feat(ansible): host provisioning via steward managed SSH identity
CI / lint (push) Successful in 3s
CI / unit (push) Successful in 8s
CI / integration (push) Successful in 2m18s
CI / publish (push) Successful in 1m3s

Turn the agent-install playbook into a full provisioning + maintenance
path. Solves the bootstrap chicken-and-egg: first contact uses an
operator-supplied password (one run, never stored), which creates a
dedicated `steward` login account with NOPASSWD sudo + Steward's managed
public key. Every run thereafter connects as `steward` with the managed
key — fully unattended (scheduled prune, agent updates).

- core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats.
- settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user
  (default steward); to_ansible_cfg extended.
- settings UI + route: "Generate managed key" (private encrypted, public
  shown to copy) + SSH-user field.
- executor: build_bootstrap() writes a 0600 vars file (-e @file) for the
  per-run user/password — never argv, never DB, never logged; drops the
  managed key when a bootstrap password is given; --user floor from the
  global ssh_user when no override.
- runner.trigger_run: pass-through `connection` kwarg, deliberately NOT
  persisted on AnsibleRun.params (password stays out of the DB).
- bundled/host_agent/provision.yml: create steward user + authorized_keys
  + /etc/sudoers.d/steward (visudo-validated) + agent install.
- host_agent: /provision route + "Provision a fresh host" card (bootstrap
  user/password; injects pubkey + user + token as space-safe JSON hostvars).
- Dockerfile: add sshpass (Ansible shells out to it for password SSH).
- tests: keypair generation + build_bootstrap (secret stays off argv).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-16 17:17:38 -04:00
parent 6e91bdc82b
commit 0318f6423f
12 changed files with 492 additions and 5 deletions
+35
View File
@@ -21,6 +21,35 @@
{# ── Credentials ──────────────────────────────────────────────────────────── #}
{% set cfg_badge = '<span style="color:var(--green);font-size:0.72rem;">(configured)</span>' %}
{% set not_set_badge = '<span style="color:var(--text-muted);font-size:0.72rem;">(not set)</span>' %}
{# ── Managed identity (provisioning) ───────────────────────────────────────── #}
<div style="margin-top:2.25rem;">
<div class="section-title" style="margin-bottom:0.75rem;">Managed SSH identity</div>
<p style="color:var(--text-muted);font-size:0.84rem;margin-bottom:1rem;">
Steward's reusable Ansible identity. Provisioning installs the <strong>public</strong>
key into each host's <code>{{ ssh_user }}</code> account; steady-state runs authenticate
with the private half (stored encrypted). Generate it once, then provision hosts from
<a href="/plugins/host_agent/settings/">Host Agents</a>.
</p>
{% if ssh_public_key %}
<div class="form-group">
<label>Public key <span style="color:var(--green);font-size:0.72rem;">(active)</span></label>
<textarea readonly rows="3" onclick="this.select();"
style="width:100%;font-family:ui-monospace,monospace;font-size:0.78rem;color:var(--text-muted);">{{ ssh_public_key }}</textarea>
<span style="color:var(--text-muted);font-size:0.78rem;">Click to select — add to a host's <code>authorized_keys</code> to authorize Steward manually.</span>
</div>
<form method="post" action="/settings/ansible/generate-key"
onsubmit="return confirm('Regenerate the managed key? Already-provisioned hosts will reject Steward until you re-provision them.');">
<button type="submit" class="btn btn-ghost btn-sm">Regenerate key</button>
</form>
{% else %}
<form method="post" action="/settings/ansible/generate-key">
<button type="submit" class="btn">Generate managed key</button>
<span style="color:var(--text-muted);font-size:0.78rem;margin-left:0.5rem;">ed25519 — created server-side, nothing to paste.</span>
</form>
{% endif %}
</div>
<div style="margin-top:2.25rem;">
<div class="section-title" style="margin-bottom:0.75rem;">Credentials</div>
<p style="color:var(--text-muted);font-size:0.84rem;margin-bottom:1rem;">
@@ -56,6 +85,12 @@
<input type="checkbox" name="clear_vault_password"> Clear</label>
{% endif %}
</div>
<div class="form-group">
<label>SSH user
<span style="color:var(--text-muted);font-size:0.78rem;font-weight:normal;">(default login for runs; a target's ansible_user overrides)</span>
</label>
<input type="text" name="ssh_user" value="{{ ssh_user }}" placeholder="steward" style="width:12rem;">
</div>
<div class="form-group">
<label style="display:flex;align-items:center;gap:0.5rem;font-weight:normal;">
<input type="checkbox" name="host_key_checking" {% if host_key_checking %}checked{% endif %}>