ansible/infra-automation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1198d8e4a39007caf7bcddc69c6887c8f6293f05
infra-automation/EXECUTION_PLAN.md
ansible 1198d8e4a3 Add comprehensive roadmap and execution plan 
- Add ROADMAP.md with short-term and long-term objectives
  - Phase 1-4: Short-term (12 weeks)
  - Phase 5-10: Long-term (2025-2026)
  - Success metrics and KPIs
  - Risk assessment and mitigation
  - Resource requirements

- Add EXECUTION_PLAN.md with detailed todo lists
  - Week-by-week breakdown of Phase 1-4
  - Actionable tasks with priorities and effort estimates
  - Acceptance criteria for each task
  - Issue tracking guidance
  - Progress reporting templates

- Update CLAUDE.md with correct login credentials
  - Use ansible@mymx.me as login for services

Roadmap covers:
- Foundation strengthening (inventories, CI/CD, testing)
- Core role development (common, security, monitoring)
- Secrets management (Ansible Vault, HashiCorp Vault)
- Application deployment (nginx, postgresql)
- Cloud infrastructure (AWS, Azure, GCP)
- Container orchestration (Docker, Kubernetes)
- Advanced features (backup, compliance, observability)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-10 23:49:42 +01:00

23 KiB
Raw Blame History

Execution Plan - Ansible Infrastructure Automation

This document provides detailed, actionable todo lists for executing the roadmap objectives defined in ROADMAP.md.

Created: 2025-11-10 Status: Active Tracking Method: GitHub Issues / Gitea Issues

How to Use This Document

  1. Each phase has detailed todo lists with actionable tasks
  2. Tasks are marked with priorities: 🔴 HIGH, 🟡 MEDIUM, 🟢 LOW
  3. Dependencies are clearly noted
  4. Estimated effort is provided (hours/days)
  5. Tasks can be converted to issues in Gitea for tracking

Phase 1: Foundation Strengthening (Weeks 1-4)

Week 1: Infrastructure Repository Organization

Task 1.1: Create Inventories Repository

Priority: 🔴 HIGH | Effort: 4 hours | Assignee: TBD

Todo List:

  • Create new repository ansible/inventories on Gitea via API
    • Use API: POST /api/v1/user/repos
    • Set as public repository
    • Add description: "Ansible dynamic and static inventory configurations"
  • Initialize repository with README.md
  • Create directory structure: 
    inventories/
├── README.md
├── production/
│   ├── README.md
│   ├── aws_ec2.yml
│   ├── azure_rm.yml
│   ├── libvirt_kvm.yml
│   └── group_vars/
├── staging/
│   └── [similar structure]
└── development/
    └── hosts.yml
  • Create .gitignore for inventory cache files
  • Document inventory structure in README.md
  • Add example inventory configurations for each type

Acceptance Criteria:

  • Repository created and accessible
  • All directories created with READMEs
  • Example configurations present
  • Documentation complete

Task 1.2: Configure Inventories as Submodule

Priority: 🔴 HIGH | Effort: 2 hours | Depends On: Task 1.1

Todo List:

  • Remove current inventories/ directory from main repo (if exists) 
    git rm -rf inventories/
  • Add inventories repository as git submodule 
    git submodule add ssh://git@git.mymx.me:2222/ansible/inventories.git inventories
  • Update .gitmodules file
  • Test submodule operations:
    • Clone with submodules
    • Update submodule
    • Push changes to submodule
  • Document submodule workflow in docs/inventory.md
  • Create cheatsheet for submodule operations
  • Update main README.md with submodule instructions

Acceptance Criteria:

  • Inventories configured as submodule
  • Submodule operations tested and working
  • Documentation updated

Task 1.3: Migrate Existing Inventories

Priority: 🟡 MEDIUM | Effort: 3 hours | Depends On: Task 1.2

Todo List:

