feat(ansible): host provisioning via steward managed SSH identity
Turn the agent-install playbook into a full provisioning + maintenance path. Solves the bootstrap chicken-and-egg: first contact uses an operator-supplied password (one run, never stored), which creates a dedicated `steward` login account with NOPASSWD sudo + Steward's managed public key. Every run thereafter connects as `steward` with the managed key — fully unattended (scheduled prune, agent updates). - core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats. - settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user (default steward); to_ansible_cfg extended. - settings UI + route: "Generate managed key" (private encrypted, public shown to copy) + SSH-user field. - executor: build_bootstrap() writes a 0600 vars file (-e @file) for the per-run user/password — never argv, never DB, never logged; drops the managed key when a bootstrap password is given; --user floor from the global ssh_user when no override. - runner.trigger_run: pass-through `connection` kwarg, deliberately NOT persisted on AnsibleRun.params (password stays out of the DB). - bundled/host_agent/provision.yml: create steward user + authorized_keys + /etc/sudoers.d/steward (visudo-validated) + agent install. - host_agent: /provision route + "Provision a fresh host" card (bootstrap user/password; injects pubkey + user + token as space-safe JSON hostvars). - Dockerfile: add sshpass (Ansible shells out to it for password SSH). - tests: keypair generation + build_bootstrap (secret stays off argv). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -52,10 +52,17 @@ DEFAULTS: dict[str, Any] = {
|
||||
"webhook.template": _DEFAULT_WEBHOOK_TEMPLATE,
|
||||
"ansible.sources": [],
|
||||
# Ansible credentials — global, used by every run (manual + alert-triggered).
|
||||
# Plaintext at rest, masked in the UI (encryption-at-rest tracked separately).
|
||||
# ssh_private_key/become/vault are encrypted at rest (see SECRET_KEYS).
|
||||
"ansible.ssh_private_key": "",
|
||||
"ansible.become_password": "",
|
||||
"ansible.vault_password": "",
|
||||
# Public half of the managed keypair — non-secret, displayed so it can be
|
||||
# sprayed onto hosts (provisioning installs it into ~steward/.ssh).
|
||||
"ansible.ssh_public_key": "",
|
||||
# Default SSH login for steady-state runs — the dedicated account
|
||||
# provisioning creates. Acts as a floor (--user); a target's ansible_user
|
||||
# or a per-run bootstrap override still wins.
|
||||
"ansible.ssh_user": "steward",
|
||||
"ansible.host_key_checking": False,
|
||||
# Max simultaneous playbook runs; extra runs queue. Applied at app start.
|
||||
"ansible.max_concurrent_runs": 3,
|
||||
@@ -198,6 +205,8 @@ def to_ansible_cfg(settings: dict[str, Any]) -> dict:
|
||||
"ssh_private_key": settings.get("ansible.ssh_private_key", ""),
|
||||
"become_password": settings.get("ansible.become_password", ""),
|
||||
"vault_password": settings.get("ansible.vault_password", ""),
|
||||
"ssh_public_key": settings.get("ansible.ssh_public_key", ""),
|
||||
"ssh_user": settings.get("ansible.ssh_user", "steward"),
|
||||
"host_key_checking": settings.get("ansible.host_key_checking", False),
|
||||
"max_concurrent_runs": settings.get("ansible.max_concurrent_runs", 3),
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user