diff --git a/inventories/development/group_vars/all/vault.yml.example b/inventories/development/group_vars/all/vault.yml.example
new file mode 100644
index 0000000..9e10190
--- /dev/null
+++ b/inventories/development/group_vars/all/vault.yml.example
@@ -0,0 +1,55 @@
+---
+# =============================================================================
+# Development Environment - Encrypted Secrets (EXAMPLE)
+# =============================================================================
+#
+# This is an EXAMPLE vault file. To use:
+#
+# 1. Copy this file to vault.yml:
+# cp vault.yml.example vault.yml
+#
+# 2. Fill in actual values (can use simple passwords for dev)
+#
+# 3. Encrypt with ansible-vault:
+# ansible-vault encrypt inventories/development/group_vars/all/vault.yml
+#
+# NOTE: Development environment can use simpler credentials
+#
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# User Credentials
+# -----------------------------------------------------------------------------
+
+vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"
+vault_root_password: "dev_root_password"
+vault_ansible_become_password: "dev_sudo_password"
+
+# -----------------------------------------------------------------------------
+# API Tokens (Development)
+# -----------------------------------------------------------------------------
+
+vault_aws_access_key_id: "dev_aws_access_key"
+vault_aws_secret_access_key: "dev_aws_secret_key"
+
+vault_gitea_username: "ansible@mymx.me"
+vault_gitea_password: "79,;,metOND"
+
+vault_mailcow_username: "ansible@mymx.me"
+vault_mailcow_password: "79,;,metOND"
+
+# -----------------------------------------------------------------------------
+# Database Credentials (Development)
+# -----------------------------------------------------------------------------
+
+vault_mysql_root_password: "dev_mysql_root"
+vault_postgresql_postgres_password: "dev_postgres"
+vault_mongodb_admin_password: "dev_mongo"
+vault_redis_password: "dev_redis"
+
+# -----------------------------------------------------------------------------
+# Application Secrets (Development)
+# -----------------------------------------------------------------------------
+
+vault_app_secret_key: "dev_app_secret_key_changeme"
+vault_app_api_key: "dev_api_key"
diff --git a/inventories/production/README.md b/inventories/production/README.md
new file mode 100644
index 0000000..2c84848
--- /dev/null
+++ b/inventories/production/README.md
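Review bot: `vault_gitea_username` / `vault_gitea_password` and `vault_mailcow_username` / `vault_mailcow_password` in this example file hold a concrete username and password for what looks like a real account rather than a placeholder, and the identical pair is repeated in the production vault example (there also as `vault_smtp_*`) and the staging vault example in this diff. These `.example` files are by design unencrypted, so the credential now lives in plaintext in git history, which contradicts the "Never commit plaintext credentials" rule in the production README added by the same commit. Replace the values with placeholders in all three files, e.g. `vault_gitea_password: "CHANGEME_GITEA_PASSWORD"` and `vault_mailcow_password: "CHANGEME_MAILCOW_PASSWORD"`, and treat the existing credential as exposed and rotate it on both services, since rewriting the file does not remove it from history.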
@@ -0,0 +1,97 @@
+# Production Inventory
+
+This directory contains dynamic inventory configurations for the production environment.
+
+## Available Inventory Sources
+
+### 1. Libvirt/KVM Dynamic Inventory (Active)
+
+**File**: `libvirt_kvm.yml`
+
+Uses custom libvirt plugin to discover VMs on production hypervisors.
+
+```bash
+# List all production hosts
+ansible-inventory -i inventories/production/libvirt_kvm.yml --list
+
+# Test connectivity
+ansible all -i inventories/production/libvirt_kvm.yml -m ping
+```
+
+### 2. NetBox CMDB (Example Configuration)
+
+**File**: `netbox.yml.example`
+
+For NetBox-based infrastructure management:
+
+1. Rename `netbox.yml.example` to `netbox.yml`
+2. Configure NetBox API endpoint and token
+3. Install required collection:
+ ```bash
+ ansible-galaxy collection install netbox.netbox
+ ```
+
+### 3. AWS EC2 (Example Configuration)
+
+**File**: `aws_ec2.yml.example`
+
+For AWS cloud infrastructure:
+
+1. Rename `aws_ec2.yml.example` to `aws_ec2.yml`
+2. Configure AWS regions and filters
+3. Install required collection:
+ ```bash
+ ansible-galaxy collection install amazon.aws
+ pip3 install boto3 botocore
+ ```
+
+## Configuration
+
+### Group Variables
+
+Add production-specific variables in:
+- `group_vars/all.yml` - Global production settings
+- `group_vars/all/vault.yml` - Encrypted secrets
+- `group_vars/webservers.yml` - Web server group settings
+- `group_vars/databases.yml` - Database group settings
+
+### Host Variables
+
+Add host-specific variables in:
+- `host_vars/.yml`
+
+## Security
+
+- All secrets must be encrypted using Ansible Vault
+- Never commit plaintext credentials
+- Use environment variables or external secret managers when possible
+- Rotate credentials every 90 days
+
+## Usage Examples
+
+```bash
+# Run against all production hosts
+ansible-playbook -i inventories/production site.yml
+
+# Run against specific group
+ansible-playbook -i inventories/production site.yml --limit webservers
+
+# Check mode (dry-run)
+ansible-playbook -i inventories/production site.yml --check
+
+# With specific tags
+ansible-playbook -i inventories/production site.yml --tags security
+```
+
+## Validation
+
+```bash
+# Validate inventory syntax
+ansible-inventory -i inventories/production --list
+
+# Check specific host
+ansible-inventory -i inventories/production --host hostname
+
+# Graph inventory structure
+ansible-inventory -i inventories/production --graph
+```
diff --git a/inventories/production/aws_ec2.yml.example b/inventories/production/aws_ec2.yml.example
new file mode 100644
index 0000000..b6ac050
--- /dev/null
+++ b/inventories/production/aws_ec2.yml.example
@@ -0,0 +1,93 @@
+---
+# =============================================================================
+# Production Environment - AWS EC2 Dynamic Inventory (EXAMPLE)
+# =============================================================================
+#
+# This is an example configuration for AWS EC2 dynamic inventory.
+# Rename to aws_ec2.yml and configure with your AWS details.
+#
+# Requirements:
+# ansible-galaxy collection install amazon.aws
+# pip3 install boto3 botocore
+#
+# Authentication:
+# - AWS credentials via ~/.aws/credentials
+# - IAM role (recommended for EC2 control nodes)
+# - Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#
+# Usage:
+# ansible-inventory -i inventories/production/aws_ec2.yml --list
+#
+# =============================================================================
+
+plugin: amazon.aws.aws_ec2
+
+# AWS Regions to query
+regions:
+ - us-east-1
+ - us-west-2
+ # - eu-west-1
+ # - ap-southeast-1
+
+# Instance filters
+filters:
+ tag:Environment: production
+ instance-state-name: running
+
+# Use private IP for internal networks, public for external
+hostnames:
+ - tag:Name
+ - dns-name
+ - private-ip-address
+
+# Compose variables
+compose:
+ ansible_host: private_ip_address
+ # For public access:
+ # ansible_host: public_ip_address
+
+ environment: production
+ aws_region: placement.region
+ aws_az: placement.availability_zone
+ instance_type: instance_type
+ vpc_id: vpc_id
+
+# Keyed groups
+keyed_groups:
+ # Group by tag:Role
+ - key: tags.Role
+ prefix: role
+ separator: "_"
+
+ # Group by tag:Service
+ - key: tags.Service
+ prefix: service
+ separator: "_"
+
+ # Group by instance type
+ - key: instance_type
+ prefix: instance_type
+
+ # Group by availability zone
+ - key: placement.availability_zone
+ prefix: az
+
+ # Group by VPC
+ - key: vpc_id
+ prefix: vpc
+
+# Strict mode (fail if groups can't be created)
+strict: false
+
+# Cache settings
+cache: true
+cache_plugin: jsonfile
+cache_timeout: 3600
+cache_connection: /tmp/ansible_aws_inventory_cache
+cache_prefix: aws_ec2
+
+# Include/exclude patterns
+# include_filters:
+# - tag:Managed: ansible
+# exclude_filters:
+# - tag:Backup: only
diff --git a/inventories/production/group_vars/all.yml b/inventories/production/group_vars/all.yml
new file mode 100644
index 0000000..d283152
--- /dev/null
+++ b/inventories/production/group_vars/all.yml
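Review bot: `environment: production` under `compose:` defines a host variable named `environment`, which is a reserved Ansible keyword (the play/task `environment:` directive), so Ansible warns about it and the name can be shadowed wherever the directive is in effect. The same name is used as a top-level variable in both `group_vars/all.yml` files and inside `compose:` in the libvirt_kvm and netbox inventories in this diff; renaming it consistently, e.g. `deploy_environment: production`, avoids the collision (the `tag:Environment` entry under `filters:` is an EC2 tag name and stays as is). Separately, `cache_connection: /tmp/ansible_aws_inventory_cache` writes the cached host list and composed variables under the shared `/tmp`; on a multi-user control node a per-user directory with restricted permissions is the safer default, and the header comment should say what the cache contains.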
@@ -0,0 +1,176 @@
+---
+# =============================================================================
+# Production Environment - Global Variables
+# =============================================================================
+
+# Environment designation
+environment: production
+
+# Ansible connection settings
+ansible_user: ansible
+ansible_become: true
+ansible_become_method: sudo
+
+# SSH connection settings
+ansible_ssh_pipelining: true
+ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'
+
+# =============================================================================
+# Network Configuration
+# =============================================================================
+
+# NTP servers for time synchronization
+ntp_servers:
+ - 0.pool.ntp.org
+ - 1.pool.ntp.org
+ - 2.pool.ntp.org
+ - 3.pool.ntp.org
+
+# DNS servers
+dns_servers:
+ - 8.8.8.8
+ - 8.8.4.4
+ - 1.1.1.1
+
+# DNS search domains
+dns_search_domains:
+ - example.com
+ - production.local
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+
+# Automatic security updates
+security_auto_updates: true
+security_auto_reboot: false
+security_update_schedule: "daily"
+
+# Firewall settings
+firewall_enabled: true
+firewall_default_policy: deny
+
+# SELinux/AppArmor enforcement
+selinux_state: enforcing
+apparmor_enabled: true
+
+# SSH hardening
+ssh_permit_root_login: no
+ssh_password_authentication: no
+ssh_gssapi_authentication: no
+ssh_max_auth_tries: 3
+ssh_client_alive_interval: 300
+
+# Audit logging
+auditd_enabled: true
+auditd_log_retention_days: 365
+
+# =============================================================================
+# Logging and Monitoring
+# =============================================================================
+
+# Log retention
+log_retention_days: 365
+log_compression_enabled: true
+
+# Syslog configuration
+syslog_remote_server: null # Set to remote syslog server if available
+syslog_remote_port: 514
+
+# Monitoring
+monitoring_enabled: true
+monitoring_agent: null # Set to 'prometheus', 'zabbix', 'datadog', etc.
+
+# =============================================================================
+# Backup Configuration
+# =============================================================================
+
+backup_enabled: true
+backup_schedule: "0 2 * * *" # Daily at 2 AM
+backup_retention_days: 30
+backup_destination: /var/backups
+
+# =============================================================================
+# Package Management
+# =============================================================================
+
+# Essential packages (CLAUDE.md compliance)
+essential_packages:
+ - vim
+ - htop
+ - tmux
+ - jq
+ - bc
+ - curl
+ - wget
+ - rsync
+ - git
+ - python3
+ - python3-pip
+
+# Security packages
+security_packages:
+ - aide
+ - auditd
+ - chrony
+
+# Additional tools
+additional_packages:
+ - net-tools
+ - bind-utils # RHEL
+ # - dnsutils # Debian (uncomment based on OS)
+ - traceroute
+ - tcpdump
+ - strace
+ - lsof
+
+# =============================================================================
+# Performance Tuning
+# =============================================================================
+
+# System limits
+system_max_open_files: 65535
+system_max_processes: 4096
+
+# Kernel parameters (sysctl)
+kernel_parameters:
+ net.ipv4.tcp_syncookies: 1
+ net.ipv4.conf.all.rp_filter: 1
+ net.ipv4.conf.default.rp_filter: 1
+ net.ipv4.icmp_echo_ignore_broadcasts: 1
+ net.ipv4.conf.all.accept_source_route: 0
+ net.ipv6.conf.all.accept_source_route: 0
+ net.ipv4.conf.all.send_redirects: 0
+ net.ipv4.conf.default.send_redirects: 0
+
+# =============================================================================
+# Application Configuration
+# =============================================================================
+
+# Default application user
+app_user: appuser
+app_group: appgroup
+
+# Application directories
+app_base_dir: /opt/apps
+app_data_dir: /var/lib/apps
+app_log_dir: /var/log/apps
+
+# =============================================================================
+# Compliance and Standards
+# =============================================================================
+
+# Compliance frameworks
+compliance_frameworks:
+ - CIS
+ - NIST
+
+# Configuration management
+config_management_tool: ansible
+config_management_version: "{{ ansible_version.full }}"
+
+# =============================================================================
+# Custom Variables
+# =============================================================================
+
+# Add production-specific custom variables here
diff --git a/inventories/production/group_vars/all/vault.yml.example b/inventories/production/group_vars/all/vault.yml.example
new file mode 100644
index 0000000..bcdd5dc
--- /dev/null
+++ b/inventories/production/group_vars/all/vault.yml.example
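Review bot: `ssh_permit_root_login: no`, `ssh_password_authentication: no` and `ssh_gssapi_authentication: no` use the YAML 1.1 boolean `no`; Ansible's loader reads it as `false`, but yamllint's `truthy` rule flags it and a YAML 1.2 parser yields the string `"no"`, so write `ssh_permit_root_login: false` (and the same for the other two). The staging `group_vars/all.yml` in this diff has the same three keys with the same value. `ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'` trusts whichever host key is presented on first contact, which is a deliberate trade-off worth documenting for a production inventory, e.g. `# accept-new trusts first-contact host keys; pre-seed known_hosts for production hosts where possible`.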
@@ -0,0 +1,160 @@
+---
+# =============================================================================
+# Production Environment - Encrypted Secrets (EXAMPLE)
+# =============================================================================
+#
+# This is an EXAMPLE vault file. To use:
+#
+# 1. Copy this file to vault.yml:
+# cp vault.yml.example vault.yml
+#
+# 2. Fill in actual values (replace CHANGEME placeholders)
+#
+# 3. Encrypt with ansible-vault:
+# ansible-vault encrypt inventories/production/group_vars/all/vault.yml
+#
+# 4. Edit encrypted vault:
+# ansible-vault edit inventories/production/group_vars/all/vault.yml
+#
+# 5. Use in playbooks with --ask-vault-pass or --vault-password-file
+#
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# User Credentials
+# -----------------------------------------------------------------------------
+
+# Ansible service account SSH key
+vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"
+
+# Root password for console access (if needed)
+vault_root_password: "CHANGEME_STRONG_PASSWORD"
+
+# Ansible user sudo password (if passwordless sudo not configured)
+vault_ansible_become_password: "CHANGEME_SUDO_PASSWORD"
+
+# -----------------------------------------------------------------------------
+# API Tokens and Keys
+# -----------------------------------------------------------------------------
+
+# Cloud Provider API Tokens
+vault_aws_access_key_id: "CHANGEME_AWS_ACCESS_KEY"
+vault_aws_secret_access_key: "CHANGEME_AWS_SECRET_KEY"
+
+vault_azure_subscription_id: "CHANGEME_AZURE_SUBSCRIPTION"
+vault_azure_client_id: "CHANGEME_AZURE_CLIENT_ID"
+vault_azure_secret: "CHANGEME_AZURE_SECRET"
+vault_azure_tenant: "CHANGEME_AZURE_TENANT"
+
+vault_gcp_service_account_key: "CHANGEME_GCP_JSON_KEY"
+
+vault_digitalocean_token: "CHANGEME_DO_TOKEN"
+
+# CMDB API Tokens
+vault_netbox_api_token: "CHANGEME_NETBOX_TOKEN"
+vault_servicenow_api_token: "CHANGEME_SERVICENOW_TOKEN"
+
+# Git/Repository Credentials
+vault_gitea_username: "ansible@mymx.me"
+vault_gitea_password: "79,;,metOND"
+vault_gitea_api_token: "CHANGEME_GITEA_TOKEN"
+
+# Email Configuration
+vault_mailcow_username: "ansible@mymx.me"
+vault_mailcow_password: "79,;,metOND"
+vault_smtp_username: "ansible@mymx.me"
+vault_smtp_password: "79,;,metOND"
+
+# -----------------------------------------------------------------------------
+# Database Credentials
+# -----------------------------------------------------------------------------
+
+vault_mysql_root_password: "CHANGEME_MYSQL_ROOT"
+vault_mysql_replication_password: "CHANGEME_MYSQL_REPL"
+
+vault_postgresql_postgres_password: "CHANGEME_PG_POSTGRES"
+vault_postgresql_replication_password: "CHANGEME_PG_REPL"
+
+vault_mongodb_admin_password: "CHANGEME_MONGO_ADMIN"
+vault_redis_password: "CHANGEME_REDIS_PASSWORD"
+
+# -----------------------------------------------------------------------------
+# Application Secrets
+# -----------------------------------------------------------------------------
+
+vault_app_secret_key: "CHANGEME_APP_SECRET_32_CHARS_MIN"
+vault_app_api_key: "CHANGEME_APP_API_KEY"
+vault_app_jwt_secret: "CHANGEME_JWT_SECRET"
+
+# -----------------------------------------------------------------------------
+# SSL/TLS Certificates
+# -----------------------------------------------------------------------------
+
+# Private key for SSL certificates (PEM format)
+vault_ssl_private_key: |
+ -----BEGIN PRIVATE KEY-----
+ CHANGEME_SSL_PRIVATE_KEY_CONTENT
+ -----END PRIVATE KEY-----
+
+# SSL certificate chain
+vault_ssl_certificate: |
+ -----BEGIN CERTIFICATE-----
+ CHANGEME_SSL_CERTIFICATE_CONTENT
+ -----END CERTIFICATE-----
+
+# Certificate authority certificate
+vault_ssl_ca_certificate: |
+ -----BEGIN CERTIFICATE-----
+ CHANGEME_CA_CERTIFICATE_CONTENT
+ -----END CERTIFICATE-----
+
+# -----------------------------------------------------------------------------
+# Monitoring and Logging
+# -----------------------------------------------------------------------------
+
+vault_grafana_admin_password: "CHANGEME_GRAFANA_ADMIN"
+vault_prometheus_auth_token: "CHANGEME_PROMETHEUS_TOKEN"
+vault_zabbix_api_token: "CHANGEME_ZABBIX_TOKEN"
+vault_elasticsearch_password: "CHANGEME_ELASTIC_PASSWORD"
+vault_kibana_encryption_key: "CHANGEME_KIBANA_32_CHAR_KEY"
+
+# -----------------------------------------------------------------------------
+# Backup and Recovery
+# -----------------------------------------------------------------------------
+
+vault_backup_encryption_key: "CHANGEME_BACKUP_ENCRYPTION_KEY"
+vault_s3_backup_access_key: "CHANGEME_S3_BACKUP_ACCESS"
+vault_s3_backup_secret_key: "CHANGEME_S3_BACKUP_SECRET"
+
+# -----------------------------------------------------------------------------
+# External Services
+# -----------------------------------------------------------------------------
+
+vault_slack_webhook_url: "https://hooks.slack.com/services/CHANGEME"
+vault_pagerduty_api_key: "CHANGEME_PAGERDUTY_KEY"
+vault_datadog_api_key: "CHANGEME_DATADOG_KEY"
+vault_datadog_app_key: "CHANGEME_DATADOG_APP_KEY"
+
+# -----------------------------------------------------------------------------
+# Encryption Keys
+# -----------------------------------------------------------------------------
+
+vault_luks_passphrase: "CHANGEME_LUKS_PASSPHRASE"
+vault_gpg_passphrase: "CHANGEME_GPG_PASSPHRASE"
+
+# =============================================================================
+# Usage in Playbooks
+# =============================================================================
+#
+# Reference vault variables in your playbooks and roles:
+#
+# - name: Create user with vault password
+# user:
+# name: ansible
+# password: "{{ vault_ansible_user_password | password_hash('sha512') }}"
+#
+# - name: Configure database
+# mysql_db:
+# login_password: "{{ vault_mysql_root_password }}"
+#
+# =============================================================================
diff --git a/inventories/production/libvirt_kvm.yml b/inventories/production/libvirt_kvm.yml
new file mode 100644
index 0000000..322ff20
--- /dev/null
+++ b/inventories/production/libvirt_kvm.yml
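Review bot: The "Usage in Playbooks" example at the end references `vault_ansible_user_password`, which this file never defines; the User Credentials section only has `vault_root_password` and `vault_ansible_become_password`, so copying the example verbatim fails on an undefined variable. Either add `vault_ansible_user_password: "CHANGEME_ANSIBLE_USER_PASSWORD"` under User Credentials with a one-line comment on what it is for, or point the example at an existing key, e.g. `password: "{{ vault_ansible_become_password | password_hash('sha512') }}"`. The three PEM block scalars (`vault_ssl_private_key`, `vault_ssl_certificate`, `vault_ssl_ca_certificate`) use `|`, which keeps one trailing newline; that is what PEM consumers expect, and a short comment saying so would stop someone "fixing" it to `|-`.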
@@ -0,0 +1,42 @@
+---
+# =============================================================================
+# Production Environment - Libvirt/KVM Dynamic Inventory
+# =============================================================================
+#
+# This inventory uses the custom libvirt_kvm.py plugin to dynamically discover
+# running VMs on production KVM hypervisors.
+#
+# Usage:
+# ansible-inventory -i inventories/production/libvirt_kvm.yml --list
+# ansible all -i inventories/production/libvirt_kvm.yml -m ping
+#
+# =============================================================================
+
+plugin: libvirt_kvm
+uri: qemu+ssh://ansible@hypervisor-prod.example.com/system
+
+# Connection settings
+connection_timeout: 30
+ssh_proxy_jump: null # Set to bastion host if needed
+
+# Filtering
+states:
+ - running
+
+# Grouping
+keyed_groups:
+ - key: tags.environment
+ prefix: env
+ - key: tags.role
+ prefix: role
+ - key: tags.service
+ prefix: service
+
+# Compose variables
+compose:
+ ansible_host: "{{ ansible_host | default(ip_address) }}"
+ environment: production
+
+# Host filters (only include VMs with production tag)
+# filters:
+# - tags.environment == 'production'
diff --git a/inventories/production/netbox.yml.example b/inventories/production/netbox.yml.example
new file mode 100644
index 0000000..aea174d
--- /dev/null
+++ b/inventories/production/netbox.yml.example
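Review bot: With the `filters:` block left commented out, this inventory hands every running VM reachable through `uri` to any play run with `-i inventories/production`; the `tags.environment` keyed group only labels non-production VMs, it does not exclude them. If the production hypervisor is guaranteed to host only production VMs, say so in the comment above `# filters:`; otherwise enable the filter, `filters:` / `- tags.environment == 'production'`, so that a VM with the wrong tag (or no tag) cannot receive production changes. The staging `libvirt_kvm.yml` in this diff has the same commented-out filter. The custom `libvirt_kvm` plugin is not part of this diff, so the exact filter syntax it accepts should be checked against its source.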
@@ -0,0 +1,64 @@
+---
+# =============================================================================
+# Production Environment - NetBox CMDB Dynamic Inventory (EXAMPLE)
+# =============================================================================
+#
+# This is an example configuration for NetBox dynamic inventory.
+# Rename to netbox.yml and configure with your NetBox instance details.
+#
+# Requirements:
+# ansible-galaxy collection install netbox.netbox
+#
+# Usage:
+# ansible-inventory -i inventories/production/netbox.yml --list
+#
+# =============================================================================
+
+plugin: netbox.netbox.nb_inventory
+
+# NetBox API Configuration
+api_endpoint: https://netbox.example.com
+token: "{{ lookup('env', 'NETBOX_TOKEN') }}" # Use environment variable
+# OR use vault:
+# token: "{{ vault_netbox_api_token }}"
+
+# Validate SSL certificate
+validate_certs: true
+
+# Device filters
+config_context: false
+group_by:
+ - device_roles
+ - sites
+ - platforms
+ - tags
+
+# Query filters
+query_filters:
+ - site: production
+ - status: active
+
+# Group prefix
+group_names_raw: false
+
+# Compose host variables
+compose:
+ ansible_host: primary_ip4
+ environment: production
+ netbox_site: site.name
+ netbox_role: device_role.name
+
+# Keyed groups
+keyed_groups:
+ - key: device_role.name
+ prefix: role
+ - key: site.name
+ prefix: site
+ - key: platform.name
+ prefix: platform
+
+# Virtual machines
+virtual_machines: true
+
+# Interfaces
+interfaces: true
diff --git a/inventories/staging/README.md b/inventories/staging/README.md
new file mode 100644
index 0000000..af86ca3
--- /dev/null
+++ b/inventories/staging/README.md
@@ -0,0 +1,58 @@
+# Staging Inventory
+
+This directory contains dynamic inventory configurations for the staging environment.
+
+## Available Inventory Sources
+
+### 1. Libvirt/KVM Dynamic Inventory (Active)
+
+**File**: `libvirt_kvm.yml`
+
+Uses custom libvirt plugin to discover VMs on staging hypervisors.
+
+```bash
+# List all staging hosts
+ansible-inventory -i inventories/staging/libvirt_kvm.yml --list
+
+# Test connectivity
+ansible all -i inventories/staging/libvirt_kvm.yml -m ping
+```
+
+## Configuration
+
+### Group Variables
+
+Add staging-specific variables in:
+- `group_vars/all.yml` - Global staging settings
+- `group_vars/all/vault.yml` - Encrypted secrets
+
+### Host Variables
+
+Add host-specific variables in:
+- `host_vars/.yml`
+
+## Usage Examples
+
+```bash
+# Run against all staging hosts
+ansible-playbook -i inventories/staging site.yml
+
+# Run against specific group
+ansible-playbook -i inventories/staging site.yml --limit webservers
+
+# Test changes before production
+ansible-playbook -i inventories/staging site.yml --tags security
+```
+
+## Validation
+
+```bash
+# Validate inventory syntax
+ansible-inventory -i inventories/staging --list
+
+# Check specific host
+ansible-inventory -i inventories/staging --host hostname
+
+# Graph inventory structure
+ansible-inventory -i inventories/staging --graph
+```
diff --git a/inventories/staging/group_vars/all.yml b/inventories/staging/group_vars/all.yml
new file mode 100644
index 0000000..1d6d397
--- /dev/null
+++ b/inventories/staging/group_vars/all.yml
@@ -0,0 +1,164 @@
+---
+# =============================================================================
+# Staging Environment - Global Variables
+# =============================================================================
+
+# Environment designation
+environment: staging
+
+# Ansible connection settings
+ansible_user: ansible
+ansible_become: true
+ansible_become_method: sudo
+
+# SSH connection settings
+ansible_ssh_pipelining: true
+ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'
+
+# =============================================================================
+# Network Configuration
+# =============================================================================
+
+# NTP servers for time synchronization
+ntp_servers:
+ - 0.pool.ntp.org
+ - 1.pool.ntp.org
+
+# DNS servers
+dns_servers:
+ - 8.8.8.8
+ - 8.8.4.4
+
+# DNS search domains
+dns_search_domains:
+ - staging.local
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+
+# Automatic security updates
+security_auto_updates: true
+security_auto_reboot: false # Can be true for staging
+security_update_schedule: "daily"
+
+# Firewall settings
+firewall_enabled: true
+firewall_default_policy: deny
+
+# SELinux/AppArmor enforcement
+selinux_state: enforcing
+apparmor_enabled: true
+
+# SSH hardening
+ssh_permit_root_login: no
+ssh_password_authentication: no
+ssh_gssapi_authentication: no
+ssh_max_auth_tries: 5
+ssh_client_alive_interval: 300
+
+# Audit logging
+auditd_enabled: true
+auditd_log_retention_days: 90
+
+# =============================================================================
+# Logging and Monitoring
+# =============================================================================
+
+# Log retention (shorter for staging)
+log_retention_days: 90
+log_compression_enabled: true
+
+# Syslog configuration
+syslog_remote_server: null
+syslog_remote_port: 514
+
+# Monitoring
+monitoring_enabled: true
+monitoring_agent: null
+
+# =============================================================================
+# Backup Configuration
+# =============================================================================
+
+backup_enabled: true
+backup_schedule: "0 3 * * *" # Daily at 3 AM
+backup_retention_days: 14
+backup_destination: /var/backups
+
+# =============================================================================
+# Package Management
+# =============================================================================
+
+# Essential packages (CLAUDE.md compliance)
+essential_packages:
+ - vim
+ - htop
+ - tmux
+ - jq
+ - bc
+ - curl
+ - wget
+ - rsync
+ - git
+ - python3
+ - python3-pip
+
+# Security packages
+security_packages:
+ - aide
+ - auditd
+ - chrony
+
+# Additional tools
+additional_packages:
+ - net-tools
+ - traceroute
+ - tcpdump
+ - strace
+ - lsof
+
+# =============================================================================
+# Performance Tuning
+# =============================================================================
+
+# System limits
+system_max_open_files: 32768
+system_max_processes: 2048
+
+# Kernel parameters (sysctl)
+kernel_parameters:
+ net.ipv4.tcp_syncookies: 1
+ net.ipv4.conf.all.rp_filter: 1
+ net.ipv4.icmp_echo_ignore_broadcasts: 1
+
+# =============================================================================
+# Application Configuration
+# =============================================================================
+
+# Default application user
+app_user: appuser
+app_group: appgroup
+
+# Application directories
+app_base_dir: /opt/apps
+app_data_dir: /var/lib/apps
+app_log_dir: /var/log/apps
+
+# =============================================================================
+# Compliance and Standards
+# =============================================================================
+
+# Compliance frameworks
+compliance_frameworks:
+ - CIS
+
+# Configuration management
+config_management_tool: ansible
+config_management_version: "{{ ansible_version.full }}"
+
+# =============================================================================
+# Custom Variables
+# =============================================================================
+
+# Add staging-specific custom variables here
diff --git a/inventories/staging/group_vars/all/vault.yml.example b/inventories/staging/group_vars/all/vault.yml.example
new file mode 100644
index 0000000..a6d9b71
--- /dev/null
+++ b/inventories/staging/group_vars/all/vault.yml.example
@@ -0,0 +1,62 @@
+---
+# =============================================================================
+# Staging Environment - Encrypted Secrets (EXAMPLE)
+# =============================================================================
+#
+# This is an EXAMPLE vault file. To use:
+#
+# 1. Copy this file to vault.yml:
+# cp vault.yml.example vault.yml
+#
+# 2. Fill in actual values (replace CHANGEME placeholders)
+#
+# 3. Encrypt with ansible-vault:
+# ansible-vault encrypt inventories/staging/group_vars/all/vault.yml
+#
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# User Credentials
+# -----------------------------------------------------------------------------
+
+vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"
+vault_root_password: "CHANGEME_STAGING_ROOT_PASSWORD"
+vault_ansible_become_password: "CHANGEME_STAGING_SUDO_PASSWORD"
+
+# -----------------------------------------------------------------------------
+# API Tokens and Keys
+# -----------------------------------------------------------------------------
+
+vault_aws_access_key_id: "CHANGEME_AWS_STAGING_ACCESS_KEY"
+vault_aws_secret_access_key: "CHANGEME_AWS_STAGING_SECRET_KEY"
+
+vault_netbox_api_token: "CHANGEME_NETBOX_STAGING_TOKEN"
+
+vault_gitea_username: "ansible@mymx.me"
+vault_gitea_password: "79,;,metOND"
+
+vault_mailcow_username: "ansible@mymx.me"
+vault_mailcow_password: "79,;,metOND"
+
+# -----------------------------------------------------------------------------
+# Database Credentials (Staging - weaker passwords OK)
+# -----------------------------------------------------------------------------
+
+vault_mysql_root_password: "CHANGEME_STAGING_MYSQL"
+vault_postgresql_postgres_password: "CHANGEME_STAGING_PG"
+vault_mongodb_admin_password: "CHANGEME_STAGING_MONGO"
+vault_redis_password: "CHANGEME_STAGING_REDIS"
+
+# -----------------------------------------------------------------------------
+# Application Secrets (Staging)
+# -----------------------------------------------------------------------------
+
+vault_app_secret_key: "CHANGEME_STAGING_APP_SECRET"
+vault_app_api_key: "CHANGEME_STAGING_API_KEY"
+
+# -----------------------------------------------------------------------------
+# Monitoring and Logging
+# -----------------------------------------------------------------------------
+
+vault_grafana_admin_password: "CHANGEME_STAGING_GRAFANA"
+vault_elasticsearch_password: "CHANGEME_STAGING_ELASTIC"
diff --git a/inventories/staging/libvirt_kvm.yml b/inventories/staging/libvirt_kvm.yml
new file mode 100644
index 0000000..fbc630f
--- /dev/null
+++ b/inventories/staging/libvirt_kvm.yml
@@ -0,0 +1,42 @@
+---
+# =============================================================================
+# Staging Environment - Libvirt/KVM Dynamic Inventory
+# =============================================================================
+#
+# This inventory uses the custom libvirt_kvm.py plugin to dynamically discover
+# running VMs on staging KVM hypervisors.
+#
+# Usage:
+# ansible-inventory -i inventories/staging/libvirt_kvm.yml --list
+# ansible all -i inventories/staging/libvirt_kvm.yml -m ping
+#
+# =============================================================================
+
+plugin: libvirt_kvm
+uri: qemu+ssh://ansible@hypervisor-staging.example.com/system
+
+# Connection settings
+connection_timeout: 30
+ssh_proxy_jump: null # Set to bastion host if needed
+
+# Filtering
+states:
+ - running
+
+# Grouping
+keyed_groups:
+ - key: tags.environment
+ prefix: env
+ - key: tags.role
+ prefix: role
+ - key: tags.service
+ prefix: service
+
+# Compose variables
+compose:
+ ansible_host: "{{ ansible_host | default(ip_address) }}"
+ environment: staging
+
+# Host filters (only include VMs with staging tag)
+# filters:
+# - tags.environment == 'staging'