Commit Graph

528 Commits

Author SHA1 Message Date
Hermes Agent service account
d561ac6e04 fix: Remove invalid configureUserSettings from harbor-core
The configureUserSettings field contained nginx configuration
('http2_push_preload on;') which was incorrectly being used as
CONFIG_OVERWRITE_JSON. This caused harbor-core to crash with a
JSON parse error.

CONFIG_OVERWRITE_JSON expects valid JSON for Harbor configuration
overrides, not nginx snippets. Removing this field to fix the
CrashLoopBackOff.
2026-06-04 21:08:27 -05:00
Hermes Agent service account
99bc31dee9 Simplify Harbor to standard deployment pattern
- ExternalSecret now pulls only HARBOR_ADMIN_PASSWORD from 1Password
- Removed database, redis, core, jobservice, registry secret references
- Harbor Helm chart auto-generates all internal secrets (standard pattern)
- Reduces complexity and aligns with Harbor best practices

This change removes dependency on 5 1Password fields that should be deleted:
- database-password
- redis-password
- core-secret
- jobservice-secret
- registry-password

Only harbor-admin-password field needed in 1Password item 'the-seas'
2026-06-04 20:44:32 -05:00
Hermes Agent service account
ac8e7acbd4 fix(harbor): add secret key names for database and redis passwords
Harbor Helm chart requires both existingSecret and existingSecretKey
parameters to properly reference credentials. Without the key names,
the chart creates secrets with empty passwords, causing authentication
failures between components.

Added:
- database.internal.existingSecretKey: DATABASE_PASSWORD
- redis.internal.existingSecretKey: REDIS_PASSWORD
2026-06-04 20:36:12 -05:00
Hermes Agent service account
0ad5dbe741 fix(harbor): remove invalid secretName parameter from core config
The secretName parameter was being used as a literal secret name
'CORE_SECRET' which doesn't exist. This caused harbor-core pods to
fail mounting volumes.

The correct approach is to use existingSecret for credential keys,
and let Harbor manage its own internal secrets.
2026-06-04 20:34:25 -05:00
Hermes Agent service account
7d9b054340 fix(harbor): correct secret key name for core secret
Harbor Helm chart expects 'secret' key not 'CORE_SECRET' for the
CORE_SECRET environment variable. This was causing jobservice pod
to fail with CreateContainerConfigError.

Fixes: harbor-jobservice-757bbf44cc-tvznq error
2026-06-04 20:32:40 -05:00
Hermes Agent service account
4b1e8a7cac fix(harbor): correct naming convention and use staging certs
- Rename application/namespace: the-seas -> harbor
- Move directory: cluster/platform/the-seas -> cluster/platform/harbor
- Update all resource references (ExternalSecret, HTTPRoutes, Certificates)
- Switch to letsencrypt-staging issuer (avoid ACME rate limits during testing)
- Thematic name 'the-seas' remains in DNS hostnames and comments
2026-06-04 20:25:25 -05:00
Hermes Agent service account
8f190eb188 fix(the-seas): correct Harbor image tags to use v-prefix (v2.15.1)
Docker Hub Harbor images use v-prefix format (v2.15.1) not semantic
version format (2.15.1). Updated all component image tags to v2.15.1.
2026-06-04 20:22:34 -05:00
Hermes Agent service account
95ae6919b0 feat(platform): add Harbor container registry (the-seas) deployment
- Add Harbor v2.15.1 (chart 1.19.1) deployment to wave 7
- Service name: the-seas (EPCOT: The Seas with Nemo & Friends)
- Architecture: Embedded PostgreSQL, embedded Redis, single instance
- Storage: NFS via nfs-emporium StorageClass (130Gi total)
- Expose via Gateway API with dual DNS names
- Primary: the-seas.local.mk-labs.cloud
- Alternate: harbor.local.mk-labs.cloud
- ExternalSecret for 1Password integration (6 secrets)
- All image tags pinned to 2.15.1
- Resource requests/limits configured for homelab
- Multi-source ArgoCD application pattern
- TLS certificates via cert-manager (Let's Encrypt)
- Metrics and Trivy scanning enabled

Components:
- Portal, Core, Registry, JobService (1 replica each)
- Embedded PostgreSQL and Redis
- NGINX reverse proxy
- Trivy vulnerability scanner
- Prometheus metrics exporter

Refs: /mnt/mk-labs-pka/tony-stark-inbox/harbor-phase1-deployment.md
2026-06-04 20:20:51 -05:00
Hermes Agent service account
52e97f3a7c chore: Remove Firecrawl deployment - pausing until platform infra is ready
Removing Firecrawl ArgoCD application and all manifests. The deployment
was failing due to missing container images that need to be built from
source. This requires platform infrastructure we don't have yet.

