# Ansible Pull — Iron Legion Fleet

Auto-applied Ansible playbooks for the Iron Legion AI agent fleet.

## How It Works

Each node runs `ansible-pull` every 5 minutes via cron. It clones this repo and applies `local.yml` to itself.

## Repo Structure

```
.
├── local.yml              # Main playbook — always runs
├── group_vars/
│   └── all.yml            # Fleet-wide variables
├── host_vars/
│   ├── artemis.yml        # Artemis (AI Foreman) specific
│   ├── mark44.yml         # Mark44 (Hulkbuster) specific
│   ├── mark5.yml          # Mark5 (Suitcase) specific
│   └── bones.yml          # Bones (Mark XLI) specific
└── roles/
    └── common/
        └── tasks/
            └── main.yml
```

## Adding Node-Specific Tasks

Edit the corresponding `host_vars/` file with node-specific vars (packages, configs).
Edit `local.yml` for shared tasks that apply to all nodes.

## Security

- HTTPS auth via deploy token stored in `/etc/ansible/ansible.env`
- Token is root-readable only (chmod 600)
- Gitea provides TLS via NetBird mesh