fix(ansible): replace steward key on reprovision + distinct agent update path
Provisioning review corrections + the matching frontend, plus breadcrumb header integration. - provision.yml: authorize the managed pubkey with a regexp match on the ' steward-managed' comment so rotating the key REPLACES the host's steward key in place instead of stacking a second authorized entry. Hand-added keys (other comments) are untouched. - update.yml (new): refresh agent.py + restart only. Does NOT rotate the token or rewrite /etc/steward-agent.conf — the host keeps its identity. Asserts the agent is already installed and fails clearly otherwise. - host_agent /update route: runs update.yml as the managed steward user (no token minting). Token rotation stays a deliberate action. - settings/ansible/generate-key honors a safe relative `next` redirect, so an inline trigger elsewhere returns to its page. - Host Agents settings: reworked into a clear lifecycle — an intro card that explains it runs Ansible to deploy the agent (+ inline "generate managed key" warning/trigger when none exists), then three labelled cards: 1 Provision, 2 Install/enroll, 3 Update. Each explains what it does. - base.html: breadcrumb now renders as a kicker line directly above the page title (moved below alerts, tightened margin) so nested and top-level views share one consistent header. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -50,9 +50,13 @@
|
||||
group: "{{ steward_user }}"
|
||||
mode: "0700"
|
||||
|
||||
- name: Authorize the managed public key
|
||||
- name: Authorize the managed public key (replace any prior steward-managed key)
|
||||
ansible.builtin.lineinfile:
|
||||
path: "/home/{{ steward_user }}/.ssh/authorized_keys"
|
||||
# Match on the ' steward-managed' comment so a rotated key REPLACES the
|
||||
# old one in place rather than stacking a second authorized key. Any
|
||||
# keys the operator added by hand (different comment) are left untouched.
|
||||
regexp: ' steward-managed$'
|
||||
line: "{{ steward_pubkey }}"
|
||||
create: true
|
||||
owner: "{{ steward_user }}"
|
||||
|
||||
@@ -0,0 +1,47 @@
|
||||
---
|
||||
# Update an already-installed Steward host agent: refresh agent.py and restart.
|
||||
#
|
||||
# Deliberately does NOT touch the registration token or /etc/steward-agent.conf
|
||||
# — the host already has a working token, so an update leaves identity alone and
|
||||
# only swaps the agent binary. Connects as the managed `steward` account (set
|
||||
# globally as the SSH user); no bootstrap password or token injection needed.
|
||||
#
|
||||
# For a fresh host with no agent, use provision.yml (new host) or install.yml
|
||||
# (already-provisioned host) instead — those mint and install the token.
|
||||
- name: Update Steward host agent
|
||||
hosts: all
|
||||
become: true
|
||||
gather_facts: false
|
||||
vars:
|
||||
steward_url: ""
|
||||
tasks:
|
||||
- name: Require steward_url
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- steward_url | length > 0
|
||||
fail_msg: "Pass steward_url as an extra-var (the Update action sets it)."
|
||||
|
||||
- name: Confirm the agent is already installed
|
||||
ansible.builtin.stat:
|
||||
path: /usr/local/lib/steward-agent/agent.py
|
||||
register: agent_file
|
||||
|
||||
- name: Fail clearly if the agent is missing
|
||||
ansible.builtin.fail:
|
||||
msg: "No agent at /usr/local/lib/steward-agent — provision or install this host first."
|
||||
when: not agent_file.stat.exists
|
||||
|
||||
- name: Refresh agent.py
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ steward_url }}/plugins/host_agent/agent.py"
|
||||
dest: /usr/local/lib/steward-agent/agent.py
|
||||
mode: "0755"
|
||||
force: true
|
||||
notify: restart steward-agent
|
||||
|
||||
handlers:
|
||||
- name: restart steward-agent
|
||||
ansible.builtin.systemd:
|
||||
name: steward-agent
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
Reference in New Issue
Block a user