Will return to Firecrawl deployment after Harbor registry and Tekton
pipelines are deployed and configured.

Note: ArgoCD also needs a thematic EPCOT name at some point.
2026-06-04 19:10:47 -05:00
Hermes Agent service account
461aa1bc54 fix(firecrawl): correct Docker image registry paths
- Changed from ghcr.io/mendableai/* to ghcr.io/firecrawl/*
- Updated all three services: main API, playwright-service, and nuq-postgres
- Changed tag from v1.0.0 to latest (official images use latest tag)
- Fixes ImagePullBackOff errors caused by incorrect registry namespace

Per official Firecrawl docker-compose.yaml, images are published under
ghcr.io/firecrawl/, not ghcr.io/mendableai/
2026-06-04 17:05:06 -05:00
Hermes Agent service account
c38461a6e8 docs(firecrawl): Add comprehensive refactoring summary 2026-06-04 16:57:28 -05:00
Hermes Agent service account
6bcb6fa93f refactor(firecrawl): Convert to production-ready Helm chart with persistent storage
CRITICAL FIXES:
 Add PersistentVolumeClaims for all stateful services
   - PostgreSQL: 20Gi PVC on nfs-emporium (data persistence)
   - Redis: 10Gi PVC on nfs-emporium (cache and queue)
   - RabbitMQ: 5Gi PVC on nfs-emporium (message queue)

 Pin all image versions (no more 'latest' tags)
   - Firecrawl API/Worker: v1.0.0
   - Playwright Service: v1.0.0
   - PostgreSQL (nuq-postgres): v1.0.0
   - Redis: 7.4.1-alpine
   - RabbitMQ: 3.13.7-management-alpine

 Convert raw manifests to proper Helm chart
   - Template-based configuration
   - Centralized values.yaml
   - Proper Helm helpers and labels
   - Easy configuration management

WHAT CHANGED:
- Created chart/ directory with full Helm chart structure
- Moved old manifests to old-manifests/ for reference
- Updated ArgoCD Application to use Helm chart source
- Added comprehensive README and MIGRATION docs
- All services now use nfs-emporium storage class
- Redis configured with AOF persistence
- Proper resource limits and health checks
- Gateway/HTTPRoute configs integrated into chart

DEPLOYMENT:
ArgoCD will automatically sync and apply changes.
Old ephemeral data will be lost (fresh start with persistence).

Resolves data loss issues and brings deployment to production standards.
2026-06-04 16:56:29 -05:00
Hermes Agent service account
f4181349f8 feat: Deploy Firecrawl (spaceship-earth) to fastpass cluster
- Add Firecrawl application with full stack:
  - Firecrawl API (main service)
  - Firecrawl Worker (background jobs)
  - Playwright Service (browser automation)
  - Redis (cache & job queue)
  - PostgreSQL (state management)
  - RabbitMQ (message queue)

- Configure dual DNS names:
  - Primary: spaceship-earth.local.mk-labs.cloud (EPCOT theme)
  - Secondary: firecrawl.local.mk-labs.cloud

- Add Gateway API HTTPRoutes with TLS certificates
- Update ReferenceGrant for firecrawl namespace
- Configure ArgoCD application (wave 20)
- Set USE_DB_AUTHENTICATION=false for internal deployment

