feat(ansible): add swapfile + resource_limits roles; add CoulombCore to inventory

T01: roles/swapfile — idempotent 4GB swapfile, vm.swappiness=10, fstab entry
T02: roles/resource_limits — PAM nproc caps (512/1024), systemd user-1000.slice
     memory limits (1500M/512M); templated per-host via host_vars
- inventory/host_vars/CoulombCore.yml — host-specific vars for both roles
- inventory/servers.yaml — add CoulombCore with id_ops SSH key
- inventory_from_yaml.py — load host_vars files into Ansible hostvars
- playbooks/bootstrap.yaml — include swapfile + resource_limits roles
- workplans/WP-0004 — flag T04/T09/T10 needs_human, add CoulombCore-local convergence note

Codifies manual INC-002 hardening. See RAIL-HO-WP-0004-T01/T02.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 01:49:35 +01:00
parent e10789bdd2
commit ff59d4e0f8
11 changed files with 163 additions and 6 deletions


@@ -121,8 +121,15 @@ Role tasks:
3. Ensure `/etc/fstab` entry present
4. Set `vm.swappiness=10` via `sysctl` module (persist in `/etc/sysctl.d/`)
**Done when:** `make converge` is idempotent; `free -h` on CoulombCore shows
4 GB swap; `make verify` passes.
**Convergence pattern:** Ansible is not installed on the workstation. Run convergence
directly on CoulombCore (local Ansible, connection=local):
```bash
ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 \
'cd ~/railiance-infra && git pull && ansible-playbook ansible/playbooks/bootstrap.yaml -c local -u tegwick --become -l CoulombCore'
```
**Done when:** Convergence runs without errors; `free -h` on CoulombCore shows
4 GB swap; Goss verify passes.
---
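Review bot: this hunk leaves T01 with two conflicting **Done when:** blocks on either side of the new **Convergence pattern:** paragraph; the first still says `make converge` is idempotent and `make verify` passes, while the paragraph between them states Ansible is not installed on the workstation and the second block replaces those with "Convergence runs without errors" and "Goss verify passes". Drop the first block or fold it into the second so the acceptance criteria are stated once. Separately, the documented one-liner runs an unpinned `git pull` and then executes the freshly pulled playbook with `--become` in the same command, so whatever is at the branch head at that moment runs as root on CoulombCore; pull and review (or check out a reviewed commit) as a separate step before the privileged run. The workplan also hard-codes the operator login and public IP (`tegwick@92.205.130.254`) even though the commit adds `CoulombCore` to `inventory/servers.yaml`; referencing the inventory alias keeps the address and account out of the task text.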
@@ -211,6 +218,8 @@ id: RAIL-HO-WP-0004-T04
status: todo
priority: high
state_hub_task_id: "4f4196b5-4d84-4648-b470-e6941444ea46"
needs_human: true
intervention_note: "Live Gitea DB migration — Gitea is the only git host. Requires explicit backup verification and operator approval before execution. Risk: data loss if migration fails mid-flight."
```
**Pre-condition:** T03 done and gitea-db cluster healthy.
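Review bot: the T04 `intervention_note` makes "explicit backup verification" the gate for the live Gitea DB migration, but the **Pre-condition:** line that follows only requires "T03 done and gitea-db cluster healthy". Add a verified, restore-tested backup of the Gitea database as an explicit pre-condition (and say where it lives and who confirms the restore) so the gate is a checkable step rather than free text in the note, given that the note itself flags "data loss if migration fails mid-flight" as the risk.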
@@ -432,6 +441,8 @@ id: RAIL-HO-WP-0004-T09
status: todo
priority: medium
state_hub_task_id: "d2afe78a-eb51-4ce9-b332-f181323d2370"
needs_human: true
intervention_note: "Requires decisions: final hostname/domain for state-hub, whether to use Gitea container registry or ghcr.io, and approval before data migration from workstation postgres."
```
**Pre-condition:** T04 done (cnpg Gitea DB working); T08 done (deploy sequence
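Review bot: same gap as T04 here: the `intervention_note` requires "approval before data migration from workstation postgres", but the **Pre-condition:** line lists only T04 and T08 (the deploy sequence), with no backup of the workstation postgres. Add a verified backup as a pre-condition. The registry decision (Gitea container registry vs ghcr.io) is also listed without any criteria; record what the choice must satisfy (which identities push and pull, whether images are pulled by digest) so the operator can decide without re-deriving it.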
@@ -464,6 +475,8 @@ id: RAIL-HO-WP-0004-T10
status: todo
priority: low
state_hub_task_id: "34d73215-f016-4750-8da5-69f82d63d619"
needs_human: true
intervention_note: "activity-core architecture needs review before packaging — needs confirmation of runtime (Rails/Go/other), whether it uses postgres, and what the migration strategy is for any existing on-node data."
```
**Pre-condition:** T09 done (state-hub on cluster operational).