feat(infra): Implement multi-user admin SSH key management

Centralize and manage multiple administrator SSH public keys for server access and streamline administrative tasks.

This change:
- Allows provisioning of multiple admin SSH keys to the `iklim` user for human access.
- Adds the same admin SSH keys to the `root` user for emergency or bootstrap scenarios.
- Grants the `iklim` user passwordless sudo privileges to simplify administrative operations.
- Replaces the single `admin_ssh_public_key_path` variable with a list of keys, accommodating multiple administrators.
Murat ÖZDEMİR 2026-05-24 21:01:54 +03:00
parent 28ce381059
commit 6798426841
5 changed files with 24 additions and 3 deletions


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmD75GTgifJZnJWUTjxraPDsNa+bVG+ghdvY6i1Ezrs dev1@bimetri.com


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET+QM2a434/qJBtKqzrYtko/jHCI9O4PFw2Uf0RYXY+ dev2@bimetri.com


@ -0,0 +1 @@
ssh-rsa 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 murat@INSPIRON-15-3525


@ -28,5 +28,8 @@ act_runner_labels: "prod-runner:docker://catthehacker/ubuntu:act-22.04,ubuntu-24
swarm_manager_ip: "10.20.10.11"
mongodb_replset_name: "rs0"
admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32 188.3.184.2/32"
admin_ssh_public_key_path: "~/.ssh/id_rsa.pub"
admin_ssh_public_keys:
- "{{ lookup('file', 'files/keys/murat_ozdemir.pub') }}"
- "{{ lookup('file', 'files/keys/bimetri_dev1.pub') }}"
- "{{ lookup('file', 'files/keys/bimetri_dev2.pub') }}"
timezone: "Europe/Istanbul"
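Review bot: The new `admin_ssh_public_keys` list carries no comment saying what membership grants, although per the commit description every entry is authorized for both `iklim` (passwordless sudo) and `root`. I would put a comment directly above the list, for example `# Every key listed here gets root-equivalent SSH access on all hosts using these vars; review additions and removals accordingly.` That makes it explicit to the next editor that this list is the trust anchor for administrative access.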


@ -73,11 +73,26 @@
create_home: yes
state: present
- name: Add SSH key to iklim user
- name: Allow iklim user to use sudo without password
ansible.builtin.copy:
content: "iklim ALL=(ALL) NOPASSWD:ALL"
dest: /etc/sudoers.d/iklim
mode: '0440'
validate: /usr/sbin/visudo -cf %s
- name: Add multiple SSH keys to iklim user (for human access)
ansible.posix.authorized_key:
user: iklim
state: present
key: "{{ lookup('file', admin_ssh_public_key_path) }}"
key: "{{ item }}"
loop: "{{ admin_ssh_public_keys }}"
- name: Add admin SSH keys to root as well (for emergency/bootstrap/ansible)
ansible.posix.authorized_key:
user: root
state: present
key: "{{ item }}"
loop: "{{ admin_ssh_public_keys }}"
- name: Configure journald log limits
ansible.builtin.lineinfile:
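Review bot: Both `authorized_key` tasks loop over the list with `state: present`, which only adds keys, so removing an administrator from `admin_ssh_public_keys` leaves that key authorized on `iklim` and on `root`. Because this hunk also installs `iklim ALL=(ALL) NOPASSWD:ALL`, a stale key stays root-equivalent until someone removes it by hand. Consider dropping the `loop` on both tasks and managing the file in one call, `key: "{{ admin_ssh_public_keys | join('\n') }}"` together with `exclusive: true`. Note that `exclusive` also removes keys placed by other means (for example a provisioning key on `root`, or the key installed from the old `admin_ssh_public_key_path`), so any such key has to be in the list first. The task list starts and continues outside this hunk, so whether sshd permits key login for `root` at all is not visible here.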