Initial CV-aligned infrastructure portfolio

Rework portfolio around Linux operations, Zabbix monitoring, migration validation, and ELK/Grafana log observability. Add AAP-style LVM resize workflow, Zabbix server/proxy/agent automation assets, Linux/AIX monitoring templates, and updated validation CI.
2026-05-04 17:37:24 +00:00
commit 35e6b139fc
114 changed files with 6422 additions and 0 deletions
@@ -0,0 +1,48 @@
+# Base Provision Role
+
+Provision basic infrastructure on enterprise nodes with security hardening.
+
+## Features
+
+- **Idempotent**: All tasks use proper idempotency markers (`changed_when`, `failed_when`)
+- **Handlers**: SSH and fail2ban restarts use handlers instead of direct service calls
+- **Variables**: All configuration in `defaults/main.yml` - no hardcoding
+- **Validation**: Pre-flight checks for system requirements
+- **Firewall**: UFW firewall configuration with configurable rules
+- **SSH Security**: Root login disabled, password auth disabled, key-based auth only
+
+## Role Variables
+
+See `defaults/main.yml` for all available variables.
+
+### Key Variables
+
+- `node_timezone`: System timezone (default: UTC)
+- `admin_user`: Admin username for infrastructure access
+- `ssh_port`: SSH service port (default: 22)
+- `base_packages`: List of base packages to install
+- `firewall_enabled`: Enable UFW firewall (default: true)
+- `firewall_allowed_tcp_ports`: Allowed TCP ports for firewall
+
+## Secret Variables
+
+This portfolio demo does not require secrets for offline validation. If you extend it with real passwords or keys, copy `group_vars/vault.example.yml` into an encrypted Ansible Vault file and keep real values out of normal git history.
+
+## Usage
+
+```yaml
+- role: base_provision
+  vars:
+    node_timezone: "Europe/Warsaw"
+    firewall_enabled: true
+```
+
+## Handlers
+
+- `restart sshd`: Restarts SSH service (triggered by config changes)
+- `restart fail2ban`: Restarts fail2ban service (triggered by config changes)
+
+## Tags
+
+- `provision`: All provisioning tasks
+- `base`: Base provision role tasks
@@ -0,0 +1,44 @@
+---
+# Base provisioning configuration
+node_timezone: "UTC"
+admin_user: "infra-admin"
+ssh_port: 22
+ssh_disabled_root_login: true
+ssh_disable_password_auth: true
+
+# Packages to install
+base_packages:
+  - curl
+  - wget
+  - vim
+  - htop
+  - net-tools
+  - iptables
+  - fail2ban
+  - unattended-upgrades
+
+# Firewall rules
+firewall_enabled: true
+firewall_default_policy: deny
+firewall_allowed_tcp_ports:
+  - 22
+  - 80
+  - 443
+
+# Application directories
+app_directories:
+  - path: /opt/application
+    owner: "{{ admin_user }}"
+    group: "{{ admin_user }}"
+    mode: '0755'
+  - path: /var/log/application
+    owner: "{{ admin_user }}"
+    group: "{{ admin_user }}"
+    mode: '0755'
+  - path: /etc/application
+    owner: root
+    group: root
+    mode: '0755'
+
+# Service verification
+services_to_verify: []
@@ -0,0 +1,11 @@
+---
+- name: restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
+- name: restart fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted
+    enabled: true
@@ -0,0 +1,138 @@
+---
+- name: Validate system requirements
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family == "Debian"
+      - ansible_python_version is version('3.6', '>=')
+    fail_msg: "Unsupported system - requires Debian and Python 3.6+"
+
+- name: Update package cache
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+  changed_when: false
+
+- name: Install base packages
+  ansible.builtin.apt:
+    name: "{{ base_packages }}"
+    state: present
+    update_cache: true
+
+- name: Check if admin user exists
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ admin_user }}"
+  register: admin_check
+  failed_when: false
+  changed_when: false
+
+- name: Create admin user
+  ansible.builtin.user:
+    name: "{{ admin_user }}"
+    groups: sudo
+    append: true
+    create_home: true
+    shell: /bin/bash
+  when: admin_check.failed
+
+- name: Configure timezone
+  community.general.timezone:
+    name: "{{ node_timezone }}"
+
+- name: Configure SSH security
+  block:
+    - name: Disable root SSH login
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitRootLogin'
+        line: 'PermitRootLogin no'
+        state: present
+      when: ssh_disabled_root_login
+      notify: restart sshd
+
+    - name: Set SSH port
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^Port'
+        line: "Port {{ ssh_port }}"
+        state: present
+      notify: restart sshd
+
+    - name: Disable password authentication
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        state: present
