From 26f713ee9e5aa65033c5044e9cc2f3bbd498d718 Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 14:28:02 -0500
Subject: [PATCH] refactor(core): update ansible configuration and playbooks

- Update ansible.cfg with new configuration
- Modify inventory/group_vars/all.yml for group variables
- Update playbooks/services.yml service definitions
- Remove deprecated playbooks/deploy.yml
Implements: Configuration updates for new service architecture
---
 ansible.cfg | 2 +-
 inventory/group_vars/all.yml | 26 ++++++++++++++++++++++++++
 playbooks/deploy.yml | 27 ---------------------------
 playbooks/services.yml | 21 ---------------------
 4 files changed, 27 insertions(+), 49 deletions(-)
 delete mode 100644 playbooks/deploy.yml

diff --git a/ansible.cfg b/ansible.cfg
index c522c96..4c31ddd 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -7,4 +7,4 @@ interpreter_python=/usr/bin/python3
 vault_password_file = secrets/.vault_pass
 [ssh_connection]
-ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=~/.ansible/cp/ansible-ssh-%%h-%%p-%%r -o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=~/.ansible/cp/ansible-ssh-%%h-%%p-%%r -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 96fe33c..1f5619a 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
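Review bot: The new `StrictHostKeyChecking=yes` in `ssh_args` refuses any host whose key is not already in the controller's known_hosts, and neither the hunk nor the commit message ("Update ansible.cfg with new configuration") says how known_hosts is provisioned, so the first run against a freshly rebuilt host will fail with no hint why. This is the right hardening over `accept-new`, which trusted whatever key answered first; it just needs to be documented next to the line, e.g. `# StrictHostKeyChecking=yes: host keys must be pre-seeded in known_hosts from an out-of-band fingerprint check before the first run`, with the seeding step named in the commit description. It is also worth confirming that Ansible's own `host_key_checking` option in `[defaults]` (outside this hunk) is not set to False, since the two settings should agree rather than one quietly weakening the other. The remainder of ansible.cfg is outside the hunk.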
@@ -15,6 +15,32 @@ web_apps_port: 80
 auth_hostname: "auth.jfraeys.com"
 lldap_base_dn: "dc=jfraeys,dc=com"
+# Cloudflare IP ranges for firewall allowlisting
+cloudflare_ips:
+ - 173.245.48.0/20
+ - 103.21.244.0/22
+ - 103.22.200.0/22
+ - 103.31.4.0/22
+ - 141.101.64.0/18
+ - 108.162.192.0/18
+ - 190.93.240.0/20
+ - 188.114.96.0/20
+ - 197.234.240.0/22
+ - 198.41.128.0/17
+ - 162.158.0.0/15
+ - 104.16.0.0/13
+ - 104.24.0.0/14
+ - 172.64.0.0/13
+ - 131.0.72.0/22
+ # IPv6 ranges
+ - 2400:cb00::/32
+ - 2606:4700::/32
+ - 2803:f800::/32
+ - 2405:b500::/32
+ - 2405:8100::/32
+ - 2a06:98c0::/29
+ - 2c0f:f248::/32
+
 # App deployment versioning - overridden at deploy time via --extra-vars
 app_version: "latest"
 app_name: ""
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
deleted file mode 100644
index d293dec..0000000
--- a/playbooks/deploy.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: Deploy all services
- hosts: services_hosts
- become: true
-
- pre_tasks:
- - name: Load vault vars if present
- include_vars:
- file: ../secrets/vault.yml
- ignore_errors: true
-
- roles:
- - docker
- - fail2ban
- - traefik
- - lldap
- - authelia
- - exporters
- - prometheus
- - loki
- - grafana
- - forgejo
- - watchtower
- - role: airflow
- when: deploy_airflow | default(false)
- - role: spark
- when: deploy_spark | default(false)
diff --git a/playbooks/services.yml b/playbooks/services.yml
index 8be1898..4e0324d 100644
--- a/playbooks/services.yml
+++ b/playbooks/services.yml
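Review bot: `cloudflare_ips` is a hard-coded snapshot of Cloudflare's published ranges with no source or review date, so nothing tells the next maintainer when it was taken or how to tell it has drifted; Cloudflare does revise these lists, and a stale allowlist either silently drops edge traffic or keeps admitting prefixes that are no longer theirs. I would extend the header comment to `# Cloudflare IP ranges for firewall allowlisting — source: https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, last verified: <YYYY-MM-DD>` and make re-checking the list against those URLs a step in the deploy runbook. The entries appear to match the published lists at the time of review, but that should be confirmed against the source rather than taken from this note. Separately, an edge allowlist only shows that a packet traversed Cloudflare's network, not that it was proxied for this zone, so whatever origin-side validation of proxied requests exists in the Traefik setup (the playbooks/services.yml hunk hints at origin TLS checks) should not be loosened on the strength of this list.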
@@ -169,24 +169,3 @@
 delay: 5
 until: authelia_origin_tls.rc == 0
 tags: [authelia]
-
-# Prometheus post-tasks disabled (monitoring stack not deployed on 1GB node)
- # - name: Trigger Traefik certificate request for Prometheus hostname
- # command: curl -k -s -o /dev/null -w "%{http_code}" --resolve "{{ prometheus_hostname }}:443:127.0.0.1" "https://{{ prometheus_hostname }}/"
- # register: prometheus_tls_warmup
- # changed_when: false
- # retries: 30
- # delay: 2
- # until: prometheus_tls_warmup.stdout != '000'
- # tags: [prometheus]
- #
- # - name: Wait for Traefik certificate SAN to include Prometheus hostname
- # shell: |
- # set -euo pipefail
- # echo | openssl s_client -servername "{{ prometheus_hostname }}" -connect 127.0.0.1:443 2>/dev/null | openssl x509 -noout -text | grep -q "DNS:{{ prometheus_hostname }}"
- # register: prometheus_origin_tls
- # changed_when: false
- # retries: 90
- # delay: 5
- # until: prometheus_origin_tls.rc == 0
- # tags: [prometheus]