fix(bootstrap): commit full bootstrap.yml — Helm + kubeconfig tasks

The previous commit only included the staged portion (k3s tasks).
The working-tree additions (Helm install, kubeconfig fetch, version vars)
were never staged and were left behind.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ansible/bootstrap.yml

@@ -3,11 +3,16 @@
 # (`make converge` in that repo) before running this playbook.
 # OS hardening (SSH, UFW, fail2ban) is owned by railiance-infra — see ADR-003.
 
-# Install base packages and k3s.
+- name: Railiance host bootstrap — k3s + Helm
-- name: Railiance host bootstrap
   hosts: all
   become: true
+  vars:
+    k3s_version: "v1.35.1+k3s1"
+    helm_version: "v3.17.3"
+    kubeconfig_local_path: "~/.kube/config-hosteurope"
+
   tasks:
+    # ── Base packages ────────────────────────────────────────────────────────
     - name: Ensure base packages
       apt:
         name:
@@ -17,10 +22,25 @@
         update_cache: yes
         state: present
 
-    - name: Install k3s (server)
+    # ── k3s ──────────────────────────────────────────────────────────────────
+    - name: Install k3s (server, pinned version)
       shell: |
-        curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --write-kubeconfig-mode=644" sh -
+        curl -sfL https://get.k3s.io | \
-      args: { creates: /usr/local/bin/k3s }
+          INSTALL_K3S_VERSION="{{ k3s_version }}" \
+          INSTALL_K3S_EXEC="server --cluster-init --write-kubeconfig-mode=644" \
+          sh -
+      args:
+        creates: /usr/local/bin/k3s
+
+    - name: Wait for k3s service to be active
+      systemd:
+        name: k3s
+        state: started
+        enabled: true
+
+    - name: Wait for node to reach Ready state
+      shell: k3s kubectl wait node --all --for=condition=Ready --timeout=120s
+      changed_when: false
 
     - name: Verify k3s node
       shell: k3s kubectl get nodes
@@ -28,3 +48,46 @@
       changed_when: false
 
     - debug: var=nodes.stdout_lines
+
+    # ── Helm ─────────────────────────────────────────────────────────────────
+    - name: Check if Helm is already installed at correct version
+      shell: helm version --short 2>/dev/null || true
+      register: helm_installed
+      changed_when: false
+
+    - name: Download Helm archive and checksum
+      shell: |
+        cd /tmp
+        curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz"
+        curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum"
+        sha256sum -c "helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum"
+      when: helm_version not in helm_installed.stdout
+
+    - name: Extract and install Helm
+      shell: |
+        tar -xzf /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz -C /tmp
+        install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm
+        rm -rf /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum /tmp/linux-amd64
+      when: helm_version not in helm_installed.stdout
+
+    - name: Verify Helm
+      shell: helm version --short
+      register: helm_ver
+      changed_when: false
+
+    - debug: var=helm_ver.stdout
+
+    # ── Kubeconfig ───────────────────────────────────────────────────────────
+    - name: Fetch kubeconfig to control node
+      fetch:
+        src: /etc/rancher/k3s/k3s.yaml
+        dest: "{{ kubeconfig_local_path }}"
+        flat: yes
+
+    - name: Fix server address in fetched kubeconfig
+      delegate_to: localhost
+      become: false
+      replace:
+        path: "{{ kubeconfig_local_path }}"
+        regexp: 'server: https://127\.0\.0\.1:6443'
+        replace: "server: https://{{ ansible_host }}:6443"