feat: wtf

Co-authored-by: Lino Silva <lino.silva@farfetch.com>
Reviewed-on: #1

.ansible-lint

@@ -1,3 +1,11 @@
 ---
+exclude_paths:
+  # default paths
+  - ".cache/"
+  - ".github/"
+  - "test/fixtures/formatting-before/"
+  - "test/fixtures/formatting-prettier/"
+
 skip_list:
-  - 'fqcn-builtins'
+  - "fqcn-builtins"
+  - "name[play]"

.editorconfig

@@ -0,0 +1,13 @@
+root = true
+[*]
+indent_style = space
+indent_size = 2
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+end_of_line = lf
+max_line_length = off
+[Makefile]
+indent_style = tab
+[*.go]
+indent_style = tab

.github/FUNDING.yml

@@ -1,3 +0,0 @@
----
-github: timothystewart6
-patreon: technotim

.github/ISSUE_TEMPLATE.md

@@ -1,77 +0,0 @@
-
-<!-- It's a good idea to check this post first for general troubleshooting https://github.com/techno-tim/k3s-ansible/discussions/19   -->
-
-<!--- Provide a general summary of the issue in the Title above -->
-
-## Expected Behavior
-
-<!--- Tell us what should happen -->
-
-## Current Behavior
-<!--- Tell us what happens instead of the expected behavior -->
-
-## Steps to Reproduce
-
-<!--- reproduce this bug. Include code to reproduce, if relevant -->
-
-1.
-2.
-3.
-4.
-
-## Context (variables)
-<!--- please include which OS, along with the variables used when running the playbook -->
-
-Operating system:
-
-Hardware:
-
-### Variables Used
-
-`all.yml`
-
-```yml
-k3s_version: ""
-ansible_user: NA
-systemd_dir: ""
-
-flannel_iface: ""
-
-apiserver_endpoint: ""
-
-k3s_token: "NA"
-
-extra_server_args: ""
-extra_agent_args: ""
-
-kube_vip_tag_version: ""
-
-metal_lb_speaker_tag_version: ""
-metal_lb_controller_tag_version: ""
-
-metal_lb_ip_range: ""
-```
-
-### Hosts
-
-`host.ini`
-
-```ini
-[master]
-IP.ADDRESS.ONE
-IP.ADDRESS.TWO
-IP.ADDRESS.THREE
-
-[node]
-IP.ADDRESS.FOUR
-IP.ADDRESS.FIVE
-
-[k3s_cluster:children]
-master
-node
-```
-
-## Possible Solution
-<!--- Not obligatory, but suggest a fix/reason for the bug, -->
-
-- [ ] I've checked the [General Troubleshooting Guide](https://github.com/techno-tim/k3s-ansible/discussions/20)

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,14 +0,0 @@
-# Proposed Changes
-<!--- Provide a general summary of your changes -->
-
--
--
--
-
-## Checklist
-
-- [ ] Tested locally
-- [ ] Ran `site.yml` playbook
-- [ ] Ran `reset.yml` playbook
-- [ ] Did not add any unnecessary changes
-- [ ] 🚀

.github/dependabot.yml

@@ -1,11 +0,0 @@
----
-version: 2
-updates:
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    rebase-strategy: "auto"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-major"]

.github/workflows/lint.yml

@@ -1,30 +0,0 @@
----
-name: Linting
-on:
-  pull_request:
-  push:
-    branches:
-      - master
-
-jobs:
-  ansible-lint:
-    name: YAML Lint + Ansible Lint
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out the codebase
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # 3.0.2
-
-      - name: Set up Python 3.x
-        uses: actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5 #4.0.2
-        with:
-          python-version: '3.x'
-
-      - name: Install test dependencies
-        run: pip3 install yamllint ansible-lint ansible
-
-      - name: Run yamllint
-        run: yamllint .
-
-      - name: Run ansible-lint
-        run: ansible-lint

.github/workflows/test.yml

@@ -1,69 +0,0 @@
----
-name: Test
-on:
-  pull_request:
-  push:
-    branches:
-      - master
-
-jobs:
-  vagrant:
-    name: Vagrant
-    runs-on: macos-12
-
-    env:
-      HOMEBREW_NO_INSTALL_CLEANUP: 1
-      VAGRANT_CWD: ${{ github.workspace }}/vagrant
-
-    steps:
-      - name: Check out the codebase
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # 3.0.2
-
-      - name: Install Ansible
-        run: brew install ansible
-
-      - name: Install role dependencies
-        run: ansible-galaxy install -r collections/requirements.yml
-
-      - name: Configure VirtualBox
-        run: >-
-          sudo mkdir -p /etc/vbox &&
-          echo "* 192.168.30.0/24" | sudo tee -a /etc/vbox/networks.conf > /dev/null
-
-      - name: Cache Vagrant boxes
-        uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # 3.0.8
-        with:
-          path: |
-            ~/.vagrant.d/boxes
-          key: vagrant-boxes-${{ hashFiles('**/Vagrantfile') }}
-          restore-keys: |
-            vagrant-boxes
-
-      - name: Create virtual machines
-        run: vagrant up
-        timeout-minutes: 10
-
-      - name: Provision cluster using Ansible
-        # Since Ansible sets up _all_ machines, it is sufficient to run it only
-        # once (i.e, for a single node - we are choosing control1 here)
-        run: vagrant provision control1 --provision-with ansible
-        timeout-minutes: 25
-
-      - name: Set up kubectl on the host
-        run: brew install kubectl &&
-          mkdir -p ~/.kube &&
-          vagrant ssh control1 --command "cat ~/.kube/config" > ~/.kube/config
-
-      - name: Show cluster nodes
-        run: kubectl describe -A nodes
-
-      - name: Show cluster pods
-        run: kubectl describe -A pods
-
-      - name: Test cluster
-        run: $VAGRANT_CWD/test_cluster.py --verbose --locals
-        timeout-minutes: 5
-
-      - name: Destroy virtual machines
-        if: always() # do this even if a step before has failed
-        run: vagrant destroy --force

.gitignore

@@ -1 +1,2 @@
-.vagrant
+.env/
+*.log

.pre-commit-config.yaml

@@ -0,0 +1,21 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0
+    hooks:
+      - id: requirements-txt-fixer
+      - id: sort-simple-yaml
+      - id: detect-private-key
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.28.0
+    hooks:
+      - id: yamllint
+        args: [-c=.yamllint]
+  - repo: https://github.com/ansible-community/ansible-lint.git
+    rev: v6.8.2
+    hooks:
+      - id: ansible-lint
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.8.0.4
+    hooks:
+      - id: shellcheck

README.md

@@ -16,21 +16,26 @@ If you want more context on how this works, see:
 
 Build a Kubernetes cluster using Ansible with k3s. The goal is easily install a HA Kubernetes cluster on machines running:
 
-- [X] Debian
+- [x] Debian (tested on version 11)
-- [X] Ubuntu
+- [x] Ubuntu (tested on version 22.04)
-- [X] CentOS
+- [x] Rocky (tested on version 9)
 
 on processor architecture:
 
-- [X] x64
+- [x] x64
-- [X] arm64
+- [x] arm64
-- [X] armhf
+- [x] armhf
 
 ## ✅ System requirements
 
 - Deployment environment must have Ansible 2.4.0+. If you need a quick primer on Ansible [you can check out my docs and setting up Ansible](https://docs.technotim.live/posts/ansible-automation/).
+
+- [`netaddr` package](https://pypi.org/project/netaddr/) must be available to Ansible. If you have installed Ansible via apt, this is already taken care of. If you have installed Ansible via `pip`, make sure to install `netaddr` into the respective virtual environment.
+
 - `server` and `agent` nodes should have passwordless SSH access, if not you can supply arguments to provide credentials `--ask-pass --ask-become-pass` to each command.
 
