Commit Graph

550 Commits

Author SHA1 Message Date
JARVIS
9ed7466fd8 feat(expand_root_lv): new role to grow root LV to fill VG + resize fs
Reclaims the half-disk LV left by the Ubuntu Server autoinstall
template default. Idempotent — no-ops cleanly when there are no free PE
in the VG, and exits the play cleanly on hosts without LVM.

Supports ext4 and xfs. Does not handle partition resize (cloud-utils
growpart) — out of scope for the template fix-up case.

Wired into day1_deploy_honcho.yml ahead of the honcho role so newly
provisioned VMs get the fix-up automatically. Suitable to add to any
day1 playbook by simply listing it before the application role.
2026-05-30 23:03:10 -05:00
JARVIS
4d7766d1b1 feat(honcho): add role + day1 playbook + traefik route for lincoln
Deploys Honcho (plastic-labs/honcho) as a rootful Podman + Quadlet
service on the lincoln VM (10.1.71.132). Three containers on a
user-defined network:

  - honcho-postgres  pgvector/pgvector:pg16
  - honcho-api       FastAPI on :8000
  - honcho-deriver   background worker for theory-of-mind derivations

LLM provider: Anthropic Claude (claude-sonnet-4-5). Switching providers
is two env-var changes — see README.

Traefik route hall-of-presidents.local.mk-labs.cloud -> lincoln:8000
added under boilerplates/traefik/dynamic/. JARVIS itself talks to
Honcho directly at lincoln:8000 (east-west); the Traefik alias exists
only for browser access to the Swagger /docs UI.

Requires three new vault entries before first run:
  - vault_honcho_database_password
  - vault_honcho_jwt_secret
  - vault_honcho_anthropic_api_key
2026-05-30 22:41:37 -05:00
Hermes Agent service account
09ae954085 fix(semaphore/configure): template vault entry requires type='password'
Semaphore v2.18 source (db/TemplateVault.go) shows FillTemplateVault
only loads the key when type==TemplateVaultPassword. With type left
as the default empty string, the vault key is stored but never
materialised at task-run time; ansible-playbook gets no password and
fails with 'Attempting to decrypt but no vault secrets found'.

Confirmed by patching live templates via PUT with type='password';
next task run succeeded.
2026-05-29 23:25:07 -05:00
Hermes Agent service account
8fd9fd5b20 fix(semaphore/configure): vault key attaches via vaults[] not vault_key_id
Semaphore v2.18 replaced the single vault_key_id field with a vaults[]
array supporting multi-vault per template. Sending vault_key_id is
silently ignored — template stores no vault association, runs fail
at the playbook stage with 'Attempting to decrypt but no vault
secrets found'.

Wrap the single configured vault password in the required envelope:
  vaults: [{id: 0, vault_key_id: <key_id>, name: 'default'}]

Empirically verified: PUT with this shape returns 204 and the GET
echoes the vault back with a server-assigned id.
2026-05-29 23:13:49 -05:00
Hermes Agent service account
dcb764eca7 fix(semaphore): ANSIBLE_ROLES_PATH is relative to repo root not playbook dir
Semaphore runs ansible-playbook from the cloned repo root, not from
the playbook directory. The previous value '../roles' resolved
outside the repo. Correct path is 'ansible/roles'.
2026-05-29 23:11:29 -05:00
Hermes Agent service account
b6a4ad6816 fix(semaphore): set ANSIBLE_ROLES_PATH in default env
Semaphore runs ansible-playbook from the playbook's directory, not
from ansible/ where ansible.cfg lives. Roles aren't found at runtime:
'role linux-baseline was not found'.

Set ANSIBLE_ROLES_PATH=../roles in the default environment so the
search picks up ansible/roles/ relative to the playbook directory.
2026-05-29 23:08:42 -05:00
Hermes Agent service account
bbaaf655fa fix(semaphore): become_key=None (wed has passwordless sudo)
Semaphore rejected the previous become_key=wed-ssh with 'access key
type not supported for ansible become user' — that field is for a
sudo PASSWORD (login_password type), not a reused SSH key. wed has
passwordless sudo on every host (set up by the VM template), so the
correct value is the built-in 'None' key.
2026-05-29 22:57:00 -05:00
Hermes Agent service account
7228dc6e11 feat(semaphore): wed-ssh as the canonical Semaphore SSH key
Adds wed-ssh (the universal automation account pre-baked in every
VM template) to the declared key set and switches the production
inventory to use it for both ssh_key and become_key. Retains
jarvis-ssh for cases that specifically need admin-level access.

