Implement: Administrative user, keyboard layout, and Ansible variable refactor

This commit introduces several core configurations and structural improvements: * **User Management:** Creates a new `iklim` administrative user with a securely hashed password, enabled by `python3-passlib`. * **System Configuration:** Sets the system keyboard layout to Turkish Q (`trq`). * **Security Hardening:** Refines firewall rules for SSH using a rich rule and ensures `journald` log limits file creation. * **Ansible Variable Management:** Restructures `group_vars` by consolidating global variables into `group_vars/all/vars.yml` and sensitive data into a dedicated `group_vars/all/vault.yml`. * **Ansible Compatibility:** Adds `!unsafe` to a `docker info` shell command to prevent future warnings.
2026-05-11 19:00:31 +03:00 · 2026-05-11 19:00:31 +03:00 · bbeaf97815
commit bbeaf97815
parent 65443e81e7
7 changed files with 60 additions and 39 deletions
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@ -27,6 +27,7 @@
      - chrony
      - python3
      - python3-pip
+      - python3-passlib
      - htop
      - btop
    state: present
@ -44,3 +45,12 @@
 - name: Set hostname
  ansible.builtin.hostname:
    name: "{{ inventory_hostname }}"
+
+- name: Get current keymap
+  ansible.builtin.command: localectl status
+  register: localectl_status
+  changed_when: false
+
+- name: Set keyboard layout to Turkish Q
+  ansible.builtin.command: localectl set-keymap trq
+  when: "'trq' not in localectl_status.stdout"
--- a/ansible/roles/hardening/tasks/main.yml
+++ b/ansible/roles/hardening/tasks/main.yml
@ -44,27 +44,37 @@
    state: started
    enabled: yes

+- name: Allow SSH in firewalld from admin CIDRs
+  ansible.posix.firewalld:
+    rich_rule: 'rule family="ipv4" source address="{{ item }}" service name="ssh" accept'
+    zone: drop
+    state: enabled
+    permanent: yes
+    immediate: yes
+  loop: "{{ admin_allowed_cidrs.split(' ') }}"
+
 - name: Configure firewalld default zone
  ansible.builtin.shell: firewall-cmd --set-default-zone=drop
-  when: ansible_facts.services['firewalld.service'].state == 'running'
  changed_when: false

+- name: Create iklim user
+  ansible.builtin.user:
+    name: iklim
+    password: "{{ iklim_password | password_hash('sha512') }}"
+    groups: wheel
+    append: yes
+    shell: /bin/bash
+    create_home: yes
+    state: present
+
 - name: Configure journald log limits
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
+    create: yes
  loop:
    - { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
    - { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
  notify: Restart journald
-
- name: Allow SSH in firewalld from admin CIDRs
-  ansible.posix.firewalld:
-    service: ssh
-    source: "{{ item }}"
-    state: enabled
-    permanent: yes
-    immediate: yes
-  loop: "{{ admin_allowed_cidrs.split(' ') }}"
--- a/ansible/roles/swarm/tasks/main.yml
+++ b/ansible/roles/swarm/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: Check if Swarm is initialized
-  ansible.builtin.shell: docker info --format '{{.Swarm.LocalNodeState}}'
+  ansible.builtin.shell: !unsafe "docker info --format '{{.Swarm.LocalNodeState}}'"
  register: swarm_status
  changed_when: false

