ansible/infra-automation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrate to git submodules for inventories and secrets

Browse Source 
🔄 Repository Restructure - CLAUDE.md Compliance

Changes:
- Converted inventories/ to git submodule (PUBLIC)
- Updated secrets submodule reference
- Removed old inventory files from main repository
- Added ansible-inventories submodule

Submodules:
1. inventories → ssh://git@git.mymx.me:2222/ansible/ansible-inventories.git
   - PUBLIC repository
   - Dynamic libvirt inventory
   - Environment-specific configurations

2. secrets → ssh://git@git.mymx.me:2222/ansible/secrets.git
   - PRIVATE repository
   - SSH keys and vault files
   - Security-sensitive data

Benefits:
-  Separate version control for inventories
-  Separate version control for secrets (private)
-  Cleaner main repository structure
-  Follows CLAUDE.md guidelines
-  Improved security separation
-  Independent update cycles

Compliance:
- CLAUDE.md: inventories in public repository 
- CLAUDE.md: secrets in private repository 
- No secrets in main repository 
- Dynamic inventory only 

Usage:
  # Clone with submodules
  git clone --recurse-submodules <url>

  # Update submodules
  git submodule update --remote

  # Work with inventories
  cd inventories && git pull origin master

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
ansible
2025-11-11 14:43:15 +01:00
parent 22b756a3e0
commit be33603856
21 changed files with 5 additions and 1358 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored
View File

@@ -1,3 +1,6 @@
[submodule "secrets"]
path = secrets
url = ssh://git@git.mymx.me:2222/ansible/secrets.git
[submodule "inventories"]
path = inventories
url = ssh://git@git.mymx.me:2222/ansible/ansible-inventories.git

1
inventories Submodule

Submodule inventories added at ebe29b698f

87
inventories/development/group_vars/all.yml
View File

@@ -1,87 +0,0 @@
---
# =============================================================================
# Global Variables for All Hosts
# =============================================================================
# Applied to all hosts in the development inventory
# =============================================================================
# Ansible Connection Settings
# -----------------------------------------------------------------------------
ansible_connection: ssh
ansible_python_interpreter: /usr/bin/python3
# SSH Connection Optimization
ansible_ssh_pipelining: true
ansible_ssh_retries: 3
# Privilege Escalation
ansible_become: true
ansible_become_method: sudo
ansible_become_user: root
# Fact Gathering
gather_subset:
- '!all'
- '!min'
- network
- hardware
- virtual
# Environment
# -----------------------------------------------------------------------------
environment: development
environment_name: development # Deprecated - use 'environment'
deployment_timestamp: "{{ ansible_date_time.iso8601 }}"
# Security Settings
# -----------------------------------------------------------------------------
security_hardening_enabled: false # Less strict for dev environment
selinux_enabled: true
selinux_mode: permissive # Permissive for development
firewall_enabled: true
# System Configuration
# -----------------------------------------------------------------------------
timezone: "UTC"
ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
# Package Management
# -----------------------------------------------------------------------------
package_state: present
enable_automatic_updates: false # Manual control in dev
# Monitoring & Logging
# -----------------------------------------------------------------------------
log_rotation_enabled: true
log_retention_days: 30
syslog_server: null # No central logging in dev
# Essential Packages (from CLAUDE.md)
# -----------------------------------------------------------------------------
essential_packages:
- vim
- htop
- tmux
- jq
- bc
- curl
- wget
- rsync
- git
- python3
- python3-pip
# Security Packages (from CLAUDE.md)
# -----------------------------------------------------------------------------
security_packages:
- aide
- auditd
# Development Flags
# -----------------------------------------------------------------------------
dev_mode: true
debug_enabled: false
verbose_logging: false

55
inventories/development/group_vars/all/vault.yml.example
View File

@@ -1,55 +0,0 @@
---
# =============================================================================
# Development Environment - Encrypted Secrets (EXAMPLE)
# =============================================================================
#
# This is an EXAMPLE vault file. To use:
#
# 1. Copy this file to vault.yml:
# cp vault.yml.example vault.yml
#
# 2. Fill in actual values (can use simple passwords for dev)
#
# 3. Encrypt with ansible-vault:
# ansible-vault encrypt inventories/development/group_vars/all/vault.yml
#
# NOTE: Development environment can use simpler credentials
#
# =============================================================================
# -----------------------------------------------------------------------------
# User Credentials
# -----------------------------------------------------------------------------
vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"
vault_root_password: "dev_root_password"
vault_ansible_become_password: "dev_sudo_password"
# -----------------------------------------------------------------------------
# API Tokens (Development)
# -----------------------------------------------------------------------------
vault_aws_access_key_id: "dev_aws_access_key"
vault_aws_secret_access_key: "dev_aws_secret_key"
vault_gitea_username: "ansible@mymx.me"
vault_gitea_password: "79,;,metOND"
vault_mailcow_username: "ansible@mymx.me"
vault_mailcow_password: "79,;,metOND"
# -----------------------------------------------------------------------------
# Database Credentials (Development)
# -----------------------------------------------------------------------------
vault_mysql_root_password: "dev_mysql_root"
vault_postgresql_postgres_password: "dev_postgres"
vault_mongodb_admin_password: "dev_mongo"
vault_redis_password: "dev_redis"
# -----------------------------------------------------------------------------
# Application Secrets (Development)
# -----------------------------------------------------------------------------
vault_app_secret_key: "dev_app_secret_key_changeme"
vault_app_api_key: "dev_api_key"

