Feature/lab18

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,97 @@
+name: Ansible Deploy
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - lab6
+      - lab06
+      - lab7
+      - lab07
+    paths:
+      - "ansible/**"
+      - ".github/workflows/ansible-deploy.yml"
+  pull_request:
+    paths:
+      - "ansible/**"
+      - ".github/workflows/ansible-deploy.yml"
+
+concurrency:
+  group: ansible-deploy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  syntax-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install Ansible
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible
+
+      - name: Write vault password file
+        run: |
+          echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > ~/.vault_pass.txt
+          chmod 600 ~/.vault_pass.txt
+
+      - name: Show Ansible version
+        run: ansible --version
+
+      - name: Syntax check provision playbook
+        working-directory: ansible
+        run: ansible-playbook -i inventory/hosts.ini playbooks/provision.yml --syntax-check --vault-password-file ~/.vault_pass.txt
+
+      - name: Syntax check deploy playbook
+        working-directory: ansible
+        run: ansible-playbook -i inventory/hosts.ini playbooks/deploy.yml --syntax-check --vault-password-file ~/.vault_pass.txt
+
+  deploy:
+    needs: syntax-check
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -H "${{ secrets.SERVER_HOST }}" >> ~/.ssh/known_hosts
+
+      - name: Write vault password file
+        run: |
+          echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > ~/.vault_pass.txt
+          chmod 600 ~/.vault_pass.txt
+
+      - name: Write inventory from secrets
+        run: |
+          cat > ansible/inventory/hosts.ini <<INVENTORY
+          [webservers]
+          app-server ansible_host=${{ secrets.SERVER_HOST }} ansible_user=${{ secrets.SERVER_USER }} ansible_ssh_private_key_file=~/.ssh/id_rsa
+          INVENTORY
+
+      - name: Install Ansible
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible
+
+      - name: Run provision playbook
+        working-directory: ansible
+        run: ansible-playbook -i inventory/hosts.ini playbooks/provision.yml --vault-password-file ~/.vault_pass.txt
+
+      - name: Run deploy playbook
+        working-directory: ansible
+        run: ansible-playbook -i inventory/hosts.ini playbooks/deploy.yml --vault-password-file ~/.vault_pass.txt

.github/workflows/python-ci.yml

@@ -0,0 +1,87 @@
+name: Python CI (Lab03)
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - "lab*"
+    paths:
+      - "app_python/**"
+      - "monitoring/**"
+      - "ansible/**"
+      - "k8s/**"
+      - "playbooks/**"
+      - "app-python-chart/**"
+      - ".github/workflows/python-ci.yml"
+  pull_request:
+    paths:
+      - "app_python/**"
+      - "monitoring/**"
+      - "ansible/**"
+      - "k8s/**"
+      - "playbooks/**"
+      - ".github/workflows/python-ci.yml"
+
+concurrency:
+  group: python-ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-lint:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app_python
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+          cache-dependency-path: "app_python/requirements.txt"
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Lint (ruff)
+        run: ruff check .
+
+      - name: Tests
+        run: pytest -q
+
+  docker-build-push:
+    needs: test-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set version (CalVer)
+        run: |
+          echo "CALVER=$(date +%Y.%m)" >> $GITHUB_ENV
+          echo "BUILD=${{ github.run_number }}" >> $GITHUB_ENV
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build & Push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./app_python
+          file: ./app_python/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_USERNAME }}/devops-lab02-python:${{ env.CALVER }}.${{ env.BUILD }}
+            ${{ secrets.DOCKER_USERNAME }}/devops-lab02-python:latest

