Initial CV-aligned infrastructure portfolio

Rework portfolio around Linux operations, Zabbix monitoring, migration validation, and ELK/Grafana log observability.

Add AAP-style LVM resize workflow, Zabbix server/proxy/agent automation assets, Linux/AIX monitoring templates, and updated validation CI.

professional-infra/linux-operations-automation/playbooks/decommission.yml

@@ -0,0 +1,34 @@
+---
+- name: Decommission Enterprise Infrastructure Nodes
+  hosts: all
+  become: true
+  gather_facts: true
+
+  pre_tasks:
+    - name: Confirm decommissioning
+      ansible.builtin.pause:
+        prompt: |
+          WARNING: This will decommission {{ inventory_hostname }}
+          Backup Data: {{ backup_data }}
+          Export Config: {{ export_config }}
+
+          Press ENTER to continue or Ctrl+C to cancel
+
+    - name: Display decommissioning information
+      ansible.builtin.debug:
+        msg: |
+          Decommissioning {{ inventory_hostname }}
+          Auto Shutdown: {{ auto_shutdown }}
+          Backup Enabled: {{ backup_data }}
+
+  roles:
+    - role: decommission
+      tags: ['decommission', 'cleanup']
+
+  post_tasks:
+    - name: Display decommissioning summary
+      ansible.builtin.debug:
+        msg: |
+          Decommissioning completed!
+          Host: {{ inventory_hostname }}
+          Backup Location: /var/backups/decommission-{{ ansible_date_time.iso8601 }}/

professional-infra/linux-operations-automation/playbooks/hardening.yml

@@ -0,0 +1,124 @@
+---
+- name: Harden Enterprise Infrastructure Nodes
+  hosts: all
+  become: true
+  gather_facts: true
+
+  pre_tasks:
+    - name: Validate hardening prerequisites
+      ansible.builtin.assert:
+        that:
+          - ansible_os_family == "Debian"
+          - cis_level in [1, 2]
+        fail_msg: "Invalid hardening configuration"
+
+    - name: Display hardening information
+      ansible.builtin.debug:
+        msg: |
+          Hardening {{ inventory_hostname }}
+          CIS Level: {{ cis_level }}
+          Disable Root Login: {{ disable_root_login }}
+
+  roles:
+    - role: hardening
+      tags: ['hardening', 'security']
+
+  post_tasks:
+    - name: Display hardening summary
+      ansible.builtin.debug:
+        msg: |
+          Hardening completed successfully!
+          Host: {{ inventory_hostname }}
+
+      when: ansible_os_family == "Debian"
+
+    - name: Configure auditd
+      when: auditd_enabled
+      block:
+        - name: Install auditd
+          ansible.builtin.apt:
+            name: auditd
+            state: present
+          when: ansible_os_family == "Debian"
+
+        - name: Configure audit rules
+          ansible.builtin.template:
+            src: templates/audit.rules.j2
+            dest: /etc/audit/rules.d/hardening.rules
+            mode: '0644'
+
+        - name: Enable auditd service
+          ansible.builtin.service:
+            name: auditd
+            state: started
+            enabled: true
+
+    - name: Configure AppArmor
+      when: apparmor_enabled and ansible_os_family == "Debian"
+      block:
+        - name: Install apparmor
+          ansible.builtin.apt:
+            name: apparmor
+            state: present
+          when: ansible_os_family == "Debian"
+
+        - name: Enable apparmor service
+          ansible.builtin.service:
+            name: apparmor
+            state: started
+            enabled: true
+
+    - name: Configure sysctl hardening
+      ansible.posix.sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.value }}"
+        state: present
+        reload: true
+      loop:
+        - { key: 'net.ipv4.ip_forward', value: '0' }
+        - { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
+        - { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
+        - { key: 'net.ipv4.tcp_syncookies', value: '1' }
+        - { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
+
+    - name: Set secure file permissions
+      ansible.builtin.file:
+        path: "{{ item }}"
+        mode: '0644'
+        owner: root
+        group: root
+      loop:
+        - /etc/passwd
+        - /etc/group
+        - /etc/shadow
+        - /etc/gshadow
+
+    - name: Lock inactive user accounts
+      ansible.builtin.command: usermod -L "{{ item }}"
+      loop: "{{ inactive_users | default([]) }}"
+      changed_when: false
+
+    - name: Configure password policies
+      community.general.pam_limits:
+        domain: '*'
+        limit_type: hard
+        limit_item: nofile
+        value: 1024
+
+    - name: Generate hardening report
+      ansible.builtin.template:
+        src: templates/hardening_report.j2
+        dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
+        mode: '0644'
+
+  handlers:
+    - name: restart sshd
+      ansible.builtin.service:
+        name: ssh
+        state: restarted
+
+    - name: restart auditd
+      ansible.builtin.service:
+        name: auditd
+        state: restarted
+      when: auditd_enabled

