diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint new file mode 100644 index 0000000..666de00 --- /dev/null +++ b/ansible/.ansible-lint @@ -0,0 +1,34 @@ +--- +# .ansible-lint - Architecture Enforcement Configuration +# This ensures idempotency, security, and best practices. + +# Use the 'safety' profile to enforce strict security and reliability rules +profile: safety + +# Stop the build if these rules are violated +strict: true + +# Rules to explicitly enforce or ignore +warn_list: + - experimental # Notify me of experimental features but don't fail + - name[casing] # Warning only for task name capitalization + +skip_list: + - yaml[line-length] # Homelab scripts often have long strings/URLs + +# Exclude these paths from linting +exclude_paths: + - .cache/ + - .git/ + - roles/external/ # Don't lint roles downloaded from Galaxy + +# Enforce specific tagging for organization +require_status: + - shared + - production + +# Custom configurations for specific rules +# Ensures we always use Fully Qualified Collection Names (FQCN) +# e.g., ansible.builtin.copy instead of just 'copy' +fqcn: + - ansible.builtin \ No newline at end of file diff --git a/ansible/.ansible-standards.md b/ansible/.ansible-standards.md new file mode 100644 index 0000000..9a27014 --- /dev/null +++ b/ansible/.ansible-standards.md @@ -0,0 +1,25 @@ +# Ansible Architectural Standards v1.0 +--- +metadata: + role: Lead Ansible Architect + enforcement: Strict + idempotency: Required + vault_encryption: Required +--- + +## 1. Project Philosophy +- **Agentless Execution:** Rely on SSH and Python 3. +- **Desired State:** Tasks must define the *result*, not the *command* (e.g., use `apt`, not `shell: apt install`). +- **Failure Domains:** Use `block/rescue` for all destructive or system-level changes (updates, partitioning). + +## 2. Technical Specs +- **Connection:** SSH via ED25519 keys; `ansible_user` must have passwordless sudo or Vault-stored credentials. +- **Variables:** - `defaults/main.yml`: Default values (lowest priority). + - `vars/main.yml`: Role-specific constants. + - `group_vars/`: Environment-specific overrides. +- **Naming:** Kebab-case for files (`web-server.yml`), snake_case for variables (`web_server_port`). + +## 3. Maintenance Logic +- **Serial Execution:** `serial: 1` for hypervisor/cluster nodes. +- **Reboot Strategy:** Always check for `/var/run/reboot-required` before initiating a `reboot` task. +- **Service Verification:** Post-task loops must verify that critical services (e.g., `pveproxy`) are `started`. \ No newline at end of file diff --git a/ansible/DEVELOPMENT-SETUP.md b/ansible/DEVELOPMENT-SETUP.md new file mode 100644 index 0000000..830fbe2 --- /dev/null +++ b/ansible/DEVELOPMENT-SETUP.md @@ -0,0 +1,69 @@ +# Development Setup Manifest +**Version:** 1.0 +**Target Environment:** Ansible Control Node & Local Workstation + +This document outlines the software and configurations required to develop, lint, and execute Ansible playbooks within this ecosystem. + +--- + +## 1. CLI Tools (The Engine Room) + +These tools must be installed on your **Control Node**. If you are developing locally, they should also be installed on your workstation. + +| Tool | Function | Purpose | Cost | +| :--- | :--- | :--- | :--- | +| **Ansible-Core** | Execution Engine | Processes YAML playbooks and manages SSH connections. | Free | +| **Ansible-Lint** | Static Analysis | Validates code against best practices and idempotency rules. | Free | +| **Molecule** | Testing Framework | Runs playbooks against temporary containers to verify roles. | Free | +| **Ansible-Vault** | Secret Management | Encrypts sensitive data (passwords/API keys) at rest. | Free | +| **Proxmoxer** | Python API Library | Allows Ansible to communicate with the Proxmox VE API. | Free | +| **ssh-pass** | Auth Utility | Enables password-based login during the initial key-copy phase. | Free | + +### Installation Command (Debian/Ubuntu) +```bash +sudo apt update && sudo apt install -y ansible ansible-lint sshpass python3-pip +pip3 install proxmoxer --break-system-packages +``` + +--- + +## 2. VSCode Extensions (The Cockpit) + +For the best development experience, install these extensions in Visual Studio Code. + +### **Ansible (by Red Hat)** +* **What it does:** Provides syntax highlighting, jinja2 auto-completion, and direct linting integration. +* **Why you want it:** It catches "broken" YAML and missing parameters while you type. +* **Cost:** Free + +### **YAML (by Red Hat)** +* **What it does:** Validates the structure of `.yml` and `.yaml` files. +* **Why you want it:** Ansible is hypersensitive to indentation; this extension prevents 90% of syntax errors. +* **Cost:** Free + +### **GitLens (by GitKraken)** +* **What it does:** Provides "blame" annotations and repository heatmaps. +* **Why you want it:** Crucial for tracking *why* a system configuration was changed three months ago. +* **Cost:** Free Core (Pro features available via sub) + +### **Remote - SSH (by Microsoft)** +* **What it does:** Connects VSCode directly to your Control Node over SSH. +* **Why you want it:** Allows you to code on your main PC but use the environment/tools installed on the Control Node. +* **Cost:** Free + +--- + +## 3. Configuration Files + +To ensure the tools above work correctly, the following files should exist in your project root: + +1. **`.ansible-lint`**: Defines the "Safety" profile to enforce architecture standards. +2. **`ansible.cfg`**: Configures default inventory paths and SSH behavior. +3. **`.ssh/id_ed25519`**: The private key used for node authentication. + +--- + +## 4. LLM Context Hook +When using an LLM to generate code for this project, provide the following context to ensure compatibility: + +> "My environment uses **Ansible-Core** with the **Proxmoxer** API library. I enforce standards via **Ansible-Lint** using the **safety** profile. All playbooks must pass these checks and use **ED25519** keys for authentication." \ No newline at end of file