84
inventories/development/group_vars/hypervisors.yml
View File

@@ -1,84 +0,0 @@
---
# =============================================================================
# Hypervisors Group Variables
# =============================================================================
# Configuration for KVM/QEMU hypervisor hosts
# =============================================================================
# Virtualization Platform
# -----------------------------------------------------------------------------
virtualization_type: kvm
virtualization_role: host
hypervisor_vendor: qemu
libvirt_version: "11.3.0"
qemu_version: "8.0+"
# Libvirt Configuration
# -----------------------------------------------------------------------------
libvirt_uri: "qemu:///system"
libvirt_socket: "/var/run/libvirt/libvirt-sock"
libvirt_daemon_enabled: true
libvirt_autostart: true
# Network Configuration
# -----------------------------------------------------------------------------
libvirt_networks:
- name: default
bridge: virbr0
subnet: "192.168.122.0/24"
dhcp_enabled: true
dhcp_range_start: "192.168.122.2"
dhcp_range_end: "192.168.122.254"
autostart: true
# Storage Pools
# -----------------------------------------------------------------------------
libvirt_storage_pools:
- name: default
type: dir
path: /var/lib/libvirt/images
autostart: true
# VM Management
# -----------------------------------------------------------------------------
vm_management_tool: virsh
vm_console_access: true
vm_serial_console_enabled: true
# SSH Configuration
# -----------------------------------------------------------------------------
ansible_ssh_extra_args: '-o ForwardAgent=yes'
# Resource Allocation
# -----------------------------------------------------------------------------
max_vms: 10
cpu_overcommit_ratio: 2
memory_overcommit_ratio: 1.5
# Monitoring
# -----------------------------------------------------------------------------
monitor_vm_performance: true
monitor_host_resources: true
alert_on_high_load: true
# Security
# -----------------------------------------------------------------------------
selinux_enabled: true
selinux_mode: enforcing
firewalld_enabled: true
firewalld_default_zone: public
# Required Hypervisor Packages
# -----------------------------------------------------------------------------
hypervisor_packages:
- qemu-kvm
- libvirt-daemon
- libvirt-daemon-system
- libvirt-clients
- bridge-utils
- virt-manager
- virt-viewer
- guestfs-tools
- libguestfs-tools
- python3-libvirt
- virtinst

101
inventories/development/group_vars/kvm_guests.yml
View File

@@ -1,101 +0,0 @@
---
# =============================================================================
# KVM Guest VMs Group Variables
# =============================================================================
# Common configuration for all KVM guest virtual machines
# =============================================================================
# VM Platform Details
# -----------------------------------------------------------------------------
virtualization_type: kvm
virtualization_role: guest
hypervisor_host: grokbox
management_interface: libvirt
# Network Configuration
# -----------------------------------------------------------------------------
vm_network_type: nat
vm_network_bridge: virbr0
vm_network_subnet: "192.168.122.0/24"
vm_gateway: "192.168.122.1"
# SSH & Connectivity
# -----------------------------------------------------------------------------
# Force SSH connection (override libvirt_qemu from dynamic inventory)
ansible_connection: ssh
ansible_user: ansible
ansible_become_password: null # Passwordless sudo configured
# Connection via ProxyJump through hypervisor
ansible_ssh_common_args: >-
-o ProxyJump=grokbox
-o StrictHostKeyChecking=accept-new
-o ServerAliveInterval=45
-o ServerAliveCountMax=3
-o ControlMaster=auto
-o ControlPersist=600s
# Storage Configuration (LVM - per CLAUDE.md)
# -----------------------------------------------------------------------------
lvm_enabled: true
lvm_vg_name: vg_system
lvm_pvs:
- /dev/vda2
lvm_lvs:
- name: lv_root
size: 8G
mount_point: /
fstype: ext4
- name: lv_boot
size: 2G
mount_point: /boot
fstype: ext4
- name: lv_opt
size: 3G
mount_point: /opt
fstype: ext4
- name: lv_tmp
size: 1G
mount_point: /tmp
fstype: ext4
mount_options: noexec,nosuid,nodev
- name: lv_home
size: 2G
mount_point: /home
fstype: ext4
- name: lv_var_log
size: 2G
mount_point: /var/log
fstype: ext4
- name: lv_var_audit
size: 1G
mount_point: /var/log/audit
fstype: ext4
- name: lv_swap
size: 1G
fstype: swap
# Resource Monitoring Thresholds
# -----------------------------------------------------------------------------
disk_usage_warning_threshold: 80
disk_usage_critical_threshold: 90
memory_warning_threshold: 85
memory_critical_threshold: 95
cpu_warning_threshold: 80
# Backup Configuration
# -----------------------------------------------------------------------------
backup_enabled: false # Development environment
snapshot_enabled: true
snapshot_retention_days: 7
# VM Lifecycle
# -----------------------------------------------------------------------------
vm_autostart: true
vm_shutdown_timeout: 300 # seconds
# Cloud-init Configuration
# -----------------------------------------------------------------------------
cloud_init_enabled: true
cloud_init_datasource: NoCloud

