diff --git a/ansible/inventory/group_vars/all.yaml b/ansible/inventory/group_vars/all.yaml index 6c6d089..13a6599 100644 --- a/ansible/inventory/group_vars/all.yaml +++ b/ansible/inventory/group_vars/all.yaml @@ -18,3 +18,9 @@ custodian_agent_user: tegwick custodian_agent_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/V9fe5MGKdhTBz9KwEvC1NE+HjdoCtQocpGxP6Pko9 custodian-agent" + +# ops-bridge tunnel key — injected by the base role so ops-bridge connectivity +# is available as early as SSH infrastructure is up. +# Private key lives at ~/.ssh/id_ops on the workstation. Never commit the private key. +ops_bridge_user: tegwick +ops_bridge_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKQmXbAVlEa8dzGx8Hk2S7AITpz6sMWdCN0MeMOzL82u ops-bridge@custodian" diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml index d2abbee..19660a4 100644 --- a/ansible/roles/base/tasks/main.yml +++ b/ansible/roles/base/tasks/main.yml @@ -30,6 +30,22 @@ name: ssh state: restarted +- name: Ensure .ssh directory exists for ops_bridge_user + ansible.builtin.file: + path: "/home/{{ ops_bridge_user | default('tegwick') }}/.ssh" + state: directory + owner: "{{ ops_bridge_user | default('tegwick') }}" + group: "{{ ops_bridge_user | default('tegwick') }}" + mode: '0700' + +- name: Inject ops-bridge public key into authorized_keys + ansible.posix.authorized_key: + user: "{{ ops_bridge_user | default('tegwick') }}" + key: "{{ ops_bridge_pubkey }}" + comment: "ops-bridge@{{ inventory_hostname }}" + state: present + when: ops_bridge_pubkey is defined and ops_bridge_pubkey | length > 0 + - name: Configure UFW default incoming policy ansible.builtin.ufw: state: enabled
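Review bot: `ops_bridge_user` is set to the same `tegwick` account that `custodian_agent_user` already uses, and because this lives in `group_vars/all.yaml` the key is authorized on every host in the inventory, so the new comment should state whether fleet-wide access through a shared account is intended, e.g. `# Applies to every inventory host under the custodian account; move to a narrower group_vars file if ops-bridge only needs some hosts.`. The key string carries the comment `ops-bridge@custodian`, but the base role's `authorized_key` task sets `comment: "ops-bridge@{{ inventory_hostname }}"`, which (if that option is applied as documented) rewrites the comment on the host, so what ends up in `authorized_keys` will not match what is committed here; a short note saying the on-host comment is per-host is worth adding. The workstation path of the private key adds nothing a consumer of this inventory needs; `# Private key is held only on the operator workstation, never in this repo.` keeps the warning without advertising the location.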
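Review bot: The `Ensure .ssh directory exists for ops_bridge_user` task runs unconditionally while only the `authorized_key` task is guarded by `when: ops_bridge_pubkey is defined and ops_bridge_pubkey | length > 0`, so on a host where no key is set the role still creates `/home/tegwick/.ssh` owned by `tegwick` and fails outright if that account does not exist; the same `when:` belongs on both tasks. The hard-coded `/home/{{ ... }}/.ssh` path also assumes the account's home is under `/home`, whereas `ansible.posix.authorized_key` resolves the user's home itself and, with its default `manage_dir: true`, creates `~/.ssh` with the expected ownership and mode, so the separate `file` task can most likely be dropped. Repeating `| default('tegwick')` four times silently picks an account whenever inventory forgot to set `ops_bridge_user`; declare the default once in the role's `defaults/main.yml` or let an undefined variable fail the play. Since the inventory describes this as a tunnel key, consider `key_options: 'restrict,port-forwarding'` on the `authorized_key` task so the key cannot obtain an interactive shell, assuming forwarding is all ops-bridge needs. The enclosing task list continues outside the hunk.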