From b301ce44008d51c90be076bbafae06ae0f42bda6 Mon Sep 17 00:00:00 2001
From: Samuel James
Date: Wed, 10 Jun 2026 13:14:06 +0000
Subject: [PATCH] add: Ansible playbook to prepare racknerd3 for Forge

---
playbooks/prepare-racknerd3.yml | 159 ++++++++++++++++++++++++++++++++
1 file changed, 159 insertions(+)
create mode 100644 playbooks/prepare-racknerd3.yml

diff --git a/playbooks/prepare-racknerd3.yml b/playbooks/prepare-racknerd3.yml
new file mode 100644
index 0000000..845412d
--- /dev/null
+++ b/playbooks/prepare-racknerd3.yml
@@ -0,0 +1,159 @@ +--- +# Forge — Prepare racknerd3 +# Run from any host with SSH access to racknerd3: +# ansible-playbook -i "racknerd3," playbooks/prepare-racknerd3.yml +# +# Prerequisites: SSH access to racknerd3 as root + +- name: Prepare racknerd3 for Forge agents + hosts: all + become: true + vars: + forge_user: root + forge_home: /root/forge + forgejo_url: "http://192.168.122.102:3000" + forgejo_token: "4ba6ae006be3c1555f7ad63d64d5ecf4703fd6a3" + aws_region: us-east-1 + ssh_key_path: /root/.ssh/id_ed25519 + + tasks: + # ─── Stop and disable OpenClaw ─── + - name: Stop OpenClaw service + systemd: + name: openclaw + state: stopped + enabled: false + ignore_errors: true + + - name: Verify OpenClaw is stopped + command: systemctl is-active openclaw + register: claw_status + failed_when: false + changed_when: false + + - name: Report OpenClaw status + debug: + msg: "OpenClaw is {{ claw_status.stdout }}" + + # ─── Install dependencies ─── + - name: Install AWS CLI and base tools + apt: + name: + - awscli + - jq + - curl + - git + - cron + state: present + update_cache: true + + - name: Verify AWS CLI installed + command: aws --version + register: aws_ver + changed_when: false + + - name: Report AWS CLI version + debug: + msg: "{{ aws_ver.stdout }}" + + # ─── Configure Forgejo SSH access ─── + - name: Add Forgejo host key to known_hosts + known_hosts: + name: 192.168.122.102 + key: "{{ lookup('pipe', 'ssh-keyscan -t ed25519 192.168.122.102 2>/dev/null') }}" + path: /root/.ssh/known_hosts + state: present + + - name: Register SSH key with Forgejo + uri: + url: "{{ forgejo_url }}/api/v1/user/keys" + method: POST + headers: + Authorization: "token {{ forgejo_token }}" + Content-Type: "application/json" + body_format: json + body: + title: "racknerd3-forge" + key: "{{ lookup('file', ssh_key_path + '.pub') }}" + status_code: [201, 422] # 422 = key already exists + + # ─── Clone Forge repo ─── + - name: Create forge directory + file: + path: "{{ forge_home }}" + state: 
directory + mode: "0750" + + - name: Clone forge repo + git: + repo: "http://192.168.122.102:3000/sam/forge.git" + dest: "{{ forge_home }}" + version: main + force: false + environment: + GIT_TERMINAL_PROMPT: "0" + + # ─── AWS credentials placeholder ─── + - name: Create AWS credentials directory + file: + path: /root/.aws + state: directory + mode: "0700" + + - name: Create AWS config + copy: + dest: /root/.aws/config + mode: "0600" + content: | + [default] + region = {{ aws_region }} + output = json + + - name: Check if AWS credentials exist + stat: + path: /root/.aws/credentials + register: aws_creds + + - name: Remind about AWS credentials + debug: + msg: > + AWS credentials file does not exist. + Create an IAM user with Bedrock-only access and add credentials: + aws configure --profile default + when: not aws_creds.stat.exists + + # ─── Firewall cleanup ─── + - name: Ensure UFW allows SSH + ufw: + rule: allow + name: OpenSSH + + - name: Ensure UFW allows Telegram bot (port 18789 kept for transition) + ufw: + rule: allow + port: "18789" + proto: tcp + + # ─── Create agent log directories ─── + - name: Create log directories for each agent + file: + path: "{{ forge_home }}/agents/{{ item }}/logs" + state: directory + mode: "0750" + loop: + - scribe + - june + - nightwatch + + # ─── Summary ─── + - name: Preparation complete + debug: + msg: | + ✅ racknerd3 prepared for Forge: + - OpenClaw: disabled + - AWS CLI: installed (credentials needed) + - Forgejo SSH: configured + - Forge repo: cloned to {{ forge_home }} + - Agent log dirs: created + NEXT: Add AWS credentials (aws configure) and test Bedrock access +
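Review bot: The Forgejo API token in the play's `vars:` block (`forgejo_token: "…"`) is a live credential committed in plaintext, and the `Register SSH key with Forgejo` task will also print it in the Ansible output as part of the request headers whenever that task fails. Source it from outside the repository instead, e.g. `forgejo_token: "{{ lookup('env', 'FORGEJO_TOKEN') }}"` or an ansible-vault encrypted variable, and add `no_log: true` to that `uri` task so the Authorization header never reaches the log. Because the literal is already in history, it should be treated as exposed and rotated on the Forgejo side. Separately, `Add Forgejo host key to known_hosts` builds the entry from `lookup('pipe', 'ssh-keyscan …')` at run time, which accepts whatever key the address serves rather than verifying it; pinning the expected public key in a var such as `forgejo_host_key` would make the task an actual check instead of a prompt suppressor.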