feat: reverse proxy and certs working

2022-11-19 23:42:06 +00:00
parent 645dacdca4
commit b27354241d
16 changed files with 1496 additions and 46397 deletions
@@ -1 +1,2 @@
 .env/
+*.log
@@ -112,3 +112,7 @@ This repo is really standing on the shoulders of giants. Thank you to all those
 - [k3s-io/k3s-ansible](https://github.com/k3s-io/k3s-ansible)
 - [geerlingguy/turing-pi-cluster](https://github.com/geerlingguy/turing-pi-cluster)
 - [212850a/k3s-ansible](https://github.com/212850a/k3s-ansible)
+
+## TODO
+
+https://www.phillipsj.net/posts/k3s-enable-nfs-storage/
@@ -48,7 +48,7 @@ metal_lb_speaker_tag_version: "v0.13.6"
 metal_lb_controller_tag_version: "v0.13.6"

 # metallb ip range for load balancer
-metal_lb_ip_range: "10.1.1.2-10.1.1.254"
+metal_lb_ip_range: "10.0.4.1-10.0.4.254"

 lxc_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
@@ -0,0 +1 @@
+---
@@ -1,5 +1,20 @@
 ---
- name: Add helm chart
-  ansible.builtin.shell: |
-    helm repo add authelia https://charts.authelia.com
-    helm repo update
+- name: Add traefik helm repo
+  kubernetes.core.helm_repository:
+    name: authelia
+    repo_url: "https://charts.authelia.com"
+
+- name: Update the repository cache
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: dummy
+    namespace: kube-system
+    state: absent
+    update_repo_cache: true
+
+- name: Deploy latest version of Authelia chart inside
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: authelia
+    chart_ref: authelia/authelia
+    values: "{{ lookup('template', 'values.yml') | from_yaml }}"
@@ -15,7 +15,7 @@

 - name: Download cert-manager.crds manifest to the cluster.
  ansible.builtin.get_url:
-    url: https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+    url: https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.crds.yaml
    dest: /tmp/cert-manager.crds.yaml
    mode: "0664"

@@ -14,7 +14,7 @@ spec:
          cloudflare:
            email: D5&YbHe&oKx82uuTQ^AfW#$*D8GsDE#K3x^446S^wvH#8T@W2C
            apiTokenSecretRef:
-              name: cloudflare-token-secret
+              name: cloudflare-api-token-secret
              key: cloudflare-token
        selector:
          dnsZones:
@@ -6,4 +6,4 @@ metadata:
  namespace: cert-manager
 type: Opaque
 stringData:
-  api-token: "{{ cloudflare_api_key }}"
+  cloudflare-token: "{{ cloudflare_api_key }}"
@@ -1,28 +1,24 @@
 ---
 - name: Add cgroup rule
  ansible.builtin.lineinfile:
-    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
    state: present
    line: lxc.apparmor.profile{{":"}} unconfined
-    validate: /usr/sbin/visudo -cf %s

 - name: Add cgroup rule
  ansible.builtin.lineinfile:
-    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
    state: present
    line: lxc.cap.drop{{":"}}
-    validate: /usr/sbin/visudo -cf %s

 - name: Add cgroup rule
  ansible.builtin.lineinfile:
-    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
    state: present
    line: lxc.mount.auto"{{":"}}" "proc{{":"}}rw sys{{":"}}rw"
-    validate: /usr/sbin/visudo -cf %s

 - name: Add cgroup rule
  ansible.builtin.lineinfile:
-    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/"{{ hostvars[ansible_hostname]['k3s_vmid'] }}".conf
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
    state: present
    line: lxc.cgroup2.devices.allow{{":"}} c 10{{":"}}200 rwm
-    validate: /usr/sbin/visudo -cf %s
@@ -8,6 +8,7 @@
    state: stopped
  loop: "{{ groups['baremetal'] }}"
  ignore_errors: true
+  timeout: 90

 - name: Remove containers
  community.general.proxmox:
@@ -18,6 +19,7 @@
    state: absent
  loop: "{{ groups['baremetal'] }}"
  ignore_errors: true
+  timeout: 90

