mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

feat: Add comprehensive enterprise Linux infrastructure portfolio with Ansible, Python, and ELK stack
CI Pipeline / lint-ansible (push) Waiting to run
Details
CI Pipeline / test-python (push) Waiting to run
Details
CI Pipeline / validate-docker (push) Waiting to run
Details
CI Pipeline / security-scan (push) Waiting to run
Details
CI Pipeline / documentation (push) Waiting to run
Details
CI Pipeline / integration-test (push) Blocked by required conditions
Details

Browse Source
This commit is contained in:
Mateusz Suski
2026-04-29 23:14:14 +00:00
parent 2313efac88
commit 7757020014
33 changed files with 6165 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
enterprise-infra-simulator/playbooks/decommission.yml
+181
View File
@@ -0,0 +1,181 @@
---
- name: Decommission Enterprise Infrastructure Nodes
hosts: all
become: true
gather_facts: true
vars:
backup_data: true
export_config: true
graceful_shutdown: true
cleanup_inventory: true
pre_tasks:
- name: Check node health before decommissioning
uri:
url: http://localhost/health
method: GET
status_code: 200
register: health_check
ignore_errors: true
when: "'webservers' in group_names"
- name: Create decommissioning backup directory
file:
path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}"
state: directory
mode: '0755'
- name: Log decommissioning start
lineinfile:
path: "/var/log/decommission.log"
line: "{{ ansible_date_time.iso8601 }} - Starting decommissioning of {{ inventory_hostname }}"
create: yes
tasks:
- name: Stop application services gracefully
service:
name: "{{ item }}"
state: stopped
loop: "{{ application_services | default(['nginx', 'postgresql', 'haproxy']) }}"
ignore_errors: true
when: graceful_shutdown
- name: Wait for connections to drain
pause:
seconds: 30
when: graceful_shutdown and "'webservers' in group_names or 'loadbalancers' in group_names"
- name: Export configuration files
block:
- name: Create config export directory
file:
path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/config"
state: directory
- name: Archive system configuration
archive:
path:
- /etc/
- /opt/application/
dest: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/config/system_config.tar.gz"
format: gz
- name: Export service configurations
command: >
tar -czf /var/backups/decommission-{{ ansible_date_time.iso8601 }}/config/services.tar.gz
/etc/nginx /etc/postgresql /etc/haproxy
ignore_errors: true
when: export_config
- name: Backup application data
block:
- name: Create data backup directory
file:
path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/data"
state: directory
- name: Backup database data
command: >
pg_dumpall -U postgres > /var/backups/decommission-{{ ansible_date_time.iso8601 }}/data/database_backup.sql
ignore_errors: true
when: "'databases' in group_names"
- name: Backup application files
archive:
path: "/var/www/html"
dest: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/data/application_data.tar.gz"
format: gz
ignore_errors: true
when: "'webservers' in group_names"
- name: Backup monitoring data
archive:
path: "/var/lib/prometheus"
dest: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/data/monitoring_data.tar.gz"
format: gz
ignore_errors: true
when: "'monitoring' in group_names"
when: backup_data
- name: Remove from load balancer
include_tasks: tasks/remove_from_lb.yml
when: "'webservers' in group_names or 'databases' in group_names"
- name: Update monitoring alerts
include_tasks: tasks/update_monitoring.yml
when: "'monitoring' not in group_names"
- name: Clean up application directories
file:
path: "{{ item }}"
state: absent
loop:
- /opt/application
- /var/www/html
- /var/lib/postgresql
- /var/lib/prometheus
ignore_errors: true
- name: Remove application packages
apt:
name: "{{ item }}"
state: absent
purge: yes
loop: "{{ application_packages | default(['nginx', 'postgresql', 'haproxy', 'prometheus']) }}"
when: ansible_os_family == "Debian"
ignore_errors: true
- name: Clean up system logs
command: >
find /var/log -name "*.log" -type f -exec truncate -s 0 {} \;
ignore_errors: true
- name: Remove SSH keys and known hosts
file:
path: "{{ item }}"
state: absent
loop:
- /root/.ssh/authorized_keys
- /root/.ssh/known_hosts
- /home/infra-admin/.ssh/authorized_keys
ignore_errors: true
- name: Generate decommissioning report
template:
src: templates/decommission_report.j2
dest: "/var/log/decommission_report_{{ ansible_date_time.iso8601 }}.log"
vars:
decommission_status: "SUCCESS"
backup_location: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}"
post_tasks:
- name: Send decommissioning notification
mail:
to: "{{ decommission_notification_email | default('infra-team@company.com') }}"
subject: "Node Decommissioned - {{ inventory_hostname }}"
body: |
Node {{ inventory_hostname }} has been successfully decommissioned.
