# Signer-host bootstrap (Ansible)

A **starting-point** playbook for provisioning the three **signer hosts** — the small machines (NUC / Pi / mini-PC) that each have a USB-attached Coldcard and run a thin **signer agent** over `ckcc-protocol`.

This bootstraps the *host*, not the device: it installs the prerequisites, joins the private network, and lays down a signer-agent service unit. **It never touches keys or seeds** — those are created on the Coldcard itself, by you.

Treat this as a skeleton to adapt to your environment (it is intentionally minimal and not opinionated about your network).

## What it does

- Installs Python + `ckcc-protocol` (the Coldcard CLI/library) and USB access for the device.
- Joins the host to your private mesh (Tailscale shown as an example — swap for your VPN/WG).
- Installs a `signer-agent` systemd unit (placeholder ExecStart — point it at your agent).

## What it deliberately does NOT do

- It does not generate, copy, or read any seed or key.
- It does not configure the on-device HSM policy (that is loaded onto the Coldcard directly — see [`../docs/OPERATOR-MANUAL.md`](../docs/OPERATOR-MANUAL.md) §5, and mind the policy-vs-wallet ordering trap).

## Usage

```bash
# inventory.ini: one host per signer, in independent failure domains (≥1 offsite)
ansible-playbook -i inventory.ini signer-host.yml
```

> **Failure-domain placement is the make-or-break decision** — read §3 of the Operator Manual before you
> place signers. Never co-locate two signers behind a shared PSU / switch / host / hypervisor.
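## Example skeleton

The steps listed above, written out as an illustrative playbook. This is an added example, not the project's own `signer-host.yml`: the `signers` host group, the `signer` service account, the `/opt/signer` venv path, the `TS_AUTHKEY` environment variable and the `YOUR_SIGNER_AGENT` module name are all assumptions to replace, and the udev vendor/product IDs should be checked against the rule that `ckcc-protocol` ships.

```yaml
# signer-host.yml: illustrative skeleton, not the project's own playbook; adapt names and paths.
- name: Bootstrap a Coldcard signer host (the host only; never keys or seeds)
  hosts: signers
  become: true
  vars:
    signer_user: signer                                    # assumed unprivileged service account
    tailscale_authkey: "{{ lookup('env', 'TS_AUTHKEY') }}" # from the operator's shell, never committed
  tasks:
    - name: Install Python and USB tooling
      ansible.builtin.apt:
        name: [python3, python3-venv, usbutils]
        state: present
    - name: Install ckcc-protocol into a dedicated venv
      ansible.builtin.pip:
        name: ckcc-protocol
        virtualenv: /opt/signer/venv
        virtualenv_command: python3 -m venv
    - name: Create the service account (plugdev grants USB access)
      ansible.builtin.user:
        name: "{{ signer_user }}"
        system: true
        groups: plugdev
    - name: Let plugdev open the Coldcard (Coinkite VID d13e / PID cc10; check against the udev rule ckcc-protocol ships)
      ansible.builtin.copy:
        dest: /etc/udev/rules.d/51-coinkite.rules
        mode: "0644"
        content: 'SUBSYSTEM=="usb", ATTRS{idVendor}=="d13e", ATTRS{idProduct}=="cc10", MODE="0660", GROUP="plugdev"'
    - name: Join the private mesh (Tailscale as the example; assumes it is installed; no_log keeps the key out of output)
      ansible.builtin.command: tailscale up --authkey={{ tailscale_authkey }}
      no_log: true
    - name: Install the signer-agent unit (ExecStart is a placeholder)
      ansible.builtin.copy:
        dest: /etc/systemd/system/signer-agent.service
        mode: "0644"
        content: |
          [Unit]
          Description=Thin Coldcard signer agent (ckcc-protocol)
          [Service]
          User={{ signer_user }}
          # placeholder: point this at your agent's entry point
          ExecStart=/opt/signer/venv/bin/python -m YOUR_SIGNER_AGENT
          NoNewPrivileges=yes
          ProtectSystem=strict
          [Install]
          WantedBy=multi-user.target
    - name: Enable the unit; start it only once ExecStart points at a real agent
      ansible.builtin.systemd:
        name: signer-agent
        enabled: true
        daemon_reload: true
```

The unit is enabled but not started on purpose: with the placeholder `ExecStart` it would crash-loop, and the agent should come up only after you have verified the device is visible to the `signer` account (`ckcc list`, from the venv, as that user).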