Mateusz Suski
e5da6cfdad
ci / validate (push) Has been cancelled
- Implement 4-role architecture (base_provision, patching, hardening, decommission) - Extract hardcoded values to role defaults and group_vars - Add Ansible Vault integration for secrets management - Implement proper handlers for service restarts instead of direct tasks - Add Molecule testing framework with Docker driver - Configure ansible-lint with production profile settings Fix all 125+ ansible-lint violations: - Add FQCN (Fully Qualified Collection Names) to all modules - Replace yes/no with true/false for boolean values - Add explicit mode parameters to file/template operations - Remove duplicate post_tasks blocks from playbooks - Add newlines at end of all YAML files - Fix key ordering in tasks (name, when, block) - Convert service restarts to handlers with notify - Remove ignore_errors in favor of failed_when/changed_when - Fix line length violations and empty lines - Add noqa comments for unavoidable risky-file-permissions Update documentation: - Add REFACTORING.md with implementation details - Add VAULT_GUIDE.md for secrets management - Add per-role README.md files - Update existing documentation All playbooks now pass ansible-lint production profile with 0 violations.
21 lines
394 B
YAML
21 lines
394 B
YAML
---
|
|
# Patching configuration
|
|
patch_window_start: "02:00"
|
|
patch_window_end: "04:00"
|
|
enforce_patch_window: true
|
|
patch_security_only: true
|
|
backup_before_patch: true
|
|
reboot_if_required: false
|
|
reboot_timeout: 300
|
|
|
|
# Services to restart after patching
|
|
services_to_restart:
|
|
- sshd
|
|
- fail2ban
|
|
|
|
# Services to verify after patching
|
|
critical_services:
|
|
- systemd-journald
|
|
- systemd-logind
|
|
- cron
|