 - name: Remove .ssh/known_hosts lines
  ansible.builtin.lineinfile:
@@ -22,25 +22,25 @@
    create_namespace: true
    values: "{{ lookup('template', 'values.yml') | from_yaml }}"

- name: Create a Deployment by reading the definition from a local file
+- name: Deploy traefik default headers
  kubernetes.core.k8s:
    kubeconfig: /Users/lino.silva/.kube/config
    state: present
    definition: "{{ lookup('template', 'default-headers.yml') | from_yaml }}"

- name: Create a Deployment by reading the definition from a local file
+- name: Deploy secret for traefik dashboard
  kubernetes.core.k8s:
    kubeconfig: /Users/lino.silva/.kube/config
    state: present
    definition: "{{ lookup('template', 'secret-dashboard.yml') | from_yaml }}"

- name: Create a Deployment by reading the definition from a local file
+- name: Deploy dashboard middleware for auth
  kubernetes.core.k8s:
    kubeconfig: /Users/lino.silva/.kube/config
    state: present
    definition: "{{ lookup('template', 'dashboard-middleware.yml') | from_yaml }}"

- name: Create a Deployment by reading the definition from a local file
+- name: Create dashboard ingress
  kubernetes.core.k8s:
    kubeconfig: /Users/lino.silva/.kube/config
    state: present
@@ -17,5 +17,5 @@ spec:
      services:
        - name: api@internal
          kind: TraefikService
- tls:
-   secretName: lino-cooking-staging-tls
+#  tls:
+#    secretName: lino-cooking-staging-tls
@@ -45,6 +45,6 @@ service:
  annotations: {}
  labels: {}
  spec:
-    loadBalancerIP: 10.1.1.3 # this should be an IP in the MetalLB range
+    loadBalancerIP: 10.0.4.1 # this should be an IP in the MetalLB range
  loadBalancerSourceRanges: []
  externalIPs: []
@@ -1,66 +1,66 @@
 ---
-# - hosts: localhost
-#   gather_facts: no
-#   become: yes
-#   roles:
-#     - role: provision/delete
+- hosts: localhost
+  gather_facts: no
+  become: yes
+  roles:
+    - role: provision/delete

-# - hosts: localhost
-#   gather_facts: no
-#   become: yes
-#   roles:
-#     - role: provision/create
+- hosts: localhost
+  gather_facts: no
+  become: yes
+  roles:
+    - role: provision/create

-# - hosts: baremetal
-#   gather_facts: yes
-#   become: yes
-#   roles:
-#     - role: provision/pre
-#     - role: provision/cgroup
+- hosts: baremetal
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: provision/pre
+    - role: provision/cgroup

-# - hosts: localhost
-#   gather_facts: no
-#   become: yes
-#   roles:
-#     - role: provision/start
+- hosts: localhost
+  gather_facts: no
+  become: yes
+  roles:
+    - role: provision/start

-# - hosts: baremetal
-#   gather_facts: yes
-#   become: yes
-#   roles:
-#     - role: provision/enable-ssh
+- hosts: baremetal
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: provision/enable-ssh

-# - hosts: k3s_cluster
-#   gather_facts: yes
-#   become: yes
-#   roles:
-#     - role: prereq
-#     - role: download
+- hosts: k3s_cluster
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: prereq
+    - role: download

-# - hosts: master
-#   become: yes
-#   roles:
-#     - role: k3s/master
+- hosts: master
+  become: yes
+  roles:
+    - role: k3s/master

-# - hosts: node
-#   become: yes
-#   roles:
-#     - role: k3s/node
+- hosts: node
+  become: yes
+  roles:
+    - role: k3s/node

-# - hosts: master
-#   become: yes
-#   roles:
-#     - role: k3s/post
+- hosts: master
+  become: yes
+  roles:
+    - role: k3s/post

-# - hosts: master
-#   become: yes
-#   roles:
-#     - role: k3s/copy-config
+- hosts: master
+  become: yes
+  roles:
+    - role: k3s/copy-config

 - hosts: localhost
  become: yes
  roles:
-    #    - role: traefik
-    #    - role: nginx
+    - role: traefik
+    - role: nginx
    - role: cert-manager
-#    - role: authelia
+    - role: authelia