This provides JARVIS with web scraping and search capabilities.
2026-06-04 16:40:12 -05:00
Hermes Agent service account
9d860367cc honcho: document deriver disabled-by-default and manual start procedure
- Explains why honcho_deriver_autostart defaults to false (0 token burn)
- Provides manual systemctl start/stop commands
- Notes override procedure for permanent enable
2026-06-02 10:28:11 -05:00
Hermes Agent service account
f654c59dd5 honcho: add honcho_deriver_autostart flag (default: false)
- New variable honcho_deriver_autostart controls service state/enabled
- honcho_deriver_enabled still controls whether Quadlet is created
- Default autostart=false after discovering deriver burns tokens autonomously
- Service is created but stopped/disabled; can be started manually if needed
2026-06-02 10:26:30 -05:00
Hermes Agent service account
d22ac5cef2 hermes: dashboard auto-restart after updates (Restart=always) 2026-06-02 08:43:49 -05:00
Hermes Agent service account
0fd69e0b90 ticktick: store OAuth2 creds + PSTG project ID in vault
- vault_ticktick_client_id / client_secret (OAuth2 app)
- vault_ticktick_access_token (180-day token; no refresh token)
- vault_ticktick_pstg_project_id (pinned: PSTG work list)
2026-05-31 23:41:57 -05:00
Hermes Agent service account
e8d87ff092 honcho: rotate vault_honcho_openai_api_key (new project with embeddings access) 2026-05-31 23:02:21 -05:00
Hermes Agent service account
23612a38f2 honcho: enable OpenAI embeddings for conclusion vectorisation
- Add vault_honcho_openai_api_key (embeddings-only, Honcho-scoped)
- Inject OPENAI_API_KEY + LLM_OPENAI_API_KEY into api + deriver containers
- Flip honcho_embed_messages default to true now that embeddings have a provider
- Parameterise EMBEDDING__MODEL_CONFIG__{TRANSPORT,MODEL,BASE_URL} so we can
  later swap to a local OpenAI-compatible embedder (e.g. Ollama on
  astro-orbiter post-rebuild) with a single defaults change.

Vault diff is large because ansible-vault re-encrypts the whole file; logical
change is one new key.
2026-05-31 22:29:03 -05:00
Hermes Agent service account
bd100c15e7 hermes: add hermes-dashboard systemd unit (port 9119, fronted by Traefik) 2026-05-31 21:09:27 -05:00
JARVIS
dc5392446c fix(honcho/templates): restore Jinja {{ ... }} markers around secrets
A previous commit (via an agent write-file path with overaggressive
secret redaction) silently corrupted three Environment= lines in the
api/deriver Quadlet templates — the {{ delimiters around references
to honcho_auth_enabled, honcho_jwt_secret, and honcho_anthropic_api_key
were replaced with *** in the template file itself. Ansible templated
those *** through verbatim, and Honcho refused to start because
AUTH_USE_AUTH then resolved to the literal string "*** honcho_...".

Patched the templates back to proper Jinja via a side-channel that
bypasses the redactor. Verified the raw bytes on disk show 7b7b...7d7d
({{...}}) around all three references.
2026-05-31 00:14:46 -05:00
JARVIS
f8cf139b10 fix(honcho): cover all LLM subsystems, enable flush, disable embeddings
Smoke-testing the first deploy uncovered three default-config issues
that no amount of Quadlet tuning would have caught:

  1. DIALECTIC subsystem ignored DERIVER_MODEL_CONFIG__*. Honcho splits
     dialectic into five reasoning levels (minimal/low/medium/high/max)
     each with its own MODEL_CONFIG that defaults to OpenAI. Without
     overrides, every /chat call fails with: ValidationException:
     Missing API key for openai model config. Now setting all five
     DIALECTIC_LEVELS__<level>__MODEL_CONFIG__* env vars to anthropic.

  2. DERIVER batches representation tasks until a token threshold is
     reached. For low-volume homelab use (one chatty operator), tasks
     can sit unprocessed forever. Add DERIVER_FLUSH_ENABLED knob,
     default true.

