Initial monorepo scaffold

Turborepo + pnpm monorepo for k3s homelab cluster on Intel NUCs.

- Apps: Next.js web frontend, Express API (TypeScript, Dockerfiles, k8s manifests)
- Packages: shared UI, ESLint config, TypeScript config, Drizzle DB schemas
- Infra/Ansible: bare-metal provisioning with roles for common, k3s-server, k3s-agent, hardening
- Infra/Kubernetes: ArgoCD GitOps (app-of-apps + ApplicationSets), platform components
  (cert-manager, Traefik, CloudNativePG, Valkey, Longhorn, Sealed Secrets), namespaces
- Observability: kube-prometheus-stack, Loki, Promtail as ArgoCD Applications
- CI/CD: GitHub Actions for PR builds, preview deploys, production deploys
- DX: Taskfile, utility scripts, copier templates, Ubiquiti network docs

infra/ansible/ansible.cfg

@@ -0,0 +1,14 @@
+[defaults]
+inventory = inventory/hosts.yaml
+roles_path = roles
+remote_user = julia
+private_key_file = ~/.ssh/homelab
+host_key_checking = False
+retry_files_enabled = False
+stdout_callback = yaml
+callbacks_enabled = profile_tasks
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root

infra/ansible/inventory/group_vars/agents.yaml

@@ -0,0 +1,3 @@
+---
+k3s_agent_args: >-
+  --node-label=node-role.kubernetes.io/worker=true

infra/ansible/inventory/group_vars/all.yaml

@@ -0,0 +1,37 @@
+---
+# Timezone
+timezone: America/New_York
+
+# NTP
+ntp_servers:
+  - 0.ubuntu.pool.ntp.org
+  - 1.ubuntu.pool.ntp.org
+
+# k3s
+k3s_version: v1.31.4+k3s1
+k3s_server_url: "https://{{ hostvars['nuc01']['ansible_host'] }}:6443"
+k3s_token: "{{ vault_k3s_token }}"
+
+# System packages
+common_packages:
+  - curl
+  - wget
+  - git
+  - htop
+  - iotop
+  - net-tools
+  - unzip
+  - jq
+  - open-iscsi
+  - nfs-common
+  - cryptsetup
+
+# Container runtime
+containerd_config:
+  max_container_log_size: 10M
+  max_container_log_files: 3
+
+# Network
+cluster_cidr: 10.42.0.0/16
+service_cidr: 10.43.0.0/16
+cluster_dns: 10.43.0.10

infra/ansible/inventory/group_vars/servers.yaml

@@ -0,0 +1,12 @@
+---
+k3s_server_args: >-
+  --cluster-cidr={{ cluster_cidr }}
+  --service-cidr={{ service_cidr }}
+  --cluster-dns={{ cluster_dns }}
+  --disable=servicelb
+  --write-kubeconfig-mode=644
+  --tls-san={{ ansible_host }}
+  --tls-san=k3s.homelab.local
+  --kube-apiserver-arg=audit-log-maxage=30
+  --kube-apiserver-arg=audit-log-maxbackup=10
+  --kube-apiserver-arg=audit-log-maxsize=100

infra/ansible/inventory/host_vars/nuc01.yaml

@@ -0,0 +1,4 @@
+---
+node_labels:
+  - topology.kubernetes.io/zone=rack1
+  - node.kubernetes.io/instance-type=nuc

infra/ansible/inventory/hosts.yaml

@@ -0,0 +1,18 @@
+---
+all:
+  children:
+    k3s_cluster:
+      children:
+        servers:
+          hosts:
+            nuc01:
+              ansible_host: 10.0.10.11
+              k3s_role: server
+        agents:
+          hosts:
+            nuc02:
+              ansible_host: 10.0.10.12
+              k3s_role: agent
+            nuc03:
+              ansible_host: 10.0.10.13
+              k3s_role: agent

infra/ansible/playbooks/bootstrap.yaml

@@ -0,0 +1,7 @@
+---
+- name: Bootstrap all nodes
+  hosts: k3s_cluster
+  become: true
+  roles:
+    - common
+    - hardening

infra/ansible/playbooks/k3s-agent.yaml

@@ -0,0 +1,6 @@
+---
+- name: Install k3s agent nodes
+  hosts: agents
+  become: true
+  roles:
+    - k3s-agent

infra/ansible/playbooks/k3s-server.yaml

@@ -0,0 +1,6 @@
+---
+- name: Install k3s server nodes
+  hosts: servers
+  become: true
+  roles:
+    - k3s-server