+      when: ssh_disable_password_auth
+      notify: restart sshd
+
+- name: Configure firewall
+  block:
+    - name: Enable UFW firewall
+      community.general.ufw:
+        state: enabled
+        policy: "{{ firewall_default_policy }}"
+      when: firewall_enabled
+
+    - name: Allow SSH access
+      community.general.ufw:
+        rule: allow
+        port: "{{ ssh_port }}"
+        proto: tcp
+      when: firewall_enabled
+
+    - name: Allow HTTP/HTTPS
+      community.general.ufw:
+        rule: allow
+        port: "{{ item }}"
+        proto: tcp
+      loop: "{{ firewall_allowed_tcp_ports }}"
+      when: firewall_enabled and item not in [ssh_port]
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    backup: true
+    mode: '0644'
+  notify: restart fail2ban
+
+- name: Enable unattended upgrades
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/20auto-upgrades
+    regexp: '^APT::Periodic::Unattended-Upgrade'
+    line: 'APT::Periodic::Unattended-Upgrade "1";'
+    state: present
+
+- name: Create application directories
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  loop: "{{ app_directories }}"
+
+- name: Record role-specific service intent
+  ansible.builtin.debug:
+    msg: "Would configure {{ node_type | default('generic') }} service components in a full lab deployment"
+
+- name: Verify services are running
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop: "{{ services_to_verify }}"
+  when: services_to_verify | length > 0
+  failed_when: false
+
+- name: Run health checks
+  ansible.builtin.uri:
+    url: http://localhost/health
+    method: GET
+    status_code: 200
+  register: health_check
+  failed_when: false
+  ignore_errors: true
+  when: "'webservers' in group_names"
@@ -0,0 +1,14 @@
+# fail2ban configuration
+[DEFAULT]
+bantime = 3600
+findtime = 600
+maxretry = 5
+
+[sshd]
+enabled = true
+port = {{ ssh_port }}
+logpath = /var/log/auth.log
+maxretry = 3
+
+[recidive]
+enabled = true
@@ -0,0 +1,62 @@
+# Decommission Role
+
+Gracefully decommission enterprise infrastructure nodes with comprehensive backup and cleanup.
+
+## Features
+
+- **Confirmation Prompt**: Interactive confirmation before decommissioning
+- **Graceful Shutdown**: Stop services gracefully with connection drain time
+- **Comprehensive Backup**: Archive configurations and data before cleanup
+- **Selective Cleanup**: Only remove items that were deployed
+- **Logging**: Detailed decommissioning logs for audit trail
+- **Notifications**: Optional email notifications on completion
+
+## Role Variables
+
+See `defaults/main.yml` for all available variables.
+
+### Key Variables
+
+- `backup_data`: Backup application data (default: true)
+- `export_config`: Export system configuration (default: true)
+- `graceful_shutdown`: Graceful service shutdown (default: true)
+- `auto_shutdown`: Auto shutdown after decommissioning (default: false)
+- `application_services`: Services to stop
+- `application_packages`: Packages to remove
+- `decommission_notification_email`: Email for notifications (optional)
+
+## Usage
+
+```yaml
+- role: decommission
+  vars:
+    backup_data: true
+    export_config: true
+    auto_shutdown: false
+    decommission_notification_email: "ops@company.com"
+```
+
+## Backup Locations
+
+- Configuration: `/var/backups/decommission-<timestamp>/config/`
+- Data: `/var/backups/decommission-<timestamp>/data/`
+- Report: `/var/log/decommission_report_<timestamp>.log`
+
+## Supported Groups
+
+- `webservers`: Backs up /var/www/html
+- `databases`: Backs up PostgreSQL data
+- `monitoring`: Backs up Prometheus data
+- `loadbalancers`: Loadbalancer cleanup
+
+## Safety Features
+
+- Interactive confirmation before execution
+- Connection drain time before shutdown (30 seconds)
+- Errors are logged but don't stop the process
+- Comprehensive audit log
+
+## Tags
+
+- `decommission`: All decommissioning tasks
+- `cleanup`: Cleanup-related tasks
@@ -0,0 +1,34 @@
+---
+# Decommissioning configuration
+backup_data: true
+export_config: true
+graceful_shutdown: true
+cleanup_inventory: true
+auto_shutdown: false
+shutdown_delay: 10
+
+# Services to stop gracefully
+application_services:
+  - nginx
+  - postgresql
+  - haproxy
+
+# Packages to remove
+application_packages:
+  - nginx
+  - postgresql
+  - haproxy
+  - prometheus
+
+# Directories to archive
+config_paths:
+  - /etc/
+  - /opt/application/
+
+data_paths:
+  - /var/www/html
+  - /var/lib/postgresql
+  - /var/lib/prometheus
+
+# Notification settings
+decommission_notification_email: null
@@ -0,0 +1,177 @@
+---
+- name: Validate decommissioning requirements
+  ansible.builtin.assert:
+    that:
