## Summary

This PR adds comprehensive support for deploying the **POTE** application project via Ansible, along with improvements to IP conflict detection and a new app stack provisioning system for Proxmox-managed LXC containers.

## Key Features

### 🆕 New Roles

- **`roles/pote`**: Python/venv deployment role for POTE (PostgreSQL, cron jobs, Alembic migrations)
- **`roles/app_setup`**: Generic app deployment role (Node.js/systemd)
- **`roles/base_os`**: Base OS hardening role

### 🛡️ Safety Improvements

- IP uniqueness validation within projects
- Proxmox-side IP conflict detection
- Enhanced error messages for IP conflicts

### 📦 New Playbooks

- `playbooks/app/site.yml`: End-to-end app stack deployment
- `playbooks/app/provision_vms.yml`: Proxmox guest provisioning
- `playbooks/app/configure_app.yml`: OS + application configuration

## Security

- ✅ All secrets stored in encrypted vault.yml
- ✅ Deploy keys excluded via .gitignore
- ✅ No plaintext secrets committed

## Testing

- ✅ POTE successfully deployed to dev/qa/prod environments
- ✅ All components validated (Git, PostgreSQL, cron, migrations)

Co-authored-by: ilia <ilia@levkin.ca>
Reviewed-on: #3
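The two checks the PR description lists under "Safety Improvements" (IP uniqueness within a project, and a Proxmox-side conflict check) can be illustrated end to end. The following is an added example and not the PR's or the project's own code. It assumes planned hosts are dicts with `name`, `vmid` and `ip` (bare IPv4 or CIDR), that existing guests are keyed by vmid and carry the `net0` (LXC) or `ipconfig0` (cloud-init VM) string exactly as the Proxmox API returns it from `/nodes/<node>/lxc/<vmid>/config` or `/nodes/<node>/qemu/<vmid>/config`, and that only IPv4 `ip=` entries matter (`ip6=` is ignored). All guest data below is constructed for the example.

```python
"""IP conflict detection for planned Proxmox guests (added example, not project code).

Assumptions (not taken from the page):
  - planned hosts: dicts with 'name', 'vmid', 'ip' (bare IPv4 or CIDR);
  - existing guests: {vmid: {"name": ..., "net0": ... or "ipconfig0": ...}}
    using the Proxmox 'k=v,k=v' config string format;
  - only IPv4 'ip=' fields are compared; 'ip6=' is ignored.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Host = Dict[str, object]


def parse_net_config(value: str) -> Dict[str, str]:
    """Split a Proxmox 'k=v,k=v' string (net0, ipconfig0, ...) into a dict."""
    fields: Dict[str, str] = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def static_ip(value: str) -> Optional[ipaddress.IPv4Address]:
    """Static IPv4 address from a net0/ipconfig0 string, or None.

    DHCP, manual and missing 'ip=' entries cannot be compared against a
    planned static address, so they yield None rather than a false conflict.
    """
    ip = parse_net_config(value).get("ip")
    if not ip or ip in ("dhcp", "manual"):
        return None
    addr = ipaddress.ip_interface(ip).ip
    return addr if isinstance(addr, ipaddress.IPv4Address) else None


def find_duplicate_ips(hosts: Iterable[Host]) -> Dict[str, List[str]]:
    """Project-side check: IPs claimed by more than one planned host."""
    claimed: Dict[ipaddress._BaseAddress, List[str]] = {}
    for h in hosts:
        addr = ipaddress.ip_interface(str(h["ip"])).ip
        claimed.setdefault(addr, []).append(str(h["name"]))
    return {str(a): names for a, names in claimed.items() if len(names) > 1}


def find_proxmox_conflicts(hosts: Iterable[Host], existing: Dict[int, Dict[str, str]]
                           ) -> List[Tuple[str, str, int]]:
    """Proxmox-side check: planned IPs already configured on a different guest.

    A guest whose vmid matches the planned host is that host on a re-run, so
    it is not a conflict; this keeps the provisioning play idempotent.
    """
    in_use: Dict[ipaddress.IPv4Address, int] = {}
    for vmid, cfg in existing.items():
        for key in ("net0", "ipconfig0"):
            addr = static_ip(cfg[key]) if key in cfg else None
            if addr is not None:
                in_use[addr] = vmid
    conflicts: List[Tuple[str, str, int]] = []
    for h in hosts:
        addr = ipaddress.ip_interface(str(h["ip"])).ip
        owner = in_use.get(addr)  # type: ignore[arg-type]
        if owner is not None and owner != h["vmid"]:
            conflicts.append((str(h["name"]), str(addr), owner))
    return conflicts


def conflict_report(hosts: List[Host], existing: Dict[int, Dict[str, str]]) -> List[str]:
    """Messages a play would fail with; an empty list means the plan is safe."""
    msgs = []
    for ip, names in sorted(find_duplicate_ips(hosts).items()):
        msgs.append(f"duplicate IP {ip} claimed by {', '.join(names)}")
    for name, ip, vmid in find_proxmox_conflicts(hosts, existing):
        owner = existing[vmid].get("name", "?")
        msgs.append(f"{name}: {ip} is already configured on Proxmox guest {vmid} ({owner})")
    return msgs


# Constructed sample data for the example (not real inventory).
PLANNED_HOSTS: List[Host] = [
    {"name": "pote-dev", "vmid": 201, "ip": "10.0.10.50/24"},
    {"name": "pote-qa", "vmid": 202, "ip": "10.0.10.51/24"},
    {"name": "pote-prod", "vmid": 203, "ip": "10.0.10.52/24"},
    {"name": "app-web", "vmid": 204, "ip": "10.0.10.51/24"},  # duplicate of pote-qa
]
EXISTING_GUESTS: Dict[int, Dict[str, str]] = {
    201: {"name": "pote-dev",     "net0": "name=eth0,bridge=vmbr0,ip=10.0.10.50/24,gw=10.0.10.1,type=veth"},
    150: {"name": "monitoring",   "net0": "name=eth0,bridge=vmbr0,ip=10.0.10.52/24,gw=10.0.10.1,type=veth"},
    151: {"name": "dhcp-box",     "net0": "name=eth0,bridge=vmbr0,ip=dhcp,type=veth"},
    160: {"name": "cloudinit-vm", "ipconfig0": "ip=10.0.10.70/24,gw=10.0.10.1"},
}

if __name__ == "__main__":
    for line in conflict_report(PLANNED_HOSTS, EXISTING_GUESTS):
        print(line)
```

In a real play the `existing` mapping would be built from the API or `pvesh get /nodes/<node>/lxc` plus each guest's config, and `conflict_report` would feed an `ansible.builtin.fail` before any container is created.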
43 lines
1.3 KiB
YAML
```yaml
---
# Example vault values for Proxmox app projects.
#
# Copy required keys into your encrypted vault:
# make edit-group-vault
#
# Never commit real secrets unencrypted.

# Proxmox API
vault_proxmox_host: "10.0.10.201"
vault_proxmox_user: "root@pam"
vault_proxmox_node: "pve"
vault_proxmox_password: "CHANGE_ME"

# Optional token auth (recommended over the root password: an API token can be
# scoped to the privileges the playbooks need and revoked on its own)
# vault_proxmox_token_id: "root@pam!ansible"
# vault_proxmox_token: "CHANGE_ME"

# SSH public key for appuser (workstation key)
vault_ssh_public_key: "ssh-ed25519 AAAA... you@example"

# LXC create bootstrap password (often required by Proxmox)
vault_lxc_root_password: "CHANGE_ME"

# -----------------------------------------------------------------------------
# POTE (python/venv + cron) secrets
# -----------------------------------------------------------------------------
# Private key used for cloning from Gitea (deploy key). Store as a multi-line
# block; the key body must be indented under the "|" block scalar.
vault_pote_git_ssh_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  CHANGE_ME
  -----END OPENSSH PRIVATE KEY-----

# Environment-specific DB passwords (used by roles/pote)
vault_pote_db_password_dev: "CHANGE_ME"
vault_pote_db_password_qa: "CHANGE_ME"
vault_pote_db_password_prod: "CHANGE_ME"

# SMTP password for reports
vault_pote_smtp_password: "CHANGE_ME"
```
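The template's "Never commit real secrets unencrypted" and the PR's "No plaintext secrets committed" are easy to enforce mechanically. The following is an added example, not the project's own tooling: a pre-commit style check that requires a `vault.yml` to carry the `$ANSIBLE_VAULT;1.x;AES256` header, and scans any other YAML for private-key blocks or credential-looking keys holding real values. The file names, placeholder set (`CHANGE_ME` and friends), and sample file contents are constructed for the example; `.example` templates are skipped by assumption, and values that are Jinja references (`{{ vault_... }}`) or inline `!vault` blobs are accepted.

```python
"""Vault hygiene check for Ansible repos (added example, not project code).

Assumed policy (not taken from the page):
  - a file named vault.yml must be Ansible Vault encrypted (header on line 1);
  - *.example templates are exempt (they hold placeholders by design);
  - in any other file, keys that look like credentials may only hold a
    placeholder, a Jinja reference ("{{ ... }}") or an inline "!vault" value;
  - "-----BEGIN ... PRIVATE KEY-----" must never appear in plaintext.
"""
import re
import sys
from typing import List

VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;\S+)?\s*$")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")
SENSITIVE_KEY = re.compile(
    r"^\s*(\w*(?:password|passwd|token|secret|key)\w*)\s*:\s*(.*)$", re.IGNORECASE
)
PLACEHOLDERS = {"", "CHANGE_ME", "changeme", "REPLACE_ME", "|", ">"}  # assumed set


def is_vault_encrypted(text: str) -> bool:
    """True if the file is a whole-file Ansible Vault blob (header on line 1)."""
    first = text.splitlines()[0] if text else ""
    return bool(VAULT_HEADER.match(first))


def check_file(path: str, text: str) -> List[str]:
    """Return findings for one file; an empty list means it may be committed."""
    name = path.rsplit("/", 1)[-1]
    if name.endswith(".example"):
        return []  # templates are expected to contain placeholders only
    if is_vault_encrypted(text):
        return []  # nothing readable to scan
    findings: List[str] = []
    if name == "vault.yml":
        findings.append(f"{path}: vault file is not Ansible Vault encrypted")
    for n, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append(f"{path}:{n}: private key material in plaintext")
        m = SENSITIVE_KEY.match(line)
        if not m or "public" in m.group(1).lower():
            continue  # public keys are not secrets
        value = m.group(2).strip().strip("\"'")
        if value in PLACEHOLDERS or value.startswith("{{") or value.startswith("!vault"):
            continue
        findings.append(f"{path}:{n}: plaintext value for {m.group(1)}")
    return findings


# Constructed sample inputs (no real secrets).
ENCRYPTED_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n66386439653236336462626566653063\n"
PLAINTEXT_VAULT = """---
vault_proxmox_host: "10.0.10.201"
vault_proxmox_password: "hunter2"
vault_ssh_public_key: "ssh-ed25519 AAAA... you@example"
vault_pote_git_ssh_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAA
  -----END OPENSSH PRIVATE KEY-----
vault_pote_db_password_prod: "CHANGE_ME"
vault_pote_smtp_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  31323334
"""
REFERENCING_VARS = 'pote_db_password: "{{ vault_pote_db_password_prod }}"\n'

if __name__ == "__main__":
    # Usage as a pre-commit hook: python check_vault.py $(git diff --cached --name-only)
    problems = []
    for p in sys.argv[1:]:
        with open(p, encoding="utf-8", errors="replace") as fh:
            problems += check_file(p, fh.read())
    for msg in problems:
        print(msg)
    sys.exit(1 if problems else 0)
```

Run against staged paths, a non-zero exit blocks the commit; the same function can run in CI over the whole tree so a vault that was decrypted for editing and never re-encrypted is caught before it is pushed.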