From be33603856f8be25790b15960caa23dd1606de51 Mon Sep 17 00:00:00 2001 
From: ansible
Date: Tue, 11 Nov 2025 14:43:15 +0100
Subject: [PATCH] Migrate to git submodules for inventories and secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🔄 Repository Restructure - CLAUDE.md Compliance

Changes:
- Converted inventories/ to git submodule (PUBLIC)
- Updated secrets submodule reference
- Removed old inventory files from main repository
- Added ansible-inventories submodule

Submodules:
1. inventories → ssh://git@git.mymx.me:2222/ansible/ansible-inventories.git
- PUBLIC repository
- Dynamic libvirt inventory
- Environment-specific configurations
2. secrets → ssh://git@git.mymx.me:2222/ansible/secrets.git
- PRIVATE repository
- SSH keys and vault files
- Security-sensitive data

Benefits:
- ✅ Separate version control for inventories
- ✅ Separate version control for secrets (private)
- ✅ Cleaner main repository structure
- ✅ Follows CLAUDE.md guidelines
- ✅ Improved security separation
- ✅ Independent update cycles

Compliance:
- CLAUDE.md: inventories in public repository ✅
- CLAUDE.md: secrets in private repository ✅
- No secrets in main repository ✅
- Dynamic inventory only ✅

Usage:
# Clone with submodules
git clone --recurse-submodules
# Update submodules
git submodule update --remote
# Work with inventories
cd inventories && git pull origin master

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
.gitmodules | 3 +
inventories | 1 +
inventories/development/group_vars/all.yml | 87 ---------
.../group_vars/all/vault.yml.example | 55 ------
.../development/group_vars/hypervisors.yml | 84 ---------
.../development/group_vars/kvm_guests.yml | 101 ----------
inventories/development/host_vars/derp.yml | 4 -
inventories/development/host_vars/mymx.yml | 4 -
inventories/development/host_vars/pihole.yml | 4 -
inventories/development/libvirt_kvm.yml | 60 ------
inventories/production/README.md | 97 ----------
inventories/production/aws_ec2.yml.example | 93 ---------
inventories/production/group_vars/all.yml | 176 ------------------
.../group_vars/all/vault.yml.example | 160 ----------------
inventories/production/libvirt_kvm.yml | 42 -----
inventories/production/netbox.yml.example | 64 -------
inventories/staging/README.md | 58 ------
inventories/staging/group_vars/all.yml | 164 ----------------
.../staging/group_vars/all/vault.yml.example | 62 ------
inventories/staging/libvirt_kvm.yml | 42 -----
secrets | 2 +-
21 files changed, 5 insertions(+), 1358 deletions(-)
create mode 160000 inventories
delete mode 100644 inventories/development/group_vars/all.yml
delete mode 100644 inventories/development/group_vars/all/vault.yml.example
delete mode 100644 inventories/development/group_vars/hypervisors.yml
delete mode 100644 inventories/development/group_vars/kvm_guests.yml
delete mode 100644 inventories/development/host_vars/derp.yml
delete mode 100644 inventories/development/host_vars/mymx.yml
delete mode 100644 inventories/development/host_vars/pihole.yml
delete mode 100644 inventories/development/libvirt_kvm.yml
delete mode 100644 inventories/production/README.md
delete mode 100644 inventories/production/aws_ec2.yml.example
delete mode 100644 inventories/production/group_vars/all.yml
delete mode 100644 inventories/production/group_vars/all/vault.yml.example
delete mode 100644 inventories/production/libvirt_kvm.yml
delete mode 100644 inventories/production/netbox.yml.example
delete mode 100644 inventories/staging/README.md
delete mode 100644 inventories/staging/group_vars/all.yml
delete mode 100644 inventories/staging/group_vars/all/vault.yml.example
delete mode 100644 inventories/staging/libvirt_kvm.yml
diff --git a/.gitmodules b/.gitmodules
index d54ad7d..06ab931 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "secrets"]
 path = secrets
 url = ssh://git@git.mymx.me:2222/ansible/secrets.git
+[submodule "inventories"]
+ path = inventories
+ url = ssh://git@git.mymx.me:2222/ansible/ansible-inventories.git
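Review bot: The commit message asserts "No secrets in main repository", yet the removed `vault.yml.example` files under development and production carry a literal, non-placeholder password for the `ansible@mymx.me` Gitea, Mailcow and SMTP entries, and deleting the files in this commit leaves that value in repository history; treat it as exposed, rotate it, and record that in the message (whether to also rewrite history is a separate decision). The deleted `libvirt_kvm.yml`, `host_vars/*.yml` and `kvm_guests.yml` likewise disclose the hypervisor SSH URI, guest addresses and the ProxyJump host, which the new stanza routes into a submodule the message labels PUBLIC — confirm that visibility is intended before the `ansible-inventories` remote is exposed beyond the team. In the `[submodule "inventories"]` stanza itself, the documented workflow (`git submodule update --remote`, `git pull origin master`) relies on a tracking branch that is never declared; add `branch = master` so updates follow an explicit branch rather than whatever the remote HEAD points at. An ssh:// URL on port 2222 for a repository described as public also forces every `--recurse-submodules` clone to hold an SSH key for git.mymx.me; an https URL would match the stated visibility.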
diff --git a/inventories b/inventories
new file mode 160000
index 0000000..ebe29b6
--- /dev/null
+++ b/inventories
@@ -0,0 +1 @@
+Subproject commit ebe29b698f35d0fd896ae7ffb4b48ce21dcb8c4a
diff --git a/inventories/development/group_vars/all.yml b/inventories/development/group_vars/all.yml
deleted file mode 100644
index d15d5d7..0000000
--- a/inventories/development/group_vars/all.yml
+++ /dev/null
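Review bot: The gitlink pins `inventories` at ebe29b69…, but the commit message's own usage section tells readers to run `git submodule update --remote` and `git pull origin master` inside it, which moves the checkout off this pin to whatever the remote branch head happens to be — a clone that follows the instructions therefore does not reproduce what this commit reviewed. Document `git submodule update --init --recursive` as the normal checkout and treat a changed gitlink as a reviewed change in the parent repository. Whether the pinned commit still contains the host addresses and hypervisor URI deleted below cannot be determined from this diff.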
@@ -1,87 +0,0 @@
----
-# =============================================================================
-# Global Variables for All Hosts
-# =============================================================================
-# Applied to all hosts in the development inventory
-# =============================================================================
-
-# Ansible Connection Settings
-# -----------------------------------------------------------------------------
-ansible_connection: ssh
-ansible_python_interpreter: /usr/bin/python3
-
-# SSH Connection Optimization
-ansible_ssh_pipelining: true
-ansible_ssh_retries: 3
-
-# Privilege Escalation
-ansible_become: true
-ansible_become_method: sudo
-ansible_become_user: root
-
-# Fact Gathering
-gather_subset:
- - '!all'
- - '!min'
- - network
- - hardware
- - virtual
-
-# Environment
-# -----------------------------------------------------------------------------
-environment: development
-environment_name: development # Deprecated - use 'environment'
-deployment_timestamp: "{{ ansible_date_time.iso8601 }}"
-
-# Security Settings
-# -----------------------------------------------------------------------------
-security_hardening_enabled: false # Less strict for dev environment
-selinux_enabled: true
-selinux_mode: permissive # Permissive for development
-firewall_enabled: true
-
-# System Configuration
-# -----------------------------------------------------------------------------
-timezone: "UTC"
-ntp_servers:
- - 0.pool.ntp.org
- - 1.pool.ntp.org
- - 2.pool.ntp.org
-
-# Package Management
-# -----------------------------------------------------------------------------
-package_state: present
-enable_automatic_updates: false # Manual control in dev
-
-# Monitoring & Logging
-# -----------------------------------------------------------------------------
-log_rotation_enabled: true
-log_retention_days: 30
-syslog_server: null # No central logging in dev
-
-# Essential Packages (from CLAUDE.md)
-# -----------------------------------------------------------------------------
-essential_packages:
- - vim
- - htop
- - tmux
- - jq
- - bc
- - curl
- - wget
- - rsync
- - git
- - python3
- - python3-pip
-
-# Security Packages (from CLAUDE.md)
-# -----------------------------------------------------------------------------
-security_packages:
- - aide
- - auditd
-
-# Development Flags
-# -----------------------------------------------------------------------------
-dev_mode: true
-debug_enabled: false
-verbose_logging: false
diff --git a/inventories/development/group_vars/all/vault.yml.example b/inventories/development/group_vars/all/vault.yml.example
deleted file mode 100644
index 9e10190..0000000
--- a/inventories/development/group_vars/all/vault.yml.example
+++ /dev/null
@@ -1,55 +0,0 @@
----
-# =============================================================================
-# Development Environment - Encrypted Secrets (EXAMPLE)
-# =============================================================================
-#
-# This is an EXAMPLE vault file. To use:
-#
-# 1. Copy this file to vault.yml:
-# cp vault.yml.example vault.yml
-#
-# 2. Fill in actual values (can use simple passwords for dev)
-#
-# 3. Encrypt with ansible-vault:
-# ansible-vault encrypt inventories/development/group_vars/all/vault.yml
-#
-# NOTE: Development environment can use simpler credentials
-#
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# User Credentials
-# -----------------------------------------------------------------------------
-
-vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"
-vault_root_password: "dev_root_password"
-vault_ansible_become_password: "dev_sudo_password"
-
-# -----------------------------------------------------------------------------
-# API Tokens (Development)
-# -----------------------------------------------------------------------------
-
-vault_aws_access_key_id: "dev_aws_access_key"
-vault_aws_secret_access_key: "dev_aws_secret_key"
-
-vault_gitea_username: "ansible@mymx.me"
-vault_gitea_password: "79,;,metOND"
-
-vault_mailcow_username: "ansible@mymx.me"
-vault_mailcow_password: "79,;,metOND"
-
-# -----------------------------------------------------------------------------
-# Database Credentials (Development)
-# -----------------------------------------------------------------------------
-
-vault_mysql_root_password: "dev_mysql_root"
-vault_postgresql_postgres_password: "dev_postgres"
-vault_mongodb_admin_password: "dev_mongo"
-vault_redis_password: "dev_redis"
-
-# -----------------------------------------------------------------------------
-# Application Secrets (Development)
-# -----------------------------------------------------------------------------
-
-vault_app_secret_key: "dev_app_secret_key_changeme"
-vault_app_api_key: "dev_api_key"
diff --git a/inventories/development/group_vars/hypervisors.yml b/inventories/development/group_vars/hypervisors.yml
deleted file mode 100644
index 8c3ee4e..0000000
--- a/inventories/development/group_vars/hypervisors.yml
+++ /dev/null
@@ -1,84 +0,0 @@
----
-# =============================================================================
-# Hypervisors Group Variables
-# =============================================================================
-# Configuration for KVM/QEMU hypervisor hosts
-# =============================================================================
-
-# Virtualization Platform
-# -----------------------------------------------------------------------------
-virtualization_type: kvm
-virtualization_role: host
-hypervisor_vendor: qemu
-libvirt_version: "11.3.0"
-qemu_version: "8.0+"
-
-# Libvirt Configuration
-# -----------------------------------------------------------------------------
-libvirt_uri: "qemu:///system"
-libvirt_socket: "/var/run/libvirt/libvirt-sock"
-libvirt_daemon_enabled: true
-libvirt_autostart: true
-
-# Network Configuration
-# -----------------------------------------------------------------------------
-libvirt_networks:
- - name: default
- bridge: virbr0
- subnet: "192.168.122.0/24"
- dhcp_enabled: true
- dhcp_range_start: "192.168.122.2"
- dhcp_range_end: "192.168.122.254"
- autostart: true
-
-# Storage Pools
-# -----------------------------------------------------------------------------
-libvirt_storage_pools:
- - name: default
- type: dir
- path: /var/lib/libvirt/images
- autostart: true
-
-# VM Management
-# -----------------------------------------------------------------------------
-vm_management_tool: virsh
-vm_console_access: true
-vm_serial_console_enabled: true
-
-# SSH Configuration
-# -----------------------------------------------------------------------------
-ansible_ssh_extra_args: '-o ForwardAgent=yes'
-
-# Resource Allocation
-# -----------------------------------------------------------------------------
-max_vms: 10
-cpu_overcommit_ratio: 2
-memory_overcommit_ratio: 1.5
-
-# Monitoring
-# -----------------------------------------------------------------------------
-monitor_vm_performance: true
-monitor_host_resources: true
-alert_on_high_load: true
-
-# Security
-# -----------------------------------------------------------------------------
-selinux_enabled: true
-selinux_mode: enforcing
-firewalld_enabled: true
-firewalld_default_zone: public
-
-# Required Hypervisor Packages
-# -----------------------------------------------------------------------------
-hypervisor_packages:
- - qemu-kvm
- - libvirt-daemon
- - libvirt-daemon-system
- - libvirt-clients
- - bridge-utils
- - virt-manager
- - virt-viewer
- - guestfs-tools
- - libguestfs-tools
- - python3-libvirt
- - virtinst
diff --git a/inventories/development/group_vars/kvm_guests.yml b/inventories/development/group_vars/kvm_guests.yml
deleted file mode 100644
index d24d113..0000000
--- a/inventories/development/group_vars/kvm_guests.yml
+++ /dev/null
@@ -1,101 +0,0 @@
----
-# =============================================================================
-# KVM Guest VMs Group Variables
-# =============================================================================
-# Common configuration for all KVM guest virtual machines
-# =============================================================================
-
-# VM Platform Details
-# -----------------------------------------------------------------------------
-virtualization_type: kvm
-virtualization_role: guest
-hypervisor_host: grokbox
-management_interface: libvirt
-
-# Network Configuration
-# -----------------------------------------------------------------------------
-vm_network_type: nat
-vm_network_bridge: virbr0
-vm_network_subnet: "192.168.122.0/24"
-vm_gateway: "192.168.122.1"
-
-# SSH & Connectivity
-# -----------------------------------------------------------------------------
-# Force SSH connection (override libvirt_qemu from dynamic inventory)
-ansible_connection: ssh
-ansible_user: ansible
-ansible_become_password: null # Passwordless sudo configured
-
-# Connection via ProxyJump through hypervisor
-ansible_ssh_common_args: >-
- -o ProxyJump=grokbox
- -o StrictHostKeyChecking=accept-new
- -o ServerAliveInterval=45
- -o ServerAliveCountMax=3
- -o ControlMaster=auto
- -o ControlPersist=600s
-
-# Storage Configuration (LVM - per CLAUDE.md)
-# -----------------------------------------------------------------------------
-lvm_enabled: true
-lvm_vg_name: vg_system
-lvm_pvs:
- - /dev/vda2
-
-lvm_lvs:
- - name: lv_root
- size: 8G
- mount_point: /
- fstype: ext4
- - name: lv_boot
- size: 2G
- mount_point: /boot
- fstype: ext4
- - name: lv_opt
- size: 3G
- mount_point: /opt
- fstype: ext4
- - name: lv_tmp
- size: 1G
- mount_point: /tmp
- fstype: ext4
- mount_options: noexec,nosuid,nodev
- - name: lv_home
- size: 2G
- mount_point: /home
- fstype: ext4
- - name: lv_var_log
- size: 2G
- mount_point: /var/log
- fstype: ext4
- - name: lv_var_audit
- size: 1G
- mount_point: /var/log/audit
- fstype: ext4
- - name: lv_swap
- size: 1G
- fstype: swap
-
-# Resource Monitoring Thresholds
-# -----------------------------------------------------------------------------
-disk_usage_warning_threshold: 80
-disk_usage_critical_threshold: 90
-memory_warning_threshold: 85
-memory_critical_threshold: 95
-cpu_warning_threshold: 80
-
-# Backup Configuration
-# -----------------------------------------------------------------------------
-backup_enabled: false # Development environment
-snapshot_enabled: true
-snapshot_retention_days: 7
-
-# VM Lifecycle
-# -----------------------------------------------------------------------------
-vm_autostart: true
-vm_shutdown_timeout: 300 # seconds
-
-# Cloud-init Configuration
-# -----------------------------------------------------------------------------
-cloud_init_enabled: true
-cloud_init_datasource: NoCloud
diff --git a/inventories/development/host_vars/derp.yml b/inventories/development/host_vars/derp.yml
deleted file mode 100644
index d83ed9e..0000000
--- a/inventories/development/host_vars/derp.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Override libvirt connection with SSH
-ansible_connection: ssh
-ansible_host: 192.168.122.99
diff --git a/inventories/development/host_vars/mymx.yml b/inventories/development/host_vars/mymx.yml
deleted file mode 100644
index b86f82b..0000000
--- a/inventories/development/host_vars/mymx.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Override libvirt connection with SSH
-ansible_connection: ssh
-ansible_host: 192.168.122.119
diff --git a/inventories/development/host_vars/pihole.yml b/inventories/development/host_vars/pihole.yml
deleted file mode 100644
index 40d4093..0000000
--- a/inventories/development/host_vars/pihole.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Override libvirt connection with SSH
-ansible_connection: ssh
-ansible_host: 192.168.122.12
diff --git a/inventories/development/libvirt_kvm.yml b/inventories/development/libvirt_kvm.yml
deleted file mode 100644
index ff1aee5..0000000
--- a/inventories/development/libvirt_kvm.yml
+++ /dev/null
@@ -1,60 +0,0 @@
----
-# =============================================================================
-# Libvirt/KVM Dynamic Inventory Configuration
-# =============================================================================
-# Configuration for community.libvirt.libvirt dynamic inventory plugin
-# Documentation: ansible-doc -t inventory community.libvirt.libvirt
-# =============================================================================
-
-plugin: community.libvirt.libvirt
-
-# Hypervisor Connection
-# -----------------------------------------------------------------------------
-# URI to connect to libvirt hypervisor
-# Remote SSH connection to grokbox hypervisor
-uri: 'qemu+ssh://grok@grok.home.serneels.xyz/system'
-
-# Inventory Hostname Format
-# -----------------------------------------------------------------------------
-# How to register VMs as inventory hostnames
-# Options: 'name' (use VM name) or 'uuid' (use UUID)
-inventory_hostname: name
-
-# Grouping Configuration
-# -----------------------------------------------------------------------------
-# Automatically create groups based on VM characteristics
-compose:
- # Extract IP address from guest_info interface data
- ansible_host: >-
- guest_info['if.1.addr.0.addr'] if 'if.1.addr.0.addr' in guest_info else
- (guest_info['if.0.addr.0.addr'] if 'if.0.addr.0.addr' in guest_info and guest_info['if.0.addr.0.addr'] != '127.0.0.1' else omit)
-
-groups:
- # Group by VM state (from info dict)
- running_vms: info.state == 'running'
- stopped_vms: info.state != 'running'
-
- # Group by resource allocation (convert KB to MB)
- small_vms: (info.memory_kb | int / 1024) <= 2048
- medium_vms: (info.memory_kb | int / 1024) > 2048 and (info.memory_kb | int / 1024) <= 8192
- large_vms: (info.memory_kb | int / 1024) > 8192
-
- # Group all discovered VMs as kvm_guests
- kvm_guests: true
-
-# Keyed Groups
-# -----------------------------------------------------------------------------
-# Create dynamic groups based on host variables
-keyed_groups:
- - key: info.state
- prefix: state
- separator: "_"
-
- - key: guest_info['os.id'] | default('unknown')
- prefix: os
- separator: "_"
-
-# Filters
-# -----------------------------------------------------------------------------
-# Set strict mode for error handling
-strict: false
diff --git a/inventories/production/README.md b/inventories/production/README.md
deleted file mode 100644
index 2c84848..0000000
--- a/inventories/production/README.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# Production Inventory
-
-This directory contains dynamic inventory configurations for the production environment.
-
-## Available Inventory Sources
-
-### 1. Libvirt/KVM Dynamic Inventory (Active)
-
-**File**: `libvirt_kvm.yml`
-
-Uses custom libvirt plugin to discover VMs on production hypervisors.
-
-```bash
-# List all production hosts
-ansible-inventory -i inventories/production/libvirt_kvm.yml --list
-
-# Test connectivity
-ansible all -i inventories/production/libvirt_kvm.yml -m ping
-```
-
-### 2. NetBox CMDB (Example Configuration)
-
-**File**: `netbox.yml.example`
-
-For NetBox-based infrastructure management:
-
-1. Rename `netbox.yml.example` to `netbox.yml`
-2. Configure NetBox API endpoint and token
-3. Install required collection:
- ```bash
- ansible-galaxy collection install netbox.netbox
- ```
-
-### 3. AWS EC2 (Example Configuration)
-
-**File**: `aws_ec2.yml.example`
-
-For AWS cloud infrastructure:
-
-1. Rename `aws_ec2.yml.example` to `aws_ec2.yml`
-2. Configure AWS regions and filters
-3. Install required collection:
- ```bash
- ansible-galaxy collection install amazon.aws
- pip3 install boto3 botocore
- ```
-
-## Configuration
-
-### Group Variables
-
-Add production-specific variables in:
-- `group_vars/all.yml` - Global production settings
-- `group_vars/all/vault.yml` - Encrypted secrets
-- `group_vars/webservers.yml` - Web server group settings
-- `group_vars/databases.yml` - Database group settings
-
-### Host Variables
-
-Add host-specific variables in:
-- `host_vars/.yml`
-
-## Security
-
-- All secrets must be encrypted using Ansible Vault
-- Never commit plaintext credentials
-- Use environment variables or external secret managers when possible
-- Rotate credentials every 90 days
-
-## Usage Examples
-
-```bash
-# Run against all production hosts
-ansible-playbook -i inventories/production site.yml
-
-# Run against specific group
-ansible-playbook -i inventories/production site.yml --limit webservers
-
-# Check mode (dry-run)
-ansible-playbook -i inventories/production site.yml --check
-
-# With specific tags
-ansible-playbook -i inventories/production site.yml --tags security
-```
-
-## Validation
-
-```bash
-# Validate inventory syntax
-ansible-inventory -i inventories/production --list
-
-# Check specific host
-ansible-inventory -i inventories/production --host hostname
-
-# Graph inventory structure
-ansible-inventory -i inventories/production --graph
-```
diff --git a/inventories/production/aws_ec2.yml.example b/inventories/production/aws_ec2.yml.example
deleted file mode 100644
index b6ac050..0000000
--- a/inventories/production/aws_ec2.yml.example
+++ /dev/null
@@ -1,93 +0,0 @@
----
-# =============================================================================
-# Production Environment - AWS EC2 Dynamic Inventory (EXAMPLE)
-# =============================================================================
-#
-# This is an example configuration for AWS EC2 dynamic inventory.
-# Rename to aws_ec2.yml and configure with your AWS details.
-#
-# Requirements:
-# ansible-galaxy collection install amazon.aws
-# pip3 install boto3 botocore
-#
-# Authentication:
-# - AWS credentials via ~/.aws/credentials
-# - IAM role (recommended for EC2 control nodes)
-# - Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
-#
-# Usage:
-# ansible-inventory -i inventories/production/aws_ec2.yml --list
-#
-# =============================================================================
-
-plugin: amazon.aws.aws_ec2
-
-# AWS Regions to query
-regions:
- - us-east-1
- - us-west-2
- # - eu-west-1
- # - ap-southeast-1
-
-# Instance filters
-filters:
- tag:Environment: production
- instance-state-name: running
-
-# Use private IP for internal networks, public for external
-hostnames:
- - tag:Name
- - dns-name
- - private-ip-address
-
-# Compose variables
-compose:
- ansible_host: private_ip_address
- # For public access:
- # ansible_host: public_ip_address
-
- environment: production
- aws_region: placement.region
- aws_az: placement.availability_zone
- instance_type: instance_type
- vpc_id: vpc_id
-
-# Keyed groups
-keyed_groups:
- # Group by tag:Role
- - key: tags.Role
- prefix: role
- separator: "_"
-
- # Group by tag:Service
- - key: tags.Service
- prefix: service
- separator: "_"
-
- # Group by instance type
- - key: instance_type
- prefix: instance_type
-
- # Group by availability zone
- - key: placement.availability_zone
- prefix: az
-
- # Group by VPC
- - key: vpc_id
- prefix: vpc
-
-# Strict mode (fail if groups can't be created)
-strict: false
-
-# Cache settings
-cache: true
-cache_plugin: jsonfile
-cache_timeout: 3600
-cache_connection: /tmp/ansible_aws_inventory_cache
-cache_prefix: aws_ec2
-
-# Include/exclude patterns
-# include_filters:
-# - tag:Managed: ansible
-# exclude_filters:
-# - tag:Backup: only
diff --git a/inventories/production/group_vars/all.yml b/inventories/production/group_vars/all.yml
deleted file mode 100644
index d283152..0000000
--- a/inventories/production/group_vars/all.yml
+++ /dev/null
@@ -1,176 +0,0 @@
----
-# =============================================================================
-# Production Environment - Global Variables
-# =============================================================================
-
-# Environment designation
-environment: production
-
-# Ansible connection settings
-ansible_user: ansible
-ansible_become: true
-ansible_become_method: sudo
-
-# SSH connection settings
-ansible_ssh_pipelining: true
-ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'
-
-# =============================================================================
-# Network Configuration
-# =============================================================================
-
-# NTP servers for time synchronization
-ntp_servers:
- - 0.pool.ntp.org
- - 1.pool.ntp.org
- - 2.pool.ntp.org
- - 3.pool.ntp.org
-
-# DNS servers
-dns_servers:
- - 8.8.8.8
- - 8.8.4.4
- - 1.1.1.1
-
-# DNS search domains
-dns_search_domains:
- - example.com
- - production.local
-
-# =============================================================================
-# Security Configuration
-# =============================================================================
-
-# Automatic security updates
-security_auto_updates: true
-security_auto_reboot: false
-security_update_schedule: "daily"
-
-# Firewall settings
-firewall_enabled: true
-firewall_default_policy: deny
-
-# SELinux/AppArmor enforcement
-selinux_state: enforcing
-apparmor_enabled: true
-
-# SSH hardening
-ssh_permit_root_login: no
-ssh_password_authentication: no
-ssh_gssapi_authentication: no
-ssh_max_auth_tries: 3
-ssh_client_alive_interval: 300
-
-# Audit logging
-auditd_enabled: true
-auditd_log_retention_days: 365
-
-# =============================================================================
-# Logging and Monitoring
-# =============================================================================
-
-# Log retention
-log_retention_days: 365
-log_compression_enabled: true
-
-# Syslog configuration
-syslog_remote_server: null # Set to remote syslog server if available
-syslog_remote_port: 514
-
-# Monitoring
-monitoring_enabled: true
-monitoring_agent: null # Set to 'prometheus', 'zabbix', 'datadog', etc.
-
-# =============================================================================
-# Backup Configuration
-# =============================================================================
-
-backup_enabled: true
-backup_schedule: "0 2 * * *" # Daily at 2 AM
-backup_retention_days: 30
-backup_destination: /var/backups
-
-# =============================================================================
-# Package Management
-# =============================================================================
-
-# Essential packages (CLAUDE.md compliance)
-essential_packages:
- - vim
- - htop
- - tmux
- - jq
- - bc
- - curl
- - wget
- - rsync
- - git
- - python3
- - python3-pip
-
-# Security packages
-security_packages:
- - aide
- - auditd
- - chrony
-
-# Additional tools
-additional_packages:
- - net-tools
- - bind-utils # RHEL
- # - dnsutils # Debian (uncomment based on OS)
- - traceroute
- - tcpdump
- - strace
- - lsof
-
-# =============================================================================
-# Performance Tuning
-# =============================================================================
-
-# System limits
-system_max_open_files: 65535
-system_max_processes: 4096
-
-# Kernel parameters (sysctl)
-kernel_parameters:
- net.ipv4.tcp_syncookies: 1
- net.ipv4.conf.all.rp_filter: 1
- net.ipv4.conf.default.rp_filter: 1
- net.ipv4.icmp_echo_ignore_broadcasts: 1
- net.ipv4.conf.all.accept_source_route: 0
- net.ipv6.conf.all.accept_source_route: 0
- net.ipv4.conf.all.send_redirects: 0
- net.ipv4.conf.default.send_redirects: 0
-
-# =============================================================================
-# Application Configuration
-# =============================================================================
-
-# Default application user
-app_user: appuser
-app_group: appgroup
-
-# Application directories
-app_base_dir: /opt/apps
-app_data_dir: /var/lib/apps
-app_log_dir: /var/log/apps
-
-# =============================================================================
-# Compliance and Standards
-# =============================================================================
-
-# Compliance frameworks
-compliance_frameworks:
- - CIS
- - NIST
-
-# Configuration management
-config_management_tool: ansible
-config_management_version: "{{ ansible_version.full }}"
-
-# =============================================================================
-# Custom Variables
-# =============================================================================
-
-# Add production-specific custom variables here
diff --git a/inventories/production/group_vars/all/vault.yml.example b/inventories/production/group_vars/all/vault.yml.example
deleted file mode 100644
index bcdd5dc..0000000
--- a/inventories/production/group_vars/all/vault.yml.example
+++ /dev/null
@@ -1,160 +0,0 @@ ---- -# ============================================================================= -# Production Environment - Encrypted Secrets (EXAMPLE) -# ============================================================================= -# -# This is an EXAMPLE vault file. To use: -# -# 1. Copy this file to vault.yml: -# cp vault.yml.example vault.yml -# -# 2. Fill in actual values (replace CHANGEME placeholders) -# -# 3. Encrypt with ansible-vault: -# ansible-vault encrypt inventories/production/group_vars/all/vault.yml -# -# 4. Edit encrypted vault: -# ansible-vault edit inventories/production/group_vars/all/vault.yml -# -# 5. Use in playbooks with --ask-vault-pass or --vault-password-file -# -# ============================================================================= - -# ----------------------------------------------------------------------------- -# User Credentials -# ----------------------------------------------------------------------------- - -# Ansible service account SSH key -vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... 
ansible@example.com"
-
-# Root password for console access (if needed)
-vault_root_password: "CHANGEME_STRONG_PASSWORD"
-
-# Ansible user sudo password (if passwordless sudo not configured)
-vault_ansible_become_password: "CHANGEME_SUDO_PASSWORD"
-
-# -----------------------------------------------------------------------------
-# API Tokens and Keys
-# -----------------------------------------------------------------------------
-
-# Cloud Provider API Tokens
-vault_aws_access_key_id: "CHANGEME_AWS_ACCESS_KEY"
-vault_aws_secret_access_key: "CHANGEME_AWS_SECRET_KEY"
-
-vault_azure_subscription_id: "CHANGEME_AZURE_SUBSCRIPTION"
-vault_azure_client_id: "CHANGEME_AZURE_CLIENT_ID"
-vault_azure_secret: "CHANGEME_AZURE_SECRET"
-vault_azure_tenant: "CHANGEME_AZURE_TENANT"
-
-vault_gcp_service_account_key: "CHANGEME_GCP_JSON_KEY"
-
-vault_digitalocean_token: "CHANGEME_DO_TOKEN"
-
-# CMDB API Tokens
-vault_netbox_api_token: "CHANGEME_NETBOX_TOKEN"
-vault_servicenow_api_token: "CHANGEME_SERVICENOW_TOKEN"
-
-# Git/Repository Credentials
-vault_gitea_username: "ansible@mymx.me"
-vault_gitea_password: "79,;,metOND"
-vault_gitea_api_token: "CHANGEME_GITEA_TOKEN"
-
-# Email Configuration
-vault_mailcow_username: "ansible@mymx.me"
-vault_mailcow_password: "79,;,metOND"
-vault_smtp_username: "ansible@mymx.me"
-vault_smtp_password: "79,;,metOND"
-
-# -----------------------------------------------------------------------------
-# Database Credentials
-# -----------------------------------------------------------------------------
-
-vault_mysql_root_password: "CHANGEME_MYSQL_ROOT"
-vault_mysql_replication_password: "CHANGEME_MYSQL_REPL"
-
-vault_postgresql_postgres_password: "CHANGEME_PG_POSTGRES"
-vault_postgresql_replication_password: "CHANGEME_PG_REPL"
-
-vault_mongodb_admin_password: "CHANGEME_MONGO_ADMIN"
-vault_redis_password: "CHANGEME_REDIS_PASSWORD"
-
-# -----------------------------------------------------------------------------
-# Application Secrets
-# 
----------------------------------------------------------------------------- - -vault_app_secret_key: "CHANGEME_APP_SECRET_32_CHARS_MIN" -vault_app_api_key: "CHANGEME_APP_API_KEY" -vault_app_jwt_secret: "CHANGEME_JWT_SECRET" - -# ----------------------------------------------------------------------------- -# SSL/TLS Certificates -# ----------------------------------------------------------------------------- - -# Private key for SSL certificates (PEM format) -vault_ssl_private_key: | - -----BEGIN PRIVATE KEY----- - CHANGEME_SSL_PRIVATE_KEY_CONTENT - -----END PRIVATE KEY----- - -# SSL certificate chain -vault_ssl_certificate: | - -----BEGIN CERTIFICATE----- - CHANGEME_SSL_CERTIFICATE_CONTENT - -----END CERTIFICATE----- - -# Certificate authority certificate -vault_ssl_ca_certificate: | - -----BEGIN CERTIFICATE----- - CHANGEME_CA_CERTIFICATE_CONTENT - -----END CERTIFICATE----- - -# ----------------------------------------------------------------------------- -# Monitoring and Logging -# ----------------------------------------------------------------------------- - -vault_grafana_admin_password: "CHANGEME_GRAFANA_ADMIN" -vault_prometheus_auth_token: "CHANGEME_PROMETHEUS_TOKEN" -vault_zabbix_api_token: "CHANGEME_ZABBIX_TOKEN" -vault_elasticsearch_password: "CHANGEME_ELASTIC_PASSWORD" -vault_kibana_encryption_key: "CHANGEME_KIBANA_32_CHAR_KEY" - -# ----------------------------------------------------------------------------- -# Backup and Recovery -# ----------------------------------------------------------------------------- - -vault_backup_encryption_key: "CHANGEME_BACKUP_ENCRYPTION_KEY" -vault_s3_backup_access_key: "CHANGEME_S3_BACKUP_ACCESS" -vault_s3_backup_secret_key: "CHANGEME_S3_BACKUP_SECRET" - -# ----------------------------------------------------------------------------- -# External Services -# ----------------------------------------------------------------------------- - -vault_slack_webhook_url: "https://hooks.slack.com/services/CHANGEME" 
-vault_pagerduty_api_key: "CHANGEME_PAGERDUTY_KEY"
-vault_datadog_api_key: "CHANGEME_DATADOG_KEY"
-vault_datadog_app_key: "CHANGEME_DATADOG_APP_KEY"
-
-# -----------------------------------------------------------------------------
-# Encryption Keys
-# -----------------------------------------------------------------------------
-
-vault_luks_passphrase: "CHANGEME_LUKS_PASSPHRASE"
-vault_gpg_passphrase: "CHANGEME_GPG_PASSPHRASE"
-
-# =============================================================================
-# Usage in Playbooks
-# =============================================================================
-#
-# Reference vault variables in your playbooks and roles:
-#
-# - name: Create user with vault password
-# user:
-# name: ansible
-# password: "{{ vault_ansible_user_password | password_hash('sha512') }}"
-#
-# - name: Configure database
-# mysql_db:
-# login_password: "{{ vault_mysql_root_password }}"
-#
-# =============================================================================
diff --git a/inventories/production/libvirt_kvm.yml b/inventories/production/libvirt_kvm.yml
deleted file mode 100644
index 322ff20..0000000
--- a/inventories/production/libvirt_kvm.yml
+++ /dev/null
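Review bot: Three values in the deleted production example are not placeholders: in the "Git/Repository Credentials" and "Email Configuration" sections, `vault_gitea_password`, `vault_mailcow_password` and `vault_smtp_password` all carry `79,;,metOND` for `ansible@mymx.me`, while every other entry in the file is a `CHANGEME_*` stub, so this looks like a real credential that was committed into an `.example` file. Deleting the file does not address that: the value remains in this repository's history and in every existing clone, so the Gitea, Mailcow and SMTP passwords for that account should be rotated and the blob purged from history (e.g. `git filter-repo --replace-text`) before the main repository is treated as secret-free. Going forward, keep `.example` files to literal placeholders and gate commits with a secret scanner such as gitleaks or detect-secrets so a live value cannot land again. The same value also appears in the staging example deleted further down, so the rotation has to cover both environments.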
@@ -1,42 +0,0 @@ ---- -# ============================================================================= -# Production Environment - Libvirt/KVM Dynamic Inventory -# ============================================================================= -# -# This inventory uses the custom libvirt_kvm.py plugin to dynamically discover -# running VMs on production KVM hypervisors. -# -# Usage: -# ansible-inventory -i inventories/production/libvirt_kvm.yml --list -# ansible all -i inventories/production/libvirt_kvm.yml -m ping -# -# ============================================================================= - -plugin: libvirt_kvm -uri: qemu+ssh://ansible@hypervisor-prod.example.com/system - -# Connection settings -connection_timeout: 30 -ssh_proxy_jump: null # Set to bastion host if needed - -# Filtering -states: - - running - -# Grouping -keyed_groups: - - key: tags.environment - prefix: env - - key: tags.role - prefix: role - - key: tags.service - prefix: service - -# Compose variables -compose: - ansible_host: "{{ ansible_host | default(ip_address) }}" - environment: production - -# Host filters (only include VMs with production tag) -# filters: -# - tags.environment == 'production' diff --git a/inventories/production/netbox.yml.example b/inventories/production/netbox.yml.example deleted file mode 100644 index aea174d..0000000 --- a/inventories/production/netbox.yml.example +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -# ============================================================================= -# Production Environment - NetBox CMDB Dynamic Inventory (EXAMPLE) -# ============================================================================= -# -# This is an example configuration for NetBox dynamic inventory. -# Rename to netbox.yml and configure with your NetBox instance details. -# -# Requirements: -# ansible-galaxy collection install netbox.netbox -# -# Usage: -# ansible-inventory -i inventories/production/netbox.yml --list -# -# ============================================================================= - -plugin: netbox.netbox.nb_inventory - -# NetBox API Configuration -api_endpoint: https://netbox.example.com -token: "{{ lookup('env', 'NETBOX_TOKEN') }}" # Use environment variable -# OR use vault: -# token: "{{ vault_netbox_api_token }}" - -# Validate SSL certificate -validate_certs: true - -# Device filters -config_context: false -group_by: - - device_roles - - sites - - platforms - - tags - -# Query filters -query_filters: - - site: production - - status: active - -# Group prefix -group_names_raw: false - -# Compose host variables -compose: - ansible_host: primary_ip4 - environment: production - netbox_site: site.name - netbox_role: device_role.name - -# Keyed groups -keyed_groups: - - key: device_role.name - prefix: role - - key: site.name - prefix: site - - key: platform.name - prefix: platform - -# Virtual machines -virtual_machines: true - -# Interfaces -interfaces: true diff --git a/inventories/staging/README.md b/inventories/staging/README.md deleted file mode 100644 index af86ca3..0000000 --- a/inventories/staging/README.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Staging Inventory - -This directory contains dynamic inventory configurations for the staging environment. - -## Available Inventory Sources - -### 1. Libvirt/KVM Dynamic Inventory (Active) - -**File**: `libvirt_kvm.yml` - -Uses custom libvirt plugin to discover VMs on staging hypervisors. - -```bash -# List all staging hosts -ansible-inventory -i inventories/staging/libvirt_kvm.yml --list - -# Test connectivity -ansible all -i inventories/staging/libvirt_kvm.yml -m ping -``` - -## Configuration - -### Group Variables - -Add staging-specific variables in: -- `group_vars/all.yml` - Global staging settings -- `group_vars/all/vault.yml` - Encrypted secrets - -### Host Variables - -Add host-specific variables in: -- `host_vars/.yml` - -## Usage Examples - -```bash -# Run against all staging hosts -ansible-playbook -i inventories/staging site.yml - -# Run against specific group -ansible-playbook -i inventories/staging site.yml --limit webservers - -# Test changes before production -ansible-playbook -i inventories/staging site.yml --tags security -``` - -## Validation - -```bash -# Validate inventory syntax -ansible-inventory -i inventories/staging --list - -# Check specific host -ansible-inventory -i inventories/staging --host hostname - -# Graph inventory structure -ansible-inventory -i inventories/staging --graph -``` diff --git a/inventories/staging/group_vars/all.yml b/inventories/staging/group_vars/all.yml deleted file mode 100644 index 1d6d397..0000000 --- a/inventories/staging/group_vars/all.yml +++ /dev/null 
@@ -1,164 +0,0 @@ ---- -# ============================================================================= -# Staging Environment - Global Variables -# ============================================================================= - -# Environment designation -environment: staging - -# Ansible connection settings -ansible_user: ansible -ansible_become: true -ansible_become_method: sudo - -# SSH connection settings -ansible_ssh_pipelining: true -ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new' - -# ============================================================================= -# Network Configuration -# ============================================================================= - -# NTP servers for time synchronization -ntp_servers: - - 0.pool.ntp.org - - 1.pool.ntp.org - -# DNS servers -dns_servers: - - 8.8.8.8 - - 8.8.4.4 - -# DNS search domains -dns_search_domains: - - staging.local - -# ============================================================================= -# Security Configuration -# ============================================================================= - -# Automatic security updates -security_auto_updates: true -security_auto_reboot: false # Can be true for staging -security_update_schedule: "daily" - -# Firewall settings -firewall_enabled: true -firewall_default_policy: deny - -# SELinux/AppArmor enforcement -selinux_state: enforcing -apparmor_enabled: true - -# SSH hardening -ssh_permit_root_login: no -ssh_password_authentication: no -ssh_gssapi_authentication: no -ssh_max_auth_tries: 5 -ssh_client_alive_interval: 300 - -# Audit logging -auditd_enabled: true -auditd_log_retention_days: 90 - -# ============================================================================= -# Logging and Monitoring -# ============================================================================= - -# Log retention (shorter for staging) -log_retention_days: 90 -log_compression_enabled: true - -# Syslog configuration -syslog_remote_server: null 
-syslog_remote_port: 514 - -# Monitoring -monitoring_enabled: true -monitoring_agent: null - -# ============================================================================= -# Backup Configuration -# ============================================================================= - -backup_enabled: true -backup_schedule: "0 3 * * *" # Daily at 3 AM -backup_retention_days: 14 -backup_destination: /var/backups - -# ============================================================================= -# Package Management -# ============================================================================= - -# Essential packages (CLAUDE.md compliance) -essential_packages: - - vim - - htop - - tmux - - jq - - bc - - curl - - wget - - rsync - - git - - python3 - - python3-pip - -# Security packages -security_packages: - - aide - - auditd - - chrony - -# Additional tools -additional_packages: - - net-tools - - traceroute - - tcpdump - - strace - - lsof - -# ============================================================================= -# Performance Tuning -# ============================================================================= - -# System limits -system_max_open_files: 32768 -system_max_processes: 2048 - -# Kernel parameters (sysctl) -kernel_parameters: - net.ipv4.tcp_syncookies: 1 - net.ipv4.conf.all.rp_filter: 1 - net.ipv4.icmp_echo_ignore_broadcasts: 1 - -# ============================================================================= -# Application Configuration -# ============================================================================= - -# Default application user -app_user: appuser -app_group: appgroup - -# Application directories -app_base_dir: /opt/apps -app_data_dir: /var/lib/apps -app_log_dir: /var/log/apps - -# ============================================================================= -# Compliance and Standards -# ============================================================================= - -# Compliance frameworks -compliance_frameworks: - - CIS - -# 
Configuration management -config_management_tool: ansible -config_management_version: "{{ ansible_version.full }}" - -# ============================================================================= -# Custom Variables -# ============================================================================= - -# Add staging-specific custom variables here diff --git a/inventories/staging/group_vars/all/vault.yml.example b/inventories/staging/group_vars/all/vault.yml.example deleted file mode 100644 index a6d9b71..0000000 --- a/inventories/staging/group_vars/all/vault.yml.example +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -# ============================================================================= -# Staging Environment - Encrypted Secrets (EXAMPLE) -# ============================================================================= -# -# This is an EXAMPLE vault file. To use: -# -# 1. Copy this file to vault.yml: -# cp vault.yml.example vault.yml -# -# 2. Fill in actual values (replace CHANGEME placeholders) -# -# 3. Encrypt with ansible-vault: -# ansible-vault encrypt inventories/staging/group_vars/all/vault.yml -# -# ============================================================================= - -# ----------------------------------------------------------------------------- -# User Credentials -# ----------------------------------------------------------------------------- - -vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com" -vault_root_password: "CHANGEME_STAGING_ROOT_PASSWORD" -vault_ansible_become_password: "CHANGEME_STAGING_SUDO_PASSWORD" - -# ----------------------------------------------------------------------------- -# API Tokens and Keys -# ----------------------------------------------------------------------------- - -vault_aws_access_key_id: "CHANGEME_AWS_STAGING_ACCESS_KEY" -vault_aws_secret_access_key: "CHANGEME_AWS_STAGING_SECRET_KEY" - -vault_netbox_api_token: "CHANGEME_NETBOX_STAGING_TOKEN" - -vault_gitea_username: "ansible@mymx.me" -vault_gitea_password: "79,;,metOND" - -vault_mailcow_username: "ansible@mymx.me" -vault_mailcow_password: "79,;,metOND" - -# ----------------------------------------------------------------------------- -# Database Credentials (Staging - weaker passwords OK) -# ----------------------------------------------------------------------------- - -vault_mysql_root_password: "CHANGEME_STAGING_MYSQL" -vault_postgresql_postgres_password: "CHANGEME_STAGING_PG" -vault_mongodb_admin_password: "CHANGEME_STAGING_MONGO" -vault_redis_password: "CHANGEME_STAGING_REDIS" - -# 
----------------------------------------------------------------------------- -# Application Secrets (Staging) -# ----------------------------------------------------------------------------- - -vault_app_secret_key: "CHANGEME_STAGING_APP_SECRET" -vault_app_api_key: "CHANGEME_STAGING_API_KEY" - -# ----------------------------------------------------------------------------- -# Monitoring and Logging -# ----------------------------------------------------------------------------- - -vault_grafana_admin_password: "CHANGEME_STAGING_GRAFANA" -vault_elasticsearch_password: "CHANGEME_STAGING_ELASTIC" diff --git a/inventories/staging/libvirt_kvm.yml b/inventories/staging/libvirt_kvm.yml deleted file mode 100644 index fbc630f..0000000 --- a/inventories/staging/libvirt_kvm.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -# ============================================================================= -# Staging Environment - Libvirt/KVM Dynamic Inventory -# ============================================================================= -# -# This inventory uses the custom libvirt_kvm.py plugin to dynamically discover -# running VMs on staging KVM hypervisors. -# -# Usage: -# ansible-inventory -i inventories/staging/libvirt_kvm.yml --list -# ansible all -i inventories/staging/libvirt_kvm.yml -m ping -# -# ============================================================================= - -plugin: libvirt_kvm -uri: qemu+ssh://ansible@hypervisor-staging.example.com/system - -# Connection settings -connection_timeout: 30 -ssh_proxy_jump: null # Set to bastion host if needed - -# Filtering -states: - - running - -# Grouping -keyed_groups: - - key: tags.environment - prefix: env - - key: tags.role - prefix: role - - key: tags.service - prefix: service - -# Compose variables -compose: - ansible_host: "{{ ansible_host | default(ip_address) }}" - environment: staging - -# Host filters (only include VMs with staging tag) -# filters: -# - tags.environment == 'staging' 
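Review bot: The deleted staging example carries the same `79,;,metOND` credential for `ansible@mymx.me` under `vault_gitea_password` and `vault_mailcow_password` as the production example, so staging and production share a service account and one rotation plus a history scrub must cover both. The section comment `# Database Credentials (Staging - weaker passwords OK)` is guidance that should not be carried forward if these templates are recreated in the inventories submodule: a staging host that shares accounts with production is a production foothold, and weak staging secrets are what make that cheap. If the template is recreated, replace that comment with `# Database Credentials (unique generated values per environment; never reuse production or shared accounts)` and keep every value a literal `CHANGEME_*` placeholder.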
diff --git a/secrets b/secrets
index c2241e0..8def011 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit c2241e0e7da2730c516c7451aebd4d43a6c69a37
+Subproject commit 8def01166734af391c66937816d5b6d12171be8c