Implement: Administrative user, keyboard layout, and Ansible variable refactor

This commit introduces several core configurations and structural improvements: * **User Management:** Creates a new `iklim` administrative user with a securely hashed password, enabled by `python3-passlib`. * **System Configuration:** Sets the system keyboard layout to Turkish Q (`trq`). * **Security Hardening:** Refines firewall rules for SSH using a rich rule and ensures `journald` log limits file creation. * **Ansible Variable Management:** Restructures `group_vars` by consolidating global variables into `group_vars/all/vars.yml` and sensitive data into a dedicated `group_vars/all/vault.yml`. * **Ansible Compatibility:** Adds `!unsafe` to a `docker info` shell command to prevent future warnings.
2026-05-11 19:00:31 +03:00 · 2026-05-11 19:00:31 +03:00 · bbeaf97815
commit bbeaf97815
parent 65443e81e7
7 changed files with 60 additions and 39 deletions
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@ -27,6 +27,7 @@
      - chrony
      - python3
      - python3-pip
      - python3-passlib
      - htop
      - btop
    state: present
@ -44,3 +45,12 @@
 - name: Set hostname
  ansible.builtin.hostname:
    name: "{{ inventory_hostname }}"
 - name: Get current keymap
  ansible.builtin.command: localectl status
  register: localectl_status
  changed_when: false
 - name: Set keyboard layout to Turkish Q
  ansible.builtin.command: localectl set-keymap trq
  when: "'trq' not in localectl_status.stdout"
--- a/ansible/roles/hardening/tasks/main.yml
+++ b/ansible/roles/hardening/tasks/main.yml
@ -44,27 +44,37 @@
    state: started
    enabled: yes
 - name: Allow SSH in firewalld from admin CIDRs
  ansible.posix.firewalld:
    rich_rule: 'rule family="ipv4" source address="{{ item }}" service name="ssh" accept'
    zone: drop
    state: enabled
    permanent: yes
    immediate: yes
  loop: "{{ admin_allowed_cidrs.split(' ') }}"
 - name: Configure firewalld default zone
  ansible.builtin.shell: firewall-cmd --set-default-zone=drop
  when: ansible_facts.services['firewalld.service'].state == 'running'
  changed_when: false
 - name: Create iklim user
  ansible.builtin.user:
    name: iklim
    password: "{{ iklim_password | password_hash('sha512') }}"
    groups: wheel
    append: yes
    shell: /bin/bash
    create_home: yes
    state: present
 - name: Configure journald log limits
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    create: yes
  loop:
    - { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
    - { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
  notify: Restart journald
 - name: Allow SSH in firewalld from admin CIDRs
  ansible.posix.firewalld:
    service: ssh
    source: "{{ item }}"
    state: enabled
    permanent: yes
    immediate: yes
  loop: "{{ admin_allowed_cidrs.split(' ') }}"
--- a/ansible/roles/swarm/tasks/main.yml
+++ b/ansible/roles/swarm/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: Check if Swarm is initialized
-  ansible.builtin.shell: docker info --format '{{.Swarm.LocalNodeState}}'
+  ansible.builtin.shell: !unsafe "docker info --format '{{.Swarm.LocalNodeState}}'"
  register: swarm_status
  changed_when: false
--- a/ansible/test/group_vars/all.yml
+++ b/ansible/test/group_vars/all.yml
@ -1,4 +0,0 @@
 # Global variables for all environments
 storagebox_account: "u469968"
 admin_allowed_cidrs: "127.0.0.1/8" # Overridden in inventory or vault
 timezone: "Europe/Istanbul"
--- a/ansible/test/group_vars/all/vars.yml
+++ b/ansible/test/group_vars/all/vars.yml
@ -1,7 +1,9 @@
-# Test environment specific variables
+storagebox_account: "u469968"
 storagebox_user: "{{ storagebox_account }}-sub4"
 storagebox_url: "https://{{ storagebox_user }}.your-storagebox.de/"
 storagebox_mount_point: "/mnt/storagebox"
 storagebox_password: "{{ vault_storagebox_password }}"
 iklim_password: "{{ vault_iklim_password }}"
 swarm_manager_ip: "10.10.10.11"
 admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32"
