Implements the Ansible Infrastructure as Code story from KT 2026-04-08.

One canonical Ansible playbook defines:
- Deadman switch (snapshot good config on health, rollback+restart on death)
- Golden state config deployment (Anthropic BANNED, Kimi→Gemini→Ollama)
- Cron schedule (source-controlled, no manual crontab edits)
- Agent startup sequence (pull→validate→start→verify)
- request_log telemetry table (every inference call logged)
- Thin config pattern (immutable local pointer to upstream)
- Gitea webhook handler (deploy on merge)
- Config validator (rejects banned providers)

Fleet inventory: Timmy (Mac), Allegro (VPS), Bezalel (VPS), Ezra (VPS)
Roles: wizard_base, golden_state, deadman_switch, request_log, cron_manager
Addresses: timmy-config #442, #443, #444, #445, #446
References: KT Final 2026-04-08 P2, KT Bezalel 2026-04-08 #1-#5
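---
# =============================================================================
# site.yml — Master Playbook for the Timmy Foundation Fleet
# =============================================================================
# This is the ONE playbook that defines the entire fleet state.
# Run this and every machine converges to golden state.
#
# Usage:
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml --limit bezalel
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check --diff
#
# Provider policy is checked twice in this play:
#   1. pre_tasks  — the desired provider list is checked before any role runs.
#   2. post_tasks — the config files on the host are scanned after the roles.
# Variables used here (golden_state_providers, banned_providers, hermes_home,
# wizard_home, thin_config_path, wizard_name, wizard_role) are not defined in
# this file; they must come from inventory, group/host vars or role defaults.
# =============================================================================

- name: "Timmy Foundation Fleet — Full Convergence"
  hosts: wizards
  become: true

  pre_tasks:
    # Gate on the *intended* state: abort before any role runs if a provider
    # entry carries a banned name. Tagged `always` so tag-limited runs cannot
    # bypass it.
    # NOTE(review): `in` is an exact, case-sensitive comparison, while the
    # post-deploy scan below is case-insensitive. Confirm that provider names
    # are normalised where golden_state_providers / banned_providers are
    # defined, otherwise a differently-cased name passes this gate.
    - name: "Validate no banned providers in golden state"
      assert:
        that:
          - "item.name not in banned_providers"
        fail_msg: "BANNED PROVIDER DETECTED: {{ item.name }} — Anthropic is permanently banned."
        quiet: true
      loop: "{{ golden_state_providers }}"
      tags: [always]

    - name: "Display target wizard"
      debug:
        msg: "Deploying to {{ wizard_name }} ({{ wizard_role }}) on {{ ansible_host }}"
      tags: [always]

  roles:
    - role: wizard_base
      tags: [base, setup]

    - role: golden_state
      tags: [golden, config]

    - role: deadman_switch
      tags: [deadman, recovery]

    - role: request_log
      tags: [telemetry, logging]

    - role: cron_manager
      tags: [cron, schedule]

  post_tasks:
    # Gate on the *deployed* state: search the config files on the host for
    # banned provider / model strings.
    #   - `check_mode: false`: the scan is read-only, and without this the
    #     shell task is skipped under `--check`, so the advertised
    #     `--check --diff` run would never inspect the files.
    #   - `always` tag: a tag-limited run (e.g. `--tags golden`) still scans
    #     what it just deployed.
    #   - `-E`: POSIX extended regex, so the alternation does not depend on
    #     the GNU `\|` extension to basic regex.
    #   - `quote`: paths are passed to the shell as single arguments even if
    #     a variable contains spaces or shell metacharacters.
    # NOTE(review): `2>/dev/null || true` tolerates missing or unreadable
    # files, so the scan reports "clean" when a file could not be read. If
    # all three paths are expected on every host, tighten this so that a
    # grep error (exit status 2) fails the play.
    # NOTE(review): the pattern is hard-coded and can drift from
    # banned_providers; keep the two in sync when the ban list changes.
    - name: "Final validation — scan for banned providers"
      shell: |
        grep -riE 'anthropic|claude-sonnet|claude-opus|claude-haiku' \
          {{ (hermes_home ~ '/config.yaml') | quote }} \
          {{ (wizard_home ~ '/config.yaml') | quote }} \
          {{ thin_config_path | quote }} 2>/dev/null || true
      register: banned_scan
      changed_when: false
      check_mode: false
      tags: [always, validation]

    # Any output from the scan is a policy violation and fails the play.
    # NOTE(review): matching lines are echoed verbatim into the run output.
    # If a matching line can hold a credential (for example an API key
    # setting), it ends up in logs; consider reporting only file names.
    - name: "FAIL if banned providers found in deployed config"
      fail:
        msg: |
          BANNED PROVIDER DETECTED IN DEPLOYED CONFIG:
          {{ banned_scan.stdout }}
          Anthropic is permanently banned. Fix the config and re-deploy.
      when: banned_scan.stdout | length > 0
      tags: [always, validation]

    - name: "Deployment complete"
      debug:
        msg: "{{ wizard_name }} converged to golden state. Provider chain: {{ golden_state_providers | map(attribute='name') | list | join(' → ') }}"
      tags: [always]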