T01: roles/swapfile — idempotent 4GB swapfile, vm.swappiness=10, fstab entry
T02: roles/resource_limits — PAM nproc caps (512/1024), systemd user-1000.slice memory limits (1500M/512M); templated per-host via host_vars
- inventory/host_vars/CoulombCore.yml — host-specific vars for both roles
- inventory/servers.yaml — add CoulombCore with id_ops SSH key
- inventory_from_yaml.py — load host_vars files into Ansible hostvars
- playbooks/bootstrap.yaml — include swapfile + resource_limits roles
- workplans/WP-0004 — flag T04/T09/T10 needs_human, add CoulombCore-local convergence note
Codifies manual INC-002 hardening. See RAIL-HO-WP-0004-T01/T02.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
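An added post-convergence drift check for the state T01 and T02 are meant to produce; this is example code written here, not part of the commit or its roles. It runs over constructed sample output rather than the live host, and the swapfile path `/swapfile`, the `*` limits domain and which of the two figures is MemoryHigh versus MemoryMax are assumptions not stated in the commit message.

```python
import re

# Constructed sample host state, standing in for `sysctl vm.swappiness`,
# /etc/fstab, the PAM limits drop-in and
# `systemctl show user-1000.slice -p MemoryHigh -p MemoryMax` (bytes).
SAMPLE = {
    "sysctl": "vm.swappiness = 10\n",
    "fstab": "UUID=0000-CONSTRUCTED / ext4 defaults 0 1\n/swapfile none swap sw 0 0\n",
    "limits": "*  soft  nproc  512\n*  hard  nproc  1024\n",
    "slice": "MemoryHigh=536870912\nMemoryMax=1572864000\n",
}

# Expected values taken from the commit message. The swapfile path, the `*`
# limits domain and the High/Max assignment of 512M/1500M are assumptions.
EXPECTED = {
    "swappiness": 10,
    "swapfile": "/swapfile",
    "nproc": {"soft": 512, "hard": 1024},
    "slice": {"MemoryHigh": 512 * 1024**2, "MemoryMax": 1500 * 1024**2},
}


def check_host(state, expected=EXPECTED):
    """Return a list of drift findings; an empty list means the host converged."""
    findings = []
    # vm.swappiness: sysctl prints "key = value"
    m = re.search(r"vm\.swappiness\s*=\s*(\d+)", state["sysctl"])
    if not m or int(m.group(1)) != expected["swappiness"]:
        got = m.group(1) if m else "unset"
        findings.append(f"vm.swappiness is {got}, want {expected['swappiness']}")
    # fstab: third field is the filesystem type; look for a swap entry on our path
    swap_entries = [ln.split() for ln in state["fstab"].splitlines() if ln.split()[2:3] == ["swap"]]
    if not any(e[0] == expected["swapfile"] for e in swap_entries):
        findings.append(f"no fstab swap entry for {expected['swapfile']}")
    # PAM limits: "<domain> <soft|hard> <item> <value>"
    limits = {}
    for line in state["limits"].splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "*" and parts[2] == "nproc":
            limits[parts[1]] = int(parts[3])
    for kind, want in expected["nproc"].items():
        if limits.get(kind) != want:
            findings.append(f"nproc {kind} limit is {limits.get(kind)}, want {want}")
    # systemd slice: `systemctl show` prints byte values, "infinity" when unset
    slice_vals = dict(line.split("=", 1) for line in state["slice"].splitlines() if "=" in line)
    for key, want in expected["slice"].items():
        if slice_vals.get(key) != str(want):
            findings.append(f"{key} is {slice_vals.get(key)}, want {want}")
    return findings
```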
13 lines
511 B
YAML
- hosts: all
  become: true
  vars_files:
    - ../inventory/group_vars/all.yaml
    - ../inventory/group_vars/secrets.sops.yaml
  roles:
    - role: base
    - role: sops_agent
    - role: custodian_agent # injects ~/.ssh/id_custodian_agent.pub into authorized_keys
    - role: swapfile # provisions swap file (size + swappiness from host_vars)
    - role: resource_limits # nproc PAM caps + systemd user slice memory limits
    # - role: wireguard # enable if you configure WireGuard variables