4
inventories/development/host_vars/derp.yml
View File

@@ -1,4 +0,0 @@
---
# Override libvirt connection with SSH
ansible_connection: ssh
ansible_host: 192.168.122.99

4
inventories/development/host_vars/mymx.yml
View File

@@ -1,4 +0,0 @@
---
# Override libvirt connection with SSH
ansible_connection: ssh
ansible_host: 192.168.122.119

4
inventories/development/host_vars/pihole.yml
View File

@@ -1,4 +0,0 @@
---
# Override libvirt connection with SSH
ansible_connection: ssh
ansible_host: 192.168.122.12

60
inventories/development/libvirt_kvm.yml
View File

@@ -1,60 +0,0 @@
---
# =============================================================================
# Libvirt/KVM Dynamic Inventory Configuration
# =============================================================================
# Configuration for community.libvirt.libvirt dynamic inventory plugin
# Documentation: ansible-doc -t inventory community.libvirt.libvirt
# =============================================================================
plugin: community.libvirt.libvirt
# Hypervisor Connection
# -----------------------------------------------------------------------------
# URI to connect to libvirt hypervisor
# Remote SSH connection to grokbox hypervisor
uri: 'qemu+ssh://grok@grok.home.serneels.xyz/system'
# Inventory Hostname Format
# -----------------------------------------------------------------------------
# How to register VMs as inventory hostnames
# Options: 'name' (use VM name) or 'uuid' (use UUID)
inventory_hostname: name
# Grouping Configuration
# -----------------------------------------------------------------------------
# Automatically create groups based on VM characteristics
compose:
# Extract IP address from guest_info interface data
ansible_host: >-
guest_info['if.1.addr.0.addr'] if 'if.1.addr.0.addr' in guest_info else
(guest_info['if.0.addr.0.addr'] if 'if.0.addr.0.addr' in guest_info and guest_info['if.0.addr.0.addr'] != '127.0.0.1' else omit)
groups:
# Group by VM state (from info dict)
running_vms: info.state == 'running'
stopped_vms: info.state != 'running'
# Group by resource allocation (convert KB to MB)
small_vms: (info.memory_kb | int / 1024) <= 2048
medium_vms: (info.memory_kb | int / 1024) > 2048 and (info.memory_kb | int / 1024) <= 8192
large_vms: (info.memory_kb | int / 1024) > 8192
# Group all discovered VMs as kvm_guests
kvm_guests: true
# Keyed Groups
# -----------------------------------------------------------------------------
# Create dynamic groups based on host variables
keyed_groups:
- key: info.state
prefix: state
separator: "_"
- key: guest_info['os.id'] | default('unknown')
prefix: os
separator: "_"
# Filters
# -----------------------------------------------------------------------------
# Set strict mode for error handling
strict: false

