refactor-servers-workstations-shell-monitoring #4

Merged
ilia merged 14 commits from refactor-servers-workstations-shell-monitoring into master 2026-01-01 22:11:25 -05:00
Owner

Summary

This PR refactors the playbook layout to reduce duplication and make host intent clearer (servers vs workstations), splits monitoring by host type, and restores full Zsh setup for developers while keeping servers aliases-only.

Key changes

  • New playbooks

    • playbooks/servers.yml: baseline for server-class hosts (no desktop apps)
    • playbooks/workstations.yml: baseline for dev/desktop/local + desktop apps only on desktop group
  • Monitoring split

    • roles/monitoring_server: server monitoring + intrusion prevention (includes fail2ban, sysstat)
    • roles/monitoring_desktop: desktop-oriented monitoring tooling
    • Updated playbooks to use the correct monitoring role per host type
  • Shell role: server-safe + developer-friendly

    • roles/shell now supports two modes:
      • shell_mode: minimal (default): aliases-only, does not overwrite .zshrc
      • shell_mode: full: installs Oh My Zsh + Powerlevel10k + plugins and deploys a managed .zshrc
    • playbooks/development.yml and playbooks/workstations.yml use shell_mode: full
    • playbooks/servers.yml remains aliases-only
  • Applications

    • Applications role runs only on desktop group (via workstations.yml)
    • Removed Brave installs/repo management
    • Added CopyQ to desktop apps (applications_desktop_packages)
  • Docs + architecture

    • Added canonical doc tree under project-docs/ (overview/architecture/standards/workflow/decisions)
    • Consolidated architecture docs: docs/reference/architecture.md is now a pointer to project-docs/architecture.md
    • Fixed broken doc links by adding the missing referenced pages under docs/

Behavior changes (important)

  • Desktop GUI apps install only on the desktop inventory group (not on servers, not on dev VMs unless they are in desktop).
  • Dev/workstation Zsh is now provisioned in full mode (managed .zshrc + p10k).

How to test (local CI parity)

make test
npm test

Optional dry runs (interactive sudo may be required):

make check
make check-local

Rollout guidance

  • Apply to a single host first:
    • Workstations: make workstations HOST=<devhost>
    • Servers: make servers HOST=<serverhost>
  • Then expand to group runs.
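An added example, not the project's own files, sketching how the layout described above fits together: the workstation playbook scopes the applications role to the `desktop` group, and the shell role branches on `shell_mode` so that the default never replaces an existing `.zshrc`. Group names, the `full.yml` task file, the templates and the `shell_user`/`shell_user_home` variables are assumptions.

```yaml
# --- playbooks/workstations.yml (illustrative layout, not the project's file)
- name: Workstation baseline (dev, desktop, local)
  hosts: dev:desktop:local          # assumed inventory group names
  become: true
  vars:
    shell_mode: full                # managed .zshrc + Oh My Zsh + p10k
  roles:
    - role: shell
    - role: monitoring_desktop

- name: Desktop GUI applications (never on servers or plain dev VMs)
  hosts: desktop
  become: true
  roles:
    - role: applications

# --- roles/shell/defaults/main.yml
shell_mode: minimal                 # server-safe default: aliases only

# --- roles/shell/tasks/main.yml (shell_user / shell_user_home are assumed vars)
- name: Refuse unknown shell_mode values early
  ansible.builtin.assert:
    that: shell_mode in ['minimal', 'full']
    fail_msg: "shell_mode must be 'minimal' or 'full', got '{{ shell_mode }}'"

- name: Install the alias file (both modes)
  ansible.builtin.template:
    src: aliases.zsh.j2
    dest: "{{ shell_user_home }}/.zsh_aliases"
    owner: "{{ shell_user }}"
    mode: "0644"

- name: Minimal mode - only add a marked source line, never replace .zshrc
  ansible.builtin.blockinfile:
    path: "{{ shell_user_home }}/.zshrc"
    create: true
    owner: "{{ shell_user }}"
    mode: "0644"
    marker: "# {mark} ANSIBLE MANAGED: shell role aliases"
    block: '[ -f ~/.zsh_aliases ] && source ~/.zsh_aliases'
  when: shell_mode == 'minimal'

- name: Full mode - install Oh My Zsh, Powerlevel10k and plugins
  ansible.builtin.include_tasks: full.yml
  when: shell_mode == 'full'

- name: Full mode - deploy the managed .zshrc, backing up any existing one
  ansible.builtin.template:
    src: zshrc.j2
    dest: "{{ shell_user_home }}/.zshrc"
    owner: "{{ shell_user }}"
    mode: "0644"
    backup: true
  when: shell_mode == 'full'
```

Because `backup: true` leaves the previous `.zshrc` beside the managed one, a developer whose customisations were overwritten by the first full-mode run can recover them from the timestamped copy.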
ilia added 7 commits 2025-12-31 23:21:33 -05:00
Add POTE app project support and improve IP conflict detection
Some checks failed
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 9m3s
CI / secret-scanning (pull_request) Successful in 3m19s
CI / dependency-scan (pull_request) Successful in 7m13s
CI / sast-scan (pull_request) Successful in 6m38s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Failing after 6m40s
CI / playbook-test (pull_request) Successful in 9m28s
CI / container-scan (pull_request) Successful in 7m59s
CI / sonar-analysis (pull_request) Failing after 1m11s
CI / workflow-summary (pull_request) Successful in 1m11s
c7a300b922
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs
- Add playbooks/app/: Proxmox app stack provisioning and configuration
- Add roles/app_setup: Generic app deployment role (Node.js/systemd)
- Add roles/base_os: Base OS hardening role
- Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling
- Add IP uniqueness validation: Preflight check for duplicate IPs within projects
- Add Proxmox-side IP conflict detection: Check existing LXC net0 configs
- Update inventories/production/group_vars/all/main.yml: Add pote project config
- Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP)
- Update .gitignore: Exclude deploy keys, backup files, and other secrets
- Update documentation: README, role docs, execution flow guides

Security:
- All secrets stored in encrypted vault.yml (never committed in plaintext)
- Deploy keys excluded via .gitignore
- IP conflict guardrails prevent accidental duplicate IP assignments
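An added example, not the project's own tasks, showing how the two IP guardrails named in this commit can be expressed as Ansible preflight plays: an in-project uniqueness assertion, then a read-only comparison against the `net0` lines of containers that already exist on the Proxmox node. The `pote_hosts` sample data, the `proxmox` inventory host and the `pct` output parsing are assumptions.

```yaml
# Play 1: in-project uniqueness. `pote_hosts` is a constructed sample input
# standing in for the project's group_vars; the duplicate is deliberate.
- name: Preflight - reject duplicate IPs inside the project
  hosts: localhost
  gather_facts: false
  vars:
    pote_hosts:
      pote-app: 10.10.0.21
      pote-db: 10.10.0.22
      pote-cron: 10.10.0.21     # duplicate: this play must fail
  tasks:
    - name: Collect the requested static IPs
      ansible.builtin.set_fact:
        requested_ips: "{{ pote_hosts.values() | list }}"

    - name: Fail when the same IP is requested for two hosts
      ansible.builtin.assert:
        that:
          - requested_ips | unique | length == requested_ips | length
        fail_msg: "Duplicate IP assignment in project: {{ requested_ips | sort }}"

# Play 2: Proxmox-side check. Assumes an inventory host `proxmox` where
# `pct` is available; only read-only commands are run on the node.
- name: Preflight - detect IPs already bound to an LXC net0 interface
  hosts: proxmox
  gather_facts: false
  tasks:
    - name: Read the net0 line of every existing container
      ansible.builtin.shell: |
        set -o pipefail
        for id in $(pct list | awk 'NR > 1 { print $1 }'); do
          pct config "$id" | awk -v id="$id" '/^net0:/ { print id, $0 }'
        done
      args:
        executable: /bin/bash
      register: net0_lines
      changed_when: false

    - name: Extract static IPs from ip=a.b.c.d/prefix fields (DHCP entries match nothing)
      ansible.builtin.set_fact:
        used_ips: "{{ net0_lines.stdout | regex_findall('ip=([0-9.]+)/') }}"

    - name: Fail if a requested IP is already in use on the node
      ansible.builtin.assert:
        that:
          - hostvars['localhost'].requested_ips | intersect(used_ips) | length == 0
        fail_msg: >-
          IP conflict with existing LXC:
          {{ hostvars['localhost'].requested_ips | intersect(used_ips) }}
```

Running both plays before any `proxmox_vm` task means a mistyped address stops the run instead of producing two containers that silently fight over one IP.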
Update CI workflow to exclude example vault files from validation and add host variables for dev02
Some checks failed
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 8m50s
CI / secret-scanning (pull_request) Successful in 2m49s
CI / dependency-scan (pull_request) Successful in 6m8s
CI / sast-scan (pull_request) Successful in 6m31s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Successful in 5m34s
CI / playbook-test (pull_request) Successful in 5m33s
CI / container-scan (pull_request) Failing after 2m51s
CI / sonar-analysis (pull_request) Failing after 1m10s
CI / workflow-summary (pull_request) Successful in 1m11s
9ea1090d02
- Modify CI workflow to filter out example vault files during encryption validation
- Add new host variables for dev02, including sudo configuration and shell user settings
- Disable installation of data science stack components for dev02
Remove Node.js installation step from CI workflow
All checks were successful
CI / lint-and-test (pull_request) Successful in 1m20s
CI / ansible-validation (pull_request) Successful in 5m54s
CI / secret-scanning (pull_request) Successful in 1m39s
CI / dependency-scan (pull_request) Successful in 2m53s
CI / sast-scan (pull_request) Successful in 5m46s
CI / license-check (pull_request) Successful in 1m15s
CI / vault-check (pull_request) Successful in 5m29s
CI / playbook-test (pull_request) Successful in 5m35s
CI / container-scan (pull_request) Successful in 4m49s
CI / sonar-analysis (pull_request) Successful in 1m22s
CI / workflow-summary (pull_request) Successful in 1m11s
c84b0b8260
- Eliminate the installation of Node.js for the checkout action in the CI workflow to streamline the process and reduce unnecessary dependencies.
Add CI skip check for branch name and commit message
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m12s
CI / lint-and-test (pull_request) Has been skipped
CI / ansible-validation (pull_request) Has been skipped
CI / secret-scanning (pull_request) Has been skipped
CI / dependency-scan (pull_request) Has been skipped
CI / sast-scan (pull_request) Has been skipped
CI / license-check (pull_request) Has been skipped
CI / vault-check (pull_request) Has been skipped
CI / playbook-test (pull_request) Has been skipped
CI / container-scan (pull_request) Has been skipped
CI / sonar-analysis (pull_request) Has been skipped
CI / workflow-summary (pull_request) Successful in 1m11s
32479d03f8
- Introduce a new job in the CI workflow to determine if CI should be skipped based on specific patterns in the branch name or commit message.
- Update existing jobs to depend on the skip check, ensuring that CI processes are only executed when necessary.
- Enhance the overall efficiency of the CI pipeline by preventing unnecessary runs for certain commits.
Refactor CI skip check to use a single pattern
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m13s
CI / lint-and-test (pull_request) Has been skipped
CI / ansible-validation (pull_request) Has been skipped
CI / secret-scanning (pull_request) Has been skipped
CI / dependency-scan (pull_request) Has been skipped
CI / sast-scan (pull_request) Has been skipped
CI / license-check (pull_request) Has been skipped
CI / vault-check (pull_request) Has been skipped
CI / playbook-test (pull_request) Has been skipped
CI / container-scan (pull_request) Has been skipped
CI / sonar-analysis (pull_request) Has been skipped
CI / workflow-summary (pull_request) Successful in 1m11s
1b9b801713
- Simplify the CI workflow by consolidating the skip check for both branch names and commit messages to a single case-insensitive pattern: @skipci.
- Remove the previous multiple pattern checks to streamline the logic and improve readability.
- Ensure that the CI process can be effectively skipped based on the new pattern, enhancing overall efficiency.
Add comment to CI skip check job
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m12s
CI / lint-and-test (pull_request) Successful in 1m20s
CI / ansible-validation (pull_request) Successful in 5m49s
CI / secret-scanning (pull_request) Successful in 1m38s
CI / dependency-scan (pull_request) Successful in 2m53s
CI / sast-scan (pull_request) Successful in 5m42s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Successful in 5m34s
CI / playbook-test (pull_request) Successful in 5m35s
CI / container-scan (pull_request) Successful in 4m58s
CI / sonar-analysis (pull_request) Successful in 1m21s
CI / workflow-summary (pull_request) Successful in 1m11s
572af82852
Refactor playbooks: servers/workstations, split monitoring, improve shell
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m18s
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 2m43s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m23s
CI / sast-scan (pull_request) Successful in 2m28s
CI / license-check (pull_request) Successful in 1m20s
CI / vault-check (pull_request) Successful in 2m21s
CI / playbook-test (pull_request) Successful in 2m19s
CI / container-scan (pull_request) Successful in 1m48s
CI / sonar-analysis (pull_request) Successful in 1m26s
CI / workflow-summary (pull_request) Successful in 1m17s
3415340e26
ilia force-pushed refactor-servers-workstations-shell-monitoring from 3415340e26 to a176dd2365 2026-01-01 12:18:50 -05:00
ilia added 1 commit 2026-01-01 12:39:18 -05:00
ilia added 1 commit 2026-01-01 12:47:43 -05:00
ilia added 1 commit 2026-01-01 12:58:05 -05:00
ilia added 1 commit 2026-01-01 13:02:34 -05:00
CI: fix triggers/conditions; make Sonar non-blocking
Some checks failed
CI / skip-ci-check (pull_request) Successful in 1m17s
CI / lint-and-test (pull_request) Successful in 1m22s
CI / ansible-validation (pull_request) Failing after 2m51s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m24s
CI / sast-scan (pull_request) Successful in 2m42s
CI / license-check (pull_request) Failing after 1m23s
CI / vault-check (pull_request) Failing after 2m17s
CI / playbook-test (pull_request) Failing after 2m23s
CI / container-scan (pull_request) Successful in 1m52s
CI / sonar-analysis (pull_request) Failing after 1m16s
CI / workflow-summary (pull_request) Successful in 1m17s
e0996642bc
ilia added 1 commit 2026-01-01 13:08:17 -05:00
CI: avoid vault requirement in lint/tests
Some checks failed
CI / skip-ci-check (pull_request) Successful in 1m17s
CI / lint-and-test (pull_request) Successful in 1m22s
CI / ansible-validation (pull_request) Failing after 2m48s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m24s
CI / sast-scan (pull_request) Successful in 2m34s
CI / license-check (pull_request) Failing after 1m22s
CI / vault-check (pull_request) Failing after 2m20s
CI / playbook-test (pull_request) Failing after 2m19s
CI / container-scan (pull_request) Successful in 1m50s
CI / sonar-analysis (pull_request) Failing after 1m16s
CI / workflow-summary (pull_request) Successful in 1m16s
0322279ab0
ilia added 2 commits 2026-01-01 13:11:18 -05:00
- Upgrade markdownlint-cli2 to version 0.20.0
- Update various dependencies to their latest versions, ensuring compatibility with Node.js 20.x
- Add new dependencies such as string-width and strip-ansi for improved functionality

This change enhances the development environment by keeping dependencies up to date and ensuring compliance with the latest Node.js version requirements.
CI: fix vault file detection; remove plaintext vault
Some checks failed
CI / skip-ci-check (pull_request) Successful in 1m18s
CI / lint-and-test (pull_request) Failing after 1m19s
CI / ansible-validation (pull_request) Failing after 2m51s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m24s
CI / sast-scan (pull_request) Successful in 2m32s
CI / license-check (pull_request) Failing after 1m23s
CI / vault-check (pull_request) Successful in 2m14s
CI / playbook-test (pull_request) Failing after 2m27s
CI / container-scan (pull_request) Successful in 1m49s
CI / sonar-analysis (pull_request) Failing after 1m16s
CI / workflow-summary (pull_request) Successful in 1m17s
c5f01d27de
ilia added 1 commit 2026-01-01 13:15:02 -05:00
inventory: drop become password for root devGPU
Some checks failed
CI / skip-ci-check (pull_request) Successful in 1m17s
CI / lint-and-test (pull_request) Failing after 1m20s
CI / ansible-validation (pull_request) Failing after 2m56s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m24s
CI / sast-scan (pull_request) Successful in 2m32s
CI / license-check (pull_request) Failing after 1m23s
CI / vault-check (pull_request) Successful in 2m17s
CI / playbook-test (pull_request) Failing after 2m21s
CI / container-scan (pull_request) Successful in 1m50s
CI / sonar-analysis (pull_request) Failing after 1m16s
CI / workflow-summary (pull_request) Successful in 1m16s
84ad3fb56a
ilia added 1 commit 2026-01-01 16:31:55 -05:00
CI: fix vault/markdown/license errors
Some checks failed
CI / skip-ci-check (pull_request) Successful in 1m18s
CI / lint-and-test (pull_request) Successful in 1m28s
CI / ansible-validation (pull_request) Failing after 3m4s
CI / secret-scanning (pull_request) Successful in 1m20s
CI / dependency-scan (pull_request) Successful in 1m24s
CI / sast-scan (pull_request) Successful in 2m27s
CI / license-check (pull_request) Failing after 1m22s
CI / vault-check (pull_request) Successful in 2m14s
CI / playbook-test (pull_request) Failing after 2m24s
CI / container-scan (pull_request) Successful in 1m51s
CI / sonar-analysis (pull_request) Failing after 1m17s
CI / workflow-summary (pull_request) Successful in 1m17s
a8c83d6efd
- Remove ANSIBLE_VAULT_PASSWORD_FILE env (invalid /dev/null)
- Fix markdown table spacing in docs/reference/*.md
- Whitelist Python-2.0 license (argparse dependency)
ilia added 1 commit 2026-01-01 21:47:14 -05:00
CI: fix Jinja2 recursion and license check
Some checks failed
CI / skip-ci-check (pull_request) Successful in 1m19s
CI / lint-and-test (pull_request) Successful in 1m22s
CI / ansible-validation (pull_request) Successful in 3m3s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m25s
CI / sast-scan (pull_request) Successful in 2m35s
CI / license-check (pull_request) Failing after 1m23s
CI / vault-check (pull_request) Successful in 2m25s
CI / playbook-test (pull_request) Failing after 2m20s
CI / container-scan (pull_request) Successful in 1m50s
CI / sonar-analysis (pull_request) Failing after 1m16s
CI / workflow-summary (pull_request) Successful in 1m17s
64f7273ddd
- Fix recursive loop in configure_app.yml by using hardcoded defaults
  instead of self-referential variables (app_backend_port, etc.)
- Whitelist BlueOak-1.0.0 license (for sax dependency)
- All make test checks pass locally
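An added illustration, not the project's own `configure_app.yml`, of the self-referential variable pattern this commit removes and the literal-default form that replaces it. Only `app_backend_port` is named in the commit; the other variable names and the vars-block placement are assumptions.

```yaml
# --- Before: a variable defined in terms of itself. Ansible templates lazily,
# so resolving app_backend_port requires app_backend_port first, and the play
# aborts with "recursive loop detected in template string".
app_backend_port: "{{ app_backend_port | default(3000) }}"
app_backend_url: "http://127.0.0.1:{{ app_backend_port }}"

# --- After: plain literal defaults. Callers override them from group_vars,
# host_vars or play vars, which already take precedence, so no self-reference
# is needed to make the value overridable.
app_backend_port: 3000
app_backend_url: "http://127.0.0.1:{{ app_backend_port }}"

# --- If an optional caller-supplied value must still be honoured, derive the
# effective value under a different name instead of re-assigning the same one.
- name: Resolve the effective backend port once
  ansible.builtin.set_fact:
    app_backend_port_effective: "{{ app_backend_port_override | default(3000) | int }}"
```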
ilia added 1 commit 2026-01-01 22:00:27 -05:00
CI: fix remaining errors
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m18s
CI / lint-and-test (pull_request) Successful in 1m23s
CI / ansible-validation (pull_request) Successful in 3m2s
CI / secret-scanning (pull_request) Successful in 1m20s
CI / dependency-scan (pull_request) Successful in 1m24s
CI / sast-scan (pull_request) Successful in 2m39s
CI / license-check (pull_request) Successful in 1m24s
CI / vault-check (pull_request) Successful in 2m19s
CI / playbook-test (pull_request) Successful in 2m25s
CI / container-scan (pull_request) Successful in 1m50s
CI / sonar-analysis (pull_request) Successful in 2m33s
CI / workflow-summary (pull_request) Successful in 1m17s
85e475b36d
- Whitelist 0BSD license (for tslib dependency)
- Fix roles_path to use absolute path: /workspace/ilia/ansible/roles
  (relative 'roles' was searching in wrong directories)
- Add Node.js install step before checkout in sonar-analysis job
  (actions/checkout@v4 requires node runtime)

All make test and npm test checks pass locally
ilia merged commit c3e6caf9e8 into master 2026-01-01 22:11:25 -05:00
ilia deleted branch refactor-servers-workstations-shell-monitoring 2026-01-01 22:11:25 -05:00
Reference: ilia/ansible#4