ansible/README.md

# Ansible IaC — The Timmy Foundation Fleet

> One canonical Ansible playbook defines: deadman switch, cron schedule,
> golden state rollback, agent startup sequence.
> — KT Final Session 2026-04-08, Priority TWO

## Purpose

This directory contains the **single source of truth** for fleet infrastructure.
No more ad-hoc recovery implementations. No more overlapping deadman switches.
No more agents mutating their own configs into oblivion.

**Everything** goes through Ansible. If it's not in a playbook, it doesn't exist.

## Architecture

```
┌─────────────────────────────────────────────────┐
│                  Gitea (Source of Truth)          │
│  timmy-config/ansible/                           │
│    ├── inventory/hosts.yml    (fleet machines)    │
│    ├── playbooks/site.yml     (master playbook)   │
│    ├── roles/                 (reusable roles)    │
│    └── group_vars/wizards.yml (golden state)      │
└──────────────────┬──────────────────────────────┘
                   │  PR merge triggers webhook
                   ▼
┌─────────────────────────────────────────────────┐
│              Gitea Webhook Handler                │
│  scripts/deploy_on_webhook.sh                     │
│  → ansible-pull on each target machine            │
└──────────────────┬──────────────────────────────┘
                   │  ansible-pull
                   ▼
┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐
│  Timmy   │  │ Allegro  │  │ Bezalel  │  │  Ezra    │
│  (Mac)   │  │  (VPS)   │  │  (VPS)   │  │  (VPS)   │
│          │  │          │  │          │  │          │
│ deadman  │  │ deadman  │  │ deadman  │  │ deadman  │
│ cron     │  │ cron     │  │ cron     │  │ cron     │
│ golden   │  │ golden   │  │ golden   │  │ golden   │
│ req_log  │  │ req_log  │  │ req_log  │  │ req_log  │
└──────────┘  └──────────┘  └──────────┘  └──────────┘
```

## Quick Start

```bash
# Deploy everything to all machines
ansible-playbook -i inventory/hosts.yml playbooks/site.yml

# Deploy only golden state config
ansible-playbook -i inventory/hosts.yml playbooks/golden_state.yml

# Deploy only to a specific wizard
ansible-playbook -i inventory/hosts.yml playbooks/site.yml --limit bezalel

# Dry run (check mode)
ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check --diff
```

## Golden State Provider Chain

All wizard configs converge on this provider chain. **Anthropic is BANNED.**

| Priority | Provider             | Model            | Endpoint                          |
| -------- | -------------------- | ---------------- | --------------------------------- |
| 1        | Kimi                 | kimi-k2.5        | https://api.kimi.com/coding/v1    |
| 2        | Gemini (OpenRouter)  | gemini-2.5-pro   | https://openrouter.ai/api/v1      |
| 3        | Ollama (local)       | gemma4:latest    | http://localhost:11434/v1         |

## Roles

| Role             | Purpose                                                      |
| ---------------- | ------------------------------------------------------------ |
| `wizard_base`    | Common wizard setup: directories, thin config, git pull      |
| `deadman_switch` | Health check → snapshot good config → rollback on death      |
| `golden_state`   | Deploy and enforce golden state provider chain               |
| `request_log`    | SQLite telemetry table for every inference call               |
| `cron_manager`   | Source-controlled cron jobs — no manual crontab edits         |

## Rules

1. **No manual changes.** If it's not in a playbook, it will be overwritten.
2. **No Anthropic.** Banned. Enforcement is automated. See `BANNED_PROVIDERS.yml`.
3. **Idempotent.** Every playbook can run 100 times with the same result.
4. **PR required.** Config changes go through Gitea PR review, then deploy.
5. **One identity per machine.** No duplicate agents. Fleet audit enforces this.

## Related Issues

- timmy-config #442: [P2] Ansible IaC Canonical Playbook
- timmy-config #444: Wire Deadman Switch ACTION
- timmy-config #443: Thin Config Pattern
- timmy-config #446: request_log Telemetry Table
feat(ansible): Canonical IaC playbook for fleet management Implements the Ansible Infrastructure as Code story from KT 2026-04-08. One canonical Ansible playbook defines: - Deadman switch (snapshot good config on health, rollback+restart on death) - Golden state config deployment (Anthropic BANNED, Kimi→Gemini→Ollama) - Cron schedule (source-controlled, no manual crontab edits) - Agent startup sequence (pull→validate→start→verify) - request_log telemetry table (every inference call logged) - Thin config pattern (immutable local pointer to upstream) - Gitea webhook handler (deploy on merge) - Config validator (rejects banned providers) Fleet inventory: Timmy (Mac), Allegro (VPS), Bezalel (VPS), Ezra (VPS) Roles: wizard_base, golden_state, deadman_switch, request_log, cron_manager Addresses: timmy-config #442, #443, #444, #445, #446 References: KT Final 2026-04-08 P2, KT Bezalel 2026-04-08 #1-#5 2026-04-09 22:25:31 +00:00			`# Ansible IaC — The Timmy Foundation Fleet`