97
inventories/production/README.md
View File

@@ -1,97 +0,0 @@
# Production Inventory
This directory contains dynamic inventory configurations for the production environment.
## Available Inventory Sources
### 1. Libvirt/KVM Dynamic Inventory (Active)
**File**: `libvirt_kvm.yml`
Uses custom libvirt plugin to discover VMs on production hypervisors.
```bash
# List all production hosts
ansible-inventory -i inventories/production/libvirt_kvm.yml --list
# Test connectivity
ansible all -i inventories/production/libvirt_kvm.yml -m ping
```
### 2. NetBox CMDB (Example Configuration)
**File**: `netbox.yml.example`
For NetBox-based infrastructure management:
1. Rename `netbox.yml.example` to `netbox.yml`
2. Configure NetBox API endpoint and token
3. Install required collection:
```bash
ansible-galaxy collection install netbox.netbox
```
### 3. AWS EC2 (Example Configuration)
**File**: `aws_ec2.yml.example`
For AWS cloud infrastructure:
1. Rename `aws_ec2.yml.example` to `aws_ec2.yml`
2. Configure AWS regions and filters
3. Install required collection:
```bash
ansible-galaxy collection install amazon.aws
pip3 install boto3 botocore
```
## Configuration
### Group Variables
Add production-specific variables in:
- `group_vars/all.yml` - Global production settings
- `group_vars/all/vault.yml` - Encrypted secrets
- `group_vars/webservers.yml` - Web server group settings
- `group_vars/databases.yml` - Database group settings
### Host Variables
Add host-specific variables in:
- `host_vars/<hostname>.yml`
## Security
- All secrets must be encrypted using Ansible Vault
- Never commit plaintext credentials
- Use environment variables or external secret managers when possible
- Rotate credentials every 90 days
## Usage Examples
```bash
# Run against all production hosts
ansible-playbook -i inventories/production site.yml
# Run against specific group
ansible-playbook -i inventories/production site.yml --limit webservers
# Check mode (dry-run)
ansible-playbook -i inventories/production site.yml --check
# With specific tags
ansible-playbook -i inventories/production site.yml --tags security
```
## Validation
```bash
# Validate inventory syntax
ansible-inventory -i inventories/production --list
# Check specific host
ansible-inventory -i inventories/production --host hostname
# Graph inventory structure
ansible-inventory -i inventories/production --graph
```

93
inventories/production/aws_ec2.yml.example
View File

@@ -1,93 +0,0 @@
---
# =============================================================================
# Production Environment - AWS EC2 Dynamic Inventory (EXAMPLE)
# =============================================================================
#
# This is an example configuration for AWS EC2 dynamic inventory.
# Rename to aws_ec2.yml and configure with your AWS details.
#
# Requirements:
# ansible-galaxy collection install amazon.aws
# pip3 install boto3 botocore
#
# Authentication:
# - AWS credentials via ~/.aws/credentials
# - IAM role (recommended for EC2 control nodes)
# - Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
#
# Usage:
# ansible-inventory -i inventories/production/aws_ec2.yml --list
#
# =============================================================================
plugin: amazon.aws.aws_ec2
# AWS Regions to query
regions:
- us-east-1
- us-west-2
# - eu-west-1
# - ap-southeast-1
# Instance filters
filters:
tag:Environment: production
instance-state-name: running
# Use private IP for internal networks, public for external
hostnames:
- tag:Name
- dns-name
- private-ip-address
# Compose variables
compose:
ansible_host: private_ip_address
# For public access:
# ansible_host: public_ip_address
environment: production
aws_region: placement.region
aws_az: placement.availability_zone
instance_type: instance_type
vpc_id: vpc_id
# Keyed groups
keyed_groups:
# Group by tag:Role
- key: tags.Role
prefix: role
separator: "_"
# Group by tag:Service
- key: tags.Service
prefix: service
separator: "_"
# Group by instance type
- key: instance_type
prefix: instance_type
# Group by availability zone
- key: placement.availability_zone
prefix: az
# Group by VPC
- key: vpc_id
prefix: vpc
# Strict mode (fail if groups can't be created)
strict: false
# Cache settings
cache: true
cache_plugin: jsonfile
cache_timeout: 3600
cache_connection: /tmp/ansible_aws_inventory_cache
cache_prefix: aws_ec2
# Include/exclude patterns
# include_filters:
# - tag:Managed: ansible
# exclude_filters:
# - tag:Backup: only

