feat(deploy): Ansible provisioning for prod hosts (Stage 18)
Idempotent playbooks under deploy/ansible/ prepare both production hosts: docker-ce + compose plugin, a non-sudo deploy service account holding the CI deploy key, key-only sshd, default-deny ufw, fail2ban, unattended upgrades and chrony. The main host also opens 80/443/9443 and creates the external edge network; the tg host verifies direct Bot API egress (the no-VPN assumption). The application is deployed separately by the prod-deploy workflow (later phase), running as the deploy account this playbook provisions.
This commit is contained in:
@@ -0,0 +1,6 @@
|
||||
# Managed by Ansible (deploy/ansible). Key-only authentication.
|
||||
# root stays reachable by key (prohibit-password) for provisioning re-runs.
|
||||
PasswordAuthentication no
|
||||
PermitRootLogin prohibit-password
|
||||
PubkeyAuthentication yes
|
||||
KbdInteractiveAuthentication no
|
||||
Reference in New Issue
Block a user