feat(ansible): host provisioning via steward managed SSH identity
Turn the agent-install playbook into a full provisioning + maintenance path. Solves the bootstrap chicken-and-egg: first contact uses an operator-supplied password (one run, never stored), which creates a dedicated `steward` login account with NOPASSWD sudo + Steward's managed public key. Every run thereafter connects as `steward` with the managed key — fully unattended (scheduled prune, agent updates). - core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats. - settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user (default steward); to_ansible_cfg extended. - settings UI + route: "Generate managed key" (private encrypted, public shown to copy) + SSH-user field. - executor: build_bootstrap() writes a 0600 vars file (-e @file) for the per-run user/password — never argv, never DB, never logged; drops the managed key when a bootstrap password is given; --user floor from the global ssh_user when no override. - runner.trigger_run: pass-through `connection` kwarg, deliberately NOT persisted on AnsibleRun.params (password stays out of the DB). - bundled/host_agent/provision.yml: create steward user + authorized_keys + /etc/sudoers.d/steward (visudo-validated) + agent install. - host_agent: /provision route + "Provision a fresh host" card (bootstrap user/password; injects pubkey + user + token as space-safe JSON hostvars). - Dockerfile: add sshpass (Ansible shells out to it for password SSH). - tests: keypair generation + build_bootstrap (secret stays off argv). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -21,6 +21,35 @@
|
||||
{# ── Credentials ──────────────────────────────────────────────────────────── #}
|
||||
{% set cfg_badge = '<span style="color:var(--green);font-size:0.72rem;">(configured)</span>' %}
|
||||
{% set not_set_badge = '<span style="color:var(--text-muted);font-size:0.72rem;">(not set)</span>' %}
|
||||
|
||||
{# ── Managed identity (provisioning) ───────────────────────────────────────── #}
|
||||
<div style="margin-top:2.25rem;">
|
||||
<div class="section-title" style="margin-bottom:0.75rem;">Managed SSH identity</div>
|
||||
<p style="color:var(--text-muted);font-size:0.84rem;margin-bottom:1rem;">
|
||||
Steward's reusable Ansible identity. Provisioning installs the <strong>public</strong>
|
||||
key into each host's <code>{{ ssh_user }}</code> account; steady-state runs authenticate
|
||||
with the private half (stored encrypted). Generate it once, then provision hosts from
|
||||
<a href="/plugins/host_agent/settings/">Host Agents</a>.
|
||||
</p>
|
||||
{% if ssh_public_key %}
|
||||
<div class="form-group">
|
||||
<label>Public key <span style="color:var(--green);font-size:0.72rem;">(active)</span></label>
|
||||
<textarea readonly rows="3" onclick="this.select();"
|
||||
style="width:100%;font-family:ui-monospace,monospace;font-size:0.78rem;color:var(--text-muted);">{{ ssh_public_key }}</textarea>
|
||||
<span style="color:var(--text-muted);font-size:0.78rem;">Click to select — add to a host's <code>authorized_keys</code> to authorize Steward manually.</span>
|
||||
</div>
|
||||
<form method="post" action="/settings/ansible/generate-key"
|
||||
onsubmit="return confirm('Regenerate the managed key? Already-provisioned hosts will reject Steward until you re-provision them.');">
|
||||
<button type="submit" class="btn btn-ghost btn-sm">Regenerate key</button>
|
||||
</form>
|
||||
{% else %}
|
||||
<form method="post" action="/settings/ansible/generate-key">
|
||||
<button type="submit" class="btn">Generate managed key</button>
|
||||
<span style="color:var(--text-muted);font-size:0.78rem;margin-left:0.5rem;">ed25519 — created server-side, nothing to paste.</span>
|
||||
</form>
|
||||
{% endif %}
|
||||
</div>
|
||||
|
||||
<div style="margin-top:2.25rem;">
|
||||
<div class="section-title" style="margin-bottom:0.75rem;">Credentials</div>
|
||||
<p style="color:var(--text-muted);font-size:0.84rem;margin-bottom:1rem;">
|
||||
@@ -56,6 +85,12 @@
|
||||
<input type="checkbox" name="clear_vault_password"> Clear</label>
|
||||
{% endif %}
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label>SSH user
|
||||
<span style="color:var(--text-muted);font-size:0.78rem;font-weight:normal;">(default login for runs; a target's ansible_user overrides)</span>
|
||||
</label>
|
||||
<input type="text" name="ssh_user" value="{{ ssh_user }}" placeholder="steward" style="width:12rem;">
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label style="display:flex;align-items:center;gap:0.5rem;font-weight:normal;">
|
||||
<input type="checkbox" name="host_key_checking" {% if host_key_checking %}checked{% endif %}>
|
||||
|
||||
Reference in New Issue
Block a user