Overview

Date: 2026-05-11

Time: 15:41

Overview

This is an FTL2 AI-loop rule that ensures a host called "stargate" has a hardened SSH configuration and an admin user with key-based access. It follows the observe → condition → action pattern used by the FTL2 reconciliation loop: it observes current state, checks whether remediation is needed, and applies changes if the system has drifted from the desired state.

Usage Patterns

This rule is executed automatically by the FTL2 AI-loop (ftl2-ai-loop). It is not called directly by a user. The loop evaluates observe to gather state, calls condition(state) to decide whether to act, and calls action(ftl) if the condition returns True.

The observe list runs two commands on the target host:

observe = [
    {"name": "admin_user", "module": "command", "params": {"cmd": "id admin"}, "host": "stargate"},
    {"name": "sshd_config", "module": "command", "params": {"cmd": "cat /etc/ssh/sshd_config"}, "host": "stargate"},
]

The action function uses the ftl host accessor pattern — ftl["stargate"] — to call modules sequentially via await:

await ftl["stargate"].user(name="admin", shell="/bin/bash", create_home=True)
await ftl["stargate"].lineinfile(path="/etc/ssh/sshd_config", regexp="^#?PasswordAuthentication", line="PasswordAuthentication no")

API and Configuration

Observe state keys:

• admin_user — result of id admin; rc == 0 means user exists
• sshdconfig — full contents of /etc/ssh/sshdconfig in stdout

Condition triggers (any one triggers action):

• admin user does not exist (rc != 0)
• sshd_config missing PasswordAuthentication no
• sshd_config missing PermitRootLogin no
• sshd_config missing AddressFamily inet

Modules used in action: user, file, copy, lineinfile, service

Hardcoded values: SSH public key for ben@bthomass-mac, target host stargate, admin username admin.

Key Behaviors

• Sequential ordering matters. The user must be created (step 1) before files can be owned by admin (steps 2–3). The docstring explicitly calls this out as a race condition avoidance measure.
• Idempotent. Each module call (user, file, copy, lineinfile) is idempotent — safe to re-run. The condition gate prevents unnecessary runs, but the action itself is also safe if re-triggered.
• Service restart. SSHD is restarted at the end, which will briefly interrupt SSH connections to the host. The rule applies all config changes before the single restart.
• Sudoers via drop-in. Uses /etc/sudoers.d/admin rather than editing /etc/sudoers directly — the safer pattern.
• Duplicate observe block. The file contains two observe definitions and two docstrings (from two AI-loop generations). The second observe overwrites the first at runtime; they are identical so this is benign but messy.

Relationships

• FTL2 AI-loop — the runtime that discovers, evaluates, and executes this rule file
• FTL2 modules — command, user, file, copy, lineinfile, service — the standard module library called via ftl["host"].module() syntax
• Target host: stargate — the host defined in FTL2 inventory that this rule manages
• Inventory — stargate must be defined in the FTL2 inventory with SSH connectivity for the observe and action steps to reach it