feat(ansible): host provisioning via steward managed SSH identity
Turn the agent-install playbook into a full provisioning + maintenance path. Solves the bootstrap chicken-and-egg: first contact uses an operator-supplied password (one run, never stored), which creates a dedicated `steward` login account with NOPASSWD sudo + Steward's managed public key. Every run thereafter connects as `steward` with the managed key — fully unattended (scheduled prune, agent updates). - core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats. - settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user (default steward); to_ansible_cfg extended. - settings UI + route: "Generate managed key" (private encrypted, public shown to copy) + SSH-user field. - executor: build_bootstrap() writes a 0600 vars file (-e @file) for the per-run user/password — never argv, never DB, never logged; drops the managed key when a bootstrap password is given; --user floor from the global ssh_user when no override. - runner.trigger_run: pass-through `connection` kwarg, deliberately NOT persisted on AnsibleRun.params (password stays out of the DB). - bundled/host_agent/provision.yml: create steward user + authorized_keys + /etc/sudoers.d/steward (visudo-validated) + agent install. - host_agent: /provision route + "Provision a fresh host" card (bootstrap user/password; injects pubkey + user + token as space-safe JSON hostvars). - Dockerfile: add sshpass (Ansible shells out to it for password SSH). - tests: keypair generation + build_bootstrap (secret stays off argv). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -19,6 +19,8 @@ import os
|
||||
from pathlib import Path
|
||||
|
||||
from cryptography.fernet import Fernet, InvalidToken
|
||||
from cryptography.hazmat.primitives import serialization
|
||||
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -91,3 +93,26 @@ def decrypt_secret(value: str) -> str:
|
||||
except InvalidToken:
|
||||
logger.error("Could not decrypt a stored secret (wrong/rotated key?)")
|
||||
return value
|
||||
|
||||
|
||||
def generate_ssh_keypair(comment: str = "steward-managed") -> tuple[str, str]:
|
||||
"""Mint a fresh ed25519 keypair for Steward's managed Ansible identity.
|
||||
|
||||
Returns (private_openssh_pem, public_openssh_line). ed25519 is small, fast,
|
||||
and universally supported by modern OpenSSH. The private key is unencrypted
|
||||
OpenSSH PEM (Steward stores it encrypted-at-rest itself); the public key is
|
||||
the single-line ``ssh-ed25519 AAAA… comment`` form for authorized_keys.
|
||||
"""
|
||||
key = Ed25519PrivateKey.generate()
|
||||
private_pem = key.private_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PrivateFormat.OpenSSH,
|
||||
encryption_algorithm=serialization.NoEncryption(),
|
||||
).decode("ascii")
|
||||
public_line = key.public_key().public_bytes(
|
||||
encoding=serialization.Encoding.OpenSSH,
|
||||
format=serialization.PublicFormat.OpenSSH,
|
||||
).decode("ascii")
|
||||
if comment:
|
||||
public_line = f"{public_line} {comment}"
|
||||
return private_pem, public_line
|
||||
|
||||
Reference in New Issue
Block a user