hermes-agent/ansible/fleet_mtls.yml

---
# fleet_mtls.yml — Deploy mutual-TLS certificates to all fleet agents.
#
# Prerequisites:
#   1. Run scripts/gen_fleet_ca.sh to create the fleet CA.
#   2. For each agent, run:
#        scripts/gen_agent_cert.sh --agent timmy
#        scripts/gen_agent_cert.sh --agent allegro
#        scripts/gen_agent_cert.sh --agent ezra
#
# Usage:
#   ansible-playbook -i inventory/fleet.ini ansible/fleet_mtls.yml
#
# Inventory example (inventory/fleet.ini):
#   [fleet]
#   timmy.local   agent_name=timmy
#   allegro.local agent_name=allegro
#   ezra.local    agent_name=ezra
#
# Refs #806

- name: Distribute fleet mTLS certificates
  hosts: fleet
  become: true
  vars:
    _pki_base: "{{ lookup('env', 'HOME') }}/.hermes/pki"
  roles:
    - role: hermes_mtls
      vars:
        hermes_mtls_local_ca_cert: "{{ _pki_base }}/ca/fleet-ca.crt"
        hermes_mtls_local_agent_cert: "{{ _pki_base }}/agents/{{ agent_name }}/{{ agent_name }}.crt"
        hermes_mtls_local_agent_key: "{{ _pki_base }}/agents/{{ agent_name }}/{{ agent_name }}.key"