+- You will also need to install collections that this playbook uses by running `ansible-galaxy collection install -r ./collections/requirements.yml`
+
 ## 🚀 Getting Started
 
 ### 🍴 Preparation
@@ -71,7 +76,7 @@ If needed, you can also edit `inventory/my-cluster/group_vars/all.yml` to match
 Start provisioning of the cluster using the following command:
 
 ```bash
-ansible-playbook site.yml -i inventory/my-cluster/hosts.ini
+ansible-playbook site.yml -i inventory/my-cluster/hosts.ini --ask-become-pass --ask-vault-pass
 ```
 
 After deployment control plane will be accessible via virtual ip-address which is defined in inventory/group_vars/all.yml as `apiserver_endpoint`
@@ -100,19 +105,16 @@ See the commands [here](https://docs.technotim.live/posts/k3s-etcd-ansible/#test
 
 Be sure to see [this post](https://github.com/techno-tim/k3s-ansible/discussions/20) on how to troubleshoot common problems
 
-### 🔷 Vagrant
-
-You may want to kickstart your k3s cluster by using Vagrant to quickly build you all needed VMs with one command.
-Head to the `vagrant` subfolder and type `vagrant up` to get your environment setup.
-After the VMs have got build, deploy k3s using the Ansible playbook `site.yml` by the
-`vagrant provision --provision-with ansible` command.
-
 ## Thanks 🤝
 
-This repo is really standing on the shoulders of giants.  To all those who have contributed.
+This repo is really standing on the shoulders of giants. Thank you to all those who have contributed and tanks to these repos for code and ideas:
-
-Thanks to these repos for code and ideas:
 
 - [k3s-io/k3s-ansible](https://github.com/k3s-io/k3s-ansible)
 - [geerlingguy/turing-pi-cluster](https://github.com/geerlingguy/turing-pi-cluster)
 - [212850a/k3s-ansible](https://github.com/212850a/k3s-ansible)
+
+## TODO
+
+- https://docs.k3s.io/installation/kube-dashboard
+- https://www.phillipsj.net/posts/k3s-enable-nfs-storage/
+- https://www.authelia.com/integration/kubernetes/chart/

ansible.cfg

@@ -1,12 +1,23 @@
 [defaults]
 nocows                  = True
 roles_path              = ./roles
-inventory  = ./hosts.ini
+inventory               = ./inventory/my-cluster/hosts.ini
+stdout_callback         = yaml
 
 remote_tmp              = $HOME/.ansible/tmp
 local_tmp               = $HOME/.ansible/tmp
-pipelining = True
+timeout                 = 60
-become = True
 host_key_checking       = False
 deprecation_warnings    = False
 callback_whitelist      = profile_tasks
+log_path                = ./ansible.log
+
+[privilege_escalation]
+become                  = True
+
+[ssh_connection]
+scp_if_ssh              = smart
+retries                 = 3
+ssh_args                = -o ControlMaster=auto -o ControlPersist=30m -o Compression=yes -o ServerAliveInterval=15s
+pipelining              = True
+control_path            = %(directory)s/%%h-%%r

collections/requirements.yml

@@ -1,4 +1,7 @@
 ---
 collections:
+  - name: ansible.utils
   - name: community.general
   - name: ansible.posix
+  - name: kubernetes.core
+  - name: community.docker

inventory/.gitignore

@@ -1,3 +0,0 @@
-/*
-!.gitignore
-!sample/

inventory/my-cluster/group_vars/all.yml

@@ -0,0 +1,86 @@
+---
+k3s_version: v1.24.6+k3s1
+# this is the user that has ssh access to these machines
+ansible_user: lino
+systemd_dir: /etc/systemd/system
+
+# Set your timezone
+system_timezone: "Europe/Lisbon"
+
+# interface which will be used for flannel
+flannel_iface: "eth0"
+
+# apiserver_endpoint is virtual ip-address which will be configured on each master
+apiserver_endpoint: "10.0.3.1"
+
+# k3s_token is required  masters can talk together securely
+# this token should be alpha numeric only
+k3s_token: "7qXiuKpSY9uLwdVSNSnEF5RkttoERixCpc2EVJW7vh7Ws4NMN3"
+
+# The IP on which the node is reachable in the cluster.
+# Here, a sensible default is provided, you can still override
+# it for each of your hosts, though.
+k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}'
+
+# Disable the taint manually by setting: k3s_master_taint = false
+k3s_master_taint: false
+
+# these arguments are recommended for servers as well as agents:
+extra_args: >-
+  --flannel-iface={{ flannel_iface }}
+  --node-ip={{ k3s_node_ip }}
+
+# change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }}
+extra_server_args: >-
+  {{ extra_args }}
+  {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
+  --tls-san {{ apiserver_endpoint }}
+  --disable servicelb
+  --disable traefik
+extra_agent_args: >-
+  {{ extra_args }}
+
+# image tag for kube-vip
+kube_vip_tag_version: "v0.5.5"
+
+# image tag for metal lb
+metal_lb_speaker_tag_version: "v0.13.6"
+metal_lb_controller_tag_version: "v0.13.6"
+
+# metallb ip range for load balancer
+metal_lb_ip_range: "10.0.4.1-10.0.4.254"
+
+lxc_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38303735306236303463613632623161643633663631303931396564346565666236643562316264
+  6533643331306364653564653763356537303932313531350a393261643137636232616335376461
+  66383966333765626539363561613361393665616333303964373761356166623766663232303063
+  3138353333373935660a383230393330646538303933336366383736643333623663333934663131
+  3064
+
+proxmox_api_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  35376334616332386130656335663736343337396532663266383934643632363664646631653935
+  6533343936353734343761343465646365616130643130360a316234333036303738663566666364
+  61653638373830383733323563373862346662363339656632643661336533363162616435616531
+  6331326462356366320a303331616366356333306638386130666538633833623162653934616338
+  3566
+
+traefik_http_auth_user: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38323532616336373939646333613338626431363466633631343162636235623563393135653231
+  3961383965356631613164303566393632323938386664360a373037616335643662613564353130
+  30353832376431633834336234386161313062373437613132623733646166303639313364373637
+  3933626639646536320a303163353835633837356530613931346165353939363235373561333836
+  39366266303064393334383835323330353934643862323330343337393761353166393333376131
+  33303439393531303031653361393530313930363039646566613831373366326432653634653165
+  313735383263623836363030386531613033
+
+cloudflare_api_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38363363386466666266613930386237623430646531303734613863306530666530376433633339
+  3166373361393839363439326661396136616637393865630a666637366132643035343832666335
+  33376139643533313730313135653064393239316162376339653965313366643565643664666534
+  6631393564333230370a303634643030346166383235643666356164393232643832333238313664
+  38346161306138653735303861646638653830633938326566663136393862643264353437623963
+  3462616435653132623563316231343739333761653365333437

inventory/my-cluster/host_vars/daruk

@@ -0,0 +1,14 @@
+---
+ansible_user: root
+ansible_host: 10.0.2.6
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+ip_addr: 10.0.2.6
+k3s_mac_addr: DE:05:FF:02:47:D8
+k3s_hostname: k3s-agent-daruk
+k3s_lxc_host: 10.0.3.6
+k3s_vm_host: 10.0.3.106
+k3s_cores: 8
+k3s_memory: 4096
+k3s_disk: 150
+k3s_vmid: 606
+k3s_template_id: 900

inventory/my-cluster/host_vars/epona

@@ -0,0 +1,14 @@
+---
+ansible_user: root
+ansible_host: 10.0.2.2
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+ip_addr: 10.0.2.2
+k3s_mac_addr: de:05:ff:02:47:d7
+k3s_hostname: k3s-master-epona
+k3s_lxc_host: 10.0.3.2
+k3s_vm_host: 10.0.3.102
+k3s_cores: 4
+k3s_memory: 8192
+k3s_disk: 75
+k3s_vmid: 601
+k3s_template_id: 901

inventory/my-cluster/host_vars/epona-pihole

@@ -0,0 +1,8 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.13
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+mac_addr: EA:11:8B:05:5A:88
+vmid: 203
+node: epona

inventory/my-cluster/host_vars/frigate

@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.14
+ansible_ssh_pass: "{{ proxmox_api_password }}"

inventory/my-cluster/host_vars/k3s-agent-daruk

@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.3.106
+ansible_ssh_pass: "{{ proxmox_api_password }}"

inventory/my-cluster/host_vars/k3s-agent-revali

@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.3.104
+ansible_ssh_pass: "{{ proxmox_api_password }}"

inventory/my-cluster/host_vars/k3s-agent-urbosa

@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.3.105
+ansible_ssh_pass: "{{ proxmox_api_password }}"

inventory/my-cluster/host_vars/k3s-master-epona

@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.3.102
+ansible_ssh_pass: "{{ proxmox_api_password }}"

inventory/my-cluster/host_vars/k3s-master-mipha

@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.3.103
+ansible_ssh_pass: "{{ proxmox_api_password }}"

inventory/my-cluster/host_vars/mipha

@@ -0,0 +1,14 @@
+---
+ansible_user: root
+ansible_host: 10.0.2.3
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+ip_addr: 10.0.2.3
+k3s_mac_addr: 0e:a0:ff:8c:70:df
+k3s_hostname: k3s-master-mipha
+k3s_lxc_host: 10.0.3.3
+k3s_vm_host: 10.0.3.103
+k3s_cores: 4
+k3s_memory: 6144
+k3s_disk: 75
+k3s_vmid: 602
+k3s_template_id: 902

