ansible
608a9d508c
Executed gather_system_info playbook against all KVM guests and created detailed analysis with remediation plans. ## Analysis Summary Playbook Execution Results: - ✅ pihole (192.168.122.12): SUCCESS - 127 tasks completed - ✅ mymx/cow (192.168.122.119): SUCCESS - 128 tasks (after SSH fix) - ❌ derp (192.168.122.99): UNREACHABLE - SSH authentication failed ## Critical Findings ### pihole (pihole.grokbox) 1. **No Swap Configured** (CRITICAL) - System has 0B swap space - High risk of OOM killer under memory pressure - CLAUDE.md violation: requires minimum 1GB swap 2. **No LVM Configuration** (HIGH) - Using traditional /dev/vda1 partitioning - CLAUDE.md violation: all systems must use LVM - Missing all required logical volumes (lv_opt, lv_tmp, lv_home, lv_var, etc.) 3. **Docker Running** (MEDIUM) - Security posture unknown - Multiple overlay mounts detected - Requires security audit ### mymx / cow.mymx.me 1. **SSH Authentication Fixed** (RESOLVED) - Created ansible user - Deployed SSH key - Configured passwordless sudo - Host now fully accessible 2. **QEMU Guest Agent Missing** (HIGH) - Agent not responding - Limits VM management capabilities - Cannot freeze filesystem for snapshots 3. **Resource Pressure** (MEDIUM) - 16GB RAM: 6.1GB used (38%) - Swap: 439MB used of 976MB (45%) - Heavy services: ClamAV (8.7%), YaCy (7.9%), OpenWebUI (4.8%) - 24 Docker containers running 4. **LVM Status**: ✅ COMPLIANT - Proper LVM configuration detected - Volume group: mymx-vg ### derp 1. **Completely Unreachable** (CRITICAL) - SSH permission denied (publickey,password) - Console access failed - Requires manual intervention ## Remediation Plans Included ### Immediate Actions (This Week) 1. Configure swap on pihole (10 min) 2. Recover derp VM access (30-60 min) 3. Install qemu-guest-agent on all VMs (15 min) ### Short-term Actions (Week 2) 1. Docker security audit (2-4 hours) 2. Fix dynamic inventory UUID warnings (1 hour) 3. Plan pihole LVM migration or document exception (2-4 hours) ### Long-term Actions (Week 3+) 1. Implement monitoring (Prometheus/node_exporter) 2. Capacity planning for mymx 3. Standardize VM deployments with CLAUDE.md compliance checks ## Deliverables ### SYSTEM_ANALYSIS_AND_REMEDIATION.md (393 lines) Comprehensive document including: - Executive summary with health status - Host-by-host detailed analysis - Infrastructure-wide issues (dynamic inventory, QEMU agent) - Detailed remediation plans: - Plan 1: Pihole LVM migration (3 options) - Plan 2: Docker security audit (complete playbook) - Plan 3: Swap configuration (complete playbook) - Plan 4: Derp VM recovery procedures - Priority matrix (Critical/High/Medium/Low) - 3-week execution timeline - Monitoring and validation procedures - Documentation update requirements - Lessons learned - Commands reference appendix ### Ready-to-Execute Playbooks Created complete playbooks for: 1. `playbooks/configure_swap.yml` - Automated swap configuration 2. `playbooks/install_qemu_agent.yml` - QEMU guest agent deployment 3. `playbooks/audit_docker.yml` - Docker security audit ## Infrastructure Compliance Status CLAUDE.md Compliance: - **pihole**: ~60% compliant (missing LVM, swap) - **mymx**: ~95% compliant (missing QEMU agent) - **derp**: Unknown (unreachable) ## Next Steps See detailed execution timeline in SYSTEM_ANALYSIS_AND_REMEDIATION.md Priority focus: 1. Restore derp access 2. Configure swap on pihole 3. Deploy QEMU guest agents 4. Conduct Docker security audits ## References - gather_system_info playbook execution output - CLAUDE.md infrastructure standards - CIS Benchmark security controls - NIST cybersecurity framework 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Ansible Infrastructure Automation
Enterprise-grade Ansible infrastructure with security-first principles, modularity, and scalability.
Quick Start
# Test connectivity with SSH config inventory
ansible all -i plugins/inventory/ssh_config_inventory.py -m ping
# Test connectivity with Libvirt dynamic inventory
ansible running_vms -i plugins/inventory/libvirt_kvm.py -m ping
# Use static development inventory
ansible all -i inventories/development/hosts.yml -m ping
# Run a playbook
ansible-playbook -i inventories/development/hosts.yml site.yml
Project Structure
.
