From 3f4f03e838c2b3bd056e7fea9f55b31ef45f40b0 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Fri, 27 Mar 2026 23:52:54 +0100
Subject: [PATCH] feat(ansible): inject ops-bridge key in base role at bootstrap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add ops_bridge_pubkey to group_vars/all.yaml (public key only, safe to commit) and inject it via ansible.posix.authorized_key in the base role, immediately after SSH hardening. This ensures ops-bridge tunnel connectivity is available as soon as SSH infrastructure is up on any managed host — no manual key provisioning required for new nodes.

Co-Authored-By: Claude Sonnet 4.6
---
 ansible/inventory/group_vars/all.yaml | 6 ++++++
 ansible/roles/base/tasks/main.yml | 16 ++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/ansible/inventory/group_vars/all.yaml b/ansible/inventory/group_vars/all.yaml
index 6c6d089..13a6599 100644
--- a/ansible/inventory/group_vars/all.yaml
+++ b/ansible/inventory/group_vars/all.yaml
@@ -18,3 +18,9 @@
 custodian_agent_user: tegwick
 custodian_agent_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/V9fe5MGKdhTBz9KwEvC1NE+HjdoCtQocpGxP6Pko9 custodian-agent"
+
+# ops-bridge tunnel key — injected by the base role so ops-bridge connectivity
+# is available as early as SSH infrastructure is up.
+# Private key lives at ~/.ssh/id_ops on the workstation. Never commit the private key.
+ops_bridge_user: tegwick
+ops_bridge_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKQmXbAVlEa8dzGx8Hk2S7AITpz6sMWdCN0MeMOzL82u ops-bridge@custodian"
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index d2abbee..19660a4 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
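Review bot: The embedded comment `ops-bridge@custodian` in `ops_bridge_pubkey` is not what ends up on hosts, because the base role in the same commit passes `comment: "ops-bridge@{{ inventory_hostname }}"` to `ansible.posix.authorized_key`, which rewrites the comment per host; a maintainer grepping a host's authorized_keys for the string in this file will not find it. The header comment should say so, e.g. `# The base role rewrites the key comment to ops-bridge@<inventory_hostname> on each host.` Both `ops_bridge_user` and `custodian_agent_user` are set to `tegwick`, so the custodian-agent key and the ops-bridge key land in the same account's authorized_keys; if the two names are meant to be distinct identities, a one-line comment on why they share an account would help, and if not, one of the user variables looks redundant.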
@@ -30,6 +30,22 @@
     name: ssh
     state: restarted
 
+- name: Ensure .ssh directory exists for ops_bridge_user
+  ansible.builtin.file:
+    path: "/home/{{ ops_bridge_user | default('tegwick') }}/.ssh"
+    state: directory
+    owner: "{{ ops_bridge_user | default('tegwick') }}"
+    group: "{{ ops_bridge_user | default('tegwick') }}"
+    mode: '0700'
+
+- name: Inject ops-bridge public key into authorized_keys
+  ansible.posix.authorized_key:
+    user: "{{ ops_bridge_user | default('tegwick') }}"
+    key: "{{ ops_bridge_pubkey }}"
+    comment: "ops-bridge@{{ inventory_hostname }}"
+    state: present
+ when: ops_bridge_pubkey is defined and ops_bridge_pubkey | length > 0
+
 - name: Configure UFW default incoming policy
   ansible.builtin.ufw:
     state: enabled
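Review bot: The `Ensure .ssh directory exists` task hardcodes `/home/{{ ops_bridge_user }}/.ssh`, which silently targets the wrong path for any account whose home directory is elsewhere, and it duplicates what `ansible.posix.authorized_key` already does on its own (its default `manage_dir: true` creates the user's real `~/.ssh` with mode 0700); dropping the `ansible.builtin.file` task, or at least giving it the same `when:` guard so it does not run when no key is configured, would be cleaner. As shown in the hunk the `when:` line sits at a different column from the task's other keys; if it is actually nested under `ansible.posix.authorized_key:` rather than at task level the module will reject `when` as an unsupported parameter, so please confirm it is aligned with `ansible.posix.authorized_key:`. The four `default('tegwick')` fallbacks duplicate the value group_vars already sets for `ops_bridge_user` while `ops_bridge_pubkey` gets no default at all; one place for defaults (the role's defaults file is the usual one) keeps the account name out of four separate expressions. Because this key is added to every managed host, consider narrowing it with `key_options` (for example `no-agent-forwarding,no-X11-forwarding` plus a `from="<bridge-host-address>"` restriction) so a compromised workstation key is not usable from arbitrary sources; the `name: ssh` / `state: restarted` task the hunk starts in begins outside the hunk.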