			`> One canonical Ansible playbook defines: deadman switch, cron schedule,`
			`> golden state rollback, agent startup sequence.`
			`> — KT Final Session 2026-04-08, Priority TWO`

			`## Purpose`

			`This directory contains the single source of truth for fleet infrastructure.`
			`No more ad-hoc recovery implementations. No more overlapping deadman switches.`
			`No more agents mutating their own configs into oblivion.`

			`Everything goes through Ansible. If it's not in a playbook, it doesn't exist.`

			`## Architecture`

			```
			`┌─────────────────────────────────────────────────┐`
			`│ Gitea (Source of Truth) │`
			`│ timmy-config/ansible/ │`
			`│ ├── inventory/hosts.yml (fleet machines) │`
			`│ ├── playbooks/site.yml (master playbook) │`
			`│ ├── roles/ (reusable roles) │`
			`│ └── group_vars/wizards.yml (golden state) │`
			`└──────────────────┬──────────────────────────────┘`
			`│ PR merge triggers webhook`
			`▼`
			`┌─────────────────────────────────────────────────┐`
			`│ Gitea Webhook Handler │`
			`│ scripts/deploy_on_webhook.sh │`
			`│ → ansible-pull on each target machine │`
			`└──────────────────┬──────────────────────────────┘`
			`│ ansible-pull`
			`▼`
			`┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐`
			`│ Timmy │ │ Allegro │ │ Bezalel │ │ Ezra │`
			`│ (Mac) │ │ (VPS) │ │ (VPS) │ │ (VPS) │`
			`│ │ │ │ │ │ │ │`
			`│ deadman │ │ deadman │ │ deadman │ │ deadman │`
			`│ cron │ │ cron │ │ cron │ │ cron │`
			`│ golden │ │ golden │ │ golden │ │ golden │`
			`│ req_log │ │ req_log │ │ req_log │ │ req_log │`
			`└──────────┘ └──────────┘ └──────────┘ └──────────┘`
			```

			`## Quick Start`

			```bash
			`# Deploy everything to all machines`
			`ansible-playbook -i inventory/hosts.yml playbooks/site.yml`

			`# Deploy only golden state config`
			`ansible-playbook -i inventory/hosts.yml playbooks/golden_state.yml`

			`# Deploy only to a specific wizard`
			`ansible-playbook -i inventory/hosts.yml playbooks/site.yml --limit bezalel`

			`# Dry run (check mode)`
			`ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check --diff`
			```

			`## Golden State Provider Chain`

			`All wizard configs converge on this provider chain. Anthropic is BANNED.`

			`\| Priority \| Provider \| Model \| Endpoint \|`
			`\| -------- \| -------------------- \| ---------------- \| --------------------------------- \|`
			`\| 1 \| Kimi \| kimi-k2.5 \| https://api.kimi.com/coding/v1 \|`
			`\| 2 \| Gemini (OpenRouter) \| gemini-2.5-pro \| https://openrouter.ai/api/v1 \|`
			`\| 3 \| Ollama (local) \| gemma4:latest \| http://localhost:11434/v1 \|`

			`## Roles`

			`\| Role \| Purpose \|`
			`\| ---------------- \| ------------------------------------------------------------ \|`
			\| `wizard_base` \| Common wizard setup: directories, thin config, git pull \|
			\| `deadman_switch` \| Health check → snapshot good config → rollback on death \|
			\| `golden_state` \| Deploy and enforce golden state provider chain \|
			\| `request_log` \| SQLite telemetry table for every inference call \|
			\| `cron_manager` \| Source-controlled cron jobs — no manual crontab edits \|

			`## Rules`

			`1. No manual changes. If it's not in a playbook, it will be overwritten.`
			2. No Anthropic. Banned. Enforcement is automated. See `BANNED_PROVIDERS.yml`.
			`3. Idempotent. Every playbook can run 100 times with the same result.`
			`4. PR required. Config changes go through Gitea PR review, then deploy.`
			`5. One identity per machine. No duplicate agents. Fleet audit enforces this.`

			`## Related Issues`

			`- timmy-config #442: [P2] Ansible IaC Canonical Playbook`
			`- timmy-config #444: Wire Deadman Switch ACTION`
			`- timmy-config #443: Thin Config Pattern`
			`- timmy-config #446: request_log Telemetry Table`