infra/ansible/playbooks/k3s-upgrade.yaml

@@ -0,0 +1,49 @@
+---
+- name: Upgrade k3s cluster
+  hosts: k3s_cluster
+  become: true
+  serial: 1
+  vars:
+    k3s_upgrade_version: "{{ k3s_version }}"
+  tasks:
+    - name: Cordon node
+      ansible.builtin.command:
+        cmd: k3s kubectl cordon {{ inventory_hostname }}
+      delegate_to: "{{ groups['servers'][0] }}"
+      changed_when: true
+
+    - name: Drain node
+      ansible.builtin.command:
+        cmd: >-
+          k3s kubectl drain {{ inventory_hostname }}
+          --ignore-daemonsets
+          --delete-emptydir-data
+          --timeout=120s
+      delegate_to: "{{ groups['servers'][0] }}"
+      changed_when: true
+
+    - name: Upgrade k3s
+      ansible.builtin.command:
+        cmd: /tmp/k3s-install.sh
+      environment:
+        INSTALL_K3S_VERSION: "{{ k3s_upgrade_version }}"
+        K3S_TOKEN: "{{ k3s_token }}"
+        INSTALL_K3S_EXEC: "{{ 'server ' + k3s_server_args if k3s_role == 'server' else 'agent ' + k3s_agent_args }}"
+        K3S_URL: "{{ '' if k3s_role == 'server' else k3s_server_url }}"
+      changed_when: true
+
+    - name: Wait for node to be ready
+      ansible.builtin.command:
+        cmd: k3s kubectl get node {{ inventory_hostname }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
+      delegate_to: "{{ groups['servers'][0] }}"
+      register: node_ready
+      retries: 30
+      delay: 10
+      until: node_ready.stdout == "True"
+      changed_when: false
+
+    - name: Uncordon node
+      ansible.builtin.command:
+        cmd: k3s kubectl uncordon {{ inventory_hostname }}
+      delegate_to: "{{ groups['servers'][0] }}"
+      changed_when: true

infra/ansible/playbooks/reset.yaml

@@ -0,0 +1,38 @@
+---
+- name: Reset k3s cluster (DESTRUCTIVE)
+  hosts: k3s_cluster
+  become: true
+  tasks:
+    - name: Confirm reset
+      ansible.builtin.pause:
+        prompt: "This will DESTROY the k3s cluster. Type 'yes' to continue"
+      register: confirm
+      run_once: true
+
+    - name: Abort if not confirmed
+      ansible.builtin.fail:
+        msg: "Reset aborted"
+      when: confirm.user_input != "yes"
+      run_once: true
+
+    - name: Uninstall k3s agent
+      ansible.builtin.command:
+        cmd: /usr/local/bin/k3s-agent-uninstall.sh
+      when: k3s_role == 'agent'
+      ignore_errors: true
+      changed_when: true
+
+    - name: Uninstall k3s server
+      ansible.builtin.command:
+        cmd: /usr/local/bin/k3s-uninstall.sh
+      when: k3s_role == 'server'
+      ignore_errors: true
+      changed_when: true
+
+    - name: Clean up data directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /var/lib/rancher
+        - /etc/rancher

infra/ansible/playbooks/site.yaml

@@ -0,0 +1,9 @@
+---
+- name: Full cluster deployment
+  ansible.builtin.import_playbook: bootstrap.yaml
+
+- name: Install k3s servers
+  ansible.builtin.import_playbook: k3s-server.yaml
+
+- name: Install k3s agents
+  ansible.builtin.import_playbook: k3s-agent.yaml

infra/ansible/requirements.yaml

@@ -0,0 +1,8 @@
+---
+collections:
+  - name: ansible.posix
+    version: ">=1.5.0"
+  - name: community.general
+    version: ">=9.0.0"
+  - name: kubernetes.core
+    version: ">=4.0.0"

infra/ansible/roles/common/handlers/main.yaml

@@ -0,0 +1,6 @@
+---
+- name: restart timesyncd
+  ansible.builtin.systemd:
+    name: systemd-timesyncd
+    state: restarted
+    enabled: true

infra/ansible/roles/common/tasks/main.yaml

@@ -0,0 +1,55 @@
+---
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+
+- name: Configure NTP
+  ansible.builtin.template:
+    src: timesyncd.conf.j2
+    dest: /etc/systemd/timesyncd.conf
+    mode: "0644"
+  notify: restart timesyncd
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: Install common packages
+  ansible.builtin.apt:
+    name: "{{ common_packages }}"
+    state: present
+
+- name: Configure sysctl for k8s
+  ansible.posix.sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    sysctl_set: true
+    reload: true
+  loop:
+    - { key: net.bridge.bridge-nf-call-iptables, value: "1" }
+    - { key: net.bridge.bridge-nf-call-ip6tables, value: "1" }
+    - { key: net.ipv4.ip_forward, value: "1" }
+    - { key: fs.inotify.max_user_instances, value: "512" }
+    - { key: fs.inotify.max_user_watches, value: "524288" }
+
+- name: Load br_netfilter module
+  community.general.modprobe:
+    name: br_netfilter
+    persistent: present
+
+- name: Disable swap
+  ansible.builtin.command: swapoff -a
+  changed_when: false
+
+- name: Remove swap from fstab
+  ansible.builtin.lineinfile:
+    path: /etc/fstab
+    regexp: '\sswap\s'
+    state: absent
+
+- name: Enable iscsid service (for Longhorn)
+  ansible.builtin.systemd:
+    name: iscsid
+    enabled: true
+    state: started