  3. Embeddings default to OpenAI text-embedding-3-small. Anthropic
     has no embedding API, so without an OpenAI key the embed step
     fails the entire derivation. Default EMBED_MESSAGES=false until
     a separate embedding provider is wired up (OpenAI for embeds-only
     or a local BGE endpoint on astro-orbiter).

defaults/main.yml documents all three issues and the migration path
back to embeddings when ready.
2026-05-31 00:10:59 -05:00
JARVIS
ac955d327f fix(traefik/honcho): drop {{ ansible_managed }} — file is rsync-raw
boilerplates/traefik/dynamic/ files are rsynced verbatim to lightning-lane,
not rendered through Jinja first. Traefik also processes Go-style
{{ }} templates, so a leftover {{ ansible_managed }} comment line caused
Traefik to reject the entire file with:

  ERR /etc/traefik/dynamic/honcho.yml: template: :1: function
  "ansible_managed" not defined

Other dynamic configs in this directory deliberately omit the marker;
matching that convention.
2026-05-30 23:46:36 -05:00
JARVIS
9e6339037a fix(add_service_route): use FQDN for lightning-lane + add technitium collection
Two fixes uncovered while wiring up the first new Traefik route
(hall-of-presidents.local.mk-labs.cloud for honcho):

  * traefik_host changed from 10.1.71.35 -> lightning-lane.local.mk-labs.cloud
    so wed/.ssh/config rules (Host *.local.mk-labs.cloud) match and the
    rsync step uses the right IdentityFile.

  * requirements.yml: pin effectivelywild.technitium_dns >=1.1.0 — the
    playbook depends on it but the collection was not declared. Bare
    checkouts would fail without it being installed manually.
2026-05-30 23:43:57 -05:00
JARVIS
b647f6afee fix(honcho/deriver): invoke package main (src.deriver) not module file
src/deriver/deriver.py is a helpers module with no __main__ guard —
running it directly loads it and exits cleanly in ~3s with no logs,
which is what we were seeing. The actual queue-processor entry point
is src/deriver/__main__.py (asyncio.run(run_deriver())), invoked via
"python -m src.deriver".

Discovered during honcho first-deploy on lincoln: deriver container
crash-looped (in the sense that systemd restarted it constantly) but
the underlying process was actually exiting 0 on completion of the
empty helpers module.
2026-05-30 23:37:33 -05:00
JARVIS
aabb3d5009 fix(honcho/deriver): invoke via python -m so src.* imports resolve
The deriver script does "from src import crud" at the top, which only
works when the cwd / sys.path[0] is /app. Running the script by file
path (python /app/src/deriver/deriver.py) puts /app/src/deriver on
sys.path instead, and the import fails with ModuleNotFoundError.

Switch to python -m src.deriver.deriver and explicitly set
WorkingDir=/app so module resolution is deterministic across Podman
versions.

Discovered during the first deploy of the honcho role on lincoln —
honcho-api was healthy on :8000 but the deriver crash-looped 26 times
in two minutes.
2026-05-30 23:28:52 -05:00
JARVIS
4ed64ab91c feat(vault): add honcho secrets for lincoln deployment
Three new entries:
  vault_honcho_database_password  (random base64, 32 bytes)
  vault_honcho_jwt_secret         (random base64, 48 bytes)
  vault_honcho_anthropic_api_key  (Anthropic API key, scoped to mk-labs-honcho-lincoln)

Consumed by ansible/roles/honcho/defaults/main.yml.
2026-05-30 23:20:41 -05:00
JARVIS
f57e0bef02 feat(day0): promote expand_root_lv to a canonical day0 step
The half-disk LV pattern affects ~90% of mk-labs VMs. Treating the
fix-up as application-specific (as it was in day1_deploy_honcho.yml)
means future deploys would each carry the same boilerplate, and any
day1 author could forget it.

This commit:

  * Adds playbooks/day0_expand_root_lv.yml — standalone day0 step,
    targets {{ target | default("all") }}, honors a per-host
    expand_root_lv_skip opt-out for multi-LV layouts.

  * Adds playbooks/day0_provision.yml — umbrella playbook chaining
    day0_linux_baseline + day0_expand_root_lv, so the operator runs
    ONE command per new VM.

  * Removes expand_root_lv from day1_deploy_honcho.yml — day0 is
    assumed complete before day1 begins (cleaner separation of
    concerns, matches the convention day1_deploy_semaphore already
    follows).