  • Copy existing inventory files to inventories submodule
    • inventory-debian-vm.ini → inventories/development/
    • inventory-debian-vm-direct.ini → inventories/development/
  • Copy dynamic inventory plugins
    • plugins/inventory/libvirt_kvm.py → inventories/production/libvirt_kvm.yml (config)
    • plugins/inventory/ssh_config_inventory.py → keep in main repo (plugin)
  • Create inventory configuration for each environment
  • Test all inventory sources 
    ansible-inventory -i inventories/development/hosts.yml --list
ansible-inventory -i inventories/production/libvirt_kvm.yml --list
  • Update playbooks to reference new inventory locations
  • Commit and push changes to inventories submodule
  • Update CHANGELOG.md

Acceptance Criteria:

  • All inventories migrated successfully
  • No broken playbook references
  • All inventory sources tested and working

Week 2: CI/CD Pipeline Setup

Task 2.1: Configure Gitea Actions

Priority: 🔴 HIGH | Effort: 6 hours

Todo List:

  • Research Gitea Actions capabilities and requirements
  • Install Gitea Actions runner (if not available)
  • Create .gitea/workflows/ directory in main repository
  • Create workflow: lint.yml 
    name: Ansible Lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run ansible-lint
        uses: ansible/ansible-lint-action@main
  • Create workflow: syntax-check.yml
    • Run ansible-playbook --syntax-check on all playbooks
  • Create workflow: yaml-lint.yml
    • Run yamllint on all YAML files
  • Test workflows with sample commits
  • Configure branch protection for master/main
    • Require status checks to pass
    • Require pull request reviews
  • Document CI/CD setup in docs/ci-cd.md
  • Update CLAUDE.md with CI/CD requirements

Acceptance Criteria:

  • Gitea Actions configured and running
  • All workflows passing
  • Branch protection enabled
  • Documentation complete

Task 2.2: Setup Pre-commit Hooks

Priority: 🟡 MEDIUM | Effort: 3 hours | Depends On: Task 2.1

Todo List:

  • Install pre-commit framework 
    pip3 install pre-commit
  • Create .pre-commit-config.yaml in repository root 
    repos:
  - repo: https://github.com/ansible/ansible-lint
    rev: v6.20.0
    hooks:
      - id: ansible-lint
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.32.0
    hooks:
      - id: yamllint
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files
  • Test pre-commit hooks locally 
    pre-commit run --all-files
  • Install pre-commit hooks 
    pre-commit install
  • Document pre-commit setup in CONTRIBUTING.md
  • Add pre-commit installation to development setup docs
  • Create troubleshooting guide for common pre-commit issues

Acceptance Criteria:

  • Pre-commit hooks installed and working
  • All hooks passing on current codebase
  • Documentation complete

Week 3: Testing Framework Setup

Task 3.1: Install and Configure Molecule

Priority: 🔴 HIGH | Effort: 8 hours

Todo List:

  • Install Molecule and dependencies 
    pip3 install molecule molecule-plugins[docker] ansible-lint
  • Install Docker or Podman for test containers 
    # Debian/Ubuntu
apt-get install docker.io
# OR
apt-get install podman
  • Configure user for Docker/Podman access 
    usermod -aG docker $USER
  • Create Molecule scenario for deploy_linux_vm role 
    cd roles/deploy_linux_vm
molecule init scenario --driver-name docker
  • Configure molecule.yml for multi-platform testing
    • Debian 11
    • Debian 12
    • Ubuntu 22.04
    • Rocky Linux 9
  • Create converge.yml playbook for testing
  • Create verify.yml for test assertions
  • Run initial tests 
    molecule test
  • Document Molecule usage in docs/testing.md
  • Create testing cheatsheet
  • Add Molecule tests to CI/CD pipeline

Acceptance Criteria:

  • Molecule installed and configured
  • Tests running successfully
  • Multi-platform testing working
  • Documentation complete
  • CI/CD integration complete

Task 3.2: Create Test Coverage for Existing Role

Priority: 🔴 HIGH | Effort: 6 hours | Depends On: Task 3.1

Todo List:

