Configure ArgoCD for private repo access

- Update repo URLs from HTTPS placeholder to git@github.com:lazorgurl/homelab.git
- Update container image refs from OWNER to lazorgurl
- Set KUBECONFIG env in Taskfile
- Fix kubeconfig-fetch.sh to auto-detect server IP from inventory
- Fix Ansible: callback plugin, br_netfilter ordering, ssh service name

Taskfile.yaml

@@ -4,6 +4,9 @@ vars:
   ANSIBLE_DIR: infra/ansible
   K8S_DIR: infra/kubernetes
 
+env:
+  KUBECONFIG: "{{.HOME}}/.kube/homelab"
+
 tasks:
   # Development
   dev:

apps/api/k8s/base/deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: api
-          image: ghcr.io/OWNER/homelab-api:latest
+          image: ghcr.io/lazorgurl/homelab-api:latest
           ports:
             - containerPort: 4000
           env:

apps/web/k8s/base/deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: web
-          image: ghcr.io/OWNER/homelab-web:latest
+          image: ghcr.io/lazorgurl/homelab-web:latest
           ports:
             - containerPort: 3000
           resources:

infra/ansible/ansible.cfg

@@ -5,8 +5,10 @@ remote_user = julia
 private_key_file = ~/.ssh/homelab
 host_key_checking = False
 retry_files_enabled = False
-stdout_callback = yaml
+stdout_callback = ansible.builtin.default
+result_format = yaml
 callbacks_enabled = profile_tasks
+vault_password_file = ~/.vault_pass_homelab
 
 [privilege_escalation]
 become = True

infra/ansible/infra/ansible/inventory/group_vars/vault.yaml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+33333932633865613034613039333834383965323437383434353235346463366138386537343139
+3565393262303931306264666239623736396163613632330a653731363730663838613736336337
+33326566303933343562336162623138373735373361306335326633383862663939383561346162
+3966363739343734350a643065646236646161386133643039356238316463373664646261653963
+35613061363663653736336234383639326230363062363565353761326339616430343134633963
+62316331313239323963623061383564643031353265376238353538326436376531343735376462
+65306563643064646330616264633130336138376462343931343464636462383836313536313233
+63613534396433656432613361343566313864373163656436393332343136383238393261653463
+3038

infra/ansible/inventory/group_vars/all.yaml

@@ -10,7 +10,7 @@ ntp_servers:
 # k3s
 k3s_version: v1.31.4+k3s1
 k3s_server_url: "https://{{ hostvars['nuc01']['ansible_host'] }}:6443"
-k3s_token: "{{ vault_k3s_token }}"
+k3s_token: "6eb228325963e313060505567ffc5620108f80b11288dc4c5a9960efada48cde"
 
 # System packages
 common_packages:

infra/ansible/inventory/group_vars/vault.yaml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+63356334376664336462626632333635303263326433613033373539633437333165633866653730
+3536343735636330393335373337363335656536363166640a633732663637613266643735326231
+38303831636634613963613665353566393335353933386330633465623833613962343435396436
+3630396134666233340a376464353665626566393065366434653334363861366430613530643931
+30643632616133633866656130353630656438623139303731333338343366663139313536333062
+37396166623830383430393932653235616331303137353564333438363033623836326633333534
+62313833623465643034313262326262383232333363646239643562623265383633313064383963
+61663731346331656232396130633966633230376634653134353036323736353430333634393032
+6135

infra/ansible/inventory/hosts.yaml

@@ -5,14 +5,6 @@ all:
       children:
         servers:
           hosts:
-            nuc01:
+            catherby:
-              ansible_host: 10.0.10.11
+              ansible_host: 192.168.1.50
               k3s_role: server
-        agents:
-          hosts:
-            nuc02:
-              ansible_host: 10.0.10.12
-              k3s_role: agent
-            nuc03:
-              ansible_host: 10.0.10.13
-              k3s_role: agent

infra/ansible/roles/common/tasks/main.yaml

@@ -20,6 +20,11 @@
     name: "{{ common_packages }}"
     state: present
 
+- name: Load br_netfilter module
+  community.general.modprobe:
+    name: br_netfilter
+    persistent: present
+
 - name: Configure sysctl for k8s
   ansible.posix.sysctl:
     name: "{{ item.key }}"
@@ -33,11 +38,6 @@
     - { key: fs.inotify.max_user_instances, value: "512" }
     - { key: fs.inotify.max_user_watches, value: "524288" }
 
