sjat
3fe6f68316
Add base__ai_worker_user var (default empty), a new operational_access.yml task file that drops a validated sudoers file for the named user, and wire it into base/tasks/main.yml after the hardening includes under the `users` tag. Set base__ai_worker_user: claude in group_vars/control so that applying base to ubongo is idempotent with the manual /etc/sudoers.d/claude-ai-worker drop-in already in place. Password remains locked; NOPASSWD is the only sudo path; actions are attributed via auditd (ADR-021). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| production | ||
| staging | ||
| README.md | ||
inventories/
Ansible inventories, one directory per environment (staging/, production/).
Defines which hosts exist and their group membership; group_vars/ and host_vars/
hold per-group and per-host configuration.
hosts.ymlis generated from Terraform outputs bymake tf-inventory— do not hand-edit. The control node is the one manual exception.offsite.yml(inproduction/) is a second generated inventory file, written bymake tf-inventory-offsitefrom the offsite Terraform env; it holds theoffsite_hostsgroup (askari). Ansible merges it withhosts.yml, so both can declare the same group names harmlessly (the offsite generator emits all four groups, most empty).- Host groups:
all,control,docker_hosts,proxmox_hosts,offsite_hosts. - Terraform→inventory data flow and the data contract: ADR-009.
- Addressing conventions (subnets, ranges): ADR-007.
- Layout and host groups: see CLAUDE.md ("Inventory structure").