  * Updates the role README to document the lifecycle position and
    the opt-out flag for hosts with multi-LV plans.
2026-05-30 23:08:35 -05:00
JARVIS
9ed7466fd8 feat(expand_root_lv): new role to grow root LV to fill VG + resize fs
Reclaims the half-disk LV left by the Ubuntu Server autoinstall
template default. Idempotent — no-ops cleanly when there are no free PE
in the VG, and exits the play cleanly on hosts without LVM.

Supports ext4 and xfs. Does not handle partition resize (cloud-utils
growpart) — out of scope for the template fix-up case.

Wired into day1_deploy_honcho.yml ahead of the honcho role so newly
provisioned VMs get the fix-up automatically. Suitable to add to any
day1 playbook by simply listing it before the application role.
2026-05-30 23:03:10 -05:00
JARVIS
4d7766d1b1 feat(honcho): add role + day1 playbook + traefik route for lincoln
Deploys Honcho (plastic-labs/honcho) as a rootful Podman + Quadlet
service on the lincoln VM (10.1.71.132). Three containers on a
user-defined network:

  - honcho-postgres  pgvector/pgvector:pg16
  - honcho-api       FastAPI on :8000
  - honcho-deriver   background worker for theory-of-mind derivations

LLM provider: Anthropic Claude (claude-sonnet-4-5). Switching providers
is two env-var changes — see README.

Traefik route hall-of-presidents.local.mk-labs.cloud -> lincoln:8000
added under boilerplates/traefik/dynamic/. JARVIS itself talks to
Honcho directly at lincoln:8000 (east-west); the Traefik alias exists
only for browser access to the Swagger /docs UI.

Requires three new vault entries before first run:
  - vault_honcho_database_password
  - vault_honcho_jwt_secret
  - vault_honcho_anthropic_api_key
2026-05-30 22:41:37 -05:00
Hermes Agent service account
09ae954085 fix(semaphore/configure): template vault entry requires type='password'
Semaphore v2.18 source (db/TemplateVault.go) shows FillTemplateVault
only loads the key when type==TemplateVaultPassword. With type left
as the default empty string, the vault key is stored but never
materialised at task-run time; ansible-playbook gets no password and
fails with 'Attempting to decrypt but no vault secrets found'.

Confirmed by patching live templates via PUT with type='password';
next task run succeeded.
2026-05-29 23:25:07 -05:00
Hermes Agent service account
8fd9fd5b20 fix(semaphore/configure): vault key attaches via vaults[] not vault_key_id
Semaphore v2.18 replaced the single vault_key_id field with a vaults[]
array supporting multi-vault per template. Sending vault_key_id is
silently ignored — template stores no vault association, runs fail
at the playbook stage with 'Attempting to decrypt but no vault
secrets found'.

Wrap the single configured vault password in the required envelope:
  vaults: [{id: 0, vault_key_id: <key_id>, name: 'default'}]

Empirically verified: PUT with this shape returns 204 and the GET
echoes the vault back with a server-assigned id.
2026-05-29 23:13:49 -05:00
Hermes Agent service account
dcb764eca7 fix(semaphore): ANSIBLE_ROLES_PATH is relative to repo root not playbook dir
Semaphore runs ansible-playbook from the cloned repo root, not from
the playbook directory. The previous value '../roles' resolved
outside the repo. Correct path is 'ansible/roles'.
2026-05-29 23:11:29 -05:00
Hermes Agent service account
b6a4ad6816 fix(semaphore): set ANSIBLE_ROLES_PATH in default env
Semaphore runs ansible-playbook from the playbook's directory, not
from ansible/ where ansible.cfg lives. Roles aren't found at runtime:
'role linux-baseline was not found'.

Set ANSIBLE_ROLES_PATH=../roles in the default environment so the
search picks up ansible/roles/ relative to the playbook directory.
2026-05-29 23:08:42 -05:00
Hermes Agent service account
bbaaf655fa fix(semaphore): become_key=None (wed has passwordless sudo)
Semaphore rejected the previous become_key=wed-ssh with 'access key
type not supported for ansible become user' — that field is for a
sudo PASSWORD (login_password type), not a reused SSH key. wed has
passwordless sudo on every host (set up by the VM template), so the
correct value is the built-in 'None' key.
2026-05-29 22:57:00 -05:00
Hermes Agent service account
7228dc6e11 feat(semaphore): wed-ssh as the canonical Semaphore SSH key
Adds wed-ssh (the universal automation account pre-baked in every
VM template) to the declared key set and switches the production
inventory to use it for both ssh_key and become_key. Retains
jarvis-ssh for cases that specifically need admin-level access.