.github/workflows/terraform-ci.yml

@@ -0,0 +1,49 @@
+name: Terraform CI
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - lab4
+      - lab04
+      - lab5
+      - lab05
+      - lab6
+      - lab06
+      - lab7
+      - lab07
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-ci.yml"
+  pull_request:
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-ci.yml"
+
+concurrency:
+  group: terraform-ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  terraform-checks:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: terraform
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Terraform fmt check
+        run: terraform fmt -check -recursive
+
+      - name: Terraform init
+        run: terraform init -input=false
+
+      - name: Terraform validate
+        run: terraform validate

ansible/ansible.cfg

@@ -0,0 +1,12 @@
+[defaults]
+result_format = yaml
+inventory = inventory/hosts.ini
+roles_path = roles
+host_key_checking = False
+retry_files_enabled = False
+interpreter_python = auto_silent
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root

ansible/docs/LAB05.md

@@ -0,0 +1,142 @@
+# LAB05 --- Ansible Fundamentals
+
+## 1. Architecture Overview
+
+**Control node:** macOS (Apple Silicon M1), Ansible running locally in a
+Python virtual environment\
+**Target host:** Ubuntu 24.04 LTS virtual machine\
+**Automation approach:** role-based Ansible architecture
+
+This project uses a modular Ansible role structure to provision
+infrastructure and deploy a containerized Python application. Roles
+separate responsibilities into reusable components, making automation
+easier to maintain, reuse, and scale.
+
+Project structure:
+
+    ansible/
+    ├── ansible.cfg
+    ├── inventory/
+    │   └── hosts.ini
+    ├── playbooks/
+    │   ├── provision.yml
+    │   └── deploy.yml
+    ├── roles/
+    │   ├── common/
+    │   ├── docker/
+    │   └── web_app/
+    ├── group_vars/
+    │   └── all.yml (encrypted with Ansible Vault)
+    └── docs/
+        └── LAB05.md
+
+Roles were used instead of a single playbook because roles improve
+modularity, readability, and reusability.
+
+------------------------------------------------------------------------
+
+## 2. Roles Documentation
+
+### Role: common
+
+**Purpose:** Base system provisioning.
+
+Tasks performed:
+
+-   Waits for apt lock release
+-   Updates apt cache
+-   Installs essential packages
+-   Sets timezone
+
+------------------------------------------------------------------------
+
+### Role: docker
+
+**Purpose:** Install and configure Docker.
+
+Tasks performed:
+
+-   Adds Docker repository and GPG key
+-   Installs Docker Engine
+-   Starts and enables Docker service
+-   Adds user to docker group
+
+------------------------------------------------------------------------
+
+### Role: web_app
+
+**Purpose:** Deploy containerized application.
+
+Tasks performed:
+
+-   Logs in to Docker Hub using Vault credentials
+-   Pulls Docker image
+-   Starts container
+-   Performs health check
+
+------------------------------------------------------------------------
+
+## 3. Idempotency Demonstration
+
+First run:
+
+    changed=5
+
+Second run:
+
+    changed=0
+
+This proves the playbook is idempotent.
+
+------------------------------------------------------------------------
+
+## 4. Ansible Vault Usage
+
+Vault file:
+
+    group_vars/all.yml
+
+Used to store:
+
+-   Docker Hub username
+-   Docker Hub access token
+
+Vault ensures secrets are encrypted and secure.
+
+------------------------------------------------------------------------
+
+## 5. Deployment Verification
+
+Container running:
+
+    docker ps
+
+Output:
+
+    ostxxp/devops-lab02-python:latest
+    0.0.0.0:5000->5000/tcp
+
+Health check:
+
+    HTTP/1.1 200 OK
+    {"status":"healthy"}
+
+------------------------------------------------------------------------
+
+## 6. Key Decisions
+
+Roles were used to improve modularity and reusability.
+
+Handlers ensure services restart only when needed.
+
+Vault protects sensitive credentials.
+
+Tasks are idempotent to ensure consistent infrastructure state.
+
+------------------------------------------------------------------------
+
+## Conclusion
+
+Infrastructure provisioning and deployment were successfully automated
+using Ansible roles, Vault, and Docker. The deployment is secure,
+modular, and idempotent.