+      - backup_data or not backup_data
+    fail_msg: "Invalid decommissioning configuration"
+
+- name: Pre-decommissioning checks
+  block:
+    - name: Check node health
+      ansible.builtin.uri:
+        url: http://localhost/health
+        method: GET
+        status_code: 200
+      register: health_check
+      failed_when: false
+      ignore_errors: true
+      when: "'webservers' in group_names"
+
+    - name: Create decommissioning backup directory
+      ansible.builtin.file:
+        path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}"
+        state: directory
+        mode: '0755'
+
+    - name: Initialize decommissioning log
+      ansible.builtin.file:
+        path: "/var/log/decommission.log"
+        state: touch
+        mode: '0644'
+        modification_time: now
+        access_time: now
+
+    - name: Log decommissioning start
+      ansible.builtin.lineinfile:
+        path: "/var/log/decommission.log"
+        line: "{{ ansible_date_time.iso8601 }} - Starting decommissioning of {{ inventory_hostname }}"
+        state: present
+
+- name: Graceful application shutdown
+  block:
+    - name: Stop application services
+      ansible.builtin.service:
+        name: "{{ item }}"
+        state: stopped
+      loop: "{{ application_services }}"
+      failed_when: false
+      when: graceful_shutdown
+
+    - name: Wait for connections to drain
+      ansible.builtin.pause:
+        seconds: 30
+      when: graceful_shutdown and ("webservers" in group_names or "loadbalancers" in group_names)
+
+- name: Export and backup data
+  block:
+    - name: Create config export directory
+      ansible.builtin.file:
+        path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/config"
+        state: directory
+        mode: '0755'
+
+    - name: Archive system configuration
+      community.general.archive:
+        path: "{{ config_paths }}"
+        dest: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/config/system_config.tar.gz"
+        format: gz
+      when: export_config
+      failed_when: false  # noqa risky-file-permissions
+
+    - name: Create data backup directory
+      ansible.builtin.file:
+        path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/data"
+        state: directory
+        mode: '0755'
+      when: backup_data
+
+    - name: Backup individual data paths
+      community.general.archive:
+        path: "{{ item }}"
+        dest: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/data/{{ item | regex_replace('/', '_') }}.tar.gz"
+        format: gz
+      loop: "{{ data_paths }}"
+      when: backup_data
+      failed_when: false  # noqa risky-file-permissions
+
+- name: Update monitoring and load balancing
+  block:
+    - name: Remove from load balancer
+      ansible.builtin.debug:
+        msg: "Would remove {{ inventory_hostname }} from load balancer"
+      when: "'webservers' in group_names or 'databases' in group_names"
+
+    - name: Update monitoring alerts
+      ansible.builtin.debug:
+        msg: "Would update monitoring alerts for {{ inventory_hostname }}"
+      when: "'monitoring' not in group_names"
+
+- name: Clean up application
+  block:
+    - name: Remove application directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /opt/application
+        - /var/www/html
+        - /var/lib/postgresql
+        - /var/lib/prometheus
+      failed_when: false
+
+    - name: Remove application packages
+      ansible.builtin.apt:
+        name: "{{ item }}"
+        state: absent
+        purge: true
+      loop: "{{ application_packages }}"
+      failed_when: false
+
+    - name: Clean system logs
+      ansible.builtin.shell: |
+        set -o pipefail
+        find /var/log -name "*.log" -type f -size +0 -exec truncate -s 0 {} \;
+      changed_when: false
+      failed_when: false
+
+    - name: Remove SSH credentials
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /root/.ssh/authorized_keys
+        - /root/.ssh/known_hosts
+        - /home/infra-admin/.ssh/authorized_keys
+      failed_when: false
+
+- name: Generate decommissioning report
+  ansible.builtin.template:
+    src: decommission_report.j2
+    dest: "/var/log/decommission_report_{{ ansible_date_time.iso8601 }}.log"
+    mode: '0644'
+  vars:
+    backup_location: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}"
+
+- name: Send decommissioning notification
+  community.general.mail:
+    host: localhost
+    port: 25
+    to: "{{ decommission_notification_email }}"
+    subject: "Node Decommissioned - {{ inventory_hostname }}"
+    body: |
+      Node {{ inventory_hostname }} has been successfully decommissioned.
