
infra-general

Ansible-based infrastructure automation for server normalization.

Features

  • DDNS: Dynamic DNS registration via dynv6.com
  • Passwordless sudo: grants every member of the sudo group sudo without a password
  • User management: creates the user named by the ANSIBLE_USER env var and adds it to the sudo group

Project Structure

.
├── .github/workflows/
│   └── deploy.yaml           # CI/CD workflow (supports manual runs)
├── ansible/
│   ├── ansible.cfg            # Ansible configuration
│   ├── normalize.yaml         # Main playbook
│   ├── inventory/
│   │   └── dev/
│   │       └── hosts.yaml     # Development inventory
│   └── roles/
│       ├── ddns/              # Dynamic DNS registration
│       ├── sudo/              # Passwordless sudo configuration
│       ├── user/              # User creation and management
│       └── nftables/          # Firewall rules
├── pyproject.toml             # Python dependencies
└── README.md

Roles

The normalize.yaml playbook applies the following roles in order:

  1. sudo - Configures passwordless sudo access

    • Creates a sudoers configuration for members of the sudo group
    • Enables passwordless sudo for administrative tasks; every account in the sudo group can then become root without a password, so membership of that group is the effective root boundary on the host
  2. ddns - Registers host with dynv6.com DDNS service

    • Deploys update script and systemd service
    • Configures periodic IP updates via cron
  3. user - Creates and configures user account

    • Creates user from ANSIBLE_USER environment variable
    • Adds user to sudo group
    • Sets system-wide ENVIRONMENT=dev marker

Note: The nftables role exists in ansible/roles/ but is not currently applied by the playbook.
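The following tasks are an added illustration of what the sudo role described above does, not the repository's own role code. The drop-in file names and the second, narrower rule are assumptions; the README only states that the role grants the sudo group passwordless sudo. The point a practitioner wants here is the validate: step, which runs visudo on the temporary file before it is moved into place, because a malformed sudoers drop-in can lock every administrator out of sudo.

```yaml
# Added example (not the repository's sudo role). File names and the
# narrower alternative rule are assumptions, not taken from the project.
- name: Grant the sudo group passwordless sudo (what the README describes)
  ansible.builtin.copy:
    dest: /etc/sudoers.d/90-sudo-group-nopasswd
    content: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL\n"
    owner: root
    group: root
    mode: "0440"
    # visudo -cf parses the candidate file; copy aborts on a non-zero exit,
    # so a syntax error never reaches /etc/sudoers.d.
    validate: /usr/sbin/visudo -cf %s
  become: true

# Narrower alternative: only the automation account (ANSIBLE_USER) skips
# the password, so other humans in the sudo group still authenticate.
# Use one rule or the other, not both.
- name: Grant only the automation user passwordless sudo (alternative)
  ansible.builtin.copy:
    dest: /etc/sudoers.d/91-automation-nopasswd
    content: "{{ lookup('env', 'ANSIBLE_USER') | default('ansible', true) }} ALL=(ALL:ALL) NOPASSWD: ALL\n"
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  become: true
```

Mode 0440 and root ownership match what sudo expects for drop-ins; sudo refuses files that are world-writable or owned by another user. The second rule is the least-privilege variant: it keeps the automation account working without widening the password-free path to everyone who is later added to the sudo group.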

Quick Start

Export ANSIBLE_USER, DDNS_TOKEN and the HOST_N* variables first: the inventory reads them with lookup('env'), and a missing one silently falls back to a placeholder string or an empty value rather than failing.

cd ansible
ansible-playbook normalize.yaml -v

Adding a New Host

1. Update Inventory

Edit ansible/inventory/dev/hosts.yaml and add an entry alongside the existing hosts. Every value is read from the environment at run time; the default(...) filters mean a missing variable yields a placeholder string (or an empty become password) instead of an error, so confirm the variables are set before running the play:

hosts:
  host_2:
    ansible_host: "{{ lookup('env', 'HOST_2') | default('failed_to_provide_host') }}"
    ansible_host_fallback: "{{ lookup('env', 'HOST_2_IP') | default('') }}"
    ansible_become_password: "{{ lookup('env', 'HOST_2_ROOT_PASSWORD') | default('') }}"
    ddns_hostname: "{{ lookup('env', 'HOST_2') | default('failed_to_provide_host') }}"
    ddns_token: "{{ lookup('env', 'DDNS_TOKEN') | default('failed_to_provide_ddns_token') }}"

2. Update GitHub Actions Workflow

Edit .github/workflows/deploy.yaml to add environment variables:

- name: Set environment variables
  run: |
    # ... existing vars ...
    # - host_2
    echo "HOST_2=${{ vars.HOST_2 }}" >> $GITHUB_ENV
    echo "HOST_2_IP=${{ vars.HOST_2_IP }}" >> $GITHUB_ENV
    echo "HOST_2_ROOT_PASSWORD=${{ secrets.HOST_2_ROOT_PASSWORD }}" >> $GITHUB_ENV

3. Configure GitHub Secrets/Variables

In your GitHub repository settings:

Variables (Settings → Secrets and variables → Actions → Variables):

  • HOST_2: Hostname (e.g., server.example.com)
  • HOST_2_IP: Fallback IP address (e.g., 203.0.113.1)

Secrets (Settings → Secrets and variables → Actions → Secrets):

  • HOST_2_ROOT_PASSWORD: Root/sudo password used as ansible_become_password for initial setup, i.e. until the sudo role has configured passwordless sudo
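The three steps above, as one added workflow example that is not the repository's deploy.yaml. Job name, action versions, the install step and the working directory are assumptions. It differs from the echo pattern in step 2 in one respect: the variables and secrets are declared in the job's env: block, so they reach ansible-playbook (which reads them via lookup('env')) without ever being expanded into a shell command line or appended to $GITHUB_ENV, where a value containing quotes or a newline would be split across lines of the env file.

```yaml
# Added example (not the repository's workflow). Job name, action versions,
# the install step, the working directory and the inventory layout for the
# dev/prod choice are assumptions.
name: deploy

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Inventory to deploy
        type: choice
        options: [dev, prod]
        default: dev
  push:
    branches: [development]

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      ANSIBLE_USER: ansible
      INVENTORY_ENV: ${{ inputs.environment || 'dev' }}
      # Non-secret values come from repository Variables ...
      HOST_2: ${{ vars.HOST_2 }}
      HOST_2_IP: ${{ vars.HOST_2_IP }}
      # ... and credentials from repository Secrets. Neither passes through
      # a run: script, so shell quoting and GITHUB_ENV parsing never see them.
      HOST_2_ROOT_PASSWORD: ${{ secrets.HOST_2_ROOT_PASSWORD }}
      DDNS_TOKEN: ${{ secrets.DDNS_TOKEN }}
    defaults:
      run:
        working-directory: ansible
    steps:
      - uses: actions/checkout@v4

      - name: Install Ansible and ansible-lint
        run: pip install ansible ansible-lint

      - name: Syntax check
        run: ansible-playbook -i "inventory/$INVENTORY_ENV" normalize.yaml --syntax-check

      - name: Lint
        run: ansible-lint normalize.yaml

      - name: Deploy
        run: ansible-playbook -i "inventory/$INVENTORY_ENV" normalize.yaml -v
```

GitHub masks registered secrets in the job log either way, but masking only applies to output; keeping secrets out of run: scripts and out of $GITHUB_ENV removes the places where a hostile value could change what the step executes. Adding a third host means adding two lines under env: rather than three echo lines.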

Environment Variables

  • ANSIBLE_USER: Username to create (default: ansible)
  • DDNS_TOKEN: dynv6.com token; treat it as a secret (store it as a GitHub Actions secret, not a variable)
  • HOST_N: Hostname for host N
  • HOST_N_IP: Fallback IP for host N
  • HOST_N_ROOT_PASSWORD: Root/sudo password for host N, used as ansible_become_password

Note: INBOUND_ALLOWED_IPV4_SUBNETS and INBOUND_ALLOWED_IPV6_SUBNETS are defined in the workflow but not used since the nftables role is not applied.

Connection Fallback

If the primary hostname (HOST_N) is unreachable, the playbook retries using the fallback IP address (HOST_N_IP), which the inventory exposes as ansible_host_fallback. Note that ansible_host_fallback is a custom inventory variable of this project, not a built-in Ansible connection setting, so the fallback logic lives in the playbook rather than in Ansible itself. The connection timeout is 10 seconds.
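One way to implement the fallback described above, as an added example and not the repository's playbook. It assumes the inventory sets ansible_host and ansible_host_fallback as shown in this README; the play name, the probe tasks and the reuse of the 10-second timeout are illustrative.

```yaml
# Added example (not the repository's normalize.yaml). Assumes the inventory
# variables ansible_host and ansible_host_fallback from this README.
- name: Reach each host by hostname, falling back to its IP
  hosts: all
  gather_facts: false
  tasks:
    - name: Probe the primary address (ansible_host)
      ansible.builtin.wait_for_connection:
        timeout: 10            # same budget as the documented connection timeout
      ignore_errors: true      # a failed probe must not drop the host from the play
      register: primary

    - name: Switch to the fallback IP when the hostname did not answer
      ansible.builtin.set_fact:
        ansible_host: "{{ ansible_host_fallback }}"
      when:
        - primary is failed
        - ansible_host_fallback | default('') | length > 0

    # The SSH connection is cached per host; drop it so the next task
    # connects to the updated ansible_host instead of the stale one.
    - name: Reset the connection so the new address is used
      ansible.builtin.meta: reset_connection

    - name: Fail clearly if neither address answers
      ansible.builtin.wait_for_connection:
        timeout: 10

# Subsequent plays in the same run (e.g. the one applying sudo/ddns/user)
# inherit the updated ansible_host for hosts that fell back.
```

Resetting the connection unconditionally is deliberate: it is harmless for hosts that answered on the first try, and it avoids relying on conditional meta tasks. The final probe without ignore_errors turns "both addresses dead" into a normal task failure with the host name in the message, instead of a confusing error later in the sudo or user role.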

CI/CD

GitHub Actions workflow (.github/workflows/deploy.yaml):

  • Manual runs: triggered via workflow_dispatch with an environment selection (dev/prod)
  • Automatic runs: triggered by merge commits to the development branch
  • Steps: syntax check → ansible-lint → deploy to the remote host
  • Python version: 3.12 in CI, while pyproject.toml requires >=3.13 for local development; CI therefore runs on an interpreter below the project's declared minimum, so align the two before relying on any 3.13-only behaviour
