24 Commits

Author	SHA1	Message	Date
ilia	c3e6caf9e8	refactor-servers-workstations-shell-monitoring (#4) ... ### Summary This PR refactors the playbook layout to reduce duplication and make host intent clearer (servers vs workstations), splits monitoring by host type, and restores full Zsh setup for developers while keeping servers aliases-only. ### Key changes - **New playbooks** - `playbooks/servers.yml`: baseline for server-class hosts (no desktop apps) - `playbooks/workstations.yml`: baseline for dev/desktop/local + **desktop apps only on `desktop` group** - **Monitoring split** - `roles/monitoring_server`: server monitoring + intrusion prevention (includes `fail2ban`, sysstat) - `roles/monitoring_desktop`: desktop-oriented monitoring tooling - Updated playbooks to use the correct monitoring role per host type - **Shell role: server-safe + developer-friendly** - `roles/shell` now supports two modes: - `shell_mode: minimal` (default): aliases-only, does not overwrite `.zshrc` - `shell_mode: full`: installs Oh My Zsh + Powerlevel10k + plugins and deploys a managed `.zshrc` - `playbooks/development.yml` and `playbooks/workstations.yml` use `shell_mode: full` - `playbooks/servers.yml` remains **aliases-only** - **Applications** - Applications role runs only on `desktop` group (via `workstations.yml`) - Removed Brave installs/repo management - Added **CopyQ** to desktop apps (`applications_desktop_packages`) - **Docs + architecture** - Added canonical doc tree under `project-docs/` (overview/architecture/standards/workflow/decisions) - Consolidated architecture docs: `docs/reference/architecture.md` is now a pointer to `project-docs/architecture.md` - Fixed broken doc links by adding the missing referenced pages under `docs/` ### Behavior changes (important) - Desktop GUI apps install **only** on the `desktop` inventory group (not on servers, not on dev VMs unless they are in `desktop`). - Dev/workstation Zsh is now provisioned in **full mode** (managed `.zshrc` + p10k). ### How to test (local CI parity) ```bash make test npm test ``` Optional dry runs (interactive sudo may be required): ```bash make check make check-local ``` ### Rollout guidance - Apply to a single host first: - Workstations: `make workstations HOST=<devhost>` - Servers: `make servers HOST=<serverhost>` - Then expand to group runs. Reviewed-on: #4	2026-01-01 22:11:24 -05:00
ilia	69a39e5e5b	Add POTE app project support and improve IP conflict detection (#3) ... ## Summary This PR adds comprehensive support for deploying the **POTE** application project via Ansible, along with improvements to IP conflict detection and a new app stack provisioning system for Proxmox-managed LXC containers. ## Key Features ### 🆕 New Roles - **`roles/pote`**: Python/venv deployment role for POTE (PostgreSQL, cron jobs, Alembic migrations) - **`roles/app_setup`**: Generic app deployment role (Node.js/systemd) - **`roles/base_os`**: Base OS hardening role ### 🛡️ Safety Improvements - IP uniqueness validation within projects - Proxmox-side IP conflict detection - Enhanced error messages for IP conflicts ### 📦 New Playbooks - `playbooks/app/site.yml`: End-to-end app stack deployment - `playbooks/app/provision_vms.yml`: Proxmox guest provisioning - `playbooks/app/configure_app.yml`: OS + application configuration ## Security - ✅ All secrets stored in encrypted vault.yml - ✅ Deploy keys excluded via .gitignore - ✅ No plaintext secrets committed ## Testing - ✅ POTE successfully deployed to dev/qa/prod environments - ✅ All components validated (Git, PostgreSQL, cron, migrations) Co-authored-by: ilia <ilia@levkin.ca> Reviewed-on: #3	2026-01-01 11:19:54 -05:00
