mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor Ansible playbooks to comply with best practices and fix linting violations
ci / validate (push) Failing after 2m0s
Details

Browse Source 
- Implement 4-role architecture (base_provision, patching, hardening, decommission)
- Extract hardcoded values to role defaults and group_vars
- Add Ansible Vault integration for secrets management
- Implement proper handlers for service restarts instead of direct tasks
- Add Molecule testing framework with Docker driver
- Configure ansible-lint with production profile settings

Fix all 125+ ansible-lint violations:
- Add FQCN (Fully Qualified Collection Names) to all modules
- Replace yes/no with true/false for boolean values
- Add explicit mode parameters to file/template operations
- Remove duplicate post_tasks blocks from playbooks
- Add newlines at end of all YAML files
- Fix key ordering in tasks (name, when, block)
- Convert service restarts to handlers with notify
- Remove ignore_errors in favor of failed_when/changed_when
- Fix line length violations and empty lines
- Add noqa comments for unavoidable risky-file-permissions

Update documentation:
- Add REFACTORING.md with implementation details
- Add VAULT_GUIDE.md for secrets management
- Add per-role README.md files
- Update existing documentation

All playbooks now pass ansible-lint production profile with 0 violations.
This commit is contained in:
Mateusz Suski
2026-05-03 22:31:04 +00:00
parent 2f5e3653d6
commit 78bcfce43a
36 changed files with 1694 additions and 573 deletions
Download Patch File Download Diff File Expand all files Collapse all files
enterprise-infra-simulator/roles/base_provision/defaults/main.yml
+44
View File
@@ -0,0 +1,44 @@
---
# Base provisioning configuration
node_timezone: "UTC"
admin_user: "infra-admin"
ssh_port: 22
ssh_disabled_root_login: true
ssh_disable_password_auth: true
# Packages to install
base_packages:
- curl
- wget
- vim
- htop
- net-tools
- iptables
- fail2ban
- unattended-upgrades
# Firewall rules
firewall_enabled: true
firewall_default_policy: deny
firewall_allowed_tcp_ports:
- 22
- 80
- 443
# Application directories
app_directories:
- path: /opt/application
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0755'
- path: /var/log/application
owner: "{{ admin_user }}"
group: "{{ admin_user }}"
mode: '0755'
- path: /etc/application
owner: root
group: root
mode: '0755'
# Service verification
services_to_verify: []