ilia
69a39e5e5b
## Summary This PR adds comprehensive support for deploying the **POTE** application project via Ansible, along with improvements to IP conflict detection and a new app stack provisioning system for Proxmox-managed LXC containers. ## Key Features ### 🆕 New Roles - **`roles/pote`**: Python/venv deployment role for POTE (PostgreSQL, cron jobs, Alembic migrations) - **`roles/app_setup`**: Generic app deployment role (Node.js/systemd) - **`roles/base_os`**: Base OS hardening role ### 🛡️ Safety Improvements - IP uniqueness validation within projects - Proxmox-side IP conflict detection - Enhanced error messages for IP conflicts ### 📦 New Playbooks - `playbooks/app/site.yml`: End-to-end app stack deployment - `playbooks/app/provision_vms.yml`: Proxmox guest provisioning - `playbooks/app/configure_app.yml`: OS + application configuration ## Security - ✅ All secrets stored in encrypted vault.yml - ✅ Deploy keys excluded via .gitignore - ✅ No plaintext secrets committed ## Testing - ✅ POTE successfully deployed to dev/qa/prod environments - ✅ All components validated (Git, PostgreSQL, cron, migrations) Co-authored-by: ilia <ilia@levkin.ca> Reviewed-on: #3
85 lines
2.0 KiB
YAML
85 lines
2.0 KiB
YAML
---
|
|
# Role: app_setup
|
|
# Purpose: create app layout, env file, deploy script, and systemd units.
|
|
|
|
- name: Ensure app root directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ app_root }}"
|
|
state: directory
|
|
owner: "{{ app_owner }}"
|
|
group: "{{ app_group }}"
|
|
mode: "0755"
|
|
|
|
- name: Ensure backend directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ app_backend_dir }}"
|
|
state: directory
|
|
owner: "{{ app_owner }}"
|
|
group: "{{ app_group }}"
|
|
mode: "0755"
|
|
when: app_enable_backend | bool
|
|
|
|
- name: Ensure frontend directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ app_frontend_dir }}"
|
|
state: directory
|
|
owner: "{{ app_owner }}"
|
|
group: "{{ app_group }}"
|
|
mode: "0755"
|
|
when: app_enable_frontend | bool
|
|
|
|
- name: Deploy environment file for this env
|
|
ansible.builtin.template:
|
|
src: env.j2
|
|
dest: "{{ app_root }}/.env.{{ app_env }}"
|
|
owner: "{{ app_owner }}"
|
|
group: "{{ app_group }}"
|
|
mode: "0640"
|
|
|
|
- name: Deploy deploy script
|
|
ansible.builtin.template:
|
|
src: deploy_app.sh.j2
|
|
dest: /usr/local/bin/deploy_app.sh
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
|
|
- name: Deploy systemd unit for backend
|
|
ansible.builtin.template:
|
|
src: app-backend.service.j2
|
|
dest: /etc/systemd/system/app-backend.service
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify: Reload systemd
|
|
when: app_enable_backend | bool
|
|
|
|
- name: Deploy systemd unit for frontend
|
|
ansible.builtin.template:
|
|
src: app-frontend.service.j2
|
|
dest: /etc/systemd/system/app-frontend.service
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify: Reload systemd
|
|
when: app_enable_frontend | bool
|
|
|
|
- name: Ensure systemd is reloaded before enabling services
|
|
ansible.builtin.meta: flush_handlers
|
|
|
|
- name: Enable and start backend service
|
|
ansible.builtin.systemd:
|
|
name: app-backend.service
|
|
enabled: true
|
|
state: started
|
|
when: app_enable_backend | bool
|
|
|
|
- name: Enable and start frontend service
|
|
ansible.builtin.systemd:
|
|
name: app-frontend.service
|
|
enabled: true
|
|
state: started
|
|
when: app_enable_frontend | bool
|
|
|
|
|