Lab 9: Murzin Ivan

.flake8

@@ -0,0 +1,3 @@
+[flake8]
+max-line-length = 120
+exclude = .git,__pycache__,.venv,venv,app_python/.venv,app_python/venv

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,124 @@
+name: Ansible Deploy (Python App)
+
+on:
+  push:
+    branches: [main, master, lab06]
+    paths:
+      - 'ansible/vars/app_python.yml'
+      - 'ansible/playbooks/provision.yml'
+      - 'ansible/playbooks/deploy.yml'
+      - 'ansible/playbooks/deploy_python.yml'
+      - 'ansible/roles/common/**'
+      - 'ansible/roles/docker/**'
+      - 'ansible/roles/web_app/**'
+      - '.github/workflows/ansible-deploy.yml'
+      - '!ansible/docs/**'
+  pull_request:
+    branches: [main, master, lab06]
+    paths:
+      - 'ansible/**'
+      - '.github/workflows/ansible-deploy.yml'
+  workflow_dispatch:
+
+jobs:
+  lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible tooling
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible-core ansible-lint
+          ansible-galaxy collection install community.docker community.general
+
+      - name: Run ansible-lint
+        run: |
+          cd ansible
+          ansible-lint playbooks/*.yml roles/*
+
+  deploy:
+    name: Deploy Python App
+    needs: lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible and collections
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible-core
+          ansible-galaxy collection install community.docker community.general
+
+      - name: Configure SSH access
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+        run: |
+          set -euo pipefail
+          mkdir -p ~/.ssh
+          KEY="${SSH_PRIVATE_KEY:-}"
+          if [ -z "$KEY" ]; then
+            echo "SSH_PRIVATE_KEY secret is empty" >&2
+            exit 1
+          fi
+
+          # Detect public key accidentally pasted into secret.
+          if printf '%s' "$KEY" | grep -qE '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-) '; then
+            echo "SSH_PRIVATE_KEY looks like a public key. Paste private key block (BEGIN ... PRIVATE KEY)." >&2
+            exit 1
+          fi
+
+          # Support both escaped newlines (\\n) and regular multiline secrets.
+          if printf '%s' "$KEY" | grep -q '\\n'; then
+            printf '%b' "$KEY" > ~/.ssh/id_ed25519
+          else
+            printf '%s\n' "$KEY" > ~/.ssh/id_ed25519
+          fi
+          tr -d '\r' < ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.clean
+          mv ~/.ssh/id_ed25519.clean ~/.ssh/id_ed25519
+
+          # Fallback: support base64-encoded private key secret.
+          if ! grep -Eq 'BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY' ~/.ssh/id_ed25519; then
+            if printf '%s' "$KEY" | base64 -d > ~/.ssh/id_ed25519 2>/dev/null && grep -Eq 'BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY' ~/.ssh/id_ed25519; then
+              :
+            else
+              echo "SSH_PRIVATE_KEY has invalid format. Provide raw private key block or base64-encoded private key." >&2
+              exit 1
+            fi
+          fi
+
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -H ${{ secrets.VM_HOST }} >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
+
+      - name: Run deployment playbook
+        env:
+          ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          cd ansible
+          printf "%s" "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault_pass
+          ansible-playbook playbooks/deploy_python.yml \
+            -i inventory/hosts.ini \
+            --vault-password-file /tmp/vault_pass
+          rm -f /tmp/vault_pass
+
+      - name: Verify deployment
+        run: |
+          sleep 10
+          curl -fsS http://${{ secrets.VM_HOST }}:5000
+          curl -fsS http://${{ secrets.VM_HOST }}:5000/health

.github/workflows/python-ci.yml

@@ -0,0 +1,132 @@
+name: Python CI — tests, lint, build & push
+
+on:
+  push:
+    branches: [ main, master, lab3 ]
+    tags: [ '*' ]
+    paths:
+      - 'app_python/**'
+      - '.github/workflows/python-ci.yml'
+  pull_request:
+    branches: [ main, master ]
+    paths:
+      - 'app_python/**'
+  workflow_dispatch:
+
+concurrency:
+  group: python-ci-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  IMAGE: ${{ secrets.DOCKERHUB_REPO }}
+
+permissions:
+  contents: read
+
+jobs:
+  test-and-lint:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12"]
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: |
+            app_python/requirements.txt
+            app_python/requirements-dev.txt
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r app_python/requirements.txt
+          pip install -r app_python/requirements-dev.txt
+
+      - name: Lint (flake8)
+        run: flake8 app_python
+
+      - name: Run tests
+        run: pytest --maxfail=1 -q
+
+      - name: Snyk dependency scan
+        if: ${{ env.SNYK_TOKEN != '' }}
+        uses: snyk/actions/python@master
+        with:
+          command: test
+          args: >-
+            --file=app_python/requirements.txt
+            --package-manager=pip
+            --skip-unresolved
+            --severity-threshold=high
+        timeout-minutes: 5
+        env:
+          SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
+
+  build-and-push:
+    runs-on: ubuntu-latest
+    needs: test-and-lint
+    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.ref == 'refs/heads/lab3' || startsWith(github.ref, 'refs/tags/')
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Ensure target image is configured
+        run: |
+          if [ -z "${IMAGE}" ]; then
+            echo "DOCKERHUB_REPO secret is not configured" >&2
+            exit 1
+          fi
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Determine version (CalVer)
+        id: calver
+        run: |
+          DATE=$(date -u +%Y.%m.%d)
+          VERSION="$DATE-${GITHUB_RUN_NUMBER}"
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./app_python
+          push: true
+          tags: |
+            ${{ env.IMAGE }}:${{ env.VERSION }}
+            ${{ env.IMAGE }}:latest
+
+      - name: Snyk scan (optional)
+        if: ${{ env.SNYK_TOKEN != '' }}
+        uses: snyk/actions/python@master
+        with:
+          command: test
+          args: >-
+            --file=app_python/requirements.txt
+            --package-manager=pip
+            --skip-unresolved
+            --severity-threshold=high
+        timeout-minutes: 5
+        env:
+          SNYK_TOKEN: ${{ env.SNYK_TOKEN }}

.gitignore

@@ -1 +1,13 @@
-test
+test
+
+# Environment secrets
+.env
+**/.env
+*.env
+
+# Local vault password helper
+.vault_pass_tmp
+
+# Python cache
+__pycache__/
+*.pyc

.vault_pass_tmp

@@ -0,0 +1 @@
+lab05-temp-vault

ansible/ansible.cfg

@@ -0,0 +1,11 @@
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = roles
+host_key_checking = False
+remote_user = devops
+retry_files_enabled = False
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root