Backup location: /var/backups/decommission-{{ ansible_date_time.iso8601 }}
Services stopped: {{ application_services | default(['nginx', 'postgresql', 'haproxy']) | join(', ') }}
Configuration exported: {{ export_config }}
Data backed up: {{ backup_data }}
See /var/log/decommission_report_{{ ansible_date_time.iso8601 }}.log for details
when: decommission_notification_email is defined
ignore_errors: true
- name: Update dynamic inventory
include_tasks: tasks/update_inventory.yml
when: cleanup_inventory
- name: Final log entry
lineinfile:
path: "/var/log/decommission.log"
line: "{{ ansible_date_time.iso8601 }} - Decommissioning completed for {{ inventory_hostname }}"
- name: Shutdown node
command: shutdown -h now
async: 10
poll: 0
when: auto_shutdown | default(false) | bool
enterprise-infra-simulator/playbooks/harden.yml
+210
View File
@@ -0,0 +1,210 @@
---
- name: Harden Enterprise Infrastructure Nodes
hosts: all
become: true
gather_facts: true
vars:
cis_level: 1
disable_root_login: true
secure_ssh_config: true
firewall_policy: deny
auditd_enabled: true
selinux_mode: enforcing
apparmor_enabled: true
tasks:
- name: Include CIS hardening tasks
include_tasks: tasks/cis_hardening.yml
- name: Configure SSH hardening
block:
- name: Disable root SSH login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
when: disable_root_login
- name: Disable password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
- name: Set MaxAuthTries
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^MaxAuthTries'
line: 'MaxAuthTries 3'
- name: Disable empty passwords
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
- name: Set ClientAliveInterval
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval'
line: 'ClientAliveInterval 300'
- name: Set ClientAliveCountMax
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: 'ClientAliveCountMax 2'
notify: restart sshd
- name: Configure firewall
ufw:
state: enabled
policy: "{{ firewall_policy }}"
rules:
- rule: allow
port: '22'
proto: tcp
from: 10.0.0.0/8
- rule: allow
port: '22'
proto: tcp
from: 172.16.0.0/12
- rule: allow
port: '22'
proto: tcp
from: 192.168.0.0/16
- name: Disable unnecessary services
service:
name: "{{ item }}"
state: stopped
enabled: no
loop:
- cups
- avahi-daemon
- bluetooth
- nfs-server
- rpcbind
ignore_errors: true
- name: Remove unnecessary packages
apt:
name: "{{ item }}"
state: absent
purge: yes
loop:
- telnet
- rsh-client
- talk
- ntalk
when: ansible_os_family == "Debian"
ignore_errors: true
- name: Configure auditd
block:
- name: Install auditd
apt:
name: auditd
state: present
when: ansible_os_family == "Debian"
- name: Configure audit rules
template:
src: templates/audit.rules.j2
dest: /etc/audit/rules.d/hardening.rules
- name: Enable auditd service
service:
name: auditd
state: started
enabled: yes
when: auditd_enabled
- name: Configure AppArmor
block:
- name: Install apparmor
apt:
name: apparmor
state: present
when: ansible_os_family == "Debian"
- name: Enable apparmor service
service:
name: apparmor
state: started
enabled: yes
when: apparmor_enabled and ansible_os_family == "Debian"
- name: Configure sysctl hardening
sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
state: present
reload: yes
loop:
- { key: 'net.ipv4.ip_forward', value: '0' }
- { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
- { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
- { key: 'net.ipv4.tcp_syncookies', value: '1' }
- { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
- name: Set secure file permissions
file:
path: "{{ item }}"
mode: '0644'
owner: root
group: root
loop:
- /etc/passwd
- /etc/group
- /etc/shadow
- /etc/gshadow
- name: Lock inactive user accounts
