infra-automation/INFRASTRUCTURE_INVENTORY.md
ansible 455133c600 Initial commit: Ansible infrastructure automation
- Add comprehensive Ansible guidelines and best practices (CLAUDE.md)
- Add infrastructure inventory documentation
- Add VM deployment playbooks and configurations
- Add dynamic inventory plugins (libvirt_kvm, ssh_config)
- Add cloud-init and preseed configurations for automated deployments
- Add security-first configuration templates
- Add role and setup documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-10 23:02:32 +01:00


# Infrastructure Inventory - grokbox
**Generated:** 2025-11-10

**Hypervisor:** grokbox (grok.home.serneels.xyz)

**Libvirt URI:** qemu:///system

**Security Model:** AppArmor (enforcing)
---
## Summary
| Metric | Value |
|--------|-------|
| **Total VMs** | 3 |
| **Running VMs** | 3 |
| **Stopped VMs** | 0 |
| **Total vCPUs Allocated** | 12 |
| **Total Memory Allocated** | 20 GB |
| **Network** | virbr0 (192.168.122.0/24) |
---
## Virtual Machines
### 1. derp (Development VM)
**Status:** ✅ Running (ID: 2)
#### Configuration
| Property | Value |
|----------|-------|
| **UUID** | `9ede717f-879b-48aa-add0-2dfd33e10765` |
| **OS Type** | HVM |
| **vCPUs** | 2 |
| **Memory** | 2 GB (2097152 KiB) |
| **CPU Time** | 33278.4s |
| **Autostart** | Enabled |
| **Persistent** | Yes |
#### Network
| Interface | MAC Address | IP Address | Network |
|-----------|-------------|------------|---------|
| vnet1 | `52:54:00:d9:b8:0a` | `192.168.122.99/24` | virbr0 (NAT) |
#### Storage
| Type | Device | Target | Source |
|------|--------|--------|--------|
| file | disk | vda | `/var/lib/libvirt/images/derp.qcow2` |
| file | cdrom | sda | - |
#### Security
- **Security Model:** AppArmor
- **Security Label:** `libvirt-9ede717f-879b-48aa-add0-2dfd33e10765` (enforcing)
#### Ansible Access
```bash
# Direct SSH (via ProxyJump)
ssh -J grokbox ansible@192.168.122.99
# Ansible ad-hoc
ansible derp -i inventories/development/hosts.yml -m ping
# Using dynamic inventory
ansible derp -i plugins/inventory/libvirt_kvm.py -m ping
```
---
### 2. pihole (DNS/DHCP Server)
**Status:** ✅ Running (ID: 5)
#### Configuration
| Property | Value |
|----------|-------|
| **UUID** | `6d714c93-16fb-41c8-8ef8-9001f9066b3a` |
| **OS Type** | HVM |
| **vCPUs** | 2 |
| **Memory** | 2 GB (2097152 KiB) |
| **CPU Time** | 74968.5s |
| **Autostart** | Enabled |
| **Persistent** | Yes |
#### Network
| Interface | MAC Address | IP Address | Network |
|-----------|-------------|------------|---------|
| vnet4 | `52:54:00:3b:ea:52` | `192.168.122.12/24` | virbr0 (NAT) |
#### Storage
| Type | Device | Target | Source |
|------|--------|--------|--------|
| file | disk | vda | `/var/lib/libvirt/images/pihole.qcow2` |
#### Security
- **Security Model:** AppArmor
- **Security Label:** `libvirt-6d714c93-16fb-41c8-8ef8-9001f9066b3a` (enforcing)
#### Services
- Pi-hole (DNS ad-blocking)
- dnsmasq (DHCP server)
- lighttpd (Web interface)
#### Ansible Access
```bash
# Direct SSH (via ProxyJump)
ssh -J grokbox ansible@192.168.122.12
# Ansible ad-hoc
ansible pihole -i inventories/development/hosts.yml -m ping
# Using dynamic inventory
ansible dns_servers -i plugins/inventory/libvirt_kvm.py -m ping
```
---
### 3. mymx (Mail Server)
**Status:** ✅ Running (ID: 21)
#### Configuration
| Property | Value |
|----------|-------|
| **UUID** | `7cd5a220-bea4-49a1-a44e-a247dbdfd085` |
| **OS Type** | HVM |
| **vCPUs** | 8 |
| **Memory** | 16 GB (16777216 KiB) |
| **CPU Time** | 476431.1s |
| **Autostart** | Enabled |
| **Persistent** | Yes |
#### Network
| Interface | MAC Address | IP Address | Network |
|-----------|-------------|------------|---------|
| vnet20 | `52:54:00:de:fc:e9` | `192.168.122.119/24` | virbr0 (NAT) |
#### Storage
| Type | Device | Target | Source |
|------|--------|--------|--------|
| file | disk | vda | `/var/lib/libvirt/images/mymx.qcow2` |
#### Security
- **Security Model:** AppArmor
- **Security Label:** `libvirt-7cd5a220-bea4-49a1-a44e-a247dbdfd085` (enforcing)
#### Services
- Postfix (Mail Transfer Agent)
- Dovecot (IMAP/POP3 server)
#### Ansible Access
```bash
# Direct SSH (via ProxyJump)
ssh -J grokbox ansible@192.168.122.119
# Ansible ad-hoc
ansible mymx -i inventories/development/hosts.yml -m ping
# Using dynamic inventory
ansible mail_servers -i plugins/inventory/libvirt_kvm.py -m ping
```
---
## Network Configuration
### NAT Network (virbr0)
| Property | Value |
|----------|-------|
| **Network** | 192.168.122.0/24 |
| **Gateway** | 192.168.122.1 (grokbox) |
| **DHCP Range** | 192.168.122.2 - 192.168.122.254 |
| **DNS** | Provided by dnsmasq |
### IP Allocation
| VM | IP Address | MAC Address | Status |
|----|------------|-------------|--------|
| pihole | 192.168.122.12 | 52:54:00:3b:ea:52 | ✅ Active |
| derp | 192.168.122.99 | 52:54:00:d9:b8:0a | ✅ Active |
| mymx | 192.168.122.119 | 52:54:00:de:fc:e9 | ✅ Active |
---
## Resource Allocation Summary
### CPU Allocation
| VM | vCPUs | CPU Time | % of Total vCPUs |
|----|-------|----------|------------|
| mymx | 8 | 476431.1s | 66.7% |
| derp | 2 | 33278.4s | 16.7% |
| pihole | 2 | 74968.5s | 16.7% |
| **Total** | **12** | **584678.0s** | **100%** |
### Memory Allocation
| VM | Memory | % of Total |
|----|--------|------------|
| mymx | 16 GB | 80% |
| derp | 2 GB | 10% |
| pihole | 2 GB | 10% |
| **Total** | **20 GB** | **100%** |
### Storage
| VM | Disk Type | Location | Format |
|----|-----------|----------|--------|
| mymx | file (qcow2) | `/var/lib/libvirt/images/mymx.qcow2` | qcow2 |
| derp | file (qcow2) | `/var/lib/libvirt/images/derp.qcow2` | qcow2 |
| pihole | file (qcow2) | `/var/lib/libvirt/images/pihole.qcow2` | qcow2 |
---
## Security Status
### All VMs
- **Security Model:** AppArmor enforcing
- **Unique Security Labels:** Per-VM isolation
- **Persistent Configuration:** All VMs persistent
- **Autostart:** All VMs set to autostart
- **Network Isolation:** NAT network with gateway
### Access Control
- **Hypervisor Access:** SSH to grokbox (user: grok)
- **VM Access:** SSH via ProxyJump through grokbox (user: ansible)
- **Authentication:** SSH key-based (no password auth)
- **Privilege Escalation:** Passwordless sudo for ansible user
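The posture listed above (AppArmor confinement with a per-VM label, guests on the NAT network behind virbr0, images under `/var/lib/libvirt/images/`) can be re-checked mechanically from `virsh dumpxml` output instead of trusting the last discovery run. The script below is an added example, not a script from this repository: it parses domain XML with the standard library and reports every deviation from the documented posture. The two XML documents it contains are constructed samples (one shaped like the page's `derp` definition, one deliberately drifted); `audit_live` is the hypothetical live path that fetches XML over SSH the same way the management commands on this page do.

```python
#!/usr/bin/env python3
"""Audit libvirt domain XML against the posture listed under Security Status.

Added example, not part of the infra-automation repository. Expected values
come from INFRASTRUCTURE_INVENTORY.md; the sample XML below is constructed.
"""
import subprocess
import xml.etree.ElementTree as ET

HYPERVISOR = "grokbox"               # SSH alias of the hypervisor
LIBVIRT_URI = "qemu:///system"
EXPECTED_NETWORK = "default"         # the libvirt network behind virbr0
IMAGE_DIR = "/var/lib/libvirt/images/"

# Constructed sample shaped like `virsh dumpxml derp` (values from the inventory).
GOOD_XML = """\
<domain type='kvm' id='2'>
  <name>derp</name>
  <uuid>9ede717f-879b-48aa-add0-2dfd33e10765</uuid>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/derp.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='sda' bus='sata'/>
    </disk>
    <interface type='network'>
      <mac address='52:54:00:d9:b8:0a'/>
      <source network='default' bridge='virbr0'/>
    </interface>
  </devices>
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
    <label>libvirt-9ede717f-879b-48aa-add0-2dfd33e10765</label>
    <imagelabel>libvirt-9ede717f-879b-48aa-add0-2dfd33e10765</imagelabel>
  </seclabel>
</domain>
"""

# Constructed drifted definition: unconfined, bridged straight onto a host
# bridge instead of the NAT network, image stored outside IMAGE_DIR.
DRIFTED_XML = """\
<domain type='kvm'>
  <name>drifted</name>
  <uuid>00000000-0000-0000-0000-000000000000</uuid>
  <devices>
    <disk type='file' device='disk'>
      <source file='/home/grok/drifted.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
  </devices>
  <seclabel type='none'/>
</domain>
"""


def audit_domain(xml_text):
    """Return a list of findings; an empty list means the domain matches the expected posture."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", "?")
    uuid = root.findtext("uuid", "")
    findings = []

    # 1. AppArmor confinement with the per-VM libvirt-<uuid> label.
    sec = root.find("seclabel")
    if sec is None or sec.get("type") == "none":
        findings.append(f"{name}: no confinement (seclabel missing or type='none')")
    else:
        if sec.get("model") != "apparmor":
            findings.append(f"{name}: seclabel model is {sec.get('model')!r}, expected 'apparmor'")
        label = sec.findtext("label")
        if label and uuid and uuid not in label:
            findings.append(f"{name}: label {label} is not the per-VM libvirt-<uuid> label")

    # 2. Every NIC sits on the NAT network (virbr0), not on an arbitrary host bridge.
    for iface in root.iter("interface"):
        src = iface.find("source")
        net = src.get("network") if src is not None else None
        if iface.get("type") != "network" or net != EXPECTED_NETWORK:
            findings.append(f"{name}: interface not on network '{EXPECTED_NETWORK}' "
                            f"(type={iface.get('type')}, source={net})")

    # 3. Disk images live under the libvirt image directory (cdrom devices are skipped).
    for disk in root.iter("disk"):
        if disk.get("device") != "disk":
            continue
        src = disk.find("source")
        path = src.get("file") if src is not None else None
        if not path or not path.startswith(IMAGE_DIR):
            findings.append(f"{name}: disk source {path} is outside {IMAGE_DIR}")
    return findings


def audit_live(names):
    """Hypothetical live path: fetch each domain's XML from the hypervisor and audit it."""
    results = {}
    for name in names:
        cmd = ["ssh", HYPERVISOR, "virsh", "-c", LIBVIRT_URI, "dumpxml", name]
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        results[name] = audit_domain(out)
    return results


if __name__ == "__main__":
    for xml_text in (GOOD_XML, DRIFTED_XML):
        findings = audit_domain(xml_text)
        print("\n".join(findings) if findings else "OK: matches expected posture")
```

Run without arguments it audits the two embedded samples; `audit_live(["derp", "pihole", "mymx"])` does the same against the real definitions. Note that an inactive domain's dynamic seclabel carries no `<label>` child, so the label check only fires when a label is present.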
---
## Ansible Integration
### Available Inventory Sources
#### 1. Static Inventory
```bash
ansible all -i inventories/development/hosts.yml --list-hosts
```
#### 2. Libvirt Dynamic Inventory
```bash
ansible running_vms -i plugins/inventory/libvirt_kvm.py --list-hosts
```
#### 3. SSH Config Inventory
```bash
ansible kvm_guests -i plugins/inventory/ssh_config_inventory.py --list-hosts
```
### Group Memberships
| VM | Groups |
|----|--------|
| **derp** | all, kvm_guests, development, running_vms |
| **pihole** | all, kvm_guests, dns_servers, running_vms |
| **mymx** | all, kvm_guests, mail_servers, running_vms |
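The group memberships above are what a libvirt-backed dynamic inventory has to derive at run time: every defined domain lands in `kvm_guests`, only the ones in the `running` state land in `running_vms`, and each host's connection variables must reproduce the documented `ssh -J grokbox ansible@<ip>` path. The script below is an added example, not the project's `plugins/inventory/libvirt_kvm.py`: it parses `virsh list --all` and `virsh domifaddr` output into the JSON shape Ansible expects from an inventory script. `ROLE_GROUPS` is an assumed name-to-group mapping, and the embedded virsh output is constructed (with `mymx` shown as stopped purely to exercise the `running_vms` distinction).

```python
#!/usr/bin/env python3
"""Minimal libvirt-backed Ansible dynamic inventory.

Added example, not the repository's plugins/inventory/libvirt_kvm.py. Group
names and the ProxyJump access pattern follow INFRASTRUCTURE_INVENTORY.md;
ROLE_GROUPS is an assumed mapping from VM name to role group.
"""
import json
import re
import subprocess
import sys

HYPERVISOR = "grokbox"          # SSH alias of the hypervisor
LIBVIRT_URI = "qemu:///system"
ROLE_GROUPS = {                 # assumption: how VM names map to role groups
    "derp": "development",
    "pihole": "dns_servers",
    "mymx": "mail_servers",
}

# Constructed sample output in the shape virsh prints. mymx is "shut off" here
# only to exercise the running_vms / kvm_guests distinction.
SAMPLE_LIST = """\
 Id   Name     State
-------------------------
 2    derp     running
 5    pihole   running
 -    mymx     shut off
"""
SAMPLE_IFADDR = {
    "derp": """\
 Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet1      52:54:00:d9:b8:0a    ipv4         192.168.122.99/24
""",
    "pihole": """\
 Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet4      52:54:00:3b:ea:52    ipv4         192.168.122.12/24
""",
}


def parse_list(text):
    """Map domain name -> state from `virsh list --all` output (two header rows skipped)."""
    domains = {}
    for line in text.splitlines()[2:]:
        parts = line.split(None, 2)     # Id, Name, State ("shut off" contains a space)
        if len(parts) == 3:
            domains[parts[1]] = parts[2].strip()
    return domains


def parse_domifaddr(text):
    """Return the first IPv4 address (prefix length dropped) from `virsh domifaddr`, or None."""
    for line in text.splitlines():
        m = re.search(r"\bipv4\s+(\d+\.\d+\.\d+\.\d+)/\d+", line)
        if m:
            return m.group(1)
    return None


def build_inventory(domains, addresses):
    """Assemble the inventory JSON: groups plus per-host connection variables."""
    inv = {
        "_meta": {"hostvars": {}},
        "all": {"children": ["kvm_guests", "running_vms"]},
        "kvm_guests": {"hosts": []},
        "running_vms": {"hosts": []},
    }
    for name, state in sorted(domains.items()):
        inv["kvm_guests"]["hosts"].append(name)
        if state == "running":
            inv["running_vms"]["hosts"].append(name)
        group = ROLE_GROUPS.get(name)
        if group:
            if group not in inv:
                inv[group] = {"hosts": []}
                inv["all"]["children"].append(group)
            inv[group]["hosts"].append(name)
        # Guests are reached through the hypervisor as the ansible user,
        # matching the documented `ssh -J grokbox ansible@<ip>`.
        hostvars = {
            "ansible_user": "ansible",
            "ansible_ssh_common_args": f"-o ProxyJump={HYPERVISOR}",
            "vm_state": state,
        }
        if addresses.get(name):
            hostvars["ansible_host"] = addresses[name]
        inv["_meta"]["hostvars"][name] = hostvars
    return inv


def virsh(args):
    """Run a read-only virsh query on the hypervisor over SSH (live mode only)."""
    cmd = ["ssh", HYPERVISOR, "virsh", "-c", LIBVIRT_URI, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def collect(live=False):
    """Build the inventory from virsh (live=True) or from the constructed sample data."""
    if live:
        domains = parse_list(virsh(["list", "--all"]))
        # domifaddr errors out for stopped domains, so only running ones are queried.
        addresses = {n: parse_domifaddr(virsh(["domifaddr", n]))
                     for n, s in domains.items() if s == "running"}
    else:
        domains = parse_list(SAMPLE_LIST)
        addresses = {n: parse_domifaddr(SAMPLE_IFADDR.get(n, "")) for n in domains}
    return build_inventory(domains, addresses)


if __name__ == "__main__":
    # Ansible invokes inventory scripts with --list; add --live to query the hypervisor.
    print(json.dumps(collect(live="--live" in sys.argv), indent=2))
```

A stopped guest still appears in `kvm_guests` but gets no `ansible_host`, so a play targeting `kvm_guests` fails fast on it instead of hanging on a stale address; targeting `running_vms` is the documented way to avoid that.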
### Testing Connectivity
```bash
# Test all VMs
ansible kvm_guests -i plugins/inventory/libvirt_kvm.py -m ping
# Test specific groups
ansible dns_servers -i inventories/development/hosts.yml -m ping
ansible mail_servers -i inventories/development/hosts.yml -m ping
ansible development -i inventories/development/hosts.yml -m ping
# Gather facts
ansible derp -i plugins/inventory/libvirt_kvm.py -m setup
# Check uptime
ansible all -i plugins/inventory/libvirt_kvm.py -m shell -a "uptime"
```
---
## Management Commands
### VM Lifecycle
```bash
# Start VM
ssh grokbox "virsh -c qemu:///system start <vm_name>"
# Shutdown VM gracefully
ssh grokbox "virsh -c qemu:///system shutdown <vm_name>"
# Force stop VM
ssh grokbox "virsh -c qemu:///system destroy <vm_name>"
# Reboot VM
ssh grokbox "virsh -c qemu:///system reboot <vm_name>"
# Check VM status
ssh grokbox "virsh -c qemu:///system domstate <vm_name>"
```
### VM Information
```bash
# Detailed VM info
ssh grokbox "virsh -c qemu:///system dominfo <vm_name>"
# VM network addresses
ssh grokbox "virsh -c qemu:///system domifaddr <vm_name>"
# VM disk info
ssh grokbox "virsh -c qemu:///system domblklist <vm_name> --details"
# VM console access
ssh grokbox "virsh -c qemu:///system console <vm_name>"
```
### Snapshots
```bash
# Create snapshot
ssh grokbox "virsh -c qemu:///system snapshot-create-as <vm_name> <snapshot_name> --description '<description>'"
# List snapshots
ssh grokbox "virsh -c qemu:///system snapshot-list <vm_name>"
# Revert to snapshot
ssh grokbox "virsh -c qemu:///system snapshot-revert <vm_name> <snapshot_name>"
# Delete snapshot
ssh grokbox "virsh -c qemu:///system snapshot-delete <vm_name> <snapshot_name>"
```
---
## Maintenance Recommendations
### Immediate Actions
- ✅ All VMs running and accessible
- ✅ Network connectivity verified
- ✅ Security models enforcing (AppArmor)
- ⚠️ Consider implementing LVM partitioning per CLAUDE.md on next rebuild
### Short-term
1. **Backup Strategy**
   - Implement regular VM snapshots
   - Export VM definitions: `virsh dumpxml <vm_name> > <vm_name>.xml`
   - Backup qcow2 images from `/var/lib/libvirt/images/`
2. **Monitoring**
   - Deploy node_exporter on all VMs
   - Implement centralized logging
   - Set up alerting for resource thresholds
3. **Security Hardening**
   - Run security audit playbooks
   - Verify AIDE/auditd installation
   - Review and harden SSH configurations
### Long-term
1. **Infrastructure as Code**
   - Create Terraform/Pulumi for VM provisioning
   - Implement cloud-init templates
   - Standardize VM configurations
2. **High Availability**
   - Consider VM clustering
   - Implement backup hypervisor
   - Set up automated failover
3. **Compliance**
   - Implement CIS benchmark scanning
   - Run OpenSCAP compliance checks
   - Generate compliance reports
---
## Troubleshooting
### Connection Issues
```bash
# Test SSH to hypervisor
ssh grokbox "hostname"
# Test SSH to VM (direct)
ssh -J grokbox ansible@192.168.122.12 "hostname"
# Check libvirt connectivity
ssh grokbox "virsh -c qemu:///system version"
# Verify network
ssh grokbox "virsh -c qemu:///system net-list --all"
```
### VM Not Starting
```bash
# Check VM definition
ssh grokbox "virsh -c qemu:///system dumpxml <vm_name>"
# Check logs
ssh grokbox "journalctl -u libvirtd -n 50"
# Validate configuration
ssh grokbox "virt-xml-validate /etc/libvirt/qemu/<vm_name>.xml"
```
### Network Issues
```bash
# Check network status
ssh grokbox "virsh -c qemu:///system net-info default"
# Restart network (disruptive: tearing down virbr0 detaches running guests' interfaces until they are re-attached)
ssh grokbox "virsh -c qemu:///system net-destroy default && virsh -c qemu:///system net-start default"
# Check DHCP leases
ssh grokbox "virsh -c qemu:///system net-dhcp-leases default"
```
---
## References
- **CLAUDE.md:** Infrastructure guidelines and standards
- **docs/inventory.md:** Complete inventory documentation
- **cheatsheets/inventory.md:** Quick reference commands
- **SSH Config:** `~/.ssh/config` - Connection configurations
---
**Last Updated:** 2025-11-10

**Updated By:** Automated infrastructure discovery

**Next Review:** Weekly or on infrastructure changes