Files
portfolio/enterprise-infra-simulator/roles/base_provision/README.md
T
Mateusz Suski e5da6cfdad
ci / validate (push) Has been cancelled
Refactor Ansible playbooks to comply with best practices and fix linting violations
- Implement 4-role architecture (base_provision, patching, hardening, decommission)
- Extract hardcoded values to role defaults and group_vars
- Add Ansible Vault integration for secrets management
- Implement proper handlers for service restarts instead of direct tasks
- Add Molecule testing framework with Docker driver
- Configure ansible-lint with production profile settings

Fix all 125+ ansible-lint violations:
- Add FQCN (Fully Qualified Collection Names) to all modules
- Replace yes/no with true/false for boolean values
- Add explicit mode parameters to file/template operations
- Remove duplicate post_tasks blocks from playbooks
- Add newlines at end of all YAML files
- Fix key ordering in tasks (name, when, block)
- Convert service restarts to handlers with notify
- Remove ignore_errors in favor of failed_when/changed_when
- Fix line length violations and empty lines
- Add noqa comments for unavoidable risky-file-permissions

Update documentation:
- Add REFACTORING.md with implementation details
- Add VAULT_GUIDE.md for secrets management
- Add per-role README.md files
- Update existing documentation

All playbooks now pass ansible-lint production profile with 0 violations.
2026-05-03 22:31:04 +00:00

1.5 KiB

Base Provision Role

Provision basic infrastructure on enterprise nodes with security hardening.

Features

  • Idempotent: All tasks use proper idempotency markers (changed_when, failed_when)
  • Handlers: SSH and fail2ban restarts use handlers instead of direct service calls
  • Variables: All configuration in defaults/main.yml - no hardcoding
  • Validation: Pre-flight checks for system requirements
  • Firewall: UFW firewall configuration with configurable rules
  • SSH Security: Root login disabled, password auth disabled, key-based auth only

Role Variables

See defaults/main.yml for all available variables.

Key Variables

  • node_timezone: System timezone (default: UTC)
  • admin_user: Admin username for infrastructure access
  • ssh_port: SSH service port (default: 22)
  • base_packages: List of base packages to install
  • firewall_enabled: Enable UFW firewall (default: true)
  • firewall_allowed_tcp_ports: Allowed TCP ports for firewall

Vault Variables

Admin password should be stored in encrypted vault:

# vars/vault.yml (encrypted)
admin_password: "{{ vault_admin_password }}"

Usage

- role: base_provision
  vars:
    node_timezone: "Europe/Warsaw"
    firewall_enabled: true

Handlers

  • restart sshd: Restarts SSH service (triggered by config changes)
  • restart fail2ban: Restarts fail2ban service (triggered by config changes)

Tags

  • provision: All provisioning tasks
  • base: Base provision role tasks