Lab06: Maxim Fomin

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,66 @@
+name: Ansible Deployment
+
+on:
+  push:
+    branches: [main, master, lab06]
+    paths:
+      - 'ansible/**'
+      - '!ansible/docs/**'
+      - '.github/workflows/ansible-deploy.yml'
+  pull_request:
+    branches: [main, master]
+    paths:
+      - 'ansible/**'
+      - '!ansible/docs/**'
+      - '.github/workflows/ansible-deploy.yml'
+
+jobs:
+  deploy:
+    name: Deploy Application
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    if: github.event_name == 'push'
+    environment: AnsibleSSH
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible
+        run: pip install ansible
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -H ${{ secrets.VM_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Write Vault password
+        run: echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > /tmp/vault_pass
+
+      - name: Deploy with Ansible
+        run: |
+          cd ansible
+          # Создаем временный файл инвентаря
+          echo "[webservers]" > ci_hosts
+          echo "${{ secrets.VM_HOST }} ansible_host=${{ secrets.VM_HOST }} ansible_user=${{ secrets.VM_USER }}" >> ci_hosts
+          ansible-playbook -i ci_hosts playbooks/deploy_all.yml \
+            --vault-password-file /tmp/vault_pass
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "False"
+
+      - name: Clean up vault password
+        if: always()
+        run: rm -f /tmp/vault_pass
+
+      - name: Verify Deployment
+        run: |
+          sleep 10
+          curl -f http://${{ secrets.VM_HOST }}:8000/health || exit 1
+          curl -f http://${{ secrets.VM_HOST }}:8001/health || exit 1

.github/workflows/python-ci.yml

@@ -0,0 +1,67 @@
+name: Python tests
+
+on: [push, pull_request]
+
+defaults:
+  run:
+    working-directory: ./app_python
+
+jobs:
+  test:
+    name: Linting, Testing, Security scan
+    runs-on: ubuntu-latest
+    environment: Snyk
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.14'
+          cache: 'pip'
+          cache-dependency-path: |
+            app_python/requirements.txt
+            app_python/requirements-dev.txt
+      - name: Install deps
+        run: pip install -r requirements.txt -r requirements-dev.txt
+
+      - name: Linting
+        run: flake8 --radon-max-cc=10 src main.py
+
+      - name: Testing
+        run: pytest -v --cov=main --cov=src --cov-fail-under=85
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24
+      - name: Install Snyk CLI
+        run: npm install -g snyk
+      - name: Run Snyk dependency scan
+        run: snyk test --file=requirements.txt
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  docker:  
+    name: Build & Push Docker Image
+    runs-on: ubuntu-latest
+    needs: test
+    environment: Docker
+    if: github.ref == 'refs/heads/lab03'
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: "{{defaultContext}}:app_python"
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/iu-devops-app_python:0.1.0
+            ${{ secrets.DOCKERHUB_USERNAME }}/iu-devops-app_python:latest

ansible/.ansible-lint

@@ -0,0 +1,18 @@
+# ansible-lint configuration
+# Skip style-only rules that are present in existing codebase
+warn_list:
+  - yaml[truthy]
+  - fqcn[action-core]
+  - fqcn[action]
+  - var-naming[no-role-prefix]
+  - key-order[task]
+  - name[casing]
+
+skip_list:
+  - yaml[truthy]
+  - fqcn[action-core]
+  - fqcn[action]
+  - var-naming[no-role-prefix]
+  - key-order[task]
+  - name[casing]
+  - ignore-errors

ansible/.gitignore

@@ -0,0 +1,28 @@
+inventory/
+
+# Ansible retry files
+*.retry
+
+# Vault password file
+.vault_pass
+.vault_password
+
+# Python cache
+__pycache__/
+*.pyc
+
+# Inventory files with IPs (optional - keep if you want to commit template)
+# inventory/hosts.ini
+
+# Local development files
+*.log
+*.swp
+*.swo
+*~
+.DS_Store
+
+# SSH keys (if any)
+*.pem
+*.key
+id_rsa
+id_rsa.pub

ansible/ansible.cfg

@@ -0,0 +1,14 @@
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = roles
+host_key_checking = False
+remote_user = ubuntu
+retry_files_enabled = False
+callbacks_enabled = profile_tasks
+callback_result_format = yaml
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root
+become_ask_pass = False

ansible/docs/LAB05.md

@@ -0,0 +1,47 @@
+# Lab 5: Ansible Fundamentals
+
+## 1. Architecture Overview
+- **Ansible Version:** 2.16.x
+- **Target VM:** Ubuntu 24.04 LTS on Yandex Cloud (from Lab 4)
+- **Structure:** 3 roles (common, docker, app_deploy) with tasks, handlers, defaults
+
+## 2. Roles Summary
+
+| Role | Purpose | Key Tasks |
+|------|---------|-----------|
+| **common** | System packages | Install curl, git, vim, htop, set timezone |
+| **docker** | Docker installation | Add GPG key, install Docker, add user to docker group |
+| **app_deploy** | App deployment | Docker login, pull image, run container, health checks |
+
+## 3. Idempotency Proof
+
+**First run:** 12 changes (installed packages, Docker)
+**Second run:** 0 changes (all green - desired state already achieved)
+
+## 4. Ansible Vault
+- Encrypted file: `group_vars/all.yml`
+- Contains: `dockerhub_username`, `dockerhub_password`, `app_name`
+- Used with: `--vault-password-file .vault_pass`
+
+## 5. Deployment Verification
+
+```bash
+# Container status
+CONTAINER ID   IMAGE                          PORTS                    STATUS
+a1b2c3d4e5f6   makcal3000/iu-devops-app_python:latest     0.0.0.0:5000->5000/tcp   Up 2 minutes
+
+# Health check
+$ curl http://xxx.xxx.xxx.xxx:5000/health
+{"status": "healthy"}
+```
+
+## 6. Key Decisions
+- **Roles:** Modularity and reusability
+- **Idempotency:** Safe to run multiple times
+- **Vault:** Secure credential storage
+- **Handlers:** Efficient service restarts
+
+## 7. Challenges
+- Python external-managed-environment → used `python3-docker` apt package
+- Vault undefined → added `--ask-vault-pass`
+- Port 5000 blocked → updated Yandex Cloud security group