0318f6423f
Turn the agent-install playbook into a full provisioning + maintenance path. Solves the bootstrap chicken-and-egg: first contact uses an operator-supplied password (one run, never stored), which creates a dedicated `steward` login account with NOPASSWD sudo + Steward's managed public key. Every run thereafter connects as `steward` with the managed key — fully unattended (scheduled prune, agent updates). - core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats. - settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user (default steward); to_ansible_cfg extended. - settings UI + route: "Generate managed key" (private encrypted, public shown to copy) + SSH-user field. - executor: build_bootstrap() writes a 0600 vars file (-e @file) for the per-run user/password — never argv, never DB, never logged; drops the managed key when a bootstrap password is given; --user floor from the global ssh_user when no override. - runner.trigger_run: pass-through `connection` kwarg, deliberately NOT persisted on AnsibleRun.params (password stays out of the DB). - bundled/host_agent/provision.yml: create steward user + authorized_keys + /etc/sudoers.d/steward (visudo-validated) + agent install. - host_agent: /provision route + "Provision a fresh host" card (bootstrap user/password; injects pubkey + user + token as space-safe JSON hostvars). - Dockerfile: add sshpass (Ansible shells out to it for password SSH). - tests: keypair generation + build_bootstrap (secret stays off argv). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
44 lines
1.5 KiB
Docker
44 lines
1.5 KiB
Docker
FROM python:3.13-slim
|
|
|
|
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
|
|
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
|
|
iputils-ping \
|
|
# gosu — minimal privilege-drop tool used by entrypoint.sh
|
|
gosu \
|
|
# openssh-client — ansible-playbook reaches remote hosts over ssh
|
|
openssh-client \
|
|
# sshpass — Ansible shells out to it for first-contact password SSH
|
|
# (provisioning a fresh host before the managed key is installed)
|
|
sshpass \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Upgrade pip to suppress the version notice
|
|
RUN pip install --upgrade pip
|
|
|
|
WORKDIR /app
|
|
|
|
COPY pyproject.toml .
|
|
COPY steward/ steward/
|
|
# .[ansible] pulls the full Ansible package so the playbook runner works in-image.
|
|
RUN pip install --no-cache-dir '.[ansible]'
|
|
|
|
COPY alembic.ini .
|
|
# First-party plugins ship inside the image (bundled root at /app/plugins).
|
|
# Third-party plugins are mounted at runtime into the external root
|
|
# (STEWARD_PLUGIN_DIR, default /data/plugins).
|
|
COPY plugins/ plugins/
|
|
COPY entrypoint.sh /entrypoint.sh
|
|
RUN chmod +x /entrypoint.sh
|
|
|
|
# Runtime directories — owned by app user. The container starts as root
|
|
# so the entrypoint can fix up /data permissions if needed, then drops to
|
|
# 'app' (uid 1000) via gosu before launching steward.
|
|
RUN useradd -m -u 1000 app \
|
|
&& mkdir -p /data/playbook_cache /data/plugins \
|
|
&& chown -R app:app /data /app
|
|
|
|
EXPOSE 5000
|
|
|
|
ENTRYPOINT ["/entrypoint.sh"]
|
|
CMD ["steward", "--host", "0.0.0.0", "--port", "5000"]
|