  • Analyze deploy_linux_vm role for test scenarios
  • Create test cases for:
    • LVM configuration validation
    • Package installation verification
    • Service state checks
    • Security hardening validation
    • SSH configuration tests
    • Firewall rule verification
  • Implement verify.yml with testinfra or Ansible asserts
  • Add edge case testing:
    • Minimal resources scenario
    • Different OS distributions
    • Custom variable configurations
  • Achieve >80% test coverage
  • Document test scenarios in role README.md
  • Create test report generation
  • Add test metrics to CI/CD pipeline

Acceptance Criteria:

  • All critical paths tested

  • 80% test coverage achieved

  • Tests passing consistently
  • Documentation updated

Week 4: Testing Documentation & Optimization

Task 4.1: Create Comprehensive Testing Documentation

Priority: 🟡 MEDIUM | Effort: 4 hours

Todo List:

  • Create docs/testing.md with:
    • Testing philosophy and approach
    • Molecule usage guide
    • Writing test cases
    • Running tests locally
    • Debugging failed tests
    • CI/CD test integration
  • Create cheatsheets/testing.md with:
    • Common Molecule commands
    • Quick test scenarios
    • Troubleshooting tips
  • Add testing section to CLAUDE.md
  • Create video walkthrough (optional)
  • Update CONTRIBUTING.md with testing requirements

Acceptance Criteria:

  • Comprehensive testing documentation
  • Cheatsheet created
  • Guidelines updated

Phase 2: Core Role Development (Weeks 5-8)

Week 5: Common Role Development

Task 5.1: Create Common Base Role

Priority: 🔴 HIGH | Effort: 12 hours

Todo List:

  • Create role structure 
    ansible-galaxy init roles/common
  • Design role architecture:
    • defaults/main.yml - Default variables
    • vars/Debian.yml - Debian family specific vars
    • vars/RedHat.yml - RedHat family specific vars
    • tasks/main.yml - Main entry point
    • tasks/packages.yml - Package installation
    • tasks/users.yml - User management
    • tasks/ssh.yml - SSH hardening
    • tasks/time.yml - Time synchronization
    • tasks/logging.yml - System logging
    • templates/sshd_config.j2 - SSH config template
    • templates/chrony.conf.j2 - Chrony config template
    • handlers/main.yml - Service handlers
  • Implement package installation logic
    • Essential packages list (vim, htop, curl, wget, etc.)
    • OS-specific package handling
    • Package update mechanism
  • Implement user management
    • ansible user creation
    • authorized_keys management
    • sudo configuration (NOPASSWD)
    • User groups
  • Implement SSH hardening
    • Disable root login
    • Key-based authentication only
    • Configure SSH timeouts
    • Disable password authentication
    • Configure allowed users
  • Implement time synchronization
    • Install and configure chrony
    • Configure NTP servers
    • Timezone configuration
    • Verify time sync status
  • Implement logging configuration
    • Configure rsyslog
    • Log rotation settings
    • Remote syslog (optional)
    • journald configuration
  • Create comprehensive README.md
  • Add proper tagging (install, configure, users, ssh, time, logging)
  • Create Molecule tests
  • Test on multiple distributions
  • Document variables and examples

Acceptance Criteria:

  • Role complete and functional
  • Tests passing on Debian and RHEL families
  • Documentation complete
  • Code passes ansible-lint

Task 5.2: Create Common Role Documentation

Priority: 🟡 MEDIUM | Effort: 3 hours | Depends On: Task 5.1

Todo List:

  • Create detailed roles/common/README.md
    • Role purpose and features
    • Requirements
    • Variable documentation
    • Example playbooks
    • Dependencies
    • Compatibility matrix
  • Create docs/roles/common.md
    • Architecture overview
    • Design decisions
    • Security considerations
    • Best practices
  • Create cheatsheets/common-role.md
    • Quick usage examples
    • Common scenarios
    • Troubleshooting
  • Add role to main README.md
  • Update CHANGELOG.md