-# storagebox_password: "{{ vault_storagebox_password }}" # In test-vault.yml
+timezone: "Europe/Istanbul"
--- a/ansible/test/group_vars/all/vault.yml
+++ b/ansible/test/group_vars/all/vault.yml
@ -0,0 +1,25 @@
 $ANSIBLE_VAULT;1.1;AES256
 32653536356331386232373033363738363336323461363432653031666166343462393737643730
 3162386266326333386533373630663563386337613338310a376137623835333461363662323035
 65636332376331643335323265336439613331613238393363626330313831653233373864313033
 3430303335306366660a636139623264386437383763316665373230643939653039633330623834
 64636564313232626462373638653538393261323031616563653164323961393664656439393639
 37313335313739353564626364313663363038316132633739623338343436303337643162396635
 34323838346664303464396438393534636265636262323364643364323163653464303931626130
 37663138363966386530323133613661316230303362323937313132306236323339323839633139
 34633733333531373233386436313837343364326334386535626262356537376137646163326666
 38306238666639623639393137623266363465313264326566663839303664303233666335663731
 32633232376164383265313835326433366134613230613164373034663931396161623631666236
 37613631353233346464363236383539663461333739396432626638323134383230343163396335
 64363333396130326463316538306162363034353936383063333531396233356437333064613230
 63353337306632323364336233313836663365623436336532623239633434656563666637333636
 31343836353230306461613936383766636138663361343864623466376235666536306133306435
 65666338333465653434386166366633383539323566613935363434363735313231336166626364
 65353033363366386432306434333135653862616635373837376233326262646330326363626134
 32343735386137363334306464383935613531373533363330363635633236313930373865393738
 38363564663066363439396532656236656636646365363038393535303632356364613538353737
 32636434383766343765643634633464353262396466393265643963383634323730343162323837
 39343139613538653531616466303638336133396165646138663463383238616431613563343031
 39333139643033326630343630366630633766383861353663353534633436646363356334626438
 62306661376339343437643732333032373362633062326365666430616634613537316635653465
 64306362386339333562
--- a/ansible/test/group_vars/test-vault.yml
+++ b/ansible/test/group_vars/test-vault.yml
@ -1,22 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 39313733646339343230326361633435636632393938663537396530393131363335326664346334
 3533366238616262366665373638373030393536383962390a626532373431336632366264356261
 31336533663537303964613862336530363335616334313839363333383863323462376135636134
 3963356335393733650a393439336365343132373038393362653136353462646636396430376561
 66633161633434326265376631353734323661643830386437303631386438336536646538326465
 35653864633631656461313235316637383063656164353536336634373663353466346161623731
 38393365313439623261363732393333376266336663303565373866643135396437356339643136
 34303735336365353930353065343234373032363063356133393436383636313038643934663435
 61366635396363613537396563613235303665363230656366353739656364376636356433333766
 34323464343438356262363337303937646561366366386233353338333434633333373464373234
 31323763303366363239353537343966316439656134663033653965613635393562363663323962
 34646238386232616464343162386164626638306439346138336263386537653536336130616638
 39306366663164373235373863366237313933373633613464353364643630386666336134616364
 64363633306465323831623831323139373931393938623233636536636664353839643866393138
 37313261623737346433653535393835356635353662386632373964613832333434303739396164
 61653438326261346464316230656262393466643939636335363662383466616363333265303536
 61663337393038356165316261323035383361666266333665346363623166333434383166653936
 34396636373638656633643135316566663736363931393633393365343161636239306535623935
 38623165393963383131616261383539643234343064306366663434333166353131333431343532
 36363362303131373165646666343938663964323063643363303131336462386431396431323162
 34643539326266333236656130616134616663373966613464663136386239303861