Ansible/DevOpsLab
Template
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat: Переименование geop в cod и добавление ARM64 поддержки

Browse Source 
- Переименован пресет geop.yml в cod.yml
- Обновлены все группы с geop на cod
- Добавлена поддержка ARM64 для Astra Linux и RedOS
- Создан Dockerfile.arm64 для RedOS с исправлением конфликтов пакетов
- Улучшены разделители в логах Molecule
- Зашифрован файл vault/secrets.yml
- Обновлена роль devops с поддержкой vault
- Добавлены шаблоны для SSH и sudoers конфигураций
This commit is contained in:
Сергей Антропов
2025-10-27 19:43:26 +03:00
parent c66bb35f97
commit 5543ae4d27
25 changed files with 1531 additions and 931 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
molecule/default/converge.yml
View File

@@ -1,4 +1,7 @@
---
# =============================================================================
# CONVERGE - Сборка и запуск тестовых сценариев
# =============================================================================
- hosts: localhost
gather_facts: false
vars:
@@ -15,6 +18,18 @@
- /workspace/roles/**/vars/vault.yml
tasks:
# =============================================================================
# НАСТРОЙКА - Загрузка конфигурации и подготовка
# =============================================================================
- name: Configuration setup
debug:
msg: |
================================================================================
НАСТРОЙКА - Загрузка конфигурации и подготовка
================================================================================
Preset: {{ preset_name }}
================================================================================
- name: Load preset configuration
include_vars: "{{ preset_file }}"
when: preset_file is file
@@ -25,52 +40,55 @@
# container: ansible-controller
# command: bash -lc "ansible-galaxy collection install -r /workspace/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"
# =============================================================================
# VAULT - Работа с зашифрованными файлами
# =============================================================================
- name: Vault operations
debug:
msg: |
================================================================================
VAULT - Работа с зашифрованными файлами
================================================================================
Files: {{ vault_targets | length }} targets
================================================================================
- name: Preflight vault — normalize state (encrypt if plaintext, then decrypt)
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc '
set -euo pipefail; shopt -s nullglob globstar;
for p in {{ vault_targets | map('quote') | join(' ') }}; do
for f in $p; do
[ -f "$f" ] || continue;
if head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;"; then
echo "[vault] already encrypted: $f";
else
echo "[vault] plaintext -> encrypt: $f";
ansible-vault encrypt --encrypt-vault-id default --vault-password-file /workspace/vault/.vault "$f";
fi
echo "[vault] decrypt for run: $f";
ansible-vault decrypt --vault-password-file /workspace/vault/.vault "$f";
done
done
'
command: "bash -c 'VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"/workspace/vault/secrets.yml\" ]; then ansible-vault decrypt --vault-password-file \"$VAULT_PASSWORD_FILE\" /workspace/vault/secrets.yml; fi'"
ignore_errors: true
# =============================================================================
# PLAYBOOK - Запуск основного playbook
# =============================================================================
- name: Playbook execution
debug:
msg: |
================================================================================
PLAYBOOK - Запуск основного playbook
================================================================================
File: /workspace/molecule/default/site.yml
================================================================================
- name: Run lab playbook
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc "
ANSIBLE_ROLES_PATH=/workspace/roles
ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini /workspace/molecule/default/site.yml
"
command: "bash -c 'ANSIBLE_ROLES_PATH=/workspace/roles; VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; VAULT_SECRETS_FILE=\"/workspace/vault/secrets.yml\"; INVENTORY_FILE=\"/tmp/molecule_workspace/inventory/hosts.ini\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"$VAULT_SECRETS_FILE\" ]; then ansible-playbook -i \"$INVENTORY_FILE\" /workspace/molecule/default/site.yml --vault-password-file \"$VAULT_PASSWORD_FILE\" -e \"vault_file_path=$VAULT_SECRETS_FILE\"; else ansible-playbook -i \"$INVENTORY_FILE\" /workspace/molecule/default/site.yml; fi'"
# =============================================================================
# CLEANUP - Перешифровка файлов после выполнения
# =============================================================================
- name: Cleanup operations
debug:
msg: |
================================================================================
CLEANUP - Перешифровка файлов после выполнения
================================================================================
Re-encrypting vault files
================================================================================
- name: Post-run — re-encrypt secrets
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc '
set -euo pipefail; shopt -s nullglob globstar;
for p in {{ vault_targets | map('quote') | join(' ') }}; do
for f in $p; do
[ -f "$f" ] || continue;
if head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;"; then
echo "[vault] ok (encrypted): $f";
else
echo "[vault] encrypt back: $f";
ansible-vault encrypt --encrypt-vault-id default --vault-password-file /workspace/vault/.vault "$f" || true;
fi
done
done
'
command: "bash -c 'VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"/workspace/vault/secrets.yml\" ]; then ansible-vault encrypt --encrypt-vault-id default --vault-password-file \"$VAULT_PASSWORD_FILE\" /workspace/vault/secrets.yml; fi'"
ignore_errors: true