inventory/my-cluster/host_vars/revali

@@ -0,0 +1,14 @@
+---
+ansible_user: root
+ansible_host: 10.0.2.4
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+ip_addr: 10.0.2.4
+k3s_mac_addr: 32:47:89:3f:1a:e2
+k3s_hostname: k3s-agent-revali
+k3s_lxc_host: 10.0.3.4
+k3s_vm_host: 10.0.3.104
+k3s_cores: 2
+k3s_memory: 4096
+k3s_disk: 200
+k3s_vmid: 603
+k3s_template_id: 903

inventory/my-cluster/host_vars/revali-pihole

@@ -0,0 +1,8 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.12
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+mac_addr: C2:F5:B2:99:92:51
+vmid: 202
+node: revali

inventory/my-cluster/host_vars/urbosa

@@ -0,0 +1,14 @@
+---
+ansible_user: root
+ansible_host: 10.0.2.5
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+ip_addr: 10.0.2.5
+# k3s_mac_addr: ee:36:d5:79:f8:ff
+# k3s_hostname: k3s-agent-urbosa
+# k3s_lxc_host: 10.0.3.5
+# k3s_vm_host: 10.0.3.105
+# k3s_cores: 3
+# k3s_memory: 2048
+# k3s_disk: 80
+# k3s_vmid: 604
+# k3s_template_id: 904

inventory/my-cluster/host_vars/urbosa-pihole

@@ -0,0 +1,8 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.11
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+mac_addr: 72:2E:3C:F0:2A:B3
+vmid: 201
+node: urbosa

inventory/my-cluster/hosts.ini

@@ -0,0 +1,35 @@
+[master]
+k3s-master-mipha
+k3s-master-epona
+
+[node]
+k3s-agent-revali
+k3s-agent-daruk
+
+[k3s_cluster:children]
+master
+node
+
+[lxc]
+frigate
+
+[lxc:children]
+k3s_cluster
+
+[k3s_hosts]
+mipha
+epona
+revali
+daruk
+
+[baremetal]
+mipha
+epona
+urbosa
+revali
+daruk
+
+[pihole]
+epona-pihole
+revali-pihole
+urbosa-pihole

inventory/sample/group_vars/all.yml

@@ -1,32 +0,0 @@
----
-k3s_version: v1.24.4+k3s1
-# this is the user that has ssh access to these machines
-ansible_user: ansibleuser
-systemd_dir: /etc/systemd/system
-
-# Set your timezone
-system_timezone: "Your/Timezone"
-
-# interface which will be used for flannel
-flannel_iface: "eth0"
-
-# apiserver_endpoint is virtual ip-address which will be configured on each master
-apiserver_endpoint: "192.168.30.222"
-
-# k3s_token is required  masters can talk together securely
-# this token should be alpha numeric only
-k3s_token: "some-SUPER-DEDEUPER-secret-password"
-
-# change these to your liking, the only required one is--disable servicelb
-extra_server_args: "--disable servicelb --disable traefik"
-extra_agent_args: ""
-
-# image tag for kube-vip
-kube_vip_tag_version: "v0.5.0"
-
-# image tag for metal lb
-metal_lb_speaker_tag_version: "v0.13.5"
-metal_lb_controller_tag_version: "v0.13.5"
-
-# metallb ip range for load balancer
-metal_lb_ip_range: "192.168.30.80-192.168.30.90"

inventory/sample/hosts.ini

@@ -1,12 +0,0 @@
-[master]
-192.168.30.38
-192.168.30.39
-192.168.30.40
-
-[node]
-192.168.30.41
-192.168.30.42
-
-[k3s_cluster:children]
-master
-node

playbook-frigate.yml

@@ -0,0 +1,28 @@
+---
+- hosts: localhost
+  become: yes
+  roles:
+    - role: frigate/provision/delete
+    - role: frigate/provision/create
+
+- hosts: epona
+  become: yes
+  roles:
+    - role: frigate/provision/cgroup
+
+- hosts: localhost
+  become: yes
+  roles:
+    - role: frigate/provision/start
+
+- hosts: epona
+  become: yes
+  roles:
+    - role: frigate/provision/enable-ssh
+
+- hosts: frigate
+  become: yes
+  roles:
+    - role: frigate/update
+    - role: frigate/install-docker
+    - role: frigate/install-app

playbook-k3s.yml

@@ -0,0 +1,56 @@
+---
+# - hosts: localhost
+#   gather_facts: no
+#   become: yes
+#   roles:
+#     - role: k3s/provision/delete
+- hosts: localhost
+  gather_facts: no
+  become: yes
+  roles:
+    - role: k3s/provision/create
+- hosts: k3s_hosts
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: k3s/provision/pre
+    - role: k3s/provision/cloud-init
+- hosts: localhost
+  gather_facts: no
+  become: yes
+  roles:
+    - role: k3s/provision/start
+- hosts: k3s_cluster
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: prereq
+    - role: download
+- hosts: master
+  become: yes
+  roles:
+    - role: k3s/master
+
+- hosts: node
+  become: yes
+  roles:
+    - role: k3s/node
+
+- hosts: master
+  become: yes
+  roles:
+    - role: k3s/post
+
+- hosts: master
+  become: yes
+  roles:
+    - role: k3s/copy-config
+- hosts: localhost
+  become: yes
+  roles:
+    - role: longhorn
+    - role: traefik
+    - role: nginx
+    - role: cert-manager
+    - role: authelia
+    - role: redis

reboot.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ansible-playbook reboot.yml -i inventory/my-cluster/hosts.ini

reboot.yml

@@ -0,0 +1,9 @@
+---
+- name: Reboot k3s_cluster
+  hosts: k3s_cluster
+  gather_facts: yes
+  become: yes
+  tasks:
+    - name: Reboot the nodes (and Wait upto 5 mins max)
+      reboot:
+        reboot_timeout: 300

requirements.in

@@ -0,0 +1,10 @@
+ansible-core>=2.13.2
+ansible-lint>=6.6.0
+kubernetes>=12.0.0
+netaddr>=0.8.0
+pyyaml>=3.11
+yamllint>=1.28.0
+jmespath>=1.0.1
+jsonpatch>=1.32
+pre-commit>=2.20.0
+netaddr>=0.8.0

