diff --git a/capabilities/playbooks/railiance-infra.bootstrap-host.yaml b/capabilities/playbooks/railiance-infra.bootstrap-host.yaml
new file mode 100644
index 0000000..5402442
--- /dev/null
+++ b/capabilities/playbooks/railiance-infra.bootstrap-host.yaml
@@ -0,0 +1,94 @@
+apiVersion: netkingdom.io/playbook-capability/v0.1
+kind: PlaybookCapabilityDeclaration
+metadata:
+ id: railiance-infra.bootstrap-host
+ name: Railiance S1 host bootstrap
+ owner: railiance-infra
+ repo: railiance-infra
+ domain: railiance
+ contract_version: "0.1"
+ source_links:
+ - label: Bootstrap playbook
+ path: ansible/playbooks/bootstrap.yaml
+ - label: Railiance infra scope
+ path: SCOPE.md
+spec:
+ playbook:
+ path: ansible/playbooks/bootstrap.yaml
+ type: ansible
+ invocation: make converge
+ description: Converges the Railiance S1 host baseline with base hardening, SOPS/age agent support, custodian-agent SSH access, swap, and resource limits.
+ capabilities:
+ - id: s1.os-baseline
+ tier: S1
+ resource_kinds:
+ - infrastructure_resources
+ - secrets_credentials
+ description: Establishes the host OS baseline and bootstrap secret-handling substrate required before higher Railiance layers run.
+ parameters:
+ - name: target_hosts
+ type: array
+ required: true
+ constraints:
+ min_items: 1
+ sensitivity: operational
+ tuning_authority: netkingdom_tunable
+ description: Inventory hosts selected for convergence.
+ - name: swapfile_size_mb
+ type: integer
+ required: false
+ default: 4096
+ constraints:
+ minimum: 0
+ maximum: 65536
+ sensitivity: operational
+ tuning_authority: netkingdom_tunable
+ description: Swap file size applied through host variables.
+ - name: sops_age_secret_source
+ type: string
+ required: false
+ default: ansible/inventory/group_vars/secrets.sops.yaml
+ sensitivity: secret_reference
+ tuning_authority: platform_only
+ description: SOPS-encrypted variable source consumed by the bootstrap playbook.
+ - name: wireguard_enabled
+ type: boolean
+ required: false
+ default: false
+ sensitivity: security_sensitive
+ tuning_authority: platform_only
+ description: Whether to include the optional WireGuard role in this playbook mode.
+ responsibilities:
+ - resource_kind: infrastructure_resources
+ owner: railiance-infra
+ resources:
+ - server:target_hosts
+ - os-baseline
+ - ssh-access
+ repo_owns: Ansible convergence mechanics, role execution, and host baseline verification hooks.
+ netkingdom_orchestrates: Whether the S1 substrate capability is selected for a scenario and which security posture is required before higher layers run.
+ - resource_kind: secrets_credentials
+ owner: railiance-infra
+ resources:
+ - sops-age-bootstrap-material
+ - custodian-agent-ssh-key
+ repo_owns: Placement and convergence mechanics for encrypted bootstrap material and custodian-agent access.
+ netkingdom_orchestrates: Bootstrap secret-material placement policy and the requirement that tenant operators do not receive platform bootstrap authority.
+ trust:
+ requires: []
+ satisfies:
+ - state: bare_host_trust
+ readiness_checks:
+ - id: os-baseline-converged
+ description: Base, sops_agent, custodian_agent, swapfile, and resource_limits roles converge successfully.
+ evidence: ansible/playbooks/bootstrap.yaml completes successfully for target_hosts.
+ - state: bootstrap_secret_trust
+ readiness_checks:
+ - id: sops-agent-ready
+ description: SOPS/age encrypted bootstrap variable source is available to the host convergence path.
+ evidence: sops_agent role converges with ansible/inventory/group_vars/secrets.sops.yaml.
+ catalog:
+ publish: capabilities/playbooks/railiance-infra.bootstrap-host.yaml
+ maturity: reference
+ consumers:
+ - netkingdom-meta-orchestration
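Review bot: The `evidence` for the `sops-agent-ready` check under `trust.satisfies` is only that the `sops_agent` role converges, which would also hold for a run where `ansible/inventory/group_vars/secrets.sops.yaml` was absent or could not be decrypted, so `bootstrap_secret_trust` is granted on weaker evidence than the state name implies; likewise `custodian-agent-ssh-key` is declared as a `secrets_credentials` resource but no readiness check covers it. I would tighten the wording to a verifiable condition, e.g. `evidence: sops_agent role converges and the host-side age identity decrypts ansible/inventory/group_vars/secrets.sops.yaml.`, and add a check confirming the custodian-agent key was placed. Separately, `swapfile_size_mb` permits `minimum: 0` but its description does not say whether 0 means "no swap file", and `target_hosts` is `type: array` with `min_items: 1` but declares no item type, which is worth adding if the contract schema supports it.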