Refactor Ansible playbooks to comply with best practices and fix linting violations

- Implement 4-role architecture (base_provision, patching, hardening, decommission)
- Extract hardcoded values to role defaults and group_vars
- Add Ansible Vault integration for secrets management
- Implement proper handlers for service restarts instead of direct tasks
- Add Molecule testing framework with Docker driver
- Configure ansible-lint with production profile settings

Fix all 125+ ansible-lint violations:
- Add FQCN (Fully Qualified Collection Names) to all modules
- Replace yes/no with true/false for boolean values
- Add explicit mode parameters to file/template operations
- Remove duplicate post_tasks blocks from playbooks
- Add newlines at end of all YAML files
- Fix key ordering in tasks (name, when, block)
- Convert service restarts to handlers with notify
- Remove ignore_errors in favor of failed_when/changed_when
- Fix line length violations and empty lines
- Add noqa comments for unavoidable risky-file-permissions

Update documentation:
- Add REFACTORING.md with implementation details
- Add VAULT_GUIDE.md for secrets management
- Add per-role README.md files
- Update existing documentation

All playbooks now pass ansible-lint production profile with 0 violations.

enterprise-infra-simulator/group_vars/all.yml

@@ -0,0 +1,20 @@
+---
+# Group variables for all hosts
+
+# SSH Configuration
+ssh_config:
+  port: 22
+  max_auth_tries: 3
+  alive_interval: 300
+
+# Firewall defaults
+firewall_enabled: true
+firewall_default_policy: deny
+
+# Patching defaults
+patch_enabled: true
+enforce_patch_window: true
+
+# Services monitoring
+enable_monitoring: false
+enable_health_checks: true

enterprise-infra-simulator/group_vars/databases.yml

@@ -0,0 +1,9 @@
+---
+# Database servers group configuration
+db_type: postgresql
+db_port: 5432
+db_backup_enabled: true
+db_backup_path: /var/backups/database
+
+# Database user (use vault for production)
+db_admin_user: postgres

enterprise-infra-simulator/group_vars/loadbalancers.yml

@@ -0,0 +1,10 @@
+---
+# Load balancers group configuration
+lb_type: haproxy
+lb_port: 443
+lb_stats_port: 8404
+lb_stats_enabled: true
+
+# Frontend configuration
+frontend_host: "0.0.0.0"
+frontend_port: 80

enterprise-infra-simulator/group_vars/monitoring.yml

@@ -0,0 +1,10 @@
+---
+# Monitoring servers group configuration
+monitoring_type: prometheus
+monitoring_port: 9090
+monitoring_retention: 30d
+monitoring_scrape_interval: 15s
+
+# Grafana configuration
+grafana_port: 3000
+grafana_admin_password: "{{ vault_grafana_password }}"

enterprise-infra-simulator/group_vars/vault.yml

@@ -0,0 +1,9 @@
+---
+# Vault variables for sensitive data
+# NOTE: This file should be encrypted with: ansible-vault encrypt group_vars/vault.yml
+# Run: ansible-playbook --ask-vault-pass playbooks/provision.yml
+
+vault_admin_password: "{{ admin_password }}"
+vault_db_password: "{{ db_root_password }}"
+vault_grafana_password: "{{ grafana_admin_password }}"
+vault_ssh_key_passphrase: "{{ ssh_key_passphrase }}"

enterprise-infra-simulator/group_vars/webservers.yml

@@ -0,0 +1,11 @@
+---
+# Webservers group configuration
+webserver_type: nginx
+http_port: 80
+https_port: 443
+health_check_path: /health
+
+# Application configuration
+app_name: "{{ group_names[0] | default('app') }}"
+app_user: "{{ admin_user }}"
+app_group: "{{ admin_user }}"