From d0699d0b7ab8ee5879ba3dc86ffce28f46ed4682 Mon Sep 17 00:00:00 2001
From: ilia
Date: Sun, 14 Dec 2025 20:10:38 -0500
Subject: [PATCH] Fix: Add SonarQube analysis to CI workflow and update host inventory for production environment

---
 .gitea/workflows/ci.yml | 29 ++++++++++++++++++-
 .../production/host_vars/git-ci-01.yml | 8 +++++
 .../production/host_vars/sonarqube-01.yml | 10 +++++++
 inventories/production/hosts | 10 ++++---
 4 files changed, 52 insertions(+), 5 deletions(-)
 create mode 100644 inventories/production/host_vars/git-ci-01.yml
 create mode 100644 inventories/production/host_vars/sonarqube-01.yml

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 5610f70..983257c 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -346,9 +346,35 @@ jobs:
 fi
 continue-on-error: true
+ sonar-analysis:
+ runs-on: ubuntu-latest
+ container:
+ image: sonarsource/sonar-scanner-cli:latest
+ env:
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ steps:
+ - name: Install Node.js for checkout action
+ run: |
+ apt-get update && apt-get install -y curl
+ curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+ apt-get install -y nodejs
+ - name: Check out code
+ uses: actions/checkout@v4
+ - name: Run SonarScanner
+ run: |
+ sonar-scanner \
+ -Dsonar.projectKey=ansible-infra \
+ -Dsonar.sources=. \
+ -Dsonar.host.url=${SONAR_HOST_URL} \
+ -Dsonar.login=${SONAR_TOKEN}
+ continue-on-error: true
+
 workflow-summary:
 runs-on: ubuntu-latest
- needs: [lint-and-test, ansible-validation, secret-scanning, dependency-scan, sast-scan, license-check, vault-check, playbook-test, container-scan]
+ needs: [lint-and-test, ansible-validation, secret-scanning, dependency-scan, sast-scan, license-check, vault-check, playbook-test, container-scan, sonar-analysis]
 if: always()
 steps:
 - name: Generate workflow summary
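Review bot: `-Dsonar.login=${SONAR_TOKEN}` puts the token into the scanner's argv, where it is visible in the container's process list and in any log that echoes the command; the scanner CLI already reads `SONAR_TOKEN` and `SONAR_HOST_URL` from the environment the job sets, so the `-Dsonar.host.url=${SONAR_HOST_URL} \` and `-Dsonar.login=${SONAR_TOKEN}` lines can simply be dropped (`sonar.login` is also deprecated in favour of `sonar.token` on recent scanners — confirm against the server version in use). `sonarsource/sonar-scanner-cli:latest` and `curl -fsSL https://deb.nodesource.com/setup_20.x | bash -` both fetch unpinned code at run time; pinning the image to a digest and installing Node.js from a pinned, checksum-verified package (or using a base image that already ships it) would make the job reproducible and auditable. With `continue-on-error: true` on the scanner step, a failed or never-started analysis should still leave the job green, so `needs.sonar-analysis.result` in the summary reads success either way; if that is intended as a soft launch, say so in a comment on the step.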
@@ -368,6 +394,7 @@ jobs:
 echo "| 🔒 Vault Check | ${{ needs.vault-check.result }} |" >> $GITHUB_STEP_SUMMARY || true
 echo "| 📋 Playbook Test | ${{ needs.playbook-test.result }} |" >> $GITHUB_STEP_SUMMARY || true
 echo "| 🐳 Container Scan | ${{ needs.container-scan.result }} |" >> $GITHUB_STEP_SUMMARY || true
+ echo "| 🔍 SonarQube Analysis | ${{ needs.sonar-analysis.result }} |" >> $GITHUB_STEP_SUMMARY || true
 echo "" >> $GITHUB_STEP_SUMMARY || true
 echo "### 📊 Summary" >> $GITHUB_STEP_SUMMARY || true
 echo "" >> $GITHUB_STEP_SUMMARY || true
diff --git a/inventories/production/host_vars/git-ci-01.yml b/inventories/production/host_vars/git-ci-01.yml
new file mode 100644
index 0000000..5e4549d
--- /dev/null
+++ b/inventories/production/host_vars/git-ci-01.yml
@@ -0,0 +1,8 @@
+# Configure sudo path for git-ci-01
+# Sudo may not be in PATH for non-interactive shells
+ansible_become_exe: /usr/bin/sudo
+ansible_become_method: sudo
+
+# Alternative: if sudo is in a different location, update this
+# ansible_become_exe: /usr/local/bin/sudo
+
diff --git a/inventories/production/host_vars/sonarqube-01.yml b/inventories/production/host_vars/sonarqube-01.yml
new file mode 100644
index 0000000..1300d54
--- /dev/null
+++ b/inventories/production/host_vars/sonarqube-01.yml
@@ -0,0 +1,10 @@
+---
+# SonarQube host configuration
+# Install sudo first, then use sudo for become
+# After sudo is installed, this will work:
+ansible_become: true
+ansible_become_method: sudo
+# Configure shell for ladmin user
+shell_users:
+ - ladmin
+
diff --git a/inventories/production/hosts b/inventories/production/hosts
index 21da9b3..b652536 100644
--- a/inventories/production/hosts
+++ b/inventories/production/hosts
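Review bot: The new `git-ci-01.yml` has no `---` document start, while `sonarqube-01.yml` from the same commit begins with one; add `---` as the first line so both host_vars files pass the same yamllint `document-start` rule. The commented-out `# ansible_become_exe: /usr/local/bin/sudo` line repeats the sentence above it and will drift from the live value; the `# Alternative: if sudo is in a different location, update this` comment alone says the same thing. The file also ends with an empty line after the last comment, which yamllint's `empty-lines` rule reports.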
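Review bot: In `sonarqube-01.yml` the comments `# Install sudo first, then use sudo for become` and `# After sudo is installed, this will work:` describe a manual prerequisite that nothing in the file enforces, so a run against a freshly provisioned host fails on the first task that uses become without the file saying where that bootstrap is supposed to happen. Rewrite them as a stated contract, e.g. `# Prerequisite: sudo is installed and ladmin is in sudoers; bootstrap that before running anything with become.`, and name the playbook that does it if the repository has one. Note too that `git-ci-01.yml` in the same commit sets `ansible_become_exe` without `ansible_become`, while this file does the reverse; if both hosts are built from the same image the two files should agree, otherwise a one-line comment explaining the difference would help the next maintainer.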
@@ -13,13 +13,15 @@ portainerVM ansible_host=10.0.30.69 ansible_user=ladmin
 homepageVM ansible_host=10.0.30.12 ansible_user=homepage
 [vaultwarden]
-vaultwardenVM ansible_host=100.100.19.11 ansible_host_fallback=10.0.10.142 ansible_user=root
+vaultwardenVM ansible_host=10.0.10.142 ansible_user=root
 [dev]
 dev01 ansible_host=10.0.30.105 ansible_user=ladmin
 bottom ansible_host=10.0.10.156 ansible_user=beast
 debianDesktopVM ansible_host=10.0.10.206 ansible_user=user skip_reboot=true
 devGPU ansible_host=10.0.30.63 ansible_user=root
+git-ci-01 ansible_host=10.0.10.223 ansible_user=ladmin
+sonarqube-01 ansible_host=10.0.10.54 ansible_user=ladmin
 [ansible]
 ansibleVM ansible_host=10.0.10.157 ansible_user=master
@@ -28,9 +30,9 @@ ansibleVM ansible_host=10.0.10.157 ansible_user=master
 tailscaleVM ansible_host=100.66.218.53 ansible_user=ladmin
 [services]
-caddy ansible_host=100.117.106.18 ansible_host_fallback=10.0.10.50 ansible_user=root
-jellyfin ansible_host=100.104.109.45 ansible_host_fallback=10.0.10.232 ansible_user=root
-listmonk ansible_host=100.73.190.115 ansible_host_fallback=10.0.10.149 ansible_user=root
+caddy ansible_host=10.0.10.50 ansible_user=root
+jellyfin ansible_host=10.0.10.232 ansible_user=root
+listmonk ansible_host=10.0.10.149 ansible_user=root
 nextcloud ansible_host=10.0.10.25 ansible_user=root
 actual ansible_host=10.0.10.159 ansible_user=root
 n8n ansible_host=10.0.10.158 ansible_user=root
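Review bot: Nothing in the subject line or in the inventory explains why `ansible_host_fallback` is dropped and vaultwardenVM moved from 100.100.19.11 to 10.0.10.142 here (caddy, jellyfin and listmonk get the same treatment in the `[services]` hunk below); if any role or playbook still reads `ansible_host_fallback` — not visible from here — it is now undefined on these hosts, so search for the variable before merging and add a short comment above `[vaultwarden]` or `[services]` recording the reason for the switch. git-ci-01 and sonarqube-01 are added to `[dev]`, although the commit describes them as production CI hosts; a dedicated group such as `[ci]` would keep dev-only group_vars from applying to them and give the SonarQube-specific variables a natural home.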