Lab 6: blocks/tags, Docker Compose, wipe logic, CI/CD

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,70 @@
+name: Ansible Deployment
+
+on:
+  push:
+    branches: [master, lab06]
+    paths:
+      - 'ansible/**'
+      - '!ansible/docs/**'
+      - '.github/workflows/ansible-deploy.yml'
+  pull_request:
+    branches: [master]
+    paths:
+      - 'ansible/**'
+      - '.github/workflows/ansible-deploy.yml'
+
+jobs:
+  lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible and ansible-lint
+        run: pip install ansible ansible-lint
+
+      - name: Run ansible-lint
+        env:
+          ANSIBLE_VAULT_PASSWORD_FILE: ""
+        run: |
+          cd ansible
+          # Remove vault_password_file from cfg for lint
+          sed -i '/vault_password_file/d' ansible.cfg
+          ansible-lint playbooks/provision.yml playbooks/deploy.yml playbooks/site.yml
+
+  deploy:
+    name: Deploy Application
+    needs: lint
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Install Ansible
+        run: pip install ansible
+      - name: Install collections
+        run: ansible-galaxy collection install community.docker community.general
+      - name: Configure SSH
+        run: |
+          mkdir -p ~/.ssh
+          printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -H "${{ secrets.VM_HOST }}" >> ~/.ssh/known_hosts
+      - name: Deploy
+        env:
+          VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+        run: |
+          printf '%s' "$VAULT_PASS" > /tmp/vault_pass
+          cd ansible
+          ansible-playbook playbooks/deploy.yml --vault-password-file /tmp/vault_pass
+      - name: Cleanup
+        if: always()
+        run: rm -f /tmp/vault_pass
+      - name: Verify health
+        run: sleep 10 && curl -f "http://${{ secrets.VM_HOST }}:5000/health"

.gitignore

@@ -1 +1 @@
-test
+test.vault_pass

ansible/.ansible-lint

@@ -0,0 +1,9 @@
+warn_list:
+  - key-order
+  - var-naming
+  - name
+
+skip_list:
+  - key-order[task]
+  - var-naming[no-role-prefix]
+  - name[casing]

ansible/ansible.cfg

@@ -1,12 +1,11 @@
-[defaults]
-vault_password_file = .vault_pass
-inventory = inventory/hosts.ini
-roles_path = roles
-host_key_checking = False
-remote_user = ubuntu
-retry_files_enabled = False
-
-[privilege_escalation]
-become = True
-become_method = sudo
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = roles
+host_key_checking = False
+remote_user = ubuntu
+retry_files_enabled = False
+
+[privilege_escalation]
+become = True
+become_method = sudo
 become_user = root