Add ops_bridge_pubkey to group_vars/all.yaml (public key only, safe to
commit) and inject it via ansible.posix.authorized_key in the base role,
immediately after SSH hardening. This ensures ops-bridge tunnel
connectivity is available as soon as SSH infrastructure is up on any
managed host — no manual key provisioning required for new nodes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- base role: allow UFW routing direction (required for k3s flannel
pod networking to function across nodes)
- docs/deploy-stack.md: full S1→S5 ordered deploy runbook with
pre-conditions checklist and layer-by-layer steps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Extend base role with fail2ban, UFW k3s/Flannel rules, HISTCONTROL
- Add handlers dir for fail2ban restart
- Fix inventory script to emit correct dynamic inventory JSON format
- Add roles_path to ansible.cfg so playbook finds roles
- Add Railiance01 (92.205.62.239) to inventory/servers.yaml
- Mark workplan T03/T04/T05 as done
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
