Lab05 - Danil Valiev

.github/workflows/python-ci.yml

@@ -0,0 +1,114 @@
+name: python-ci
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ["lab03", "lab05", "master"]
+    paths:
+      - "app_python/**"
+      - ".github/workflows/python-ci.yml"
+  pull_request:
+    branches: ["master"]
+    paths:
+      - "app_python/**"
+      - ".github/workflows/python-ci.yml"
+
+concurrency:
+  group: python-ci-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: devops-info-service
+  APP_DIR: app_python
+
+jobs:
+  test-and-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: "pip"
+          cache-dependency-path: |
+            app_python/requirements.txt
+            app_python/requirements-dev.txt
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r app_python/requirements.txt
+          pip install -r app_python/requirements-dev.txt
+
+      - name: Lint (ruff)
+        run: |
+          cd app_python
+          ruff check .
+
+      - name: Tests (pytest) + coverage
+        run: |
+          cd app_python
+          pytest -q tests --cov=. --cov-report=term-missing --cov-report=xml
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-xml
+          path: app_python/coverage.xml
+
+      - name: Install Snyk CLI
+        run: npm install -g snyk
+
+      - name: Snyk scan (dependencies)
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          cd app_python
+          snyk test --severity-threshold=high --file=requirements.txt
+
+  docker-build-and-push:
+    runs-on: ubuntu-latest
+    needs: test-and-lint
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/lab03' || github.ref == 'refs/heads/lab05')
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Prepare CalVer tags
+        run: |
+          echo "CALVER_MONTH=$(date -u +'%Y.%m')" >> $GITHUB_ENV
+          echo "CALVER_BUILD=$(date -u +'%Y.%m').${{ github.run_number }}" >> $GITHUB_ENV
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ env.APP_DIR }}
+          file: ${{ env.APP_DIR }}/Dockerfile
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.CALVER_BUILD }}
+            ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.CALVER_MONTH }}
+            ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/terraform-ci.yml

@@ -0,0 +1,57 @@
+name: Terraform CI
+
+on:
+  pull_request:
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-ci.yml"
+  push:
+    branches:
+      - master
+      - lab04
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-ci.yml"
+
+jobs:
+  terraform-check:
+    name: "fmt / validate / tflint"
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        workdir:
+          - terraform
+          - terraform/github
+
+    defaults:
+      run:
+        working-directory: ${{ matrix.workdir }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: false
+
+      - name: Terraform fmt
+        run: terraform fmt -check -recursive
+
+      - name: Terraform init (no backend)
+        run: terraform init -backend=false
+
+      - name: Terraform validate
+        run: terraform validate -no-color
+
+      - name: Setup TFLint
+        uses: terraform-linters/setup-tflint@v3
+
+      - name: TFLint init
+        run: tflint --init
+
+      - name: TFLint
+        run: tflint

.gitignore

@@ -1 +1,15 @@
-test
+test
+.env
+key.json
+# --- Ansible ---
+*.retry
+.vault_pass
+ansible/inventory/*.pyc
+ansible/inventory/__pycache__/
+__pycache__/
+
+# --- Vagrant ---
+.vagrant/
+
+# Do not commit real inventory with IPs if you don't want
+# ansible/inventory/hosts.ini

Vagrantfile

@@ -0,0 +1,21 @@
+Vagrant.configure("2") do |config|
+  config.vm.box = "ubuntu/jammy64"
+  config.vm.hostname = "lab05"
+
+  # ВАЖНО: отключаем шаринг папки проекта в VM
+  # (часто ломается из-за кириллицы/пробелов в пути + нам не нужен репозиторий в VM)
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+  # Пробрасываем порты на Windows-хост
+  # host_ip "0.0.0.0" нужно, чтобы WSL мог подключиться к проброшенному порту через IP Windows-хоста.
+  config.vm.network "forwarded_port", guest: 22, host: 2222, host_ip: "0.0.0.0", id: "ssh", auto_correct: true
+  config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "0.0.0.0", id: "app", auto_correct: true
+
+  config.ssh.insert_key = true
+
+  config.vm.provider "virtualbox" do |vb|
+    vb.name = "lab05-ansible"
+    vb.memory = 2048
+    vb.cpus = 2
+  end
+end

ansible/README.md

@@ -0,0 +1,24 @@
+# Lab05 — Ansible
+
+See:
+- `labs/lab05.md` — assignment
+- `ansible/docs/LAB05.md` — report template
+
+## Quick start
+
+```bash
+cd ansible
+
+# Install required collections
+ansible-galaxy collection install -r requirements.yml
+
+# Connectivity test
+ansible all -m ping
+
+# Provision the target VM (run twice to prove idempotency)
+ansible-playbook playbooks/provision.yml
+ansible-playbook playbooks/provision.yml
+
+# Deploy the application (uses Ansible Vault)
+ansible-playbook playbooks/deploy.yml --ask-vault-pass
+```

ansible/ansible.cfg

@@ -0,0 +1,14 @@
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = roles
+host_key_checking = False
+# For Vagrant boxes the default SSH user is usually "vagrant".
+# You can still override this per-host in inventory/hosts.ini.
+remote_user = vagrant
+retry_files_enabled = False
+interpreter_python = auto_silent
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root