requirements.txt

@@ -0,0 +1,218 @@
+#
+# This file is autogenerated by pip-compile with python 3.8
+# To update, run:
+#
+#    pip-compile requirements.in
+#
+ansible-compat==2.2.4
+    # via
+    #   ansible-lint
+ansible-core==2.13.5
+    # via
+    #   -r requirements.in
+    #   ansible-lint
+ansible-lint==6.8.6
+    # via -r requirements.in
+arrow==1.2.3
+    # via jinja2-time
+attrs==22.1.0
+    # via jsonschema
+binaryornot==0.4.4
+    # via cookiecutter
+black==22.10.0
+    # via ansible-lint
+bracex==2.3.post1
+    # via wcmatch
+cachetools==5.2.0
+    # via google-auth
+certifi==2022.9.24
+    # via
+    #   kubernetes
+    #   requests
+cffi==1.15.1
+    # via cryptography
+cfgv==3.3.1
+    # via pre-commit
+chardet==5.0.0
+    # via binaryornot
+charset-normalizer==2.1.1
+    # via requests
+click==8.1.3
+    # via
+    #   black
+    #   click-help-colors
+    #   cookiecutter
+click-help-colors==0.9.1
+commonmark==0.9.1
+    # via rich
+cookiecutter==2.1.1
+cryptography==38.0.3
+    # via ansible-core
+distlib==0.3.6
+    # via virtualenv
+distro==1.8.0
+    # via selinux
+enrich==1.2.7
+    # via molecule
+filelock==3.8.0
+    # via
+    #   ansible-lint
+    #   virtualenv
+google-auth==2.14.0
+    # via kubernetes
+identify==2.5.8
+    # via pre-commit
+idna==3.4
+    # via requests
+importlib-resources==5.10.0
+    # via jsonschema
+jinja2==3.1.2
+    # via
+    #   ansible-core
+    #   cookiecutter
+    #   jinja2-time
+    #   molecule
+    #   molecule-vagrant
+jinja2-time==0.2.0
+    # via cookiecutter
+jmespath==1.0.1
+    # via -r requirements.in
+jsonpatch==1.32
+    # via -r requirements.in
+jsonpointer==2.3
+    # via jsonpatch
+jsonschema==4.17.0
+    # via
+    #   ansible-compat
+    #   ansible-lint
+    #   molecule
+kubernetes==25.3.0
+    # via -r requirements.in
+markupsafe==2.1.1
+    # via jinja2
+molecule==4.0.3
+    # via
+    #   -r requirements.in
+    #   molecule-vagrant
+molecule-vagrant==1.0.0
+    # via -r requirements.in
+mypy-extensions==0.4.3
+    # via black
+netaddr==0.8.0
+    # via -r requirements.in
+nodeenv==1.7.0
+    # via pre-commit
+oauthlib==3.2.2
+    # via requests-oauthlib
+packaging==21.3
+    # via
+    #   ansible-compat
+    #   ansible-core
+    #   ansible-lint
+    #   molecule
+pathspec==0.10.1
+    # via
+    #   black
+    #   yamllint
+pkgutil-resolve-name==1.3.10
+    # via jsonschema
+platformdirs==2.5.2
+    # via
+    #   black
+    #   virtualenv
+pluggy==1.0.0
+    # via molecule
+pre-commit==2.20.0
+    # via -r requirements.in
+pyasn1==0.4.8
+    # via
+    #   pyasn1-modules
+    #   rsa
+pyasn1-modules==0.2.8
+    # via google-auth
+pycparser==2.21
+    # via cffi
+pygments==2.13.0
+    # via rich
+pyparsing==3.0.9
+    # via packaging
+pyrsistent==0.19.2
+    # via jsonschema
+python-dateutil==2.8.2
+    # via
+    #   arrow
+    #   kubernetes
+python-slugify==6.1.2
+    # via cookiecutter
+python-vagrant==1.0.0
+    # via molecule-vagrant
+pyyaml==6.0
+    # via
+    #   -r requirements.in
+    #   ansible-compat
+    #   ansible-core
+    #   ansible-lint
+    #   cookiecutter
+    #   kubernetes
+    #   molecule
+    #   molecule-vagrant
+    #   pre-commit
+    #   yamllint
+requests==2.28.1
+    # via
+    #   cookiecutter
+    #   kubernetes
+    #   requests-oauthlib
+requests-oauthlib==1.3.1
+    # via kubernetes
+resolvelib==0.8.1
+    # via ansible-core
+rich==12.6.0
+    # via
+    #   ansible-lint
+    #   enrich
+    #   molecule
+rsa==4.9
+    # via google-auth
+ruamel-yaml==0.17.21
+    # via ansible-lint
+ruamel-yaml-clib==0.2.7
+    # via ruamel-yaml
+selinux==0.2.1
+    # via molecule-vagrant
+six==1.16.0
+    # via
+    #   google-auth
+    #   kubernetes
+    #   python-dateutil
+subprocess-tee==0.3.5
+    # via ansible-compat
+text-unidecode==1.3
+    # via python-slugify
+toml==0.10.2
+    # via pre-commit
+tomli==2.0.1
+    # via black
+typing-extensions==4.4.0
+    # via
+    #   black
+    #   rich
+urllib3==1.26.12
+    # via
+    #   kubernetes
+    #   requests
+virtualenv==20.16.6
+    # via pre-commit
+wcmatch==8.4.1
+    # via ansible-lint
+websocket-client==1.4.2
+    # via kubernetes
+yamllint==1.28.0
+    # via
+    #   -r requirements.in
+    #   ansible-lint
+zipp==3.10.0
+    # via importlib-resources
+
+# The following packages are considered to be unsafe in a requirements file:
+# setuptools

reset.yml

@@ -1,7 +1,10 @@
 ---
-
 - hosts: k3s_cluster
   gather_facts: yes
   become: yes
   roles:
     - role: reset
+  post_tasks:
+    - name: Reboot and wait for node to come back up
+      reboot:
+        reboot_timeout: 3600

roles/authelia/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Add traefik helm repo
+  kubernetes.core.helm_repository:
+    name: authelia
+    repo_url: "https://charts.authelia.com"
+
+- name: Update the repository cache
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: dummy
+    namespace: kube-system
+    state: absent
+    update_repo_cache: true
+
+- name: Deploy latest version of Authelia chart inside
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: authelia
+    chart_ref: authelia/authelia
+    values: "{{ lookup('template', 'values.yml') | from_yaml }}"

roles/cert-manager/tasks/main.yml

@@ -0,0 +1,65 @@
+---
+# From repository
+- name: Add traefik helm repo
+  kubernetes.core.helm_repository:
+    name: jetstack
+    repo_url: "https://charts.jetstack.io"
+
+- name: Update the repository cache
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: dummy
+    namespace: kube-system
+    state: absent
+    update_repo_cache: true
+
+- name: Download cert-manager.crds manifest to the cluster.
+  ansible.builtin.get_url:
+    url: https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.crds.yaml
+    dest: /tmp/cert-manager.crds.yaml
+    mode: "0664"
+
+- name: Apply cert-manager.crds manifest to the cluster.
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    src: /tmp/cert-manager.crds.yaml
+
+- name: Deploy latest version of cert-manager chart inside cert-manager namespace (and create it)
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: cert-manager
+    chart_ref: jetstack/cert-manager
+    release_namespace: cert-manager
+    create_namespace: true
+    values: "{{ lookup('template', 'values.yml') | from_yaml }}"
+
+- name: Deploy cert-manager secret - Cloudflare
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'secret-cf-token.yml') | from_yaml }}"
+
+- name: Deploy lets encrypt staging
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'letsencrypt-staging.yml') | from_yaml }}"
+
+- name: Deploy cert-manager staging
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'lino-cooking.staging.yml') | from_yaml }}"
+
+- name: Deploy lets encrypt production
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'letsencrypt-production.yml') | from_yaml }}"
+
+- name: Deploy cert-manager production
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'lino-cooking.prod.yml') | from_yaml }}"

roles/cert-manager/templates/letsencrypt-production.yml

@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: letsencrypt@lino.cooking
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          cloudflare:
+            email: D5&YbHe&oKx82uuTQ^AfW#$*D8GsDE#K3x^446S^wvH#8T@W2C
+            apiTokenSecretRef:
+              name: cloudflare-api-token-secret
+              key: cloudflare-token
+        selector:
+          dnsZones:
+            - "lino.cooking"

roles/cert-manager/templates/letsencrypt-staging.yml

@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: letsencrypt@lino.cooking
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - dns01:
+          cloudflare:
+            email: okulto+cloudflare@gmail.com
+            apiTokenSecretRef:
+              name: cloudflare-api-token-secret
+              key: api-token
+        selector:
+          dnsZones:
+            - "lino.cooking"

roles/cert-manager/templates/lino-cooking.prod.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: lino-cooking
+  namespace: default
+spec:
+  secretName: lino-cooking-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.lino.cooking"
+  dnsNames:
+    - "lino.cooking"
+    - "*.lino.cooking"

roles/cert-manager/templates/lino-cooking.staging.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: lino-cooking
+  namespace: default
+spec:
+  secretName: lino-cooking-staging-tls
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+  commonName: "*.lino.cooking"
+  dnsNames:
+    - "lino.cooking"
+    - "*.lino.cooking"

roles/cert-manager/templates/secret-cf-token.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+type: Opaque
+stringData:
+  cloudflare-token: "{{ cloudflare_api_key }}"

roles/cert-manager/templates/values.yml

@@ -0,0 +1,10 @@
+installCRDs: false
+replicaCount: 3
+extraArgs:
+  - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+  - --dns01-recursive-nameservers-only
+podDnsPolicy: None
+podDnsConfig:
+  nameservers:
+    - "1.1.1.1"
+    - "9.9.9.9"

roles/frigate/install-app/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Create directory for docker-compose
+  ansible.builtin.file:
+    path: /root/docker/frigate/
+    state: directory
+    mode: "0755"
+
+- name: Copy docker-compose file
+  template:
+    src: "docker-compose.yml"
+    dest: /root/docker/frigate/docker-compose.yml
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Run docker-compose
+  ansible.builtin.shell:
+  args:
+    cmd: docker compose up -d
+    chdir: /root/docker/frigate/

roles/frigate/install-app/templates/docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3.9"
+services:
+  frigate:
+    container_name: frigate
+    privileged: true
+    restart: unless-stopped
+    image: blakeblackshear/frigate:stable
+    shm_size: "256mb"
+    devices:
+      - /dev/bus/usb:/dev/bus/usb
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /config/config.yml:/config/config.yml:ro
+      - /db:/db
+      - type: tmpfs
+        target: /tmp/cache
+        tmpfs:
+          size: 1000000000
+    ports:
+      - "5000:5000"

roles/frigate/install-docker/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Get convenience script
+  uri:
+    url: "https://get.docker.com"
+    method: GET
+    dest: /tmp/get-docker.sh
+    mode: a+x
+    creates: /tmp/get-docker.sh
+
+- name: Execute script
+  ansible.builtin.shell: /tmp/get-docker.sh
+
+- name: Ensure group "docker" exists
+  ansible.builtin.group:
+    name: docker
+    state: present
+
+- name: Add root user to docker group
+  ansible.builtin.user:
+    name: root
+    groups: docker
+    append: yes
+
+- name: Enable docker on startup
+  ansible.builtin.shell: |
+    systemctl enable docker.service
+    systemctl enable containerd.service

