feat(nut): include pi5-worker1 in nut_clients; SSH unblocked #20

Merged
kblack0610 merged 1 commit from feat/nut-include-worker1 into master 2026-06-03 14:45:52 +00:00
Owner

The original NUT PR excluded pi5-worker1 from nut_clients based on an inventory note claiming its SSH key auth was broken. Investigation while rolling out NUT to workers 2-5 found the diagnosis was actually wrong — ALL workers were rejecting the current workstation's ed25519 key because their authorized_keys held a stale ssh-rsa key from a prior workstation (kblack0610-cachy, dated Sep 30 2025).

PXE kickstart's key seeding only applies to fresh installs; these hosts predated the current key. Fix path: kubectl debug node/<k8s-name> --profile=sysadmin -- chroot /host sh -c 'echo $KEY >> /home/kblack0610/.ssh/authorized_keys' — no SSH needed because the privileged debug pod has host fs at /host. After that, all 5 workers SSH-reachable from this workstation.

This PR:

  • Adds pi5-worker1 to nut_clients
  • Removes the stale "rejects key-based auth" comment under linux_bare_metal (that diagnosis was wrong)

The host-access pattern itself is documented in a follow-up doc PR.

Test plan

  • ansible nut_clients -m ping — all 5 OK
  • Dry-run on pi5-worker1: ok=8, changed=4, failed=0
  • Apply (post-merge): ansible-playbook --tags nut --limit pi5-worker1
  • Verify nut-monitor active + upsc cyberpower@192.168.1.20 returns metrics
The original NUT PR excluded pi5-worker1 from `nut_clients` based on an inventory note claiming its SSH key auth was broken. Investigation while rolling out NUT to workers 2-5 found the diagnosis was actually wrong — ALL workers were rejecting the current workstation's ed25519 key because their authorized_keys held a stale ssh-rsa key from a prior workstation (`kblack0610-cachy`, dated Sep 30 2025). PXE kickstart's key seeding only applies to fresh installs; these hosts predated the current key. Fix path: `kubectl debug node/<k8s-name> --profile=sysadmin -- chroot /host sh -c 'echo $KEY >> /home/kblack0610/.ssh/authorized_keys'` — no SSH needed because the privileged debug pod has host fs at /host. After that, all 5 workers SSH-reachable from this workstation. This PR: - Adds `pi5-worker1` to `nut_clients` - Removes the stale "rejects key-based auth" comment under `linux_bare_metal` (that diagnosis was wrong) The host-access pattern itself is documented in a follow-up doc PR. ## Test plan - [x] `ansible nut_clients -m ping` — all 5 OK - [x] Dry-run on pi5-worker1: `ok=8, changed=4, failed=0` - [ ] Apply (post-merge): `ansible-playbook --tags nut --limit pi5-worker1` - [ ] Verify `nut-monitor` active + `upsc cyberpower@192.168.1.20` returns metrics
Workers 2-5 were the original nut_clients; pi5-worker1 was excluded
based on an inventory note saying its SSH key auth was broken. The
diagnosis was actually wrong — ALL workers were rejecting the current
workstation's ed25519 key because their authorized_keys still held a
stale ssh-rsa key from a prior workstation (kblack0610-cachy). The PXE
kickstart's seeded key only applies to fresh installs; these hosts
predate the current key.

Fix path (see docs/host-access.md): used `kubectl debug node/<name>
--profile=sysadmin -- chroot /host` to append the current workstation
key to each worker's authorized_keys, no SSH needed. After that:

  ansible nut_clients -m ping  → all 5 reachable
  ansible-playbook --tags nut --limit nut_clients  → ok=10, changed=6, failed=0

Drop the stale comment under linux_bare_metal too — that diagnosis was
wrong.
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
kblack0610/home-config!20
No description provided.