Add ops_bridge_pubkey to group_vars/all.yaml (public key only, safe to
commit) and inject it via ansible.posix.authorized_key in the base role,
immediately after SSH hardening. This ensures ops-bridge tunnel
connectivity is available as soon as SSH infrastructure is up on any
managed host — no manual key provisioning required for new nodes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- base role: allow UFW routing direction (required for k3s flannel
pod networking to function across nodes)
- docs/deploy-stack.md: full S1→S5 ordered deploy runbook with
pre-conditions checklist and layer-by-layer steps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ansible/playbooks/custodian-agent.yaml: minimal playbook with only
the custodian_agent role — avoids loading base/sops_agent/etc when
all we need is key injection
- Makefile: use custodian-agent.yaml in provision targets; remove
--tags workaround (was fragile; standalone playbook is correct)
Manual invocation (from CoulombCore):
cd ~/railiance-infra/ansible
ansible-playbook playbooks/custodian-agent.yaml -u tegwick --limit Railiance01
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/V9fe5MGKdhTBz9KwEvC1NE+HjdoCtQocpGxP6Pko9
Generated 2026-03-27 via make custodian-keygen. Private key at workstation
only (~/.ssh/id_custodian_agent), never committed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Establishes a dedicated SSH keypair for the Custodian automation agent:
- ansible/roles/custodian_agent/: authorized_key task (tagged custodian_agent)
- ansible/inventory/group_vars/all.yaml: custodian_agent_user/pubkey vars
- ansible/playbooks/bootstrap.yaml: custodian_agent role added
- Makefile: provision-custodian-agent / provision-custodian-agent-host targets
Keypair generation: cd ~/the-custodian && make custodian-keygen
Then deploy: cd ~/railiance-infra && make provision-custodian-agent
The private key lives at ~/.ssh/id_custodian_agent — never committed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
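The two key-injection commits above (the ops-bridge key in the base role right after SSH hardening, and the dedicated custodian_agent role) and the UFW routed-policy change describe tasks the log does not show. The following is an added illustration of what those tasks look like in Ansible, written for this editorial pass; it is not code from railiance-infra. ops_bridge_pubkey, custodian_agent_user and custodian_agent_pubkey are the variable names the messages mention; ops_bridge_user, the example key strings, the service name "ssh" (Debian/Ubuntu) and the authorized_keys options are assumptions, marked as such in the comments. The ansible.posix.authorized_key and community.general.ufw parameters are real module parameters.

```yaml
# Added example for this page, not the repository's own role code.
# --- inventory/group_vars/all.yaml (public material only; safe to commit) ---
ops_bridge_user: ops-bridge          # ASSUMED: account name is not stated in the log
ops_bridge_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOPSBRIDGEKEY ops-bridge@workstation"   # placeholder
custodian_agent_user: custodian      # ASSUMED value
custodian_agent_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECUSTODIANKEY custodian@workstation"  # placeholder
---
# --- roles/base/tasks/main.yaml (excerpt) ---
- name: Harden sshd (key-only auth, no root login); validate before writing
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*{{ item.key }}\s'
    line: "{{ item.key }} {{ item.value }}"
    validate: /usr/sbin/sshd -t -f %s      # refuse a config sshd itself rejects
  loop:
    - { key: PasswordAuthentication, value: "no" }
    - { key: PermitRootLogin, value: "no" }
    - { key: PubkeyAuthentication, value: "yes" }
  notify: restart sshd

- name: Dedicated ops-bridge account (no password, minimal shell)
  ansible.builtin.user:
    name: "{{ ops_bridge_user }}"
    shell: /bin/sh
    create_home: true

- name: Inject ops-bridge public key immediately after hardening
  ansible.posix.authorized_key:
    user: "{{ ops_bridge_user }}"
    key: "{{ ops_bridge_pubkey }}"
    state: present
    exclusive: true                    # safe only because the account is dedicated to this key
    # ASSUMED hardening, not stated in the log: the key may open tunnels but
    # gets no shell/pty, agent or X11 forwarding (OpenSSH 7.2+ "restrict").
    key_options: "restrict,port-forwarding"

- name: UFW default policy for routed (forwarded) traffic, needed by k3s flannel
  community.general.ufw:
    direction: routed
    default: allow
---
# --- roles/base/handlers/main.yaml ---
- name: restart sshd
  ansible.builtin.service:
    name: ssh        # ASSUMED Debian/Ubuntu unit name; "sshd" on RHEL-family hosts
    state: restarted
---
# --- roles/custodian_agent/tasks/main.yaml (tagged custodian_agent) ---
- name: Inject Custodian automation agent key
  ansible.posix.authorized_key:
    user: "{{ custodian_agent_user }}"
    key: "{{ custodian_agent_pubkey }}"
    state: present
    # ASSUMED: a non-interactive agent needs command execution but no
    # forwarding or pty, so "restrict" alone is enough for it.
    key_options: "restrict"
  tags: [custodian_agent]
```

Two practitioner notes on the above. `exclusive: true` replaces the whole authorized_keys file for that user, so it belongs only on accounts owned by a single managed key; on a shared login such as the `-u tegwick` account it would delete the operator's own keys. `default: allow` for the routed direction permits any forwarded traffic through the host, not just flannel's; the tighter alternative is a `rule: allow` entry with `route: true` scoped to the CNI interface or pod CIDR, with the default left at deny.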
The reverse SSH tunnel is State Hub infrastructure, not infra-layer
tooling. Use: cd ~/the-custodian/state-hub && make tunnel HOST=user@host
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Per ADR-003: cloud-init (S1 node provisioning) and host planning tool
belong at the Infrastructure Substrate layer. Moved from railiance-cluster.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update all operational references to reflect the new repo name per
ADR-003 (OAS S1 Infrastructure Substrate). Historical text in ADRs
and state-hub-inbox files preserved as-is. Gitea remote URL updated
locally (Gitea repo rename is a manual step).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Plans the rename of railiance-hosts→infra and railiance-bootstrap→cluster,
creation of railiance-platform/enablement/apps, ADR-003 (supersedes ADR-002),
content relocations, state hub re-registration, and resolution of the
pending railiance-apps decision (7cddead6).
7 tasks; state_hub_workstream_id: 3ae0afc5-13f2-4e6c-aea7-1c1fb9f1ab81
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add `make tunnel` to Makefile: reads first host from
inventory/servers.yaml and opens a reverse SSH tunnel
forwarding local state-hub (port 8000) to the remote host
- Mark T02 done and close WP-0001 (all tasks complete)
- WP-0002 T01/T02 task IDs backfilled by consistency checker
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- docs/verification.md: explains spec/server-baseline.yaml, goss/baseline.yaml,
make verify workflow, assertion mapping table, and how to add new checks
- docs/convergence.md: replace manual spot-check snippet with make verify reference
- workplans/RAIL-HO-WP-0002: mark completed (all tasks done, workstream closed)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
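The verification commit above describes goss/baseline.yaml and its mapping to spec/server-baseline.yaml without showing either file. Below is an added example, written for this page rather than taken from the repository, of goss assertions that would cover the earlier commits: effective sshd settings (via `sshd -T`, so the running config is checked rather than the file text), the custodian key material, the kernel forwarding flannel relies on, and the UFW routed policy. The path /home/custodian/.ssh/authorized_keys and the "custodian" owner assume the custodian_agent_user value used in the Ansible example; the service name "ssh" assumes a Debian/Ubuntu host.

```yaml
# Added example of goss checks; not the repository's goss/baseline.yaml.
command:
  sshd -T:                              # effective config, lower-cased by sshd
    exit-status: 0
    stdout:
      - "/^passwordauthentication no$/"
      - "/^permitrootlogin no$/"
      - "/^pubkeyauthentication yes$/"
  ufw status verbose:                   # expects "... allow (routed)" in the Default: line
    exit-status: 0
    stdout:
      - '/^Status: active/'
      - '/^Default: .*allow \(routed\)/'

file:
  /etc/ssh/sshd_config:
    exists: true
    owner: root
    group: root
    mode: "0600"
  /home/custodian/.ssh/authorized_keys: # ASSUMED path for custodian_agent_user
    exists: true
    owner: custodian
    group: custodian
    mode: "0600"
    contains:
      - "/ssh-ed25519 /"                 # a key of the expected type is installed
      - "!/ssh-rsa /"                    # and no legacy-type key crept in

user:
  custodian:                            # ASSUMED account name
    exists: true
    shell: /bin/sh

service:
  ssh:                                  # ASSUMED Debian/Ubuntu unit name
    enabled: true
    running: true

port:
  tcp:22:
    listening: true

kernel-param:
  net.ipv4.ip_forward:                  # flannel needs forwarding enabled
    value: "1"
```

Assertions on the key's exact public string are deliberately left out: the fingerprint changes on every `make custodian-keygen`, so a `make verify` that pinned it would go red on every rotation. Checking type, ownership and mode catches the realistic failures (key dropped, world-readable file, wrong account) without coupling the baseline to a particular key.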