+
+      Backup location: /var/backups/decommission-{{ ansible_date_time.iso8601 }}/
+      Services stopped: {{ application_services | join(', ') }}
+      Configuration exported: {{ export_config }}
+      Data backed up: {{ backup_data }}
+
+      See /var/log/decommission_report_{{ ansible_date_time.iso8601 }}.log for details
+  when: decommission_notification_email is defined
+  failed_when: false
+
+- name: Finalize decommissioning
+  block:
+    - name: Log decommissioning completion
+      ansible.builtin.lineinfile:
+        path: "/var/log/decommission.log"
+        line: "{{ ansible_date_time.iso8601 }} - Decommissioning completed for {{ inventory_hostname }}"
+        state: present
+
+    - name: Perform system shutdown
+      ansible.builtin.reboot:
+        msg: "System scheduled for shutdown after decommissioning"
+        delay: "{{ shutdown_delay }}"
+      when: auto_shutdown | bool
+      async: 1
+      poll: 0
@@ -0,0 +1,13 @@
+Decommissioning Report
+======================
+Generated: {{ ansible_date_time.iso8601 }}
+Host: {{ inventory_hostname }}
+
+Status: COMPLETED
+Backup Location: {{ backup_location }}
+
+Configuration Exported: {{ export_config }}
+Data Backed Up: {{ backup_data }}
+Services Stopped: {{ application_services | join(', ') }}
+
+Log Location: /var/log/decommission.log
@@ -0,0 +1,58 @@
+# Hardening Role
+
+Apply security hardening to enterprise infrastructure nodes following CIS benchmarks.
+
+## Features
+
+- **CIS Compliance**: Support for CIS hardening levels 1 and 2
+- **SSH Hardening**: Disable root login, password auth, set auth limits
+- **Firewall Configuration**: UFW with configurable rules
+- **Service Cleanup**: Disable unnecessary services and remove insecure packages
+- **Handlers**: SSH restarts via handlers
+
+## Role Variables
+
+See `defaults/main.yml` for all available variables.
+
+### Key Variables
+
+- `cis_level`: CIS hardening level (1 or 2)
+- `disable_root_login`: Disable root SSH login (default: true)
+- `secure_ssh_config`: Apply SSH security hardening (default: true)
+- `firewall_policy`: Firewall default policy (default: deny)
+- `ssh_max_auth_tries`: Maximum SSH authentication attempts (default: 3)
+- `ssh_client_alive_interval`: SSH client alive interval in seconds (default: 300)
+- `ssh_allowed_networks`: Networks allowed SSH access from
+
+### SSH Allowed Networks
+
+Default trusted networks:
+- 10.0.0.0/8 (Private Class A)
+- 172.16.0.0/12 (Private Class B)
+- 192.168.0.0/16 (Private Class C)
+
+## Usage
+
+```yaml
+- role: hardening
+  vars:
+    cis_level: 1
+    disable_root_login: true
+    ssh_allowed_networks:
+      - 10.0.0.0/8
+      - 203.0.113.0/24
+```
+
+## SSH Configuration Changes
+
+- Root login disabled
+- Password authentication disabled
+- Maximum auth tries: 3
+- Empty passwords prohibited
+- Client alive interval: 300 seconds
+- Client alive count max: 2
+
+## Tags
+
+- `hardening`: All hardening tasks
+- `security`: Security-related tasks
@@ -0,0 +1,35 @@
+---
+# Hardening configuration
+cis_level: 1
+disable_root_login: true
+secure_ssh_config: true
+firewall_policy: deny
+auditd_enabled: true
+selinux_mode: enforcing
+apparmor_enabled: true
+
+# SSH Hardening
+ssh_max_auth_tries: 3
+ssh_client_alive_interval: 300
+ssh_client_alive_count_max: 2
+
+# Firewall rules for SSH (trusted networks)
+ssh_allowed_networks:
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+  - 192.168.0.0/16
+
+# Services to disable
+unnecessary_services:
+  - cups
+  - avahi-daemon