--- a/ansible/test/group_vars/all.yml
+++ b/ansible/test/group_vars/all.yml
@ -1,4 +0,0 @@
-# Global variables for all environments
-storagebox_account: "u469968"
-admin_allowed_cidrs: "127.0.0.1/8" # Overridden in inventory or vault
-timezone: "Europe/Istanbul"
--- a/ansible/test/group_vars/all/vars.yml
+++ b/ansible/test/group_vars/all/vars.yml
@ -1,7 +1,9 @@
-# Test environment specific variables
+storagebox_account: "u469968"
 storagebox_user: "{{ storagebox_account }}-sub4"
 storagebox_url: "https://{{ storagebox_user }}.your-storagebox.de/"
 storagebox_mount_point: "/mnt/storagebox"
+storagebox_password: "{{ vault_storagebox_password }}"
+iklim_password: "{{ vault_iklim_password }}"
 swarm_manager_ip: "10.10.10.11"
 admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32"
-# storagebox_password: "{{ vault_storagebox_password }}" # In test-vault.yml
+timezone: "Europe/Istanbul"
--- a/ansible/test/group_vars/all/vault.yml
+++ b/ansible/test/group_vars/all/vault.yml
@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+32653536356331386232373033363738363336323461363432653031666166343462393737643730
+3162386266326333386533373630663563386337613338310a376137623835333461363662323035
+65636332376331643335323265336439613331613238393363626330313831653233373864313033
+3430303335306366660a636139623264386437383763316665373230643939653039633330623834
+64636564313232626462373638653538393261323031616563653164323961393664656439393639
+37313335313739353564626364313663363038316132633739623338343436303337643162396635
+34323838346664303464396438393534636265636262323364643364323163653464303931626130
+37663138363966386530323133613661316230303362323937313132306236323339323839633139
+34633733333531373233386436313837343364326334386535626262356537376137646163326666
+38306238666639623639393137623266363465313264326566663839303664303233666335663731
+32633232376164383265313835326433366134613230613164373034663931396161623631666236
+37613631353233346464363236383539663461333739396432626638323134383230343163396335
+64363333396130326463316538306162363034353936383063333531396233356437333064613230
+63353337306632323364336233313836663365623436336532623239633434656563666637333636
+31343836353230306461613936383766636138663361343864623466376235666536306133306435
+65666338333465653434386166366633383539323566613935363434363735313231336166626364
+65353033363366386432306434333135653862616635373837376233326262646330326363626134
+32343735386137363334306464383935613531373533363330363635633236313930373865393738
+38363564663066363439396532656236656636646365363038393535303632356364613538353737
+32636434383766343765643634633464353262396466393265643963383634323730343162323837
+39343139613538653531616466303638336133396165646138663463383238616431613563343031
+39333139643033326630343630366630633766383861353663353534633436646363356334626438
+62306661376339343437643732333032373362633062326365666430616634613537316635653465
+64306362386339333562
--- a/ansible/test/group_vars/test-vault.yml
+++ b/ansible/test/group_vars/test-vault.yml
@ -1,22 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-39313733646339343230326361633435636632393938663537396530393131363335326664346334
-3533366238616262366665373638373030393536383962390a626532373431336632366264356261
-31336533663537303964613862336530363335616334313839363333383863323462376135636134
-3963356335393733650a393439336365343132373038393362653136353462646636396430376561
-66633161633434326265376631353734323661643830386437303631386438336536646538326465
-35653864633631656461313235316637383063656164353536336634373663353466346161623731
-38393365313439623261363732393333376266336663303565373866643135396437356339643136
-34303735336365353930353065343234373032363063356133393436383636313038643934663435
-61366635396363613537396563613235303665363230656366353739656364376636356433333766
-34323464343438356262363337303937646561366366386233353338333434633333373464373234
-31323763303366363239353537343966316439656134663033653965613635393562363663323962
-34646238386232616464343162386164626638306439346138336263386537653536336130616638
-39306366663164373235373863366237313933373633613464353364643630386666336134616364
-64363633306465323831623831323139373931393938623233636536636664353839643866393138
-37313261623737346433653535393835356635353662386632373964613832333434303739396164
-61653438326261346464316230656262393466643939636335363662383466616363333265303536
-61663337393038356165316261323035383361666266333665346363623166333434383166653936
-34396636373638656633643135316566663736363931393633393365343161636239306535623935
-38623165393963383131616261383539643234343064306366663434333166353131333431343532
-36363362303131373165646666343938663964323063643363303131336462386431396431323162
-34643539326266333236656130616134616663373966613464663136386239303861