176
inventories/production/group_vars/all.yml
View File

@@ -1,176 +0,0 @@
---
# =============================================================================
# Production Environment - Global Variables
# =============================================================================
# Environment designation
environment: production
# Ansible connection settings
ansible_user: ansible
ansible_become: true
ansible_become_method: sudo
# SSH connection settings
ansible_ssh_pipelining: true
ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'
# =============================================================================
# Network Configuration
# =============================================================================
# NTP servers for time synchronization
ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
# DNS servers
dns_servers:
- 8.8.8.8
- 8.8.4.4
- 1.1.1.1
# DNS search domains
dns_search_domains:
- example.com
- production.local
# =============================================================================
# Security Configuration
# =============================================================================
# Automatic security updates
security_auto_updates: true
security_auto_reboot: false
security_update_schedule: "daily"
# Firewall settings
firewall_enabled: true
firewall_default_policy: deny
# SELinux/AppArmor enforcement
selinux_state: enforcing
apparmor_enabled: true
# SSH hardening
ssh_permit_root_login: no
ssh_password_authentication: no
ssh_gssapi_authentication: no
ssh_max_auth_tries: 3
ssh_client_alive_interval: 300
# Audit logging
auditd_enabled: true
auditd_log_retention_days: 365
# =============================================================================
# Logging and Monitoring
# =============================================================================
# Log retention
log_retention_days: 365
log_compression_enabled: true
# Syslog configuration
syslog_remote_server: null # Set to remote syslog server if available
syslog_remote_port: 514
# Monitoring
monitoring_enabled: true
monitoring_agent: null # Set to 'prometheus', 'zabbix', 'datadog', etc.
# =============================================================================
# Backup Configuration
# =============================================================================
backup_enabled: true
backup_schedule: "0 2 * * *" # Daily at 2 AM
backup_retention_days: 30
backup_destination: /var/backups
# =============================================================================
# Package Management
# =============================================================================
# Essential packages (CLAUDE.md compliance)
essential_packages:
- vim
- htop
- tmux
- jq
- bc
- curl
- wget
- rsync
- git
- python3
- python3-pip
# Security packages
security_packages:
- aide
- auditd
- chrony
# Additional tools
additional_packages:
- net-tools
- bind-utils # RHEL
# - dnsutils # Debian (uncomment based on OS)
- traceroute
- tcpdump
- strace
- lsof
# =============================================================================
# Performance Tuning
# =============================================================================
# System limits
system_max_open_files: 65535
system_max_processes: 4096
# Kernel parameters (sysctl)
kernel_parameters:
net.ipv4.tcp_syncookies: 1
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.conf.all.accept_source_route: 0
net.ipv6.conf.all.accept_source_route: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
# =============================================================================
# Application Configuration
# =============================================================================
# Default application user
app_user: appuser
app_group: appgroup
# Application directories
app_base_dir: /opt/apps
app_data_dir: /var/lib/apps
app_log_dir: /var/log/apps
# =============================================================================
# Compliance and Standards
# =============================================================================
# Compliance frameworks
compliance_frameworks:
- CIS
- NIST
# Configuration management
config_management_tool: ansible
config_management_version: "{{ ansible_version.full }}"
# =============================================================================
# Custom Variables
# =============================================================================
# Add production-specific custom variables here

