5 Commits

fc9164f11e Update README with detailed playbook execution sequence
This commit updates the README to include a detailed timeline of the playbook execution sequence, organized into sections for system setup, application setup, CI/CD, tools, and backups.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-08 11:04:11 +02:00
c751b621ba Enable PostgreSQL backup in backup playbook
This commit uncomments the PostgreSQL backup section in the backup playbook to enable regular backups of the PostgreSQL database.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-08 11:04:07 +02:00
07a619b274 Fix step-issuer ARM64 compatibility on pi3
The default kube-rbac-proxy image (gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0) is AMD64-only and fails on pi3 (ARM64). This commit overrides the image to use quay.io/brancz/kube-rbac-proxy:v0.15.0, which supports ARM64.

Note: pi2 (ARMv7) may work with AMD64 images, but pi3 (ARM64) requires an ARM64-compatible image.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-08 11:04:03 +02:00
9931f81998 Update Docker storage configuration and revoke token task 2026-04-07 19:19:03 +02:00
437fd506ed Fix Vault Gitea OIDC setup: remove trailing slash from bound_issuer and pass CA certificate 2026-04-07 19:17:47 +02:00
6 changed files with 133 additions and 51 deletions


@@ -10,41 +10,68 @@ kubectl create secret generic traefik-duckdns-token --from-literal="DUCKDNS_TOKE
```mermaid ```mermaid
%%{init: { 'logLevel': 'debug', 'theme': 'dark' } }%% %%{init: { 'logLevel': 'debug', 'theme': 'dark' } }%%
timeline timeline
title ordre des playbook title Playbook Execution Sequence
section Setup DNS, OS, ... section 01_system
configuration manuelle rpi
: installer OS, réserver IP statique, configurer SSH,VNC : set hostname
: formater et créer des partitions avec gparted dns
section Docker & K3S : install pi-hole
system ssl
: install Docker : step-ca
: install K3S working with docker : fetch root certificate
: configure Traefik : build docker image with CA
prepare_disks
section Volume, NFS : list partitions
setup hard_disk : format disk
: monter les partitions : mount disk
: installer NFS system_docker
system : install docker
: déployer provisionner NFS : configure docker storage
: restart docker
section postgres longhorn
setup : deploy longhorn
: postgres k3s
section gitea : prepare inventory
setup : install k3s collection
: gitea : install socat
section gitea action runner : deploy k3s cluster
setup : configure kubeconfig
: gitea action runner : configure traefik
section argo cd : configure cert-manager
argo_cd section 02_setup
: argo cd backup_nfs
section hello world app : create RWX volume
setup git repository : create recurring job
: terraform : deploy NFS
setup CI : mount NFS
deploy postgres
: dev : list exposed deployments with label and port as a landpage : create database
: expose (as ngrock ? direct ? port ? ) : create user
gitea
: deploy gitea
: create admin user
: create organization
section 03_cicd
cicd : CI/CD
gitea_token
: generate token
deploy_docker_compose
: deploy gitea action
argocd
: generate token
: deploy argocd
section 04_tools
Hashicorp Vault
: gitea_token
: hashicorp_vault
Crowdsec
: crowdsec
section 05_backup
Gitea Backup
: gitea
K3s PVC Backup
: k3s_pvc
Postgres Backup
: create backup script
: create restore script
``` ```


@@ -2,11 +2,11 @@
# - name: setup cron report # - name: setup cron report
# ansible.builtin.import_playbook: cron_report.yml # ansible.builtin.import_playbook: cron_report.yml
# - name: postgres - name: postgres
# ansible.builtin.import_playbook: postgres.yml ansible.builtin.import_playbook: postgres.yml
# vars: vars:
# backup_root_dir: "/mnt/backups" backup_root_dir: "/mnt/backups"
# backup_dirname: "postgres" backup_dirname: "postgres"
- name: gitea - name: gitea
ansible.builtin.import_playbook: gitea.yml ansible.builtin.import_playbook: gitea.yml
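Review bot: Uncommenting the postgres import routes database dumps to `backup_root_dir: "/mnt/backups"` / `backup_dirname: "postgres"`, but nothing in this hunk shows who owns that tree or with what mode, and a dump is a full copy of every table (credentials, tokens, user data). Unless postgres.yml already does it (not visible here), the destination should be created with a restrictive mode and the dump files written non-world-readable, e.g. a comment at the import site: `# dumps contain full DB contents — postgres.yml must create the target dir 0700 and the dump files 0600`. The commit message speaks of "regular backups", yet the only scheduler-related entry in this file, `cron_report.yml`, stays commented out, so the recurrence presumably lives elsewhere and is worth cross-referencing in the same comment.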


@@ -162,4 +162,11 @@
name: {{ jwk_secret_name }} name: {{ jwk_secret_name }}
namespace: {{ namespace }} namespace: {{ namespace }}
key: password key: password
# Override kube-rbac-proxy image to use ARM64-compatible version.
# Note: pi3 (ARM64) requires an ARM64-compatible image, while pi2 (ARMv7) may work with AMD64 images.
# The default image (gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0) is AMD64-only and fails on pi3.
kubeRBACproxy:
image:
repository: quay.io/brancz/kube-rbac-proxy
tag: v0.15.0
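Review bot: The new comment's claim that "pi2 (ARMv7) may work with AMD64 images" is incorrect and will mislead the next person debugging a pull on that node: a 32-bit ARM host cannot execute x86-64 binaries without an emulation layer, so pi2 needs a `linux/arm/v7` manifest entry, which the quay.io/brancz image may or may not publish (unverified here). Suggested replacement for the three comment lines: `# gcr.io/kubebuilder/kube-rbac-proxy ships amd64 only and fails on pi3 (arm64); quay.io/brancz publishes a multi-arch manifest — arm64 verified on pi3, arm/v7 for pi2 NOT verified`. Since this swaps the image of an authorization proxy to a different publisher, it should also be pinned by digest rather than a mutable `v0.15.0` tag (digest form depends on what this chart's `image` block accepts), and the tag value should be quoted per Ansible/YAML convention: `tag: "v0.15.0"`.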


@@ -40,11 +40,7 @@
register: docker_config_raw register: docker_config_raw
ignore_errors: yes ignore_errors: yes
changed_when: false changed_when: false
when: ansible.facts.stat.exists when: (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists
vars:
ansible_facts:
stat:
exists: "{{ (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists }}"
- name: Initialiser la variable de config Docker - name: Initialiser la variable de config Docker
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -66,6 +62,33 @@
} }
}, recursive=True) }} }, recursive=True) }}
- name: Ensure Docker storage directory exists on external disk
ansible.builtin.file:
path: /mnt/arcodange/docker
state: directory
mode: '0755'
owner: root
group: docker
when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
- name: Configure Docker to use external storage
ansible.builtin.set_fact:
docker_config: >
{{ docker_config | combine({
'data-root': '/mnt/arcodange/docker',
'storage-driver': 'overlay2'
}, recursive=True) }}
when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
- name: Ensure docker_config is a dictionary
ansible.builtin.set_fact:
docker_config: >
{% if docker_config is mapping %}
{{ docker_config }}
{% else %}
{}
{% endif %}
- name: Écrire la configuration mise à jour - name: Écrire la configuration mise à jour
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/docker/daemon.json dest: /etc/docker/daemon.json
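Review bot: The rewritten condition in the first hunk, `when: (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists`, is not a valid Jinja expression — a module cannot be invoked inside `when:`, and `ansible` is not a variable in scope — so the read task will error out on every host before the new storage tasks are ever reached. The correct shape is a dedicated `ansible.builtin.stat` task registering a result and a `when:` on that result, as sketched below (the read task itself starts above the hunk). In the second hunk, "Ensure docker_config is a dictionary" runs after the two `combine` tasks that would already have failed on a non-mapping value; move that guard before the first `combine`. Also note that once `data-root` points at `/mnt/arcodange/docker`, a boot where the disk is not mounted makes dockerd recreate that path on the root filesystem and silently run with a different image/container set; a systemd drop-in with `RequiresMountsFor=/mnt/arcodange` on docker.service closes that gap.
```yaml
- name: Check whether /etc/docker/daemon.json exists
  ansible.builtin.stat:
    path: /etc/docker/daemon.json
  register: docker_daemon_json

# … unchanged: task that reads the current config (register: docker_config_raw) …
  when: docker_daemon_json.stat.exists
```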


@@ -19,7 +19,7 @@ variable "admin_email" {
} }
variable "gitea_app" { variable "gitea_app" {
type = object({ type = object({
url = optional(string, "https://gitea.arcodange.lab/") url = optional(string, "https://gitea.arcodange.lab")
id = string id = string
secret = string secret = string
description = optional(string, "Arcodange Gitea Auth") description = optional(string, "Arcodange Gitea Auth")
@@ -66,7 +66,7 @@ resource "vault_jwt_auth_backend" "gitea" {
oidc_discovery_ca_pem = file(var.ca_pem) oidc_discovery_ca_pem = file(var.ca_pem)
oidc_client_id = var.gitea_app.id oidc_client_id = var.gitea_app.id
oidc_client_secret = var.gitea_app.secret oidc_client_secret = var.gitea_app.secret
bound_issuer = var.gitea_app.url bound_issuer = trimsuffix(var.gitea_app.url, "/")
tune { tune {
allowed_response_headers = [] allowed_response_headers = []
@@ -103,7 +103,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
type = "jwt" type = "jwt"
oidc_discovery_url = var.gitea_app.url oidc_discovery_url = var.gitea_app.url
oidc_discovery_ca_pem = file(var.ca_pem) oidc_discovery_ca_pem = file(var.ca_pem)
bound_issuer = var.gitea_app.url bound_issuer = trimsuffix(var.gitea_app.url, "/")
tune { tune {
allowed_response_headers = [] allowed_response_headers = []
@@ -167,7 +167,7 @@ resource "vault_kv_secret" "google_credentials" {
path = "${vault_mount.kvv1.path}/google/credentials" path = "${vault_mount.kvv1.path}/google/credentials"
data_json = jsonencode( data_json = jsonencode(
{ {
credentials = file("~/.config/gcloud/application_default_credentials.json") credentials = file("/root/.config/gcloud/application_default_credentials.json")
} }
) )
} }
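Review bot: `bound_issuer` is now normalised with `trimsuffix(var.gitea_app.url, "/")` in both backends, but `oidc_discovery_url` on the same resources still takes `var.gitea_app.url` raw, so a caller who overrides the variable with a trailing slash gets a mismatched issuer/discovery pair again; apply the same normalisation there, `oidc_discovery_url = trimsuffix(var.gitea_app.url, "/")`, or derive both from one `local` so they cannot drift. The `google_credentials` hunk reads `/root/.config/gcloud/application_default_credentials.json` with `file()` and writes it via `data_json`, which means the full ADC refresh token ends up in the tofu state file as well as in Vault; the state backend for this run (presumably the Docker volume created in the playbook) therefore needs the same protection as the secret itself, and that is worth a comment on the resource. The hard-coded `/root/...` path also encodes an assumption that tofu runs as root inside the container — consider lifting it to a variable like `ca_pem` so it is visible at the call site.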


@@ -24,6 +24,31 @@
volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }} volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }}
- name: Check SSL certificate for Gitea
shell: >-
openssl s_client -connect gitea.arcodange.lab:443 -CAfile /etc/ssl/certs/arcodange-root.pem -servername gitea.arcodange.lab < /dev/null 2>&1 | grep -E "Verify return code:|subject=|issuer="
register: ssl_check
ignore_errors: true
- name: Debug SSL certificate check
debug:
var: ssl_check.stdout_lines
- name: Delete existing Gitea OIDC backends if they exist
include_tasks: vault_cmd.yml
vars:
vault_cmd: vault auth disable {{ backend_name }}
vault_cmd_can_fail: true
vault_cmd_json_attr: ''
vault_cmd_output_var: false
loop:
- gitea
- gitea_jwt
loop_control:
loop_var: backend_name
- name: use tofu to provision vault - name: use tofu to provision vault
block: block:
- shell: docker volume create {{ volume_name }} - shell: docker volume create {{ volume_name }}
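Review bot: The new "Check SSL certificate for Gitea" task never enforces anything — `ignore_errors: true` plus a `debug` of `ssl_check.stdout_lines` means a wrong or missing CA file is printed and then the play carries on, so the failure surfaces later inside tofu (or not at all if discovery happens to succeed another way). Make it a real gate: drop `ignore_errors` and add `failed_when: "'Verify return code: 0 (ok)' not in ssl_check.stdout"`, keeping the `debug` as the diagnostic. The "Delete existing Gitea OIDC backends" loop runs `vault auth disable gitea` / `gitea_jwt` unconditionally on every invocation, which tears down the mounts and invalidates every token and role issued through them before tofu recreates them; if that is intended as a one-off migration it deserves a comment and a guard such as a `when:` on a run-once variable, rather than being the default path. The `use tofu to provision vault` block at the end of the hunk continues past it.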