boma/roles/base/tasks
sjat 3fe6f68316 feat(base): codify AI-worker NOPASSWD sudo (ADR-015 amended)
Add base__ai_worker_user var (default empty), a new operational_access.yml
task file that drops a validated sudoers file for the named user, and wire it
into base/tasks/main.yml after the hardening includes under the `users` tag.

Set base__ai_worker_user: claude in group_vars/control so that applying base
to ubongo is idempotent with the manual /etc/sudoers.d/claude-ai-worker drop-in
already in place. Password remains locked; NOPASSWD is the only sudo path;
actions are attributed via auditd (ADR-021).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 21:36:31 +02:00
..
fail2ban.yml fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban 2026-06-14 16:54:23 +02:00
firewall.yml fix(base): make rollback snapshot restorable (flush-prefixed) 2026-06-06 19:15:38 +02:00
main.yml feat(base): codify AI-worker NOPASSWD sudo (ADR-015 amended) 2026-06-18 21:36:31 +02:00
mesh.yml feat(base): NetBird agent enrollment concern (mesh) 2026-06-17 16:08:23 +02:00
operational_access.yml feat(base): codify AI-worker NOPASSWD sudo (ADR-015 amended) 2026-06-18 21:36:31 +02:00
ssh.yml feat(base): opt-in sshd ListenAddress on the mesh IP (fail-closed) 2026-06-17 20:43:08 +02:00