Acceptance Criteria:

  • Complete documentation
  • Examples tested and working
  • Cheatsheet created

Week 6: Security Hardening Role

Task 6.1: Create Security Hardening Role

Priority: 🔴 HIGH | Effort: 16 hours

Todo List:

  • Create role structure 
    ansible-galaxy init roles/security_hardening
  • Design role architecture with tasks:
    • tasks/main.yml - Orchestration
    • tasks/selinux.yml - SELinux configuration (RHEL)
    • tasks/apparmor.yml - AppArmor configuration (Debian)
    • tasks/firewall.yml - Firewall setup
    • tasks/fail2ban.yml - Fail2ban configuration
    • tasks/aide.yml - File integrity monitoring
    • tasks/auditd.yml - System auditing
    • tasks/kernel.yml - Kernel hardening (sysctl)
    • tasks/pam.yml - PAM configuration
    • tasks/passwords.yml - Password policies
    • tasks/network.yml - Network security
  • Implement SELinux enforcement (RHEL family)
    • Enable SELinux
    • Set to enforcing mode
    • Install setroubleshoot
    • Configure custom policies (if needed)
  • Implement AppArmor (Debian family)
    • Enable AppArmor
    • Install profiles
    • Enforce profiles
  • Implement firewall configuration
    • Install firewalld (RHEL) or ufw (Debian)
    • Configure default deny policy
    • Allow SSH
    • Allow custom ports (configurable)
    • Enable firewall service
  • Implement Fail2ban
    • Install fail2ban
    • Configure SSH jail
    • Configure ban time and retry limits
    • Email notifications (optional)
  • Implement AIDE
    • Install AIDE
    • Initialize database
    • Configure check schedules
    • Email reports
  • Implement auditd
    • Install auditd
    • Configure audit rules
    • Log rotation
    • Remote logging (optional)
  • Implement kernel hardening
    • Create sysctl security settings
    • Disable IPv6 (optional)
    • Enable ASLR
    • Configure IP forwarding
    • SYN flood protection
  • Implement PAM configuration
    • Password complexity
    • Account lockout
    • Login restrictions
  • Implement password policies
    • Password aging
    • Password history
    • Minimum password length
  • Implement network security
    • Disable unnecessary services
    • Configure TCP wrappers
    • Network parameter hardening
  • Create templates for all configs
  • Add CIS Benchmark compliance checks
  • Create Molecule tests for all features
  • Test on multiple distributions
  • Create comprehensive documentation

Acceptance Criteria:

  • Role implements CIS Benchmark controls
  • Tests passing on Debian and RHEL
  • No security vulnerabilities
  • Complete documentation

Week 7-8: Monitoring & Observability

Task 7.1: Create Prometheus Node Exporter Role

Priority: 🟡 MEDIUM | Effort: 8 hours

Todo List:

  • Create role structure 
    ansible-galaxy init roles/prometheus_node_exporter
  • Implement installation
    • Download node_exporter binary
    • Verify checksum
    • Install to /usr/local/bin
    • Create systemd service
  • Configure node_exporter
    • Set listen address
    • Configure collectors
    • TLS configuration (optional)
    • Basic auth (optional)
  • Implement firewall rules
    • Open port 9100
  • Create health check tasks
  • Add monitoring validation
  • Create Molecule tests
  • Document configuration
  • Create usage examples

Acceptance Criteria:

  • Role functional and tested
  • Metrics accessible
  • Documentation complete

Task 7.2: Create Monitoring Client Role

Priority: 🟡 MEDIUM | Effort: 6 hours

Todo List:

  • Create unified monitoring role 
    ansible-galaxy init roles/monitoring_client
  • Integrate with:
    • Prometheus node_exporter
    • Grafana agent (logs)
    • Optional: Custom exporters
  • Create role dependencies in meta/main.yml
  • Configure centralized logging
  • Configure metrics collection
  • Create monitoring playbook
  • Document monitoring architecture
  • Create monitoring dashboard examples