command: usermod -L "{{ item }}"
loop: "{{ inactive_users | default([]) }}"
ignore_errors: true
- name: Configure password policies
pam_limits:
domain: '*'
limit_type: hard
limit_item: nofile
value: 1024
- name: Generate hardening report
template:
src: templates/hardening_report.j2
dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
handlers:
- name: restart sshd
service:
name: ssh
state: restarted
- name: restart auditd
service:
name: auditd
state: restarted
when: auditd_enabled
post_tasks:
- name: Run CIS compliance check
command: >
bash -c "
score=0
total=0
echo 'CIS Compliance Check Results:' > /tmp/cis_check.log
# Add CIS checks here
echo 'Overall Score: $score/$total' >> /tmp/cis_check.log
cat /tmp/cis_check.log
"
register: cis_check
changed_when: false
- name: Archive CIS results
copy:
content: "{{ cis_check.stdout }}"
dest: "/var/log/cis_compliance_{{ ansible_date_time.iso8601 }}.log"
enterprise-infra-simulator/playbooks/patch.yml
+139
View File
@@ -0,0 +1,139 @@
---
- name: Apply Security Patches and Updates
hosts: all
become: true
gather_facts: true
vars:
patch_window_start: "02:00"
patch_window_end: "04:00"
reboot_required: false
security_only: true
pre_tasks:
- name: Check patch window
assert:
that: ansible_date_time.hour|int >= patch_window_start.split(':')[0]|int and ansible_date_time.hour|int < patch_window_end.split(':')[0]|int
fail_msg: "Current time {{ ansible_date_time.hour }}:{{ ansible_date_time.minute }} is outside patch window {{ patch_window_start }}-{{ patch_window_end }}"
when: enforce_patch_window | default(true) | bool
- name: Create patch backup
file:
path: "/var/backups/pre-patch-{{ ansible_date_time.iso8601 }}"
state: directory
- name: Backup package list
command: dpkg --get-selections
register: package_backup
changed_when: false
- name: Save package backup
copy:
content: "{{ package_backup.stdout }}"
dest: "/var/backups/pre-patch-{{ ansible_date_time.iso8601 }}/packages.list"
tasks:
- name: Update package cache
apt:
update_cache: yes
cache_valid_time: 300
when: ansible_os_family == "Debian"
- name: Check for available updates
command: apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l
register: updates_available
changed_when: false
when: ansible_os_family == "Debian"
- name: Apply security updates only
apt:
upgrade: dist
update_cache: yes
when: security_only and ansible_os_family == "Debian"
- name: Apply all updates
apt:
upgrade: dist
update_cache: yes
when: not security_only and ansible_os_family == "Debian"
- name: Check if reboot required
stat:
path: /var/run/reboot-required
register: reboot_required_file
when: ansible_os_family == "Debian"
- name: Set reboot flag
set_fact:
reboot_required: "{{ reboot_required_file.stat.exists | default(false) }}"
- name: Restart services after patching
service:
name: "{{ item }}"
state: restarted
loop:
- sshd
- fail2ban
- unattended-upgrades
ignore_errors: true
- name: Update monitoring agent
include_role:
name: monitoring_agent_update
when: "'monitoring' in group_names"
- name: Verify critical services
service:
name: "{{ item }}"
state: started
loop:
- systemd-journald
- systemd-logind
- cron
ignore_errors: true
- name: Run post-patch health checks
uri:
url: http://localhost/health
method: GET
status_code: 200
register: health_result
ignore_errors: true
when: "'webservers' in group_names"
post_tasks:
- name: Generate patch report
template:
src: templates/patch_report.j2
dest: "/var/log/patch_report_{{ ansible_date_time.iso8601 }}.log"
vars:
patch_status: "{{ 'SUCCESS' if health_result.status == 200 else 'WARNING' }}"
updates_applied: "{{ updates_available.stdout | default('0') }}"
reboot_needed: "{{ reboot_required }}"
- name: Send patch notification
