Compare commits

3 commits

Author SHA1 Message Date
6203513220 inventory: manage ubongo (control node) as the operator account
group_vars/all assumes the ansible service user (created by bootstrap on
Terraform VMs). ubongo is the manually-provisioned control node (ADR-009/
ADR-015 exception) with no bootstrapped ansible user, so connect as sjat.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 14:09:15 +02:00
607423d0e7 dev_env: install acl for become_user file copies
When the login user differs from the become_user (ubongo connects as sjat,
the role copies files as claude), Ansible needs ACLs on its temp files;
without the acl package it falls back to an unsupported chmod syntax and
fails. Molecule didn't catch it (root login can chown directly).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 14:09:12 +02:00
a2bb99928c fix(deploy): make check/deploy actually run
Two latent bugs that blocked the documented deploy path (never exercised
end-to-end before applying dev_env to ubongo):
- Makefile: the PLAYBOOK variable was both the ansible-playbook BINARY path
  and the user-supplied playbook NAME, so `make check/deploy PLAYBOOK=<name>`
  overrode the binary. Renamed the binary var to PLAYBOOK_BIN.
- ansible.cfg: stdout_callback=yaml and callbacks_enabled=timer were
  community.general plugins (not installed; boma only ships ansible.posix).
  Use the built-in default callback with callback_result_format=yaml and
  ansible.posix.profile_tasks — same intent, no new heavy collection.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 14:09:12 +02:00
4 changed files with 13 additions and 5 deletions

@ -5,7 +5,7 @@ VENV := .venv
PYTHON := $(VENV)/bin/python
PIP := $(VENV)/bin/pip
ANSIBLE := $(VENV)/bin/ansible
PLAYBOOK := $(VENV)/bin/ansible-playbook
PLAYBOOK_BIN := $(VENV)/bin/ansible-playbook
GALAXY := $(VENV)/bin/ansible-galaxy
LINT := $(VENV)/bin/ansible-lint
MOLECULE := $(VENV)/bin/molecule
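Review bot: the rename only fixes the collision where each call site is updated too; any other recipe in the Makefile that still expands `$(PLAYBOOK)` expecting the binary will now run the user-supplied playbook name as a command (or an empty string when none is given). Grep for remaining `$(PLAYBOOK)` uses outside the `check` and `deploy` recipes before merging, since only those two are touched in this change.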
@ -89,13 +89,13 @@ check:
ifndef PLAYBOOK
$(error PLAYBOOK is required: make check PLAYBOOK=<name>)
endif
$(PLAYBOOK) $(INVENTORY) $(VAULT_ARGS) --check --diff playbooks/$(PLAYBOOK).yml
$(PLAYBOOK_BIN) $(INVENTORY) $(VAULT_ARGS) --check --diff playbooks/$(PLAYBOOK).yml
deploy:
ifndef PLAYBOOK
$(error PLAYBOOK is required: make deploy PLAYBOOK=<name>)
endif
$(PLAYBOOK) $(INVENTORY) $(VAULT_ARGS) playbooks/$(PLAYBOOK).yml
$(PLAYBOOK_BIN) $(INVENTORY) $(VAULT_ARGS) playbooks/$(PLAYBOOK).yml
# ── Vault ─────────────────────────────────────────────────────────────────────
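Review bot: `ifndef PLAYBOOK` catches a missing name but not a mistyped one, and with the old shadowing this same guard passed silently because PLAYBOOK was always defined, so an existence check would have surfaced the bug much earlier. Adding `$(if $(wildcard playbooks/$(PLAYBOOK).yml),,$(error no such playbook: playbooks/$(PLAYBOOK).yml))` at the top of both recipes fails fast with a clear message before ansible-playbook runs and before the vault password script is invoked. The guard and invocation are also duplicated between `check` and `deploy`; a shared prerequisite target would keep the two in step.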

@ -4,8 +4,9 @@ roles_path = roles
collections_path = .collections
vault_password_file = scripts/vault-pass-client.sh
interpreter_python = auto_silent
stdout_callback = yaml
callbacks_enabled = timer, profile_tasks
stdout_callback = default
callback_result_format = yaml
callbacks_enabled = ansible.posix.profile_tasks
# Avoid slow DNS lookups
[ssh_connection]
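Review bot: `callback_result_format` is an option of the built-in `default` stdout callback that older ansible-core releases do not recognise, and an unknown ini key is ignored rather than rejected, so on a stale venv the output quietly reverts to the non-yaml format while `ansible.posix.profile_tasks` still requires the collection to be present under `collections_path = .collections`. Record the minimum ansible-core version next to the venv pin and make sure `ansible.posix` is listed in the galaxy requirements file, so `make check` fails on an out-of-date environment instead of degrading silently.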

@ -5,3 +5,9 @@
dev_env__users:
- sjat
- claude
# Connection: ubongo is the manually-provisioned control node (ADR-009/ADR-015 exception),
# not a Terraform VM bootstrapped with the `ansible` service user that group_vars/all
# assumes. Manage it as the operator account. Overrides the all-group default for this
# group only.
ansible_user: sjat
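Review bot: `ansible_user: sjat` commits a personal operator login as the automation identity for this group, so changes applied by anyone who runs the playbook against ubongo are attributed to sjat in the host's auth and sudo logs rather than to a service account. If this exception is meant to be temporary, record it in the ADR-009/ADR-015 text the comment points at (the comment here is currently the only place it lives) and open a follow-up to bootstrap the `ansible` service user on ubongo so the all-group default can be restored; the accompanying dev_env change shows that privilege separation (sjat -> claude) is already relied on for this host.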

@ -14,6 +14,7 @@ dev_env__packages:
- tmux
- git
- stow
- acl # lets Ansible become_user an unprivileged user (sjat -> claude) for file copies
- build-essential
- curl
- ca-certificates
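Review bot: the commit message says Molecule missed this because its login user is root, and this hunk fixes the symptom (installing `acl`) without closing that gap; add a Molecule scenario, or a second platform in the existing one, that connects as an unprivileged user and uses `become_user` for the file copies so the regression is exercised in CI. A short note in the role README that `acl` is a hard requirement whenever `become_user` targets an unprivileged account would also help, since a consumer who overrides `dev_env__packages` will drop it along with the rest of this default list.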