Acceptance Criteria:

  • Unified monitoring setup
  • All components integrated
  • Documentation complete

Phase 3: Secrets Management (Weeks 9-10)

Week 9: Ansible Vault Implementation

Task 9.1: Configure Ansible Vault

Priority: 🔴 HIGH | Effort: 6 hours

Todo List:

  • Create vault structure in secrets repository 
    secrets/
├── production/
│   ├── vault.yml (encrypted)
│   └── vault_password.txt (gitignored)
├── staging/
│   └── vault.yml
└── development/
    └── vault.yml
  • Create vault password management procedure
    • Document password generation
    • Secure storage guidelines
    • Rotation procedure
  • Create vault templates
    • Database credentials
    • API keys
    • SSL certificates
    • SSH keys
  • Encrypt existing secrets 
    ansible-vault encrypt secrets/production/vault.yml
  • Configure ansible.cfg for vault 
    [defaults]
vault_password_file = ~/.ansible/vault_password.txt
  • Create vault management scripts
    • encrypt-secret.sh
    • decrypt-secret.sh
    • rotate-vault-password.sh
  • Test vault operations
    • Encrypt/decrypt
    • Edit encrypted files
    • Use in playbooks
  • Document vault procedures in docs/secrets-management.md
  • Create cheatsheet for vault operations
  • Update CLAUDE.md with vault requirements

Acceptance Criteria:

  • Vault structure created
  • Secrets encrypted
  • Procedures documented
  • Scripts tested and working

Task 9.2: Implement Vault Best Practices

Priority: 🟡 MEDIUM | Effort: 4 hours | Depends On: Task 9.1

Todo List:

  • Implement vault password rotation
    • Create rotation procedure
    • Test re-keying process
    • Schedule regular rotations (90 days)
  • Create vault usage patterns
    • Variable precedence with vault
    • Combining vault with group_vars
    • Environment-specific vaults
  • Implement vault validation
    • Pre-commit hook for unencrypted secrets
    • CI/CD checks for exposed secrets
  • Create vault backup procedures
    • Backup encrypted vaults
    • Secure password backups
    • Disaster recovery plan
  • Document security considerations
  • Create training materials
  • Add vault examples to playbooks

Acceptance Criteria:

  • Best practices documented
  • Validation working
  • Backup procedures in place

Week 10: HashiCorp Vault (Optional)

Task 10.1: Evaluate HashiCorp Vault

Priority: 🟢 LOW | Effort: 8 hours

Todo List:

  • Research HashiCorp Vault features
  • Compare with Ansible Vault
  • Evaluate deployment requirements
  • Test Vault in development
    • Install Vault server
    • Configure authentication
    • Test secret storage
    • Test Ansible integration
  • Document findings
  • Create POC deployment
  • Assess costs and benefits
  • Make recommendation
  • Document decision in ADR (Architecture Decision Record)

Acceptance Criteria:

  • Evaluation complete
  • POC tested
  • Recommendation documented

Phase 4: Application Deployment (Weeks 11-12)

Week 11: Web Server Roles

Task 11.1: Create Nginx Role

Priority: 🟡 MEDIUM | Effort: 10 hours

Todo List:

  • Create role structure
  • Implement Nginx installation
    • Official repository setup
    • Package installation
    • Service management
  • Configure Nginx
    • Main configuration
    • Virtual host templates
    • SSL/TLS configuration
    • Security headers
    • Rate limiting
  • Implement SSL certificate management
    • Let's Encrypt integration
    • Certificate renewal
    • Self-signed certificates (dev)
  • Configure logging
    • Access logs
    • Error logs
    • Log rotation
  • Implement security hardening
    • Hide version
    • Disable unnecessary modules
    • Security headers (HSTS, CSP, etc.)
  • Create health checks
  • Add firewall rules
  • Create Molecule tests
  • Document configuration options
  • Create usage examples

