fix(ssh): allow dual-stack runner source for restricted keys

- Include web IPv6 alongside IPv4 in authorized_keys from= allowlist\n- Write web public IPv6 into inventory/host_vars/web.yml from Terraform outputs
2026-01-21 15:08:36 -05:00 · 2026-01-21 15:08:36 -05:00 · 0c6d09abcd
commit 0c6d09abcd
parent 8ac79d3300
3 changed files with 29 additions and 7 deletions
--- a/roles/app_ssh_access/tasks/main.yml
+++ b/roles/app_ssh_access/tasks/main.yml
@ -5,8 +5,16 @@
      {{
          (app_ssh_allowed_ip | default('', true))
          if (app_ssh_allowed_ip | default('', true) | length) > 0
-          else (hostvars[app_ssh_allowed_host].public_ipv4
-            | default(hostvars[app_ssh_allowed_host].ansible_host, true))
+          else (
+            [
+              (hostvars[app_ssh_allowed_host].public_ipv4
+                | default(hostvars[app_ssh_allowed_host].ansible_host, true)),
+              (hostvars[app_ssh_allowed_host].public_ipv6 | default('', true) | regex_replace('/.*$', ''))
+            ]
+            | select('match', '.+')
+            | unique
+            | join(',')
+          )
        }}

 - name: Compute register SSH public key
--- a/roles/infra_controller/tasks/main.yml
+++ b/roles/infra_controller/tasks/main.yml
@ -5,8 +5,16 @@
      {{
        (service_ssh_allowed_ip | default('', true))
        if (service_ssh_allowed_ip | default('', true) | length) > 0
-        else (hostvars[service_ssh_allowed_host].public_ipv4
-          | default(hostvars[service_ssh_allowed_host].ansible_host, true))
+        else (
+          [
+            (hostvars[service_ssh_allowed_host].public_ipv4
+              | default(hostvars[service_ssh_allowed_host].ansible_host, true)),
+            (hostvars[service_ssh_allowed_host].public_ipv6 | default('', true) | regex_replace('/.*$', ''))
+          ]
+          | select('match', '.+')
+          | unique
+          | join(',')
+        )
      }}

 - name: Compute service SSH register public key
--- a/setup.sh
+++ b/setup.sh
@ -118,7 +118,7 @@ if [[ -f "secrets/vault.yml" ]]; then
  while IFS= read -r line; do
    [[ -z "${line}" ]] && continue
    [[ "${line}" == "---" ]] && continue
-    [[ "${line}" != TF_VAR_*:* ]] && [[ "${line}" != CF_DNS_API_TOKEN:* ]] && [[ "${line}" != S3_ACCESS_KEY_ID:* ]] && [[ "${line}" != S3_SECRET_ACCESS_KEY:* ]] && continue
+    [[ "${line}" != TF_VAR_*:* ]] && [[ "${line}" != CF_DNS_API_TOKEN:* ]] && [[ "${line}" != CF_ZONE_API_TOKEN:* ]] && [[ "${line}" != S3_ACCESS_KEY_ID:* ]] && [[ "${line}" != S3_SECRET_ACCESS_KEY:* ]] && continue
    key="${line%%:*}"
    value="${line#*:}"
    value="${value# }"
@ -127,8 +127,12 @@ if [[ -f "secrets/vault.yml" ]]; then
    eval "export ${key}=${escaped}"
  done <<< "${vault_plain}"

-  if [[ -z "${CF_DNS_API_TOKEN:-}" ]] && [[ -n "${TF_VAR_cloudflare_api_token:-}" ]]; then
-    export CF_DNS_API_TOKEN="${TF_VAR_cloudflare_api_token}"
+  if [[ -z "${TF_VAR_cloudflare_api_token:-}" ]] && [[ -n "${CF_DNS_API_TOKEN:-}" ]]; then
+    export TF_VAR_cloudflare_api_token="${CF_DNS_API_TOKEN}"
+  fi
+
+  if [[ -z "${TF_VAR_cloudflare_zone_id:-}" ]] && [[ -n "${CF_ZONE_API_TOKEN:-}" ]]; then
+    export TF_VAR_cloudflare_zone_id="${CF_ZONE_API_TOKEN}"
  fi
 fi

@ -150,6 +154,7 @@ if [[ "${run_terraform}" == "true" ]]; then
  rm -f terraform/tfplan

  web_ipv4=$(terraform -chdir=terraform output -raw web_ip)
+  web_ipv6=$(terraform -chdir=terraform output -raw web_ipv6)
  services_ipv4=$(terraform -chdir=terraform output -raw services_ip)

  ssh_user=${TF_VAR_user:-ansible}
@ -175,6 +180,7 @@ EOF

  cat > inventory/host_vars/web.yml <<EOF
 public_ipv4: ${web_ipv4}
+public_ipv6: ${web_ipv6%%/*}
 EOF
 else
  if [[ ! -f inventory/hosts.yml ]]; then