infra-automation/inventories/production/group_vars/all.yml

---
# =============================================================================
# Production Environment - Global Variables
# =============================================================================

# Environment designation
environment: production

# Ansible connection settings
ansible_user: ansible
ansible_become: true
ansible_become_method: sudo

# SSH connection settings
ansible_ssh_pipelining: true
ansible_ssh_extra_args: '-o StrictHostKeyChecking=accept-new'

# =============================================================================
# Network Configuration
# =============================================================================

# NTP servers for time synchronization
ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org

# DNS servers
dns_servers:
  - 8.8.8.8
  - 8.8.4.4
  - 1.1.1.1

# DNS search domains
dns_search_domains:
  - example.com
  - production.local

# =============================================================================
# Security Configuration
# =============================================================================

# Automatic security updates
security_auto_updates: true
security_auto_reboot: false
security_update_schedule: "daily"

# Firewall settings
firewall_enabled: true
firewall_default_policy: deny

# SELinux/AppArmor enforcement
selinux_state: enforcing
apparmor_enabled: true

# SSH hardening
ssh_permit_root_login: no
ssh_password_authentication: no
ssh_gssapi_authentication: no
ssh_max_auth_tries: 3
ssh_client_alive_interval: 300

# Audit logging
auditd_enabled: true
auditd_log_retention_days: 365

# =============================================================================
# Logging and Monitoring
# =============================================================================

# Log retention
log_retention_days: 365
log_compression_enabled: true

# Syslog configuration
syslog_remote_server: null  # Set to remote syslog server if available
syslog_remote_port: 514

# Monitoring
monitoring_enabled: true
monitoring_agent: null  # Set to 'prometheus', 'zabbix', 'datadog', etc.

# =============================================================================
# Backup Configuration
# =============================================================================

backup_enabled: true
backup_schedule: "0 2 * * *"  # Daily at 2 AM
backup_retention_days: 30
backup_destination: /var/backups

# =============================================================================
# Package Management
# =============================================================================

# Essential packages (CLAUDE.md compliance)
essential_packages:
  - vim
  - htop
  - tmux
  - jq
  - bc
  - curl
  - wget
  - rsync
  - git
  - python3
  - python3-pip

# Security packages
security_packages:
  - aide
  - auditd
  - chrony

# Additional tools
additional_packages:
  - net-tools
  - bind-utils  # RHEL
  # - dnsutils  # Debian (uncomment based on OS)
  - traceroute
  - tcpdump
  - strace
  - lsof

# =============================================================================
# Performance Tuning
# =============================================================================

# System limits
system_max_open_files: 65535
system_max_processes: 4096

# Kernel parameters (sysctl)
kernel_parameters:
  net.ipv4.tcp_syncookies: 1
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv6.conf.all.accept_source_route: 0
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0

# =============================================================================
# Application Configuration
# =============================================================================

# Default application user
app_user: appuser
app_group: appgroup

# Application directories
app_base_dir: /opt/apps
app_data_dir: /var/lib/apps
app_log_dir: /var/log/apps

# =============================================================================
# Compliance and Standards
# =============================================================================

# Compliance frameworks
compliance_frameworks:
  - CIS
  - NIST

# Configuration management
config_management_tool: ansible
config_management_version: "{{ ansible_version.full }}"

# =============================================================================
# Custom Variables
# =============================================================================

# Add production-specific custom variables here