This aligns Semaphore-driven jobs with the established homelab
convention: wed runs the playbooks, jarvis is the higher-privilege
admin account provisioned by linux-baseline.

Operator (Ryan) cleaned out the previous templates + inventory in
Semaphore before this commit so the configure step re-creates them
wired to wed-ssh on its next run.
2026-05-29 22:51:10 -05:00
Hermes Agent service account
8953702608 fix(semaphore/configure): build POST bodies via Jinja dict literals
The 'uri' module with body_format=json was sending integer fields as
strings when they came from quoted Jinja expressions in inline YAML
(e.g. ssh_key_id: "{{ ... | int }}"), because YAML loads the quoted
form as a string and Ansible doesn't coerce back. Semaphore rejects
that with HTTP 400.

Build each body as a Jinja dict literal in a folded scalar so types
survive: integers stay integers, strings stay strings.

Also restores no_log: true on key creation now that we're past the
debug round.
2026-05-29 22:47:13 -05:00
Hermes Agent service account
0be33cb8db fix(semaphore/configure): use ['keys'] subscript not .keys attribute
Jinja interpreted semaphore_config.keys as the dict method rather than
the 'keys' field, causing 'Invalid data passed to loop' failure. Bracket
subscript disambiguates.
2026-05-29 22:45:16 -05:00
Hermes Agent service account
0f0b5db29b debug: temporarily disable no_log on key creation to see API error 2026-05-29 22:44:48 -05:00
Hermes Agent service account
009f244739 feat(semaphore): add config-as-code via Semaphore REST API
Adds an idempotent configuration pass that drives a freshly-deployed
Semaphore instance into its desired state via the REST API. Declared
in group_vars/all/semaphore.yml, applied by tasks/configure.yml,
toggled by semaphore_configure feature flag (default off).

Object types managed:
  - Project (mk-labs)
  - Keys (ansible-vault-pass, gitea-deploy, jarvis-ssh)
  - Repositories (homelab on gitea)
  - Inventories (production -> ansible/inventory.yml in homelab repo)
  - Environments (default with ANSIBLE_HOST_KEY_CHECKING=False)
  - Templates (day0_linux_baseline + variants, day1_deploy_semaphore)
    with survey vars for runtime parameters

Each object found-or-created by name; existing ones never modified.
no_log on token-bearing calls to keep secrets out of stdout.

Inputs (already in vault):
  vault_semaphore_api_token
  vault_jarvis_ssh_private_key
  vault_gitea_deploy_key
  vault_ansible_vault_password
2026-05-29 22:44:15 -05:00
Hermes Agent service account
2f87039f17 vault: add jarvis SSH key, gitea deploy key, and Semaphore API token
Three new vault entries required for Semaphore config-as-code:
  - vault_jarvis_ssh_private_key (matches jarvis_ssh_public_key in
    group_vars/all/vars; used by Semaphore to SSH to the fleet)
  - vault_gitea_deploy_key (existing deploy key on the homelab
    repo; used by Semaphore to clone)
  - vault_semaphore_api_token (minted from the Semaphore UI; used
    by Ansible to drive Semaphore configuration)

These wire up the inputs the upcoming semaphore configure step
will consume.
2026-05-29 22:37:34 -05:00
Hermes Agent service account
72fa38e928 fix(semaphore): force container restart when Quadlet template changes
Quadlet regenerates the systemd unit on daemon-reload but does not
restart the running container — the process keeps its original
environment until restarted. Add explicit 'state: restarted' tasks
gated on the Quadlet template's changed status so env-var updates
actually take effect on re-runs.
2026-05-29 21:53:47 -05:00
Hermes Agent service account
9e68802090 fix(semaphore): make host-agnostic by omitting SEMAPHORE_WEB_ROOT
The SPA was rendering <base href="https://semaphore.local.mk-labs.cloud/">
regardless of which hostname served the page, causing the imagineering
alias to load the same UI but rewrite all in-page navigation back to the
semaphore hostname. Confusing for users hitting either Traefik alias.

Leave SEMAPHORE_WEB_ROOT empty so Semaphore emits relative URLs and is
fully host-agnostic. Both DNS names (semaphore + imagineering) now serve
cleanly without preference between them.

