# Enterprise Infrastructure Simulator - Refactored

Refactored enterprise infrastructure automation using Ansible best practices.

## Structure

```
playbooks/                 # Main playbooks
├── provision.yml          # Provision infrastructure nodes
├── patch.yml              # Apply security patches
├── hardening.yml          # Harden infrastructure
└── decommission.yml       # Decommission nodes

roles/                     # Reusable Ansible roles
├── base_provision/        # Base OS provisioning
├── patching/              # Patch management
├── hardening/             # Security hardening
└── decommission/          # Node decommissioning

group_vars/                # Group-level variables
├── all.yml                # All hosts
├── webservers.yml         # Web servers
├── databases.yml          # Database servers
├── loadbalancers.yml
├── monitoring.yml
└── vault.yml              # Encrypted secrets (Vault)

molecule/default/          # Testing with Molecule
├── molecule.yml           # Molecule config
├── converge.yml           # Test playbook
└── verify.yml             # Test verification
```

## Best Practices Implemented

### ✅ Idempotency

- All tasks use `changed_when` and `failed_when` for proper state detection
- Command modules replaced with native Ansible modules where possible
- Shell tasks include `changed_when: false` when appropriate

### ✅ Roles + Structure

- Clean role separation: `base_provision`, `patching`, `hardening`, `decommission`
- Each role has: `tasks/`, `handlers/`, `defaults/`, `templates/`, `README.md`
- Proper namespacing prevents variable conflicts

### ✅ No Hardcoding

- All variables in `defaults/main.yml` or `group_vars/`
- No hardcoded values in playbooks
- Configurable through `group_vars` for different environments

### ✅ Handlers Instead of Restarts

- SSH restart via handler (triggered only on config change)
- fail2ban restart via handler
- Services not restarted unnecessarily

### ✅ Vault for Secrets

- Secrets go in `group_vars/vault.yml` (encrypted with Ansible Vault)
- Admin passwords not in plaintext
- Database credentials managed via Vault

### ✅ ansible-lint

- `.ansible-lint` configuration included
- Rules configured for project standards
- Run: `ansible-lint playbooks/ roles/`

### ✅ Molecule

- Docker-based testing in `molecule/default/`
- Test convergence and verification
- Run: `molecule test`

## Usage

### Run Provisioning

```bash
ansible-playbook playbooks/provision.yml -i inventory/hosts.ini
```

### Run Patching

```bash
ansible-playbook playbooks/patch.yml -i inventory/hosts.ini --ask-vault-pass
```

### Run Hardening

```bash
ansible-playbook playbooks/hardening.yml -i inventory/hosts.ini --ask-vault-pass
```

### Run Decommissioning

```bash
ansible-playbook playbooks/decommission.yml -i inventory/hosts.ini --ask-vault-pass
```

## Vault Management

### Create Vault Password File

```bash
echo "your-secure-password" > ~/.vault_pass.txt
chmod 600 ~/.vault_pass.txt
```

### Encrypt Secrets

```bash
ansible-vault encrypt group_vars/vault.yml --vault-password-file ~/.vault_pass.txt
```

### Edit Encrypted Vault

```bash
ansible-vault edit group_vars/vault.yml --vault-password-file ~/.vault_pass.txt
```

### Run with Vault

```bash
ansible-playbook playbooks/provision.yml \
  --vault-password-file ~/.vault_pass.txt \
  -i inventory/hosts.ini
```

## Linting

### Run ansible-lint

```bash
ansible-lint playbooks/ roles/
```

### Fix Issues

```bash
ansible-lint playbooks/ roles/ --fix
```

## Testing with Molecule

### Run All Tests

```bash
cd enterprise-infra-simulator
molecule test
```

### Run Specific Scenarios

```bash
molecule converge   # Apply roles
molecule verify     # Verify results
molecule destroy    # Cleanup
```

## Role Documentation

Each role has a detailed README:

- [base_provision/README.md](roles/base_provision/README.md)
- [patching/README.md](roles/patching/README.md)
- [hardening/README.md](roles/hardening/README.md)
- [decommission/README.md](roles/decommission/README.md)

## Group Variables

- `group_vars/all.yml` - Global configuration
- `group_vars/webservers.yml` - Web server config
- `group_vars/databases.yml` - Database config
- `group_vars/loadbalancers.yml` - Load balancer config
- `group_vars/monitoring.yml` - Monitoring config
- `group_vars/vault.yml` - Encrypted secrets

## Tags

Use tags to run specific parts:

```bash
ansible-playbook playbooks/provision.yml --tags base,provision
ansible-playbook playbooks/hardening.yml --tags security,hardening
```

## Error Handling

- Proper use of `failed_when` for critical failures
- Strategic use of `ignore_errors` only for optional operations
- Comprehensive assertion checks for prerequisites

## Security

- Passwords stored in encrypted Vault
- SSH key-based authentication
- Firewall configured with deny-by-default policy
- SELinux/AppArmor support
- CIS hardening levels 1-2

## Monitoring

- Health checks included in playbooks
- Service verification after operations
- Detailed logging to `/var/log/`
- Report generation for audit trails

## Support

For issues or questions about the roles, see individual role README files.
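The Vault convention above only protects secrets if `group_vars/vault.yml` is actually encrypted before it is committed. The following pre-commit style check is an added example, not part of this project; it assumes every file named `vault.yml` under the tree must carry the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes, and flags any that do not.

```shell
#!/bin/sh
# Added example (not project code): refuse plaintext vault.yml files.
# Assumption: all files named vault.yml are expected to be Ansible Vault encrypted.

# Return 0 if the first line is an Ansible Vault header (format 1.1 or 1.2 with a
# vault id), 1 if the file is unreadable or plaintext.
vault_is_encrypted() {
    file="$1"
    [ -r "$file" ] || return 1
    head -n 1 "$file" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Walk a directory tree; report every plaintext vault.yml on stderr and return 1
# if at least one was found, 0 if all vault files are encrypted.
check_vault_files() {
    root="$1"
    rc=0
    for f in $(find "$root" -type f -name 'vault.yml'); do
        if ! vault_is_encrypted "$f"; then
            echo "UNENCRYPTED vault file: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: ./check_vault.sh group_vars/   (exit status 1 blocks the commit)
if [ "$#" -gt 0 ]; then
    check_vault_files "$1"
fi
```

Wire it into a git pre-commit hook so a `vault.yml` that was decrypted for editing cannot land in history in plaintext.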