fix(ansible): replace steward key on reprovision + distinct agent update path
CI / lint (push) Successful in 2s
CI / unit (push) Successful in 7s
CI / integration (push) Successful in 2m19s
CI / publish (push) Successful in 54s

Provisioning review corrections + the matching frontend, plus breadcrumb
header integration.

- provision.yml: authorize the managed pubkey with a regexp match on the
  ' steward-managed' comment so rotating the key REPLACES the host's steward
  key in place instead of stacking a second authorized entry. Hand-added keys
  (other comments) are untouched.
- update.yml (new): refresh agent.py + restart only. Does NOT rotate the token
  or rewrite /etc/steward-agent.conf — the host keeps its identity. Asserts the
  agent is already installed and fails clearly otherwise.
- host_agent /update route: runs update.yml as the managed steward user (no
  token minting). Token rotation stays a deliberate action.
- settings/ansible/generate-key honors a safe relative `next` redirect, so an
  inline trigger elsewhere returns to its page.
- Host Agents settings: reworked into a clear lifecycle — an intro card that
  explains it runs Ansible to deploy the agent (+ inline "generate managed key"
  warning/trigger when none exists), then three labelled cards: 1 Provision,
  2 Install/enroll, 3 Update. Each explains what it does.
- base.html: breadcrumb now renders as a kicker line directly above the page
  title (moved below alerts, tightened margin) so nested and top-level views
  share one consistent header.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-16 19:22:12 -04:00
parent a996cc6908
commit 6a8146b544
6 changed files with 161 additions and 43 deletions
@@ -50,9 +50,13 @@
group: "{{ steward_user }}"
mode: "0700"
- name: Authorize the managed public key
- name: Authorize the managed public key (replace any prior steward-managed key)
ansible.builtin.lineinfile:
path: "/home/{{ steward_user }}/.ssh/authorized_keys"
# Match on the ' steward-managed' comment so a rotated key REPLACES the
# old one in place rather than stacking a second authorized key. Any
# keys the operator added by hand (different comment) are left untouched.
regexp: ' steward-managed$'
line: "{{ steward_pubkey }}"
create: true
owner: "{{ steward_user }}"
@@ -0,0 +1,47 @@
---
# Update an already-installed Steward host agent: refresh agent.py and restart.
#
# Deliberately does NOT touch the registration token or /etc/steward-agent.conf
# — the host already has a working token, so an update leaves identity alone and
# only swaps the agent binary. Connects as the managed `steward` account (set
# globally as the SSH user); no bootstrap password or token injection needed.
#
# For a fresh host with no agent, use provision.yml (new host) or install.yml
# (already-provisioned host) instead — those mint and install the token.
- name: Update Steward host agent
hosts: all
become: true
gather_facts: false
vars:
steward_url: ""
tasks:
- name: Require steward_url
ansible.builtin.assert:
that:
- steward_url | length > 0
fail_msg: "Pass steward_url as an extra-var (the Update action sets it)."
- name: Confirm the agent is already installed
ansible.builtin.stat:
path: /usr/local/lib/steward-agent/agent.py
register: agent_file
- name: Fail clearly if the agent is missing
ansible.builtin.fail:
msg: "No agent at /usr/local/lib/steward-agent — provision or install this host first."
when: not agent_file.stat.exists
- name: Refresh agent.py
ansible.builtin.get_url:
url: "{{ steward_url }}/plugins/host_agent/agent.py"
dest: /usr/local/lib/steward-agent/agent.py
mode: "0755"
force: true
notify: restart steward-agent
handlers:
- name: restart steward-agent
ansible.builtin.systemd:
name: steward-agent
state: restarted
daemon_reload: true
+5
View File
@@ -197,6 +197,7 @@ async def ansible_generate_key():
"""
from steward.core.crypto import generate_ssh_keypair
form = await request.form
private_pem, public_line = generate_ssh_keypair()
async with current_app.db_sessionmaker() as db:
async with db.begin():
@@ -205,6 +206,10 @@ async def ansible_generate_key():
await _reload_app_config()
await log_audit(current_app, session.get("user_id"), session.get("username", ""),
"settings.saved", detail={"section": "ansible.managed_key"})
# Allow the inline trigger on other pages (e.g. Host Agents) to return there.
nxt = (form.get("next", "") or "").strip()
if nxt.startswith("/") and not nxt.startswith("//"):
return redirect(nxt)
return redirect(url_for("settings.ansible"))
+4 -2
View File
@@ -146,7 +146,9 @@ textarea { resize: vertical; }
.empty { color: var(--text-muted); font-size: 0.9rem; padding: 2rem; text-align: center; }
/* Breadcrumbs */
.breadcrumb { display:flex; align-items:center; flex-wrap:wrap; gap:0.35rem; font-size:0.8rem; color:var(--text-dim); margin-bottom:1rem; }
/* Breadcrumb renders as a kicker line tucked directly above the page header
(.page-title), so nested and top-level views share one consistent header. */
.breadcrumb { display:flex; align-items:center; flex-wrap:wrap; gap:0.35rem; font-size:0.78rem; color:var(--text-dim); margin:0 0 0.45rem; }
.breadcrumb a { color:var(--text-muted); }
.breadcrumb a:hover { color:var(--text); }
.breadcrumb-sep { color:var(--border-mid); }
@@ -235,7 +237,6 @@ function setTimeRange(val) {
</script>
<main>
{% block breadcrumb %}{% endblock %}
{% if plugin_failures and session.user_role == 'admin' %}
<div style="background:color-mix(in srgb,var(--yellow) 12%,var(--bg-elevated));
border:1px solid color-mix(in srgb,var(--yellow) 35%,var(--border));
@@ -253,6 +254,7 @@ function setTimeRange(val) {
{% if error %}
<div class="alert alert-error">{{ error }}</div>
{% endif %}
{% block breadcrumb %}{% endblock %}
{% block content %}{% endblock %}
</main>