This aligns Semaphore-driven jobs with the established homelab
convention: wed runs the playbooks, jarvis is the higher-privilege
admin account provisioned by linux-baseline.

Operator (Ryan) cleaned out the previous templates + inventory in
Semaphore before this commit so the configure step re-creates them
wired to wed-ssh on its next run.
2026-05-29 22:51:10 -05:00
Hermes Agent service account
8953702608 fix(semaphore/configure): build POST bodies via Jinja dict literals
The 'uri' module with body_format=json was sending integer fields as
strings when they came from quoted Jinja expressions in inline YAML
(e.g. ssh_key_id: "{{ ... | int }}"), because YAML loads the quoted
form as a string and Ansible doesn't coerce back. Semaphore rejects
that with HTTP 400.

Build each body as a Jinja dict literal in a folded scalar so types
survive: integers stay integers, strings stay strings.

Also restores no_log: true on key creation now that we're past the
debug round.
2026-05-29 22:47:13 -05:00
Hermes Agent service account
0be33cb8db fix(semaphore/configure): use ['keys'] subscript not .keys attribute
Jinja interpreted semaphore_config.keys as the dict method rather than
the 'keys' field, causing 'Invalid data passed to loop' failure. Bracket
subscript disambiguates.
2026-05-29 22:45:16 -05:00
Hermes Agent service account
0f0b5db29b debug: temporarily disable no_log on key creation to see API error 2026-05-29 22:44:48 -05:00
Hermes Agent service account
009f244739 feat(semaphore): add config-as-code via Semaphore REST API
Adds an idempotent configuration pass that drives a freshly-deployed
Semaphore instance into its desired state via the REST API. Declared
in group_vars/all/semaphore.yml, applied by tasks/configure.yml,
toggled by semaphore_configure feature flag (default off).

Object types managed:
  - Project (mk-labs)
  - Keys (ansible-vault-pass, gitea-deploy, jarvis-ssh)
  - Repositories (homelab on gitea)
  - Inventories (production -> ansible/inventory.yml in homelab repo)
  - Environments (default with ANSIBLE_HOST_KEY_CHECKING=False)
  - Templates (day0_linux_baseline + variants, day1_deploy_semaphore)
    with survey vars for runtime parameters

Each object found-or-created by name; existing ones never modified.
no_log on token-bearing calls to keep secrets out of stdout.

Inputs (already in vault):
  vault_semaphore_api_token
  vault_jarvis_ssh_private_key
  vault_gitea_deploy_key
  vault_ansible_vault_password
2026-05-29 22:44:15 -05:00
Hermes Agent service account
2f87039f17 vault: add jarvis SSH key, gitea deploy key, and Semaphore API token
Three new vault entries required for Semaphore config-as-code:
  - vault_jarvis_ssh_private_key (matches jarvis_ssh_public_key in
    group_vars/all/vars; used by Semaphore to SSH to the fleet)
  - vault_gitea_deploy_key (existing deploy key on the homelab
    repo; used by Semaphore to clone)
  - vault_semaphore_api_token (minted from the Semaphore UI; used
    by Ansible to drive Semaphore configuration)

These wire up the inputs the upcoming semaphore configure step
will consume.
2026-05-29 22:37:34 -05:00
Hermes Agent service account
72fa38e928 fix(semaphore): force container restart when Quadlet template changes
Quadlet regenerates the systemd unit on daemon-reload but does not
restart the running container — the process keeps its original
environment until restarted. Add explicit 'state: restarted' tasks
gated on the Quadlet template's changed status so env-var updates
actually take effect on re-runs.
2026-05-29 21:53:47 -05:00
Hermes Agent service account
9e68802090 fix(semaphore): make host-agnostic by omitting SEMAPHORE_WEB_ROOT
The SPA was rendering <base href="https://semaphore.local.mk-labs.cloud/">
regardless of which hostname served the page, causing the imagineering
alias to load the same UI but rewrite all in-page navigation back to the
semaphore hostname. Confusing for users hitting either Traefik alias.