+  - bluetooth
+  - nfs-server
+  - rpcbind
+
+# Packages to remove
+unnecessary_packages:
+  - telnet
+  - rsh-client
+  - talk
+  - ntalk
@@ -0,0 +1,5 @@
+---
+- name: restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
@@ -0,0 +1,7 @@
+---
+# CIS Hardening Level 1 tasks (stub for future expansion)
+# https://www.cisecurity.org/cis-benchmarks/
+
+- name: Check CIS status
+  ansible.builtin.debug:
+    msg: "CIS Hardening Level {{ cis_level }} would be applied here"
@@ -0,0 +1,95 @@
+---
+- name: Validate hardening requirements
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family == "Debian"
+      - cis_level in [1, 2]
+    fail_msg: "Unsupported configuration for hardening"
+
+- name: Apply CIS hardening tasks
+  ansible.builtin.include_tasks: cis_hardening.yml
+  when: cis_level >= 1
+
+- name: Configure SSH hardening
+  block:
+    - name: Disable root SSH login
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitRootLogin'
+        line: 'PermitRootLogin no'
+        state: present
+      when: disable_root_login
+      notify: restart sshd
+
+    - name: Disable password authentication
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        state: present
+      when: secure_ssh_config
+      notify: restart sshd
+
+    - name: Set MaxAuthTries
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^MaxAuthTries'
+        line: "MaxAuthTries {{ ssh_max_auth_tries }}"
+        state: present
+      notify: restart sshd
+
+    - name: Disable empty passwords
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitEmptyPasswords'
+        line: 'PermitEmptyPasswords no'
+        state: present
+      notify: restart sshd
+
+    - name: Set ClientAliveInterval
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^ClientAliveInterval'
+        line: "ClientAliveInterval {{ ssh_client_alive_interval }}"
+        state: present
+      notify: restart sshd
+
+    - name: Set ClientAliveCountMax
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^ClientAliveCountMax'
+        line: "ClientAliveCountMax {{ ssh_client_alive_count_max }}"
+        state: present
+      notify: restart sshd
+
+- name: Configure firewall rules
+  block:
+    - name: Enable firewall
+      community.general.ufw:
+        state: enabled
+        policy: "{{ firewall_policy }}"
+      when: firewall_policy is defined
+
+    - name: Allow SSH from trusted networks
+      community.general.ufw:
+        rule: allow
+        port: '22'
+        proto: tcp
+        from: "{{ item }}"
+      loop: "{{ ssh_allowed_networks }}"
+
+- name: Disable unnecessary services
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: false
+  loop: "{{ unnecessary_services }}"
+  failed_when: false
+
+- name: Remove unnecessary packages
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: absent
+    purge: true
+  loop: "{{ unnecessary_packages }}"
+  failed_when: false
@@ -0,0 +1,45 @@
+# Patching Role
+
+Apply security patches and OS updates to enterprise infrastructure nodes.
+
+## Features
+
+- **Idempotent**: Properly checks for changes with `changed_when`
+- **Patch Window**: Optional enforcement of patch time windows
+- **Pre-patch Backup**: Backs up package list before patching
+- **Smart Reboot**: Automatically detects if reboot is required
+- **Service Restart**: Restarts only necessary services after patching
+- **Health Checks**: Verifies services and runs health endpoint checks
+
+## Role Variables
+
+See `defaults/main.yml` for all available variables.
