sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat(base): codify AI-worker NOPASSWD sudo (ADR-015 amended)

Browse source 
Add base__ai_worker_user var (default empty), a new operational_access.yml
task file that drops a validated sudoers file for the named user, and wire it
into base/tasks/main.yml after the hardening includes under the `users` tag.

Set base__ai_worker_user: claude in group_vars/control so that applying base
to ubongo is idempotent with the manual /etc/sudoers.d/claude-ai-worker drop-in
already in place. Password remains locked; NOPASSWD is the only sudo path;
actions are attributed via auditd (ADR-021).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-18 21:36:31 +02:00
parent b1aa0f49d9
commit 3fe6f68316
4 changed files with 26 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
inventories/production/group_vars/control/vars.yml
View file

@ -12,6 +12,9 @@ dev_env__users:
# group only. # group only.
ansible_user: sjat ansible_user: sjat
# ubongo's AI-worker; passwordless sudo for the claude user (ADR-015 amended).
base__ai_worker_user: claude
# ubongo is a NetBird mesh peer (ADR-016, M5) — enrol the agent via base's `mesh` concern. # ubongo is a NetBird mesh peer (ADR-016, M5) — enrol the agent via base's `mesh` concern.
# Enrollment only; the host firewall default-deny stays deferred (the mesh-hardening # Enrollment only; the host firewall default-deny stays deferred (the mesh-hardening
# follow-on), so this brings up wt0 without changing SSH exposure. # follow-on), so this brings up wt0 without changing SSH exposure.

5
roles/base/defaults/main.yml
View file

@ -29,6 +29,11 @@ base__ssh_authorised_keys: []
base__ssh_listen_mesh_only: false base__ssh_listen_mesh_only: false
base__ssh_listen_addr: "" base__ssh_listen_addr: ""
# The automation/AI-worker user granted passwordless sudo (ADR-015 amended / ADR-021).
# Empty = no AI-worker sudo. Set per-group (e.g. group_vars/control: claude). The user's
# password should be locked so NOPASSWD is its only sudo path; actions are auditd-attributed.
base__ai_worker_user: ""
# NetBird mesh agent enrollment (ADR-016). Opt-in: default off so applying `base` to a # NetBird mesh agent enrollment (ADR-016). Opt-in: default off so applying `base` to a
# host not on the mesh is a no-op for this concern. The live actions (apt install over # host not on the mesh is a no-op for this concern. The live actions (apt install over
# the network, `netbird up` against the coordinator) are additionally gated by # the network, `netbird up` against the coordinator) are additionally gated by

7
roles/base/tasks/main.yml
View file

@ -23,6 +23,13 @@
tags: [hardening] tags: [hardening]
tags: [hardening] tags: [hardening]
- name: AI-worker operational access (sudoers drop-in)
ansible.builtin.include_tasks:
file: operational_access.yml
apply:
tags: [users]
tags: [users]
- name: NetBird mesh enrollment - name: NetBird mesh enrollment
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: mesh.yml file: mesh.yml

11
roles/base/tasks/operational_access.yml Normal file
View file

@ -0,0 +1,11 @@
---
- name: Grant the AI-worker user passwordless sudo (ADR-015 amended / ADR-021)
ansible.builtin.copy:
content: "{{ base__ai_worker_user }} ALL=(ALL) NOPASSWD:ALL\n"
dest: "/etc/sudoers.d/{{ base__ai_worker_user }}-ai-worker"
owner: root
group: root
mode: "0440"
validate: "visudo -cf %s"
when: base__ai_worker_user | length > 0
tags: [users]