refactor(core): update ansible configuration and playbooks

- Update ansible.cfg with new configuration
- Modify inventory/group_vars/all.yml for group variables
- Update playbooks/services.yml service definitions
- Remove deprecated playbooks/deploy.yml

Implements: Configuration updates for new service architecture

ansible.cfg

@@ -7,4 +7,4 @@ interpreter_python=/usr/bin/python3
 vault_password_file = secrets/.vault_pass
 
 [ssh_connection]
-ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=~/.ansible/cp/ansible-ssh-%%h-%%p-%%r -o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=~/.ansible/cp/ansible-ssh-%%h-%%p-%%r -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes

inventory/group_vars/all.yml

@@ -15,6 +15,32 @@ web_apps_port: 80
 auth_hostname: "auth.jfraeys.com"
 lldap_base_dn: "dc=jfraeys,dc=com"
 
+# Cloudflare IP ranges for firewall allowlisting
+cloudflare_ips:
+  - 173.245.48.0/20
+  - 103.21.244.0/22
+  - 103.22.200.0/22
+  - 103.31.4.0/22
+  - 141.101.64.0/18
+  - 108.162.192.0/18
+  - 190.93.240.0/20
+  - 188.114.96.0/20
+  - 197.234.240.0/22
+  - 198.41.128.0/17
+  - 162.158.0.0/15
+  - 104.16.0.0/13
+  - 104.24.0.0/14
+  - 172.64.0.0/13
+  - 131.0.72.0/22
+  # IPv6 ranges
+  - 2400:cb00::/32
+  - 2606:4700::/32
+  - 2803:f800::/32
+  - 2405:b500::/32
+  - 2405:8100::/32
+  - 2a06:98c0::/29
+  - 2c0f:f248::/32
+
 # App deployment versioning - overridden at deploy time via --extra-vars
 app_version: "latest"
 app_name: ""

playbooks/deploy.yml

@@ -1,27 +0,0 @@
----
-- name: Deploy all services
-  hosts: services_hosts
-  become: true
-
-  pre_tasks:
-    - name: Load vault vars if present
-      include_vars:
-        file: ../secrets/vault.yml
-      ignore_errors: true
-
-  roles:
-    - docker
-    - fail2ban
-    - traefik
-    - lldap
-    - authelia
-    - exporters
-    - prometheus
-    - loki
-    - grafana
-    - forgejo
-    - watchtower
-    - role: airflow
-      when: deploy_airflow | default(false)
-    - role: spark
-      when: deploy_spark | default(false)

playbooks/services.yml

@@ -169,24 +169,3 @@
       delay: 5
       until: authelia_origin_tls.rc == 0
       tags: [authelia]
-
-# Prometheus post-tasks disabled (monitoring stack not deployed on 1GB node)
-    # - name: Trigger Traefik certificate request for Prometheus hostname
-    #   command: curl -k -s -o /dev/null -w "%{http_code}" --resolve "{{ prometheus_hostname }}:443:127.0.0.1" "https://{{ prometheus_hostname }}/"
-    #   register: prometheus_tls_warmup
-    #   changed_when: false
-    #   retries: 30
-    #   delay: 2
-    #   until: prometheus_tls_warmup.stdout != '000'
-    #   tags: [prometheus]
-    #
-    # - name: Wait for Traefik certificate SAN to include Prometheus hostname
-    #   shell: |
-    #     set -euo pipefail
-    #     echo | openssl s_client -servername "{{ prometheus_hostname }}" -connect 127.0.0.1:443 2>/dev/null | openssl x509 -noout -text | grep -q "DNS:{{ prometheus_hostname }}"
-    #   register: prometheus_origin_tls
-    #   changed_when: false
-    #   retries: 90
-    #   delay: 5
-    #   until: prometheus_origin_tls.rc == 0
-    #   tags: [prometheus]