c7a300b922
Some checks failed
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 9m3s
CI / secret-scanning (pull_request) Successful in 3m19s
CI / dependency-scan (pull_request) Successful in 7m13s
CI / sast-scan (pull_request) Successful in 6m38s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Failing after 6m40s
CI / playbook-test (pull_request) Successful in 9m28s
CI / container-scan (pull_request) Successful in 7m59s
CI / sonar-analysis (pull_request) Failing after 1m11s
CI / workflow-summary (pull_request) Successful in 1m11s
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs - Add playbooks/app/: Proxmox app stack provisioning and configuration - Add roles/app_setup: Generic app deployment role (Node.js/systemd) - Add roles/base_os: Base OS hardening role - Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling - Add IP uniqueness validation: Preflight check for duplicate IPs within projects - Add Proxmox-side IP conflict detection: Check existing LXC net0 configs - Update inventories/production/group_vars/all/main.yml: Add pote project config - Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP) - Update .gitignore: Exclude deploy keys, backup files, and other secrets - Update documentation: README, role docs, execution flow guides Security: - All secrets stored in encrypted vault.yml (never committed in plaintext) - Deploy keys excluded via .gitignore - IP conflict guardrails prevent accidental duplicate IP assignments
80 lines
2.3 KiB
Markdown
80 lines
2.3 KiB
Markdown
# Ansible Infrastructure Management
|
|
|
|
Ansible automation for development machines, service hosts, and **Proxmox-managed guests** (LXC-first, with a path for KVM VMs).
|
|
|
|
## Quick start
|
|
|
|
```bash
|
|
# Install Python deps + Ansible collections
|
|
make bootstrap
|
|
|
|
# Edit secrets (Proxmox credentials, SSH public key, etc.)
|
|
make edit-group-vault
|
|
|
|
# Validate the repo
|
|
make test-syntax
|
|
```
|
|
|
|
## Proxmox app projects (LXC-first)
|
|
|
|
This repo can provision and configure **dev/qa/prod guests per application project** using the `app_projects` model.
|
|
|
|
- **Configure projects**: `inventories/production/group_vars/all/main.yml` (`app_projects`)
|
|
- **Configure secrets**: `inventories/production/group_vars/all/vault.yml` (encrypted)
|
|
- **Run end-to-end**:
|
|
|
|
```bash
|
|
make app PROJECT=projectA
|
|
```
|
|
|
|
Other useful entry points:
|
|
|
|
- **Provision only**: `make app-provision PROJECT=projectA`
|
|
- **Configure only**: `make app-configure PROJECT=projectA`
|
|
- **Info / safety**: `make proxmox-info [PROJECT=projectA] [ALL=true] [TYPE=lxc|qemu|all]`
|
|
|
|
Safety notes:
|
|
|
|
- **IP conflict precheck**: provisioning fails if the target IP responds
|
|
(override with `-e allow_ip_conflicts=true` only if you really mean it).
|
|
- **VMID/CTID collision guardrail**: provisioning fails if the VMID exists but the guest name doesn't match
|
|
(override with `-e allow_vmid_collision=true` only if you really mean it).
|
|
- **No destructive playbooks**: this repo intentionally does **not** ship “destroy/decommission” automation.
|
|
|
|
Docs:
|
|
|
|
- `docs/guides/app_stack_proxmox.md`
|
|
- `docs/guides/app_stack_execution_flow.md`
|
|
|
|
## Project structure (relevant paths)
|
|
|
|
```
|
|
ansible/
|
|
├── Makefile
|
|
├── ansible.cfg
|
|
├── collections/requirements.yml
|
|
├── inventories/production/
|
|
│ ├── hosts
|
|
│ ├── group_vars/all/
|
|
│ │ ├── main.yml
|
|
│ │ ├── vault.yml
|
|
│ │ └── vault.example.yml
|
|
│ └── host_vars/
|
|
├── playbooks/
|
|
│ ├── app/
|
|
│ │ ├── site.yml
|
|
│ │ ├── provision_vms.yml
|
|
│ │ ├── configure_app.yml
|
|
│ │ └── proxmox_info.yml
|
|
│ └── site.yml
|
|
└── roles/
|
|
├── proxmox_vm/
|
|
├── base_os/
|
|
├── app_setup/
|
|
└── pote/
|
|
```
|
|
|
|
## Documentation
|
|
|
|
- **Guides**: `docs/guides/`
|
|
- **Reference**: `docs/reference/` |