homelab/orchestration/ansible/README.md
Dan V deb6c38d7b chore: commit homelab setup — deployment, services, orchestration, skill
- Add .gitignore: exclude compiled binaries, build artifacts, and Helm
  values files containing real secrets (authentik, prometheus)
- Add all Kubernetes deployment manifests (deployment/)
- Add services source code: ha-sync, device-inventory, games-console,
  paperclip, parts-inventory
- Add Ansible orchestration: playbooks, roles, inventory, cloud-init
- Add hardware specs, execution plans, scripts, HOMELAB.md
- Add skills/homelab/SKILL.md + skills/install.sh to preserve Copilot skill
- Remove previously-tracked inventory-cli binary from git index

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 08:10:32 +02:00

# Homelab SSH Orchestration (Ansible)
This setup gives you a **centralized, SSH-managed orchestration engine** for your homelab.
Control plane expectation: run Ansible from a dedicated Proxmox VM (`ansible-control`), not from your laptop.
## Why this stack
- Agentless (no daemon required on targets)
- Centrally managed from one control node
- Native SSH workflow (fits your existing key-based access)
## Layout
- `ansible.cfg` - controller defaults
- `inventory/hosts.yml` - your homelab hosts and groups
- `group_vars/all.yml` - common variables (key path, packages, timezone)
- `playbooks/ping.yml` - connectivity validation
- `playbooks/baseline.yml` - baseline hardening and package setup
## 0) Create dedicated control VM in Proxmox
From any machine that can SSH to the Proxmox host as root:
```bash
cd /Users/dan/work/homelab/orchestration/ansible
chmod +x scripts/create-ansible-control-vm.sh
./scripts/create-ansible-control-vm.sh
```
This creates `ansible-control` (VMID `105`) on the Proxmox host at `192.168.2.193`, installing from the Ubuntu 24.04 ISO.
After the Ubuntu install in the Proxmox console, confirm:
- the VM has the static IP `192.168.2.105`
- SSH key login works for user `dan`
- `dan` can use `sudo`
## 0.5) Establish Proxmox cloud-init SSH key baseline
Goal: have cloud-init inject one predefined set of public keys into every Linux VM, so access to new guests does not depend on keys added by hand.
1. Put your public keys, one per line, in `cloud-init/authorized_keys`.
2. Run the setup script:
```bash
cd /Users/dan/work/homelab/orchestration/ansible
chmod +x scripts/proxmox-cloudinit-setup.sh
./scripts/proxmox-cloudinit-setup.sh
```
Defaults:
- Proxmox host: `root@192.168.2.193`
- VM targets: `100 102 103 104 105`
- Cloud-init user: `dan`
Override example:
```bash
VMIDS="100 104 105" CI_USER="dan" ./scripts/proxmox-cloudinit-setup.sh
```
Notes:
- Windows guests are skipped automatically.
- For existing Linux guests, cloud-init changes typically take effect after the next reboot.
## 1) Bootstrap control node
From this directory on the control node:
```bash
cd /Users/dan/work/homelab/orchestration/ansible
./scripts/bootstrap-control-node.sh
```
If needed, add the local Python bin directory to `PATH`; the script prints the exact line to use.
## 2) Validate SSH orchestration
```bash
ansible --version
ansible-inventory --graph
ansible all -m ping
ansible-playbook playbooks/ping.yml
```
## 3) Apply baseline config
```bash
ansible-playbook playbooks/baseline.yml
```
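The README describes `baseline.yml` only as "baseline hardening and package setup" and notes that the Proxmox host is kept out of it. The playbook below is an added example of that shape, not the repository's own file: the `all:!proxmox` pattern, a guard so it refuses non-Debian hosts, and an sshd drop-in that is syntax-checked with `sshd -t` before it is installed. The variable names `baseline_packages` and `homelab_timezone` are assumptions about what `group_vars/all.yml` provides; the defaults shown are only fallbacks.
```yaml
# playbooks/baseline.yml (added example; the repo's own baseline.yml may differ)
- name: Baseline hardening for Linux guests (never the Proxmox host)
  hosts: all:!proxmox
  become: true

  pre_tasks:
    - name: Refuse to run on anything that is not a Debian-family guest
      ansible.builtin.assert:
        that: ansible_facts['os_family'] == 'Debian'
        fail_msg: "{{ inventory_hostname }} is {{ ansible_facts['os_family'] }}; baseline targets Ubuntu/Debian only"

  tasks:
    - name: Install baseline packages (list normally comes from group_vars/all.yml)
      ansible.builtin.apt:
        # baseline_packages is an assumed variable name; the list here is a fallback only
        name: "{{ baseline_packages | default(['unattended-upgrades', 'fail2ban']) }}"
        state: present
        update_cache: true
        cache_valid_time: 3600

    - name: Set timezone (value normally comes from group_vars/all.yml)
      community.general.timezone:
        # homelab_timezone is an assumed variable name
        name: "{{ homelab_timezone | default('UTC') }}"

    - name: Harden sshd via a drop-in; sshd -t validates the file before it lands
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-homelab-baseline.conf
        owner: root
        group: root
        mode: "0644"
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # Key-only access, matching the README's key-based SSH workflow
          PubkeyAuthentication yes
          PasswordAuthentication no
          KbdInteractiveAuthentication no
          PermitRootLogin no
          MaxAuthTries 3
          X11Forwarding no
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```
Run this only after step 0 has confirmed that key login and `sudo` work for `dan`: with `PasswordAuthentication no` and `PermitRootLogin no` there is no fallback path. The same two lines are why the Proxmox host, which is managed as `root` over SSH, must stay in its own excluded group.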
## 4) Run targeted orchestration examples
```bash
# Reboot only workers, two at a time; the reboot module waits for each host to come back
ansible workers -m reboot -b -f 2
# Update package metadata everywhere except the Proxmox host
ansible 'all:!proxmox' -m apt -a "update_cache=true" -b
# Check uptime of control-plane nodes
ansible control_plane -a "uptime"
```
## 5) Deploy/redeploy Paperclip on openclaw
Playbook:
```bash
ansible-playbook playbooks/paperclip-openclaw.yml -l openclaw
```
One-command helper (from this directory):
```bash
chmod +x scripts/deploy-paperclip-openclaw.sh
./scripts/deploy-paperclip-openclaw.sh
```
Post-deploy quick checks:
```bash
ansible openclaw -b -m shell -a "systemctl is-enabled paperclip; systemctl is-active paperclip; ss -lntp | grep ':3100 '"
curl -sS http://192.168.2.88:3100/api/health
```
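The two ad-hoc checks above pass or fail by eye. As an added example (not a playbook from the repository), the same checks expressed as a playbook that fails the run when the unit is not enabled and running, when nothing listens on 3100, or when `/api/health` does not return 200, both from the node itself and from the control node. It assumes `openclaw` is in the inventory with an `ansible_host` set to the address the README's `curl` uses.
```yaml
# playbooks/paperclip-verify.yml (added example, not part of the repo)
- name: Verify Paperclip on openclaw after deploy
  hosts: openclaw
  gather_facts: false
  tasks:
    - name: Collect systemd unit state
      ansible.builtin.service_facts:

    - name: Unit must be enabled and running
      ansible.builtin.assert:
        that:
          - "'paperclip.service' in ansible_facts.services"
          - ansible_facts.services['paperclip.service'].status == 'enabled'
          - ansible_facts.services['paperclip.service'].state == 'running'
        fail_msg: "paperclip.service is missing, disabled or not running"

    - name: Port 3100 must be listening (allow up to 30 s after a restart)
      ansible.builtin.wait_for:
        host: 127.0.0.1
        port: 3100
        timeout: 30

    - name: Health endpoint must answer 200 on the node itself
      ansible.builtin.uri:
        url: http://127.0.0.1:3100/api/health
        status_code: 200
        return_content: true
      register: health_local

    - name: Health endpoint must also be reachable from the control node
      ansible.builtin.uri:
        # ansible_host is assumed to be set in inventory (e.g. 192.168.2.88 per the README's curl)
        url: "http://{{ ansible_host | default(inventory_hostname) }}:3100/api/health"
        status_code: 200
      delegate_to: localhost
      become: false
```
Run it with `ansible-playbook playbooks/paperclip-verify.yml -l openclaw`. Keeping the local and remote health checks separate tells you whether a failure is the service itself or the network path between the control node and the host.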
## Notes
- Inventory includes your known hosts:
  - `kube-node-1` (`192.168.2.100`, user `dan`)
  - `kube-node-2` (`192.168.2.195`, user `dan`)
  - `kube-node-3` (`192.168.2.196`, user `dan`)
  - `kube-arbiter` (`192.168.2.200`, user `dan`)
  - `hp-proliant-proxmox` (`192.168.2.193`, user `root`)
- Proxmox is split into its own group to avoid accidentally running Linux baseline hardening tasks against it.
- If a host uses a different key path, override `ansible_ssh_private_key_file` in that host's inventory vars.
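The Layout section names `inventory/hosts.yml` and the Notes above list the hosts, their addresses and users, but the README does not show the file. Below is an added example of how those notes translate into a YAML inventory; it is not the repository's `hosts.yml`. Hosts, addresses and users are the ones listed above. Which kube nodes sit in `control_plane` versus `workers`, `openclaw` being the host at `192.168.2.88` (the README only shows that address as the health-check target), and the Proxmox key path are assumptions, marked in comments.
```yaml
# inventory/hosts.yml (added example, not the repo's file)
all:
  vars:
    ansible_user: dan
    # The shared key path lives in group_vars/all.yml per the README; a per-host
    # ansible_ssh_private_key_file (see hp-proliant-proxmox) overrides it.
  children:
    control_plane:            # membership is an assumption
      hosts:
        kube-node-1:
          ansible_host: 192.168.2.100
        kube-arbiter:         # assumed: arbiter node grouped with the control plane
          ansible_host: 192.168.2.200
    workers:                  # membership is an assumption
      hosts:
        kube-node-2:
          ansible_host: 192.168.2.195
        kube-node-3:
          ansible_host: 192.168.2.196
    apps:
      hosts:
        openclaw:
          ansible_host: 192.168.2.88   # assumed: the README's health check targets this IP
    # Proxmox is deliberately its own group, so `hosts: all:!proxmox` in
    # baseline.yml never reaches the hypervisor, which is managed as root.
    proxmox:
      hosts:
        hp-proliant-proxmox:
          ansible_host: 192.168.2.193
          ansible_user: root
          ansible_ssh_private_key_file: ~/.ssh/proxmox_root_ed25519   # assumed path
```
`ansible-inventory --graph` from step 2 should show `proxmox` as a sibling of the Kubernetes groups, not nested under them; if it appears inside a group that `baseline.yml` targets, the exclusion in the play pattern is the only thing keeping hardening tasks off the hypervisor.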