coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity
1,927 Commits 1 Branch 0 Tags
01e35898afb4ebcd3bb83fa8c3894de3104d5d20
Commit Graph

5 Commits

Author SHA1 Message Date
tegwick
8c08b4b806 fix(custodian-agent): dedicated playbook, correct working dir 
- ansible/playbooks/custodian-agent.yaml: minimal playbook with only
  the custodian_agent role — avoids loading base/sops_agent/etc when
  all we need is key injection
- Makefile: use custodian-agent.yaml in provision targets; remove
  --tags workaround (was fragile; standalone playbook is correct)

Manual invocation (from CoulombCore):
  cd ~/railiance-infra/ansible
  ansible-playbook playbooks/custodian-agent.yaml -u tegwick --limit Railiance01

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-27 02:20:33 +01:00
tegwick
ff59d4e0f8 feat(ansible): add swapfile + resource_limits roles; add CoulombCore to inventory 
T01: roles/swapfile — idempotent 4GB swapfile, vm.swappiness=10, fstab entry
T02: roles/resource_limits — PAM nproc caps (512/1024), systemd user-1000.slice
     memory limits (1500M/512M); templated per-host via host_vars
- inventory/host_vars/CoulombCore.yml — host-specific vars for both roles
- inventory/servers.yaml — add CoulombCore with id_ops SSH key
- inventory_from_yaml.py — load host_vars files into Ansible hostvars
- playbooks/bootstrap.yaml — include swapfile + resource_limits roles
- workplans/WP-0004 — flag T04/T09/T10 needs_human, add CoulombCore-local convergence note

Codifies manual INC-002 hardening. See RAIL-HO-WP-0004-T01/T02.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-27 01:49:35 +01:00
tegwick
30a3f908aa feat(custodian-agent): Ansible role + Makefile for Custodian SSH identity 
Establishes a dedicated SSH keypair for the Custodian automation agent:
- ansible/roles/custodian_agent/: authorized_key task (tagged custodian_agent)
- ansible/inventory/group_vars/all.yaml: custodian_agent_user/pubkey vars
- ansible/playbooks/bootstrap.yaml: custodian_agent role added
- Makefile: provision-custodian-agent / provision-custodian-agent-host targets

Keypair generation: cd ~/the-custodian && make custodian-keygen
Then deploy:        cd ~/railiance-infra && make provision-custodian-agent

The private key lives at ~/.ssh/id_custodian_agent — never committed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-27 01:21:57 +01:00
tegwick
8f5799553e feat: implement WP-0002 — Goss test suite, verify playbook, and ADR-002 
- goss/baseline.yaml: assertions for all spec/server-baseline.yaml items
  (packages, services, SSH config, UFW rules, admin user, fail2ban, HISTCONTROL)
- goss/vars/baseline-vars.yaml: parameterised ports and paths
- ansible/roles/goss/: installs Goss binary (v0.4.9), deploys tests,
  runs assertions in TAP format, fetches report to reports/
- ansible/playbooks/verify.yaml: playbook wrapping the goss role
- Makefile: add 'make verify' target; update 'make status' with hint
- docs/adr/ADR-002: formal repo boundary — railiance-hosts vs railiance-bootstrap
- workplans/RAIL-HO-WP-0002: registered workstream 8fed53c2, T03–T06 done

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-09 12:38:48 +01:00
Bernd Worsch
9860735f82 feat: initial import of RailianceHosts starter 2025-09-13 20:26:11 +02:00