# Ansible Pull — Iron Legion Fleet

Auto-applied Ansible playbooks for the Iron Legion AI agent fleet.

## How It Works

Each node runs `ansible-pull` every 5 minutes via cron. It clones this repo and applies `local.yml` to itself.

## Repo Structure

```
.
├── local.yml                       # Main playbook — always runs
├── group_vars/
│   └── all.yml                     # Fleet-wide variables
├── host_vars/
│   ├── artemis.yml                 # Artemis (AI Foreman)
│   ├── cinnamint--elitebook.yml    # Cinnamint-EliteBook (WSL2 workstation)
│   ├── hulkbuster.yml              # Mark44 (GPU heavy)
│   ├── mark5.yml                   # Mark5 (GPU light / Suitcase)
│   ├── mark-vii.yml                # Mark VII (Swarm manager + services)
│   ├── mission-control.yml         # Mission-Control (WSL2 workstation)
│   ├── mk-33.yml                   # MK-33 Silver Centurion (Swarm worker)
│   ├── mk-34.yml                   # MK-34 (Swarm worker)
│   ├── mk-39.yml                   # MK-39 (Swarm worker)
│   ├── mk-42.yml                   # MK-42 Extremis (Swarm worker)
│   └── nebuchadnezzar.yml          # Neo (Nextcloud + Vaultwarden)
├── new-build/
│   └── portainer/
│       └── docker-compose.yml      # Portainer CE stack for Swarm manager
├── ubuntu-autoinstall/
│   └── autoinstall.yaml            # Fleet-standard headless autoinstall
└── archive/
    └── maas/
```

## Adding Node-Specific Tasks

Edit the corresponding `host_vars/` file with node-specific vars (packages, configs).
Edit `local.yml` for shared tasks that apply to all nodes.

## Security

- HTTPS auth via deploy token stored in `/etc/ansible/ansible.env`
- Token is root-readable only (chmod 600)
- Gitea provides TLS via NetBird mesh
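
An added example, not part of this repository: a pre-flight wrapper that verifies the token file described under Security (regular file, root-owned, mode 600) before `ansible-pull` loads it. It assumes GNU `stat` (Ubuntu nodes) and a hypothetical `ANSIBLE_PULL_URL` variable in the env file; the function names and the `--run` switch are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from this repo: refuse to run ansible-pull when the
# deploy-token file has drifted from the documented root-only, mode-600 state.
# Assumptions: GNU stat; ANSIBLE_PULL_URL is a hypothetical variable name
# for the repo URL kept in the env file.

ENV_FILE="${ENV_FILE:-/etc/ansible/ansible.env}"

# check_env_file PATH [EXPECTED_UID]
# Succeeds only if PATH is a regular file (not a symlink), owned by
# EXPECTED_UID (default 0, root) and has mode exactly 600.
check_env_file() {
    local path="$1" want_uid="${2:-0}" mode uid
    if [ -L "$path" ]; then
        echo "refusing: $path is a symlink" >&2
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "refusing: $path is missing or not a regular file" >&2
        return 1
    fi
    mode=$(stat -c '%a' -- "$path") || return 1
    uid=$(stat -c '%u' -- "$path") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "refusing: $path owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "refusing: $path has mode $mode, expected 600" >&2
        return 1
    fi
    return 0
}

# run_pull: load the token only after the file passes the check,
# then apply local.yml from the repo URL named in the env file.
run_pull() {
    check_env_file "$ENV_FILE" || return 1
    set -a; . "$ENV_FILE"; set +a
    ansible-pull -U "${ANSIBLE_PULL_URL:?not set in $ENV_FILE}" local.yml
}

# Only act when invoked with --run (for example from the cron entry).
if [ "${1:-}" = "--run" ]; then
    run_pull
fi
```

A non-zero exit from the wrapper shows up in cron's mail or log output, so a permission change on the token file surfaces within one 5-minute cycle.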