mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c4e11927f30ab113f1f44257b31bc89a5cd11de
portfolio/enterprise-infra-simulator/roles/patching/README.md
T
Mateusz Suski 78bcfce43a
ci / validate (push) Failing after 2m0s
Details
Refactor Ansible playbooks to comply with best practices and fix linting violations 
- Implement 4-role architecture (base_provision, patching, hardening, decommission)
- Extract hardcoded values to role defaults and group_vars
- Add Ansible Vault integration for secrets management
- Implement proper handlers for service restarts instead of direct tasks
- Add Molecule testing framework with Docker driver
- Configure ansible-lint with production profile settings

Fix all 125+ ansible-lint violations:
- Add FQCN (Fully Qualified Collection Names) to all modules
- Replace yes/no with true/false for boolean values
- Add explicit mode parameters to file/template operations
- Remove duplicate post_tasks blocks from playbooks
- Add newlines at end of all YAML files
- Fix key ordering in tasks (name, when, block)
- Convert service restarts to handlers with notify
- Remove ignore_errors in favor of failed_when/changed_when
- Fix line length violations and empty lines
- Add noqa comments for unavoidable risky-file-permissions

Update documentation:
- Add REFACTORING.md with implementation details
- Add VAULT_GUIDE.md for secrets management
- Add per-role README.md files
- Update existing documentation

All playbooks now pass ansible-lint production profile with 0 violations.
2026-05-04 09:13:25 +00:00

1.4 KiB
Raw Blame History

Patching Role

Apply security patches and OS updates to enterprise infrastructure nodes.

Features

  • Idempotent: Properly checks for changes with changed_when
  • Patch Window: Optional enforcement of patch time windows
  • Pre-patch Backup: Backs up package list before patching
  • Smart Reboot: Automatically detects if reboot is required
  • Service Restart: Restarts only necessary services after patching
  • Health Checks: Verifies services and runs health endpoint checks

Role Variables

See defaults/main.yml for all available variables.

Key Variables

  • patch_window_start: Patch window start time (default: 02:00)
  • patch_window_end: Patch window end time (default: 04:00)
  • enforce_patch_window: Enforce patch time window (default: true)
  • patch_security_only: Apply security updates only (default: true)
  • backup_before_patch: Create backup before patching (default: true)
  • reboot_if_required: Auto-reboot if required (default: false)
  • services_to_restart: Services to restart after patching
  • critical_services: Critical services to verify after patching

Usage

- role: patching
  vars:
    patch_security_only: true
    enforce_patch_window: false
    reboot_if_required: true

Report

Patch report is generated at: /var/log/patch_report_<timestamp>.log

Backup Location

Pre-patch backups saved to: /var/backups/pre-patch-<timestamp>/

Reference in New Issue View Git Blame Copy Permalink