Fist commit

Signed-off-by: Nikolai Rodionov <allanger@badhouseplants.net>
2025-10-26 21:54:20 +01:00
commit ddfed61d8e
12 changed files with 1349 additions and 0 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,20 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0 # Use the ref you want to point at
    hooks:
      - id: trailing-whitespace
  - repo: https://github.com/google/yamlfmt
    rev: v0.13.0
    hooks:
      - id: yamlfmt
  - repo: https://github.com/codespell-project/codespell
    rev: v2.2.4
    hooks:
      - id: codespell
  - repo: local
    hooks:
      - id: ansible-lint
        name: Run the ansible linter
        entry: make lint
        language: system
        pass_filenames: false
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
 creation_rules:
  - path_regex: .*
    key_groups:
      - age:
          - age1lzythn62c4yug8w2wskckpgyjyja6rreyvgmwl9hj4mjvm0tvq6sl68d4z
--- a/17
+++ b/17
@@ -0,0 +1,17 @@
 Permission is hereby granted, without written agreement and without
 license or royalty fees, to use, copy, modify, and distribute this
 software and its documentation for any purpose, provided that the
 above copyright notice and the following two paragraphs appear in
 all copies of this software.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
 DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
 ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
 IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGE.
 THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
 BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
 ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
 PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
--- a/12
+++ b/12
@@ -0,0 +1,12 @@
 install:
 	poetry install --no-root
 	poetry run ansible-galaxy install -r ./requirements.yml --force
 lint:
 	 poetry run ansible-lint playbook.yml
 check:
 		poetry run ansible-playbook playbook.yml --check
 run:
 	./scripts/run.sh
--- a/README.md
+++ b/README.md
@@ -0,0 +1,32 @@
 # Hetzner Ansilbe Playbook
 Repo for managing the Hetzner infrastructure
 ## Dev
 This project is using poetry for managing ansible and dependencies.
 ```shell
 $ make install
 $ make lint
 $ make install
 ```
 ## Removing stuff
 Since the state of the config is the ansible code itself, you can't just remove something from the code and expect that it's going to be removed from Hetzner.
 Each entity has a variable `state`, to remove anything, you need to set state to `absent` and run the playbook. And only after that you can remove it from the code.
 Also, please, create a git commit, where on object with the `absent` state is tracked.
 ## Outputs
 After running the role you'll see three variables being logged in the last step:
 - Server public IP -> It should be used for `ssh` connection to the server
 - Load balancer public IP -> It should be used by k8s as the load balancer IP
 - Volume device name -> It's the name of device that should be mounted to Longhorn
 ## Notes
 ### Resize the volume
 Don't forget to resize the filesystem, it should be done manually
 - https://docs.hetzner.com/cloud/volumes/faq/
--- a/oslo.yaml
+++ b/oslo.yaml
@@ -0,0 +1,32 @@
 k3s_cluster:
  children:
    server:
      hosts:
        37.27.11.18:
          ansible_user: overlord
  vars:
    ansible_port: 22
    k3s_version: v1.34.1+k3s1
    api_endpoint: "37.27.11.18"
    token: "${TOKEN}"
    extra_server_args: |-
        --write-kubeconfig-mode=644 \
        --tls-san="37.27.202.157" \
        --kubelet-arg "allowed-unsafe-sysctls=net.ipv4.ip_forward" \
        --disable-cloud-controller \
        --disable-helm-controller \
        --disable metrics-server \
        --disable local-storage \
        --disable traefik \
        --flannel-iface eth1 \
        --flannel-backend none \
        --disable coredns \
        --disable servicelb \
        --cluster-cidr=192.168.0.0/16 \
        --disable-network-policy \
        --cluster-init
    extra_agent_args: |-
        --kubelet-arg "allowed-unsafe-sysctls=net.ipv4.ip_forward" \
        --flannel-iface eth1
    extra_service_envs:
      - 'NO_PROXY=10.0.0.0/16,192.168.0.0/16'
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,19 @@
 [project]
 name = "k3s-ansible-playbooks"
 version = "0.1.0"
 description = "Bootstrap k3s cluster"
 authors = [
    {name = "Nikolai Rodionov",email = "allanger@badhouseplants.net"}
 ]
 readme = "README.md"
 requires-python = ">=3.13"
 dependencies = [
    "hcloud (>=2.5.4,<3.0.0)",
    "ansible (>=12.0.0,<12.1.0)",
    "ansible-lint (>=25.8.2,<26.0.0)",
 ]
 [build-system]
 requires = ["poetry-core>=2.0.0,<3.0.0"]
 build-backend = "poetry.core.masonry.api"
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,3 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
 }
--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,4 @@
 collections:
  - name: https://github.com/k3s-io/k3s-ansible.git
    type: git
    version: main
--- a/scripts/run.sh
+++ b/scripts/run.sh
@@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 export TOKEN=$(sops -d "tokens/${INVENTORY}.yaml" | yq .TOKEN)
 INVENTORY_FILE=$(mktemp --dry-run).yaml
 envsubst < "${INVENTORY}.yaml" > "${INVENTORY_FILE}"
 unset TOKEN
 ansible-playbook k3s.orchestration.site -i "${INVENTORY_FILE}"
 rm $INVENTORY_FILE
--- a/tokens/oslo.yaml
+++ b/tokens/oslo.yaml
@@ -0,0 +1,16 @@
 TOKEN: ENC[AES256_GCM,data:j5fTSYZyWv2MRjfs5TMpppzwVwKLIvLHMcmkcwuox0dzjRTic30cW761ZLGF9s94Y7JJqD5w9g3AT7fTKOREww==,iv:Gg+csfvz2fdfRsR3XaqtD3RcqcNJbqIeKS/z4WlubYA=,tag:RqC6U7u0Ap22iWduo4kwbA==,type:str]
 sops:
    age:
        - recipient: age1lzythn62c4yug8w2wskckpgyjyja6rreyvgmwl9hj4mjvm0tvq6sl68d4z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySGl4YWFjNURaVjRRUDRM
            VkQ4eVVoWFpGZkNMdkprelIwOU5NTnVZUWlBCnhRWWtsM2NNbFNNMFJXUjl3REVY
            bXJLd1FtdkQyLzlpa2RXMURuU2htYUUKLS0tIDlJbzZtTDhrWlJmL0dlYTE5MERi
            Q085VitrTy8rTCs4NWtMc1JOOUFyRDAKs/Rt6U5EaEA8iZ5fXJ9baVLojRv9rNwu
            LpWE+t7LdzV5L0fmXn4MW101K/7OV/Qxh2qm+naVtjEcqPTeQ1QOHQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-10-26T20:34:00Z"
    mac: ENC[AES256_GCM,data:f8/nrKTHlQll5TdcZ85C5o4EipAYYEga7yhhaw4t3kX1d0KB+QOwkdjv3rYppbQipOjB9S4fQbJ+bezmU6DN4dF7FRk4slHRZex+d0gdTSP0PqglvcYjNHge7xYvh8CCpwPRhtUnDBSL/QwLxNfQ44X6WoCGx7WQ4QifDtyFtt8=,iv:lahPMNjz5551RnMPiRB2cAZoWeGEMZEH8qGc725rDJ8=,tag:JNUYcJGIu9Q8NHjsK2tc3w==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0