- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs
- Add playbooks/app/: Proxmox app stack provisioning and configuration
- Add roles/app_setup: Generic app deployment role (Node.js/systemd)
- Add roles/base_os: Base OS hardening role
- Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling
- Add IP uniqueness validation: Preflight check for duplicate IPs within projects
- Add Proxmox-side IP conflict detection: Check existing LXC net0 configs
- Update inventories/production/group_vars/all/main.yml: Add pote project config
- Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP)
- Update .gitignore: Exclude deploy keys, backup files, and other secrets
- Update documentation: README, role docs, execution flow guides

Security:
- All secrets stored in encrypted vault.yml (never committed in plaintext)
- Deploy keys excluded via .gitignore
- IP conflict guardrails prevent accidental duplicate IP assignments
Ansible Infrastructure Management
Ansible automation for development machines, service hosts, and Proxmox-managed guests (LXC-first, with a path for KVM VMs).
Quick start
# Install Python deps + Ansible collections
make bootstrap
# Edit secrets (Proxmox credentials, SSH public key, etc.)
make edit-group-vault
# Validate the repo
make test-syntax
Proxmox app projects (LXC-first)
This repo can provision and configure dev/qa/prod guests per application project using the app_projects model.
- Configure projects: inventories/production/group_vars/all/main.yml (app_projects)
- Configure secrets: inventories/production/group_vars/all/vault.yml (encrypted)
- Run end-to-end: make app PROJECT=projectA
Other useful entry points:
- Provision only: make app-provision PROJECT=projectA
- Configure only: make app-configure PROJECT=projectA
- Info / safety: make proxmox-info [PROJECT=projectA] [ALL=true] [TYPE=lxc|qemu|all]
Safety notes:
- IP conflict precheck: provisioning fails if the target IP already responds on the network (override with -e allow_ip_conflicts=true only if you really mean it).
- VMID/CTID collision guardrail: provisioning fails if the VMID already exists but the existing guest's name doesn't match the one being provisioned (override with -e allow_vmid_collision=true only if you really mean it).
- No destructive playbooks: this repo intentionally does not ship "destroy/decommission" automation.
Docs:
- docs/guides/app_stack_proxmox.md
- docs/guides/app_stack_execution_flow.md
Project structure (relevant paths)
ansible/
├── Makefile
├── ansible.cfg
├── collections/requirements.yml
├── inventories/production/
│ ├── hosts
│ ├── group_vars/all/
│ │ ├── main.yml
│ │ ├── vault.yml
│ │ └── vault.example.yml
│ └── host_vars/
├── playbooks/
│ ├── app/
│ │ ├── site.yml
│ │ ├── provision_vms.yml
│ │ ├── configure_app.yml
│ │ └── proxmox_info.yml
│ └── site.yml
└── roles/
├── proxmox_vm/
├── base_os/
├── app_setup/
└── pote/
Documentation
- Guides: docs/guides/
- Reference: docs/reference/