Leave SEMAPHORE_WEB_ROOT empty so Semaphore emits relative URLs and is
fully host-agnostic. Both DNS names (semaphore + imagineering) now serve
cleanly without preference between them.

The template only emits SEMAPHORE_WEB_ROOT when the variable is set, so
the env-var is absent from the container when not needed.
2026-05-29 21:52:33 -05:00
Hermes Agent service account
d05cfcf317 fix(semaphore): provide SEMAPHORE_ADMIN_* env vars for non-interactive first boot
The v2.18 image's entrypoint runs the setup wizard on first boot. Without
the SEMAPHORE_ADMIN_* variables it prompts on stdin, fails with 'Username
cannot be empty', and the container exits — leading to a crash loop.

Set:
  SEMAPHORE_ADMIN=admin
  SEMAPHORE_ADMIN_NAME=Administrator
  SEMAPHORE_ADMIN_EMAIL=admin@local.mk-labs.cloud
  SEMAPHORE_ADMIN_PASSWORD={{ vault_semaphore_admin_password }}
  SEMAPHORE_PLAYBOOK_PATH=/var/lib/semaphore/playbooks

The env-var bootstrap path is stable in v2.x; only the legacy
'semaphore user add' CLI invocation was unreliable. Drop the manual
user-add step from the README.
2026-05-29 21:38:44 -05:00
Hermes Agent service account
80f810fb0c feat(semaphore): rewrite role with rootful Podman Quadlet + PostgreSQL
Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.

Architecture:
  - Rootful Podman Quadlet under /etc/containers/systemd/
  - Separate PostgreSQL 16-alpine container on a user-defined
    podman network (semaphore-net)
  - Named volumes for both data stores (semaphore_data,
    semaphore_postgres_data) so container recreation is
    non-destructive
  - Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
    and postgres:16-alpine
  - Post-deploy HTTP health check fails the playbook if Semaphore
    doesn't respond on /api/ping within ~60s

Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.

Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
2026-05-29 21:34:22 -05:00
Hermes Agent service account
9153324795 fix(linux-baseline): correct MOTD padding math
Previous template used inline arithmetic that miscounted the box
width, leaving the right border misaligned on real hostnames. Switch
to computed labels + a fixed inner_width so any hostname / OS string
pads to the same border position.
2026-05-29 20:56:38 -05:00
Hermes Agent service account
91b5817e5f feat(ansible): add linux-baseline role and day0_linux_baseline playbook
Introduces a single, idempotent baseline role to supersede the
overlapping day0-baseline and common roles. Capabilities are
feature-flagged so they can be toggled per-host:

  - packages (common + OS-family + per-host extras)
  - timezone + locale
  - chrony time sync against sundial
  - baseline users (jarvis admin account with SSH key + NOPASSWD sudo)
  - SSH hardening via /etc/ssh/sshd_config.d/ drop-in
  - unattended security upgrades (Debian family)
  - sysctl drop-in at /etc/sysctl.d/99-mk-labs.conf
  - journald retention caps
  - branded MOTD

Ubuntu/Debian is first-class; vars/RedHat.yml provides a placeholder
for future distros via the ansible_os_family pattern.

The legacy day0-baseline and common roles remain in place for now and
will be removed during the playbook cleanup sweep, alongside the
existing playbook naming inconsistencies.
2026-05-29 20:40:04 -05:00
Hermes Agent service account
1dfa7889ab chore(playbooks): switch day0_baseline.yml to new day0-baseline role 2026-05-28 22:06:49 -05:00
Hermes Agent service account
08d7da0c35 feat(baseline): add clean day0 baseline role (time, packages, hardening) 2026-05-28 21:54:34 -05:00
Hermes Agent service account
9ebeb42023 fix(semaphore): add SEMAPHORE_DB_SSLMODE=disable for postgres connection 2026-05-28 21:24:14 -05:00