Mateusz Suski
35e6b139fc
ci / validate (push) Failing after 1m8s
Rework portfolio around Linux operations, Zabbix monitoring, migration validation, and ELK/Grafana log observability. Add AAP-style LVM resize workflow, Zabbix server/proxy/agent automation assets, Linux/AIX monitoring templates, and updated validation CI.
139 lines
3.5 KiB
YAML
139 lines
3.5 KiB
YAML
---
|
|
- name: Validate system requirements
|
|
ansible.builtin.assert:
|
|
that:
|
|
- ansible_os_family == "Debian"
|
|
- ansible_python_version is version('3.6', '>=')
|
|
fail_msg: "Unsupported system - requires Debian and Python 3.6+"
|
|
|
|
- name: Update package cache
|
|
ansible.builtin.apt:
|
|
update_cache: true
|
|
cache_valid_time: 3600
|
|
changed_when: false
|
|
|
|
- name: Install base packages
|
|
ansible.builtin.apt:
|
|
name: "{{ base_packages }}"
|
|
state: present
|
|
update_cache: true
|
|
|
|
- name: Check if admin user exists
|
|
ansible.builtin.getent:
|
|
database: passwd
|
|
key: "{{ admin_user }}"
|
|
register: admin_check
|
|
failed_when: false
|
|
changed_when: false
|
|
|
|
- name: Create admin user
|
|
ansible.builtin.user:
|
|
name: "{{ admin_user }}"
|
|
groups: sudo
|
|
append: true
|
|
create_home: true
|
|
shell: /bin/bash
|
|
when: admin_check.failed
|
|
|
|
- name: Configure timezone
|
|
community.general.timezone:
|
|
name: "{{ node_timezone }}"
|
|
|
|
- name: Configure SSH security
|
|
block:
|
|
- name: Disable root SSH login
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin'
|
|
line: 'PermitRootLogin no'
|
|
state: present
|
|
when: ssh_disabled_root_login
|
|
notify: restart sshd
|
|
|
|
- name: Set SSH port
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^Port'
|
|
line: "Port {{ ssh_port }}"
|
|
state: present
|
|
notify: restart sshd
|
|
|
|
- name: Disable password authentication
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PasswordAuthentication'
|
|
line: 'PasswordAuthentication no'
|
|
state: present
|
|
when: ssh_disable_password_auth
|
|
notify: restart sshd
|
|
|
|
- name: Configure firewall
|
|
block:
|
|
- name: Enable UFW firewall
|
|
community.general.ufw:
|
|
state: enabled
|
|
policy: "{{ firewall_default_policy }}"
|
|
when: firewall_enabled
|
|
|
|
- name: Allow SSH access
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ ssh_port }}"
|
|
proto: tcp
|
|
when: firewall_enabled
|
|
|
|
- name: Allow HTTP/HTTPS
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ item }}"
|
|
proto: tcp
|
|
loop: "{{ firewall_allowed_tcp_ports }}"
|
|
when: firewall_enabled and item not in [ssh_port]
|
|
|
|
- name: Configure fail2ban
|
|
ansible.builtin.template:
|
|
src: jail.local.j2
|
|
dest: /etc/fail2ban/jail.local
|
|
backup: true
|
|
mode: '0644'
|
|
notify: restart fail2ban
|
|
|
|
- name: Enable unattended upgrades
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/apt/apt.conf.d/20auto-upgrades
|
|
regexp: '^APT::Periodic::Unattended-Upgrade'
|
|
line: 'APT::Periodic::Unattended-Upgrade "1";'
|
|
state: present
|
|
|
|
- name: Create application directories
|
|
ansible.builtin.file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
owner: "{{ item.owner }}"
|
|
group: "{{ item.group }}"
|
|
mode: "{{ item.mode }}"
|
|
loop: "{{ app_directories }}"
|
|
|
|
- name: Record role-specific service intent
|
|
ansible.builtin.debug:
|
|
msg: "Would configure {{ node_type | default('generic') }} service components in a full lab deployment"
|
|
|
|
- name: Verify services are running
|
|
ansible.builtin.service:
|
|
name: "{{ item }}"
|
|
state: started
|
|
enabled: true
|
|
loop: "{{ services_to_verify }}"
|
|
when: services_to_verify | length > 0
|
|
failed_when: false
|
|
|
|
- name: Run health checks
|
|
ansible.builtin.uri:
|
|
url: http://localhost/health
|
|
method: GET
|
|
status_code: 200
|
|
register: health_check
|
|
failed_when: false
|
|
ignore_errors: true
|
|
when: "'webservers' in group_names"
|