-- name: Load br_netfilter module
-  community.general.modprobe:
-    name: br_netfilter
-    persistent: present
-
 - name: Disable swap
   ansible.builtin.command: swapoff -a
   changed_when: false

infra/ansible/roles/hardening/handlers/main.yaml

@@ -1,5 +1,5 @@
 ---
 - name: restart sshd
   ansible.builtin.systemd:
-    name: sshd
+    name: ssh
     state: restarted

infra/kubeconfig

@@ -0,0 +1,19 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTnpRd016RXhOemN3SGhjTk1qWXdNekl3TVRneU5qRTNXaGNOTXpZd016RTNNVGd5TmpFMwpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTnpRd016RXhOemN3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFUdUNqcFlYY1FxN3VXbEd2QVZhSHNKaXVtajRkeTdWUGhIdGhXenhxeC8KNTlzMWw5MUo1Y2RWdjhKTFVWYi9JNnJOQ0k3c3R4UnVmbEtWcm1EK1pqRUpvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVUdzQ2NsL0RwNWhieCt6b3Y3SUVxCkJVZ0xiK2d3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUtGK2VCUHFnMlF2ZXVjL01FUC84WllMcUMzWUozNkMKYURBV3RzcFRPK0U0QWlBQ296YVJoN2JxOG90YWtNTDUwOVZyNUROUkN1cFlERnVrQ3VYYmN0RjQzUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    server: https://192.168.1.50:6443
+  name: default
+contexts:
+- context:
+    cluster: default
+    user: default
+  name: default
+current-context: default
+kind: Config
+preferences: {}
+users:
+- name: default
+  user:
+    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrRENDQVRlZ0F3SUJBZ0lJU2JmQ0FLalVNY0F3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOemMwTURNeE1UYzNNQjRYRFRJMk1ETXlNREU0TWpZeE4xb1hEVEkzTURNeQpNREU0TWpZeE4xb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJGV2JGRG5NajIrbGdqU28KNzBGbk1iOUsxSEFpTnFmU2UyRGcxdE9kOENNcTVKeDI4blNwajR0YWMyajFxbFR5eDMwaGtXeGpFeUFGK0o4QQo0bVNuNDNlalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCU1ZZTlJOMkdBMU9ZOGlqMUZTenQ0dzNqR2lSakFLQmdncWhrak9QUVFEQWdOSEFEQkUKQWlCQiswam9OOERxc1VSNmFPOCtFdnJITUdtYXlBVkVzbW5iNzV4NVpxNEwwZ0lnSmxPQkVOeDJ3U01rYXRLdwpTQzcvbVdITTRnZ3N0andmTVc3OVFGSk9mMkk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkakNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUzTnpRd016RXhOemN3SGhjTk1qWXdNekl3TVRneU5qRTNXaGNOTXpZd016RTNNVGd5TmpFMwpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUzTnpRd016RXhOemN3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFRd1hENkEya1dYTUhXUGk3K2JVWVVpNWxLNTQ3NW1DL1pVSFd6WGxRdUMKYUpuYXYrVXp2bzN4bis1TGFEMjNJWjBRdFlsSFNKVUZGRkJUZ0Q4aDZsMnRvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWxXRFVUZGhnTlRtUElvOVJVczdlCk1ONHhva1l3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnS3FlZTcyZ0Q2MXVhV293bFg3Z1AxOCtxanB6MmRaWWgKYnZvVlN0eVBZOW9DSUNtNXNMQ2Z3enl6b2JldTN3NU5vaDZpdFZzeXgwRFJXbFYyUlBXemttZWgKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+    client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU5WK0pOVmdkUnBKb0hhaGkvSDN1SXkzTllZRlNBRjR6NFJxaUQ1YkhQTzNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVlpzVU9jeVBiNldDTktqdlFXY3h2MHJVY0NJMnA5SjdZT0RXMDUzd0l5cmtuSGJ5ZEttUAppMXB6YVBXcVZQTEhmU0dSYkdNVElBWDRud0RpWktmamR3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=

