ilia/ansible
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
ansible/roles/base_os/README.md
ilia c7a300b922
Some checks failed
CI / lint-and-test (pull_request) Successful in 1m21s
Details
CI / ansible-validation (pull_request) Successful in 9m3s
Details
CI / secret-scanning (pull_request) Successful in 3m19s
Details
CI / dependency-scan (pull_request) Successful in 7m13s
Details
CI / sast-scan (pull_request) Successful in 6m38s
Details
CI / license-check (pull_request) Successful in 1m16s
Details
CI / vault-check (pull_request) Failing after 6m40s
Details
CI / playbook-test (pull_request) Successful in 9m28s
Details
CI / container-scan (pull_request) Successful in 7m59s
Details
CI / sonar-analysis (pull_request) Failing after 1m11s
Details
CI / workflow-summary (pull_request) Successful in 1m11s
Details
Add POTE app project support and improve IP conflict detection 
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs
- Add playbooks/app/: Proxmox app stack provisioning and configuration
- Add roles/app_setup: Generic app deployment role (Node.js/systemd)
- Add roles/base_os: Base OS hardening role
- Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling
- Add IP uniqueness validation: Preflight check for duplicate IPs within projects
- Add Proxmox-side IP conflict detection: Check existing LXC net0 configs
- Update inventories/production/group_vars/all/main.yml: Add pote project config
- Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP)
- Update .gitignore: Exclude deploy keys, backup files, and other secrets
- Update documentation: README, role docs, execution flow guides

Security:
- All secrets stored in encrypted vault.yml (never committed in plaintext)
- Deploy keys excluded via .gitignore
- IP conflict guardrails prevent accidental duplicate IP assignments
2025-12-28 20:54:50 -05:00

22 lines
710 B
Markdown
Raw Blame History

# `base_os`
Baseline OS configuration for app guests:
- Installs required packages (git/curl/nodejs/npm/ufw/openssh-server/etc.)
- Creates deployment user (default `appuser`) with passwordless sudo
- Adds your authorized SSH key
- Configures UFW to allow SSH + backend/frontend ports
## Variables
See [`defaults/main.yml`](defaults/main.yml). Common inputs in the app stack:
- `appuser_name`, `appuser_groups`, `appuser_shell`
- `appuser_ssh_public_key` (usually `{{ vault_ssh_public_key }}`)
- `components.backend`, `components.frontend` (enable/disable firewall rules per component)
- `app_backend_port`, `app_frontend_port`
This role is used by `playbooks/app/configure_app.yml` after provisioning.
Reference in New Issue View Git Blame Copy Permalink