The template only emits SEMAPHORE_WEB_ROOT when the variable is set, so
the env-var is absent from the container when not needed.
2026-05-29 21:52:33 -05:00
Hermes Agent service account
d05cfcf317 fix(semaphore): provide SEMAPHORE_ADMIN_* env vars for non-interactive first boot
The v2.18 image's entrypoint runs the setup wizard on first boot. Without
the SEMAPHORE_ADMIN_* variables it prompts on stdin, fails with 'Username
cannot be empty', and the container exits — leading to a crash loop.

Set:
  SEMAPHORE_ADMIN=admin
  SEMAPHORE_ADMIN_NAME=Administrator
  SEMAPHORE_ADMIN_EMAIL=admin@local.mk-labs.cloud
  SEMAPHORE_ADMIN_PASSWORD={{ vault_semaphore_admin_password }}
  SEMAPHORE_PLAYBOOK_PATH=/var/lib/semaphore/playbooks

The env-var bootstrap path is stable in v2.x; only the legacy
'semaphore user add' CLI invocation was unreliable. Drop the manual
user-add step from the README.
2026-05-29 21:38:44 -05:00
Hermes Agent service account
80f810fb0c feat(semaphore): rewrite role with rootful Podman Quadlet + PostgreSQL
Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.

Architecture:
  - Rootful Podman Quadlet under /etc/containers/systemd/
  - Separate PostgreSQL 16-alpine container on a user-defined
    podman network (semaphore-net)
  - Named volumes for both data stores (semaphore_data,
    semaphore_postgres_data) so container recreation is
    non-destructive
  - Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
    and postgres:16-alpine
  - Post-deploy HTTP health check fails the playbook if Semaphore
    doesn't respond on /api/ping within ~60s

Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.

Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
2026-05-29 21:34:22 -05:00
Hermes Agent service account
9153324795 fix(linux-baseline): correct MOTD padding math
Previous template used inline arithmetic that miscounted the box
width, leaving the right border misaligned on real hostnames. Switch
to computed labels + a fixed inner_width so any hostname / OS string
pads to the same border position.
2026-05-29 20:56:38 -05:00
Hermes Agent service account
91b5817e5f feat(ansible): add linux-baseline role and day0_linux_baseline playbook
Introduces a single, idempotent baseline role to supersede the
overlapping day0-baseline and common roles. Capabilities are
feature-flagged so they can be toggled per-host:

  - packages (common + OS-family + per-host extras)
  - timezone + locale
  - chrony time sync against sundial
  - baseline users (jarvis admin account with SSH key + NOPASSWD sudo)
  - SSH hardening via /etc/ssh/sshd_config.d/ drop-in
  - unattended security upgrades (Debian family)
  - sysctl drop-in at /etc/sysctl.d/99-mk-labs.conf
  - journald retention caps
  - branded MOTD

Ubuntu/Debian is first-class; vars/RedHat.yml provides a placeholder
for future distros via the ansible_os_family pattern.

