Add base__ai_worker_user var (default empty), a new operational_access.yml task file that drops a validated sudoers file for the named user, and wire it into base/tasks/main.yml after the hardening includes under the `users` tag. Set base__ai_worker_user: claude in group_vars/control so that applying base to ubongo is idempotent with the manual /etc/sudoers.d/claude-ai-worker drop-in already in place. Password remains locked; NOPASSWD is the only sudo path; actions are attributed via auditd (ADR-021). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
39 lines
995 B
YAML
39 lines
995 B
YAML
---
|
|
# `apply: tags:` propagates the concern tag to the INCLUDED tasks — without it a tag on
|
|
# a dynamic include_tasks only selects the include itself, not its contents, so
|
|
# `--tags <concern>` would run nothing (Ansible gotcha).
|
|
- name: Configure host firewall (nftables)
|
|
ansible.builtin.include_tasks:
|
|
file: firewall.yml
|
|
apply:
|
|
tags: [firewall]
|
|
tags: [firewall]
|
|
|
|
- name: SSH hardening
|
|
ansible.builtin.include_tasks:
|
|
file: ssh.yml
|
|
apply:
|
|
tags: [hardening]
|
|
tags: [hardening]
|
|
|
|
- name: Fail2ban intrusion deterrence
|
|
ansible.builtin.include_tasks:
|
|
file: fail2ban.yml
|
|
apply:
|
|
tags: [hardening]
|
|
tags: [hardening]
|
|
|
|
- name: AI-worker operational access (sudoers drop-in)
|
|
ansible.builtin.include_tasks:
|
|
file: operational_access.yml
|
|
apply:
|
|
tags: [users]
|
|
tags: [users]
|
|
|
|
- name: NetBird mesh enrollment
|
|
ansible.builtin.include_tasks:
|
|
file: mesh.yml
|
|
apply:
|
|
tags: [mesh]
|
|
when: base__mesh_enabled | bool
|
|
tags: [mesh]
|