From 9b09e6bd863c6a7b538b411ef4e1e9f4cbd7c00b Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Thu, 9 Oct 2025 17:27:42 +0200
Subject: [PATCH] fixes and set preferred_ip since new interface eth0
---
 .../inventory/group_vars/gitea/gitea.yml | 3 +-
 ansible/arcodange/factory/inventory/hosts.yml | 3 ++
 .../arcodange/factory/playbooks/01_system.yml | 23 ++++++++--
 .../arcodange/factory/playbooks/03_cicd.yml | 2 +-
 .../factory/playbooks/backup/gitea.yml | 1 +
 .../factory/playbooks/backup/postgres.yml | 1 +
 .../factory/playbooks/setup/backup_nfs.yml | 44 ++++++++++++-------
 .../playbooks/tools/hashicorp_vault.yml | 10 ++---
 .../hashicorp_vault/tasks/gitea_oidc_auth.yml | 4 +-
 9 files changed, 62 insertions(+), 29 deletions(-)
diff --git a/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml b/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml
index 24341e0..f4f350e 100644
--- a/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml
+++ b/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml
@@ -34,7 +34,8 @@ gitea:
 GITEA__mailer__SMTP_PORT: 465
 GITEA__mailer__PASSWD: '{{ gitea_vault.GITEA__mailer__PASSWD }}'
 GITEA__server__SSH_PORT: 2222
- GITEA__server__SSH_DOMAIN: "{{ lookup('dig', groups.gitea[0]) }}"
+ GITEA__server__SSH_DOMAIN: "{{ hostvars[groups.gitea[0]]['preferred_ip'] }}"
+ # GITEA__server__SSH_DOMAIN: "{{ lookup('dig', groups.gitea[0]) }}" # might work again if deactivate rpi wifi
 GITEA__server__SSH_LISTEN_PORT: 22
 GITEA_server__DOMAIN: localhost
 GITEA_server__HTTP_PORT: 3000
diff --git a/ansible/arcodange/factory/inventory/hosts.yml b/ansible/arcodange/factory/inventory/hosts.yml
index 9bbcf04..97bec53 100644
--- a/ansible/arcodange/factory/inventory/hosts.yml
+++ b/ansible/arcodange/factory/inventory/hosts.yml
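Review bot: The old `lookup('dig', ...)` line is kept as a commented-out duplicate under the new `GITEA__server__SSH_DOMAIN`, with the rationale tucked into a trailing comment; that is dead configuration the VCS history already preserves, and the same pattern is repeated in the Traefik `loadBalancer` hunk of 01_system.yml. Keep only the rationale, above the live key, e.g. `# SSH_DOMAIN is pinned to the inventory's preferred_ip because DNS for the Pi may resolve to its wifi address; see hosts.yml`, and drop the commented line. Gitea uses SSH_DOMAIN in the clone URLs it displays, so any later change to `preferred_ip` in hosts.yml changes every advertised SSH remote and the matching known_hosts entries; a note pointing at that coupling is worth having next to the value.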
@@ -2,12 +2,15 @@ raspberries:
 hosts:
 pi1:
 ansible_host: pi1.home # setup http://192.168.1.1/ Réseau/DNS
+ preferred_ip: 192.168.1.201
 ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
 pi2:
 ansible_host: pi2.home
+ preferred_ip: 192.168.1.202
 ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
 pi3:
 ansible_host: pi3.home
+ preferred_ip: 192.168.1.203
 ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
 internetPi1:
diff --git a/ansible/arcodange/factory/playbooks/01_system.yml b/ansible/arcodange/factory/playbooks/01_system.yml
index 4621362..a0cc285 100644
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -118,12 +118,12 @@
 run_once: true
 - name: k3s
- tags: never
+ tags: never,k3s
 ansible.builtin.import_playbook: k3s.orchestration.site
 # ansible.builtin.import_playbook: k3s.orchestration.upgrade
 # ansible.builtin.import_playbook: k3s.orchestration.reset
 vars:
- k3s_version: v1.32.7+k3s1
+ k3s_version: v1.34.1+k3s1
 extra_server_args: "--docker --disable traefik"
 extra_agent_args: "--docker"
 api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
@@ -217,8 +217,23 @@
 gitea:
 loadBalancer:
 servers:
- - url: "http://{{ lookup('dig', groups.gitea[0]) }}:3000"
+ - url: "http://{{ hostvars[groups.gitea[0]]['preferred_ip'] }}:3000"
+ # - url: "http://{{ lookup('dig', groups.gitea[0]) }}:3000" # might work again if deactivate rpi wifi
 routers:
+ dashboard:
+ rule: Host(`traefik.arcodange.duckdns.org`)
+ service: api@internal
+ middlewares:
+ - localIp
+ tls:
+ certResolver: letsencrypt
+ domains:
+ - main: "arcodange.duckdns.org"
+ sans:
+ - "traefik.arcodange.duckdns.org"
+ entryPoints:
+ - websecure
+ - web
 acme-challenge:
 rule: Host(`arcodange.duckdns.org`) && PathPrefix(`/.well-known/acme-challenge`)
 service: acme-http@internal
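Review bot: `preferred_ip` is introduced as a bare inventory variable with no comment on what guarantees it, while two other files in this commit now build Gitea's SSH domain and the Traefik upstream URL from it. Presumably (per the commit subject) it is each Pi's static eth0 address; document that and its source so drift is caught, e.g. `preferred_ip: 192.168.1.201  # static eth0 address; must match the router's DHCP reservation`, or a single comment on the `raspberries` group. If facts are gathered before the value is needed, deriving it from `ansible_eth0.ipv4.address` would avoid hand-maintaining three copies, but that is a judgement call for the inventory owner.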
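Review bot: `k3s_version` jumps from v1.32.7+k3s1 to v1.34.1+k3s1, skipping the 1.33 minor; Kubernetes' version-skew policy only supports in-place control-plane upgrades one minor version at a time, so if this is applied to the existing cluster rather than a fresh install it should step through a v1.33 release first (the `k3s.orchestration.upgrade` import is still commented out, so it is not clear which path is intended). Minor style point on the tag line: `tags: never,k3s` works, but the list form `tags: [never, k3s]` is the documented shape and avoids a string some linters read as a single tag. The play this belongs to starts before the hunk.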
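Review bot: The new `dashboard` router exposes `api@internal` on both the `websecure` and `web` entry points, so unless a global HTTP→HTTPS redirect exists elsewhere in this file the Traefik dashboard/API is reachable over plain HTTP as well, gated only by the `localIp` middleware, which is referenced here but not defined in this hunk. Drop `- web` from `entryPoints` so the dashboard is only served over TLS, and confirm `localIp` is an IP allow-list, since the router has no other authentication. An IP allow-list is only as good as the preserved client IP; the `externalTrafficPolicy: Local` and control-plane `nodeSelector` in the following hunk are what make that hold, so a comment tying the three together would help the next reader.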
@@ -266,7 +281,7 @@
 # default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
 # current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
 nodeSelector:
- node-role.kubernetes.io/master: 'true' # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
+ node-role.kubernetes.io/control-plane: 'true' # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
 service:
 spec:
 externalTrafficPolicy: Local
diff --git a/ansible/arcodange/factory/playbooks/03_cicd.yml b/ansible/arcodange/factory/playbooks/03_cicd.yml
index bef6ba7..24f37d3 100644
--- a/ansible/arcodange/factory/playbooks/03_cicd.yml
+++ b/ansible/arcodange/factory/playbooks/03_cicd.yml
@@ -203,7 +203,7 @@
 gitea_token_replace: true
 - name: Figure out k3s master node
 shell:
- kubectl get nodes -l node-role.kubernetes.io/master=true -o name | sed s'#node/##'
+ kubectl get nodes -l node-role.kubernetes.io/control-plane=true -o name | sed s'#node/##'
 register: get_k3s_master_node
 changed_when: false
 - name: Get kubernetes server internal url
diff --git a/ansible/arcodange/factory/playbooks/backup/gitea.yml b/ansible/arcodange/factory/playbooks/backup/gitea.yml
index c3f5432..ab5be62 100644
--- a/ansible/arcodange/factory/playbooks/backup/gitea.yml
+++ b/ansible/arcodange/factory/playbooks/backup/gitea.yml
@@ -35,6 +35,7 @@
 content: |
 #!/bin/bash
 set -e
+ mkdir -p {{ backup_dir }}
 {{ backup_cmd }} > {{ backup_dir }}/backup_$(date +\%Y\%m\%d).gitea.gz
 find {{ backup_dir }} -type f -name 'backup_*.gitea.gz' -mtime +{{ keep_days }} -delete
diff --git a/ansible/arcodange/factory/playbooks/backup/postgres.yml b/ansible/arcodange/factory/playbooks/backup/postgres.yml
index 05cd8c3..d31daa1 100644
--- a/ansible/arcodange/factory/playbooks/backup/postgres.yml
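Review bot: The `shell` pipeline `kubectl get nodes ... | sed ...` now filters on `node-role.kubernetes.io/control-plane=true`, but without `pipefail` a failing `kubectl` (or a label that matches no node) leaves `get_k3s_master_node.stdout` empty while the task still succeeds, so the error surfaces later in whichever task consumes the name. Add `failed_when: get_k3s_master_node.stdout | trim == ''` to the task, or run it with `args: {executable: /bin/bash}` and a leading `set -o pipefail`, so an empty result fails here. The task name still says "master node"; renaming it to match the label keeps it consistent with the same label change in 01_system.yml.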
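Review bot: The new `mkdir -p {{ backup_dir }}` interpolates the path unquoted into the generated bash script, as the two existing lines already do; a `backup_dir` containing a space or a shell metacharacter would be word-split or interpreted. Quote it, `mkdir -p "{{ backup_dir }}"`, and ideally the other uses on the following lines; the same applies to the `mkdir -p` added to backup/postgres.yml. Since the directory holds dumps of the forge's data, consider not relying on the host's umask for its permissions: `mkdir -p -m 0700 "{{ backup_dir }}"` covers the leaf directory, and a `umask 077` after `set -e` also covers the dump files themselves.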
+++ b/ansible/arcodange/factory/playbooks/backup/postgres.yml
@@ -33,6 +33,7 @@
 content: |
 #!/bin/bash
 set -e
+ mkdir -p {{ backup_dir }}
 {{ backup_cmd }} | gzip > {{ backup_dir }}/backup_$(date +\%Y\%m\%d).sql.gz
 find {{ backup_dir }} -type f -name 'backup_*.sql.gz' -mtime +{{ keep_days }} -delete
diff --git a/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml b/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml
index 5c27684..3657318 100644
--- a/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml
+++ b/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml
@@ -37,6 +37,9 @@
 namespace: "{{ namespace_longhorn }}"
 name: "{{ backup_volume_name }}"
 register: pvc_info
+ retries: 3
+ delay: 3
+ until: pvc_info.resources is defined
 - name: Extraire le nom du volume
 set_fact:
@@ -75,29 +78,37 @@
 path: "/metadata/labels/recurring-job.longhorn.io~1{{ recurring_job }}"
 value: "enabled"
- - name: Lancer un pod temporaire pour déclencher NFS
+ - name: Lancer un Deployment pour déclencher NFS
 tags: never
 kubernetes.core.k8s:
 state: present
 definition:
- apiVersion: v1
- kind: Pod
+ apiVersion: apps/v1
+ kind: Deployment
 metadata:
 name: rwx-nfs
 namespace: "{{ namespace_longhorn }}"
 spec:
- containers:
- - name: busybox
- image: busybox
- command: ["sleep", "infinity"]
- # command: ["sh", "-c", "sleep 600"]
- volumeMounts:
- - mountPath: "/mnt/backups"
- name: backup-vol
- volumes:
- - name: backup-vol
- persistentVolumeClaim:
- claimName: "{{ backup_volume_name }}"
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rwx-nfs
+ template:
+ metadata:
+ labels:
+ app: rwx-nfs
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ command: ["sleep", "infinity"]
+ volumeMounts:
+ - mountPath: "/mnt/backups"
+ name: backup-vol
+ volumes:
+ - name: backup-vol
+ persistentVolumeClaim:
+ claimName: "{{ backup_volume_name }}"
 - name: Attendre que le pod rwx-nfs soit Running
 tags: never
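Review bot: `set -e` on the line above the new `mkdir -p` does not catch a failure of `{{ backup_cmd }}` in the pipeline `{{ backup_cmd }} | gzip > ...`, because the pipeline's exit status is gzip's; a failed dump therefore still writes a near-empty `backup_<date>.sql.gz`, the script continues, and the `find ... -delete` that follows prunes older, good backups as if the run had succeeded. Change the first line to `set -eo pipefail` (the script is `#!/bin/bash`, so `pipefail` is available) so the script stops before the deletion step when the dump fails. The `content: |` block this belongs to starts before the hunk.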
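Review bot: `until: pvc_info.resources is defined` is satisfied on the first attempt even when the PVC does not exist, because, as far as I can tell, `kubernetes.core.k8s_info` returns `resources` as an empty list rather than omitting the key, so the new `retries`/`delay` never wait for anything. Test the content instead: `until: pvc_info.resources | length > 0`. The task this belongs to starts before the hunk.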
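Review bot: Replacing the standalone `Pod` with a `Deployment` of the same name does not remove a `rwx-nfs` Pod created by the previous version of this task; if the cluster was provisioned with the old playbook, that pod keeps the RWX claim mounted, carries no `app: rwx-nfs` label, and is ignored by the label-selector wait later in this file. A one-off cleanup task before this one (below) closes that gap. While touching the pod spec: `image: busybox` is an unpinned mutable tag, and a helper whose only job is to trigger the NFS mount (per the task name) does not need write access to the backup volume, so pin the tag, set `readOnly: true` on the `volumeMounts` entry if nothing writes through this pod, and consider a `securityContext` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, since this is a long-lived `sleep infinity` pod with the backup data mounted.
```yaml
- name: Remove the legacy standalone rwx-nfs Pod
  tags: never
  kubernetes.core.k8s:
    state: absent
    api_version: v1
    kind: Pod
    name: rwx-nfs
    namespace: "{{ namespace_longhorn }}"

# … unchanged: "Lancer un Deployment pour déclencher NFS" task …
```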
@@ -105,7 +116,8 @@
 api_version: v1
 kind: Pod
 namespace: "{{ namespace_longhorn }}"
- name: rwx-nfs
+ label_selectors:
+ - app = rwx-nfs
 register: pod_info
 until: pod_info.resources[0].status.phase == "Running"
 retries: 30
diff --git a/ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml b/ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml
index ae8eb89..c53634a 100644
--- a/ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml
+++ b/ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml
@@ -35,12 +35,12 @@
 password: '{{ pg_conf.POSTGRES_PASSWORD }}'
 gitea_admin_token: '{{ vault_GITEA_ADMIN_TOKEN }}'
- - name: share VAULT CA
- block:
+ # - name: share VAULT CA
+ # block:
- - name: read traefik CA
- include_role:
- name: arcodange.factory.traefik_certs
+ # - name: read traefik CA
+ # include_role:
+ # name: arcodange.factory.traefik_certs
 post_tasks:
 - include_role:
diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index 28c0a8a..f2309be 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -15,8 +15,8 @@
 - include_role:
 name: arcodange.factory.playwright
-- include_role:
- name: arcodange.factory.traefik_certs
+# - include_role:
+# name: arcodange.factory.traefik_certs
 - set_fact:
 gitea_app: '{{ playwright_job.stdout | from_json }}'
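Review bot: With the switch from `name: rwx-nfs` to a label selector, `until: pod_info.resources[0].status.phase == "Running"` indexes an empty list whenever no pod matches yet (for example right after the Deployment is created), and in my experience an error while evaluating `until` fails the task rather than retrying; during a rollout `resources[0]` may also be the terminating old pod rather than the new one. Guard the list and look for any running pod: `until: pod_info.resources | length > 0 and pod_info.resources | selectattr('status.phase', 'equalto', 'Running') | list | length > 0`. Also prefer the canonical selector spelling `app=rwx-nfs`; the spaced `app = rwx-nfs` is easy to misread as a YAML mapping. The task starts before the hunk.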
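Review bot: The "share VAULT CA" block and the `arcodange.factory.traefik_certs` include are commented out rather than removed, with no note on why or on what now supplies the CA trust those steps presumably provided; the same is done in roles/hashicorp_vault/tasks/gitea_oidc_auth.yml. If the Traefik-issued certificates are no longer needed (for instance because the Let's Encrypt resolver configured in 01_system.yml now covers the host), delete the dead block and say so in the commit message. If the role is only temporarily disabled, a one-line comment such as `# traefik_certs disabled on <date>: <reason>; the Vault↔Gitea OIDC flow must still validate TLS against a trusted CA rather than run with verification off` keeps the next reader from reaching for an insecure workaround. The play's task list starts before the hunk.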