0318f6423f
Turn the agent-install playbook into a full provisioning + maintenance path. Solves the bootstrap chicken-and-egg: first contact uses an operator-supplied password (one run, never stored), which creates a dedicated `steward` login account with NOPASSWD sudo + Steward's managed public key. Every run thereafter connects as `steward` with the managed key — fully unattended (scheduled prune, agent updates). - core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats. - settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user (default steward); to_ansible_cfg extended. - settings UI + route: "Generate managed key" (private encrypted, public shown to copy) + SSH-user field. - executor: build_bootstrap() writes a 0600 vars file (-e @file) for the per-run user/password — never argv, never DB, never logged; drops the managed key when a bootstrap password is given; --user floor from the global ssh_user when no override. - runner.trigger_run: pass-through `connection` kwarg, deliberately NOT persisted on AnsibleRun.params (password stays out of the DB). - bundled/host_agent/provision.yml: create steward user + authorized_keys + /etc/sudoers.d/steward (visudo-validated) + agent install. - host_agent: /provision route + "Provision a fresh host" card (bootstrap user/password; injects pubkey + user + token as space-safe JSON hostvars). - Dockerfile: add sshpass (Ansible shells out to it for password SSH). - tests: keypair generation + build_bootstrap (secret stays off argv). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
112 lines
6.4 KiB
HTML
112 lines
6.4 KiB
HTML
{# steward/templates/settings/ansible.html #}
|
|
{% extends "base.html" %}
|
|
{% from "_macros.html" import crumbs %}
|
|
{% block title %}Settings — Ansible — Steward{% endblock %}
|
|
{% block breadcrumb %}{{ crumbs([("Settings", "/settings/"), ("Ansible", "")]) }}{% endblock %}
|
|
{% block content %}
|
|
{% set active_tab = "ansible" %}
|
|
{% include "settings/_tabs.html" %}
|
|
|
|
<div style="max-width:720px;">
|
|
<div style="display:flex;align-items:baseline;justify-content:space-between;margin-bottom:0.75rem;">
|
|
<div class="section-title">Ansible Sources</div>
|
|
<a href="/ansible/" class="btn btn-ghost btn-sm" style="font-size:0.78rem;">Run History →</a>
|
|
</div>
|
|
<p style="color:var(--text-muted);font-size:0.84rem;margin-bottom:1rem;">
|
|
Sources are directories of playbooks — either a local path or a git repository
|
|
cloned automatically. Add as many as you need; each can be browsed and run independently.
|
|
</p>
|
|
{% include "settings/_ansible_sources.html" %}
|
|
|
|
{# ── Credentials ──────────────────────────────────────────────────────────── #}
|
|
{% set cfg_badge = '<span style="color:var(--green);font-size:0.72rem;">(configured)</span>' %}
|
|
{% set not_set_badge = '<span style="color:var(--text-muted);font-size:0.72rem;">(not set)</span>' %}
|
|
|
|
{# ── Managed identity (provisioning) ───────────────────────────────────────── #}
|
|
<div style="margin-top:2.25rem;">
|
|
<div class="section-title" style="margin-bottom:0.75rem;">Managed SSH identity</div>
|
|
<p style="color:var(--text-muted);font-size:0.84rem;margin-bottom:1rem;">
|
|
Steward's reusable Ansible identity. Provisioning installs the <strong>public</strong>
|
|
key into each host's <code>{{ ssh_user }}</code> account; steady-state runs authenticate
|
|
with the private half (stored encrypted). Generate it once, then provision hosts from
|
|
<a href="/plugins/host_agent/settings/">Host Agents</a>.
