c7a300b922
Some checks failed
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 9m3s
CI / secret-scanning (pull_request) Successful in 3m19s
CI / dependency-scan (pull_request) Successful in 7m13s
CI / sast-scan (pull_request) Successful in 6m38s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Failing after 6m40s
CI / playbook-test (pull_request) Successful in 9m28s
CI / container-scan (pull_request) Successful in 7m59s
CI / sonar-analysis (pull_request) Failing after 1m11s
CI / workflow-summary (pull_request) Successful in 1m11s
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs - Add playbooks/app/: Proxmox app stack provisioning and configuration - Add roles/app_setup: Generic app deployment role (Node.js/systemd) - Add roles/base_os: Base OS hardening role - Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling - Add IP uniqueness validation: Preflight check for duplicate IPs within projects - Add Proxmox-side IP conflict detection: Check existing LXC net0 configs - Update inventories/production/group_vars/all/main.yml: Add pote project config - Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP) - Update .gitignore: Exclude deploy keys, backup files, and other secrets - Update documentation: README, role docs, execution flow guides Security: - All secrets stored in encrypted vault.yml (never committed in plaintext) - Deploy keys excluded via .gitignore - IP conflict guardrails prevent accidental duplicate IP assignments
33 lines
841 B
YAML
33 lines
841 B
YAML
---
|
|
# Role: base_os
|
|
# Purpose: baseline OS configuration for app guests (packages, appuser, firewall).
|
|
|
|
base_os_packages:
|
|
- git
|
|
- curl
|
|
- ca-certificates
|
|
- openssh-server
|
|
- sudo
|
|
- ufw
|
|
- python3
|
|
- python3-apt
|
|
- nodejs
|
|
- npm
|
|
|
|
base_os_allow_ssh_port: 22
|
|
|
|
# App ports (override per project)
|
|
base_os_backend_port: "{{ app_backend_port | default(3001) }}"
|
|
base_os_frontend_port: "{{ app_frontend_port | default(3000) }}"
|
|
base_os_enable_backend: true
|
|
base_os_enable_frontend: true
|
|
|
|
base_os_user: "{{ appuser_name | default('appuser') }}"
|
|
base_os_user_shell: "{{ appuser_shell | default('/bin/bash') }}"
|
|
base_os_user_groups: "{{ appuser_groups | default(['sudo']) }}"
|
|
base_os_user_ssh_public_key: "{{ appuser_ssh_public_key | default('') }}"
|
|
|
|
# If true, create passwordless sudo for base_os_user.
|
|
base_os_passwordless_sudo: true
|
|
|