160
inventories/production/group_vars/all/vault.yml.example
View File

@@ -1,160 +0,0 @@
---
# =============================================================================
# Production Environment - Encrypted Secrets (EXAMPLE)
# =============================================================================
#
# This is an EXAMPLE vault file. To use:
#
# 1. Copy this file to vault.yml:
# cp vault.yml.example vault.yml
#
# 2. Fill in actual values (replace CHANGEME placeholders)
#
# 3. Encrypt with ansible-vault:
# ansible-vault encrypt inventories/production/group_vars/all/vault.yml
#
# 4. Edit encrypted vault:
# ansible-vault edit inventories/production/group_vars/all/vault.yml
#
# 5. Use in playbooks with --ask-vault-pass or --vault-password-file
#
# =============================================================================
# -----------------------------------------------------------------------------
# User Credentials
# -----------------------------------------------------------------------------
# Ansible service account SSH key
vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"
# Root password for console access (if needed)
vault_root_password: "CHANGEME_STRONG_PASSWORD"
# Ansible user sudo password (if passwordless sudo not configured)
vault_ansible_become_password: "CHANGEME_SUDO_PASSWORD"
# -----------------------------------------------------------------------------
# API Tokens and Keys
# -----------------------------------------------------------------------------
# Cloud Provider API Tokens
vault_aws_access_key_id: "CHANGEME_AWS_ACCESS_KEY"
vault_aws_secret_access_key: "CHANGEME_AWS_SECRET_KEY"
vault_azure_subscription_id: "CHANGEME_AZURE_SUBSCRIPTION"
vault_azure_client_id: "CHANGEME_AZURE_CLIENT_ID"
vault_azure_secret: "CHANGEME_AZURE_SECRET"
vault_azure_tenant: "CHANGEME_AZURE_TENANT"
vault_gcp_service_account_key: "CHANGEME_GCP_JSON_KEY"
vault_digitalocean_token: "CHANGEME_DO_TOKEN"
# CMDB API Tokens
vault_netbox_api_token: "CHANGEME_NETBOX_TOKEN"
vault_servicenow_api_token: "CHANGEME_SERVICENOW_TOKEN"
# Git/Repository Credentials
vault_gitea_username: "ansible@mymx.me"
vault_gitea_password: "79,;,metOND"
vault_gitea_api_token: "CHANGEME_GITEA_TOKEN"
# Email Configuration
vault_mailcow_username: "ansible@mymx.me"
vault_mailcow_password: "79,;,metOND"
vault_smtp_username: "ansible@mymx.me"
vault_smtp_password: "79,;,metOND"
# -----------------------------------------------------------------------------
# Database Credentials
# -----------------------------------------------------------------------------
vault_mysql_root_password: "CHANGEME_MYSQL_ROOT"
vault_mysql_replication_password: "CHANGEME_MYSQL_REPL"
vault_postgresql_postgres_password: "CHANGEME_PG_POSTGRES"
vault_postgresql_replication_password: "CHANGEME_PG_REPL"
vault_mongodb_admin_password: "CHANGEME_MONGO_ADMIN"
vault_redis_password: "CHANGEME_REDIS_PASSWORD"
# -----------------------------------------------------------------------------
# Application Secrets
# -----------------------------------------------------------------------------
vault_app_secret_key: "CHANGEME_APP_SECRET_32_CHARS_MIN"
vault_app_api_key: "CHANGEME_APP_API_KEY"
vault_app_jwt_secret: "CHANGEME_JWT_SECRET"
# -----------------------------------------------------------------------------
# SSL/TLS Certificates
# -----------------------------------------------------------------------------
# Private key for SSL certificates (PEM format)
vault_ssl_private_key: |
-----BEGIN PRIVATE KEY-----
CHANGEME_SSL_PRIVATE_KEY_CONTENT
-----END PRIVATE KEY-----
# SSL certificate chain
vault_ssl_certificate: |
-----BEGIN CERTIFICATE-----
CHANGEME_SSL_CERTIFICATE_CONTENT
-----END CERTIFICATE-----
# Certificate authority certificate
vault_ssl_ca_certificate: |
-----BEGIN CERTIFICATE-----
CHANGEME_CA_CERTIFICATE_CONTENT
-----END CERTIFICATE-----
# -----------------------------------------------------------------------------
# Monitoring and Logging
# -----------------------------------------------------------------------------
vault_grafana_admin_password: "CHANGEME_GRAFANA_ADMIN"
vault_prometheus_auth_token: "CHANGEME_PROMETHEUS_TOKEN"
vault_zabbix_api_token: "CHANGEME_ZABBIX_TOKEN"
vault_elasticsearch_password: "CHANGEME_ELASTIC_PASSWORD"
vault_kibana_encryption_key: "CHANGEME_KIBANA_32_CHAR_KEY"
# -----------------------------------------------------------------------------
# Backup and Recovery
# -----------------------------------------------------------------------------
vault_backup_encryption_key: "CHANGEME_BACKUP_ENCRYPTION_KEY"
vault_s3_backup_access_key: "CHANGEME_S3_BACKUP_ACCESS"
vault_s3_backup_secret_key: "CHANGEME_S3_BACKUP_SECRET"
# -----------------------------------------------------------------------------
# External Services
# -----------------------------------------------------------------------------
vault_slack_webhook_url: "https://hooks.slack.com/services/CHANGEME"
vault_pagerduty_api_key: "CHANGEME_PAGERDUTY_KEY"
vault_datadog_api_key: "CHANGEME_DATADOG_KEY"
vault_datadog_app_key: "CHANGEME_DATADOG_APP_KEY"
# -----------------------------------------------------------------------------
# Encryption Keys
# -----------------------------------------------------------------------------
vault_luks_passphrase: "CHANGEME_LUKS_PASSPHRASE"
vault_gpg_passphrase: "CHANGEME_GPG_PASSPHRASE"
# =============================================================================
# Usage in Playbooks
# =============================================================================
#
# Reference vault variables in your playbooks and roles:
#
# - name: Create user with vault password
# user:
# name: ansible
# password: "{{ vault_ansible_user_password | password_hash('sha512') }}"
#
# - name: Configure database
# mysql_db:
# login_password: "{{ vault_mysql_root_password }}"
#
# =============================================================================

42
inventories/production/libvirt_kvm.yml
View File

@@ -1,42 +0,0 @@
---
# =============================================================================
# Production Environment - Libvirt/KVM Dynamic Inventory
# =============================================================================
#
# This inventory uses the custom libvirt_kvm.py plugin to dynamically discover
# running VMs on production KVM hypervisors.
#
# Usage:
# ansible-inventory -i inventories/production/libvirt_kvm.yml --list
# ansible all -i inventories/production/libvirt_kvm.yml -m ping
#
# =============================================================================
plugin: libvirt_kvm
uri: qemu+ssh://ansible@hypervisor-prod.example.com/system
# Connection settings
connection_timeout: 30
ssh_proxy_jump: null # Set to bastion host if needed
# Filtering
states:
- running
# Grouping
keyed_groups:
- key: tags.environment
prefix: env
- key: tags.role
prefix: role
- key: tags.service
prefix: service
# Compose variables
compose:
ansible_host: "{{ ansible_host | default(ip_address) }}"
environment: production
# Host filters (only include VMs with production tag)
# filters:
# - tags.environment == 'production'

