refactor: errything, I touched errything

This commit is contained in:
Toboshii Nakama
2022-07-17 03:18:22 -05:00
parent f2ee6e3825
commit dc2d42b358
314 changed files with 3373 additions and 1990 deletions

3
.gitattributes vendored

@@ -1,2 +1 @@
secret.enc.yaml diff=sopsdiffer
cluster-secrets.yaml diff=sopsdiffer
*.sops.* diff=sopsdiffer

2
.github/CODEOWNERS vendored

@@ -1,2 +1,2 @@
# https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
* @onedr0p
* @toboshii


@@ -1,5 +1,6 @@
---
blank_issues_enabled: false
contact_links:
- name: Discuss on Discord
url: https://discord.com/invite/sTMX7Vh
about: Join our Discord community
- name: Discuss on Discord
url: https://discord.gg/k8s-at-home
about: Join our Discord community

11
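--- a/.github/labeler.yaml
+++ b/.github/labeler.yaml
@@ -0,0 +1,11 @@
+---
+area/ansible:
+- "ansible/**/*"
+area/github:
+- ".github/**/*"
+area/cluster:
+- "cluster/**/*"
+area/hack:
+- "hack/**/*"
+area/terraform:
+- "terraform/**/*"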

80
.github/labels.yaml vendored Normal file

@@ -0,0 +1,80 @@
---
# Area
- name: area/ansible
color: "72ccf3"
description: >-
Changes made in the ansible directory
- name: area/github
color: "72ccf3"
description: >-
Changes made in the github directory
- name: area/cluster
color: "72ccf3"
description: >-
Changes made in the cluster directory
- name: area/hack
color: "72ccf3"
description: >-
Changes made in the hack directory
- name: area/terraform
color: "72ccf3"
description: >-
Changes made in the terraform directory
# Renovate
- name: renovate/ansible
color: "ffc300"
- name: renovate/container
color: "ffc300"
- name: renovate/github-action
color: "ffc300"
- name: renovate/github-release
color: "ffc300"
- name: renovate/helm
color: "ffc300"
- name: renovate/terraform
color: "ffc300"
# Semantic Type
- name: type/patch
color: "FFEC19"
- name: type/minor
color: "FF9800"
- name: type/major
color: "F6412D"
# Size
- name: size/XS
color: "009900"
description: >-
Denotes a PR that changes 0-9 lines, ignoring generated files.
- name: size/S
color: "77bb00"
description: >-
Denotes a PR that changes 10-29 lines, ignoring generated files.
- name: size/M
color: "eebb00"
description: >-
Denotes a PR that changes 30-99 lines, ignoring generated files.
- name: size/L
color: "ee9900"
description: >-
Denotes a PR that changes 100-499 lines, ignoring generated files.
- name: size/XL
color: "ee5500"
description: >-
Denotes a PR that changes 500-999 lines, ignoring generated files.
- name: size/XXL
color: "ee0000"
description: >-
Denotes a PR that changes 1000+ lines, ignoring generated files.
# Uncategorized
- name: bug
color: "ee0701"
- name: do-not-merge
color: "ee0701"
- name: docs
color: "F4D1B7"
- name: enhancement
color: "84b6eb"
- name: link-checker
color: "7B55D7"
- name: question
color: "cc317c"

3
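--- a/.github/linters/.ansible-lint
+++ b/.github/linters/.ansible-lint
@@ -0,0 +1,3 @@
+# .ansible-lint
+warn_list:
+- unnamed-task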

23
.github/linters/.markdownlint.yaml vendored Normal file

@@ -0,0 +1,23 @@
---
default: true
# MD013/line-length - Line length
MD013:
# Number of characters
line_length: 240
# Number of characters for headings
heading_line_length: 80
# Number of characters for code blocks
code_block_line_length: 80
# Include code blocks
code_blocks: true
# Include tables
tables: true
# Include headings
headings: true
# Include headings
headers: true
# Strict length checking
strict: false
# Stern length checking
stern: false
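Review bot: `headers: true` directly after `headings: true` sets the same MD013 option under its older alias, and both lines carry the identical comment `# Include headings`, so one of them is redundant. Keep `headings: true` and drop the `headers` line, or, if the pinned markdownlint version still needs the alias, change its comment to `# Include headings (legacy alias of "headings")` so the duplication reads as deliberate.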

7
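--- a/.github/linters/.prettierignore
+++ b/.github/linters/.prettierignore
@@ -0,0 +1,7 @@
+charts/
+docs/
+.private/
+.terraform/
+.vscode/
+*.sops.*
+talos/cni/install.yaml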

7
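--- a/.github/linters/.prettierrc.yaml
+++ b/.github/linters/.prettierrc.yaml
@@ -0,0 +1,7 @@
+---
+trailingComma: "es5"
+tabWidth: 2
+semi: false
+singleQuote: false
+bracketSpacing: false
+useTabs: false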


@@ -1,10 +1,16 @@
---
ignore: |
.github/
crds.yaml
charts/
docs/
.private/
.terraform/
.vscode/
*.sops.*
talos/cni/install.yaml
extends: default
rules:
truthy:
allowed-values: ['true', 'false', 'on', 'yes']
allowed-values: ["true", "false", "on"]
comments:
min-spaces-from-content: 1
line-length: disable

259
.github/renovate.json5 vendored

@@ -1,210 +1,95 @@
{
"enabled": true,
"timezone": "America/Chicago",
"semanticCommits": "enabled",
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dashboard",
"commitBody": "Signed-off-by: Toboshii Nakama <toboshii@users.noreply.github.com>",
// do not notify on closed unmerged PRs
"extends": [
"config:base",
"docker:enableMajor",
":disableRateLimiting",
":dependencyDashboard",
":semanticCommits",
":enablePreCommit",
":automergeDigest",
":automergeBranchPush",
"github>toboshii/home-ops//.github/renovate/allowedVersions.json5",
"github>toboshii/home-ops//.github/renovate/autoMerge.json5",
"github>toboshii/home-ops//.github/renovate/commitMessage.json5",
"github>toboshii/home-ops//.github/renovate/groups.json5",
"github>toboshii/home-ops//.github/renovate/labels.json5",
"github>toboshii/home-ops//.github/renovate/semanticCommits.json5"
],
"platform": "github",
"username": "chii-bot[bot]",
"repositories": ["toboshii/home-ops"],
"onboarding": false,
"requireConfig": false,
"gitAuthor": "chii-bot <109454249+chii-bot[bot]@users.noreply.github.com>",
"dependencyDashboardTitle": "Renovate Dashboard 🤖",
"suppressNotifications": ["prIgnoreNotification"],
// only rebase PRs when there's a conflict
"rebaseWhen": "conflicted",
"commitBodyTable": true,
"ignoreDeps": [
"ghcr.io/fluxcd/helm-controller",
"ghcr.io/fluxcd/image-automation-controller",
"ghcr.io/fluxcd/image-reflector-controller",
"ghcr.io/fluxcd/kustomize-controller",
"ghcr.io/fluxcd/notification-controller",
"ghcr.io/fluxcd/source-controller"
],
"docker-compose": {
"fileMatch": ["ansible/.+/docker-compose.*\\.ya?ml(\\.j2)?$"]
},
"flux": {
"fileMatch": ["cluster/.+\\.ya?ml$"]
},
"helm-values": {
"fileMatch": [
"cluster/.+/helm-release\\.yaml$",
],
"fileMatch": ["cluster/.+\\.ya?ml$"]
},
"kubernetes": {
"fileMatch": [
"cluster/.+\\.yaml$",
],
"ignorePaths": [
"cluster/base/",
],
"fileMatch": ["cluster/.+\\.ya?ml$"]
},
"regexManagers": [
// regexManager to read and process HelmRelease files
{
"description": "Process CRD dependencies",
"fileMatch": ["cluster/crds/.+\\.ya?ml$"],
"matchStrings": [
// GitRepository where 'Git release/tag' matches 'Helm' version
"registryUrl=(?<registryUrl>\\S+) chart=(?<depName>\\S+)\n.*?(?<currentValue>[^-\\s]*)\n",
// Kustomization where 'GitHub release artifact URL' matches 'Docker image' version
"datasource=(?<datasource>\\S+) image=(?<depName>\\S+)\n.*?-\\s(.*?)\/(?<currentValue>[^/]+)\/[^/]+\n"
],
"datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}helm{{/if}}"
},
{
"description": "Process various dependencies",
"fileMatch": [
"cluster/.+\\.yaml$"
"ansible/.+\\.ya?ml$",
"cluster/.+\\.ya?ml$"
],
"matchStrings": [
// helm releases
"registryUrl=(?<registryUrl>.*?)\n *chart: (?<depName>.*?)\n *version: (?<currentValue>.*)\n",
"datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( versioning=(?<versioning>\\S+))?\n.*?\"(?<currentValue>.*)\"\n"
],
"datasourceTemplate": "helm"
"datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
},
// regexManager to read and process cert-manager CRD's
{
"fileMatch": [
"cluster/crds/cert-manager/.+\\.yaml$"
],
"description": "Process raw GitHub URLs",
"fileMatch": ["cluster/.+\\.ya?ml$"],
"matchStrings": [
"registryUrl=(?<registryUrl>.*?) chart=(?<depName>.*?)\n.*\\/(?<currentValue>.*?)\\/",
"https:\\/\\/raw.githubusercontent.com\\/(?<depName>[\\w\\d\\-_]+\\/[\\w\\d\\-_]+)\\/(?<currentValue>[\\w\\d\\.\\-_]+)\\/.*"
],
"datasourceTemplate": "helm"
},
// regexManager to read and process kube-prometheus-stack CRD's
{
"fileMatch": [
"cluster/crds/kube-prometheus-stack/.+\\.yaml$"
],
"matchStrings": [
"registryUrl=(?<registryUrl>.*?)\n *tag: (?<depName>[a-zA-Z-]+)-(?<currentValue>.*)\n",
],
"datasourceTemplate": "helm"
},
// regexManager to read and process Traefik CRD's
{
"fileMatch": [
"cluster/crds/traefik/.+\\.yaml$"
],
"matchStrings": [
"registryUrl=(?<registryUrl>.*?) chart=(?<depName>.*?)\n *tag: v(?<currentValue>.*)\n",
],
"datasourceTemplate": "helm"
},
// regexManager to read and process Rook-Ceph CRD's
{
"fileMatch": [
"cluster/crds/rook-ceph/.+\\.yaml$"
],
"matchStrings": [
"registryUrl=(?<registryUrl>.*?) chart=(?<depName>.*?)\n *tag: (?<currentValue>.*)\n",
],
"datasourceTemplate": "helm"
},
"datasourceTemplate": "github-releases",
"versioningTemplate": "semver"
}
],
"packageRules": [
// Setup datasources
{
"matchDatasources": ["helm"],
"semanticCommitScope": "charts",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{{newValue}}}",
"separateMinorPatch": true,
"ignoreDeprecated": true,
},
{
"matchDatasources": ["docker"],
"enabled": true,
"matchUpdateTypes": ["major", "minor", "patch"],
},
{
"matchDatasources": ["docker"],
"semanticCommitScope": "images",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{{newValue}}}",
"separateMinorPatch": true,
},
// Add labels according to package and update types
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(images)!: ",
"labels": ["renovate/image", "dep/major"],
},
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"labels": ["renovate/image", "dep/minor"],
},
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"labels": ["renovate/image", "dep/patch"],
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(charts)!: ",
"labels": ["renovate/helm", "dep/major"],
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"labels": ["renovate/helm", "dep/minor"],
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"labels": ["renovate/helm", "dep/patch"],
},
// custom version schemes
{
"matchDatasources": ["docker"],
"versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-(?<compatibility>.*)$",
"matchPackageNames": ["blakeblackshear/frigate"],
},
{
"matchDatasources": ["docker"],
"versioning": "regex:^RELEASE\\.(?<major>\\d+)-(?<minor>\\d+)-(?<patch>\\d+)T.*Z(-(?<compatibility>.*))?$",
"matchPackageNames": ["minio/minio"],
},
// pin package versions
{
"matchDatasources": ["docker"],
"allowedVersions": "<13",
"matchPackageNames": [
"postgres",
"prodrigestivill/postgres-backup-local",
],
},
{
"matchDatasources": ["docker"],
"allowedVersions": "<2",
"matchPackageNames": [
"influxdb",
]
},
// {
// "matchDatasources": ["helm"],
// "allowedVersions": "<15",
// "matchPackageNames": ["kube-prometheus-stack"]
// },
// version strategies
{
"matchDatasources": ["docker"],
"description": "Use loose versioning for certain dependencies",
"matchDatasources": ["docker", "github-releases"],
"versioning": "loose",
"matchPackageNames": [
"ghcr.io/k8s-at-home/plex",
"ghcr.io/k8s-at-home/qbittorrent",
],
},
// enable auto-merge
{
"matchDatasources": ["docker"],
"automerge": true,
"automergeType": "branch",
"requiredStatusChecks": null,
"matchUpdateTypes": ["minor", "patch"],
"matchPackageNames": [
"ghcr.io/k8s-at-home/jackett",
"ghcr.io/k8s-at-home/prowlarr",
],
},
{
"matchDatasources": ["helm", "docker"],
"matchPackagePatterns": ["^rook.ceph"],
"groupName": "rook-ceph-suite",
"additionalBranchPrefix": "",
},
{
"matchDatasources": ["docker"],
"allowedVersions": "16.2.5",
"matchPackageNames": ["ceph/ceph"],
},
{
"matchPackageNames": [
"rancher/system-upgrade-controller"
],
"groupName": "rancher/system-upgrade-controller",
"additionalBranchPrefix": "",
"separateMinorPatch": true,
},
],
"ghcr.io/onedr0p/emby",
"ghcr.io/onedr0p/plex",
"ghcr.io/onedr0p/qbittorrent",
"Hypfer/Valetudo"
]
}
]
}
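Review bot: `:automergeDigest` together with `:automergeBranchPush` in `extends` enables branch-push automerge for digest updates of every dependency, not only the `ghcr.io` images that the `autoMerge.json5` preset lists, so a re-pointed upstream tag can reach the default branch with no PR, subject only to whatever status checks that branch enforces (not visible here). If that breadth is intended, add a comment beside those two presets saying so; otherwise drop `:automergeDigest` and let the explicit package rules decide what lands unreviewed. Separately, if `commitBody` (the `Signed-off-by: Toboshii Nakama …` line) and `gitAuthor` (`chii-bot …`) both survive on the new side, every bot commit is authored by the app but signed off by a person, which misstates provenance; a sign-off should name whoever actually produced the change. Which of the two `dependencyDashboardTitle` lines is old and which is new cannot be told from this rendering; make sure only one remains.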


@@ -0,0 +1,9 @@
{
"packageRules": [
{
"matchDatasources": ["docker"],
"matchPackageNames": ["docker.io/kopia/kopia"],
"allowedVersions": "<10"
}
]
}

40
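--- a/.github/renovate/autoMerge.json5
+++ b/.github/renovate/autoMerge.json5
@@ -0,0 +1,40 @@
+{
+"packageRules": [
+{
+"description": "Auto merge container digests",
+"matchDatasources": ["docker"],
+"automerge": true,
+"automergeType": "branch",
+"requiredStatusChecks": null,
+"matchUpdateTypes": ["digest"],
+"matchPackagePattern": ["ghcr.io/k8s-at-home","ghcr.io/onedr0p"]
+},
+{
+"description": "Auto merge containers",
+"matchDatasources": ["docker"],
+"automerge": true,
+"automergeType": "branch",
+"requiredStatusChecks": null,
+"matchUpdateTypes": ["minor", "patch"],
+"matchPackageNames": ["ghcr.io/onedr0p/prowlarr-nightly"]
+},
+{
+"description": "Auto merge GitHub Actions",
+"matchDatasources": ["github-tags"],
+"automerge": true,
+"automergeType": "branch",
+"requiredStatusChecks": null,
+"matchUpdateTypes": ["minor", "patch"],
+"matchPackageNames": ["lycheeverse/lychee-action", "renovatebot/github-action"]
+},
+{
+"description": "Auto merge Helm charts",
+"matchDatasources": ["helm"],
+"automerge": true,
+"automergeType": "branch",
+"requiredStatusChecks": null,
+"matchUpdateTypes": ["minor", "patch"],
+"matchPackageNames": ["minio"]
+}
+]
+}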
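Review bot: `"matchPackagePattern"` in the first rule (`Auto merge container digests`) is not the Renovate option name; the rest of this commit uses the plural `matchPackagePatterns`, so depending on how the unknown key is treated the rule either fails validation or loses its package filter and automerges digest bumps for every container image. Change it to `"matchPackagePatterns": ["ghcr.io/k8s-at-home", "ghcr.io/onedr0p"]`. With `automergeType: branch` and `requiredStatusChecks: null` on all four rules nothing else gates the push to the default branch, so the package filter is the only control on what lands unreviewed; a one-line comment above `packageRules` stating that trade-off would help the next maintainer.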

15
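--- a/.github/renovate/commitMessage.json5
+++ b/.github/renovate/commitMessage.json5
@@ -0,0 +1,15 @@
+{
+"commitMessageTopic": "{{depName}}",
+"commitMessageExtra": "to {{newVersion}}",
+"commitMessageSuffix": "",
+"packageRules": [
+{
+"matchDatasources": ["helm"],
+"commitMessageTopic": "chart {{depName}}"
+},
+{
+"matchDatasources": ["docker"],
+"commitMessageTopic": "image {{depName}}"
+}
+]
+}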

54
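--- a/.github/renovate/groups.json5
+++ b/.github/renovate/groups.json5
@@ -0,0 +1,54 @@
+{
+"packageRules": [
+{
+"description": "Cert-Manager image (for CRDs) and chart",
+"groupName": "Cert-Manager",
+"matchPackagePatterns": ["cert-manager"],
+"matchDatasources": ["docker", "helm"],
+"group": { "commitMessageTopic": "{{{groupName}}} group" },
+"separateMinorPatch": true
+},
+{
+"description": "External Snapshotter kustomization (for CRDs) and chart",
+"groupName": "External Snapshotter",
+"matchPackagePatterns": ["external-snapshotter", "snapshot-controller"],
+"matchDatasources": ["docker", "github-tags"],
+"group": { "commitMessageTopic": "{{{groupName}}} group" },
+"separateMinorPatch": true
+},
+{
+"description": "Node Feature Discovery kustomization (for CRDs) and chart",
+"groupName": "Node Feature Discovery",
+"matchPackagePatterns": ["node-feature-discovery"],
+"matchDatasources": ["helm", "github-tags"],
+"group": { "commitMessageTopic": "{{{groupName}}} group" },
+"separateMinorPatch": true
+},
+{
+"description": "Rook-Ceph image and chart",
+"groupName": "Rook-Ceph",
+"matchPackagePatterns": ["rook.ceph"],
+"matchDatasources": ["docker", "helm"],
+"group": { "commitMessageTopic": "{{{groupName}}} group" },
+"separateMinorPatch": true
+},
+{
+"description": "Thanos image and chart - mismatched versions",
+"groupName": "Thanos",
+"matchPackagePatterns": ["thanos"],
+"matchDatasources": ["docker", "github-releases", "helm"],
+"matchUpdateTypes": ["minor", "patch"],
+"group": { "commitMessageTopic": "{{{groupName}}} group" },
+"separateMinorPatch": false
+},
+{
+"description": "Vector image and chart - mismatched versions",
+"groupName": "Vector",
+"matchPackagePatterns": ["vector"],
+"matchDatasources": ["docker", "github-releases", "helm"],
+"matchUpdateTypes": ["minor", "patch"],
+"group": { "commitMessageTopic": "{{{groupName}}} group" },
+"separateMinorPatch": false
+}
+]
+}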
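Review bot: `matchPackagePatterns` values are regular expressions tested unanchored against the package name, so `"vector"` and `"thanos"` in the last two rules, and `"cert-manager"` in the first, match any dependency whose name merely contains that substring. Anything that happens to match silently joins the group and inherits its `matchUpdateTypes`/`separateMinorPatch` behaviour, which for the Thanos and Vector rules means grouped minor and patch bumps. Anchoring the patterns, for example `"/vector$"` or `"^vector$"` alongside the chart name actually in use, keeps each group to the intended image and chart; whether any other dependency in this repository currently collides cannot be checked from this page.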

44
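--- a/.github/renovate/labels.json5
+++ b/.github/renovate/labels.json5
@@ -0,0 +1,44 @@
+{
+"packageRules": [
+{
+"matchUpdateTypes": ["major"],
+"labels": ["type/major"]
+},
+{
+"matchUpdateTypes": ["minor"],
+"labels": ["type/minor"]
+},
+{
+"matchUpdateTypes": ["patch"],
+"labels": ["type/patch"]
+},
+{
+"matchDatasources": ["docker"],
+"addLabels": ["renovate/container"]
+},
+{
+"matchDatasources": ["helm"],
+"addLabels": ["renovate/helm"]
+},
+{
+"matchDatasources": ["galaxy", "galaxy-collection"],
+"addLabels": ["renovate/ansible"]
+},
+{
+"matchDatasources": ["terraform-provider"],
+"addLabels": ["renovate/terraform"]
+},
+{
+"matchDatasources": ["github-releases", "github-tags"],
+"addLabels": ["renovate/github-release"]
+},
+{
+"matchManagers": ["github-actions"],
+"addLabels": ["renovate/github-action"]
+},
+{
+"matchDatasources": ["pypi"],
+"addLabels": ["renovate/pip"]
+}
+]
+}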
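Review bot: the last rule adds `renovate/pip`, but `.github/labels.yaml` in this same commit defines only `renovate/ansible`, `renovate/container`, `renovate/github-action`, `renovate/github-release`, `renovate/helm` and `renovate/terraform`, so this label has no definition to be synced from. Either add a `renovate/pip` entry with the same `ffc300` colour to labels.yaml or drop the rule; whether Renovate creates missing labels on its own depends on platform settings not visible here.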

125
.github/renovate/semanticCommits.json5 vendored Normal file

@@ -0,0 +1,125 @@
{
"packageRules": [
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(container)!: "
},
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "container"
},
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["digest", "patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "container"
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(helm)!: "
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "helm"
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "helm"
},
{
"matchDatasources": ["galaxy", "galaxy-collection"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(ansible)!: "
},
{
"matchDatasources": ["galaxy", "galaxy-collection"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "ansible"
},
{
"matchDatasources": ["galaxy", "galaxy-collection"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "ansible"
},
{
"matchDatasources": ["terraform-provider"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(terraform)!: "
},
{
"matchDatasources": ["terraform-provider"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "terraform"
},
{
"matchDatasources": ["terraform-provider"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "terraform"
},
{
"matchDatasources": ["github-releases", "github-tags"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(github-release)!: "
},
{
"matchDatasources": ["github-releases", "github-tags"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "github-release"
},
{
"matchDatasources": ["github-releases", "github-tags"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "github-release"
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(github-action)!: "
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "github-action"
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "github-action"
},
{
"matchDatasources": ["pypi"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(pip)!: "
},
{
"matchDatasources": ["pypi"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "pip"
},
{
"matchDatasources": ["pypi"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "pip"
}
]
}


@@ -0,0 +1,26 @@
#!/usr/bin/env bash
# Get all local networks
# ipv4_rfc1918='[ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]'
# Get all cloudflare ipv4 ranges in an array
ipv4_cloudflare="$(curl -sL https://www.cloudflare.com/ips-v4 | jq --raw-input --slurp 'split("\n")')"
if [[ -z "${ipv4_cloudflare}" ]]; then
exit 1
fi
# Get all cloudflare ipv6 ranges in an array
ipv6_cloudflare="$(curl -sL https://www.cloudflare.com/ips-v6 | jq --raw-input --slurp 'split("\n")')"
if [[ -z "${ipv6_cloudflare}" ]]; then
exit 1
fi
# Merge rfc1918 ipv4, cloudflare ipv4, and cloudflare ipv6 ranges into one array
combined=$(jq \
--argjson ipv4_cloudflare "${ipv4_cloudflare}" \
--argjson ipv6_cloudflare "${ipv6_cloudflare}" \
-n '$ipv4_cloudflare + $ipv6_cloudflare' \
)
# Output array as a string with \, as delimiter
echo "${combined}" | jq --raw-output '. | join("\\,")'
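Review bot: `curl -sL` on the two Cloudflare fetches (the `ipv4_cloudflare=` and `ipv6_cloudflare=` lines) has no `--fail`, so an HTTP error page is accepted as a list of ranges: jq still produces a non-empty array, the `-z` guard passes, and the script prints junk where prefixes are expected. `split("\n")` on output that ends in a newline also yields a trailing empty element, so the joined string ends in `\,`. Use `curl -fsSL` on both lines, filter empties with `jq --raw-input --slurp 'split("\n") | map(select(length > 0))'`, and add `set -o errexit -o nounset -o pipefail` after the shebang so a failing pipeline stops instead of emitting a partial list. What consumes this output is not shown; presumably it feeds a trusted-address list, in which case bad input would widen or break it rather than fail loudly.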

124
.github/scripts/container-parser.sh vendored Executable file

@@ -0,0 +1,124 @@
#!/usr/bin/env bash
# shellcheck source=/dev/null
source "$(dirname "${0}")/lib/functions.sh"
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
show_help() {
cat << EOF
Usage: $(basename "$0") <options>
-h, --help Display help
-f, --file File to scan for container images
--nothing Enable nothing mode
EOF
}
main() {
local file=
local nothing=
parse_command_line "$@"
check "jo"
check "jq"
check "yq"
entry
}
parse_command_line() {
while :; do
case "${1:-}" in
-h|--help)
show_help
exit
;;
-f|--file)
if [[ -n "${2:-}" ]]; then
file="$2"
shift
else
echo "ERROR: '-f|--file' cannot be empty." >&2
show_help
exit 1
fi
;;
--nothing)
nothing=1
;;
*)
break
;;
esac
shift
done
if [[ -z "$file" ]]; then
echo "ERROR: '-f|--file' is required." >&2
show_help
exit 1
fi
if [[ -z "$nothing" ]]; then
nothing=0
fi
}
entry() {
# create new array to hold the images
images=()
# look in hydrated flux helm releases
chart_registry_url=$(chart_registry_url "${file}")
chart_name=$(yq eval-all .spec.chart.spec.chart "${file}" 2>/dev/null)
if [[ -n ${chart_registry_url} && -n "${chart_name}" && ! "${chart_name}" =~ "null" ]]; then
chart_version=$(yq eval .spec.chart.spec.version "${file}" 2>/dev/null)
chart_values=$(yq eval .spec.values "${file}" 2>/dev/null)
pushd "$(mktemp -d)" > /dev/null 2>&1
helm repo add main "${chart_registry_url}" > /dev/null 2>&1
helm pull "main/${chart_name}" --untar --version "${chart_version}"
resources=$(echo "${chart_values}" | helm template "${chart_name}" "${chart_name}" --version "${chart_version}" -f -)
popd > /dev/null 2>&1
images+=("$(echo "${resources}" | yq eval-all '.spec.template.spec.containers.[].image' -)")
helm repo remove main > /dev/null 2>&1
fi
# look in helm values
images+=("$(yq eval-all '[.. | select(has("repository")) | select(has("tag"))] | .[] | .repository + ":" + .tag' "${file}" 2>/dev/null)")
# look in kubernetes deployments, statefulsets and daemonsets
images+=("$(yq eval-all '.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)")
# look in kubernetes pods
images+=("$(yq eval-all '.spec.containers.[].image' "${file}" 2>/dev/null)")
# look in kubernetes cronjobs
images+=("$(yq eval-all '.spec.jobTemplate.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)")
# look in docker compose
images+=("$(yq eval-all '.services.*.image' "${file}" 2>/dev/null)")
# remove duplicate values xD
IFS=" " read -r -a images <<< "$(tr ' ' '\n' <<< "${images[@]}" | sort -u | tr '\n' ' ')"
# create new array to hold the parsed images
parsed_images=()
# loop thru the images removing any invalid items
for i in "${images[@]}"; do
# loop thru each image and split on new lines (for when yq finds multiple containers in the same file)
for b in ${i//\\n/ }; do
if [[ -z "${b}" || "${b}" == "null" || "${b}" == "---" ]]; then
continue
fi
parsed_images+=("${b}")
done
done
# check if parsed_images array has items
if (( ${#parsed_images[@]} )); then
# convert the bash array to json and wrap array in an containers object
jo -a "${parsed_images[@]}" | jq -c '{containers: [(.[])]}'
fi
}
main "$@"
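Review bot: `helm` is invoked in `entry` (the `helm repo add`, `helm pull` and `helm template` lines) but `main` only runs `check` for `jo`, `jq` and `yq`, so a runner without helm fails mid-way with a less clear error; add `check "helm"` beside the others. The directory created by `pushd "$(mktemp -d)"` is never removed, and `for b in ${i//\\n/ }` replaces the literal two-character sequence `\n` rather than newlines; the `tr`/`sort -u` step just above already splits on real newlines, so that substitution looks like a no-op. A `tmpdir=$(mktemp -d)` with `trap 'rm -rf "${tmpdir}"' EXIT` at the top of `entry` would take care of cleanup.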

175
.github/scripts/helm-release-differ.sh vendored Executable file

@@ -0,0 +1,175 @@
#!/usr/bin/env bash
# shellcheck source=/dev/null
source "$(dirname "${0}")/lib/functions.sh"
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
show_help() {
cat << EOF
Usage: $(basename "$0") <options>
-h, --help Display help
--source-file Original helm release
--target-file New helm release
--remove-common-labels Remove common labels from manifests
EOF
}
main() {
local source_file=
local target_file=
local remove_common_labels=
parse_command_line "$@"
check "helm"
check "yq"
entry
}
parse_command_line() {
while :; do
case "${1:-}" in
-h|--help)
show_help
exit
;;
--source-file)
if [[ -n "${2:-}" ]]; then
source_file="$2"
shift
else
echo "ERROR: '--source-file' cannot be empty." >&2
show_help
exit 1
fi
;;
--target-file)
if [[ -n "${2:-}" ]]; then
target_file="$2"
shift
else
echo "ERROR: '--target-file' cannot be empty." >&2
show_help
exit 1
fi
;;
--remove-common-labels)
remove_common_labels=true
;;
*)
break
;;
esac
shift
done
if [[ -z "${source_file}" ]]; then
echo "ERROR: '--source-file' is required." >&2
show_help
exit 1
fi
if [[ $(yq eval .kind "${source_file}" 2>/dev/null) != "HelmRelease" ]]; then
echo "ERROR: '--source-file' is not a HelmRelease"
show_help
exit 1
fi
if [[ -z "${target_file}" ]]; then
echo "ERROR: '--target-file' is required." >&2
show_help
exit 1
fi
if [[ $(yq eval .kind "${target_file}" 2>/dev/null) != "HelmRelease" ]]; then
echo "ERROR: '--target-file' is not a HelmRelease"
show_help
exit 1
fi
if [[ -z "$remove_common_labels" ]]; then
remove_common_labels=false
fi
}
_resources() {
local chart_name=${1}
local chart_version=${2}
local chart_registry_url=${3}
local chart_values=${4}
local resources=
helm repo add main "${chart_registry_url}" > /dev/null 2>&1
pushd "$(mktemp -d)" > /dev/null 2>&1
helm pull "main/${chart_name}" --untar --version "${chart_version}"
resources=$(echo "${chart_values}" | helm template "${chart_name}" "${chart_name}" --version "${chart_version}" -f -)
if [[ "${remove_common_labels}" == "true" ]]; then
labels='.metadata.labels."helm.sh/chart"'
labels+=',.metadata.labels.chart'
labels+=',.metadata.labels."app.kubernetes.io/version"'
labels+=',.spec.template.metadata.labels."helm.sh/chart"'
labels+=',.spec.template.metadata.labels.chart'
labels+=',.spec.template.metadata.labels."app.kubernetes.io/version"'
echo "${resources}" | yq eval "del($labels)" -
else
echo "${resources}"
fi
popd > /dev/null 2>&1
helm repo remove main > /dev/null 2>&1
}
entry() {
local comments=
source_chart_name=$(chart_name "${source_file}")
source_chart_version=$(chart_version "${source_file}")
source_chart_registry_url=$(chart_registry_url "${source_file}")
source_chart_values=$(chart_values "${source_file}")
source_resources=$(_resources "${source_chart_name}" "${source_chart_version}" "${source_chart_registry_url}" "${source_chart_values}")
echo "${source_resources}" > /tmp/source_resources
target_chart_version=$(chart_version "${target_file}")
target_chart_name=$(chart_name "${target_file}")
target_chart_registry_url=$(chart_registry_url "${target_file}")
target_chart_values=$(chart_values "${target_file}")
target_resources=$(_resources "${target_chart_name}" "${target_chart_version}" "${target_chart_registry_url}" "${target_chart_values}")
echo "${target_resources}" > /tmp/target_resources
# Diff the files and always return true
diff -u /tmp/source_resources /tmp/target_resources > /tmp/diff || true
# Remove the filenames
sed -i -e '1,2d' /tmp/diff
# Store the comment in an array
comments=()
# shellcheck disable=SC2016
comments+=( "$(printf 'Path: `%s`' "${target_file}")" )
if [[ "${source_chart_name}" != "${target_chart_name}" ]]; then
# shellcheck disable=SC2016
comments+=( "$(printf 'Chart: `%s` -> `%s`' "${source_chart_name}" "${target_chart_name}")" )
fi
if [[ "${source_chart_version}" != "${target_chart_version}" ]]; then
# shellcheck disable=SC2016
comments+=( "$(printf 'Version: `%s` -> `%s`' "${source_chart_version}" "${target_chart_version}")" )
fi
if [[ "${source_chart_registry_url}" != "${target_chart_registry_url}" ]]; then
# shellcheck disable=SC2016
comments+=( "$(printf 'Registry URL: `%s` -> `%s`' "${source_chart_registry_url}" "${target_chart_registry_url}")" )
fi
comments+=( "$(printf '\n\n')" )
if [[ -f /tmp/diff && -s /tmp/diff ]]; then
# shellcheck disable=SC2016
comments+=( "$(printf '```diff\n%s\n```' "$(cat /tmp/diff)")" )
else
# shellcheck disable=SC2016
comments+=( "$(printf '```\nNo changes in detected in resources\n```')" )
fi
# Join the array with a new line and print it
printf "%s\n" "${comments[@]}"
}
main "$@"
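Review bot: `entry` writes to the fixed paths `/tmp/source_resources`, `/tmp/target_resources` and `/tmp/diff`, which are predictable, never cleaned up, and clobbered when two instances run on the same host; create a private work dir with `workdir=$(mktemp -d)` followed by `trap 'rm -rf "${workdir}"' EXIT` and point the `echo … >`, `diff -u` and `sed -i` lines at `${workdir}/…`. The two `is not a HelmRelease` errors in `parse_command_line` go to stdout while the sibling messages use `>&2`, which matters here because stdout is the PR comment body. `_resources` also reads `remove_common_labels` from the caller's scope instead of taking it as a fifth argument; at minimum a comment on that function should say so, since it otherwise reads as an undefined variable.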

47
.github/scripts/lib/functions.sh vendored Normal file

@@ -0,0 +1,47 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
check() {
command -v "${1}" >/dev/null 2>&1 || {
echo >&2 "ERROR: ${1} is not installed or not found in \$PATH" >&2
exit 1
}
}
chart_registry_url() {
local helm_release=
local chart_id=
helm_release="${1}"
chart_id=$(yq eval .spec.chart.spec.sourceRef.name "${helm_release}" 2>/dev/null)
# Discover all HelmRepository
find . -iname '*-charts.yaml' -type f -print0 | while IFS= read -r -d '' file; do
# Skip non HelmRepository
[[ $(yq eval .kind "${file}" 2>/dev/null) != "HelmRepository" ]] && continue
# Skip unrelated HelmRepository
[[ "${chart_id}" != $(yq eval .metadata.name "${file}" 2>/dev/null) ]] && continue
yq eval .spec.url "${file}"
break
done
}
chart_name() {
local helm_release=
helm_release="${1}"
yq eval .spec.chart.spec.chart "${helm_release}" 2>/dev/null
}
chart_version() {
local helm_release=
helm_release="${1}"
yq eval .spec.chart.spec.version "${helm_release}" 2>/dev/null
}
chart_values() {
local helm_release=
helm_release="${1}"
yq eval .spec.values "${helm_release}" 2>/dev/null
}
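Review bot: `check` redirects stderr twice on its error line (`echo >&2 "ERROR: …" >&2`); one `>&2` is enough. In `chart_registry_url`, when `.spec.chart.spec.sourceRef.name` is absent yq prints the string `null` (the same value the other scripts in this commit test for), so `chart_id` is compared against every HelmRepository name and the function silently prints nothing, and callers carry on with an empty registry URL; guard it with `[[ -z "${chart_id}" || "${chart_id}" == "null" ]] && return 1` before the `find` loop. The `break` inside the piped `while` only works because `shopt -s lastpipe` above keeps the loop in the current shell; a comment on that line would save the next reader a trip.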


@@ -1,122 +0,0 @@
---
name: Create diff on updated HelmReleases
on:
pull_request:
branches:
- main
paths:
- "cluster/**.yaml"
env:
conf_live_branch: main
conf_allow_repeating_same_comment: true
jobs:
changes:
name: Detect changes
runs-on: ubuntu-latest
outputs:
files: "${{ steps.extract.outputs.files }}"
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Get changes
uses: dorny/paths-filter@v2
id: filter
with:
list-files: shell
filters: |
changed:
- '**'
- name: Keep HelmReleases only
id: extract
run: |
filtered=$(grep -zl "kind: HelmRelease.*registryUrl=" ${{ steps.filter.outputs.changed_files }} | \
jq -R '[.]' | \
jq -s -c add)
echo ::set-output name=files::${filtered}
helm:
name: Template HelmReleases
runs-on: ubuntu-latest
needs:
- changes
strategy:
matrix:
file: ${{ fromJson(needs.changes.outputs.files) }}
fail-fast: false
steps:
- name: Setup Kubernetes Tools
uses: yokawasa/action-setup-kube-tools@v0.8.0
with:
setup-tools: |
helmv3
yq
- name: Checkout live branch
uses: actions/checkout@v2
with:
ref: ${{ env.conf_live_branch }}
path: live
- name: Checkout PR branch
uses: actions/checkout@v2
with:
path: pr
- name: Create diff
id: diff
run: |
hr_live_url=$(sed -nr 's|.*registryUrl=(.+)$|\1|p' live/${{ matrix.file }})
hr_live_chart=$(yq e .spec.chart.spec.chart live/${{ matrix.file }})
hr_live_version=$(yq e .spec.chart.spec.version live/${{ matrix.file }})
hr_live_values=$(yq e .spec.values live/${{ matrix.file }})
hr_pr_url=$(sed -nr 's|.*registryUrl=(.+)$|\1|p' pr/${{ matrix.file }})
hr_pr_chart=$(yq e .spec.chart.spec.chart pr/${{ matrix.file }})
hr_pr_version=$(yq e .spec.chart.spec.version pr/${{ matrix.file }})
hr_pr_values=$(yq e .spec.values pr/${{ matrix.file }})
helm repo add live "$hr_live_url"
helm repo add pr "$hr_pr_url"
resources_live=$(echo "$hr_live_values" | \
helm template "$hr_live_chart" \
live/"$hr_live_chart" \
--version "$hr_live_version" -f -)
echo "$resources_live"
echo "#####################################################"
resources_pr=$(echo "$hr_pr_values" | \
helm template "$hr_pr_chart" \
pr/"$hr_pr_chart" \
--version "$hr_pr_version" -f -)
echo "$resources_pr"
echo "#####################################################"
diff=$((diff -u <(echo "$resources_live") <(echo "$resources_pr") || true) | tail +3)
echo "$diff"
message="Path: \`${{ matrix.file }}\`"
if [ "$hr_live_chart" != "$hr_pr_chart" ]; then
message="$message"$'\n'"Chart: \`$hr_live_chart\` -> \`$hr_pr_chart\`"
fi
if [ "$hr_live_version" != "$hr_pr_version" ]; then
message="$message"$'\n'"Version: \`$hr_live_version\` -> \`$hr_pr_version\`"
fi
if [ "$hr_live_url" != "$hr_pr_url" ]; then
message="$message"$'\n'"Repo: \`$hr_live_url\` -> \`$hr_pr_url\`"
fi
message="$message"$'\n'$'\n'
if [ -z "$diff" ]; then
message="$message"'```'$'\n'"No changes in detected in resources"$'\n''```'
else
message="$message"'```diff'$'\n'"$diff"$'\n''```'
fi
echo "::set-output name=message::$(echo "$message" | jq --raw-input --slurp)"
- name: Add PR Comment
uses: mshick/add-pr-comment@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
allow-repeats: ${{ env.conf_allow_repeating_same_comment }}
message: "${{ fromJSON(steps.diff.outputs.message) }}"


@@ -1,44 +0,0 @@
---
name: Schedule - Update Flux
on: # yamllint disable-line rule:truthy
workflow_dispatch:
schedule:
- cron: '0 12 * * *'
jobs:
flux-upgrade:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 1
- name: Setup Flux CLI
uses: fluxcd/flux2/action@main
- name: Upgrade Flux
id: upgrade
run: |
CLI_VERSION="$(flux -v)"
VERSION="v${CLI_VERSION#*flux version }"
flux install --version="${VERSION}" \
--network-policy=false \
--export > ./cluster/base/flux-system/gotk-components.yaml
echo "::set-output name=flux_version::$VERSION"
- name: Create pull request for Flux upgrade
uses: peter-evans/create-pull-request@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: "flux/upgrade-${{ steps.upgrade.outputs.flux_version }}"
delete-branch: true
title: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}"
signoff: false
committer: GitHub <noreply@github.com>
author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
commit-message: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}"
body: |
Release notes: https://github.com/fluxcd/flux2/releases/tag/${{ steps.upgrade.outputs.flux_version }}
labels: flux/upgrade

@@ -0,0 +1,79 @@
---
name: Helm Release Differ
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- main
paths:
- "cluster/**.yaml"
env:
# Currently no way to detect automatically
DEFAULT_BRANCH: main
BOT_USERNAME: "chii-bot[bot]"
jobs:
detect-file-changes:
name: Detect File Changes
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: dorny/paths-filter@v2
id: filter
with:
list-files: json
filters: |
yaml:
- added|modified: "**/helm-release.yaml"
outputs:
yaml_files: ${{ steps.filter.outputs.yaml_files }}
helm-release-differ:
name: Helm Release Differ
runs-on: ubuntu-latest
needs: detect-file-changes
strategy:
matrix:
file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: ${{ secrets.BOT_APP_ID }}
private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
- name: Checkout default branch
uses: actions/checkout@v3
with:
ref: "${{ env.DEFAULT_BRANCH }}"
path: default
- name: Install Helm
uses: azure/setup-helm@v3
with:
version: v3.6.3
- name: Helm Release Differ
id: diff
run: |
diff=$(.github/scripts/helm-release-differ.sh --source-file "default/${{ matrix.file }}" --target-file "${{ matrix.file }}" --remove-common-labels)
echo "${diff}"
diff="${diff//'%'/'%25'}"
diff="${diff//$'\n'/'%0A'}"
diff="${diff//$'\r'/'%0D'}"
echo "::set-output name=diff::$(echo ${diff})"
- name: Find Comment
uses: peter-evans/find-comment@v2
id: find-comment
with:
issue-number: "${{ github.event.pull_request.number }}"
comment-author: "${{ env.BOT_USERNAME }}"
body-includes: "${{ matrix.file }}"
- name: Create or update comment
uses: peter-evans/create-or-update-comment@v2
with:
token: "${{ steps.generate-token.outputs.token }}"
comment-id: "${{ steps.find-comment.outputs.comment-id }}"
issue-number: "${{ github.event.pull_request.number }}"
body: "${{ steps.diff.outputs.diff }}"
edit-mode: replace
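Review bot: The `Helm Release Differ` run step interpolates `${{ matrix.file }}` directly into the shell command line, and that value is a path taken from the pull request's own list of changed files, so a file name containing shell metacharacters would be interpreted by bash instead of being passed as an argument; hand it to the script through an `env:` entry and reference it as a quoted variable. The same step ends with `echo "::set-output name=diff::$(echo ${diff})"`, where the unquoted `${diff}` is word-split and glob-expanded against the working tree, so a `*` in a diff line can be replaced by file names; quote it. Because the trigger is `pull_request`, the `Generate Token` step presumably fails on pull requests from forks where `secrets.*` are not available — `lint.yaml`, `meta-label-size.yaml` and `meta-labeler.yml` in this commit pair the same trigger with the same app token.
```yaml
      - name: Helm Release Differ
        id: diff
        env:
          FILE: ${{ matrix.file }}
        run: |
          diff=$(.github/scripts/helm-release-differ.sh --source-file "default/${FILE}" --target-file "${FILE}" --remove-common-labels)
          echo "${diff}"
          # … unchanged: %, newline and carriage-return escaping …
          echo "::set-output name=diff::${diff}"
```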

@@ -1,24 +0,0 @@
---
name: Invalid Template
on:
issues:
types:
- labeled
- unlabeled
- reopened
jobs:
support:
runs-on: ubuntu-20.04
steps:
- uses: dessant/support-requests@v2
with:
github-token: ${{ github.token }}
support-label: 'template-incomplete'
issue-comment: >
:wave: @{issue-author}, please follow the template provided.
close-issue: true
lock-issue: true
issue-lock-reason: 'resolved'

@@ -1,19 +1,66 @@
---
name: Lint
on: # yamllint disable-line rule:truthy
workflow_dispatch:
pull_request:
branches:
- main
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
jobs:
yaml:
runs-on: ubuntu-20.04
build:
name: MegaLinter
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: yamllint
uses: reviewdog/action-yamllint@v1
with:
github_token: ${{ secrets.github_token }}
reporter: github-pr-review
yamllint_flags: '-c .github/yamllint.config.yaml ./cluster/'
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: MegaLinter
uses: oxsecurity/megalinter@v6.0.5
env:
GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
PRINT_ALPACA: false
VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'workflow_dispatch' }}
ENABLE_LINTERS: |-
${{
join(
fromJSON('
[
"ACTION_ACTIONLINT",
"ANSIBLE_ANSIBLE_LINT",
"COPYPASTE_JSCPD",
"KUBERNETES_KUBEVAL",
"MARKDOWN_MARKDOWNLINT",
"REPOSITORY_GIT_DIFF",
"REPOSITORY_SECRETLINT",
"TERRAFORM_TERRAFORM_FMT",
"YAML_PRETTIER",
"YAML_YAMLLINT"
]
'),
','
)
}}
ANSIBLE_DIRECTORY: ansible
ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: .ansible-lint
KUBERNETES_DIRECTORY: cluster
KUBERNETES_KUBEVAL_ARGUMENTS: --ignore-missing-schemas
KUBERNETES_KUBEVAL_FILTER_REGEX_INCLUDE: "(kubernetes)"
MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .github/linters/.markdownlint.yaml
MARKDOWN_MARKDOWNLINT_RULES_PATH: .github/
YAML_YAMLLINT_CONFIG_FILE: .github/linters/.yamllint.yaml
YAML_PRETTIER_CONFIG_FILE: .github/linters/.prettierrc.yaml
YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "(.*\\.sops\\.ya?ml)"
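Review bot: `KUBERNETES_KUBEVAL_FILTER_REGEX_INCLUDE: "(kubernetes)"` does not match the tree the linter is pointed at — `KUBERNETES_DIRECTORY` is `cluster`, and nothing in the hunk suggests paths under it contain the word `kubernetes` — so kubeval will presumably validate no manifests at all; `"(cluster)"`, or dropping the include filter, looks like the intent. `oxsecurity/megalinter@v6.0.5`, `tibdex/github-app-token@v1` and `actions/checkout@v3` are pinned to mutable tags; pinning to a commit SHA with the tag in a trailing comment keeps the lint job's supply chain reproducible. The `.sops.*` exclusion applies only to `YAML_PRETTIER`, so `YAML_YAMLLINT` still reads the encrypted files; that is harmless if they are well-formed YAML but worth a one-line comment next to the exclude so the asymmetry reads as deliberate.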

33
.github/workflows/meta-label-size.yaml vendored Normal file
@@ -0,0 +1,33 @@
---
name: Meta - Label Size
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- main
jobs:
label-size:
name: Label Size
runs-on: ubuntu-latest
steps:
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Label Size
uses: pascalgn/size-label-action@v0.4.3
env:
GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
with:
sizes: >
{
"0": "XS",
"20": "S",
"50": "M",
"200": "L",
"800": "XL",
"2000": "XXL"
}

24
.github/workflows/meta-labeler.yml vendored Normal file
@@ -0,0 +1,24 @@
---
name: Meta - Labeler
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- main
jobs:
labeler:
name: Labeler
runs-on: ubuntu-latest
steps:
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Labeler
uses: actions/labeler@v4
with:
configuration-path: .github/labeler.yaml
repo-token: "${{ steps.generate-token.outputs.token }}"

30
.github/workflows/meta-sync-labels.yaml vendored Normal file
@@ -0,0 +1,30 @@
---
name: Meta - Sync labels
on: # yamllint disable-line rule:truthy
workflow_dispatch:
push:
branches:
- main
paths:
- ".github/labels.yaml"
jobs:
labels:
name: Sync Labels
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Sync Labels
uses: EndBug/label-sync@v2
with:
config-file: .github/labels.yaml
token: "${{ steps.generate-token.outputs.token }}"
delete-other-labels: true
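Review bot: `delete-other-labels: true` makes `.github/labels.yaml` the sole source of truth and removes every label not declared there on each push to `main`, including labels that other workflows added in this commit rely on — `link-checker` in `schedule-link-checker.yaml` and `renovate/github-action` in `schedule-cloudflare-proxied-networks.yaml` — unless they are declared in that file; either declare them or keep `delete-other-labels: false` until the file is complete. Since the job runs on `push` with an app token that can delete labels, an incomplete edit to `labels.yaml` propagates immediately; a `workflow_dispatch`-only dry run (the action's `dry-run` input, if the pinned version provides it — confirm) is a cheap safeguard.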

@@ -1,38 +0,0 @@
---
name: Schedule - Renovate Helm Releases
on: # yamllint disable-line rule:truthy
workflow_dispatch:
schedule:
- cron: '0 */12 * * *'
jobs:
renovate-helm-releases:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 1
- name: Renovate Helm Releases
uses: k8s-at-home/renovate-helm-releases@v1
with:
cluster-path: "./cluster"
- name: Create pull request for renovatebot helm-release annotations
uses: peter-evans/create-pull-request@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: renovate-annotations
delete-branch: true
title: "chore(deps): update renovate annotations"
signoff: false
committer: GitHub <noreply@github.com>
author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
commit-message: "chore(deps): update renovate annotations"
body: |
Update HelmReleases inorder for Renovate to pick up new versions of Helm charts
labels: renovate/annotations

72
.github/workflows/scan-containers.yaml vendored Normal file
@@ -0,0 +1,72 @@
---
name: Scan Containers
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- main
paths:
- "cluster/**.yaml"
- "ansible/**.yml.j2"
jobs:
detect-file-changes:
name: Detect File Changes
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: dorny/paths-filter@v2
id: filter
with:
list-files: json
filters: |
yaml:
- added|modified: "**.yaml"
- added|modified: "**.yml"
- added|modified: "**.yaml.j2"
- added|modified: "**.yml.j2"
outputs:
yaml_files: ${{ steps.filter.outputs.yaml_files }}
detect-containers:
name: Detect Containers
runs-on: ubuntu-latest
needs: detect-file-changes
strategy:
matrix:
file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Jo
run: |
sudo apt-get install jo
- name: Detect Containers in Files
id: containers
run: |
containers=$(.github/scripts/container-parser.sh --file "${{ matrix.file }}")
echo "${containers}"
echo ::set-output name=containers::${containers}
outputs:
containers: ${{ steps.containers.outputs.containers }}
scan-containers:
name: Scan Containers
runs-on: ubuntu-latest
needs: detect-containers
strategy:
matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }}
fail-fast: false
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Scan Container
uses: aquasecurity/trivy-action@0.5.1
with:
image-ref: ${{ matrix.containers }}
vuln-type: os,library
severity: CRITICAL,HIGH
format: sarif
output: trivy-results.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
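Review bot: `scan-containers` builds its matrix from `needs.detect-containers.outputs.containers`, but `detect-containers` is itself a matrix job and job outputs set by several matrix legs overwrite each other, so when more than one file changed presumably only the container list of the last leg to finish is scanned. Either run the container parser once over all changed files in `detect-file-changes`, or have each leg upload its JSON as an artifact and merge them in a single follow-up job before building the scan matrix. Two smaller points in the same file: `echo ::set-output name=containers::${containers}` should quote `"${containers}"` so the JSON is neither word-split nor glob-expanded, and `sudo apt-get install jo` should pass `-y` so a dependency prompt cannot abort the non-interactive runner. `upload-sarif` also requires `security-events: write`, which the workflow does not declare and therefore depends on the repository's default token permissions.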

@@ -0,0 +1,41 @@
---
name: Schedule - Cloudflare Proxied Networks Update
on: # yamllint disable-line rule:truthy
workflow_dispatch:
schedule:
- cron: "0 0 * * *"
env:
CLOUDFLARE_PROXIED_NETWORKS_FILE: >-
cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt
jobs:
cloudflare-proxied-networks-update:
name: Cloudflare Proxied Networks
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Cloudflare Proxied Networks
run: |
bash ./.github/scripts/cloudflare-proxied-networks.sh > ${{ env.CLOUDFLARE_PROXIED_NETWORKS_FILE }}
- name: Create pull request
uses: peter-evans/create-pull-request@v4
with:
token: "${{ steps.generate-token.outputs.token }}"
branch: github-action/update-cloudflare-proxied-networks
delete-branch: true
title: "chore(github-action): update cloudflare proxied networks"
signoff: true
commit-message: "chore(github-action): update cloudflare proxied networks"
body: |
Update cloudflare proxy networks configmap from https://www.cloudflare.com/ips/
labels: |
renovate/github-action
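Review bot: `bash ./.github/scripts/cloudflare-proxied-networks.sh > ${{ env.CLOUDFLARE_PROXIED_NETWORKS_FILE }}` truncates the tracked file before the script runs, so any failure of the script (network error, upstream format change) leaves an empty proxied-networks list, and the next step would open a pull request that, if merged, drops every Cloudflare range from the ingress-nginx configmap the file presumably feeds. Write to a temporary file and only replace the tracked one when the output is non-empty: `tmp="$(mktemp)"`, `bash ./.github/scripts/cloudflare-proxied-networks.sh > "${tmp}"`, `[ -s "${tmp}" ] && mv "${tmp}" "${CLOUDFLARE_PROXIED_NETWORKS_FILE}"`. Using the exported `${CLOUDFLARE_PROXIED_NETWORKS_FILE}` shell variable instead of the `${{ env.… }}` expression also keeps the path quoted.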

@@ -0,0 +1,42 @@
---
name: Schedule - Link Checker
on: # yamllint disable-line rule:truthy
workflow_dispatch:
schedule:
- cron: "0 0 * * *"
jobs:
link-checker:
name: Link Checker
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Link Checker
uses: lycheeverse/lychee-action@v1.5.0
id: lychee
env:
GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
- name: Find Link Checker Issue
id: link-checker-issue
uses: micalevisk/last-issue-action@v2
with:
state: open
labels: |
link-checker
- name: Update Issue
uses: peter-evans/create-issue-from-file@v4
with:
title: Broken links detected in docs 🔗
issue-number: "${{ steps.link-checker-issue.outputs.issue-number }}"
content-filepath: ./lychee/out.md
token: "${{ steps.generate-token.outputs.token }}"
labels: |
link-checker
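Review bot: The `Update Issue` step runs unconditionally, so a night on which lychee finds nothing still creates or rewrites a "Broken links detected in docs" issue with a clean report; gate it on the checker's result, e.g. `if: steps.lychee.outputs.exit_code != 0` (lychee-action exposes an `exit_code` output — confirm for the pinned v1.5.0). With no `args` given the step presumably scans the action's default file set, so stating the intended inputs explicitly would document what the nightly job actually covers.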

@@ -0,0 +1,50 @@
---
name: Schedule - Renovate
on: # yamllint disable-line rule:truthy
workflow_dispatch:
inputs:
dryRun:
description: "Dry-Run"
default: "false"
required: false
logLevel:
description: "Log-Level"
default: "debug"
required: false
schedule:
- cron: "0 * * * *"
push:
branches:
- main
paths:
- ".github/renovate.json5"
- ".github/renovate/**.json5"
env:
LOG_LEVEL: debug
DRY_RUN: false
RENOVATE_CONFIG_FILE: .github/renovate.json5
jobs:
renovate:
name: Renovate
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Generate Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Override default config from dispatch variables
run: |
echo "DRY_RUN=${{ github.event.inputs.dryRun || env.DRY_RUN }}" >> "${GITHUB_ENV}"
echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "${GITHUB_ENV}"
- name: Renovate
uses: renovatebot/github-action@v32.117.3
with:
configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
token: "x-access-token:${{ steps.generate-token.outputs.token }}"

@@ -1,28 +0,0 @@
---
name: 'Support requests'
on:
issues:
types:
- labeled
- unlabeled
- reopened
jobs:
support:
runs-on: ubuntu-20.04
steps:
- uses: dessant/support-requests@v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
support-label: 'support'
issue-comment: >
:wave: @{issue-author}, we use the issue tracker exclusively
for bug reports and feature requests. However, this issue appears
to be a support request. Please use our support channels
to get help with.
- [Discord](https://discord.gg/sTMX7Vh)
close-issue: true
lock-issue: false
issue-lock-reason: 'off-topic'

24
.gitignore vendored
@@ -1,5 +1,6 @@
# Editors
.vscode/
.fttemplates/
# Trash
.DS_Store
Thumbs.db
@@ -16,11 +17,24 @@ bin
.private/
.logs/
.task/
# Terraform
.terraform*
terraform.tfstate*
# Ansible
server/ansible/inventory/e2e/hosts.yml
ansible/inventory/e2e/hosts.yml
xanmanning.k3s*
nvidia.nvidia_driver*
node_modules
node_modules
# Terraform
.terraform*
.terraform.tfstate*
terraform.tfstate*
# Sops
.decrypted~*
*.agekey
# Kubernetes
kubeconfig*
talosconfig*
*.pub
*.key
# Extras
config.xml
*.pid
kubernetes

@@ -1,28 +1,29 @@
---
fail_fast: false
repos:
- repo: https://github.com/adrienverge/yamllint
rev: v1.26.3
hooks:
- args:
- -c
- .github/yamllint.config.yaml
id: yamllint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: mixed-line-ending
- repo: https://github.com/Lucas-C/pre-commit-hooks
rev: v1.1.10
hooks:
- id: remove-crlf
- id: remove-tabs
- repo: https://github.com/sirosen/fix-smartquotes
rev: 0.2.0
hooks:
- id: fix-smartquotes
- repo: https://github.com/k8s-at-home/sops-pre-commit
rev: v2.0.3
hooks:
- id: forbid-secrets
- repo: https://github.com/adrienverge/yamllint
rev: v1.27.1
hooks:
- args:
- --config-file
- .github/linters/.yamllint.yaml
id: yamllint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.3.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: mixed-line-ending
- repo: https://github.com/Lucas-C/pre-commit-hooks
rev: v1.3.0
hooks:
- id: remove-crlf
- id: remove-tabs
- repo: https://github.com/sirosen/texthooks
rev: 0.3.1
hooks:
- id: fix-smartquotes
- repo: https://github.com/k8s-at-home/sops-pre-commit
rev: v2.1.1
hooks:
- id: forbid-secrets

@@ -9,4 +9,4 @@ creation_rules:
encrypted_regex: "^(data|stringData)$"
key_groups:
- age:
- age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
- age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc

18
.sourceignore Normal file
@@ -0,0 +1,18 @@
# See https://toolkit.fluxcd.io/components/source/gitrepositories/#excluding-files
.github/
.taskfiles/
.vscode/
ansible/
docs/
hack/
shared/
terraform/
talos/
.envrc
.gitattributes
.gitignore
.pre-commit-config.yaml
.sops.yaml
LICENSE
README.md
Taskfile.yaml

@@ -0,0 +1,11 @@
---
version: "3"
tasks:
init:
desc: install/upgrade ansible deps
dir: ansible
cmds:
- "ansible-galaxy install -r requirements.yml --roles-path ~/.ansible/roles --force"
- "ansible-galaxy collection install -r requirements.yml --collections-path ~/.ansible/collections --force"

@@ -0,0 +1,20 @@
---
version: "3"
tasks:
list-dockerhub:
desc: What dockerhub images are running in my cluster
cmds:
- kubectl get pods --all-namespaces -o=jsonpath="{range .items[*]}{'\n'}{range .spec.containers[*]}{.image}{'\n'}{end}{end}" | sort | uniq | grep -Ev 'quay|gcr|ghcr|ecr|us-docker' | grep -Ev 'bitnami|rook|intel|grafana' | sed -e 's/docker\.io\///g' | sort | uniq
delete-failed-pods:
desc: Deletes failed pods
cmds:
- kubectl delete pods --field-selector status.phase=Failed -A --ignore-not-found=true
hr-restart:
desc: Restart all failed Helm Releases
cmds:
- kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -l bash -c 'flux suspend hr $0 -n $1'
- kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -l bash -c 'flux resume hr $0 -n $1'

75
.taskfiles/DebugTasks.yml Normal file
@@ -0,0 +1,75 @@
---
version: "3"
tasks:
network:
desc: Create a netshoot container for debugging
cmds:
- kubectl run netshoot --rm -i --tty --image ghcr.io/nicolaka/netshoot:latest {{.CLI_ARGS}}
volume:
desc: |-
Create a container for debugging a PVC (ex. task PVC=plex-config-v1 debug:volume)
interactive: true
cmds:
- |
kubectl run -n $(kubectl get pvc -A | grep {{.PVC}} | awk '{print $1}') debug-{{.PVC}} -i --tty --rm --image=null --privileged --overrides='
{
"apiVersion": "v1",
"spec": {
"containers": [
{
"name": "debug",
"image": "ghcr.io/onedr0p/alpine:rolling",
"command": [
"/bin/bash"
],
"stdin": true,
"stdinOnce": true,
"tty": true,
"volumeMounts": [
{
"name": "config",
"mountPath": "/data/config"
},
{
"name": "backups",
"mountPath": "/data/backups"
}
]
}
],
"volumes": [
{
"name": "config",
"persistentVolumeClaim": {
"claimName": "{{.PVC}}"
}
},
{
"name": "backups",
"nfs": {
"server": "{{.NAS_ADDRESS | default "nas01"}}",
"path": "{{.NAS_PATH | default "/tank/data/backups"}}"
}
}
],
"restartPolicy": "Never"
}
}'
node:
desc: |-
Create a privileged container on a node for debugging (ex. task NODE=k8s-control01 debug:node)
interactive: true
cmds:
- |
kubectl run debug-{{.NODE}} -i --tty --rm --image="docker.io/library/alpine:3.16" --privileged --overrides='
{
"spec": {
"nodeSelector": {
"kubernetes.io/hostname": "{{.NODE}}"
},
"restartPolicy": "Never"
}
}'
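Review bot: `kubectl get pvc -A | grep {{.PVC}}` in the `volume` task picks the namespace by unanchored substring match, so a PVC name that is a prefix of another (`plex-config` against `plex-config-v1`) or that occurs in another row's columns yields several namespaces or the wrong one, and the `kubectl run -n` target is then malformed; match the name column exactly instead: `kubectl get pvc -A | awk -v pvc="{{.PVC}}" '$2 == pvc {print $1}'`. The same pattern appears in `RestoreTasks.yml` under both `vars` and `env`. Separately, the `volume` debug pod is created with `--privileged` although mounting a PVC and an NFS export needs no elevated privileges; dropping the flag keeps an ad-hoc container from holding host-level access by default, while the `node` task, where privilege is the point, stays as written.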

@@ -0,0 +1,19 @@
---
version: "3"
tasks:
init:
desc: Install pre-commit hooks
cmds:
- pre-commit install --install-hooks
update:
desc: Update pre-commit hooks
cmds:
- pre-commit autoupdate
run:
desc: Run pre-commit on all files
cmds:
- pre-commit run --all-files

@@ -0,0 +1,31 @@
---
version: "3"
tasks:
volume:
desc: Create a job to restore a kopia snapshot (ex. task PVC=plex-config-v1 restore:volume)
interactive: true
cmds:
- flux -n {{.NAMESPACE}} suspend helmrelease {{.APP}}
- kubectl -n {{.NAMESPACE}} scale deployment {{.APP}} --replicas 0
- kubectl -n {{.NAMESPACE}} wait --for delete pod --selector="app.kubernetes.io/name={{.APP}}" --timeout=2m
- envsubst < <(cat ./hack/restore-job.yaml) | kubectl apply -f -
- kubectl -n {{.NAMESPACE}} wait --for condition=complete job {{.APP}}-restore --timeout=60m
- flux -n {{.NAMESPACE}} resume helmrelease {{.APP}}
- kubectl -n {{.NAMESPACE}} logs job/{{.APP}}-restore
- defer: kubectl -n {{.NAMESPACE}} delete job/{{.APP}}-restore
vars:
NAMESPACE:
sh: kubectl get pvc -A | grep {{.PVC}} | awk '{print $1}'
APP:
sh: kubectl -n {{.NAMESPACE}} get pvc {{.PVC}} -o jsonpath='{.metadata.labels.app\.kubernetes\.io\/name}'
env:
PVC: "{{.PVC}}"
NAMESPACE:
sh: kubectl get pvc -A | grep {{.PVC}} | awk '{print $1}'
APP:
sh: kubectl -n {{.NAMESPACE}} get pvc {{.PVC}} -o jsonpath='{.metadata.labels.app\.kubernetes\.io\/name}'
preconditions:
- sh: kubectl -n {{.NAMESPACE}} get pvc {{.PVC}}
msg: "Error: pvc/{{.PVC}} in namespace/{{.NAMESPACE}} not found"
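Review bot: `APP` is derived from the PVC's `app.kubernetes.io/name` label and nothing checks that it is non-empty, so for a PVC without that label the task runs `flux suspend helmrelease` and `kubectl scale deployment` with an empty name and the failure is only noticed after the restore job has been applied; add a precondition such as `- sh: test -n "{{.APP}}"` with `msg: "Error: pvc/{{.PVC}} has no app.kubernetes.io/name label"`. The `scale deployment` step assumes the owning workload is a Deployment, which is worth stating in `desc` since a StatefulSet-backed PVC would not be scaled down before the restore runs. `NAMESPACE` and `APP` are computed twice (under `vars` and again under `env`); `env` can reference the vars (`NAMESPACE: "{{.NAMESPACE}}"`, `APP: "{{.APP}}"`) and avoid the duplicate kubectl calls.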

15
.taskfiles/RookTasks.yml Normal file
@@ -0,0 +1,15 @@
---
version: "3"
tasks:
toolbox:
desc: Exec into the Rook Ceph toolbox
interactive: true
cmds:
- kubectl -n rook-ceph exec -it $(kubectl -n rook-ceph get pod -l "app=rook-direct-mount" -o jsonpath='{.items[0].metadata.name}') -- bash
password:
desc: Retrieve the rook-ceph dashboard password
cmds:
- kubectl -n rook-ceph get secret rook-ceph-dashboard-password -o jsonpath="{['data']['password']}" | base64 --decode && echo

@@ -0,0 +1,23 @@
---
version: "3"
tasks:
init:
desc: Initialize terraform dependencies
dir: terraform
cmds:
- find . -maxdepth 1 -type d \( ! -name . \) -exec bash -c "cd '{}' && terraform init {{.CLI_ARGS}}" \;
plan:
desc: Show the terraform plan
dir: terraform
cmds:
- find . -maxdepth 1 -type d \( ! -name . \) -exec bash -c "cd '{}' && terraform plan {{.CLI_ARGS}}" \;
apply:
desc: Apply the terraform changes
dir: terraform
interactive: true
cmds:
- find . -maxdepth 1 -type d \( ! -name . \) -exec bash -c "cd '{}' && terraform apply {{.CLI_ARGS}}" \;

@@ -1,72 +0,0 @@
---
version: '3'
env:
ANSIBLE_CONFIG: "{{.PROJECT_DIR}}/server/ansible/ansible.cfg"
vars:
ANSIBLE_PLAYBOOK_DIR: "{{.ANSIBLE_DIR}}/playbooks"
ANSIBLE_INVENTORY_DIR: "{{.ANSIBLE_DIR}}/inventory"
ANSIBLE_MASTER_GROUP: "master-nodes"
ANSIBLE_WORKER_GROUP: "worker-nodes"
tasks:
list:
desc: List all the k8s nodes
cmds:
- "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --list-hosts"
silent: true
ping:
desc: Ping all the k8s nodes
cmds:
- "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -m 'ping'"
silent: true
uptime:
desc: Uptime of all the k8s nodes
cmds:
- "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -a 'uptime -p'"
silent: true
clean-images:
desc: Clean up stale container images
cmds:
- "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -a 'k3s crictl rmi --prune' --become"
silent: true
purge-manifests:
desc: Delete all manifests under /var/lib/rancher/k3s/server/manifests
cmds:
- "ansible {{.ANSIBLE_MASTER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -a 'rm /var/lib/rancher/k3s/server/manifests/*' --become"
playbook:ubuntu-prepare:
desc: Prepare all the k8s nodes for running k3s
cmds:
- "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/ubuntu/prepare.yml"
silent: true
playbook:ubuntu-upgrade:
desc: Upgrade all the k8s nodes operating system
cmds:
- "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/ubuntu/upgrade.yml"
silent: true
playbook:ubuntu-reboot:
desc: Reboot all the k8s nodes
cmds:
- "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml -m reboot"
silent: true
playbook:k3s-install:
desc: Install k3s on the nodes
cmds:
- "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/k3s/install.yml"
silent: true
playbook:k3s-upgrade:
desc: Install k3s on the nodes
cmds:
- "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/k3s/upgrade.yml"
silent: true

@@ -1,20 +0,0 @@
---
version: '3'
tasks:
enable:
desc: Enable adblocking in blocky
cmds:
- "{{.PROJECT_DIR}}/hack/blocky.sh enable"
preconditions:
- "test -f {{.PROJECT_DIR}}/hack/blocky.sh"
silent: true
disable:
desc: Disable adblocking in blocky
cmds:
- "{{.PROJECT_DIR}}/hack/blocky.sh disable"
preconditions:
- "test -f {{.PROJECT_DIR}}/hack/blocky.sh"
silent: true

@@ -1,10 +0,0 @@
---
version: '3'
tasks:
sync:
desc: Sync flux-system with the Git Repository
cmds:
- flux reconcile source git flux-system
silent: true

@@ -1,26 +1,10 @@
---
version: '3'
vars:
PROJECT_DIR:
sh: "git rev-parse --show-toplevel"
CLUSTER_DIR: "{{.PROJECT_DIR}}/cluster"
ANSIBLE_DIR: "{{.PROJECT_DIR}}/server/ansible"
env:
KUBECONFIG: "{{.PROJECT_DIR}}/kubeconfig"
version: "3"
includes:
ansible: .taskfiles/ansible.yml
blocky: .taskfiles/blocky.yml
flux: .taskfiles/flux.yml
tasks:
kubeconfig:
desc: Remotely fetch kubeconfig from k3s
cmds:
- rsync --verbose --progress --partial --rsync-path="sudo rsync" ubuntu@10.75.40.10:/etc/rancher/k3s/k3s.yaml ./kubeconfig
- sed -i '' 's/127.0.0.1/10.75.45.5/g' ./kubeconfig
- chmod go-r kubeconfig
silent: true
ansible: .taskfiles/AnsibleTasks.yml
cluster: .taskfiles/ClusterTasks.yml
debug: .taskfiles/DebugTasks.yml
precommit: .taskfiles/PreCommitTasks.yml
restore: .taskfiles/RestoreTasks.yml
terraform: .taskfiles/TerraformTasks.yml
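Review bot: `includes:` lists `ansible`, `cluster`, `debug`, `precommit`, `restore` and `terraform` but not the `.taskfiles/RookTasks.yml` file this commit also adds, so `task rook:toolbox` and `rook:password` are unreachable; add `rook: .taskfiles/RookTasks.yml`. The rewrite also drops the `env: KUBECONFIG: "{{.PROJECT_DIR}}/kubeconfig"` setting, so the kubectl and flux tasks in `ClusterTasks.yml`, `DebugTasks.yml` and `RestoreTasks.yml` now run against whatever kubeconfig is active in the caller's shell; if that is intended, a comment in the Taskfile saying so would make it harder to run a restore or `hr-restart` against the wrong cluster by accident.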

@@ -1,5 +1,4 @@
---
#
# Below vars are for the xanmanning.k3s role
# ...see https://github.com/PyratLabs/ansible-role-k3s#globalcluster-variables
@@ -24,13 +23,13 @@ k3s_registration_address: 10.75.45.5
k3s_registration_domain: k8s-api.dfw.56k.sh
k3s_server_manifests_templates:
- "calico/calico-installation.yaml.j2"
- "calico/calico-bgpconfiguration.yaml.j2"
- "calico/calico-bgppeer.yaml.j2"
- "kube-vip/kube-vip-rbac.yaml.j2"
- "kube-vip/kube-vip-daemonset.yaml.j2"
- "calico/calico-installation.yaml.j2"
- "calico/calico-bgpconfiguration.yaml.j2"
- "calico/calico-bgppeer.yaml.j2"
- "kube-vip/kube-vip-rbac.yaml.j2"
- "kube-vip/kube-vip-daemonset.yaml.j2"
# Custom manifest URLs
k3s_server_manifests_urls:
- url: https://docs.projectcalico.org/archive/v3.19/manifests/tigera-operator.yaml
filename: tigera-operator.yaml
- url: https://docs.projectcalico.org/archive/v3.19/manifests/tigera-operator.yaml
filename: tigera-operator.yaml

@@ -1,5 +1,4 @@
---
# Enable to skip apt upgrade
skip_upgrade_packages: false
# Enable to skip removing crufty packages
@@ -11,12 +10,11 @@ timezone: "America/Chicago"
# Set custom ntp servers
ntp_servers:
primary:
- "gw.dfw.56k.sh"
- "gw.dfw.56k.sh"
fallback:
- "0.us.pool.ntp.org"
- "1.us.pool.ntp.org"
- "2.us.pool.ntp.org"
- "3.us.pool.ntp.org"
- "0.us.pool.ntp.org"
- "1.us.pool.ntp.org"
- "2.us.pool.ntp.org"
- "3.us.pool.ntp.org"
# Additional ssh public keys to add to the nodes
#ssh_authorized_keys:
# ssh_authorized_keys:

@@ -6,4 +6,4 @@ nvidia_driver:
nvidia_patch:
version: "d5d564b888aaef99fdd45e23f2fc3eae8e337a39"
checksum: "sha256:d80928c381d141734c13463d69bfaecff77ac66ee6f9036b2f0348b8602989d8"
checksum: "sha256:d80928c381d141734c13463d69bfaecff77ac66ee6f9036b2f0348b8602989d8"

@@ -1,5 +1,4 @@
---
# https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/
# https://github.com/PyratLabs/ansible-role-k3s#server-control-plane-configuration
@@ -10,16 +9,16 @@ k3s_control_node: true
k3s_server:
node-ip: "{{ ansible_host }}"
tls-san:
- "{{ k3s_registration_domain }}"
- "{{ k3s_registration_address }}"
- "{{ k3s_registration_domain }}"
- "{{ k3s_registration_address }}"
docker: false
flannel-backend: 'none' # This needs to be in quotes
flannel-backend: "none" # This needs to be in quotes
disable:
- flannel
- traefik
- servicelb
- metrics-server
- local-storage
- flannel
- traefik
- servicelb
- metrics-server
- local-storage
disable-network-policy: true
disable-cloud-controller: true
write-kubeconfig-mode: "644"
@@ -28,14 +27,14 @@ k3s_server:
# Network CIDR to use for service IPs
service-cidr: "172.24.0.0/16"
kubelet-arg:
- "feature-gates=GracefulNodeShutdown=true"
- "feature-gates=GracefulNodeShutdown=true"
# Required to use kube-prometheus-stack
kube-controller-manager-arg:
- "address=0.0.0.0"
- "bind-address=0.0.0.0"
- "address=0.0.0.0"
- "bind-address=0.0.0.0"
kube-proxy-arg:
- "metrics-bind-address=0.0.0.0"
- "metrics-bind-address=0.0.0.0"
kube-scheduler-arg:
- "address=0.0.0.0"
- "bind-address=0.0.0.0"
- "address=0.0.0.0"
- "bind-address=0.0.0.0"
etcd-expose-metrics: true

@@ -1,5 +1,4 @@
---
# https://rancher.com/docs/k3s/latest/en/installation/install-options/agent-config/
# https://github.com/PyratLabs/ansible-role-k3s#agent-worker-configuration
@@ -10,4 +9,4 @@ k3s_control_node: false
k3s_agent:
node-ip: "{{ ansible_host }}"
kubelet-arg:
- "feature-gates=GracefulNodeShutdown=true"
- "feature-gates=GracefulNodeShutdown=true"

@@ -1,5 +1,4 @@
---
# IP address of node
ansible_host: "10.75.40.24"
@@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu"
rook_ceph:
enabled: false
devices:
- /dev/nvme0n1
- /dev/nvme0n1

@@ -1,5 +1,4 @@
---
# IP address of node
ansible_host: "10.75.40.20"
@@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu"
rook_ceph:
enabled: false
devices:
- /dev/nvme0n1
- /dev/nvme0n1

@@ -1,5 +1,4 @@
---
# IP address of node
ansible_host: "10.75.40.21"
@@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu"
rook_ceph:
enabled: false
devices:
- /dev/nvme0n1
- /dev/nvme0n1

@@ -1,5 +1,4 @@
---
# IP address of node
ansible_host: "10.75.40.22"
@@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu"
rook_ceph:
enabled: false
devices:
- /dev/nvme0n1
- /dev/nvme0n1

@@ -1,5 +1,4 @@
---
# IP address of node
ansible_host: "10.75.40.23"
@@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu"
rook_ceph:
enabled: false
devices:
- /dev/nvme0n1
- /dev/nvme0n1

@@ -0,0 +1,26 @@
---
- hosts:
- master-nodes
- worker-nodes
- gpu-nodes
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 5 seconds...
pause:
seconds: 5
roles:
- k3s
- hosts:
- gpu-nodes
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 5 seconds...
pause:
seconds: 5
roles:
- nvidia

@@ -0,0 +1,33 @@
---
- hosts:
- master-nodes
- worker-nodes
- gpu-nodes
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 5 seconds...
pause:
seconds: 5
tasks:
- name: kill k3s
ansible.builtin.command: /usr/local/bin/k3s-killall.sh
- name: uninstall k3s
ansible.builtin.command:
cmd: /usr/local/bin/k3s-uninstall.sh
removes: /usr/local/bin/k3s-uninstall.sh
- name: uninstall k3s agent
ansible.builtin.command:
cmd: /usr/local/bin/k3s-agent-uninstall.sh
removes: /usr/local/bin/k3s-agent-uninstall.sh
- name: gather list of CNI files to delete
find:
paths: /etc/cni/net.d
patterns: "*"
register: files_to_delete
- name: delete CNI files
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ files_to_delete.files }}"
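Review bot: The `kill k3s` task runs `/usr/local/bin/k3s-killall.sh` with no `removes:` guard while the two uninstall tasks that follow carry one, so on a host where k3s is already gone the play fails at the first task and, with `any_errors_fatal: true`, aborts for every host; add `removes: /usr/local/bin/k3s-killall.sh` for consistency. `find:` is the only module in the file not written with its fully qualified name (`ansible.builtin.find`), which the ansible-lint run enabled in `lint.yaml` will presumably flag. Given the play wipes k3s and the CNI configuration from every host in three groups, the five-second pause is a thin safeguard; a `vars_prompt` confirmation, or documenting that it is meant to be run with `--limit`, would make an accidental invocation less costly.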

@@ -0,0 +1,14 @@
---
- hosts:
- master-nodes
- worker-nodes
- gpu-nodes
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 5 seconds...
pause:
seconds: 5
roles:
- k3s

@@ -0,0 +1,14 @@
---
- hosts:
- master-nodes
- worker-nodes
- gpu-nodes
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 5 seconds...
pause:
seconds: 5
roles:
- ubuntu

@@ -0,0 +1,23 @@
---
- hosts:
- master-nodes
- worker-nodes
- gpu-nodes
become: true
gather_facts: true
any_errors_fatal: true
pre_tasks:
- name: Pausing for 5 seconds...
pause:
seconds: 5
tasks:
- name: upgrade
ansible.builtin.apt:
upgrade: full
update_cache: true
cache_valid_time: 3600
autoclean: true
autoremove: true
register: apt_upgrade
retries: 5
until: apt_upgrade is success

6
ansible/requirements.yml Normal file
@@ -0,0 +1,6 @@
---
roles:
- src: xanmanning.k3s
version: v2.11.1
collections:
- name: community.general
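Review bot: The `community.general` collection is listed without a `version`, so the `init` task in `AnsibleTasks.yml` (`ansible-galaxy collection install ... --force`) pulls whatever is current on every run, while the `xanmanning.k3s` role two lines above is pinned to `v2.11.1`; pin the collection as well, e.g. `version: "<pinned-version>"` (placeholder), so a run is reproducible and a breaking or tampered release cannot arrive silently.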

@@ -1,18 +1,17 @@
---
- include: addons.yml
tags:
- addons
- addons
- name: k3s | cluster configuration
include_role:
name: xanmanning.k3s
public: yes
public: true
- include: cleanup.yml
tags:
- cleanup
- cleanup
- include: kubeconfig.yml
tags:
- kubeconfig
- kubeconfig

@@ -0,0 +1,2 @@
blacklist nouveau
options nouveau modeset=0


@@ -50,4 +50,4 @@
{{ if $v.TLS.InsecureSkipVerify }}insecure_skip_verify = true{{end}}
{{end}}
{{end}}
{{end}}
{{end}}


@@ -1,5 +1,4 @@
---
- name: container-runtime | add apt key
ansible.builtin.apt_key:
url: https://nvidia.github.io/nvidia-container-runtime/gpgkey
@@ -10,13 +9,13 @@
repo: "{{ item }}"
state: present
mode: 0644
update_cache: yes
update_cache: true
filename: nvidia-container-runtime
with_items:
- "deb https://nvidia.github.io/libnvidia-container/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /"
- "deb https://nvidia.github.io/nvidia-container-runtime/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /"
- "deb https://nvidia.github.io/libnvidia-container/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /"
- "deb https://nvidia.github.io/nvidia-container-runtime/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /"
- name: container-runtime | install nvidia-container-runtime
ansible.builtin.apt:
name: "nvidia-container-runtime"
state: present
state: present
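Review bot: `ansible.builtin.apt_key` with only a `url:` imports the NVIDIA signing key into the global trusted keyring without checking which key was fetched, so it becomes a valid signer for every repository on the host, not just the two `deb` lines added below; at minimum add `id: "<KEY-FINGERPRINT>"` so the module can confirm the key it ends up with is the expected one, and preferably drop the key under `/etc/apt/keyrings/` and reference it with `[signed-by=...]` in the two repo strings, since `apt-key` itself is deprecated on current Ubuntu. `mode: 0644` is also left as an unquoted octal literal while the same commit quotes `mode: "0755"` in driver.yml; quote it here for consistency. `with_items:` here and in driver.yml contrasts with the `loop:` used in kernel.yml; since the commit is already normalising style, pick one. The apt_key task starts in the first hunk and its remaining parameters are outside the visible lines.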


@@ -1,5 +1,4 @@
---
- name: driver | blacklist nouveau driver
ansible.builtin.copy:
src: files/blacklist-nouveau.conf
@@ -19,15 +18,15 @@
name: "{{ item }}"
state: present
with_items:
- "dkms"
- "build-essential"
- "dkms"
- "build-essential"
- name: driver | download nvidia driver
ansible.builtin.get_url:
url: https://international.download.nvidia.com/XFree86/Linux-x86_64/{{ nvidia_driver.version }}/NVIDIA-Linux-x86_64-{{ nvidia_driver.version }}.run
dest: /tmp/NVIDIA-Linux-x86_64-{{ nvidia_driver.version }}.run
checksum: "{{ nvidia_driver.checksum }}"
mode: '0755'
mode: "0755"
- name: driver | install nvidia driver
ansible.builtin.command:


@@ -7,11 +7,11 @@
- include: patch.yml
tags:
- patch
- include: container-runtime.yml
tags:
- container-runtime
- include: k3s-agent.yml
tags:
- k3s-agent
- k3s-agent


@@ -0,0 +1,46 @@
---
packages:
apt_install:
- apt-transport-https
- arptables
- ca-certificates
- curl
- ebtables
- gdisk
- hdparm
- htop
- iputils-ping
- ipvsadm
- net-tools
- nfs-common
- nano
- ntpdate
- open-iscsi
- psmisc
- socat
- software-properties-common
- unattended-upgrades
- unzip
apt_remove:
- apport
- bcache-tools
- btrfs-progs
- byobu
- cloud-init
- cloud-guest-utils
- cloud-initramfs-copymods
- cloud-initramfs-dyn-netconf
- friendly-recovery
- fwupd
- landscape-common
- lxd-agent-loader
- ntfs-3g
- open-vm-tools
- plymouth
- plymouth-theme-ubuntu-text
- popularity-contest
- snapd
- sosreport
- tmux
- ubuntu-advantage-tools
- ufw
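Review bot: `apt_remove` deletes `ufw`, the host firewall, and the list gives no reason; if this is the deliberate choice for k3s nodes, say so in a comment such as `- ufw  # removed on purpose: host firewall rules conflict with k3s/CNI` so nobody re-adds it or, worse, assumes a host firewall is in place. `apt_install` also pulls in `ntpdate`, a deprecated one-shot client, while the locale tasks further down in this commit configure systemd-timesyncd; running both invites clock fights, so drop `ntpdate` unless something specific needs it. `unattended-upgrades` is installed but nothing in this file configures it, which is fine only if another task in the role does.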


@@ -1,5 +1,4 @@
---
- name: boot | grub | check for existence of grub
ansible.builtin.stat:
path: /etc/default/grub
@@ -14,7 +13,7 @@
option: apparmor
value: 0
when:
- grub_result.stat.exists
- grub_result.stat.exists
notify: reboot
- name: boot | grub | set mitigations=off
@@ -26,7 +25,7 @@
option: mitigations
value: "off"
when:
- grub_result.stat.exists
- grub_result.stat.exists
notify: reboot
- name: boot | grub | set pti=off
@@ -38,10 +37,10 @@
option: pti
value: "off"
when:
- grub_result.stat.exists
- grub_result.stat.exists
notify: reboot
- name: boot | grub | run grub-mkconfig
ansible.builtin.command: grub-mkconfig -o /boot/grub/grub.cfg
when:
- grub_result.stat.exists
- grub_result.stat.exists
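Review bot: The three grub options written here — `apparmor=0`, `mitigations=off` and `pti=off` — switch off AppArmor confinement and the CPU speculative-execution mitigations on every node, and the visible hunks carry them over without a comment on why; each task should state the trade-off above its `name:`, e.g. `# performance over side-channel hardening; revisit if the nodes ever run untrusted workloads`, so the choice is visible to anyone auditing the hosts. Separately, `grub-mkconfig` runs on every play whenever grub exists rather than only when one of the preceding `ini_file` tasks changed something; register those results and add their `is changed` tests to the `when:` of the grub-mkconfig task, or make it a handler like the existing `notify: reboot`, to keep the play idempotent. The `ini_file` tasks begin outside the visible hunks.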


@@ -1,7 +1,6 @@
---
- name: host | hostname | update inventory hostname
ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
when:
- ansible_hostname != inventory_hostname
- ansible_hostname != inventory_hostname


@@ -1,13 +1,12 @@
---
- name: kernel | modules | enable at runtime
community.general.modprobe:
name: "{{ item }}"
state: present
loop:
- br_netfilter
- overlay
- rbd
- br_netfilter
- overlay
- rbd
- name: kernel | modules | enable on boot
ansible.builtin.copy:
@@ -15,6 +14,6 @@
content: "{{ item }}"
dest: "/etc/modules-load.d/{{ item }}.conf"
loop:
- br_netfilter
- overlay
- rbd
- br_netfilter
- overlay
- rbd
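Review bot: The module list `br_netfilter`, `overlay`, `rbd` is written out twice, once for the runtime modprobe loop and once for the modules-load.d loop, so a module added to one task can silently be missed by the other. Define it once, e.g. `kernel_modules: [br_netfilter, overlay, rbd]` in the role defaults, and loop both tasks over `"{{ kernel_modules }}"`. The on-boot copy task's remaining parameters are outside the hunk.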


@@ -1,5 +1,4 @@
---
- name: locale | set timezone
community.general.timezone:
name: "{{ timezone | default('America/Chicago') }}"
@@ -13,12 +12,12 @@
FallbackNTP={{ ntp_servers.fallback | join(" ") }}
dest: /etc/systemd/timesyncd.conf
when:
- ntp_servers.primary is defined
- ntp_servers.primary is iterable
- ntp_servers.primary | length > 0
- ntp_servers.fallback is defined
- ntp_servers.fallback is iterable
- ntp_servers.fallback | length > 0
- ntp_servers.primary is defined
- ntp_servers.primary is iterable
- ntp_servers.primary | length > 0
- ntp_servers.fallback is defined
- ntp_servers.fallback is iterable
- ntp_servers.fallback | length > 0
- name: locale | start systemd service
ansible.builtin.systemd:
@@ -42,4 +41,4 @@
- name: locale | enable ntp
ansible.builtin.command: /usr/bin/timedatectl set-ntp true
when:
- "'NTP=no' in timedatectl_result.stdout"
- "'NTP=no' in timedatectl_result.stdout"
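Review bot: The timezone fallback `'America/Chicago'` is hard-coded inline through `default()` in the task; a role default (`timezone: "America/Chicago"` in defaults/main.yml) is the usual place and lets inventory override it without reading the task file. The final task's `'NTP=no' in timedatectl_result.stdout` test ties it to the exact output format of whichever `timedatectl` subcommand registered `timedatectl_result`; that task is outside the hunk, and a comment above this one naming the subcommand would make the check easier to verify.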
