workstation: roster source-of-truth + host package manifest [ci skip]

roster.yaml is the single source of truth for the devvm Workstation lifecycle (os_user -> authentik_user/k8s_user/tier/namespaces); wizard listed as admin so the regenerated ttyd-map/dispatch never drops his instance. packages.txt is the declarative apt toolset (non-apt tools — node/claude-code/kubectl/vault/kubelogin — noted with their real install paths; the apt pkg named 'kubelogin' is the wrong Azure tool). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 13:38:20 +00:00 · 2026-06-08 13:38:20 +00:00 · 3033e2c355
commit 3033e2c355
parent 7ab4c1e1e2
2 changed files with 47 additions and 0 deletions
--- a/scripts/workstation/packages.txt
+++ b/scripts/workstation/packages.txt
@ -0,0 +1,26 @@
+# Declarative host toolset for the devvm Workstation (apt packages, one per line).
+# Consumed by setup-devvm.sh:  apt-get install -y $(grep -vE '^\s*(#|$)' packages.txt)
+# Comments (#) and blank lines are ignored. Tools NOT in the standard apt repos
+# are listed below as comments with their real install path (handled explicitly
+# in setup-devvm.sh) so this manifest stays a safe argument to `apt-get install`.
+git
+zsh
+tmux
+ripgrep
+fd-find
+jq
+curl
+ca-certificates
+python3
+python3-yaml
+python3-pip
+podman
+
+# --- installed by setup-devvm.sh via NON-apt paths (not apt-installable) ---
+# nodejs + npm                -> NodeSource repo (claude-code needs node >= 18; distro nodejs is too old)
+# @anthropic-ai/claude-code   -> npm install -g
+# kubectl                     -> k8s apt repo OR pinned binary (already present on devvm)
+# vault                       -> HashiCorp apt repo OR pinned binary (already present on devvm)
+# kubelogin (kubectl oidc-login) -> `kubectl krew install oidc-login` or int128/kubelogin release.
+#                                NOTE: the apt package literally named "kubelogin" is the AZURE
+#                                tool, NOT the OIDC one we need -- do not apt-install it.
--- a/scripts/workstation/roster.yaml
+++ b/scripts/workstation/roster.yaml
@ -0,0 +1,21 @@
+# THE single source of truth for the devvm Workstation lifecycle (onboard -> offboard).
+# Consumed by roster_engine.py (derive/validate) + t3-provision-users.sh (apply).
+#
+# os_user (the map KEY, pinned) -> authentik_user . k8s_user . tier . namespaces
+# The three identifiers differ per person (verified 2026-06-08) -- no email->username
+# derivation; record each explicitly.
+#
+# Tiers: admin | power-user | namespace-owner
+#   admin           - cluster-admin, unlocked tree, secrets (groups: sudo,docker,code-shared)
+#   power-user      - cluster-wide READ (no Secrets) via oidc-power-user-readonly; locked clone
+#   namespace-owner - admin in their own namespace(s) only; locked clone
+#
+# wizard IS listed (as admin): the reconcile REGENERATES /etc/ttyd-user-map +
+# dispatch.json from this file, so omitting him would drop his t3 instance. The
+# provisioner skips account/group/clone mutations for already-existing users, so
+# listing him is safe (he keeps his unlocked tree + cluster-admin untouched).
+users:
+  wizard:    {authentik_user: vbarzin,     k8s_user: wizard, tier: admin}                                          # base config author + cluster-admin
+  emo:       {authentik_user: emil.barzin, k8s_user: emo,    tier: power-user}                                     # NET-NEW k8s_users entry (add as power-user before provisioning)
+  ancamilea: {authentik_user: ancaelena98, k8s_user: anca,   tier: namespace-owner, namespaces: [plotting-book]}   # ALREADY provisioned in-cluster -- assert, don't re-create
+# gheorghe:  {authentik_user: vabbit81,    k8s_user: vabbit81, tier: namespace-owner, namespaces: [vabbit81]}      # already a cluster ns-owner; uncomment to give him a devvm workstation