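---
# Infrastructure Validation Playbook
# Centralized validation for all deployment types and infrastructure components
#
# Usage Examples (validation_type is mandatory - the play fails without it):
#   Full validation:  ansible-playbook validate-infrastructure.yml -e "validation_type=full"
#   Backup only:      ansible-playbook validate-infrastructure.yml -e "validation_type=backup"
#   Vault only:       ansible-playbook validate-infrastructure.yml -e "validation_type=vault"
#   Pre-deployment:   ansible-playbook validate-infrastructure.yml -e "validation_type=pre_deployment"
#   Post-deployment:  ansible-playbook validate-infrastructure.yml -e "validation_type=post_deployment"
#   Service startup:  ansible-playbook validate-infrastructure.yml -e "validation_type=service_startup"
#   SSL/Domain:       ansible-playbook validate-infrastructure.yml -e "validation_type=ssl_domain"
#   Quick mode:       append -e "quick_mode=true" to skip the outbound network and
#                     template-rendering checks, run the quick health checks and
#                     suppress the final summary
#
# This follows the "No Redundancy" principle by centralizing all validation logic
- name: Infrastructure validation
  hosts: all
  gather_facts: true
  become: false

  vars:
    # The only accepted values of validation_type. Listed once so the
    # parameter check cannot drift from the usage comment above.
    valid_validation_types:
      - full
      - backup
      - vault
      - pre_deployment
      - post_deployment
      - service_startup
      - ssl_domain
    # Roles that provide their own *_validation / *_validate task files.
    # Role names use hyphens while the matching inventory group uses
    # underscores (music-stack -> music_stack); every loop below applies
    # the same replace() before testing group membership.
    validated_roles:
      - dns
      - automation
      - music-stack

  pre_tasks:
    # validation_type must be passed via -e validation_type=<type> - no default allowed.
    # An unknown value is rejected here too; otherwise every run_* flag below would be
    # false and the play would "succeed" without validating anything.
    - name: Validate required parameters
      ansible.builtin.fail:
        msg: >-
          validation_type must be explicitly set via -e validation_type=<type>.
          Valid types: full, backup, vault, pre_deployment, post_deployment, service_startup, ssl_domain
      when: validation_type is not defined or validation_type not in valid_validation_types

    # quick_mode must be passed via -e quick_mode=true - no default. Extra vars
    # arrive as strings ("true"/"false"), so it is normalised to a real boolean
    # here; every later condition tests quick_mode_enabled rather than quick_mode,
    # which also keeps the play working when quick_mode is not passed at all.
    - name: Set validation scope based on type
      ansible.builtin.set_fact:
        quick_mode_enabled: "{{ quick_mode | default(false) | bool }}"
        run_backup_validation: "{{ validation_type in ['full', 'backup'] }}"
        run_vault_validation: "{{ validation_type in ['full', 'vault'] }}"
        run_pre_deployment_validation: "{{ validation_type in ['full', 'pre_deployment'] }}"
        run_post_deployment_validation: "{{ validation_type in ['full', 'post_deployment'] }}"
        run_service_startup_validation: "{{ validation_type in ['full', 'service_startup'] }}"
        run_ssl_domain_validation: "{{ validation_type in ['full', 'ssl_domain'] }}"

    - name: Display validation start message
      ansible.builtin.debug:
        msg: |
          🔍 Starting {{ validation_type }} validation for {{ inventory_hostname }}
          Host groups: {{ group_names }}
          Quick mode: {{ quick_mode if quick_mode is defined else 'disabled' }}

  tasks:
    # === PRE-DEPLOYMENT VALIDATION ===
    - name: Pre-deployment system validation
      block:
        - name: Check basic connectivity
          ansible.builtin.ping:

        - name: Validate OS compatibility
          ansible.builtin.fail:
            msg: "Unsupported OS family: {{ ansible_os_family }}. Only Debian-based systems supported."
          when: ansible_os_family != "Debian"

        - name: Check minimum memory requirements
          ansible.builtin.fail:
            msg: "Insufficient memory: {{ ansible_memtotal_mb }}MB. Minimum 1GB required."
          when: ansible_memtotal_mb < 1024

        - name: Validate architecture
          ansible.builtin.fail:
            msg: "Unsupported architecture: {{ ansible_architecture }}"
          when: ansible_architecture not in ['aarch64', 'x86_64']

        # Outbound reachability of the sources the deployment pulls from.
        # Skipped in quick mode because it needs external network access.
        - name: Test network connectivity
          ansible.builtin.uri:
            url: "{{ item }}"
            method: HEAD
            timeout: 10
          loop:
            - "https://hub.docker.com"
            - "https://github.com"
            - "https://archive.ubuntu.com"
          register: network_check
          when: not quick_mode_enabled

        # Fourth df column is the available space on / in 1K blocks.
        # pipefail makes a failing df surface as a task error instead of an
        # empty string that the next task would read as "0 KB available".
        - name: Check available disk space
          ansible.builtin.shell: |
            set -o pipefail
            df / | tail -1 | awk '{print $4}'
          args:
            executable: /bin/bash
          register: root_disk_space
          changed_when: false

        - name: Fail if insufficient disk space
          ansible.builtin.fail:
            msg: >-
              Insufficient root disk space. Available: {{ (root_disk_space.stdout | int / 1024 / 1024) | round(2) }}GB.
              Required: 2GB minimum
          # 2097152 KB == 2 GiB
          when: (root_disk_space.stdout | int) < 2097152
      when: run_pre_deployment_validation

    # === BACKUP VALIDATION ===
    - name: Backup directory and configuration validation
      block:
        - name: Run common backup validation
          ansible.builtin.include_role:
            name: common
            tasks_from: backup_validation

        - name: Run role-specific backup validation
          ansible.builtin.include_role:
            name: "{{ item }}"
            tasks_from: backup_validation
          loop: "{{ validated_roles }}"
          when: "item.replace('-', '_') in group_names"
      when: run_backup_validation

    # === VAULT VALIDATION ===
    - name: Vault variable validation
      block:
        - name: Run role-specific vault validation
          ansible.builtin.include_role:
            name: "{{ item }}"
            tasks_from: vault_validation
          loop: "{{ validated_roles }}"
          when: "item.replace('-', '_') in group_names"

        - name: Run template rendering validation
          ansible.builtin.include_role:
            name: common
            tasks_from: template_validation
          when: not quick_mode_enabled
      when: run_vault_validation

    # === SERVICE STARTUP VALIDATION ===
    - name: Service startup order validation
      block:
        - name: Run common service startup validation
          ansible.builtin.include_role:
            name: common
            tasks_from: service_startup_validation

        - name: Run role-specific service startup validation
          ansible.builtin.include_role:
            name: "{{ item }}"
            tasks_from: service_startup_validation
          loop: "{{ validated_roles }}"
          when: "item.replace('-', '_') in group_names"
      when: run_service_startup_validation

    # === SSL/DOMAIN VALIDATION (automation hosts only) ===
    - name: SSL and domain validation
      block:
        - name: Validate domain resolution and SSL prerequisites
          ansible.builtin.include_role:
            name: automation
            tasks_from: ssl_domain_validate

        - name: Validate Traefik routing configuration
          ansible.builtin.include_role:
            name: automation
            tasks_from: traefik_routing_validate

        - name: Validate DNS01 challenge prerequisites
          ansible.builtin.include_role:
            name: automation
            tasks_from: dns01_prerequisites
      when:
        - run_ssl_domain_validation
        - "'automation' in group_names"

    # === POST-DEPLOYMENT VALIDATION ===
    - name: Post-deployment service validation
      block:
        - name: Run common port connectivity tests
          ansible.builtin.include_role:
            name: common
            tasks_from: port_connectivity_test

        - name: Run role-specific post-deployment validation
          ansible.builtin.include_role:
            name: "{{ item }}"
            tasks_from: post_deploy_validate
          loop: "{{ validated_roles }}"
          when: "item.replace('-', '_') in group_names"
      when: run_post_deployment_validation

    # === QUICK VALIDATION FOR CI/MONITORING ===
    - name: Quick health checks
      block:
        - name: Quick connectivity test
          ansible.builtin.wait_for:
            port: 22
            timeout: 5

        # A core vault variable fails the check when it is unset, empty, or
        # still holds a template placeholder. The conditions are ORed in one
        # expression on purpose: a list under `when:` is ANDed, which would
        # require a variable to be both missing and placeholder-looking.
        - name: Quick core vault variable check
          ansible.builtin.fail:
            msg: "Core vault variable '{{ item }}' is missing or contains placeholder"
          when: >-
            vars[item] is not defined or vars[item] == "" or
            "your-" in (vars[item] | string) or "example" in (vars[item] | string) or
            "CHANGEME" in (vars[item] | string)
          loop:
            - vault_domain_name
            - vault_letsencrypt_email

        - name: Quick backup directory check
          ansible.builtin.stat:
            path: /opt/backup
          register: quick_backup_check

        - name: Display quick status
          ansible.builtin.debug:
            msg: |
              [POWER] Quick Validation Status for {{ inventory_hostname }}:
              SSH: [OK] Connected
              Core Vault: [OK] Configured
              Backup Dir: {{ '[OK] Ready' if quick_backup_check.stat.exists else '[WARN] Setup Required' }}
      when: quick_mode_enabled

    # === VALIDATION SUMMARY ===
    # Role lines are derived from validated_roles with the same hyphen->underscore
    # mapping as the loops above, so a host in music_stack is reported correctly.
    - name: Generate comprehensive validation summary
      ansible.builtin.debug:
        msg: |
          [OK] {{ validation_type.title() }} Validation Summary for {{ inventory_hostname }}:
          Validation Type: {{ validation_type }}
          Host Groups: {{ group_names }}
          {% if run_pre_deployment_validation %}
          Pre-deployment:
          [OK] System compatibility verified
          [OK] Network connectivity confirmed
          [OK] Disk space requirements met
          {% endif %}
          {% if run_backup_validation %}
          Backup Validation:
          [OK] Common backup directories validated
          {% for role in validated_roles %}
          {% if role.replace('-', '_') in group_names %}
          [OK] {{ role.title() }} backup configuration verified
          {% endif %}
          {% endfor %}
          {% endif %}
          {% if run_vault_validation %}
          Vault Validation:
          [OK] Core vault variables configured
          {% for role in validated_roles %}
          {% if role.replace('-', '_') in group_names %}
          [OK] {{ role.title() }} vault credentials validated
          {% endif %}
          {% endfor %}
          {% endif %}
          {% if run_service_startup_validation %}
          Service Startup:
          [OK] Service dependencies validated
          [OK] Startup order verified
          {% endif %}
          {% if run_ssl_domain_validation and 'automation' in group_names %}
          SSL/Domain:
          [OK] Domain resolution verified
          [OK] Cloudflare API access confirmed
          [OK] SSL prerequisites met
          {% endif %}
          {% if run_post_deployment_validation %}
          Post-deployment:
          [OK] Service connectivity verified
          [OK] All deployed services operational
          {% endif %}
          [DEPLOY] {{ validation_type.title() }} validation completed successfully!
      when: not quick_mode_enabled

  handlers:
    # No task in this play notifies this handler; it only runs if a task is
    # later given `notify: Validation complete`.
    - name: Validation complete
      ansible.builtin.debug:
        msg: "[OK] {{ validation_type.title() }} validation completed for all targeted hosts"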