ilia	e897b1a027	Fix: Resolve linting errors and improve firewall configuration (#2) ... - Fix UFW firewall to allow outbound traffic (was blocking all outbound) - Add HOST parameter support to shell Makefile target - Fix all ansible-lint errors (trailing spaces, missing newlines, document starts) - Add changed_when: false to check commands - Fix variable naming (vault_devGPU -> vault_devgpu) - Update .ansible-lint config to exclude .gitea/ and allow strategy: free - Fix NodeSource repository GPG key handling in shell playbook - Add missing document starts to host_vars files - Clean up empty lines in datascience role files Reviewed-on: #2	2025-12-25 16:47:26 -05:00
ilia	c017ec6941	Fix: Update CI workflow to install a fixed version of Trivy for improved reliability and error handling during installation	2025-12-15 15:50:04 -05:00
ilia	9e7ef8159b	Fix: Update CI workflow to disable SCM in SonarScanner configuration for improved analysis accuracy	2025-12-15 15:36:15 -05:00
ilia	3828e04b13	Fix: Update CI workflow to install Git alongside Node.js and enhance SonarScanner installation process with improved error handling	2025-12-15 15:11:36 -05:00
ilia	d6655babd9	Refactor: Simplify connectivity analysis logic by breaking down into smaller helper functions for improved readability and maintainability	2025-12-15 14:55:10 -05:00
ilia	dc94395bbc	Fix: Enhance SonarScanner error handling in CI workflow with detailed failure messages and troubleshooting guidance	2025-12-14 21:35:52 -05:00
ilia	699aaefac3	Fix: Update CI workflow to improve SonarScanner installation process with enhanced error handling and version management	2025-12-14 21:21:26 -05:00
ilia	83a5d988af	Fix: Update ansible-lint configuration to exclude specific paths and skip certain rules for improved linting flexibility	2025-12-14 21:04:45 -05:00
ilia	a45ee496e4	Fix: Update CI workflow to use Ubuntu 22.04 container, install Node.js and SonarScanner with improved methods, and enhance SonarQube connectivity verification	2025-12-14 20:51:36 -05:00
ilia	e54ecfefc1	Fix: Update CI workflow to enhance playbook syntax checking and improve SonarQube connectivity verification	2025-12-14 20:43:28 -05:00
ilia	f20b671e76	Fix: Update CI workflow to use Alpine-based images, install Node.js and Trivy with improved methods, and enhance dependency scanning steps	2025-12-14 20:28:06 -05:00
ilia	d0699d0b7a	Fix: Add SonarQube analysis to CI workflow and update host inventory for production environment	2025-12-14 20:10:38 -05:00
ilia	d4ce0a247d	Fix: Remove artifact upload, update Trivy flags, add workflow summary, and add git to shell role	2025-12-14 14:57:22 -05:00
ilia	0076155ef1	Fix: Improve Trivy installation with multiple fallback methods and better error handling	2025-12-14 09:06:53 -05:00
ilia	67a9b3ca2b	Fix: Check vault encryption header instead of decrypting files	2025-12-13 23:42:06 -05:00
ilia	6d14cf9253	Fix: Install git for Gitleaks and use direct Trivy binary download	2025-12-13 23:37:38 -05:00
ilia	a9ed19c9d2	Fix: Install Node.js in all Ubuntu containers for checkout action	2025-12-13 23:30:42 -05:00
ilia	1a565cc30e	Fix: Change all jobs to use ubuntu-latest label to match runner	2025-12-13 23:24:02 -05:00
ilia	8818de005f	Add comprehensive security scanning: SAST, license check, vault validation, playbook testing, and artifact uploads	2025-12-13 23:19:10 -05:00
ilia	990f886f02	Fix CI workflow: configure markdownlint, fix Node version, add Ansible validation	2025-12-13 23:13:40 -05:00
ilia	f3b34f3c95	Fix CI workflow: configure markdownlint and make link checking non-blocking	2025-12-13 23:06:26 -05:00
ilia	ba7d4eb5b3	Add CI workflow with markdown linting and self-hosted runner job	2025-12-13 23:00:58 -05:00