- Stop checking out the old private mono-repo `ai-workspace-infra`.
- Checkout the split public repositories `ai-workspace-infra/playbooks` and `ai-workspace-infra/iac_modules` separately.
- Remove `CODEX_GITHUB_PERSONAL_ACCESS_TOKEN` (`INFRA_REPO_TOKEN`) dependency from vault as it's no longer needed for public repos.
Documents the YAML->generate.py->terraform->cmdb.json->ansible flow, the FQDN
inventory_hostname contract, the two execution models, the Vault-OIDC pipeline,
the non-empty/fail-fast checks, and the key fixes that make it work end to end.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
DEEPSEEK/NVIDIA/OLLAMA_API_KEY live in kv/data/openclaw (not CICD); vault-action
reads them from that path in the same step. Policy grants read on both
kv/data/CICD and kv/data/openclaw.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- VAULT_KV -> kv/data/CICD (shared CICD secrets), map existing keys to outputs:
CODEX_GITHUB_PERSONAL_ACCESS_TOKEN->INFRA_REPO_TOKEN,
SSH_PRIVATE_DEPLOY_KEY[_B64]->ANSIBLE_SSH_KEY[_B64],
CLOUDFLARE_DNS_API_TOKEN direct; VULTR_API_KEY/LLM keys same name.
- docs: policy reads kv/data/CICD; field table maps existing keys; note the
three LLM keys still need to be added to kv/CICD, and SSH_PUBLIC_DEPLOY_KEY
must match hosts.yaml.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- deploy job: read ANSIBLE_SSH_KEY_B64 (preferred) + ANSIBLE_SSH_KEY (fallback)
from Vault, decode/write ~/.ssh/id_deploy and ssh-keygen -y self-check —
matches the org SSH-deploy runbook (avoids multiline-key libcrypto errors).
- docs/operations/vault-github-actions.md: full Vault role/policy/jwt/KV setup
for github-actions-xworkspace-console, mirroring the existing org records.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- deploy-ai-workspace-iac.yaml: deploy job now ssh-es to each host and runs
the official curl|bash bootstrap locally (host-side ansible -c local,
offline-accelerated), instead of running all-in-one from the runner (which
breaks on roles/agent_skills delegate_to: localhost). provision job kept as
the batch-provision mode.
- docs/operations: record final console fix (local python static backend),
caddy/public-access architecture, and debian13/ubuntu26.04/macOS verification.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Records the IaC->inventory->deploy linkage, offline-package linkage
verification, the local-on-host execution finding, the 5 fixes applied to
playbooks, and the remaining console static-serve + pipeline TODOs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