64
inventories/production/netbox.yml.example
View File

@@ -1,64 +0,0 @@
---
# =============================================================================
# Production Environment - NetBox CMDB Dynamic Inventory (EXAMPLE)
# =============================================================================
#
# This is an example configuration for NetBox dynamic inventory.
# Rename to netbox.yml and configure with your NetBox instance details.
#
# Requirements:
# ansible-galaxy collection install netbox.netbox
#
# Usage:
# ansible-inventory -i inventories/production/netbox.yml --list
#
# =============================================================================
plugin: netbox.netbox.nb_inventory
# NetBox API Configuration
api_endpoint: https://netbox.example.com
token: "{{ lookup('env', 'NETBOX_TOKEN') }}" # Use environment variable
# OR use vault:
# token: "{{ vault_netbox_api_token }}"
# Validate SSL certificate
validate_certs: true
# Device filters
config_context: false
group_by:
- device_roles
- sites
- platforms
- tags
# Query filters
query_filters:
- site: production
- status: active
# Group prefix
group_names_raw: false
# Compose host variables
compose:
ansible_host: primary_ip4
environment: production
netbox_site: site.name
netbox_role: device_role.name
# Keyed groups
keyed_groups:
- key: device_role.name
prefix: role
- key: site.name
prefix: site
- key: platform.name
prefix: platform
# Virtual machines
virtual_machines: true
# Interfaces
interfaces: true

58
inventories/staging/README.md
View File

@@ -1,58 +0,0 @@
# Staging Inventory
This directory contains dynamic inventory configurations for the staging environment.
## Available Inventory Sources
### 1. Libvirt/KVM Dynamic Inventory (Active)
**File**: `libvirt_kvm.yml`
Uses custom libvirt plugin to discover VMs on staging hypervisors.
```bash
# List all staging hosts
ansible-inventory -i inventories/staging/libvirt_kvm.yml --list
# Test connectivity
ansible all -i inventories/staging/libvirt_kvm.yml -m ping
```
## Configuration
### Group Variables
Add staging-specific variables in:
- `group_vars/all.yml` - Global staging settings
- `group_vars/all/vault.yml` - Encrypted secrets
### Host Variables
Add host-specific variables in:
- `host_vars/<hostname>.yml`
## Usage Examples
```bash
# Run against all staging hosts
ansible-playbook -i inventories/staging site.yml
# Run against specific group
ansible-playbook -i inventories/staging site.yml --limit webservers
# Test changes before production
ansible-playbook -i inventories/staging site.yml --tags security
```
## Validation
```bash
# Validate inventory syntax
ansible-inventory -i inventories/staging --list
# Check specific host
ansible-inventory -i inventories/staging --host hostname
# Graph inventory structure
ansible-inventory -i inventories/staging --graph
```

164
inventories/staging/group_vars/all.yml
View File

@@ -1,164 +0,0 @@
---
# =============================================================================
# Staging Environment - Global Variables
# =============================================================================
# Environment designation
environment: staging
# Ansible connection settings
ansible_user: ansible
ansible_become: true
ansible_become_method: sudo
# SSH connection settings
ansible_ssh_pipelining: true
ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'
# =============================================================================
# Network Configuration
# =============================================================================
# NTP servers for time synchronization
ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
# DNS servers
dns_servers:
- 8.8.8.8
- 8.8.4.4
# DNS search domains
dns_search_domains:
- staging.local
# =============================================================================
# Security Configuration
# =============================================================================
# Automatic security updates
security_auto_updates: true
security_auto_reboot: false # Can be true for staging
security_update_schedule: "daily"
# Firewall settings
firewall_enabled: true
firewall_default_policy: deny
# SELinux/AppArmor enforcement
selinux_state: enforcing
apparmor_enabled: true
# SSH hardening
ssh_permit_root_login: no
ssh_password_authentication: no
ssh_gssapi_authentication: no
ssh_max_auth_tries: 5
ssh_client_alive_interval: 300
# Audit logging
auditd_enabled: true
auditd_log_retention_days: 90
# =============================================================================
# Logging and Monitoring
# =============================================================================
# Log retention (shorter for staging)
log_retention_days: 90
log_compression_enabled: true
# Syslog configuration
syslog_remote_server: null
syslog_remote_port: 514
# Monitoring
monitoring_enabled: true
monitoring_agent: null
# =============================================================================
# Backup Configuration
# =============================================================================
backup_enabled: true
backup_schedule: "0 3 * * *" # Daily at 3 AM
backup_retention_days: 14
backup_destination: /var/backups
# =============================================================================
# Package Management
# =============================================================================
# Essential packages (CLAUDE.md compliance)
essential_packages:
- vim
- htop
- tmux
- jq
- bc
- curl
- wget
- rsync
- git
- python3
- python3-pip
# Security packages
security_packages:
- aide
- auditd
- chrony
# Additional tools
additional_packages:
- net-tools
- traceroute
- tcpdump
- strace
- lsof
# =============================================================================
# Performance Tuning
# =============================================================================
# System limits
system_max_open_files: 32768
system_max_processes: 2048
# Kernel parameters (sysctl)
kernel_parameters:
net.ipv4.tcp_syncookies: 1
net.ipv4.conf.all.rp_filter: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
# =============================================================================
# Application Configuration
# =============================================================================
# Default application user
app_user: appuser
app_group: appgroup
# Application directories
app_base_dir: /opt/apps
app_data_dir: /var/lib/apps
app_log_dir: /var/log/apps
# =============================================================================
# Compliance and Standards
# =============================================================================
# Compliance frameworks
compliance_frameworks:
- CIS
# Configuration management
config_management_tool: ansible
config_management_version: "{{ ansible_version.full }}"
# =============================================================================
# Custom Variables
# =============================================================================
# Add staging-specific custom variables here