infra/kubernetes/argocd/app-of-apps.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: https://github.com/OWNER/homelab.git
+    repoURL: git@github.com:lazorgurl/homelab.git
     targetRevision: main
     path: infra/kubernetes/argocd
   destination:

infra/kubernetes/argocd/appsets/apps.yaml

@@ -8,7 +8,7 @@ spec:
   goTemplateOptions: ["missingkey=error"]
   generators:
     - git:
-        repoURL: https://github.com/OWNER/homelab.git
+        repoURL: git@github.com:lazorgurl/homelab.git
         revision: main
         directories:
           - path: apps/*/k8s/overlays/production
@@ -18,7 +18,7 @@ spec:
     spec:
       project: default
       source:
-        repoURL: https://github.com/OWNER/homelab.git
+        repoURL: git@github.com:lazorgurl/homelab.git
         targetRevision: main
         path: "{{ .path.path }}"
       destination:

infra/kubernetes/argocd/appsets/platform.yaml

@@ -8,7 +8,7 @@ spec:
   goTemplateOptions: ["missingkey=error"]
   generators:
     - git:
-        repoURL: https://github.com/OWNER/homelab.git
+        repoURL: git@github.com:lazorgurl/homelab.git
         revision: main
         directories:
           - path: infra/kubernetes/platform/*
@@ -18,7 +18,7 @@ spec:
     spec:
       project: default
       source:
-        repoURL: https://github.com/OWNER/homelab.git
+        repoURL: git@github.com:lazorgurl/homelab.git
         targetRevision: main
         path: "{{ .path.path }}"
       destination:

infra/kubernetes/argocd/appsets/previews.yaml

@@ -9,7 +9,7 @@ spec:
   generators:
     - pullRequest:
         github:
-          owner: OWNER
+          owner: lazorgurl
           repo: homelab
         requeueAfterSeconds: 60
   template:
@@ -18,7 +18,7 @@ spec:
     spec:
       project: default
       source:
-        repoURL: https://github.com/OWNER/homelab.git
+        repoURL: git@github.com:lazorgurl/homelab.git
         targetRevision: "{{ .branch }}"
         path: apps/*/k8s/overlays/preview
         kustomize:

scripts/kubeconfig-fetch.sh

@@ -3,8 +3,13 @@ set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 ROOT_DIR="$(dirname "$SCRIPT_DIR")"
+INVENTORY="$ROOT_DIR/infra/ansible/inventory/hosts.yaml"
 
-SERVER_HOST="${K3S_SERVER_HOST:-10.0.10.11}"
+# Auto-detect server IP from Ansible inventory, or use env override
+if [[ -z "${K3S_SERVER_HOST:-}" ]] && [[ -f "$INVENTORY" ]]; then
+  SERVER_HOST=$(grep -A1 'k3s_role: server' "$INVENTORY" | grep ansible_host | awk '{print $2}' | head -1)
+fi
+SERVER_HOST="${SERVER_HOST:-${K3S_SERVER_HOST:-192.168.1.50}}"
 SSH_USER="${SSH_USER:-julia}"
 KUBECONFIG_PATH="${KUBECONFIG_PATH:-$HOME/.kube/homelab}"