infra/host-provisioner/pipeline/head This commit looks goodDetails
Since the host-provisioner connects to remote machines as _root_, it
normally doesn't use Ansible's "become" system at all. Some tasks,
though, need to to use it to switch to a specific unprivileged user.
For those, `doas` is not appropriate, since it doesn't permit root by
default. Rather than adjust this configuration, let's switch to `su`
which requires no configuration, and does allow root.
The _Host Provisioner_ is a tool that runs an Anisble playbook to
initially provision a new machine. It is intended to run as a
Kubernetes Job, created by a webhook that is triggered when the machine
boots up for the first time. The tool retrieves information about the
new machine (its hostname and SSH host keys) from a message queue,
published by the same webhook that launched the job. It then clones
the configuration policy (optionally from the branch provided in the
host info message) and applies the `site.yml` playbook.
Dustin