infra/roles/infra_controller/tasks/main.yml
Jeremie Fraeys 0c6d09abcd
fix(ssh): allow dual-stack runner source for restricted keys
- Include web IPv6 alongside IPv4 in authorized_keys from= allowlist
- Write web public IPv6 into inventory/host_vars/web.yml from Terraform outputs
2026-01-21 15:08:36 -05:00


---
# Build the value that is later spliced into the authorized_keys from=
# allowlist. Precedence: a non-empty service_ssh_allowed_ip wins verbatim;
# otherwise the list is derived from the allowed host's public_ipv4 (falling
# back to its ansible_host when public_ipv4 is unset/empty) plus its
# public_ipv6 with any "/prefix" suffix stripped, with empty entries dropped,
# duplicates removed and the remainder comma-joined (the from= separator).
# NOTE(review): only public_ipv6 has its prefix stripped; public_ipv4 is used
# as-is — confirm the Terraform output never carries a CIDR suffix there.
# NOTE(review): if public_ipv4 is unset and ansible_host is a DNS name rather
# than an address, from= becomes a hostname pattern — confirm the target sshd
# is configured to match client hostnames before relying on that fallback.
- name: Compute service SSH allowed IP
  set_fact:
    service_ssh_allowed_ip_effective: >-
      {{
        (service_ssh_allowed_ip | default('', true))
        if (service_ssh_allowed_ip | default('', true) | length) > 0
        else (
          [
            (hostvars[service_ssh_allowed_host].public_ipv4
              | default(hostvars[service_ssh_allowed_host].ansible_host, true)),
            (hostvars[service_ssh_allowed_host].public_ipv6 | default('', true) | regex_replace('/.*$', ''))
          ]
          | select('match', '.+')
          | unique
          | join(',')
        )
      }}
# Resolve the public key that may invoke the register command.
# Precedence: a non-empty service_ssh_register_key variable, else the
# SERVICE_SSH_REGISTER_PUBLIC_KEY play variable, else the
# SERVICE_SSH_REGISTER_PUBLIC_KEY environment variable on the control node
# (lookups run there, not on the target). The second argument to default()
# treats empty values like undefined ones, so the result is '' when nothing
# is set; the fail tasks below reject that case.
# no_log keeps the resolved key out of task output.
- name: Compute service SSH register public key
  set_fact:
    service_ssh_register_key_effective: >-
      {{
        (service_ssh_register_key | default('', true))
        if (service_ssh_register_key | default('', true) | length) > 0
        else (
          SERVICE_SSH_REGISTER_PUBLIC_KEY
          | default(lookup('env', 'SERVICE_SSH_REGISTER_PUBLIC_KEY'), true)
        )
      }}
  no_log: true
# Resolve the public key that may invoke the deregister command.
# Precedence: a non-empty service_ssh_deregister_key variable, else the
# SERVICE_SSH_DEREGISTER_PUBLIC_KEY play variable, else the
# SERVICE_SSH_DEREGISTER_PUBLIC_KEY environment variable on the control node
# (lookups run there, not on the target). The second argument to default()
# treats empty values like undefined ones, so the result is '' when nothing
# is set; the fail tasks below reject that case.
# no_log keeps the resolved key out of task output.
- name: Compute service SSH deregister public key
  set_fact:
    service_ssh_deregister_key_effective: >-
      {{
        (service_ssh_deregister_key | default('', true))
        if (service_ssh_deregister_key | default('', true) | length) > 0
        else (
          SERVICE_SSH_DEREGISTER_PUBLIC_KEY
          | default(lookup('env', 'SERVICE_SSH_DEREGISTER_PUBLIC_KEY'), true)
        )
      }}
  no_log: true
# Stop the play with an actionable message when no register key could be
# resolved from the variable, play var or environment.
- name: Fail if service SSH register public key is missing
  ansible.builtin.fail:
    msg: "SERVICE_SSH_REGISTER_PUBLIC_KEY is required (must be an SSH public key like 'ssh-ed25519 AAAA...')"
  when:
    - (service_ssh_register_key_effective | length) == 0
# Stop the play with an actionable message when no deregister key could be
# resolved from the variable, play var or environment.
- name: Fail if service SSH deregister public key is missing
  ansible.builtin.fail:
    msg: "SERVICE_SSH_DEREGISTER_PUBLIC_KEY is required (must be an SSH public key like 'ssh-ed25519 AAAA...')"
  when:
    - (service_ssh_deregister_key_effective | length) == 0
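# Shape check on the resolved register key. OpenSSH public keys start with a
# key-type token; besides the ssh-* types (ssh-ed25519, ssh-rsa, ...) that
# includes ecdsa-sha2-nistp256/384/521 and the FIDO sk-* types, which a bare
# '^ssh-' prefix test would wrongly reject. Only the prefix is checked: the
# key blob is not validated and a multi-line value is not rejected here.
- name: Fail if service SSH register public key does not look like an SSH key
  ansible.builtin.fail:
    msg: "SERVICE_SSH_REGISTER_PUBLIC_KEY does not look like an SSH public key"
  when: not (service_ssh_register_key_effective is match('^(ssh-|ecdsa-sha2-|sk-)'))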
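# Shape check on the resolved deregister key. OpenSSH public keys start with
# a key-type token; besides the ssh-* types (ssh-ed25519, ssh-rsa, ...) that
# includes ecdsa-sha2-nistp256/384/521 and the FIDO sk-* types, which a bare
# '^ssh-' prefix test would wrongly reject. Only the prefix is checked: the
# key blob is not validated and a multi-line value is not rejected here.
- name: Fail if service SSH deregister public key does not look like an SSH key
  ansible.builtin.fail:
    msg: "SERVICE_SSH_DEREGISTER_PUBLIC_KEY does not look like an SSH public key"
  when: not (service_ssh_deregister_key_effective is match('^(ssh-|ecdsa-sha2-|sk-)'))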
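# Both guards protect the from="..." option that the authorized_key tasks
# below build from this value. The first catches an unresolved allowlist; the
# second accepts only the characters that can appear in an sshd address/host
# pattern list (addresses, CIDR prefixes, hostname wildcards, '!' negation
# and ',' separators), so a quote, backslash, whitespace or newline in a
# caller-supplied service_ssh_allowed_ip cannot break the option syntax of
# the installed key line.
- name: Fail if service SSH allowed host/IP cannot be determined
  ansible.builtin.fail:
    msg: "Unable to determine service SSH allowed IP (set service_ssh_allowed_ip or ensure hostvars[{{ service_ssh_allowed_host }}] has public_ipv4/ansible_host)"
  when: service_ssh_allowed_ip_effective | length == 0

- name: Fail if service SSH allowed IP list contains characters invalid in a from= pattern
  ansible.builtin.fail:
    msg: "service SSH allowed IP list must be a comma-separated list of addresses, CIDR prefixes or host patterns; got '{{ service_ssh_allowed_ip_effective }}'"
  when: service_ssh_allowed_ip_effective is search('[^A-Za-z0-9.:/,*?!-]')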
# Dedicated account that the restricted runner keys are installed for.
# A real shell is kept because sshd executes a forced command through the
# account's login shell.
- name: Ensure service SSH user exists
  ansible.builtin.user:
    name: "{{ service_ssh_user }}"
    shell: /bin/bash
    create_home: true
    state: present
# Private ~/.ssh for the service account, owned by it and closed to others.
# NOTE(review): the home directory is assumed to be /home/<user> rather than
# read back from the user task — confirm this matches the host's defaults.
- name: Ensure .ssh directory exists
  ansible.builtin.file:
    path: "/home/{{ service_ssh_user }}/.ssh"
    state: directory
    mode: "0700"
    owner: "{{ service_ssh_user }}"
    group: "{{ service_ssh_user }}"
# Register key: every login with it is pinned to the forced command, limited
# to the resolved source allowlist, and stripped of pty, forwarding and rc
# features. The options are assembled from a list so each restriction is
# reviewable on its own line; the rendered value is the comma-joined string.
- name: Install restricted authorized key for register
  authorized_key:
    user: "{{ service_ssh_user }}"
    state: present
    key: "{{ service_ssh_register_key_effective }}"
    key_options: >-
      {{ [
           'command="/usr/local/sbin/infra-register-stdin"',
           'from="' ~ service_ssh_allowed_ip_effective ~ '"',
           'no-agent-forwarding',
           'no-port-forwarding',
           'no-pty',
           'no-user-rc',
           'no-X11-forwarding'
         ] | join(',') }}
# Deregister key: every login with it is pinned to the forced command,
# limited to the resolved source allowlist, and stripped of pty, forwarding
# and rc features. The options are assembled from a list so each restriction
# is reviewable on its own line; the rendered value is the comma-joined string.
- name: Install restricted authorized key for deregister
  authorized_key:
    user: "{{ service_ssh_user }}"
    state: present
    key: "{{ service_ssh_deregister_key_effective }}"
    key_options: >-
      {{ [
           'command="/usr/local/sbin/infra-deregister"',
           'from="' ~ service_ssh_allowed_ip_effective ~ '"',
           'no-agent-forwarding',
           'no-port-forwarding',
           'no-pty',
           'no-user-rc',
           'no-X11-forwarding'
         ] | join(',') }}