f5e32afd81
Some checks failed
CI / lint-and-test (pull_request) Failing after 1m20s
CI / ansible-validation (pull_request) Successful in 6m40s
CI / secret-scanning (pull_request) Successful in 2m36s
CI / dependency-scan (pull_request) Successful in 6m12s
CI / sast-scan (pull_request) Successful in 6m48s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Failing after 6m13s
CI / playbook-test (pull_request) Successful in 6m34s
CI / container-scan (pull_request) Successful in 6m57s
CI / sonar-analysis (pull_request) Failing after 1m10s
CI / workflow-summary (pull_request) Successful in 1m11s
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs - Add playbooks/app/: Proxmox app stack provisioning and configuration - Add roles/app_setup: Generic app deployment role (Node.js/systemd) - Add roles/base_os: Base OS hardening role - Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling - Add IP uniqueness validation: Preflight check for duplicate IPs within projects - Add Proxmox-side IP conflict detection: Check existing LXC net0 configs - Update inventories/production/group_vars/all/main.yml: Add pote project config - Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP) - Update .gitignore: Exclude deploy keys, backup files, and other secrets - Update documentation: README, role docs, execution flow guides Security: - All secrets stored in encrypted vault.yml (never committed in plaintext) - Deploy keys excluded via .gitignore - IP conflict guardrails prevent accidental duplicate IP assignments
8.5 KiB
8.5 KiB
Architecture Overview
Technical architecture and design of the Ansible infrastructure management system.
System Architecture
┌─────────────────────────────────────────────────────────────┐
│ Control Machine |
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Ansible │ │ Makefile │ │ Vault │ │
│ │ Engine │ │ Automation │ │ Secrets │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────┬───────────────────────────────────────┘
│ SSH + Tailscale VPN
┌─────────────────┴──────────────────────────────┐
│ │
┌───▼────────┐ ┌──────────────┐ ┌─────────────────▼────────┐
│ Dev │ │ Service │ │ Infrastructure │
│ Machines │ │ VMs │ │ VMs │
├────────────┤ ├──────────────┤ ├──────────────────────────┤
│ • dev01 │ │ • giteaVM │ │ • Proxmox Controller │
│ • bottom │ │ • portainerVM│ │ • Future VMs │
│ • desktop │ │ • homepageVM │ │ │
└────────────┘ └──────────────┘ └──────────────────────────┘
Network Topology
Physical Network
- LAN: 192.168.1.0/24 (typical home/office network)
- Proxmox Host: Hypervisor for VM management
- Physical Machines: Direct network access
Tailscale Overlay Network
- Mesh VPN: Secure peer-to-peer connections
- 100.x.x.x: Tailscale IP range
- Zero-config: Automatic NAT traversal
- End-to-end encryption: WireGuard protocol
Host Groups
Development (dev)
Purpose: Developer workstations and environments
- Hosts: dev01, bottom, debianDesktopVM
- OS: Debian/Ubuntu
- Roles: Full development stack
Services
Purpose: Self-hosted services and applications
Gitea (gitea)
- Host: giteaVM
- OS: Alpine Linux (lightweight)
- Service: Git repository hosting
Portainer (portainer)
- Host: portainerVM
- OS: Alpine Linux
- Service: Container management UI
Homepage (homepage)
- Host: homepageVM
- OS: Debian
- Service: Service dashboard
Infrastructure (ansible)
Purpose: Ansible control and automation
- Host: Ansible controller VM
- OS: Ubuntu Server
- Service: Infrastructure automation
Local (local)
Purpose: Local machine management
- Host: localhost
- Connection: Local (no SSH)
Playbook Architecture
Core Playbooks
playbooks/development.yml # Development environment setup
├── roles/maintenance # System updates
├── roles/base # Core packages
├── roles/ssh # SSH hardening
├── roles/user # User management
├── roles/development # Dev tools
├── roles/shell # Shell config
├── roles/docker # Container platform
├── roles/applications # Desktop apps
├── roles/snap # Snap packages
├── roles/tailscale # VPN setup
├── roles/monitoring # Monitoring tools
playbooks/local.yml # Local machine
├── roles/base
├── roles/shell
├── roles/development
└── roles/tailscale
playbooks/maintenance.yml # System maintenance
└── roles/maintenance
playbooks/tailscale.yml # VPN deployment
└── roles/tailscale
playbooks/infrastructure/proxmox-vm.yml # KVM VM provisioning (controller VM, etc.)
