Add ops_bridge_pubkey to group_vars/all.yaml (public key only, safe to commit) and inject it via ansible.posix.authorized_key in the base role, immediately after SSH hardening. This ensures ops-bridge tunnel connectivity is available as soon as SSH infrastructure is up on any managed host — no manual key provisioning required for new nodes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
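---
# Ansible group vars — applied to all managed hosts.
#
# Only SSH *public* keys belong in this file. Private keys stay on the
# workstation and are never committed.
#
# ---------------------------------------------------------------------------
# custodian agent key
# ---------------------------------------------------------------------------
# Format of the value (this line is an example of the shape, not a key to use):
#   custodian_agent_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/V9fe5MGKdhTBz9KwEvC1NE+HjdoCtQocpGxP6Pko9 custodian-agent"
#
# HOW TO SET THIS:
#
# 1. Generate the keypair on the workstation (one-time):
#      cd ~/the-custodian && make custodian-keygen
#    This creates ~/.ssh/id_custodian_agent (private, never committed)
#    and writes the public key to:
#      ~/railiance-infra/ansible/inventory/group_vars/all.yaml ← this file
#
# 2. Before committing, confirm the value below is the key that was just
#    generated: compare `ssh-keygen -lf ~/.ssh/id_custodian_agent.pub` with
#    the fingerprint of the value written here. Whatever public key is
#    committed is what every managed host will trust, so a wrong or swapped
#    value hands that access to someone else.
#
# 3. Commit the updated all.yaml (public key only — safe to commit).
#
# 4. Deploy to all managed hosts:
#      cd ~/railiance-infra && make provision-custodian-agent
#
# Rotation: setting a new value here adds the new key on the next provision
# run. ansible.posix.authorized_key with state: present does NOT remove the
# previous key from authorized_keys unless the role removes it explicitly
# (state: absent) or manages the file with exclusive: true — check the role
# before assuming the old key is gone.
#
# The key below is a placeholder — replace by running `make custodian-keygen`.
# NOTE(review): the placeholder value is identical to the format example
# above; verify that the committed value is the real workstation key.

custodian_agent_user: tegwick

custodian_agent_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/V9fe5MGKdhTBz9KwEvC1NE+HjdoCtQocpGxP6Pko9 custodian-agent"

# ---------------------------------------------------------------------------
# ops-bridge tunnel key
# ---------------------------------------------------------------------------
# Injected by the base role (ansible.posix.authorized_key) immediately after
# SSH hardening, so ops-bridge connectivity is available as soon as SSH is up
# on any managed host. That also makes it a standing, fleet-wide credential:
# the private key (~/.ssh/id_ops on the workstation — never commit it) is
# accepted by every host this inventory manages. Protect and rotate it
# accordingly.
#
# Both keys in this file name the same account (tegwick). If the base role
# ever uses `exclusive: true` for either authorized_key call, the later call
# will strip the other key — keep both calls non-exclusive, or install both
# keys in a single call.
#
# This key is only meant for the tunnel, so consider restricting it with
# authorized_keys options (e.g. `restrict,port-forwarding,permitopen=...`)
# via the module's key_options, so a leaked id_ops cannot open a shell.
# Rotation behaves like the custodian key above: a new value adds a key, it
# does not remove the old one.

ops_bridge_user: tegwick

ops_bridge_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKQmXbAVlEa8dzGx8Hk2S7AITpz6sMWdCN0MeMOzL82u ops-bridge@custodian"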