new-host runbook: control node ubongo is bare-metal
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
3fb780c286
commit
b89ca8835a
1 changed file with 24 additions and 18 deletions
|
|
@ -2,7 +2,8 @@
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
- Proxmox VM template exists (Debian 13 cloud-init image — see below if not)
|
- Proxmox VM template exists (Debian 13 cloud-init image — see below if not).
|
||||||
|
Not needed for the control node `ubongo`, which is bare-metal (Part E).
|
||||||
- `rbw` is installed and unlocked (`rbw unlock`) so the vault password resolves from Vaultwarden
|
- `rbw` is installed and unlocked (`rbw unlock`) so the vault password resolves from Vaultwarden
|
||||||
- The host's intended hostname and IP are decided
|
- The host's intended hostname and IP are decided
|
||||||
|
|
||||||
|
|
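Review bot: the added continuation line `Not needed for the control node \`ubongo\`, which is bare-metal (Part E).` sits at column zero under the `- Proxmox VM template exists` bullet, so it relies on lazy continuation to render as part of that list item; indent it two spaces or fold it into the bullet text after the period so every renderer keeps it attached and it does not read as a stray paragraph. The two remaining prerequisites (`rbw` unlocked, hostname and IP decided) still apply to `ubongo`, which is worth stating in the same sentence so the exception is clearly scoped to the template bullet only.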
@ -110,27 +111,32 @@ make check PLAYBOOK=site
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Part E — Control node (manual exception)
|
## Part E — Control node (`ubongo`, manual exception)
|
||||||
|
|
||||||
The control node runs Terraform and Ansible, so it cannot be created by the
|
The control node runs Terraform and Ansible, so it cannot be created by the
|
||||||
Terraform it hosts (chicken-and-egg). It is the **one** host provisioned manually —
|
Terraform it hosts (chicken-and-egg). It is `ubongo`, a dedicated **physical**
|
||||||
see ADR-009 and the control-node section of ADR-005. Use the template from Part A:
|
machine outside the cluster — not a Proxmox guest. It is the **one** host
|
||||||
|
provisioned manually. Rationale, hardware target, and recovery model: ADR-015.
|
||||||
|
|
||||||
```bash
|
1. Install Debian 13 on the physical box by hand (no template to clone).
|
||||||
# Clone the template by hand (Proxmox UI or qm clone)
|
2. Create the `ansible` user and install its SSH public key.
|
||||||
qm clone 9000 <VMID> --name <hostname> --full
|
3. Set up the Ansible environment on it:
|
||||||
qm set <VMID> --memory 2048 --cores 2 \
|
```bash
|
||||||
--ciuser ansible \
|
git clone <repo> ~/ansible
|
||||||
--sshkeys /path/to/ansible_ed25519.pub \
|
cd ~/ansible
|
||||||
--ipconfig0 ip=<IP>/24,gw=<GATEWAY>
|
make setup # venv + Python deps
|
||||||
qm start <VMID>
|
make collections # Ansible collections
|
||||||
```
|
rbw login && rbw unlock # vault password from Vaultwarden (see rotate-secrets.md)
|
||||||
|
```
|
||||||
|
4. Join the mesh VPN (choice deferred — see ADR-015) so it is reachable over SSH
|
||||||
|
from elsewhere.
|
||||||
|
5. Add `ubongo` to `inventories/<env>/hosts.yml` under the `control` group.
|
||||||
|
|
||||||
Then set up the Ansible environment on it (`make setup`, `make collections`, set up
|
Because `ubongo` is not in `local.vms`, this is the only case where editing
|
||||||
`rbw` and `rbw unlock`) per ADR-005, and add it to `inventories/<env>/hosts.yml` under the
|
`hosts.yml` by hand is expected. **Known limitation:** `make tf-inventory`
|
||||||
`control` group. Because the control node is not in `local.vms`, this is the only
|
regenerates `hosts.yml` from Terraform outputs and will overwrite a hand-added
|
||||||
case where editing `hosts.yml` by hand is expected — every other host comes from
|
`control` entry — re-add `ubongo` after running it (preserving the control entry in
|
||||||
`make tf-inventory`.
|
the generator is tracked separately, not yet built).
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
|
||||||
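Review bot: the `**Known limitation:**` paragraph leaves `make tf-inventory` silently dropping the hand-added `control` entry, which is a footgun for the one host that actually runs Ansible; until the generator preserves it, have the target refuse to run (or print a loud warning) when `hosts.yml` already contains a `control` group, or at minimum add `git diff inventories/<env>/hosts.yml` to the "re-add `ubongo`" step so the loss is visible before the next run. Step 2 (`Create the \`ansible\` user and install its SSH public key`) loses the key location that the removed `--sshkeys /path/to/ansible_ed25519.pub` line carried and does not say whether the user needs sudo for the playbooks; name the key and state the privilege requirement so operators do not improvise either. The bash fence under step 3 is at column zero, which closes the ordered list before steps 4 and 5; indent the fence and its contents three spaces to keep it inside the item. Finally, the old text pointed at ADR-009 and the control-node section of ADR-005 while the rewrite cites only ADR-015, so either mark those earlier ADRs as superseded or keep the cross-reference.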