
fc9164f11e Update README with detailed playbook execution sequence
This commit updates the README to include a detailed timeline of the playbook execution sequence, organized into sections for system setup, application setup, CI/CD, tools, and backups.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-08 11:04:11 +02:00
c751b621ba Enable PostgreSQL backup in backup playbook
This commit uncomments the PostgreSQL backup section in the backup playbook to enable regular backups of the PostgreSQL database.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-08 11:04:07 +02:00
07a619b274 Fix step-issuer ARM64 compatibility on pi3
The default kube-rbac-proxy image (gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0) is AMD64-only and fails on pi3 (ARM64). This commit overrides the image to use quay.io/brancz/kube-rbac-proxy:v0.15.0, which supports ARM64.

Note: pi2 (ARMv7) may work with AMD64 images, but pi3 (ARM64) requires an ARM64-compatible image.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-08 11:04:03 +02:00
9931f81998 Update Docker storage configuration and revoke token task 2026-04-07 19:19:03 +02:00
437fd506ed Fix Vault Gitea OIDC setup: remove trailing slash from bound_issuer and pass CA certificate 2026-04-07 19:17:47 +02:00
6 changed files with 133 additions and 51 deletions


@@ -10,41 +10,68 @@ kubectl create secret generic traefik-duckdns-token --from-literal="DUCKDNS_TOKE
```mermaid ```mermaid
%%{init: { 'logLevel': 'debug', 'theme': 'dark' } }%% %%{init: { 'logLevel': 'debug', 'theme': 'dark' } }%%
timeline timeline
title ordre des playbook title Playbook Execution Sequence
section Setup DNS, OS, ... section 01_system
configuration manuelle rpi
: installer OS, réserver IP statique, configurer SSH,VNC : set hostname
: formater et créer des partitions avec gparted dns
section Docker & K3S : install pi-hole
system ssl
: install Docker : step-ca
: install K3S working with docker : fetch root certificate
: configure Traefik : build docker image with CA
prepare_disks
section Volume, NFS : list partitions
setup hard_disk : format disk
: monter les partitions : mount disk
: installer NFS system_docker
system : install docker
: déployer provisionner NFS : configure docker storage
: restart docker
section postgres longhorn
setup : deploy longhorn
: postgres k3s
section gitea : prepare inventory
setup : install k3s collection
: install socat
: deploy k3s cluster
: configure kubeconfig
: configure traefik
: configure cert-manager
section 02_setup
backup_nfs
: create RWX volume
: create recurring job
: deploy NFS
: mount NFS
postgres
: create database
: create user
gitea
: deploy gitea
: create admin user
: create organization
section 03_cicd
cicd : CI/CD
gitea_token
: generate token
deploy_docker_compose
: deploy gitea action
argocd
: generate token
: deploy argocd
section 04_tools
Hashicorp Vault
: gitea_token
: hashicorp_vault
Crowdsec
: crowdsec
section 05_backup
Gitea Backup
: gitea : gitea
section gitea action runner K3s PVC Backup
setup : k3s_pvc
: gitea action runner Postgres Backup
section argo cd : create backup script
argo_cd : create restore script
: argo cd
section hello world app
setup git repository
: terraform
setup CI
deploy
: dev : list exposed deployments with label and port as a landpage
: expose (as ngrock ? direct ? port ? )
``` ```


@@ -2,11 +2,11 @@
# - name: setup cron report # - name: setup cron report
# ansible.builtin.import_playbook: cron_report.yml # ansible.builtin.import_playbook: cron_report.yml
# - name: postgres - name: postgres
# ansible.builtin.import_playbook: postgres.yml ansible.builtin.import_playbook: postgres.yml
# vars: vars:
# backup_root_dir: "/mnt/backups" backup_root_dir: "/mnt/backups"
# backup_dirname: "postgres" backup_dirname: "postgres"
- name: gitea - name: gitea
ansible.builtin.import_playbook: gitea.yml ansible.builtin.import_playbook: gitea.yml


@@ -162,4 +162,11 @@
name: {{ jwk_secret_name }} name: {{ jwk_secret_name }}
namespace: {{ namespace }} namespace: {{ namespace }}
key: password key: password
# Override kube-rbac-proxy image to use ARM64-compatible version.
# Note: pi3 (ARM64) requires an ARM64-compatible image, while pi2 (ARMv7) may work with AMD64 images.
# The default image (gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0) is AMD64-only and fails on pi3.
kubeRBACproxy:
image:
repository: quay.io/brancz/kube-rbac-proxy
tag: v0.15.0
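Review bot: The second added comment line states that pi2 (ARMv7) "may work with AMD64 images", but a 32-bit ARM host cannot execute AMD64 binaries at all, so that sentence will mislead whoever next debugs the pi2 node; reword it to `# pi3 (ARM64) needs an arm64 manifest; if pi2 (ARMv7) also runs this chart, confirm the chosen image publishes arm/v7 as well.` Moving the image from gcr.io/kubebuilder to quay.io/brancz also changes which publisher the cluster trusts for the RBAC proxy, and the override pins only a mutable tag; pinning by digest (`sha256:<digest-placeholder>`) would make the override reproducible, provided the chart's `image` block accepts a digest — that depends on chart templates not shown here.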


@@ -40,11 +40,7 @@
register: docker_config_raw register: docker_config_raw
ignore_errors: yes ignore_errors: yes
changed_when: false changed_when: false
when: ansible.facts.stat.exists when: (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists
vars:
ansible_facts:
stat:
exists: "{{ (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists }}"
- name: Initialiser la variable de config Docker - name: Initialiser la variable de config Docker
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -66,6 +62,33 @@
} }
}, recursive=True) }} }, recursive=True) }}
- name: Ensure Docker storage directory exists on external disk
ansible.builtin.file:
path: /mnt/arcodange/docker
state: directory
mode: '0755'
owner: root
group: docker
when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
- name: Configure Docker to use external storage
ansible.builtin.set_fact:
docker_config: >
{{ docker_config | combine({
'data-root': '/mnt/arcodange/docker',
'storage-driver': 'overlay2'
}, recursive=True) }}
when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
- name: Ensure docker_config is a dictionary
ansible.builtin.set_fact:
docker_config: >
{% if docker_config is mapping %}
{{ docker_config }}
{% else %}
{}
{% endif %}
- name: Écrire la configuration mise à jour - name: Écrire la configuration mise à jour
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/docker/daemon.json dest: /etc/docker/daemon.json
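Review bot: The rewritten condition `when: (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists` cannot work: `ansible` is not a variable inside a Jinja expression and modules cannot be called from one, so the task errors with an undefined name on every run instead of skipping when daemon.json is absent. Run `ansible.builtin.stat` as its own registered task and test that result in the `when`; the guarded task starts above the hunk, so the stat task belongs just before it. In the second hunk, "Ensure docker_config is a dictionary" is placed after "Configure Docker to use external storage" has already evaluated `docker_config | combine(...)`, so the normalisation comes too late to protect that call — move it ahead of both combine tasks. The two identical `ansible_facts.mounts | selectattr(...)` conditions could also be hoisted into a single `block:` with one `when`.
```yaml
- name: Stat Docker daemon config
  ansible.builtin.stat:
    path: /etc/docker/daemon.json
  register: docker_daemon_json

# … unchanged: the task that reads daemon.json into docker_config_raw …
  when: docker_daemon_json.stat.exists
```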


@@ -19,7 +19,7 @@ variable "admin_email" {
} }
variable "gitea_app" { variable "gitea_app" {
type = object({ type = object({
url = optional(string, "https://gitea.arcodange.lab/") url = optional(string, "https://gitea.arcodange.lab")
id = string id = string
secret = string secret = string
description = optional(string, "Arcodange Gitea Auth") description = optional(string, "Arcodange Gitea Auth")
@@ -66,7 +66,7 @@ resource "vault_jwt_auth_backend" "gitea" {
oidc_discovery_ca_pem = file(var.ca_pem) oidc_discovery_ca_pem = file(var.ca_pem)
oidc_client_id = var.gitea_app.id oidc_client_id = var.gitea_app.id
oidc_client_secret = var.gitea_app.secret oidc_client_secret = var.gitea_app.secret
bound_issuer = var.gitea_app.url bound_issuer = trimsuffix(var.gitea_app.url, "/")
tune { tune {
allowed_response_headers = [] allowed_response_headers = []
@@ -103,7 +103,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
type = "jwt" type = "jwt"
oidc_discovery_url = var.gitea_app.url oidc_discovery_url = var.gitea_app.url
oidc_discovery_ca_pem = file(var.ca_pem) oidc_discovery_ca_pem = file(var.ca_pem)
bound_issuer = var.gitea_app.url bound_issuer = trimsuffix(var.gitea_app.url, "/")
tune { tune {
allowed_response_headers = [] allowed_response_headers = []
@@ -167,7 +167,7 @@ resource "vault_kv_secret" "google_credentials" {
path = "${vault_mount.kvv1.path}/google/credentials" path = "${vault_mount.kvv1.path}/google/credentials"
data_json = jsonencode( data_json = jsonencode(
{ {
credentials = file("~/.config/gcloud/application_default_credentials.json") credentials = file("/root/.config/gcloud/application_default_credentials.json")
} }
) )
} }
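Review bot: The credentials path now hard-codes `/root/`, which ties the apply to running as root (it suggests the apply happens inside a container, as the `docker volume create` wrapper in the tasks file hints) and silently breaks for any other user; `file()` does not expand `~`, which is presumably why it was changed, but `credentials = file(pathexpand("~/.config/gcloud/application_default_credentials.json"))` keeps the intent without a fixed home directory. Separately, `data_json` of a `vault_kv_secret` is recorded in Terraform/OpenTofu state, so the gcloud ADC file ends up in plaintext wherever that state lives — this predates the commit, but the new volume wrapper decides where that state is kept, so it is worth noting here. The `trimsuffix` is applied to both `bound_issuer` lines while `oidc_discovery_url` still takes the raw value; with the slash-free default they agree, but a user-supplied URL with a trailing slash would diverge, so normalising once (a `local` or at the variable) would be tidier.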


@@ -24,6 +24,31 @@
volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }} volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }}
- name: Check SSL certificate for Gitea
shell: >-
openssl s_client -connect gitea.arcodange.lab:443 -CAfile /etc/ssl/certs/arcodange-root.pem -servername gitea.arcodange.lab < /dev/null 2>&1 | grep -E "Verify return code:|subject=|issuer="
register: ssl_check
ignore_errors: true
- name: Debug SSL certificate check
debug:
var: ssl_check.stdout_lines
- name: Delete existing Gitea OIDC backends if they exist
include_tasks: vault_cmd.yml
vars:
vault_cmd: vault auth disable {{ backend_name }}
vault_cmd_can_fail: true
vault_cmd_json_attr: ''
vault_cmd_output_var: false
loop:
- gitea
- gitea_jwt
loop_control:
loop_var: backend_name
- name: use tofu to provision vault - name: use tofu to provision vault
block: block:
- shell: docker volume create {{ volume_name }} - shell: docker volume create {{ volume_name }}