f5e32afd81
Some checks failed
CI / lint-and-test (pull_request) Failing after 1m20s
CI / ansible-validation (pull_request) Successful in 6m40s
CI / secret-scanning (pull_request) Successful in 2m36s
CI / dependency-scan (pull_request) Successful in 6m12s
CI / sast-scan (pull_request) Successful in 6m48s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Failing after 6m13s
CI / playbook-test (pull_request) Successful in 6m34s
CI / container-scan (pull_request) Successful in 6m57s
CI / sonar-analysis (pull_request) Failing after 1m10s
CI / workflow-summary (pull_request) Successful in 1m11s
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs - Add playbooks/app/: Proxmox app stack provisioning and configuration - Add roles/app_setup: Generic app deployment role (Node.js/systemd) - Add roles/base_os: Base OS hardening role - Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling - Add IP uniqueness validation: Preflight check for duplicate IPs within projects - Add Proxmox-side IP conflict detection: Check existing LXC net0 configs - Update inventories/production/group_vars/all/main.yml: Add pote project config - Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP) - Update .gitignore: Exclude deploy keys, backup files, and other secrets - Update documentation: README, role docs, execution flow guides Security: - All secrets stored in encrypted vault.yml (never committed in plaintext) - Deploy keys excluded via .gitignore - IP conflict guardrails prevent accidental duplicate IP assignments
78 lines
2.3 KiB
Markdown
78 lines
2.3 KiB
Markdown
# Ansible Infrastructure Management
|
||
|
||
Ansible automation for development machines, service hosts, and **Proxmox-managed guests** (LXC-first, with a path for KVM VMs).
|
||
|
||
## Quick start
|
||
|
||
```bash
|
||
# Install Python deps + Ansible collections
|
||
make bootstrap
|
||
|
||
# Edit secrets (Proxmox credentials, SSH public key, etc.)
|
||
make edit-group-vault
|
||
|
||
# Validate the repo
|
||
make test-syntax
|
||
```
|
||
|
||
## Proxmox app projects (LXC-first)
|
||
|
||
This repo can provision and configure **dev/qa/prod guests per application project** using the `app_projects` model.
|
||
|
||
- **Configure projects**: `inventories/production/group_vars/all/main.yml` (`app_projects`)
|
||
- **Configure secrets**: `inventories/production/group_vars/all/vault.yml` (encrypted)
|
||
- **Run end-to-end**:
|
||
|
||
```bash
|
||
make app PROJECT=projectA
|
||
```
|
||
|
||
Other useful entry points:
|
||
|
||
- **Provision only**: `make app-provision PROJECT=projectA`
|
||
- **Configure only**: `make app-configure PROJECT=projectA`
|
||
- **Info / safety**: `make proxmox-info [PROJECT=projectA] [ALL=true] [TYPE=lxc|qemu|all]`
|
||
|
||
Safety notes:
|
||
|
||
- **IP conflict precheck**: provisioning fails if the target IP responds (override with `-e allow_ip_conflicts=true` only if you really mean it).
|
||
- **VMID/CTID collision guardrail**: provisioning fails if the VMID exists but the guest name doesn’t match (override with `-e allow_vmid_collision=true` only if you really mean it).
|
||
- **No destructive playbooks**: this repo intentionally does **not** ship “destroy/decommission” automation.
|
||
|
||
Docs:
|
||
|
||
- `docs/guides/app_stack_proxmox.md`
|
||
- `docs/guides/app_stack_execution_flow.md`
|
||
|
||
## Project structure (relevant paths)
|
||
|
||
```
|
||
ansible/
|
||
├── Makefile
|
||
├── ansible.cfg
|
||
├── collections/requirements.yml
|
||
├── inventories/production/
|
||
│ ├── hosts
|
||
│ ├── group_vars/all/
|
||
│ │ ├── main.yml
|
||
│ │ ├── vault.yml
|
||
│ │ └── vault.example.yml
|
||
│ └── host_vars/
|
||
├── playbooks/
|
||
│ ├── app/
|
||
│ │ ├── site.yml
|
||
│ │ ├── provision_vms.yml
|
||
│ │ ├── configure_app.yml
|
||
│ │ └── proxmox_info.yml
|
||
│ └── site.yml
|
||
└── roles/
|
||
├── proxmox_vm/
|
||
├── base_os/
|
||
├── app_setup/
|
||
└── pote/
|
||
```
|
||
|
||
## Documentation
|
||
|
||
- **Guides**: `docs/guides/`
|
||
- **Reference**: `docs/reference/` |