professional-infra/linux-operations-automation/playbooks/lvm_resize.yml

@@ -0,0 +1,149 @@
+---
+- name: AAP-style LVM filesystem resize workflow
+  hosts: all
+  become: true
+  gather_facts: true
+
+  vars:
+    lvm_dry_run: true
+    lvm_vg_name: ""
+    lvm_lv_name: ""
+    lvm_mountpoint: ""
+    lvm_size_request: "+10G"
+    lvm_resize_filesystem: true
+
+  pre_tasks:
+    - name: Validate required survey variables
+      ansible.builtin.assert:
+        that:
+          - lvm_vg_name | length > 0
+          - lvm_lv_name | length > 0
+          - lvm_mountpoint | length > 0
+          - lvm_size_request | length > 0
+        fail_msg: "Required variables: lvm_vg_name, lvm_lv_name, lvm_mountpoint, lvm_size_request"
+
+  tasks:
+    - name: Capture block device layout before resize
+      ansible.builtin.command:
+        argv:
+          - lsblk
+          - --fs
+      register: lvm_lsblk_before
+      changed_when: false
+
+    - name: Capture physical volumes before resize
+      ansible.builtin.command:
+        argv:
+          - pvs
+          - --noheadings
+          - --units
+          - g
+      register: lvm_pvs_before
+      changed_when: false
+
+    - name: Capture volume groups before resize
+      ansible.builtin.command:
+        argv:
+          - vgs
+          - --noheadings
+          - --units
+          - g
+      register: lvm_vgs_before
+      changed_when: false
+
+    - name: Capture logical volumes before resize
+      ansible.builtin.command:
+        argv:
+          - lvs
+          - --noheadings
+          - --units
+          - g
+      register: lvm_lvs_before
+      changed_when: false
+
+    - name: Capture filesystem usage before resize
+      ansible.builtin.command:
+        argv:
+          - df
+          - -hT
+          - "{{ lvm_mountpoint }}"
+      register: lvm_df_before
+      changed_when: false
+
+    - name: Validate target logical volume exists
+      ansible.builtin.command:
+        argv:
+          - lvs
+          - "/dev/{{ lvm_vg_name }}/{{ lvm_lv_name }}"
+      register: lvm_target_check
+      changed_when: false
+
+    - name: Show dry-run resize command
+      ansible.builtin.debug:
+        msg: "DRY RUN: would run lvextend -L {{ lvm_size_request }} /dev/{{ lvm_vg_name }}/{{ lvm_lv_name }}"
+      when: lvm_dry_run | bool
+
+    - name: Extend logical volume
+      ansible.builtin.command:
+        argv:
+          - lvextend
+          - -L
+          - "{{ lvm_size_request }}"
+          - "/dev/{{ lvm_vg_name }}/{{ lvm_lv_name }}"
+      register: lvm_lvextend_result
+      changed_when: true
+      when: not (lvm_dry_run | bool)
+
+    - name: Detect filesystem type
+      ansible.builtin.command:
+        argv:
+          - findmnt
+          - -n
+          - -o
+          - FSTYPE
+          - "{{ lvm_mountpoint }}"
+      register: lvm_fstype
+      changed_when: false
+
+    - name: Resize XFS filesystem
+      ansible.builtin.command:
+        argv:
+          - xfs_growfs
+          - "{{ lvm_mountpoint }}"
+      changed_when: true
+      when:
+        - not (lvm_dry_run | bool)
+        - lvm_resize_filesystem | bool
+        - lvm_fstype.stdout == "xfs"
+
+    - name: Resize ext filesystem
+      ansible.builtin.command:
+        argv:
+          - resize2fs
+          - "/dev/{{ lvm_vg_name }}/{{ lvm_lv_name }}"
+      changed_when: true
+      when:
+        - not (lvm_dry_run | bool)
+        - lvm_resize_filesystem | bool
+        - lvm_fstype.stdout in ["ext2", "ext3", "ext4"]
+
+    - name: Capture filesystem usage after resize
+      ansible.builtin.command:
+        argv:
+          - df
+          - -hT
+          - "{{ lvm_mountpoint }}"
+      register: lvm_df_after
+      changed_when: false
+
+    - name: Report LVM resize evidence
+      ansible.builtin.debug:
+        msg:
+          host: "{{ inventory_hostname }}"
+          dry_run: "{{ lvm_dry_run }}"
+          target: "/dev/{{ lvm_vg_name }}/{{ lvm_lv_name }}"
+          mountpoint: "{{ lvm_mountpoint }}"
+          requested_size: "{{ lvm_size_request }}"
+          filesystem_type: "{{ lvm_fstype.stdout | default('unknown') }}"
+          before_df: "{{ lvm_df_before.stdout_lines }}"
+          after_df: "{{ lvm_df_after.stdout_lines }}"

