feat(ansible): inject ops-bridge key in base role at bootstrap

Add ops_bridge_pubkey to group_vars/all.yaml (public key only, safe to
commit) and inject it via ansible.posix.authorized_key in the base role,
immediately after SSH hardening. This ensures ops-bridge tunnel
connectivity is available as soon as SSH infrastructure is up on any
managed host — no manual key provisioning required for new nodes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ansible/inventory/group_vars/all.yaml

@@ -18,3 +18,9 @@
 
 custodian_agent_user: tegwick
 custodian_agent_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/V9fe5MGKdhTBz9KwEvC1NE+HjdoCtQocpGxP6Pko9 custodian-agent"
+
+# ops-bridge tunnel key — injected by the base role so ops-bridge connectivity
+# is available as early as SSH infrastructure is up.
+# Private key lives at ~/.ssh/id_ops on the workstation. Never commit the private key.
+ops_bridge_user: tegwick
+ops_bridge_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKQmXbAVlEa8dzGx8Hk2S7AITpz6sMWdCN0MeMOzL82u ops-bridge@custodian"

ansible/roles/base/tasks/main.yml

@@ -30,6 +30,22 @@
     name: ssh
     state: restarted
 
+- name: Ensure .ssh directory exists for ops_bridge_user
+  ansible.builtin.file:
+    path: "/home/{{ ops_bridge_user | default('tegwick') }}/.ssh"
+    state: directory
+    owner: "{{ ops_bridge_user | default('tegwick') }}"
+    group: "{{ ops_bridge_user | default('tegwick') }}"
+    mode: '0700'
+
+- name: Inject ops-bridge public key into authorized_keys
+  ansible.posix.authorized_key:
+    user: "{{ ops_bridge_user | default('tegwick') }}"
+    key: "{{ ops_bridge_pubkey }}"
+    comment: "ops-bridge@{{ inventory_hostname }}"
+    state: present
+  when: ops_bridge_pubkey is defined and ops_bridge_pubkey | length > 0
+
 - name: Configure UFW default incoming policy
   ansible.builtin.ufw:
     state: enabled