4842c71cae
- Add deploy-app.yml playbook for application-specific deployments - Add web.yml playbook for web infrastructure management - Restructure tests/test_config.yml for better organization - Update inventory/group_vars/all.yml with new hostnames and settings
158 lines
5.1 KiB
YAML
158 lines
5.1 KiB
YAML
---
|
|
# Generic app deployment playbook
|
|
# Deploys any app without requiring per-app playbooks
|
|
# Required extra-vars: app_name, app_version
|
|
# Optional extra-vars: env (default: prod), app_port, app_env_vars
|
|
# Run on the web host (which acts as deployment server)
|
|
|
|
- hosts: localhost
|
|
become: true
|
|
vars:
|
|
env: "{{ env | default('prod') }}"
|
|
app_dir: "/opt/apps/{{ app_name }}"
|
|
app_binary: "{{ app_dir }}/app"
|
|
systemd_service: "{{ app_name }}"
|
|
artifacts_dir: "/opt/artifacts"
|
|
max_artifacts_to_keep: 5 # Keep last 5 versions for rollback
|
|
pre_tasks:
|
|
- name: Load vault vars if present
|
|
include_vars:
|
|
file: "{{ playbook_dir }}/../secrets/vault.yml"
|
|
when: (lookup('ansible.builtin.fileglob', playbook_dir ~ '/../secrets/vault.yml', wantlist=True) | length) > 0
|
|
tags: [vault]
|
|
|
|
- name: Validate required variables
|
|
assert:
|
|
that:
|
|
- app_name | length > 0
|
|
- app_version | length > 0
|
|
fail_msg: "app_name and app_version are required. Use --extra-vars 'app_name=myapp app_version=abc123'"
|
|
|
|
- name: Ensure app artifact exists on deployment server
|
|
stat:
|
|
path: "{{ artifacts_dir }}/{{ app_name }}-{{ app_version }}"
|
|
register: app_artifact
|
|
delegate_to: localhost
|
|
become: false
|
|
|
|
- name: Check for artifact checksum file
|
|
stat:
|
|
path: "{{ artifacts_dir }}/{{ app_name }}-{{ app_version }}.sha256"
|
|
register: artifact_checksum_file
|
|
delegate_to: localhost
|
|
become: false
|
|
|
|
- name: Verify artifact checksum (if available)
|
|
shell: |
|
|
cd {{ artifacts_dir }} && sha256sum -c {{ app_name }}-{{ app_version }}.sha256
|
|
register: checksum_result
|
|
changed_when: false
|
|
failed_when: checksum_result.rc != 0
|
|
when: artifact_checksum_file.stat.exists
|
|
delegate_to: localhost
|
|
become: false
|
|
vars:
|
|
ansible_ssh_pipelining: false
|
|
|
|
- name: Fail if artifact checksum verification fails
|
|
fail:
|
|
msg: "Artifact checksum verification failed for {{ app_name }}-{{ app_version }}. Possible tampering or corruption."
|
|
when:
|
|
- artifact_checksum_file.stat.exists
|
|
- checksum_result.rc != 0
|
|
delegate_to: localhost
|
|
become: false
|
|
|
|
- name: Warn if no checksum available
|
|
debug:
|
|
msg: "WARNING: No checksum file found for {{ app_name }}-{{ app_version }}. Skipping integrity verification."
|
|
when: not artifact_checksum_file.stat.exists
|
|
delegate_to: localhost
|
|
become: false
|
|
|
|
tasks:
|
|
- name: Ensure deploy user exists
|
|
user:
|
|
name: "{{ app_name }}"
|
|
system: true
|
|
create_home: false
|
|
shell: /bin/false
|
|
state: present
|
|
|
|
- name: Create app directory
|
|
file:
|
|
path: "{{ app_dir }}"
|
|
state: directory
|
|
owner: "{{ app_name }}"
|
|
group: "{{ app_name }}"
|
|
mode: '0755'
|
|
|
|
- name: Copy app artifact to target host
|
|
copy:
|
|
src: "{{ artifacts_dir }}/{{ app_name }}-{{ app_version }}"
|
|
dest: "{{ app_binary }}-{{ app_version }}"
|
|
owner: "{{ app_name }}"
|
|
group: "{{ app_name }}"
|
|
mode: '0755'
|
|
|
|
- name: Create/update current symlink for rollback capability
|
|
file:
|
|
src: "{{ app_binary }}-{{ app_version }}"
|
|
dest: "{{ app_binary }}"
|
|
state: link
|
|
force: yes
|
|
owner: "{{ app_name }}"
|
|
group: "{{ app_name }}"
|
|
|
|
- name: Record deployed version for rollback tracking
|
|
copy:
|
|
content: "{{ app_version }}"
|
|
dest: "{{ app_dir }}/.current-version"
|
|
owner: "{{ app_name }}"
|
|
group: "{{ app_name }}"
|
|
mode: '0644'
|
|
|
|
- name: Cleanup old artifacts (keep last {{ max_artifacts_to_keep }})
|
|
shell: |
|
|
ls -t {{ artifacts_dir }}/{{ app_name }}-* 2>/dev/null | grep -v '.sha256$' | tail -n +{{ max_artifacts_to_keep + 1 }} | xargs -r rm -f
|
|
ls -t {{ artifacts_dir }}/{{ app_name }}-*.sha256 2>/dev/null | tail -n +{{ max_artifacts_to_keep + 1 }} | xargs -r rm -f
|
|
changed_when: true
|
|
failed_when: false
|
|
delegate_to: localhost
|
|
become: false
|
|
when: app_artifact.stat.exists
|
|
|
|
- name: Write environment file if app_env_vars provided
|
|
copy:
|
|
dest: "{{ app_dir }}/.env"
|
|
owner: "{{ app_name }}"
|
|
group: "{{ app_name }}"
|
|
mode: '0600'
|
|
content: "{% for key, value in app_env_vars.items() %}{{ key }}={{ value }}\n{% endfor %}"
|
|
when: app_env_vars is defined
|
|
notify: restart app
|
|
|
|
- name: Remove environment file if not provided
|
|
file:
|
|
path: "{{ app_dir }}/.env"
|
|
state: absent
|
|
when: app_env_vars is not defined
|
|
|
|
- name: Write systemd service for app
|
|
template:
|
|
src: "/opt/deploy/templates/app.service.j2"
|
|
dest: "/etc/systemd/system/{{ systemd_service }}.service"
|
|
notify: restart app
|
|
|
|
- name: Enable and start app service
|
|
systemd:
|
|
name: "{{ systemd_service }}"
|
|
enabled: true
|
|
state: started
|
|
daemon_reload: true
|
|
|
|
handlers:
|
|
- name: restart app
|
|
systemd:
|
|
name: "{{ systemd_service }}"
|
|
state: restarted
|