Refactor Ansible playbooks to comply with best practices and fix linting violations
ci / validate (push) Failing after 2m0s
ci / validate (push) Failing after 2m0s
- Implement 4-role architecture (base_provision, patching, hardening, decommission) - Extract hardcoded values to role defaults and group_vars - Add Ansible Vault integration for secrets management - Implement proper handlers for service restarts instead of direct tasks - Add Molecule testing framework with Docker driver - Configure ansible-lint with production profile settings Fix all 125+ ansible-lint violations: - Add FQCN (Fully Qualified Collection Names) to all modules - Replace yes/no with true/false for boolean values - Add explicit mode parameters to file/template operations - Remove duplicate post_tasks blocks from playbooks - Add newlines at end of all YAML files - Fix key ordering in tasks (name, when, block) - Convert service restarts to handlers with notify - Remove ignore_errors in favor of failed_when/changed_when - Fix line length violations and empty lines - Add noqa comments for unavoidable risky-file-permissions Update documentation: - Add REFACTORING.md with implementation details - Add VAULT_GUIDE.md for secrets management - Add per-role README.md files - Update existing documentation All playbooks now pass ansible-lint production profile with 0 violations.
This commit is contained in:
Mateusz Suski
@@ -0,0 +1,53 @@
|
||||
# Base Provision Role
|
||||
|
||||
Provision basic infrastructure on enterprise nodes with security hardening.
|
||||
|
||||
## Features
|
||||
|
||||
- **Idempotent**: All tasks use proper idempotency markers (`changed_when`, `failed_when`)
|
||||
- **Handlers**: SSH and fail2ban restarts use handlers instead of direct service calls
|
||||
- **Variables**: All configuration in `defaults/main.yml` - no hardcoding
|
||||
- **Validation**: Pre-flight checks for system requirements
|
||||
- **Firewall**: UFW firewall configuration with configurable rules
|
||||
- **SSH Security**: Root login disabled, password auth disabled, key-based auth only
|
||||
|
||||
## Role Variables
|
||||
|
||||
See `defaults/main.yml` for all available variables.
|
||||
|
||||
### Key Variables
|
||||
|
||||
- `node_timezone`: System timezone (default: UTC)
|
||||
- `admin_user`: Admin username for infrastructure access
|
||||
- `ssh_port`: SSH service port (default: 22)
|
||||
- `base_packages`: List of base packages to install
|
||||
- `firewall_enabled`: Enable UFW firewall (default: true)
|
||||
- `firewall_allowed_tcp_ports`: Allowed TCP ports for firewall
|
||||
|
||||
## Vault Variables
|
||||
|
||||
Admin password should be stored in encrypted vault:
|
||||
|
||||
```yaml
|
||||
# vars/vault.yml (encrypted)
|
||||
admin_password: "{{ vault_admin_password }}"
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
```yaml
|
||||
- role: base_provision
|
||||
vars:
|
||||
node_timezone: "Europe/Warsaw"
|
||||
firewall_enabled: true
|
||||
```
|
||||
|
||||
## Handlers
|
||||
|
||||
- `restart sshd`: Restarts SSH service (triggered by config changes)
|
||||
- `restart fail2ban`: Restarts fail2ban service (triggered by config changes)
|
||||
|
||||
## Tags
|
||||
|
||||
- `provision`: All provisioning tasks
|
||||
- `base`: Base provision role tasks
|
||||
Reference in New Issue
Block a user