Centralize and manage multiple administrator SSH public keys for server access and streamline administrative tasks.
This change:
- Allows provisioning of multiple admin SSH keys to the `iklim` user for human access.
- Adds the same admin SSH keys to the `root` user for emergency or bootstrap scenarios.
- Grants the `iklim` user passwordless sudo privileges to simplify administrative operations.
- Replaces the single `admin_ssh_public_key_path` variable with a list of keys, accommodating multiple administrators.
Refactor StorageBox mount logic for greater stability and consistent remounts by utilizing shell commands. Enable `user_allow_other` for davfs2 mounts in `/etc/fuse.conf` and `fstab`, ensuring non-root container access to mounted files.
Standardize SWAG configuration directory provisioning to include specific subdirectories for DNS, proxy, and Certbot files. Streamline local `/opt/iklimco` directory creation on app and db nodes, removing obsolete paths and consolidating relevant service directories.
- Ensure consistent directory and file permissions on StorageBox mounts for improved container access across application and database services.
- Introduce application-specific `storagebox_uid`/`gid` variables for more granular ownership control.
- Enhance StorageBox mount reliability by adding systemd reload and remount handlers for configuration changes.
- Add root credentials to Patroni's etcd configuration for authenticated communication.
- Update all relevant documentation and deployment scripts to use the `iklimco` Docker stack name for database services.
- Re-encrypt production vault secrets to include the new etcd password.
- Synchronized environment-specific settings with the new isolated architecture.
- Updated network and storage definitions to match the latest Swarm stack requirements.
- Harmonized configuration templates for consistent cross-environment deployment.
Document and commit the production bootstrap state after the initial Hetzner and Ansible rollout.
- switch Ansible prod runbooks to use the shared vault password file
- record production admin CIDRs, SSH key path, encrypted group vault, and encrypted per-host vault files
- add generated production inventory and the prod setup history notes from the first bootstrap
- keep root password login disabled while preserving key-based root access for Ansible bootstrap continuity
- document separate Hetzner projects and tokens for test/prod and commit the prod provider lock file
- remove the private Redis firewall allowance from the prod Terraform firewall and matching setup docs