Acceptance Criteria:

  • Role functional and secure
  • SSL working
  • Tests passing
  • Documentation complete

Week 12: Database Roles

Task 12.1: Create PostgreSQL Role

Priority: 🟡 MEDIUM | Effort: 12 hours

Todo List:

  • Create role structure
  • Implement PostgreSQL installation
    • Official repository
    • Version selection
    • Package installation
  • Configure PostgreSQL
    • Main configuration (postgresql.conf)
    • Authentication (pg_hba.conf)
    • Connection limits
    • Memory settings
    • Logging configuration
  • Implement database management
    • Create databases
    • Create users
    • Grant privileges
    • Password management (vault integration)
  • Implement backup configuration
    • pg_dump automation
    • Backup schedules
    • Retention policy
    • Backup verification
  • Implement replication (optional)
    • Primary/replica setup
    • Streaming replication
    • Failover procedures
  • Security hardening
    • Network restrictions
    • SSL connections
    • Password encryption
  • Add monitoring
    • PostgreSQL exporter
    • Query statistics
  • Create Molecule tests
  • Document administration procedures
  • Create backup/restore guides

Acceptance Criteria:

  • Role functional and secure
  • Backup working
  • Tests passing
  • Documentation complete

Tracking and Reporting

Issue Creation

Each task above should be created as an issue in Gitea:

# Example using Gitea API
curl -X POST "https://git.mymx.me/api/v1/repos/ansible/infra-automation/issues" \
  -H "Content-Type: application/json" \
  -u "ansible@mymx.me:PASSWORD" \
  -d '{
    "title": "Task 1.1: Create Inventories Repository",
    "body": "[Task details from execution plan]",
    "labels": ["enhancement", "phase-1", "high-priority"]
  }'

Progress Tracking

Create labels in Gitea:

  • phase-1, phase-2, phase-3, phase-4
  • priority-high, priority-medium, priority-low
  • status-todo, status-in-progress, status-blocked, status-done
  • type-feature, type-bug, type-docs, type-test

Weekly Review Process

  1. Monday: Week planning, assign tasks
  2. Wednesday: Mid-week check-in, unblock issues
  3. Friday: Week review, update roadmap
  4. Monthly: Progress report, roadmap adjustment

Reporting Template

## Weekly Progress Report - Week X

### Completed Tasks
- [x] Task X.X: Description
- [x] Task X.X: Description

### In Progress Tasks
- [ ] Task X.X: Description (75% complete)
- [ ] Task X.X: Description (40% complete)

### Blocked Tasks
- [ ] Task X.X: Description
  - Blocker: [description]
  - Resolution plan: [plan]

### Next Week Plan
- [ ] Task X.X: Description
- [ ] Task X.X: Description

### Metrics
- Tasks completed: X
- Tests written: X
- Test coverage: X%
- Roles created: X
- Documentation pages: X

### Risks and Issues
- [Issue description and mitigation]

Success Criteria Summary

Phase 1 Success (Week 4)

  • Inventories repository created and integrated
  • CI/CD pipeline operational
  • Molecule testing framework working
  • deploy_linux_vm role has >80% test coverage
  • All documentation updated

Phase 2 Success (Week 8)

  • Common role production-ready
  • Security hardening role complete
  • Monitoring client role functional
  • All roles tested on Debian and RHEL
  • Complete documentation for all roles

Phase 3 Success (Week 10)

  • Ansible Vault implemented
  • All secrets encrypted
  • Vault procedures documented
  • HashiCorp Vault evaluated

Phase 4 Success (Week 12)

  • Nginx role production-ready
  • PostgreSQL role complete
  • Application deployment patterns established
  • Backup procedures implemented

Document Owner: Ansible Infrastructure Team Last Updated: 2025-11-10 Next Review: Weekly

Reference in New Issue View Git Blame Copy Permalink