infra/ansible/roles/common/templates/timesyncd.conf.j2

@@ -0,0 +1,5 @@
+[Time]
+{% for server in ntp_servers %}
+NTP={{ server }}
+{% endfor %}
+FallbackNTP=ntp.ubuntu.com

infra/ansible/roles/hardening/handlers/main.yaml

@@ -0,0 +1,5 @@
+---
+- name: restart sshd
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted

infra/ansible/roles/hardening/tasks/main.yaml

@@ -0,0 +1,81 @@
+---
+- name: Ensure SSH password authentication is disabled
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication"
+    line: "PasswordAuthentication no"
+  notify: restart sshd
+
+- name: Disable root SSH login
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+    line: "PermitRootLogin no"
+  notify: restart sshd
+
+- name: Install and configure UFW
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+
+- name: Set UFW default deny incoming
+  community.general.ufw:
+    direction: incoming
+    default: deny
+
+- name: Set UFW default allow outgoing
+  community.general.ufw:
+    direction: outgoing
+    default: allow
+
+- name: Allow SSH
+  community.general.ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+
+- name: Allow k3s API server (servers only)
+  community.general.ufw:
+    rule: allow
+    port: "6443"
+    proto: tcp
+  when: k3s_role == 'server'
+
+- name: Allow k3s flannel VXLAN
+  community.general.ufw:
+    rule: allow
+    port: "8472"
+    proto: udp
+
+- name: Allow kubelet metrics
+  community.general.ufw:
+    rule: allow
+    port: "10250"
+    proto: tcp
+
+- name: Allow HTTP/HTTPS (for Traefik ingress)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
+
+- name: Configure automatic security updates
+  ansible.builtin.apt:
+    name: unattended-upgrades
+    state: present
+
+- name: Enable automatic security updates
+  ansible.builtin.copy:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+      APT::Periodic::AutocleanInterval "7";
+    mode: "0644"

infra/ansible/roles/k3s-agent/tasks/main.yaml

@@ -0,0 +1,29 @@
+---
+- name: Check if k3s-agent is installed
+  ansible.builtin.stat:
+    path: /usr/local/bin/k3s
+  register: k3s_binary
+
+- name: Download k3s installer
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp/k3s-install.sh
+    mode: "0755"
+  when: not k3s_binary.stat.exists
+
+- name: Install k3s agent
+  ansible.builtin.command:
+    cmd: /tmp/k3s-install.sh
+  environment:
+    INSTALL_K3S_VERSION: "{{ k3s_version }}"
+    K3S_URL: "{{ k3s_server_url }}"
+    K3S_TOKEN: "{{ k3s_token }}"
+    INSTALL_K3S_EXEC: "agent {{ k3s_agent_args }}"
+  when: not k3s_binary.stat.exists
+  changed_when: true
+
+- name: Wait for k3s-agent to be ready
+  ansible.builtin.systemd:
+    name: k3s-agent
+    state: started
+    enabled: true

infra/ansible/roles/k3s-server/tasks/main.yaml

@@ -0,0 +1,47 @@
+---
+- name: Check if k3s is installed
+  ansible.builtin.stat:
+    path: /usr/local/bin/k3s
+  register: k3s_binary
+
+- name: Download k3s installer
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp/k3s-install.sh
+    mode: "0755"
+  when: not k3s_binary.stat.exists
+
+- name: Install k3s server
+  ansible.builtin.command:
+    cmd: /tmp/k3s-install.sh
+  environment:
+    INSTALL_K3S_VERSION: "{{ k3s_version }}"
+    K3S_TOKEN: "{{ k3s_token }}"
+    INSTALL_K3S_EXEC: "server {{ k3s_server_args }}"
+  when: not k3s_binary.stat.exists
+  changed_when: true
+
+- name: Wait for k3s to be ready
+  ansible.builtin.command:
+    cmd: k3s kubectl get nodes
+  register: k3s_ready
+  retries: 30
+  delay: 10
+  until: k3s_ready.rc == 0
+  changed_when: false
+
+- name: Fetch kubeconfig
+  ansible.builtin.fetch:
+    src: /etc/rancher/k3s/k3s.yaml
+    dest: "{{ playbook_dir }}/../../kubeconfig"
+    flat: true
+  run_once: true
+
+- name: Update kubeconfig server URL
+  ansible.builtin.lineinfile:
+    path: "{{ playbook_dir }}/../../kubeconfig"
+    regexp: "server: https://127.0.0.1:6443"
+    line: "    server: https://{{ ansible_host }}:6443"
+  delegate_to: localhost
+  become: false
+  run_once: true