ansible/playbooks/site.yml

---
# =============================================================================
# site.yml — Master Playbook for the Timmy Foundation Fleet
# =============================================================================
# This is the ONE playbook that defines the entire fleet state.
# Run this and every machine converges to golden state.
#
# Usage:
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml --limit bezalel
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check --diff
# =============================================================================

- name: "Timmy Foundation Fleet — Full Convergence"
  hosts: wizards
  become: true

  pre_tasks:
    - name: "Validate no banned providers in golden state"
      assert:
        that:
          - "item.name not in banned_providers"
        fail_msg: "BANNED PROVIDER DETECTED: {{ item.name }} — Anthropic is permanently banned."
        quiet: true
      loop: "{{ golden_state_providers }}"
      tags: [always]

    - name: "Display target wizard"
      debug:
        msg: "Deploying to {{ wizard_name }} ({{ wizard_role }}) on {{ ansible_host }}"
      tags: [always]

  roles:
    - role: wizard_base
      tags: [base, setup]

    - role: golden_state
      tags: [golden, config]

    - role: deadman_switch
      tags: [deadman, recovery]

    - role: request_log
      tags: [telemetry, logging]

    - role: cron_manager
      tags: [cron, schedule]

  post_tasks:
    - name: "Final validation — scan for banned providers"
      shell: |
        grep -ri 'anthropic\|claude-sonnet\|claude-opus\|claude-haiku' \
          {{ hermes_home }}/config.yaml \
          {{ wizard_home }}/config.yaml \
          {{ thin_config_path }} 2>/dev/null || true
      register: banned_scan
      changed_when: false
      tags: [validation]

    - name: "FAIL if banned providers found in deployed config"
      fail:
        msg: |
          BANNED PROVIDER DETECTED IN DEPLOYED CONFIG:
          {{ banned_scan.stdout }}
          Anthropic is permanently banned. Fix the config and re-deploy.
      when: banned_scan.stdout | length > 0
      tags: [validation]

    - name: "Deployment complete"
      debug:
        msg: "{{ wizard_name }} converged to golden state. Provider chain: {{ golden_state_providers | map(attribute='name') | list | join(' → ') }}"
      tags: [always]
feat(ansible): Canonical IaC playbook for fleet management Implements the Ansible Infrastructure as Code story from KT 2026-04-08. One canonical Ansible playbook defines: - Deadman switch (snapshot good config on health, rollback+restart on death) - Golden state config deployment (Anthropic BANNED, Kimi→Gemini→Ollama) - Cron schedule (source-controlled, no manual crontab edits) - Agent startup sequence (pull→validate→start→verify) - request_log telemetry table (every inference call logged) - Thin config pattern (immutable local pointer to upstream) - Gitea webhook handler (deploy on merge) - Config validator (rejects banned providers) Fleet inventory: Timmy (Mac), Allegro (VPS), Bezalel (VPS), Ezra (VPS) Roles: wizard_base, golden_state, deadman_switch, request_log, cron_manager Addresses: timmy-config #442, #443, #444, #445, #446 References: KT Final 2026-04-08 P2, KT Bezalel 2026-04-08 #1-#5 2026-04-09 22:25:31 +00:00			`---`
			`# =============================================================================`
			`# site.yml — Master Playbook for the Timmy Foundation Fleet`
			`# =============================================================================`
			`# This is the ONE playbook that defines the entire fleet state.`
			`# Run this and every machine converges to golden state.`
			`#`
			`# Usage:`
			`# ansible-playbook -i inventory/hosts.yml playbooks/site.yml`
			`# ansible-playbook -i inventory/hosts.yml playbooks/site.yml --limit bezalel`
			`# ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check --diff`
			`# =============================================================================`

			`- name: "Timmy Foundation Fleet — Full Convergence"`
			`hosts: wizards`
			`become: true`

			`pre_tasks:`
			`- name: "Validate no banned providers in golden state"`
			`assert:`
			`that:`
			`- "item.name not in banned_providers"`
			`fail_msg: "BANNED PROVIDER DETECTED: {{ item.name }} — Anthropic is permanently banned."`
			`quiet: true`
			`loop: "{{ golden_state_providers }}"`
			`tags: [always]`

			`- name: "Display target wizard"`
			`debug:`
			`msg: "Deploying to {{ wizard_name }} ({{ wizard_role }}) on {{ ansible_host }}"`
			`tags: [always]`

			`roles:`
			`- role: wizard_base`
			`tags: [base, setup]`

			`- role: golden_state`
			`tags: [golden, config]`

			`- role: deadman_switch`
			`tags: [deadman, recovery]`

			`- role: request_log`
			`tags: [telemetry, logging]`

			`- role: cron_manager`
			`tags: [cron, schedule]`

			`post_tasks:`
			`- name: "Final validation — scan for banned providers"`
			`shell: \|`
			`grep -ri 'anthropic\\|claude-sonnet\\|claude-opus\\|claude-haiku' \`
			`{{ hermes_home }}/config.yaml \`
			`{{ wizard_home }}/config.yaml \`
			`{{ thin_config_path }} 2>/dev/null \|\| true`
			`register: banned_scan`
			`changed_when: false`
			`tags: [validation]`

			`- name: "FAIL if banned providers found in deployed config"`
			`fail:`
			`msg: \|`
			`BANNED PROVIDER DETECTED IN DEPLOYED CONFIG:`
			`{{ banned_scan.stdout }}`
			`Anthropic is permanently banned. Fix the config and re-deploy.`
			`when: banned_scan.stdout \| length > 0`
			`tags: [validation]`

			`- name: "Deployment complete"`
			`debug:`
			`msg: "{{ wizard_name }} converged to golden state. Provider chain: {{ golden_state_providers \| map(attribute='name') \| list \| join(' → ') }}"`
			`tags: [always]`