professional-infra/linux-operations-automation/playbooks/patch.yml

@@ -0,0 +1,31 @@
+---
+- name: Apply Security Patches and Updates
+  hosts: all
+  become: true
+  gather_facts: true
+
+  pre_tasks:
+    - name: Validate patch prerequisites
+      ansible.builtin.assert:
+        that:
+          - ansible_os_family == "Debian"
+        fail_msg: "Patching supported only on Debian-based systems"
+
+    - name: Display patch information
+      ansible.builtin.debug:
+        msg: |
+          Patching {{ inventory_hostname }}
+          Patch Window: {{ patch_window_start }} - {{ patch_window_end }}
+          Security Only: {{ patch_security_only }}
+
+  roles:
+    - role: patching
+      tags: ['patch', 'updates']
+
+  post_tasks:
+    - name: Display patching summary
+      ansible.builtin.debug:
+        msg: |
+          Patching completed!
+          Host: {{ inventory_hostname }}
+          Reboot Required: {{ reboot_required | default(false) }}

professional-infra/linux-operations-automation/playbooks/provision.yml

@@ -0,0 +1,33 @@
+---
+- name: Provision Enterprise Infrastructure Nodes
+  hosts: all
+  become: true
+  gather_facts: true
+
+  pre_tasks:
+    - name: Validate Ansible version
+      ansible.builtin.assert:
+        that:
+          - ansible_version.major >= 2
+          - ansible_version.minor >= 9
+        fail_msg: "Ansible 2.9+ is required"
+
+    - name: Display provisioning information
+      ansible.builtin.debug:
+        msg: |
+          Provisioning {{ inventory_hostname }}
+          OS: {{ ansible_os_family }}
+          Python: {{ ansible_python_version }}
+
+  roles:
+    - role: base_provision
+      tags: ['provision', 'base']
+
+  post_tasks:
+    - name: Generate provisioning summary
+      ansible.builtin.debug:
+        msg: |
+          Provisioning completed successfully!
+          Host: {{ inventory_hostname }}
+          IP: {{ ansible_default_ipv4.address }}
+          OS: {{ ansible_os_family }} {{ ansible_os_version }}