└── roles/proxmox_vm
playbooks/app/site.yml # Proxmox app stack (LXC-first)
├── playbooks/app/provision_vms.yml # Proxmox API provisioning (LXC/KVM)
└── playbooks/app/configure_app.yml # Guest OS + app configuration over SSH
Role Dependencies
base
├── Required by: all other roles
├── Provides: core utilities, security tools
└── Dependencies: none
ssh
├── Required by: secure access
├── Provides: hardened SSH, firewall
└── Dependencies: base
user
├── Required by: system access
├── Provides: user accounts, sudo
└── Dependencies: base
development
├── Required by: coding tasks
├── Provides: git, nodejs, python
└── Dependencies: base
docker
├── Required by: containerization
├── Provides: Docker CE, compose
└── Dependencies: base
tailscale
├── Required by: secure networking
├── Provides: mesh VPN
└── Dependencies: base
Data Flow
Configuration Management
- Variables →
inventories/production/group_vars/all/main.yml - Secrets →
inventories/production/group_vars/all/vault.yml(encrypted) - Host Config →
inventories/production/host_vars/<hostname>.yml - Role Defaults → roles/*/defaults/main.yml
- Tasks → roles/*/tasks/main.yml
- Templates → roles//templates/.j2
- Handlers → roles/*/handlers/main.yml
Execution Flow
make command
↓
Makefile target
↓
ansible-playbook
↓
Inventory + Variables
↓
Role execution
↓
Task processing
↓
Handler notification
↓
Result reporting
Security Architecture
Defense in Depth
Network Layer
- Tailscale VPN: Encrypted mesh network
- UFW Firewall: Default deny, explicit allow
- SSH Hardening: Key-only, rate limiting
Application Layer
- Fail2ban: Intrusion prevention
- Package signing: GPG verification
- Service isolation: Docker containers
Data Layer
- Ansible Vault: Encrypted secrets
- SSH Keys: Ed25519 cryptography
Access Control
User → SSH Key → Jump Host → Tailscale → Target Host
↓ ↓ ↓ ↓
Ed25519 Bastion WireGuard Firewall
Encryption Rules
Storage Architecture
Configuration Storage
/etc/ # System configuration
/opt/ # Application data
/usr/local/ # Custom scripts
/var/log/ # Logs and audit trails
Monitoring Architecture
System Monitoring
- btop/htop: Process monitoring
- iotop: I/O monitoring
- nethogs: Network per-process
- Custom dashboards: sysinfo, netinfo
Log Management
- logwatch: Daily summaries
- journald: System logs
- fail2ban: Security logs
Scalability Considerations
Horizontal Scaling
- Add hosts to inventory groups
- Parallel execution with ansible forks
- Role reusability across environments
Vertical Scaling
- Proxmox VM resource adjustment
- Docker resource limits
- Service-specific tuning
Technology Stack
Core Technologies
- Ansible: 2.9+ (Configuration management)
- Python: 3.x (Ansible runtime)
- Jinja2: Templating engine
- YAML: Configuration format
Target Platforms
- Debian: 11+ (Bullseye, Bookworm)
- Ubuntu: 20.04+ (Focal, Jammy, Noble)
- Alpine: 3.x (Lightweight containers)
Service Technologies
- Docker: Container runtime
- Tailscale: Mesh VPN
- SystemD: Service management
- UFW: Firewall management
Best Practices
Code Organization
- One role = one responsibility
- Idempotent tasks
- Proper handler usage
- Template for configuration
- Defaults for flexibility
Security
- Vault for all secrets
- Least privilege principle
- Regular updates
- Audit logging
- Network segmentation
Operations
- Test in check mode
- Use tags for selective runs
- Document changes
- Version control everything
- Monitor and alert