feat(ansible): add swapfile + resource_limits roles; add CoulombCore to inventory
T01: roles/swapfile — idempotent 4GB swapfile, vm.swappiness=10, fstab entry
T02: roles/resource_limits — PAM nproc caps (512/1024), systemd user-1000.slice
memory limits (1500M/512M); templated per-host via host_vars
- inventory/host_vars/CoulombCore.yml — host-specific vars for both roles
- inventory/servers.yaml — add CoulombCore with id_ops SSH key
- inventory_from_yaml.py — load host_vars files into Ansible hostvars
- playbooks/bootstrap.yaml — include swapfile + resource_limits roles
- workplans/WP-0004 — flag T04/T09/T10 needs_human, add CoulombCore-local convergence note
Codifies manual INC-002 hardening. See RAIL-HO-WP-0004-T01/T02.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -121,8 +121,15 @@ Role tasks:
3. Ensure `/etc/fstab` entry present
4. Set `vm.swappiness=10` via `sysctl` module (persist in `/etc/sysctl.d/`)

**Done when:** `make converge` is idempotent; `free -h` on CoulombCore shows
4 GB swap; `make verify` passes.
**Convergence pattern:** Ansible is not installed on the workstation. Run convergence
directly on CoulombCore (local Ansible, connection=local):
```bash
ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 \
'cd ~/railiance-infra && git pull && ansible-playbook ansible/playbooks/bootstrap.yaml -c local -u tegwick --become -l CoulombCore'
```

**Done when:** Convergence runs without errors; `free -h` on CoulombCore shows
4 GB swap; Goss verify passes.

---

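Review bot: the convergence one-liner runs `git pull` and then `ansible-playbook ... --become` in a single step, so whatever is at the branch HEAD on CoulombCore is applied as root with no review gate; split it so the first run uses `--check --diff`, record the commit that was converged, and consider addressing the host by its inventory name or an SSH alias rather than hardcoding `tegwick@92.205.130.254`, which duplicates what inventory/servers.yaml now holds. The replacement "Done when" also drops the idempotence criterion the earlier one had (`make converge` is idempotent); keep a second-run `changed=0` check since the role is described as idempotent, and state that Ansible must be installed on CoulombCore, which the pattern assumes but does not say.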
@@ -211,6 +218,8 @@ id: RAIL-HO-WP-0004-T04
status: todo
priority: high
state_hub_task_id: "4f4196b5-4d84-4648-b470-e6941444ea46"
needs_human: true
intervention_note: "Live Gitea DB migration — Gitea is the only git host. Requires explicit backup verification and operator approval before execution. Risk: data loss if migration fails mid-flight."
```

**Pre-condition:** T03 done and gitea-db cluster healthy.
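Review bot: the T04 intervention_note says the migration "Requires explicit backup verification and operator approval", but the pre-condition only lists "T03 done and gitea-db cluster healthy", so the gate lives in free text rather than in the checkable pre-condition. Suggest making it explicit, e.g. `**Pre-condition:** T03 done; gitea-db cluster healthy; Gitea DB backup taken and restore tested; operator approval recorded.`, and naming who gives that approval, since Gitea is the only git host and a mid-flight failure is called out as a data-loss risk.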
@@ -432,6 +441,8 @@ id: RAIL-HO-WP-0004-T09
status: todo
priority: medium
state_hub_task_id: "d2afe78a-eb51-4ce9-b332-f181323d2370"
needs_human: true
intervention_note: "Requires decisions: final hostname/domain for state-hub, whether to use Gitea container registry or ghcr.io, and approval before data migration from workstation postgres."
```

**Pre-condition:** T04 done (cnpg Gitea DB working); T08 done (deploy sequence
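Review bot: the T09 intervention_note bundles three decisions of different weight (state-hub hostname/domain, Gitea container registry vs ghcr.io, approval of the data migration from workstation postgres) under one needs_human flag, so it is not clear which decision blocks which step. Suggest listing them separately with their dependency: the registry choice determines where images are pulled from and how pull credentials are handled, so it belongs before the deploy sequence that T08 covers, while the migration approval only gates the final cutover.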
@@ -464,6 +475,8 @@ id: RAIL-HO-WP-0004-T10
status: todo
priority: low
state_hub_task_id: "34d73215-f016-4750-8da5-69f82d63d619"
needs_human: true
intervention_note: "activity-core architecture needs review before packaging — needs confirmation of runtime (Rails/Go/other), whether it uses postgres, and what the migration strategy is for any existing on-node data."
```

**Pre-condition:** T09 done (state-hub on cluster operational).

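Review bot: the T10 intervention_note asks for confirmation of the runtime, the postgres dependency and the migration strategy for existing on-node data, but the pre-condition only says "T09 done", so the task becomes eligible as soon as T09 completes even if none of that review has happened; add the review outcomes to the pre-condition (runtime confirmed, postgres dependency confirmed, on-node data inventoried). Note also that T04, T09 and T10 now form a strict chain of three needs_human gates (T04 → T09 → T10); the workplan should state this, since the first gate decides whether the later tasks are reachable at all.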