mail:
to: "{{ patch_notification_email | default('infra-team@company.com') }}"
subject: "Patch Report - {{ inventory_hostname }}"
body: |
Patch completed for {{ inventory_hostname }}
Updates applied: {{ updates_applied }}
Reboot required: {{ reboot_required }}
Health check: {{ 'PASSED' if health_result.status == 200 else 'FAILED' }}
See /var/log/patch_report_{{ ansible_date_time.iso8601 }}.log for details
when: patch_notification_email is defined
ignore_errors: true
- name: Schedule reboot if required
command: shutdown -r +5 "Rebooting for security patches"
when: reboot_required and auto_reboot | default(false) | bool
async: 600
poll: 0
handlers:
- name: restart monitoring
service:
name: "{{ monitoring_service | default('prometheus-node-exporter') }}"
state: restarted
when: "'monitoring' in group_names"
enterprise-infra-simulator/playbooks/provision.yml
+158
View File
@@ -0,0 +1,158 @@
---
- name: Provision Enterprise Infrastructure Nodes
hosts: all
become: true
gather_facts: true
vars:
node_timezone: "UTC"
admin_user: "infra-admin"
ssh_port: 22
packages:
- curl
- wget
- vim
- htop
- net-tools
- iptables
- fail2ban
- unattended-upgrades
tasks:
- name: Update package cache
apt:
update_cache: yes
cache_valid_time: 3600
when: ansible_os_family == "Debian"
- name: Install base packages
apt:
name: "{{ packages }}"
state: present
when: ansible_os_family == "Debian"
- name: Create admin user
user:
name: "{{ admin_user }}"
groups: sudo
append: yes
create_home: yes
shell: /bin/bash
password: "{{ 'infra-admin-password' | password_hash('sha512') }}"
- name: Configure timezone
timezone:
name: "{{ node_timezone }}"
- name: Configure SSH
block:
- name: Disable root SSH login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
- name: Set SSH port
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Port'
line: "Port {{ ssh_port }}"
- name: Disable password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
- name: Restart SSH service
service:
name: sshd
state: restarted
- name: Configure firewall
ufw:
state: enabled
policy: deny
rules:
- rule: allow
port: "{{ ssh_port }}"
proto: tcp
- rule: allow
port: '80'
proto: tcp
- rule: allow
port: '443'
proto: tcp
- name: Configure fail2ban
template:
src: templates/jail.local.j2
dest: /etc/fail2ban/jail.local
notify: restart fail2ban
- name: Enable unattended upgrades
lineinfile:
path: /etc/apt/apt.conf.d/20auto-upgrades
regexp: '^APT::Periodic::Unattended-Upgrade'
line: 'APT::Periodic::Unattended-Upgrade "1";'
when: ansible_os_family == "Debian"
- name: Create application directories
file:
path: "{{ item }}"
state: directory
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0755'
loop:
- /opt/application
- /var/log/application
- /etc/application
- name: Deploy monitoring agent
include_role:
name: monitoring_agent
when: "'monitoring' in group_names"
- name: Deploy web server
include_role:
name: nginx
when: "'webservers' in group_names"
- name: Deploy database server
include_role:
name: postgresql
when: "'databases' in group_names"
- name: Deploy load balancer
include_role:
name: haproxy
when: "'loadbalancers' in group_names"
- name: Generate provisioning report
template:
src: templates/provisioning_report.j2
dest: /var/log/provisioning_report_{{ ansible_date_time.iso8601 }}.log
delegate_to: localhost
handlers:
- name: restart fail2ban
service:
name: fail2ban
state: restarted
post_tasks:
- name: Verify services
service:
name: "{{ item }}"
state: started
enabled: yes
loop: "{{ services_to_verify | default([]) }}"
ignore_errors: true
- name: Run health checks
uri:
url: http://localhost/health
method: GET
register: health_check
ignore_errors: true
when: "'webservers' in group_names"