boma/inventories/production/group_vars/control/vars.yml
sjat 3fe6f68316 feat(base): codify AI-worker NOPASSWD sudo (ADR-015 amended)
Add base__ai_worker_user var (default empty), a new operational_access.yml
task file that drops a validated sudoers file for the named user, and wire it
into base/tasks/main.yml after the hardening includes under the `users` tag.

Set base__ai_worker_user: claude in group_vars/control so that applying base
to ubongo is idempotent with the manual /etc/sudoers.d/claude-ai-worker drop-in
already in place. Password remains locked; NOPASSWD is the only sudo path;
actions are attributed via auditd (ADR-021).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 21:36:31 +02:00

21 lines
957 B
YAML

---
# Workstation-class control node (ubongo, ADR-015) — developer-environment users.
# The operator and the dedicated AI-worker user both get the dev_env role (dotfiles,
# zsh/tmux/nvim), so `sudo -iu claude` lands in the same clean shell.
dev_env__users:
- sjat
- claude
# Connection: ubongo is the manually-provisioned control node (ADR-009/ADR-015 exception),
# not a Terraform VM bootstrapped with the `ansible` service user that group_vars/all
# assumes. Manage it as the operator account. Overrides the all-group default for this
# group only.
ansible_user: sjat
# ubongo's AI-worker; passwordless sudo for the claude user (ADR-015 amended).
base__ai_worker_user: claude
# ubongo is a NetBird mesh peer (ADR-016, M5) — enrol the agent via base's `mesh` concern.
# Enrollment only; the host firewall default-deny stays deferred (the mesh-hardening
# follow-on), so this brings up wt0 without changing SSH exposure.
base__mesh_enabled: true
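The commit message describes a new base/tasks/operational_access.yml that drops a validated sudoers file for the user named in base__ai_worker_user. The tasks below are an added illustration of how such a task file can be written; they are not the project's own operational_access.yml. Module names are standard Ansible (ansible.builtin.user, ansible.builtin.copy with validate); the drop-in name pattern follows the manual /etc/sudoers.d/claude-ai-worker file named above, while the ALL=(ALL) rule scope and the assumption that the account already exists (e.g. created by the dev_env role) are this example's own.

```yaml
# Added example, not the project's operational_access.yml. Assumes the account
# named in base__ai_worker_user already exists; module names are standard
# Ansible, the rule scope below is an assumption of this example.
- name: Keep the AI-worker account password locked (no password login path)
  ansible.builtin.user:
    name: "{{ base__ai_worker_user }}"
    password_lock: true
  when: base__ai_worker_user | length > 0

- name: Install the NOPASSWD sudoers drop-in for the AI-worker user
  ansible.builtin.copy:
    # For base__ai_worker_user=claude this is /etc/sudoers.d/claude-ai-worker,
    # the path of the manual drop-in the commit message refers to.
    dest: "/etc/sudoers.d/{{ base__ai_worker_user }}-ai-worker"
    owner: root
    group: root
    mode: "0440"
    # visudo parses the candidate file first; a syntax error aborts the copy
    # instead of leaving a broken file that would break sudo for every user.
    validate: /usr/sbin/visudo -cf %s
    content: |
      # Managed by base/tasks/operational_access.yml (ADR-015 amended).
      # Rule scope (ALL=(ALL) ... ALL) is an assumption of this example.
      {{ base__ai_worker_user }} ALL=(ALL) NOPASSWD: ALL
  when: base__ai_worker_user | length > 0
```

Two checks worth running after the first apply: `sudo -l -U claude` on the host should list exactly the NOPASSWD rule and nothing else, and a second run of the play should report no changed tasks. The second check only holds if the managed content matches the pre-existing manual drop-in byte for byte (including trailing newline and comments); otherwise the first run rewrites the file, which is harmless but is the moment to confirm the rule did not silently change scope.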