roles/frigate/provision/cgroup/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: Add cgroup rule
+  ansible.builtin.blockinfile:
+    path: /etc/pve/nodes/epona/lxc/605.conf
+    state: present
+    block: |
+      lxc.cgroup2.devices.allow: c 226:0 rwm
+      lxc.cgroup2.devices.allow: c 226:128 rwm
+      lxc.cgroup2.devices.allow: c 29:0 rwm
+      lxc.cgroup2.devices.allow: c 189:* rwm
+      lxc.cgroup2.devices.allow: a
+      lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file 0, 0
+      lxc.mount.entry: /dev/bus/usb/002 dev/bus/usb/002 none bind,optional,create=dir 0, 0
+      lxc.cap.drop:
+      lxc.mount.auto: cgroup:rw

roles/frigate/provision/create/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: Create container
+  community.general.proxmox:
+    vmid: 605
+    node: epona
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    password: "{{ lxc_password }}"
+    hostname: frigate
+    ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+    netif: "{'net0':'name=eth0,\
+      gw=10.0.0.1,\
+      ip=10.0.2.14/21,\
+      hwaddr=44:ae:9f:cd:b9:2a,\
+      bridge=vmbr0'}"
+    cores: 1
+    memory: 6144
+    unprivileged: no
+    swap: 0
+    searchdomain: "home"
+    onboot: 1
+    mounts: '{"mp0":"/mnt/pve/hyrule-8tb-nfs/frigate/config,mp=/config","mp1":"/mnt/pve/hyrule-8tb-nfs/frigate/media,mp=/media/frigate","mp2":"local-lvm:50,mp=/db"}'
+    features:
+      - nesting=1
+      - keyctl=1
+    disk: local-lvm:50
+    force: yes

roles/frigate/provision/delete/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Stop container
+  community.general.proxmox:
+    vmid: 605
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: stopped
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove containers
+  community.general.proxmox:
+    vmid: 605
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: absent
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+  ansible.builtin.lineinfile:
+    path: /Users/lino.silva/.ssh/known_hosts
+    state: absent
+    regexp: "^10.0.2.14"

roles/frigate/provision/enable-ssh/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n 605 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n 605 service ssh restart

roles/frigate/provision/start/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+  community.general.proxmox:
+    vmid: 605
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: started

roles/frigate/update/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+  become: true
+  ansible.builtin.apt:    
+    update_cache: yes
+    upgrade: full

roles/k3s/copy-config/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Store kube configuration
+  ansible.builtin.fetch:
+    src: ~/.kube/config
+    dest: ~/.kube/config
+    flat: true
+  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']

roles/k3s/dashboard/templates/dashboard.admin-user-role.yml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: admin-user
+    namespace: kubernetes-dashboard

roles/k3s/dashboard/templates/dashboard.admin-user.yml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: kubernetes-dashboard

roles/k3s/master/defaults/main.yml

@@ -2,10 +2,10 @@
 ansible_user: root
 server_init_args: >-
   {% if groups['master'] | length > 1 %}
-    {% if ansible_host == hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0]) %}
+    {% if ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname'] %}
       --cluster-init
     {% else %}
-      --server https://{{ hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0]) }}:6443
+      --server https://{{ hostvars[groups['master'][0]].k3s_node_ip }}:6443
     {% endif %}
     --token {{ k3s_token }}
   {% endif %}

roles/k3s/master/tasks/fetch_k3s_init_logs.yml

@@ -0,0 +1,28 @@
+---
+# Download logs of k3s-init.service from the nodes to localhost.
+# Note that log_destination must be set.
+
+- name: Fetch k3s-init.service logs
+  ansible.builtin.command:
+    cmd: journalctl --all --unit=k3s-init.service
+  changed_when: false
+  register: k3s_init_log
+
+- name: Create {{ log_destination }}
+  delegate_to: localhost
+  run_once: true
+  become: false
+  ansible.builtin.file:
+    path: "{{ log_destination }}"
+    state: directory
+    mode: "0755"
+
+- name: Store logs to {{ log_destination }}
+  delegate_to: localhost
+  become: false
+  ansible.builtin.template:
+    src: content.j2
+    dest: "{{ log_destination }}/k3s-init@{{ ansible_hostname }}.log"
+    mode: 0644
+  vars:
+    content: "{{ k3s_init_log.stdout }}"

roles/k3s/master/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Clean previous runs of k3s-init
   systemd:
     name: k3s-init
@@ -20,7 +19,7 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_host == hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0])
+  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
 
 - name: Copy vip rbac manifest to first master
   template:
@@ -29,7 +28,7 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_host == hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0])
+  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
 
 - name: Copy vip manifest to first master
   template:
@@ -38,7 +37,7 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_host == hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0])
+  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
 
 # these will be copied and installed now, then tested later and apply config
 - name: Copy metallb namespace to first master
@@ -48,7 +47,7 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_host == hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0])
+  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
 
 - name: Copy metallb namespace to first master
   template:
@@ -57,7 +56,7 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_host == hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0])
+  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
 
 - name: Init cluster inside the transient k3s-init service
   command:
@@ -76,10 +75,16 @@
         cmd: k3s kubectl get nodes -l "node-role.kubernetes.io/master=true" -o=jsonpath="{.items[*].metadata.name}"
       register: nodes
       until: nodes.rc == 0 and (nodes.stdout.split() | length) == (groups['master'] | length)
-      retries: "{{ retry_count | default(20) }}"
+      retries: "{{ retry_count | default(40) }}"
-      delay: 10
+      delay: 20
       changed_when: false
   always:
+    - name: Save logs of k3s-init.service
+      include_tasks: fetch_k3s_init_logs.yml
+      when: log_destination
+      vars:
+        log_destination: >-
+          {{ lookup('ansible.builtin.env', 'ANSIBLE_K3S_LOG_DIR', default=True) }}
     - name: Kill the temporary service used for initialization
       systemd:
         name: k3s-init
@@ -146,12 +151,19 @@
     owner: "{{ ansible_user }}"
     mode: "u=rw,g=,o="
 
-- name: Configure kubectl cluster to https://{{ apiserver_endpoint }}:6443
+- name: Configure kubectl cluster to {{ endpoint_url }}
   command: >-
     k3s kubectl config set-cluster default
-      --server=https://{{ apiserver_endpoint }}:6443
+      --server={{ endpoint_url }}
       --kubeconfig ~{{ ansible_user }}/.kube/config
   changed_when: true
+  vars:
+    endpoint_url: >-
+      https://{{ apiserver_endpoint | ansible.utils.ipwrap }}:6443
+  # Deactivated linter rules:
+  #   - jinja[invalid]: As of version 6.6.0, ansible-lint complains that the input to ipwrap
+  #                     would be undefined. This will not be the case during playbook execution.
+  # noqa jinja[invalid]
 
 - name: Create kubectl symlink
   file:

roles/k3s/master/templates/content.j2

@@ -0,0 +1,5 @@
+{#
+    This is a really simple template that just outputs the
+    value of the "content" variable.
+#}
+{{ content }}

roles/k3s/master/templates/metallb.namespace.j2

@@ -4,4 +4,3 @@ metadata:
   name: metallb-system
   labels:
     app: metallb
-    

roles/k3s/master/templates/vip.yaml.j2

@@ -33,7 +33,7 @@ spec:
         - name: vip_interface
           value: {{ flannel_iface }}
         - name: vip_cidr
-          value: "32"
+          value: "{{ apiserver_endpoint | ansible.utils.ipsubnet | ansible.utils.ipaddr('prefix') }}"
         - name: cp_enable
           value: "true"
         - name: cp_namespace

roles/k3s/node/templates/k3s.service.j2

@@ -7,7 +7,7 @@ After=network-online.target
 Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --server https://{{ apiserver_endpoint }}:6443 --token {{ hostvars[groups['master'][0]]['token'] | default(k3s_token) }} {{ extra_agent_args | default("") }}
+ExecStart=/usr/local/bin/k3s agent --server https://{{ apiserver_endpoint | ansible.utils.ipwrap }}:6443 --token {{ hostvars[groups['master'][0]]['token'] | default(k3s_token) }} {{ extra_agent_args | default("") }}
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead

roles/k3s/post/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# Timeout to wait for MetalLB services to come up
+metal_lb_available_timeout: 120s

roles/k3s/post/tasks/main.yml

@@ -3,9 +3,8 @@
   file:
     path: /tmp/k3s
     state: directory
-    owner: root
+    owner: "{{ ansible_user }}"
-    group: root
+    mode: 0755
-    mode: 0644
   with_items: "{{ groups['master'] }}"
   run_once: true
 
