feat(ansible): host provisioning via steward managed SSH identity
Turn the agent-install playbook into a full provisioning + maintenance path. Solves the bootstrap chicken-and-egg: first contact uses an operator-supplied password (one run, never stored), which creates a dedicated `steward` login account with NOPASSWD sudo + Steward's managed public key. Every run thereafter connects as `steward` with the managed key — fully unattended (scheduled prune, agent updates). - core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats. - settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user (default steward); to_ansible_cfg extended. - settings UI + route: "Generate managed key" (private encrypted, public shown to copy) + SSH-user field. - executor: build_bootstrap() writes a 0600 vars file (-e @file) for the per-run user/password — never argv, never DB, never logged; drops the managed key when a bootstrap password is given; --user floor from the global ssh_user when no override. - runner.trigger_run: pass-through `connection` kwarg, deliberately NOT persisted on AnsibleRun.params (password stays out of the DB). - bundled/host_agent/provision.yml: create steward user + authorized_keys + /etc/sudoers.d/steward (visudo-validated) + agent install. - host_agent: /provision route + "Provision a fresh host" card (bootstrap user/password; injects pubkey + user + token as space-safe JSON hostvars). - Dockerfile: add sshpass (Ansible shells out to it for password SSH). - tests: keypair generation + build_bootstrap (secret stays off argv). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -178,11 +178,36 @@ async def ansible():
|
||||
ssh_key_set=bool(settings.get("ansible.ssh_private_key")),
|
||||
become_set=bool(settings.get("ansible.become_password")),
|
||||
vault_set=bool(settings.get("ansible.vault_password")),
|
||||
ssh_public_key=settings.get("ansible.ssh_public_key", ""),
|
||||
ssh_user=settings.get("ansible.ssh_user", "steward"),
|
||||
host_key_checking=settings.get("ansible.host_key_checking", False),
|
||||
max_concurrent_runs=settings.get("ansible.max_concurrent_runs", 3),
|
||||
)
|
||||
|
||||
|
||||
@settings_bp.post("/ansible/generate-key")
|
||||
@require_role(UserRole.admin)
|
||||
async def ansible_generate_key():
|
||||
"""Mint a fresh managed ed25519 keypair (private encrypted, public shown).
|
||||
|
||||
This is the reusable Steward identity: provisioning installs the public half
|
||||
on every host, and steady-state runs authenticate with the private half.
|
||||
Regenerating invalidates access to already-provisioned hosts until they are
|
||||
re-provisioned, so the UI confirms before calling this.
|
||||
"""
|
||||
from steward.core.crypto import generate_ssh_keypair
|
||||
|
||||
private_pem, public_line = generate_ssh_keypair()
|
||||
async with current_app.db_sessionmaker() as db:
|
||||
async with db.begin():
|
||||
await set_setting(db, "ansible.ssh_private_key", private_pem)
|
||||
await set_setting(db, "ansible.ssh_public_key", public_line)
|
||||
await _reload_app_config()
|
||||
await log_audit(current_app, session.get("user_id"), session.get("username", ""),
|
||||
"settings.saved", detail={"section": "ansible.managed_key"})
|
||||
return redirect(url_for("settings.ansible"))
|
||||
|
||||
|
||||
@settings_bp.post("/ansible/credentials")
|
||||
@require_role(UserRole.admin)
|
||||
async def ansible_save_credentials():
|
||||
@@ -203,6 +228,9 @@ async def ansible_save_credentials():
|
||||
val = raw.strip("\n") if field == "ssh_private_key" else raw.strip()
|
||||
if val:
|
||||
await set_setting(db, key, val)
|
||||
ssh_user = (form.get("ssh_user", "") or "").strip()
|
||||
if ssh_user:
|
||||
await set_setting(db, "ansible.ssh_user", ssh_user)
|
||||
await set_setting(db, "ansible.host_key_checking", "host_key_checking" in form)
|
||||
try:
|
||||
mcr = max(1, min(50, int(form.get("max_concurrent_runs", 3))))
|
||||
|
||||
Reference in New Issue
Block a user