+
+### Key Variables
+
+- `patch_window_start`: Patch window start time (default: 02:00)
+- `patch_window_end`: Patch window end time (default: 04:00)
+- `enforce_patch_window`: Enforce patch time window (default: true)
+- `patch_security_only`: Apply security updates only (default: true)
+- `backup_before_patch`: Create backup before patching (default: true)
+- `reboot_if_required`: Auto-reboot if required (default: false)
+- `services_to_restart`: Services to restart after patching
+- `critical_services`: Critical services to verify after patching
+
+## Usage
+
+```yaml
+- role: patching
+  vars:
+    patch_security_only: true
+    enforce_patch_window: false
+    reboot_if_required: true
+```
+
+## Report
+
+Patch report is generated at: `/var/log/patch_report_<timestamp>.log`
+
+## Backup Location
+
+Pre-patch backups saved to: `/var/backups/pre-patch-<timestamp>/`
@@ -0,0 +1,20 @@
+---
+# Patching configuration
+patch_window_start: "02:00"
+patch_window_end: "04:00"
+enforce_patch_window: true
+patch_security_only: true
+backup_before_patch: true
+reboot_if_required: false
+reboot_timeout: 300
+
+# Services to restart after patching
+services_to_restart:
+  - sshd
+  - fail2ban
+
+# Services to verify after patching
+critical_services:
+  - systemd-journald
+  - systemd-logind
+  - cron
@@ -0,0 +1,6 @@
+---
+- name: restart patching services
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: restarted
+  loop: "{{ services_to_restart }}"
@@ -0,0 +1,105 @@
+---
+- name: Validate patch window
+  when: enforce_patch_window | bool
+  block:
+    - name: Check current time against patch window
+      ansible.builtin.assert:
+        that:
+          - ansible_date_time.hour | int >= patch_window_start.split(':')[0] | int
+          - ansible_date_time.hour | int < patch_window_end.split(':')[0] | int
+        fail_msg: |
+          Current time {{ ansible_date_time.hour }}:{{ ansible_date_time.minute }} is outside patch window {{ patch_window_start }}-{{ patch_window_end }}
+
+- name: Create pre-patch backup
+  when: backup_before_patch | bool
+  block:
+    - name: Create backup directory
+      ansible.builtin.file:
+        path: "/var/backups/pre-patch-{{ ansible_date_time.iso8601 }}"
+        state: directory
+        mode: '0755'
+
+    - name: Capture current package list
+      ansible.builtin.shell: |
+        set -o pipefail
+        dpkg --get-selections > /var/backups/pre-patch-{{ ansible_date_time.iso8601 }}/packages.list
+      changed_when: false
+
+- name: Check for available updates
+  ansible.builtin.shell: |
+    set -o pipefail
+    apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l
+  register: updates_available_count
+  changed_when: false
+  failed_when: false
+
+- name: Update package cache
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 300
+  changed_when: false
+
+- name: Check if reboot required before patching
+  ansible.builtin.stat:
+    path: /var/run/reboot-required
+  register: reboot_required_before
+  changed_when: false
+
+- name: Apply security updates
+  ansible.builtin.apt:
+    upgrade: dist
+    update_cache: true
+  when: patch_security_only | bool
+  register: apt_update_result
+  notify: restart patching services
+
+- name: Apply all available updates
+  ansible.builtin.apt:
+    upgrade: full
+    update_cache: true
+  when: not (patch_security_only | bool)
+  register: apt_update_result
+  notify: restart patching services
+
+- name: Check if reboot required after patching
+  ansible.builtin.stat:
+    path: /var/run/reboot-required
+  register: reboot_required_after
+  changed_when: false
+
+- name: Verify critical services are running
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop: "{{ critical_services }}"
+  failed_when: false
+
+- name: Run post-patch health checks
+  ansible.builtin.uri:
+    url: http://localhost/health
+    method: GET
+    status_code: 200
+  register: health_check
+  failed_when: false
+  ignore_errors: true
+  when: "'webservers' in group_names"
+
+- name: Set reboot required flag
+  ansible.builtin.set_fact:
+    reboot_required: "{{ reboot_required_after.stat.exists | default(false) }}"
+
+- name: Perform system reboot if required
+  ansible.builtin.reboot:
+    msg: "Rebooting after security patches"
+    timeout: "{{ reboot_timeout }}"
+  when: reboot_required and reboot_if_required | bool
+
+- name: Generate patching report
+  ansible.builtin.template:
+    src: patch_report.j2
+    dest: /var/log/patch_report_{{ ansible_date_time.iso8601 }}.log
+    mode: '0644'
+  vars:
+    updates_applied_count: "{{ apt_update_result.changed | ternary('Yes', 'No') }}"
+    reboot_required_flag: "{{ reboot_required }}"
@@ -0,0 +1,10 @@
+Patching Report
+===============
+Generated: {{ ansible_date_time.iso8601 }}
+Host: {{ inventory_hostname }}
+
+Updates Applied: {{ updates_applied_count }}
+Reboot Required: {{ reboot_required_flag }}
+Services Restarted: {{ services_to_restart | join(', ') }}
+
+Backup Location: /var/backups/pre-patch-{{ ansible_date_time.iso8601 }}/