From 0c6d09abcdf5897d6880cc95151e3ed7e3831c51 Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Wed, 21 Jan 2026 15:08:36 -0500
Subject: [PATCH] fix(ssh): allow dual-stack runner source for restricted keys
- Include web IPv6 alongside IPv4 in authorized_keys from= allowlist\n- Write web public IPv6 into inventory/host_vars/web.yml from Terraform outputs
---
 roles/app_ssh_access/tasks/main.yml | 12 ++++++++++--
 roles/infra_controller/tasks/main.yml | 12 ++++++++++--
 setup.sh | 12 +++++++++---
 3 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/roles/app_ssh_access/tasks/main.yml b/roles/app_ssh_access/tasks/main.yml
index c66cc98..770d69b 100644
--- a/roles/app_ssh_access/tasks/main.yml
+++ b/roles/app_ssh_access/tasks/main.yml
@@ -5,8 +5,16 @@ {{ (app_ssh_allowed_ip | default('', true)) if (app_ssh_allowed_ip | default('', true) | length) > 0 - else (hostvars[app_ssh_allowed_host].public_ipv4 - | default(hostvars[app_ssh_allowed_host].ansible_host, true)) + else ( + [ + (hostvars[app_ssh_allowed_host].public_ipv4 + | default(hostvars[app_ssh_allowed_host].ansible_host, true)), + (hostvars[app_ssh_allowed_host].public_ipv6 | default('', true) | regex_replace('/.*$', '')) + ] + | select('match', '.+') + | unique + | join(',') + ) }} - name: Compute register SSH public key
diff --git a/roles/infra_controller/tasks/main.yml b/roles/infra_controller/tasks/main.yml
index 7543416..d2deb90 100644
--- a/roles/infra_controller/tasks/main.yml
+++ b/roles/infra_controller/tasks/main.yml
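Review bot: The IPv6 entry has any `/…` suffix removed by `regex_replace('/.*$', '')` before it is joined into the `from=` allowlist, so if `public_ipv6` ever carries a prefix length (the regex itself suggests the author expects one), a network value such as the documentation prefix `2001:db8::/64` collapses to the single address `2001:db8::` and the runner's real source address is rejected instead of allowed; when a `/` is present the task should fail loudly (an `assert` on `'/' not in …`) or produce an sshd wildcard pattern rather than truncate silently. The identical expression is duplicated in the roles/infra_controller hunk, where the same point applies, and would stay consistent more easily as one shared variable both roles reuse. The `default(… .ansible_host, true)` fallback can also yield a hostname rather than an address, which sshd honours in `from=` only through reverse DNS; a comment such as `# ansible_host may be a DNS name — sshd matches names in from= only with UseDNS` would make that limit visible. The task that owns this expression begins before the hunk.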
@@ -5,8 +5,16 @@ {{ (service_ssh_allowed_ip | default('', true)) if (service_ssh_allowed_ip | default('', true) | length) > 0 - else (hostvars[service_ssh_allowed_host].public_ipv4 - | default(hostvars[service_ssh_allowed_host].ansible_host, true)) + else ( + [ + (hostvars[service_ssh_allowed_host].public_ipv4 + | default(hostvars[service_ssh_allowed_host].ansible_host, true)), + (hostvars[service_ssh_allowed_host].public_ipv6 | default('', true) | regex_replace('/.*$', '')) + ] + | select('match', '.+') + | unique + | join(',') + ) }} - name: Compute service SSH register public key
diff --git a/setup.sh b/setup.sh
index dc978a3..0bcac4c 100755
--- a/setup.sh
+++ b/setup.sh
@@ -118,7 +118,7 @@ if [[ -f "secrets/vault.yml" ]]; then
 while IFS= read -r line; do
 [[ -z "${line}" ]] && continue
 [[ "${line}" == "---" ]] && continue
- [[ "${line}" != TF_VAR_*:* ]] && [[ "${line}" != CF_DNS_API_TOKEN:* ]] && [[ "${line}" != S3_ACCESS_KEY_ID:* ]] && [[ "${line}" != S3_SECRET_ACCESS_KEY:* ]] && continue
+ [[ "${line}" != TF_VAR_*:* ]] && [[ "${line}" != CF_DNS_API_TOKEN:* ]] && [[ "${line}" != CF_ZONE_API_TOKEN:* ]] && [[ "${line}" != S3_ACCESS_KEY_ID:* ]] && [[ "${line}" != S3_SECRET_ACCESS_KEY:* ]] && continue
 key="${line%%:*}"
 value="${line#*:}"
 value="${value# }"
@@ -127,8 +127,12 @@ if [[ -f "secrets/vault.yml" ]]; then
 eval "export ${key}=${escaped}"
 done <<< "${vault_plain}"
- if [[ -z "${CF_DNS_API_TOKEN:-}" ]] && [[ -n "${TF_VAR_cloudflare_api_token:-}" ]]; then
- export CF_DNS_API_TOKEN="${TF_VAR_cloudflare_api_token}"
+ if [[ -z "${TF_VAR_cloudflare_api_token:-}" ]] && [[ -n "${CF_DNS_API_TOKEN:-}" ]]; then
+ export TF_VAR_cloudflare_api_token="${CF_DNS_API_TOKEN}"
+ fi
+
+ if [[ -z "${TF_VAR_cloudflare_zone_id:-}" ]] && [[ -n "${CF_ZONE_API_TOKEN:-}" ]]; then
+ export TF_VAR_cloudflare_zone_id="${CF_ZONE_API_TOKEN}"
 fi
 fi
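Review bot: The widened allowlist (`CF_ZONE_API_TOKEN:*`) still only constrains the prefix of an accepted line, while the `key` cut from it is spliced verbatim into `eval "export ${key}=${escaped}"` (visible as context in the next hunk), so a vault key containing whitespace or shell metacharacters is evaluated as shell rather than rejected. Add `[[ "${key}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue` directly after `key="${line%%:*}"`, or drop the `eval` for `export "${key}=${value}"`, which rejects an invalid identifier with an error and needs no escaping of the value at all. The `while` loop and the `escaped` assignment lie outside this hunk.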
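Review bot: `TF_VAR_cloudflare_zone_id` is now filled from `CF_ZONE_API_TOKEN`, a name that denotes an API token rather than a zone identifier; either the vault key is misnamed (then `CF_ZONE_ID` would be the honest name here and in the allowlist of the hunk above) or a credential is being handed to a Terraform variable that expects a zone id, where it is not treated as sensitive unless that variable is declared so. The existing mapping is also reversed — `TF_VAR_cloudflare_api_token` is now derived from `CF_DNS_API_TOKEN` and `CF_DNS_API_TOKEN` is no longer back-filled from `TF_VAR_cloudflare_api_token` — a behaviour change the `fix(ssh)` commit message does not mention; any later step that reads `CF_DNS_API_TOKEN` now requires it to be present in the vault itself. A comment above the block such as `# Terraform variables derive from the CF_* vault keys; CF_* are never back-filled from TF_VAR_*` would record the intended direction.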
@@ -150,6 +154,7 @@ if [[ "${run_terraform}" == "true" ]]; then
 rm -f terraform/tfplan
 web_ipv4=$(terraform -chdir=terraform output -raw web_ip)
+ web_ipv6=$(terraform -chdir=terraform output -raw web_ipv6)
 services_ipv4=$(terraform -chdir=terraform output -raw services_ip)
 ssh_user=${TF_VAR_user:-ansible}
@@ -175,6 +180,7 @@ EOF
 cat > inventory/host_vars/web.yml <
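Review bot: `terraform output -raw web_ipv6` exits non-zero when the output is absent or null, so if the web host does not always receive an IPv6 address — the Ansible side treats `public_ipv6` as optional via `default('', true)` — the setup run now stops or, without `set -e`, continues with an error on stderr and an empty `web_ipv6` that was never an explicit decision. Handle the optional case deliberately, e.g. `web_ipv6=$(terraform -chdir=terraform output -raw web_ipv6 2>/dev/null) || web_ipv6=""`, preceded by a comment such as `# IPv6 is optional; an empty value leaves the from= allowlist IPv4-only`, so the empty string flows into `inventory/host_vars/web.yml` on purpose. Whether `set -e` is active is not visible in the hunk, and the enclosing `if [[ "${run_terraform}" == "true" ]]` block starts and ends outside it.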