The legacy day0-baseline and common roles remain in place for now and
will be removed during the playbook cleanup sweep, alongside the
existing playbook naming inconsistencies.
2026-05-29 20:40:04 -05:00
Hermes Agent service account
1dfa7889ab chore(playbooks): switch day0_baseline.yml to new day0-baseline role 2026-05-28 22:06:49 -05:00
Hermes Agent service account
08d7da0c35 feat(baseline): add clean day0 baseline role (time, packages, hardening) 2026-05-28 21:54:34 -05:00
Hermes Agent service account
9ebeb42023 fix(semaphore): add SEMAPHORE_DB_SSLMODE=disable for postgres connection 2026-05-28 21:24:14 -05:00
Hermes Agent service account
075f34b1fb fix(semaphore): make network creation task more reliable 2026-05-28 15:22:45 -05:00
Hermes Agent service account
210c89c2c7 fix(semaphore): make network creation more robust and earlier in legacy block 2026-05-28 15:20:09 -05:00
Hermes Agent service account
b93a6e50ab feat(semaphore): add optional aggressive storage cleanup for legacy mode 2026-05-28 15:17:54 -05:00
Hermes Agent service account
85cc1f8c6a fix(semaphore): improve container cleanup and volume reuse in legacy mode 2026-05-28 15:16:07 -05:00
Hermes Agent service account
8e781b0c54 fix(semaphore): add container cleanup at start of legacy postgres deployment 2026-05-28 15:14:34 -05:00
Hermes Agent service account
d8ad35b8e9 fix(semaphore): add dedicated network for legacy postgres deployment 2026-05-28 15:13:16 -05:00
Hermes Agent service account
a9973d1e0f feat(semaphore): add legacy postgres deployment path using podman_container 2026-05-28 15:07:47 -05:00
4113011f63 fixed semaphore template 2026-05-28 14:51:04 -05:00
Hermes Agent service account
018782d986 fix(semaphore): remove User/Group from quadlet template 2026-05-28 14:49:37 -05:00
Hermes Agent service account
3681e8c03e fix(semaphore): make volume creation task more robust 2026-05-28 14:31:06 -05:00
Hermes Agent service account
8f377e4cf3 fix(semaphore): create named volumes before deploying quadlets 2026-05-28 14:25:18 -05:00
Hermes Agent service account
419acaa40d fix(semaphore): use systemctl start for quadlet services after daemon-reload 2026-05-28 14:08:53 -05:00
Hermes Agent service account
42b204bf8a fix(semaphore): make quadlet deployment self-contained with immediate daemon-reload + service start 2026-05-28 14:06:24 -05:00
Hermes Agent service account
1d7dcb7d82 fix(semaphore): load role defaults in cleanup playbook so variables are defined 2026-05-28 14:02:33 -05:00
Hermes Agent service account
d63ca0b4f9 docs(semaphore): add cleanup playbook reference to deploy playbook 2026-05-28 14:01:00 -05:00
Hermes Agent service account
e9440327aa feat(semaphore): add dedicated cleanup playbook
- Explicit playbook for removing old container, systemd services, and quadlets
- Optional semaphore_force_clean variable for data removal
- Safer than tags for destructive operations
2026-05-28 10:25:56 -05:00
Hermes Agent service account
dcc7e282c7 feat(semaphore): complete quadlet deployment for PostgreSQL + Semaphore
- Add quadlet tasks and handlers for modern rootless Podman deployment
- Fix broken Jinja in semaphore.container.j2
- Add proper 0777 permissions handling for rootless
- Support semaphore_use_postgres toggle with fallback to legacy BoltDB path
2026-05-28 10:22:28 -05:00
Hermes Agent service account
6d5fc7c5c6 fix(semaphore): set data directory permissions to 0777 for rootless compatibility 2026-05-27 22:38:36 -05:00
312fdf9986 fix env.j2 2026-05-27 22:26:51 -05:00
Hermes Agent service account
4e0b4fa049 refactor(semaphore): remove unreliable admin user creation from role
Initial admin user must now be created manually after first deployment
2026-05-27 22:20:43 -05:00
Hermes Agent service account
cf7c2a1436 fix(semaphore): clean up admin user creation tasks with proper fallback and force logic 2026-05-27 22:16:34 -05:00
Hermes Agent service account
3dc6555ad1 fix(semaphore): support vault_semaphore_admin_password as fallback variable name 2026-05-27 22:15:20 -05:00
Hermes Agent service account
27ff9286b4 feat(semaphore): add semaphore_force_admin_user option
- When set to true, deletes existing admin user before creating
- Useful for recovering from bad password or broken user state
2026-05-27 22:10:32 -05:00
Hermes Agent service account
6e50461999 docs: add comprehensive Semaphore deployment and setup guide
- Covers deployment, initial setup, DNS/Traefik, GitOps approach, and troubleshooting
2026-05-27 21:57:02 -05:00
Hermes Agent service account
3f1c3a40cf feat(semaphore): add idempotent initial admin user creation
- New variables for admin user (password from vault)
- Task checks if user exists before creating
- Uses podman exec + semaphore CLI
2026-05-27 21:56:36 -05:00
Hermes Agent service account
0116ec4cc3 fix(dns): improve hostname extraction in add_service_route.yml
- Use explicit Jinja2 loop for more reliable parsing of Host() rules
- Handles multi-host router definitions correctly
2026-05-27 21:39:51 -05:00
Hermes Agent service account
f962d0a6d7 feat(dns): rewrite add_service_route.yml to support multi-host Traefik configs
- Parse Host() rules from router definitions
- Supports multiple hostnames per service file (e.g. semaphore + imagineering)
- More robust and future-proof
2026-05-27 21:31:41 -05:00
Hermes Agent service account
dc3c0d7cb1 feat(traefik): add semaphore dynamic config with dual hostnames
- semaphore.local.mk-labs.cloud
- imagineering.local.mk-labs.cloud
- Backend: figment:3000
- Cloudflare certResolver + security-headers
2026-05-27 21:24:02 -05:00