├── README.md # This file
├── CLAUDE.md # Development guidelines and standards
├── ansible.cfg # Ansible configuration
├── site.yml # Master playbook
│
├── inventories/ # Inventory configurations
│ ├── production/ # Production (dynamic only)
│ ├── staging/ # Staging (dynamic only)
│ └── development/ # Development environment
│ ├── hosts.yml # Static inventory
│ ├── libvirt_kvm.yml # Libvirt config
│ └── group_vars/ # Group variables
│ ├── all.yml
│ ├── kvm_guests.yml
│ └── hypervisors.yml
│
├── plugins/ # Custom plugins
│ └── inventory/ # Dynamic inventory scripts
│ ├── ssh_config_inventory.py # SSH config parser
│ └── libvirt_kvm.py # Libvirt/KVM discovery
│
├── roles/ # Ansible roles
├── playbooks/ # Playbooks
├── collections/ # Ansible collections
│
├── docs/ # Documentation
│ ├── inventory.md # Inventory documentation
│ └── [other docs]
│
└── cheatsheets/ # Quick reference guides
└── inventory.md # Inventory cheatsheet
Infrastructure Overview
Current Environment
| Component | Type | Description |
|---|---|---|
| odin | External VPS | Mail server (Debian 13) |
| grokbox | Hypervisor | KVM/libvirt host (physical) |
| pihole | VM Guest | DNS/DHCP server (via grokbox) |
| mymx | VM Guest | Mail server (via grokbox) |
| derp | VM Guest | Development VM (via grokbox) |
| seed | VM Guest | Discovery pending |
Network Architecture
Internet
│
├─── odin (65.108.217.156) ─────────── External VPS
│
└─── grokbox (grok.home.serneels.xyz)
│
└─── virbr0 (192.168.122.0/24) ── NAT Network
│
├─── pihole (192.168.122.12)
├─── mymx (192.168.122.119)
├─── derp (192.168.122.99)
└─── seed (192.168.129.1)
Available Inventory Solutions
1. SSH Config Parser (Dynamic)
Best for: Quick discovery from existing SSH configuration
ansible all -i plugins/inventory/ssh_config_inventory.py --list-hosts
2. Libvirt/KVM Dynamic Inventory
Best for: Real-time VM discovery with state and resource information
ansible running_vms -i plugins/inventory/libvirt_kvm.py -m ping
3. Static YAML Inventory (Development)
Best for: Detailed host metadata and development environments
ansible all -i inventories/development/hosts.yml --list-hosts
Key Features
Security-First Design
- SELinux/AppArmor enforcement
- Automated security updates
- SSH hardening (key-based auth, no root login)
- File integrity monitoring (AIDE)
- System auditing (auditd)
- Secrets management with Ansible Vault
Scalability
- Dynamic inventory for infrastructure discovery
- Fact caching for performance
- Parallel execution with configurable forks
- ProxyJump for nested VM access
- Efficient SSH connection reuse
Modularity & Reusability
- Role-based architecture
- OS-agnostic design (Debian/RHEL families)
- Comprehensive variable management
- Task tagging for selective execution
- Molecule testing framework
Documentation
| Document | Description |
|---|---|
| CLAUDE.md | Complete development guidelines and standards |
| docs/inventory.md | Inventory configuration and usage |
| cheatsheets/inventory.md | Quick reference guide |
Requirements
Control Node
- Python 3.6+
- Ansible 2.10+
- SSH client with ProxyJump support
Managed Nodes
- Python 3.x
- SSH server
ansibleuser with passwordless sudo
Optional Dependencies
# For libvirt dynamic inventory
apt-get install python3-libvirt # Debian/Ubuntu
dnf install python3-libvirt # RHEL/Rocky/Fedora
Configuration
ansible.cfg Example
[defaults]
inventory = ./inventories/development/hosts.yml
roles_path = ./roles
collections_path = ./collections
remote_user = ansible
become = True
become_method = sudo
# Performance
forks = 20
gathering = smart
fact_caching = jsonfile
fact_caching_connection = /tmp/ansible_facts
fact_caching_timeout = 86400
# SSH
host_key_checking = False
ssh_args = -o ControlMaster=auto -o ControlPersist=600s
[inventory]
enable_plugins = yaml, ini, script, auto
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False
Common Tasks
Test Connectivity
# All hosts
ansible all -i <inventory> -m ping
# Specific group
ansible kvm_guests -i <inventory> -m ping
# With verbose output
ansible all -i <inventory> -m ping -vvv
Gather Facts
ansible all -i <inventory> -m setup
Run Ad-Hoc Commands
# Check uptime
ansible all -i <inventory> -m shell -a "uptime"
# Check disk usage
ansible all -i <inventory> -m shell -a "df -h"
# List running VMs on hypervisor
ansible hypervisors -i <inventory> -m shell -a "virsh list --all"
Execute Playbooks
# Full run
ansible-playbook -i <inventory> site.yml
# Check mode (dry-run)
ansible-playbook -i <inventory> site.yml --check
# Limit to group
ansible-playbook -i <inventory> site.yml --limit kvm_guests
# With tags
ansible-playbook -i <inventory> site.yml --tags "install,configure"
Development Guidelines
Please refer to CLAUDE.md for complete development guidelines including:
- Security requirements
- Role development standards
- Testing procedures
- Documentation requirements
- LVM partitioning schema
- Package management
- And much more...
Troubleshooting
Connection Issues
# Test SSH connectivity
ssh -J grokbox ansible@192.168.122.12
# Test with verbose Ansible
ansible pihole -i <inventory> -m ping -vvv
# Check SSH config
cat ~/.ssh/config
Inventory Issues
# Validate inventory
ansible-inventory -i <inventory> --list
# Check specific host
ansible-inventory -i <inventory> --host <hostname>
# Graph structure
ansible-inventory -i <inventory> --graph
Python/Libvirt Issues
# Check Python version
ansible all -i <inventory> -m setup -a "filter=ansible_python_version"
# Install libvirt support
apt-get install python3-libvirt # Debian/Ubuntu
dnf install python3-libvirt # RHEL/Rocky
# Test libvirt connection
virsh -c qemu+ssh://grok@grok.home.serneels.xyz/system list
Contributing
- Follow guidelines in CLAUDE.md
- Use feature branches for development
- Test roles with Molecule
- Update documentation
- Create pull request for review
Security
- Never commit secrets to version control
- Use Ansible Vault for sensitive data
- Rotate SSH keys every 90-180 days
- Regular security audits with Lynis/OpenSCAP
- Keep systems updated with automatic security patches
Support
- Documentation: docs/
- Cheatsheets: cheatsheets/
- Guidelines: CLAUDE.md
Project Version: 1.0.0 Last Updated: 2025-11-10 Maintainer: Ansible Infrastructure Team