@@ -13,9 +12,8 @@
   template:
     src: "metallb.crs.j2"
     dest: "/tmp/k3s/metallb-crs.yaml"
-    owner: root
+    owner: "{{ ansible_user }}"
-    group: root
+    mode: 0755
-    mode: 0644
   with_items: "{{ groups['master'] }}"
   run_once: true
 
@@ -26,52 +24,43 @@
   with_items: "{{ groups['master'] }}"
   run_once: true
 
-- name: Wait for metallb controller to be running
+- name: Wait for MetalLB resources
   command: >-
-    kubectl wait deployment -n metallb-system controller --for condition=Available=True --timeout=60s
+    k3s kubectl wait {{ item.resource }}
+    --namespace='metallb-system'
+    {% if item.name | default(False) -%}{{ item.name }}{%- endif %}
+    {% if item.selector | default(False) -%}--selector='{{ item.selector }}'{%- endif %}
+    {% if item.condition | default(False) -%}{{ item.condition }}{%- endif %}
+    --timeout='{{ metal_lb_available_timeout }}'
   changed_when: false
-  with_items: "{{ groups['master'] }}"
-  run_once: true
-
-- name: Wait for metallb webhook service to be running
-  command: >-
-    kubectl wait -n metallb-system --for=jsonpath='{.status.phase}'=Running pods \
-    --selector component=controller --timeout=60s
-  changed_when: false
-  with_items: "{{ groups['master'] }}"
-  run_once: true
-
-- name: Wait for metallb pods in replicasets
-  command: >-
-    kubectl wait pods -n metallb-system --for condition=Ready \
-    --selector component=controller,app=metallb --timeout=60s
-  changed_when: false
-  with_items: "{{ groups['master'] }}"
-  run_once: true
-
-- name: Wait for the metallb controller readyReplicas
-  command: >-
-    kubectl wait -n metallb-system --for=jsonpath='{.status.readyReplicas}'=1 replicasets \
-      --selector component=controller,app=metallb --timeout=60s
-  changed_when: false
-  with_items: "{{ groups['master'] }}"
-  run_once: true
-
-- name: Wait for the metallb controller fullyLabeledReplicas
-  command: >-
-    kubectl wait -n metallb-system --for=jsonpath='{.status.fullyLabeledReplicas}'=1 replicasets \
-      --selector component=controller,app=metallb --timeout=60s
-  changed_when: false
-  with_items: "{{ groups['master'] }}"
-  run_once: true
-
-- name: Wait for the metallb  controller availableReplicas
-  command: >-
-    kubectl wait -n metallb-system --for=jsonpath='{.status.availableReplicas}'=1 replicasets \
-      --selector component=controller,app=metallb --timeout=60s
-  changed_when: false
-  with_items: "{{ groups['master'] }}"
   run_once: true
+  with_items:
+    - description: controller
+      resource: deployment
+      name: controller
+      condition: --for condition=Available=True
+    - description: webhook service
+      resource: pod
+      selector: component=controller
+      condition: --for=jsonpath='{.status.phase}'=Running
+    - description: pods in replica sets
+      resource: pod
+      selector: component=controller,app=metallb
+      condition: --for condition=Ready
+    - description: ready replicas of controller
+      resource: replicaset
+      selector: component=controller,app=metallb
+      condition: --for=jsonpath='{.status.readyReplicas}'=1
+    - description: fully labeled replicas of controller
+      resource: replicaset
+      selector: component=controller,app=metallb
+      condition: --for=jsonpath='{.status.fullyLabeledReplicas}'=1
+    - description: available replicas of controller
+      resource: replicaset
+      selector: component=controller,app=metallb
+      condition: --for=jsonpath='{.status.availableReplicas}'=1
+  loop_control:
+    label: "{{ item.description }}"
 
 - name: Test metallb-system webhook-service endpoint
   command: >-
@@ -83,25 +72,23 @@
 - name: Apply metallb CRs
   command: >-
     k3s kubectl apply -f /tmp/k3s/metallb-crs.yaml
+    --timeout='{{ metal_lb_available_timeout }}'
+  register: this
   changed_when: false
-  with_items: "{{ groups['master'] }}"
   run_once: true
+  until: this.rc == 0
+  retries: 5
 
-- name: Test metallb-system IPAddressPool
+- name: Test metallb-system resources
   command: >-
-    k3s kubectl -n metallb-system get IPAddressPool
+    k3s kubectl -n metallb-system get {{ item }}
   changed_when: false
-  with_items: "{{ groups['master'] }}"
   run_once: true
+  with_items:
+    - IPAddressPool
+    - L2Advertisement
 
-- name: Test metallb-system L2Advertisement
+- name: Remove tmp directory used for manifests
-  command: >-
-    k3s kubectl -n metallb-system get L2Advertisement
-  changed_when: false
-  with_items: "{{ groups['master'] }}"
-  run_once: true
-
-- name: Remove tmp director used for manifests
   file:
     path: /tmp/k3s
     state: absent

roles/k3s/post/tasks/templates/metallb.crs.j2

@@ -1,14 +0,0 @@
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: first-pool
-  namespace: metallb-system
-spec:
-  addresses:
-  - {{ metal_lb_ip_range }}
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
-  name: default
-  namespace: metallb-system

roles/k3s/post/templates/metallb.crs.j2

@@ -0,0 +1,21 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: first-pool
+  namespace: metallb-system
+spec:
+  addresses:
+{% if metal_lb_ip_range is string %}
+{# metal_lb_ip_range was used in the legacy way: single string instead of a list #}
+{#   => transform to list with single element #}
+{% set metal_lb_ip_range = [metal_lb_ip_range] %}
+{% endif %}
+{% for range in metal_lb_ip_range %}
+  - {{ range }}
+{% endfor %}
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: default
+  namespace: metallb-system

roles/k3s/provision/cgroup/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
+    state: present
+    line: lxc.apparmor.profile{{":"}} unconfined
+
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
+    state: present
+    line: lxc.cap.drop{{":"}}
+
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
+    state: present
+    line: lxc.mount.auto"{{":"}}" "proc{{":"}}rw sys{{":"}}rw"
+
+- name: Add cgroup rule
+  ansible.builtin.lineinfile:
+    path: /etc/pve/nodes/{{ ansible_hostname }}/lxc/{{ hostvars[ansible_hostname]['k3s_vmid'] }}.conf
+    state: present
+    line: lxc.cgroup2.devices.allow{{":"}} c 10{{":"}}200 rwm

roles/k3s/provision/cloud-init/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Configure cloud-init - IP
+  ansible.builtin.command: qm set "{{ k3s_vmid }}" --ipconfig0 ip="{{ k3s_vm_host }}"/21,gw=10.0.0.1
+
+- name: Configure cloud-init - User
+  ansible.builtin.command: qm set "{{ k3s_vmid }}" --ciuser "root"
+
+- name: Configure cloud-init - Password
+  ansible.builtin.command: qm set "{{ k3s_vmid }}" --cipassword "{{ ansible_ssh_pass }}"
+
+- name: Copy SSH Pub key
+  ansible.builtin.copy:
+    src: ~/.ssh/id_rsa.pub
+    dest: /tmp/ansible_controller-key.pub
+    mode: 0600
+
+- name: Configure cloud-init - SSH Key
+  ansible.builtin.command: qm set "{{ k3s_vmid }}" --sshkey /tmp/ansible_controller-key.pub
+
+- name: Configure networking
+  ansible.builtin.command: qm set "{{ k3s_vmid }}" --net0 virtio={{ k3s_mac_addr }},bridge=vmbr0

