply: tf-fmt tf-apply ansible-bootstrap ## Provision via Terraform then converge via Ansible
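Review bot: The preflight on the first recipe line of `provision-custodian-agent` only tests that `custodian_agent_pubkey` is non-empty, so any string passes (a truncated key, or a private key pasted by mistake) and is pushed by the tagged bootstrap play to every managed host's authorized_keys, while every other failure mode (PyYAML not installed, the file unreadable, `safe_load` returning None so `d.get` raises) is reported as "custodian_agent_pubkey is empty". Checking the first token against the OpenSSH key-type prefixes and naming the real cause keeps a malformed key out of the fleet and makes the guard debuggable: `@python3 -c "import sys, yaml; d = yaml.safe_load(open('ansible/inventory/group_vars/all.yaml')) or {}; k = str(d.get('custodian_agent_pubkey', '')).split(); sys.exit(0 if k and k[0].startswith(('ssh-', 'ecdsa-', 'sk-')) else 1)" \` followed by `|| (echo "ERROR: custodian_agent_pubkey is missing or is not an OpenSSH public key line. Run: cd ~/the-custodian && make custodian-keygen"; exit 1)`. Separately, `--extra-vars "@inventory/group_vars/all.yaml"` on both new targets loads the file at the highest variable precedence, so if the inventory already pulls in group_vars (not visible here) the flag is redundant and would silently override any host_vars value of `custodian_agent_user`/`custodian_agent_pubkey` — presumably unintended, worth confirming. Both new targets also use `-u $(SSH_USER)` where `ansible-bootstrap` still hard-codes `-u admin`, and unlike `HOST` there is no `test -n` guard for `SSH_USER`; its definition, if any, is outside this hunk.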