5 Commits

Author	SHA1	Message	Date
ilia	c2e797a027	feat(app_setup): improve deployment reliability and add mirrormatch support ... - Fix deploy script to handle non-git directories by cloning to temp location and moving contents, preserving .env files during clone - Remove comment lines from env.j2 template to prevent xargs errors - Add initial deploy task to app_setup role to ensure app is deployed before service starts - Fix migrate command precedence to check env-specific overrides first - Add sudo to systemctl restart commands in deploy script - Update documentation with project-specific configuration notes These changes improve deployment reliability for all app projects while adding support for mirrormatch-specific requirements (db:push, seeding). All changes are backward-compatible with existing projects (pote, punimTag).	2026-01-04 16:50:54 -05:00
ilia	c3e6caf9e8	refactor-servers-workstations-shell-monitoring (#4) ... ### Summary This PR refactors the playbook layout to reduce duplication and make host intent clearer (servers vs workstations), splits monitoring by host type, and restores full Zsh setup for developers while keeping servers aliases-only. ### Key changes - **New playbooks** - `playbooks/servers.yml`: baseline for server-class hosts (no desktop apps) - `playbooks/workstations.yml`: baseline for dev/desktop/local + **desktop apps only on `desktop` group** - **Monitoring split** - `roles/monitoring_server`: server monitoring + intrusion prevention (includes `fail2ban`, sysstat) - `roles/monitoring_desktop`: desktop-oriented monitoring tooling - Updated playbooks to use the correct monitoring role per host type - **Shell role: server-safe + developer-friendly** - `roles/shell` now supports two modes: - `shell_mode: minimal` (default): aliases-only, does not overwrite `.zshrc` - `shell_mode: full`: installs Oh My Zsh + Powerlevel10k + plugins and deploys a managed `.zshrc` - `playbooks/development.yml` and `playbooks/workstations.yml` use `shell_mode: full` - `playbooks/servers.yml` remains **aliases-only** - **Applications** - Applications role runs only on `desktop` group (via `workstations.yml`) - Removed Brave installs/repo management - Added **CopyQ** to desktop apps (`applications_desktop_packages`) - **Docs + architecture** - Added canonical doc tree under `project-docs/` (overview/architecture/standards/workflow/decisions) - Consolidated architecture docs: `docs/reference/architecture.md` is now a pointer to `project-docs/architecture.md` - Fixed broken doc links by adding the missing referenced pages under `docs/` ### Behavior changes (important) - Desktop GUI apps install **only** on the `desktop` inventory group (not on servers, not on dev VMs unless they are in `desktop`). - Dev/workstation Zsh is now provisioned in **full mode** (managed `.zshrc` + p10k). ### How to test (local CI parity) ```bash make test npm test ``` Optional dry runs (interactive sudo may be required): ```bash make check make check-local ``` ### Rollout guidance - Apply to a single host first: - Workstations: `make workstations HOST=<devhost>` - Servers: `make servers HOST=<serverhost>` - Then expand to group runs. Reviewed-on: #4	2026-01-01 22:11:24 -05:00
ilia	69a39e5e5b	Add POTE app project support and improve IP conflict detection (#3) ... ## Summary This PR adds comprehensive support for deploying the **POTE** application project via Ansible, along with improvements to IP conflict detection and a new app stack provisioning system for Proxmox-managed LXC containers. ## Key Features ### 🆕 New Roles - **`roles/pote`**: Python/venv deployment role for POTE (PostgreSQL, cron jobs, Alembic migrations) - **`roles/app_setup`**: Generic app deployment role (Node.js/systemd) - **`roles/base_os`**: Base OS hardening role ### 🛡️ Safety Improvements - IP uniqueness validation within projects - Proxmox-side IP conflict detection - Enhanced error messages for IP conflicts ### 📦 New Playbooks - `playbooks/app/site.yml`: End-to-end app stack deployment - `playbooks/app/provision_vms.yml`: Proxmox guest provisioning - `playbooks/app/configure_app.yml`: OS + application configuration ## Security - ✅ All secrets stored in encrypted vault.yml - ✅ Deploy keys excluded via .gitignore - ✅ No plaintext secrets committed ## Testing - ✅ POTE successfully deployed to dev/qa/prod environments - ✅ All components validated (Git, PostgreSQL, cron, migrations) Co-authored-by: ilia <ilia@levkin.ca> Reviewed-on: #3	2026-01-01 11:19:54 -05:00
ilia	e897b1a027	Fix: Resolve linting errors and improve firewall configuration (#2) ... - Fix UFW firewall to allow outbound traffic (was blocking all outbound) - Add HOST parameter support to shell Makefile target - Fix all ansible-lint errors (trailing spaces, missing newlines, document starts) - Add changed_when: false to check commands - Fix variable naming (vault_devGPU -> vault_devgpu) - Update .ansible-lint config to exclude .gitea/ and allow strategy: free - Fix NodeSource repository GPG key handling in shell playbook - Add missing document starts to host_vars files - Clean up empty lines in datascience role files Reviewed-on: #2	2025-12-25 16:47:26 -05:00
ilia	cd12b02147	Add initial project structure with configuration files and playbooks for infrastructure management. Introduce .ansible-lint-ignore to manage linting exceptions for vault files. Create README.md and documentation for setup guides, including Tailscale and monitoring roles. Establish Makefile commands for streamlined execution of playbooks and tasks. Update inventory structure for better organization of hosts and variables.	2025-09-09 21:12:08 -04:00