Some checks failed
railiance-tests / smoke (push) Has been cancelled
- workplans/RAIL-BS-WP-0002-hosteurope-bootstrap.md: new workplan for Secure Single-Server Bootstrap at HostEurope (repo goal d7092599). T01-T03 done; T04+T05 require ansible on a box with network access to 92.205.62.239 (hosts.ini is gitignored — recreate on new box).
- ansible/harden.yml: new playbook — disables root/password SSH auth, enables UFW (allow 22/tcp 6443/tcp 8472/udp, deny-all default), installs fail2ban with SSH jail, sets HISTCONTROL=ignorespace.
- ansible/bootstrap.yml: import_playbook harden.yml runs before k3s.
- ansible/hosts.ini.example: add [hosteurope] group template.
- QUICKSTART.md: document two-stage bootstrap (harden → k3s).
- CLAUDE.md: add goal_guidance handling to session protocol (needs_workplan + alignment_warnings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
30 lines
706 B
YAML
---
# Stage 1: Harden the server before anything else is installed.
- import_playbook: harden.yml

# Stage 2: Install base packages and k3s.
- name: Railiance host bootstrap
  hosts: all
  become: true
  tasks:
    - name: Ensure base packages
      apt:
        name:
          - curl
          - git
          - jq
        update_cache: yes
        state: present

    # The installer script is piped to sh without checksum or signature verification.
    # --write-kubeconfig-mode=644 leaves /etc/rancher/k3s/k3s.yaml, which holds
    # cluster-admin credentials, readable by every local user.
    # "creates" skips the task once the k3s binary exists, so reruns are idempotent.
    - name: Install k3s (server)
      shell: |
        curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --write-kubeconfig-mode=644" sh -
      args: { creates: /usr/local/bin/k3s }

    # Read-only check; changed_when: false keeps it from reporting a change.
    - name: Verify k3s node
      shell: k3s kubectl get nodes
      register: nodes
      changed_when: false

    - debug: var=nodes.stdout_lines
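
A check that could gate stage 2 on stage 1, added here as an example and not part of the repository: it audits the text of `sshd -T` and `ufw status verbose` against the settings the commit message lists for harden.yml. The function names, the strict `no` values for the SSH options and the sample inputs are assumptions constructed for illustration.

```shell
# Added example: audit the state the commit message attributes to harden.yml.
# Inputs are the text of `sshd -T` and `ufw status verbose`; on a host:
#   audit_sshd "$(sshd -T)" && audit_ufw "$(ufw status verbose)"
ALLOWED_PORTS="22/tcp 6443/tcp 8472/udp"   # allow-list from the commit message

# Prints each offending sshd setting; returns non-zero if any.
# Assumption: "disabled" means the effective value is exactly "no".
audit_sshd() {
    printf '%s\n' "$1" | awk '
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        END {
            if (root != "no") { print "permitrootlogin=" root; bad = 1 }
            if (pw != "no")   { print "passwordauthentication=" pw; bad = 1 }
            exit bad + 0
        }'
}

# Prints each problem with the firewall state; returns non-zero if any.
audit_ufw() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Status: active/             { active = 1 }
        /^Default: deny \(incoming\)/ { deny = 1 }
        / ALLOW IN / && !($1 in ok)   { print "unexpected rule: " $1; bad = 1 }
        END {
            if (!active) { print "ufw is not active"; bad = 1 }
            if (!deny)   { print "default incoming policy is not deny"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample inputs (not captured from the real host).
SAMPLE_SSHD_OK='port 22
permitrootlogin no
passwordauthentication no'
SAMPLE_UFW_OK='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
6443/tcp                   ALLOW IN    Anywhere
8472/udp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'
# Drift case: one extra port opened after hardening.
SAMPLE_UFW_BAD="$SAMPLE_UFW_OK
10250/tcp                  ALLOW IN    Anywhere"
audit_ufw "$SAMPLE_UFW_BAD" || echo "firewall drifted from the hardened state"
```

Both functions need root on a real host, because `sshd -T` and `ufw status verbose` do.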