roles/k3s/provision/create/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+- name: Create containers
+  # community.general.proxmox:
+  #   vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+  #   node: "{{ item }}"
+  #   api_user: root@pam
+  #   api_password: "{{ proxmox_api_password }}"
+  #   api_host: 10.0.2.2
+  #   password: "{{ lxc_password }}"
+  #   hostname: "{{ hostvars[item]['k3s_hostname'] }}"
+  #   ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+  #   netif: "{'net0':'name=eth0,\
+  #     gw=10.0.0.1,\
+  #     ip={{ hostvars[item]['k3s_lxc_host'] }}/21,\
+  #     hwaddr={{ hostvars[item]['k3s_mac_addr'] }},\
+  #     bridge=vmbr0'}"
+  #   cores: "{{ hostvars[item]['k3s_cores'] }}"
+  #   memory: "{{ hostvars[item]['k3s_memory'] }}"
+  #   unprivileged: no
+  #   swap: 0
+  #   searchdomain: "home"
+  #   onboot: 1
+  #   features:
+  #     - nesting=1
+  #   disk: local-lvm:{{ hostvars[item]['k3s_disk'] }}
+  #   force: yes
+  # loop: "{{ groups['k3s_hosts'] }}"
+  proxmox_kvm:
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    name: "{{ hostvars[item]['k3s_hostname'] }}"
+    node: "{{ item }}"
+    newid: "{{ hostvars[item]['k3s_vmid'] }}"
+    clone: debian-10-openstack-amd64
+    vmid: "{{ hostvars[item]['k3s_template_id'] }}"
+    timeout: 900
+  loop: "{{ groups['k3s_hosts'] }}"
+
+- name: Update VMs
+  proxmox_kvm:
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    memory: "{{ hostvars[item]['k3s_memory'] }}"
+    cores: "{{ hostvars[item]['k3s_cores'] }}"
+    vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+    node: "{{ item }}"
+    update: yes
+    agent: yes
+  loop: "{{ groups['k3s_hosts'] }}"

roles/k3s/provision/delete/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+- name: Stop containers
+  # community.general.proxmox:
+  #   vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+  #   api_user: root@pam
+  #   api_password: "{{ proxmox_api_password }}"
+  #   api_host: 10.0.2.2
+  #   state: stopped
+  proxmox_kvm:
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    name: "{{ hostvars[item]['k3s_hostname'] }}"
+    node: "{{ item }}"
+    state: stopped
+    timeout: 240
+  loop: "{{ groups['k3s_hosts'] }}"
+  ignore_errors: true
+
+- name: Remove containers
+  # community.general.proxmox:
+  # vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+  # api_user: root@pam
+  # api_password: "{{ proxmox_api_password }}"
+  # api_host: "{{ hostvars[item]['ip_addr'] }}"
+  # state: absent
+  proxmox_kvm:
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    name: "{{ hostvars[item]['k3s_hostname'] }}"
+    node: "{{ item }}"
+    state: absent
+    timeout: 90
+  loop: "{{ groups['k3s_hosts'] }}"
+  ignore_errors: true
+
+- name: Remove .ssh/known_hosts lines
+  ansible.builtin.lineinfile:
+    path: /Users/lino.silva/.ssh/known_hosts
+    state: absent
+    # regexp: '^{{ hostvars[item]["k3s_lxc_host"] }}'
+    regexp: '^{{ hostvars[item]["k3s_vm_host"] }}'
+  loop: "{{ groups['k3s_hosts'] }}"

roles/k3s/provision/enable-ssh/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n "{{ k3s_vmid }}" -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n "{{ k3s_vmid }}" service ssh restart

roles/k3s/provision/pre/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+# - name: Move storage to local_lvm
+#   ansible.builtin.command: qm disk move "{{ k3s_vmid }}" scsi0 local-lvm
+#   ignore_errors: true
+
+# - name: Resize storage
+#   ansible.builtin.command: qm disk resize "{{ k3s_vmid }}" scsi0 +"{{ k3s_disk }}G"
+
+- name: Allow ipv4 forwarding
+  ansible.builtin.shell: "sysctl net.ipv4.ip_forward=1"
+
+- name: Allow ipv6 forwarding
+  ansible.builtin.shell: "sysctl net.ipv6.conf.all.forwarding=1"
+
+- name: Uncomment ipv4 forward line on /etc/sysctl.conf
+  ansible.builtin.shell: "sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf"
+
+- name: Uncomment ipv6 forward line on /etc/sysctl.conf
+  ansible.builtin.shell: "sed -i 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf"

roles/k3s/provision/start/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Start deployments
+  # community.general.proxmox:
+  #   vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+  #   api_user: root@pam
+  #   api_password: "{{ proxmox_api_password }}"
+  #   api_host: 10.0.2.2
+  #   state: started
+  community.general.cloud.misc.proxmox_kvm:
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    name: "{{ hostvars[item]['k3s_hostname'] }}"
+    node: "{{ item }}"
+    state: started
+  loop: "{{ groups['k3s_hosts'] }}"

roles/longhorn/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Add longhorn helm repo
+  kubernetes.core.helm_repository:
+    name: longhorn
+    repo_url: "https://charts.longhorn.io"
+
+- name: Update the repository cache
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: dummy
+    namespace: kube-system
+    state: absent
+    update_repo_cache: true
+
+- name: Deploy latest version of Longhorn chart inside longhorn-system namespace (and create it)
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: longhorn
+    chart_ref: longhorn/longhorn
+    release_namespace: longhorn-system
+    create_namespace: true
+    chart_version: 1.2.4

roles/nginx/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Deploy nginx - deployment
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'deployment.yml') | from_yaml }}"
+
+- name: Deploy nginx - service
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'service.yml') | from_yaml }}"
+
+- name: Deploy nginx - ingress
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'ingress.yml') | from_yaml }}"

roles/nginx/templates/deployment.yml

@@ -1,13 +1,20 @@
 ---
-apiVersion: apps/v1
 kind: Deployment
+apiVersion: apps/v1
 metadata:
   name: nginx
+  namespace: default
+  labels:
+    app: nginx
 spec:
+  replicas: 3
+  progressDeadlineSeconds: 600
+  revisionHistoryLimit: 2
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: nginx
-  replicas: 3
   template:
     metadata:
       labels:
@@ -15,6 +22,4 @@ spec:
     spec:
       containers:
         - name: nginx
-          image: nginx:alpine
+          image: nginx:latest
-          ports:
-            - containerPort: 80

roles/nginx/templates/ingress.yml

@@ -0,0 +1,26 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx
+  namespace: default
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`www.nginx.lino.cooking`)
+      kind: Rule
+      services:
+        - name: nginx
+          port: 80
+    - match: Host(`nginx.lino.cooking`)
+      kind: Rule
+      services:
+        - name: nginx
+          port: 80
+      middlewares:
+        - name: default-headers
+  tls:
+    secretName: lino-cooking-tls

roles/nginx/templates/service.yml

@@ -3,10 +3,11 @@ apiVersion: v1
 kind: Service
 metadata:
   name: nginx
+  namespace: default
 spec:
   selector:
     app: nginx
   ports:
-    - port: 80
+    - name: http
       targetPort: 80
-  type: LoadBalancer
+      port: 80

roles/pihole/provision/create/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Create Piholes
+  community.general.proxmox:
+    vmid: "{{ hostvars[item]['vmid'] }}"
+    node: "{{ hostvars[item]['node'] }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    password: "{{ lxc_password }}"
+    hostname: "{{ item }}"
+    ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+    netif: "{'net0':'name=eth0,\
+      gw=10.0.0.1,\
+      ip={{ hostvars[item]['ansible_host'] }}/21,\
+      hwaddr={{ hostvars[item]['mac_addr'] }},\
+      bridge=vmbr0'}"
+    cores: 1
+    memory: 2048
+    unprivileged: no
+    swap: 512
+    searchdomain: "home"
+    onboot: 1
+    disk: local-lvm:8
+    force: yes
+  loop: "{{ groups['pihole'] }}"

roles/pihole/provision/delete/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Stop containers
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: stopped
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove containers
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: absent
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+  ansible.builtin.lineinfile:
+    path: /Users/lino.silva/.ssh/known_hosts
+    state: absent
+    regexp: "^{{ ansible_host }}"

roles/pihole/provision/enable-ssh/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n "{{ vmid }}" -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n "{{ vmid }}" service ssh restart

roles/pihole/provision/pre/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Allow ipv4 forwarding
+  ansible.builtin.shell: "sysctl net.ipv4.ip_forward=1"
+
+- name: Allow ipv6 forwarding
+  ansible.builtin.shell: "sysctl net.ipv6.conf.all.forwarding=1"
+
+- name: Uncomment ipv4 forward line on /etc/sysctl.conf
+  ansible.builtin.shell: "sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf"
+
+- name: Uncomment ipv6 forward line on /etc/sysctl.conf
+  ansible.builtin.shell: "sed -i 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf"

roles/pihole/provision/start/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Start deployments
+  community.general.proxmox:
+    vmid: "{{ hostvars[item]['k3s_vmid'] }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: started
+  loop: "{{ groups['baremetal'] }}"

roles/prereq/tasks/main.yml

@@ -1,43 +1,91 @@
 ---
+- name: Run the equivalent of "apt-get update" as a separate step
+  ansible.builtin.apt:
+    update_cache: yes
+
+- name: Upgrade the OS (apt-get dist-upgrade)
+  ansible.builtin.apt:
+    upgrade: full
+
+- name: Install QMEU Guest Agent
+  ansible.builtin.apt:
+    name: qemu-guest-agent
+    update_cache: yes
+    state: present
+
+- name: Install NFS-Common
+  ansible.builtin.apt:
+    name: nfs-common
+    update_cache: yes
+    state: present
+
+- name: Install open-iscsi
+  ansible.builtin.apt:
+    name: open-iscsi
+    update_cache: yes
+    state: present
+
+- name: Install util-linux
+  ansible.builtin.apt:
+    name: util-linux
+    update_cache: yes
+    state: present
+
 - name: Set same timezone on every Server
-  timezone:
+  community.general.system.timezone:
     name: "{{ system_timezone }}"
   when: (system_timezone is defined) and (system_timezone != "Your/Timezone")
 
