feat: enhance Ansible and Terraform configurations for improved deployment security and management

regenrek · regenrek · commit 541fb40302f4 · 2025-10-01T01:23:08.000+02:00
- Updated .gitignore to exclude Terraform state files for better repository cleanliness.
- Modified site.yml to run synchronization tasks as the root user for elevated permissions.
- Enhanced vars.example.yml to include ansible_become_flags for sudo command customization.
- Updated hosts.ini with the specific IP address for the Compose host.
- Improved cloud-init.yaml to include password hash management for the deploy user.
- Added deploy_password_hash variable in variables.tf to securely manage the deploy user's password hash.
- Updated README.md to reflect changes in deployment user management and password handling.
diff --git a/.gitignore b/.gitignore
@@ -101,3 +101,8 @@ infra/ansible/group_vars/constructa/vars.yml
 .vault-pass.txt
 # END Ruler Generated Files
 .ex0
+
+# Terraform state files anywhere in the repo
+*.tfstate
+*.tfstate.*
+*.tfstate.backup
diff --git a/infra/ansible/group_vars/constructa/vars.example.yml b/infra/ansible/group_vars/constructa/vars.example.yml
@@ -15,6 +15,7 @@ constructa_deploy_sudo_passwort: 'change-me-deploy-password'
 ansible_become: true
 ansible_become_method: sudo
 ansible_become_password: "{{ constructa_deploy_sudo_passwort }}"
+ansible_become_flags: "-SE"
 
 # Optional: login to image registry before pulling
 constructa_enable_registry_login: false
diff --git a/infra/ansible/inventory/hosts.ini b/infra/ansible/inventory/hosts.ini
@@ -1,4 +1,4 @@
 [constructa]
 # Replace with the reachable hostname or IP of your Compose host
 # example: ex0-dev ansible_user=deploy
-ex0-dev ansible_host=<IP> ansible_user=deploy
+ex0-dev ansible_host=5.75.251.186 ansible_user=deploy
diff --git a/infra/ansible/site.yml b/infra/ansible/site.yml
@@ -109,6 +109,8 @@
 
   tasks:
     - name: Sync compose bundle (excluding .env; rendered from Vault below)
+      become: true
+      become_user: root
       ansible.posix.synchronize:
         src: "{{ playbook_dir }}/../deploy/"
         dest: "{{ constructa_deploy_dir }}/"
diff --git a/infra/hetzner/README.md b/infra/hetzner/README.md
@@ -13,6 +13,8 @@ export TF_VAR_hcloud_token=your-token
 # export TF_VAR_ssh_public_key_path=~/.ssh/id_ed25519.pub
 # required: restrict SSH to your IP/CIDR
 export TF_VAR_allowed_ssh_cidr="203.0.113.42/32"
+# required: set the deploy sudo password hash (SHA-512)
+export TF_VAR_deploy_password_hash="$(python3 -c "import crypt, getpass; pwd=getpass.getpass('deploy password: '); print(crypt.crypt(pwd, crypt.mksalt(crypt.METHOD_SHA512)))")"
 
 terraform init
 terraform apply
@@ -21,7 +23,7 @@ terraform apply
 This provisions a Debian 13 server with:
 
 * **Docker Engine** (incl. buildx + compose plugin)
-* Non-root `${deploy_username}` user (limited sudo; not in `docker` group)
+* Non-root `${deploy_username}` user with a primed sudo password (not in `docker` group)
 * UFW hardened (SSH from your CIDR only; **80/443** open)
 * Fail2ban enabled with an sshd jail
 
@@ -43,4 +45,4 @@ MinIO remains bound to `127.0.0.1:9000/9001` on the host to support SSH tunnels
 For deployment updates, build & push your image, then instruct the server to `docker compose pull && up -d`.
 Use the project CLI (`pnpm run ex0`) for `release`, `deploy`, `deploy-branch`, `logs`, `restart`, and SSH tunnels.
 
-```
+```
diff --git a/infra/hetzner/cloud-init.yaml b/infra/hetzner/cloud-init.yaml
@@ -9,6 +9,12 @@ users:
     ssh_authorized_keys:
       - ${deploy_ssh_pubkey}
 
+chpasswd:
+  expire: false
+  encrypted: true
+  list: |
+    ${deploy_username}:${deploy_password_hash}
+
 package_update: true
 package_upgrade: true
 packages:
diff --git a/infra/hetzner/main.tf b/infra/hetzner/main.tf
@@ -51,8 +51,9 @@ resource "hcloud_server" "app" {
   ssh_keys     = [hcloud_ssh_key.me.id]
   firewall_ids = [hcloud_firewall.app.id]
   user_data    = templatefile("${path.module}/cloud-init.yaml", {
-    deploy_username   = var.deploy_username
-    deploy_ssh_pubkey = local.ssh_pub_key
-    allowed_ssh_cidr  = var.allowed_ssh_cidr
+    deploy_username        = var.deploy_username
+    deploy_ssh_pubkey      = local.ssh_pub_key
+    allowed_ssh_cidr       = var.allowed_ssh_cidr
+    deploy_password_hash   = var.deploy_password_hash
   })
 }
diff --git a/infra/hetzner/variables.tf b/infra/hetzner/variables.tf
@@ -52,3 +52,9 @@ variable "deploy_username" {
   type        = string
   default     = "deploy"
 }
+
+variable "deploy_password_hash" {
+  description = "SHA-512 password hash for the deploy user (used to prime sudo password)."
+  type        = string
+  sensitive   = true
+}