|
|
</p>
|
|
{% if ssh_public_key %}
|
|
<div class="form-group">
|
|
<label>Public key <span style="color:var(--green);font-size:0.72rem;">(active)</span></label>
|
|
<textarea readonly rows="3" onclick="this.select();"
|
|
style="width:100%;font-family:ui-monospace,monospace;font-size:0.78rem;color:var(--text-muted);">{{ ssh_public_key }}</textarea>
|
|
<span style="color:var(--text-muted);font-size:0.78rem;">Click to select — add to a host's <code>authorized_keys</code> to authorize Steward manually.</span>
|
|
</div>
|
|
<form method="post" action="/settings/ansible/generate-key"
|
|
onsubmit="return confirm('Regenerate the managed key? Already-provisioned hosts will reject Steward until you re-provision them.');">
|
|
<button type="submit" class="btn btn-ghost btn-sm">Regenerate key</button>
|
|
</form>
|
|
{% else %}
|
|
<form method="post" action="/settings/ansible/generate-key">
|
|
<button type="submit" class="btn">Generate managed key</button>
|
|
<span style="color:var(--text-muted);font-size:0.78rem;margin-left:0.5rem;">ed25519 — created server-side, nothing to paste.</span>
|
|
</form>
|
|
{% endif %}
|
|
</div>
|
|
|
|
<div style="margin-top:2.25rem;">
|
|
<div class="section-title" style="margin-bottom:0.75rem;">Credentials</div>
|
|
<p style="color:var(--text-muted);font-size:0.84rem;margin-bottom:1rem;">
|
|
Used by every playbook run (manual and alert-triggered). Stored on the server and
|
|
never shown again after saving — leave a field blank to keep the current value.
|
|
</p>
|
|
<form method="post" action="/settings/ansible/credentials">
|
|
<div class="form-group">
|
|
<label>SSH private key {{ (cfg_badge if ssh_key_set else not_set_badge) | safe }}</label>
|
|
<textarea name="ssh_private_key" rows="4"
|
|
placeholder="-----BEGIN OPENSSH PRIVATE KEY----- … (blank = keep current)"
|
|
style="width:100%;font-family:ui-monospace,monospace;font-size:0.8rem;"></textarea>
|
|
{% if ssh_key_set %}
|
|
<label style="font-weight:normal;font-size:0.8rem;color:var(--text-muted);">
|
|
<input type="checkbox" name="clear_ssh_private_key"> Clear stored key</label>
|
|
{% endif %}
|
|
</div>
|
|
<div class="form-group">
|
|
<label>Become / sudo password {{ (cfg_badge if become_set else not_set_badge) | safe }}</label>
|
|
<input type="password" name="become_password" autocomplete="new-password"
|
|
placeholder="blank = keep current">
|
|
{% if become_set %}
|
|
<label style="font-weight:normal;font-size:0.8rem;color:var(--text-muted);">
|
|
<input type="checkbox" name="clear_become_password"> Clear</label>
|
|
{% endif %}
|
|
</div>
|
|
<div class="form-group">
|
|
<label>Vault password {{ (cfg_badge if vault_set else not_set_badge) | safe }}</label>
|
|
<input type="password" name="vault_password" autocomplete="new-password"
|
|
placeholder="blank = keep current">
|
|
{% if vault_set %}
|
|
<label style="font-weight:normal;font-size:0.8rem;color:var(--text-muted);">
|
|
<input type="checkbox" name="clear_vault_password"> Clear</label>
|
|
{% endif %}
|
|
</div>
|
|
<div class="form-group">
|
|
<label>SSH user
|
|
<span style="color:var(--text-muted);font-size:0.78rem;font-weight:normal;">(default login for runs; a target's ansible_user overrides)</span>
|
|
</label>
|
|
<input type="text" name="ssh_user" value="{{ ssh_user }}" placeholder="steward" style="width:12rem;">
|
|
</div>
|
|
<div class="form-group">
|
|
<label style="display:flex;align-items:center;gap:0.5rem;font-weight:normal;">
|
|
<input type="checkbox" name="host_key_checking" {% if host_key_checking %}checked{% endif %}>
|
|
Enforce SSH host-key checking <span style="color:var(--text-muted);font-size:0.78rem;">(off by default for homelab convenience)</span>
|
|
</label>
|
|
</div>
|
|
<div class="form-group">
|
|
<label>Max concurrent runs
|
|
<span style="color:var(--text-muted);font-size:0.78rem;font-weight:normal;">(extra runs queue; applied on restart)</span>
|
|
</label>
|
|
<input type="number" name="max_concurrent_runs" min="1" max="50"
|
|
value="{{ max_concurrent_runs }}" style="width:7rem;">
|
|
</div>
|
|
<button type="submit" class="btn">Save credentials</button>
|
|
</form>
|
|
</div>
|
|
</div>
|
|
{% endblock %}
|