62
inventories/staging/group_vars/all/vault.yml.example
View File

@@ -1,62 +0,0 @@
---
# =============================================================================
# Staging Environment - Encrypted Secrets (EXAMPLE)
# =============================================================================
#
# This is an EXAMPLE vault file. To use:
#
# 1. Copy this file to vault.yml:
# cp vault.yml.example vault.yml
#
# 2. Fill in actual values (replace CHANGEME placeholders)
#
# 3. Encrypt with ansible-vault:
# ansible-vault encrypt inventories/staging/group_vars/all/vault.yml
#
# =============================================================================
# -----------------------------------------------------------------------------
# User Credentials
# -----------------------------------------------------------------------------
vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"
vault_root_password: "CHANGEME_STAGING_ROOT_PASSWORD"
vault_ansible_become_password: "CHANGEME_STAGING_SUDO_PASSWORD"
# -----------------------------------------------------------------------------
# API Tokens and Keys
# -----------------------------------------------------------------------------
vault_aws_access_key_id: "CHANGEME_AWS_STAGING_ACCESS_KEY"
vault_aws_secret_access_key: "CHANGEME_AWS_STAGING_SECRET_KEY"
vault_netbox_api_token: "CHANGEME_NETBOX_STAGING_TOKEN"
vault_gitea_username: "ansible@mymx.me"
vault_gitea_password: "79,;,metOND"
vault_mailcow_username: "ansible@mymx.me"
vault_mailcow_password: "79,;,metOND"
# -----------------------------------------------------------------------------
# Database Credentials (Staging - weaker passwords OK)
# -----------------------------------------------------------------------------
vault_mysql_root_password: "CHANGEME_STAGING_MYSQL"
vault_postgresql_postgres_password: "CHANGEME_STAGING_PG"
vault_mongodb_admin_password: "CHANGEME_STAGING_MONGO"
vault_redis_password: "CHANGEME_STAGING_REDIS"
# -----------------------------------------------------------------------------
# Application Secrets (Staging)
# -----------------------------------------------------------------------------
vault_app_secret_key: "CHANGEME_STAGING_APP_SECRET"
vault_app_api_key: "CHANGEME_STAGING_API_KEY"
# -----------------------------------------------------------------------------
# Monitoring and Logging
# -----------------------------------------------------------------------------
vault_grafana_admin_password: "CHANGEME_STAGING_GRAFANA"
vault_elasticsearch_password: "CHANGEME_STAGING_ELASTIC"

42
inventories/staging/libvirt_kvm.yml
View File

@@ -1,42 +0,0 @@
---
# =============================================================================
# Staging Environment - Libvirt/KVM Dynamic Inventory
# =============================================================================
#
# This inventory uses the custom libvirt_kvm.py plugin to dynamically discover
# running VMs on staging KVM hypervisors.
#
# Usage:
# ansible-inventory -i inventories/staging/libvirt_kvm.yml --list
# ansible all -i inventories/staging/libvirt_kvm.yml -m ping
#
# =============================================================================
plugin: libvirt_kvm
uri: qemu+ssh://ansible@hypervisor-staging.example.com/system
# Connection settings
connection_timeout: 30
ssh_proxy_jump: null # Set to bastion host if needed
# Filtering
states:
- running
# Grouping
keyed_groups:
- key: tags.environment
prefix: env
- key: tags.role
prefix: role
- key: tags.service
prefix: service
# Compose variables
compose:
ansible_host: "{{ ansible_host | default(ip_address) }}"
environment: staging
# Host filters (only include VMs with staging tag)
# filters:
# - tags.environment == 'staging'

2
secrets

Submodule secrets updated: c2241e0e7d...8def011667