diff --git a/Taskfile.yaml b/Taskfile.yaml index 994133a..14b7722 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -4,6 +4,9 @@ vars: ANSIBLE_DIR: infra/ansible K8S_DIR: infra/kubernetes +env: + KUBECONFIG: "{{.HOME}}/.kube/homelab" + tasks: # Development dev: diff --git a/apps/api/k8s/base/deployment.yaml b/apps/api/k8s/base/deployment.yaml index 8ccf547..1f10840 100644 --- a/apps/api/k8s/base/deployment.yaml +++ b/apps/api/k8s/base/deployment.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: api - image: ghcr.io/OWNER/homelab-api:latest + image: ghcr.io/lazorgurl/homelab-api:latest ports: - containerPort: 4000 env: diff --git a/apps/web/k8s/base/deployment.yaml b/apps/web/k8s/base/deployment.yaml index 8bf0b46..4121964 100644 --- a/apps/web/k8s/base/deployment.yaml +++ b/apps/web/k8s/base/deployment.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: web - image: ghcr.io/OWNER/homelab-web:latest + image: ghcr.io/lazorgurl/homelab-web:latest ports: - containerPort: 3000 resources: diff --git a/infra/ansible/ansible.cfg b/infra/ansible/ansible.cfg index 046309d..7d4698d 100644 --- a/infra/ansible/ansible.cfg +++ b/infra/ansible/ansible.cfg @@ -5,8 +5,10 @@ remote_user = julia private_key_file = ~/.ssh/homelab host_key_checking = False retry_files_enabled = False -stdout_callback = yaml +stdout_callback = ansible.builtin.default +result_format = yaml callbacks_enabled = profile_tasks +vault_password_file = ~/.vault_pass_homelab [privilege_escalation] become = True diff --git a/infra/ansible/infra/ansible/inventory/group_vars/vault.yaml b/infra/ansible/infra/ansible/inventory/group_vars/vault.yaml new file mode 100644 index 0000000..ee8eb8d --- /dev/null +++ b/infra/ansible/infra/ansible/inventory/group_vars/vault.yaml 
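Review bot: The replacement line `image: ghcr.io/lazorgurl/homelab-api:latest` keeps the mutable `latest` tag, so the pod runs whatever was pushed to the package most recently rather than a build tied to a reviewed commit, and a rollback has nothing concrete to roll back to; the web deployment hunk has the same shape. Pin an immutable reference and let CI or the production overlay bump it, e.g. `image: ghcr.io/lazorgurl/homelab-api@sha256:<digest>` or at least a `:<git-sha>` tag. With a non-`latest` tag Kubernetes defaults `imagePullPolicy` to `IfNotPresent`, so set it explicitly if the deployment relies on re-pulls.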
@@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +33333932633865613034613039333834383965323437383434353235346463366138386537343139 +3565393262303931306264666239623736396163613632330a653731363730663838613736336337 +33326566303933343562336162623138373735373361306335326633383862663939383561346162 +3966363739343734350a643065646236646161386133643039356238316463373664646261653963 +35613061363663653736336234383639326230363062363565353761326339616430343134633963 +62316331313239323963623061383564643031353265376238353538326436376531343735376462 +65306563643064646330616264633130336138376462343931343464636462383836313536313233 +63613534396433656432613361343566313864373163656436393332343136383238393261653463 +3038 diff --git a/infra/ansible/inventory/group_vars/all.yaml b/infra/ansible/inventory/group_vars/all.yaml index 5b82594..4e84234 100644 --- a/infra/ansible/inventory/group_vars/all.yaml +++ b/infra/ansible/inventory/group_vars/all.yaml @@ -10,7 +10,7 @@ ntp_servers: # k3s k3s_version: v1.31.4+k3s1 k3s_server_url: "https://{{ hostvars['nuc01']['ansible_host'] }}:6443" -k3s_token: "{{ vault_k3s_token }}" +k3s_token: "6eb228325963e313060505567ffc5620108f80b11288dc4c5a9960efada48cde" # System packages common_packages: diff --git a/infra/ansible/inventory/group_vars/vault.yaml b/infra/ansible/inventory/group_vars/vault.yaml new file mode 100644 index 0000000..5d4be3b --- /dev/null +++ b/infra/ansible/inventory/group_vars/vault.yaml 
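Review bot: This new file's path repeats the `infra/ansible` prefix (`infra/ansible/infra/ansible/inventory/group_vars/vault.yaml`) while a second vault file with a different ciphertext is added at `infra/ansible/inventory/group_vars/vault.yaml` later in the diff, which looks like a stray `ansible-vault` run from the wrong working directory. Nothing in the tree refers to this nested path, so the inventory under `infra/ansible/inventory` will never load it, and carrying two encrypted blobs with no indication of which holds the current value is a maintenance trap. Delete this copy (`git rm infra/ansible/infra/ansible/inventory/group_vars/vault.yaml`) and keep a single vault file in the real inventory.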
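Review bot: The new `k3s_token` line replaces the vault lookup with the literal token, so the secret that nodes present to join the k3s cluster is now committed in plaintext and remains in git history even after it is removed. Treat it as compromised and rotate it on the server (k3s ships `k3s token rotate` for this; the exact procedure depends on the k3s version), then restore the indirection as `k3s_token: "{{ vault_k3s_token }}"` with the value kept only in the vault. If the inlining happened because `vault_k3s_token` came up undefined, the cause is that `group_vars/vault.yaml` applies only to a group named `vault`, which hosts.yaml does not define; the variable needs to live in `group_vars/all/vault.yaml`. Rewriting history removes the blob only for people who have not already fetched it, so rotation is the part that matters.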
@@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +63356334376664336462626632333635303263326433613033373539633437333165633866653730 +3536343735636330393335373337363335656536363166640a633732663637613266643735326231 +38303831636634613963613665353566393335353933386330633465623833613962343435396436 +3630396134666233340a376464353665626566393065366434653334363861366430613530643931 +30643632616133633866656130353630656438623139303731333338343366663139313536333062 +37396166623830383430393932653235616331303137353564333438363033623836326633333534 +62313833623465643034313262326262383232333363646239643562623265383633313064383963 +61663731346331656232396130633966633230376634653134353036323736353430333634393032 +6135 diff --git a/infra/ansible/inventory/hosts.yaml b/infra/ansible/inventory/hosts.yaml index 7bb7a6a..61bf430 100644 --- a/infra/ansible/inventory/hosts.yaml +++ b/infra/ansible/inventory/hosts.yaml @@ -5,14 +5,6 @@ all: children: servers: hosts: - nuc01: - ansible_host: 10.0.10.11 + catherby: + ansible_host: 192.168.1.50 k3s_role: server - agents: - hosts: - nuc02: - ansible_host: 10.0.10.12 - k3s_role: agent - nuc03: - ansible_host: 10.0.10.13 - k3s_role: agent diff --git a/infra/ansible/roles/common/tasks/main.yaml b/infra/ansible/roles/common/tasks/main.yaml index c274c01..d478b13 100644 --- a/infra/ansible/roles/common/tasks/main.yaml +++ b/infra/ansible/roles/common/tasks/main.yaml @@ -20,6 +20,11 @@ name: "{{ common_packages }}" state: present +- name: Load br_netfilter module + community.general.modprobe: + name: br_netfilter + persistent: present + - name: Configure sysctl for k8s ansible.posix.sysctl: name: "{{ item.key }}" @@ -33,11 +38,6 @@ - { key: fs.inotify.max_user_instances, value: "512" } - { key: fs.inotify.max_user_watches, value: "524288" } -- name: Load br_netfilter module - community.general.modprobe: - name: br_netfilter - persistent: present - - name: Disable swap ansible.builtin.command: swapoff -a changed_when: false 
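Review bot: A file named `group_vars/vault.yaml` supplies variables only to an inventory group called `vault`, and the hosts.yaml hunk in this diff defines just `all` and `servers`, so the secrets encrypted here are never loaded and `vault_k3s_token` stays undefined. Move the file to `infra/ansible/inventory/group_vars/all/vault.yaml`, which Ansible loads alongside `group_vars/all.yaml`, and keep the `vault_` prefix so the plain vars file can reference it as `"{{ vault_k3s_token }}"`. The `vault_password_file = ~/.vault_pass_homelab` setting added to ansible.cfg is then what decrypts it; that path must stay outside the repository.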
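Review bot: Removing `nuc01` leaves `group_vars/all.yaml` pointing at it: the context line `k3s_server_url: "https://{{ hostvars['nuc01']['ansible_host'] }}:6443"` in the all.yaml hunk still names the deleted host, so the first template that expands `k3s_server_url` will fail on an undefined hostvar. Derive it from the group instead, `k3s_server_url: "https://{{ hostvars[groups['servers'][0]]['ansible_host'] }}:6443"`, so hosts can be renamed or added without editing vars. The `agents` group is dropped entirely, so any play or pattern targeting `agents` now matches no hosts (Ansible warns and skips rather than failing), which is worth checking in the playbooks not shown here. Note also that the key order kept here, `ansible_host` before `k3s_role`, is what `scripts/kubeconfig-fetch.sh` later in this diff greps with `-A1` after `k3s_role: server`; with this layout that lookup matches nothing, and under the script's `set -euo pipefail` the failed grep aborts the script before its fallback runs, so the script should look at the line before (`-B1`) or query `ansible-inventory --list` instead.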
diff --git a/infra/ansible/roles/hardening/handlers/main.yaml b/infra/ansible/roles/hardening/handlers/main.yaml index 2000127..57d0861 100644 --- a/infra/ansible/roles/hardening/handlers/main.yaml +++ b/infra/ansible/roles/hardening/handlers/main.yaml @@ -1,5 +1,5 @@ --- - name: restart sshd ansible.builtin.systemd: - name: sshd + name: ssh state: restarted diff --git a/infra/kubeconfig b/infra/kubeconfig new file mode 100644 index 0000000..6ab1ed2 --- /dev/null +++ b/infra/kubeconfig 
@@ -0,0 +1,19 @@ +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: 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 + server: https://192.168.1.50:6443 + name: default +contexts: +- context: + cluster: default + user: default + name: default +current-context: default +kind: Config +preferences: {} +users: +- name: default + user: + client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrRENDQVRlZ0F3SUJBZ0lJU2JmQ0FLalVNY0F3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOemMwTURNeE1UYzNNQjRYRFRJMk1ETXlNREU0TWpZeE4xb1hEVEkzTURNeQpNREU0TWpZeE4xb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJGV2JGRG5NajIrbGdqU28KNzBGbk1iOUsxSEFpTnFmU2UyRGcxdE9kOENNcTVKeDI4blNwajR0YWMyajFxbFR5eDMwaGtXeGpFeUFGK0o4QQo0bVNuNDNlalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCU1ZZTlJOMkdBMU9ZOGlqMUZTenQ0dzNqR2lSakFLQmdncWhrak9QUVFEQWdOSEFEQkUKQWlCQiswam9OOERxc1VSNmFPOCtFdnJITUdtYXlBVkVzbW5iNzV4NVpxNEwwZ0lnSmxPQkVOeDJ3U01rYXRLdwpTQzcvbVdITTRnZ3N0andmTVc3OVFGSk9mMkk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkakNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUzTnpRd016RXhOemN3SGhjTk1qWXdNekl3TVRneU5qRTNXaGNOTXpZd016RTNNVGd5TmpFMwpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUzTnpRd016RXhOemN3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFRd1hENkEya1dYTUhXUGk3K2JVWVVpNWxLNTQ3NW1DL1pVSFd6WGxRdUMKYUpuYXYrVXp2bzN4bis1TGFEMjNJWjBRdFlsSFNKVUZGRkJUZ0Q4aDZsMnRvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWxXRFVUZGhnTlRtUElvOVJVczdlCk1ONHhva1l3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnS3FlZTcyZ0Q2MXVhV293bFg3Z1AxOCtxanB6MmRaWWgKYnZvVlN0eVBZOW9DSUNtNXNMQ2Z3enl6b2JldTN3NU5vaDZpdFZzeXgwRFJXbFYyUlBXemttZWgKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + client-key-data: 
LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU5WK0pOVmdkUnBKb0hhaGkvSDN1SXkzTllZRlNBRjR6NFJxaUQ1YkhQTzNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVlpzVU9jeVBiNldDTktqdlFXY3h2MHJVY0NJMnA5SjdZT0RXMDUzd0l5cmtuSGJ5ZEttUAppMXB6YVBXcVZQTEhmU0dSYkdNVElBWDRud0RpWktmamR3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= diff --git a/infra/kubernetes/argocd/app-of-apps.yaml b/infra/kubernetes/argocd/app-of-apps.yaml index dd3da65..ae9124d 100644 --- a/infra/kubernetes/argocd/app-of-apps.yaml +++ b/infra/kubernetes/argocd/app-of-apps.yaml @@ -8,7 +8,7 @@ metadata: spec: project: default source: - repoURL: https://github.com/OWNER/homelab.git + repoURL: git@github.com:lazorgurl/homelab.git targetRevision: main path: infra/kubernetes/argocd destination: diff --git a/infra/kubernetes/argocd/appsets/apps.yaml b/infra/kubernetes/argocd/appsets/apps.yaml index 0293523..e05985f 100644 --- a/infra/kubernetes/argocd/appsets/apps.yaml +++ b/infra/kubernetes/argocd/appsets/apps.yaml @@ -8,7 +8,7 @@ spec: goTemplateOptions: ["missingkey=error"] generators: - git: - repoURL: https://github.com/OWNER/homelab.git + repoURL: git@github.com:lazorgurl/homelab.git revision: main directories: - path: apps/*/k8s/overlays/production @@ -18,7 +18,7 @@ spec: spec: project: default source: - repoURL: https://github.com/OWNER/homelab.git + repoURL: git@github.com:lazorgurl/homelab.git targetRevision: main path: "{{ .path.path }}" destination: diff --git a/infra/kubernetes/argocd/appsets/platform.yaml b/infra/kubernetes/argocd/appsets/platform.yaml index 250b1de..e49a888 100644 --- a/infra/kubernetes/argocd/appsets/platform.yaml +++ b/infra/kubernetes/argocd/appsets/platform.yaml @@ -8,7 +8,7 @@ spec: goTemplateOptions: ["missingkey=error"] generators: - git: - repoURL: https://github.com/OWNER/homelab.git + repoURL: git@github.com:lazorgurl/homelab.git revision: main directories: - path: infra/kubernetes/platform/* 
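Review bot: `infra/kubeconfig` commits a complete credential: `client-key-data` decodes to an `EC PRIVATE KEY` block and `client-certificate-data` to a certificate whose subject reads `O=system:masters, CN=system:admin`, the identity k3s puts in its default admin kubeconfig and which Kubernetes binds to cluster-admin by default, so anyone who can read this repository or its history and reach `https://192.168.1.50:6443` controls the cluster. Remove the file (`git rm infra/kubeconfig`), add `infra/kubeconfig` to `.gitignore`, and treat the key as exposed: regenerate the client credentials on the server (the k3s docs describe `k3s certificate rotate`, and `rotate-ca` if the client CA itself is to be replaced), because deleting the blob does not revoke it. The repository already has `scripts/kubeconfig-fetch.sh` writing to `$HOME/.kube/homelab`, which the Taskfile hunk now exports as `KUBECONFIG`, so nothing needs a checked-in copy.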
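Review bot: Switching `repoURL` to `git@github.com:lazorgurl/homelab.git` means Argo CD now needs an SSH credential for this repository (a Secret labelled `argocd.argoproj.io/secret-type: repository` carrying `sshPrivateKey`, plus GitHub's host key in `argocd-ssh-known-hosts-cm`), and nothing in this diff adds one, so unless it was configured out of band the app-of-apps and every ApplicationSet sharing this URL will fail to fetch. If the repository is public the previous `https://` URL needs no credential at all; if SSH is wanted, use a read-only deploy key scoped to this one repository rather than a personal key. The same URL appears in apps.yaml, platform.yaml and previews.yaml, so whichever credential is chosen must match all of them.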
@@ -18,7 +18,7 @@ spec: spec: project: default source: - repoURL: https://github.com/OWNER/homelab.git + repoURL: git@github.com:lazorgurl/homelab.git targetRevision: main path: "{{ .path.path }}" destination: diff --git a/infra/kubernetes/argocd/appsets/previews.yaml b/infra/kubernetes/argocd/appsets/previews.yaml index 5095855..1bc4e74 100644 --- a/infra/kubernetes/argocd/appsets/previews.yaml +++ b/infra/kubernetes/argocd/appsets/previews.yaml @@ -9,7 +9,7 @@ spec: generators: - pullRequest: github: - owner: OWNER + owner: lazorgurl repo: homelab requeueAfterSeconds: 60 template: @@ -18,7 +18,7 @@ spec: spec: project: default source: - repoURL: https://github.com/OWNER/homelab.git + repoURL: git@github.com:lazorgurl/homelab.git targetRevision: "{{ .branch }}" path: apps/*/k8s/overlays/preview kustomize: diff --git a/scripts/kubeconfig-fetch.sh b/scripts/kubeconfig-fetch.sh index 91a8754..d9a9fa2 100755 --- a/scripts/kubeconfig-fetch.sh +++ b/scripts/kubeconfig-fetch.sh @@ -3,8 +3,13 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ROOT_DIR="$(dirname "$SCRIPT_DIR")" +INVENTORY="$ROOT_DIR/infra/ansible/inventory/hosts.yaml" -SERVER_HOST="${K3S_SERVER_HOST:-10.0.10.11}" +# Auto-detect server IP from Ansible inventory, or use env override +if [[ -z "${K3S_SERVER_HOST:-}" ]] && [[ -f "$INVENTORY" ]]; then + SERVER_HOST=$(grep -A1 'k3s_role: server' "$INVENTORY" | grep ansible_host | awk '{print $2}' | head -1) +fi +SERVER_HOST="${SERVER_HOST:-${K3S_SERVER_HOST:-192.168.1.50}}" SSH_USER="${SSH_USER:-julia}" KUBECONFIG_PATH="${KUBECONFIG_PATH:-$HOME/.kube/homelab}"
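Review bot: The pullRequest generator now targets `lazorgurl/homelab` with no `labels` filter and the generated Applications keep `project: default`, so every open pull request against the repository becomes a live Application that syncs `{{ .branch }}` (see the second previews hunk) into the cluster; if the repository accepts pull requests from people without write access, any of them can get arbitrary manifests applied. Gate previews behind a maintainer-applied label by adding `labels:` / `- preview` under `github:`, and give previews their own AppProject whose `sourceRepos` and `destinations` are limited to the preview namespace instead of `default`. Whether outside contributors can open PRs is not visible here, so confirm that before relying on the current setup.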