 - name: Set SELinux to disabled state
-  selinux:
+  ansible.posix.selinux:
     state: disabled
   when: ansible_os_family == "RedHat"
 
 - name: Enable IPv4 forwarding
-  sysctl:
+  ansible.posix.sysctl:
     name: net.ipv4.ip_forward
     value: "1"
     state: present
     reload: yes
 
 - name: Enable IPv6 forwarding
-  sysctl:
+  ansible.posix.sysctl:
     name: net.ipv6.conf.all.forwarding
     value: "1"
     state: present
     reload: yes
 
+- name: Enable IPv6 router advertisements
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.accept_ra
+    value: "2"
+    state: present
+    reload: yes
+
 - name: Add br_netfilter to /etc/modules-load.d/
   copy:
     content: "br_netfilter"
     dest: /etc/modules-load.d/br_netfilter.conf
     mode: "u=rw,g=,o="
-  when: ansible_os_family == "RedHat"
 
 - name: Load br_netfilter
-  modprobe:
+  community.general.system.modprobe:
     name: br_netfilter
     state: present
-  when: ansible_os_family == "RedHat"
+
+- name: Add overlay to /etc/modules-load.d/
+  copy:
+    content: "overlay"
+    dest: /etc/modules-load.d/overlay.conf
+    mode: "u=rw,g=,o="
+
+- name: Load overlay
+  community.general.system.modprobe:
+    name: overlay
+    state: present
 
 - name: Set bridge-nf-call-iptables (just to be sure)
-  sysctl:
+  ansible.posix.sysctl:
     name: "{{ item }}"
     value: "1"
     state: present
@@ -49,10 +97,21 @@
 
 - name: Add /usr/local/bin to sudo secure_path
   lineinfile:
-    line: 'Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'
+    line: "Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
     regexp: "Defaults(\\s)*secure_path(\\s)*="
     state: present
     insertafter: EOF
     path: /etc/sudoers
-    validate: 'visudo -cf %s'
+    validate: "visudo -cf %s"
   when: ansible_os_family == "RedHat"
+
+- name: Copy /etc/rc.local file
+  template:
+    src: "rclocal.j2"
+    dest: "/etc/rc.local"
+    owner: root
+    group: root
+    mode: a+x
+
+- name: Reboot
+  ansible.builtin.reboot:

roles/prereq/templates/rclocal.j2

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+ln -s /dev/console /dev/kmsg
+mount --make-rshared /

roles/raspberrypi/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: Reboot
-  reboot:

roles/raspberrypi/tasks/main.yml

@@ -1,59 +0,0 @@
----
-- name: Test for raspberry pi /proc/cpuinfo
-  command: grep -E "Raspberry Pi|BCM2708|BCM2709|BCM2835|BCM2836" /proc/cpuinfo
-  register: grep_cpuinfo_raspberrypi
-  failed_when: false
-  changed_when: false
-
-- name: Test for raspberry pi /proc/device-tree/model
-  command: grep -E "Raspberry Pi" /proc/device-tree/model
-  register: grep_device_tree_model_raspberrypi
-  failed_when: false
-  changed_when: false
-
-- name: Set raspberry_pi fact to true
-  set_fact:
-    raspberry_pi: true
-  when:
-    grep_cpuinfo_raspberrypi.rc == 0 or grep_device_tree_model_raspberrypi.rc == 0
-
-- name: Set detected_distribution to Raspbian
-  set_fact:
-    detected_distribution: Raspbian
-  when: >
-    raspberry_pi|default(false) and
-    ( ansible_facts.lsb.id|default("") == "Raspbian" or
-      ansible_facts.lsb.description|default("") is match("[Rr]aspbian.*") )
-
-- name: Set detected_distribution to Raspbian (ARM64 on Debian Buster)
-  set_fact:
-    detected_distribution: Raspbian
-  when:
-    - ansible_facts.architecture is search("aarch64")
-    - raspberry_pi|default(false)
-    - ansible_facts.lsb.description|default("") is match("Debian.*buster")
-
-- name: Set detected_distribution_major_version
-  set_fact:
-    detected_distribution_major_version: "{{ ansible_facts.lsb.major_release }}"
-  when:
-    - detected_distribution | default("") == "Raspbian"
-
-- name: Set detected_distribution to Raspbian (ARM64 on Debian Bullseye)
-  set_fact:
-    detected_distribution: Raspbian
-  when:
-    - ansible_facts.architecture is search("aarch64")
-    - raspberry_pi|default(false)
-    - ansible_facts.lsb.description|default("") is match("Debian.*bullseye")
-
-- name: execute OS related tasks on the Raspberry Pi
-  include_tasks: "{{ item }}"
-  with_first_found:
-    - "prereq/{{ detected_distribution }}-{{ detected_distribution_major_version }}.yml"
-    - "prereq/{{ detected_distribution }}.yml"
-    - "prereq/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "prereq/{{ ansible_distribution }}.yml"
-    - "prereq/default.yml"
-  when:
-    - raspberry_pi|default(false)

roles/raspberrypi/tasks/prereq/CentOS.yml

@@ -1,9 +0,0 @@
----
-- name: Enable cgroup via boot commandline if not already enabled for Centos
-  lineinfile:
-    path: /boot/cmdline.txt
-    backrefs: yes
-    regexp: '^((?!.*\bcgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory\b).*)$'
-    line: '\1 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory'
-  notify: reboot
-  when: not ansible_check_mode

roles/raspberrypi/tasks/prereq/Raspbian.yml

@@ -1,27 +0,0 @@
----
-- name: Activating cgroup support
-  lineinfile:
-    path: /boot/cmdline.txt
-    regexp: '^((?!.*\bcgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory\b).*)$'
-    line: '\1 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory'
-    backrefs: true
-  notify: reboot
-
-- name: Install iptables
-  apt: name=iptables state=present
-
-- name: Flush iptables before changing to iptables-legacy
-  iptables:
-    flush: true
-
-- name: Changing to iptables-legacy
-  alternatives:
-    path: /usr/sbin/iptables-legacy
-    name: iptables
-  register: ip4_legacy
-
-- name: Changing to ip6tables-legacy
-  alternatives:
-    path: /usr/sbin/ip6tables-legacy
-    name: ip6tables
-  register: ip6_legacy

roles/raspberrypi/tasks/prereq/Ubuntu.yml

@@ -1,13 +0,0 @@
----
-- name: Enable cgroup via boot commandline if not already enabled for Ubuntu on a Raspberry Pi
-  lineinfile:
-    path: /boot/firmware/cmdline.txt
-    backrefs: yes
-    regexp: '^((?!.*\bcgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory\b).*)$'
-    line: '\1 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory'
-  notify: reboot
-  when: not ansible_check_mode
-
-- name: Install linux-modules-extra-raspi
-  apt: name=linux-modules-extra-raspi state=present
-  when: (raspberry_pi) and (not ansible_check_mode)

roles/redis/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Create redis-server namespace
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: redis-server
+    api_version: v1
+    kind: Namespace
+    state: present
+
+- name: Create PersistentVolumeClaim
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'pvc.yml') | from_yaml }}"
+
+- name: Deploy redis
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'deployment.yml') | from_yaml }}"
+
+- name: Crete redis-server Service
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'service.yml') | from_yaml }}"

roles/redis/templates/deployment.yml

@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis-server
+  namespace: redis-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis-server
+  template:
+    metadata:
+      labels:
+        app: redis-server
+        name: redis-server
+    spec:
+      nodeSelector:
+        node-type: worker
+      containers:
+        - name: redis-server
+          image: redis
+          args: ["--appendonly", "yes"]
+          ports:
+            - name: redis-server
+              containerPort: 6379
+          volumeMounts:
+            - name: lv-storage
+              mountPath: /data
+          env:
+            - name: ALLOW_EMPTY_PASSWORD
+              value: "yes"
+      volumes:
+        - name: lv-storage
+          persistentVolumeClaim:
+            claimName: redis-pvc

roles/redis/templates/pvc.yml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-pvc
+  namespace: redis-server
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi