mirror of
https://github.com/outbackdingo/Biohazard.git
synced 2026-01-27 10:18:27 +00:00
feat(hercules/kairos): working config w/ WG+nodeIP
This commit is contained in:
JJGadgets
@@ -1,4 +1,5 @@
|
||||
#cloud-config
|
||||
# This config is oriented entirely for use with a single node k3s cluster running on my OVH VPS, which will act as my homelab's ingress point, and to host some off-cluster stuff too.
|
||||
hostname: "hercules"
|
||||
users:
|
||||
- name: "jj"
|
||||
@@ -39,7 +40,7 @@ kubevip:
|
||||
k3s:
|
||||
enabled: true
|
||||
replace_args: true
|
||||
args: ["--disable=flannel,traefik,servicelb,local-storage,metrics-server", "--flannel-backend=none", "--disable-network-policy", "--service-cidr 172.24.0.0/16", "--cluster-cidr 172.23.0.0/16", "--disable-cloud-controller", "--disable-kube-proxy", "--write-kubeconfig-mode 0644"]
|
||||
args: ["--disable=flannel,traefik,servicelb,local-storage,metrics-server", "--flannel-backend=none", "--disable-network-policy", "--service-cidr 172.24.0.0/16", "--cluster-cidr 172.23.0.0/16", "--disable-cloud-controller", "--disable-kube-proxy", "--write-kubeconfig-mode 0644", "--node-ip ${SECRET_HERCULES_WG_ADDRESS_V4}"]
|
||||
stages:
|
||||
after-install-chroot: &apt
|
||||
- name: Install extra packages
|
||||
@@ -48,15 +49,30 @@ stages:
|
||||
- apt install -y wireguard-tools
|
||||
after-upgrade-chroot: *apt
|
||||
boot:
|
||||
- name: "1. Load WireGuard kernel module"
|
||||
- name: "Setup sysctls to more aggressively use zram"
|
||||
sysctl:
|
||||
vm.vfs_cache_pressure: "500"
|
||||
vm.swappiness: "180"
|
||||
vm.dirty_background_ratio: "1"
|
||||
vm.dirty_ratio: "50"
|
||||
vm.watermark_scale_factor: "100"
|
||||
vm.page-cluster: "0"
|
||||
- name: "1. Load zram kernel module"
|
||||
modules: ["zram"]
|
||||
- name: "2. Configure zram swap"
|
||||
commands:
|
||||
- zramctl -f -s 2G -a lz4
|
||||
- mkswap /dev/zram0
|
||||
- swapon -d -p 1000 /dev/zram0
|
||||
- name: "3. Load WireGuard kernel module"
|
||||
modules: ["wireguard"]
|
||||
- name: "2. Create WireGuard config folder"
|
||||
- name: "4. Create WireGuard config folder"
|
||||
directories:
|
||||
- path: "/etc/wireguard"
|
||||
permissions: 0700
|
||||
owner: 0
|
||||
group: 0
|
||||
- name: "3. Install WireGuard config"
|
||||
- name: "5. Install WireGuard config"
|
||||
files:
|
||||
- path: "/etc/wireguard/wg0.conf"
|
||||
permissions: 0700
|
||||
@@ -65,7 +81,7 @@ stages:
|
||||
content: |
|
||||
[Interface]
|
||||
PrivateKey = ${SECRET_HERCULES_WG_PRIVKEY}
|
||||
Address = ${SECRET_HERCULES_WG_ADDRESS}
|
||||
Address = ${SECRET_HERCULES_WG_ADDRESS_V4}/32, ${SECRET_HERCULES_WG_ADDRESS_V6}/128
|
||||
DNS = ${SECRET_HERCULES_WG_DNS}
|
||||
ListenPort = ${SECRET_HERCULES_WG_LISTEN}
|
||||
MTU = 1420
|
||||
@@ -74,6 +90,21 @@ stages:
|
||||
PresharedKey = ${SECRET_HERCULES_WG_PEERPSK}
|
||||
AllowedIPs = ${SECRET_HERCULES_WG_ALLOWEDIPS}
|
||||
PersistentKeepalive = 15
|
||||
- name: "4. Enable wg0.conf"
|
||||
- name: "6. Enable wg0.conf"
|
||||
systemctl:
|
||||
enable: ["wg-quick@wg0.service"]
|
||||
enable: ["wg-quick@wg0.service"]
|
||||
start: ["wg-quick@wg0.service"]
|
||||
- name: "Setup $KUBECONFIG"
|
||||
environment:
|
||||
KUBECONFIG: "/etc/rancher/k3s/k3s.yaml"
|
||||
- name: "Setup /etc/hosts"
|
||||
files:
|
||||
- path: "/etc/hosts"
|
||||
permissions: 0644
|
||||
owner: 0
|
||||
group: 0
|
||||
content: |
|
||||
127.0.0.1 localhost hercules
|
||||
${IP_ROUTER_VLAN_K8S_PREFIX}1 biohazard.mesh.cilium.io
|
||||
${IP_ROUTER_VLAN_K8S_PREFIX}2 biohazard.mesh.cilium.io
|
||||
${IP_ROUTER_VLAN_K8S_PREFIX}3 biohazard.mesh.cilium.io
|
||||
|
||||
@@ -1,16 +1,17 @@
|
||||
SECRET_HERCULES_WG_PRIVKEY=ENC[AES256_GCM,data:tbeQdf3Dc4JL81tcCfKbQcXNpKgZrE1tsI0Joh3Uyrk0gpRjYZZYv0vgHBM=,iv:435QcjfiB5lkPZmBZf8w7DRAJD0zjmR6DRW/qdG6o8k=,tag:Y/Trzvavo/deU/C7bWhfxg==,type:str]
|
||||
SECRET_HERCULES_WG_ADDRESS=ENC[AES256_GCM,data:KVoNRos39x0VmcCFDuAY6+im/AR230U3m4NUZQ==,iv:4SUCWr3mgQJWRE2qKZK1iH58oujlQBew+fUxdHiqw0k=,tag:uWOiITmvn7CSJXTrtLH29w==,type:str]
|
||||
SECRET_HERCULES_WG_ADDRESS_V4=ENC[AES256_GCM,data:NA2oiQj7oLTO,iv:OdqpuZFxALVJz15ZgZdi0wavcus6NAxj8W8OkYMV0XM=,tag:GGLZ2YrWDgLXQegCOCEirw==,type:str]
|
||||
SECRET_HERCULES_WG_ADDRESS_V6=ENC[AES256_GCM,data:tCoDsG1bZMc7DQ==,iv:R8xnnDJk361ILT7gPZQM/6uSeqVId3sBTTBJdsgQhh0=,tag:YZ7Cctk/m+IdbJxu6SjjyQ==,type:str]
|
||||
SECRET_HERCULES_WG_DNS=ENC[AES256_GCM,data:nlHkJepNuPE=,iv:VnPm37xUbCVfN/3SCfEhQWoYznqSgJV5+o1Ijnm2+TY=,tag:nLekwxCtBpx8jICQxCxiBQ==,type:str]
|
||||
SECRET_HERCULES_WG_LISTEN=ENC[AES256_GCM,data:4MhwTQI=,iv:bKbdM2cAcymF7Fi6m9IXdYMtKgwQ+r58MHgg4twzlFI=,tag:0Yl6zl0Nsa0ZKJpMKnOCBQ==,type:str]
|
||||
SECRET_HERCULES_WG_PEERKEY=ENC[AES256_GCM,data:JxiAINVZ2M1b8dpmOcatXSv6dQFcGQvI0V6ClbQ8aK8Rj0fb2XZOesYSPQ0=,iv:fy/gGO6shUS0pMoF20SkHngd6fJjhf8a7vSiumPbCqM=,tag:WHTUswewN/UkiA9ojTHRdg==,type:str]
|
||||
SECRET_HERCULES_WG_PEERKEY=ENC[AES256_GCM,data:XVeT6M/qGuirKG77fz3jHJX8Um7wvRyShBAiaYTw3Z8kIAl6OeJ77ObCbLA=,iv:QMqVgiC4CGM7/LzlhilDjk0jC980dw7kZmrHQqUKJpo=,tag:vIAsC06T5RArSv8E4PWdig==,type:str]
|
||||
SECRET_HERCULES_WG_PEERPSK=ENC[AES256_GCM,data:rRSwU47diWgT7xtBJbax/4xKlRjHquz8xWsT87ojdaHPKb/FNLuv016qzJw=,iv:R6+MlqIyqerrEdbT+MM/v1j27mlTDHzEVzcpPLecUOw=,tag:qrI8a/O/rwtrDO0q54oXNw==,type:str]
|
||||
SECRET_HERCULES_WG_ALLOWEDIPS=ENC[AES256_GCM,data:wFN+8JfCd6nAf6YfxU8idRIECQi4GxHtXEns4wB7zpdyazvIILlzrLQDnXBN7BrEls+rMLbDkDeBM8Ca7V+HRlLVKMdDManLrKXHkUl+7+SYs+2AU+3phMopolrvjpcQqYRponlVIoW6Vo1MWTwo7t4vFe8v9CgHH2tj7wkQ0tAsTXg=,iv:a3awW73iMNpFmAh+EmQ8uRRMF5TTcvlrLvzw8U68ky0=,tag:tkuFQ1WQNk/9haRqccYHDg==,type:str]
|
||||
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
|
||||
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdA/k6vL+0d2JWBQ93Su/a6+M7AknpqOD0esx+eZNjJGyMw\njZPZczHcH+0TNY8aH+CuI/Vvb7Afju9jtsMn/J3w+wsaFvAiZ5ByLjAH7/1qr4AA\n0l4BNhy+mOUBqy/h3VJGXNQ/5Re1zknwiicF42EM6DAgVlMiGuCTeZufV//HO5zH\nzdoOpGucoYLwZDYvu6nYSgk13CA2rZUhjdG0a2qFWtoln5LzNPSlMC4hy7aKuu49\n=RJ7w\n-----END PGP MESSAGE-----\n
|
||||
sops_lastmodified=2023-11-25T17:10:54Z
|
||||
sops_mac=ENC[AES256_GCM,data:hT+hexuIV55WkSUOW30WQU1Jg8HRZpQTOWCcBPiQxcEwQ3WLZWgtYusTI62ggUpIrfqS+sT4HSz4k3uZb+p9rCv+DJb8a3xr3lkVRz9jZR1IzKY8GlDbfRu9nhuRbys1ORTFZPXKdDO7e6uUoVOzWtYruyfo+UNjV4D9EbDQb3I=,iv:p6D7keIrqfuhoHJ7bbyGn8htdtMKaJ/9BM12CXf2Ydw=,tag:oZXIwSpM9HTmnMwFwCFAJQ==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRnMxRnBsOElOSVRBY0dv\nK1JmTEM5L2FpT2pDRTVyNUo3M2p0V1lkc2pnCmFFb3hPaGdaaFo5alZRc04zVmFE\ndU1LU1pwclQ3YVVrVktwR0JjNGhucE0KLS0tIENiOHZ2ZndldEdzTE9id0hqRW8y\nbUFiSnhROEkxN0NOSWtub0pSRnU4YTgKhV0qtJe4OmmHAdUKggM1DQafXwsRBK7J\nWjb18TNPnxp0cPQaCit/keeOUzbgsj48twei51z+pLXCFPZjDsmn9Q==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_lastmodified=2023-10-15T11:08:09Z
|
||||
sops_pgp__list_0__map_created_at=2023-10-15T11:00:20Z
|
||||
sops_mac=ENC[AES256_GCM,data:dIqwPIc7KEFMUUvAZGMViHJ9qB/KJo2ILnXXr0hJrGlQMWVrW4I1bdJIriCFPgDRe+9GculyDxHqvByceBh+rnlsDwi+cUrZfmPf6pgsiIHVabNZzB5Ai69z5FMVxA/n3xjdU1t1Z95MmqOUI0bytBG24Ww5YBNaxinZrCHUVFU=,iv:4V7GSvnjWocjHaBonGJuJJ9qGKseA4/fawvuELtxe4Q=,tag:mHR9Yom7zb6++7V3nK6Urw==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.7.3
|
||||
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdA/k6vL+0d2JWBQ93Su/a6+M7AknpqOD0esx+eZNjJGyMw\njZPZczHcH+0TNY8aH+CuI/Vvb7Afju9jtsMn/J3w+wsaFvAiZ5ByLjAH7/1qr4AA\n0l4BNhy+mOUBqy/h3VJGXNQ/5Re1zknwiicF42EM6DAgVlMiGuCTeZufV//HO5zH\nzdoOpGucoYLwZDYvu6nYSgk13CA2rZUhjdG0a2qFWtoln5LzNPSlMC4hy7aKuu49\n=RJ7w\n-----END PGP MESSAGE-----\n
|
||||
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
|
||||
sops_pgp__list_0__map_created_at=2023-10-15T11:00:20Z
|
||||
|
||||
Reference in New Issue
Block a user