Update README with detailed playbook execution sequence

This commit updates the README to include a detailed timeline of the playbook execution sequence, organized into sections for system setup, application setup, CI/CD, tools, and backups. Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
Enable PostgreSQL backup in backup playbook
2026-04-08 11:04:11 +02:00 · 2026-04-08 11:04:07 +02:00 · 2026-04-08 11:04:03 +02:00 · 2026-04-07 19:19:03 +02:00 · 2026-04-07 19:17:47 +02:00
6 changed files with 133 additions and 51 deletions
--- a/ansible/arcodange/factory/README.md
+++ b/ansible/arcodange/factory/README.md
@@ -10,41 +10,68 @@ kubectl create secret generic traefik-duckdns-token --from-literal="DUCKDNS_TOKE
 ```mermaid
 %%{init: { 'logLevel': 'debug', 'theme': 'dark' } }%%
 timeline
-title ordre des playbook
-section Setup DNS, OS, ...
-    configuration manuelle
-        : installer OS, réserver IP statique, configurer SSH,VNC
-        : formater et créer des partitions avec gparted
-section Docker & K3S
-    system
-        : install Docker
-        : install K3S working with docker
-        : configure Traefik
-
-section Volume, NFS
-    setup hard_disk
-        : monter les partitions
-        : installer NFS
-    system
-        : déployer provisionner NFS
-    
-section postgres
-    setup
-        : postgres
-section gitea
-    setup
+    title Playbook Execution Sequence
+    section 01_system
+        rpi
+            : set hostname
+        dns
+            : install pi-hole
+        ssl
+            : step-ca
+            : fetch root certificate
+            : build docker image with CA
+        prepare_disks
+            : list partitions
+            : format disk
+            : mount disk
+        system_docker
+            : install docker
+            : configure docker storage
+            : restart docker
+        longhorn
+            : deploy longhorn
+        k3s
+            : prepare inventory
+            : install k3s collection
+            : install socat
+            : deploy k3s cluster
+            : configure kubeconfig
+            : configure traefik
+            : configure cert-manager
+    section 02_setup
+        backup_nfs
+            : create RWX volume
+            : create recurring job
+            : deploy NFS
+            : mount NFS
+        postgres
+            : create database
+            : create user
+        gitea
+            : deploy gitea
+            : create admin user
+            : create organization
+    section 03_cicd
+        cicd : CI/CD
+        gitea_token
+            : generate token
+        deploy_docker_compose
+            : deploy gitea action
+        argocd
+            : generate token
+            : deploy argocd
+    section 04_tools
+        Hashicorp Vault
+            : gitea_token
+            : hashicorp_vault
+        Crowdsec
+            : crowdsec
+    section 05_backup
+        Gitea Backup
            : gitea
-section gitea action runner
-    setup
-        : gitea action runner
-section argo cd
-    argo_cd
-        : argo cd
-section hello world app
-    setup git repository
-        : terraform
-    setup CI
-    deploy
-        : dev : list exposed deployments with label and port as a landpage
-        : expose (as ngrock ? direct ? port ? )
+        K3s PVC Backup
+            : k3s_pvc
+        Postgres Backup
+            : create backup script
+            : create restore script
 ```
--- a/ansible/arcodange/factory/playbooks/backup/backup.yml
+++ b/ansible/arcodange/factory/playbooks/backup/backup.yml
@@ -2,11 +2,11 @@
 # - name: setup cron report
 #   ansible.builtin.import_playbook: cron_report.yml

-# - name: postgres
-#   ansible.builtin.import_playbook: postgres.yml
-#   vars:
-#     backup_root_dir: "/mnt/backups"
-#     backup_dirname: "postgres"
+- name: postgres
+  ansible.builtin.import_playbook: postgres.yml
+  vars:
+    backup_root_dir: "/mnt/backups"
+    backup_dirname: "postgres"

 - name: gitea
  ansible.builtin.import_playbook: gitea.yml
--- a/ansible/arcodange/factory/playbooks/system/k3s_ssl.yml
+++ b/ansible/arcodange/factory/playbooks/system/k3s_ssl.yml
@@ -162,4 +162,11 @@
                    name: {{ jwk_secret_name }}
                    namespace: {{ namespace }}
                    key: password
+              # Override kube-rbac-proxy image to use ARM64-compatible version.
+              # Note: pi3 (ARM64) requires an ARM64-compatible image, while pi2 (ARMv7) may work with AMD64 images.
+              # The default image (gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0) is AMD64-only and fails on pi3.
+              kubeRBACproxy:
+                image:
+                  repository: quay.io/brancz/kube-rbac-proxy
+                  tag: v0.15.0

--- a/ansible/arcodange/factory/playbooks/system/system_docker.yml
+++ b/ansible/arcodange/factory/playbooks/system/system_docker.yml
@@ -40,11 +40,7 @@
      register: docker_config_raw
      ignore_errors: yes
      changed_when: false
-      when: ansible.facts.stat.exists
-      vars:
-        ansible_facts:
-          stat:
-            exists: "{{ (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists }}"
+      when: (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists

    - name: Initialiser la variable de config Docker
      ansible.builtin.set_fact:
@@ -66,6 +62,33 @@
            }
          }, recursive=True) }}

+    - name: Ensure Docker storage directory exists on external disk
+      ansible.builtin.file:
+        path: /mnt/arcodange/docker
+        state: directory
+        mode: '0755'
+        owner: root
+        group: docker
+      when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
+
+    - name: Configure Docker to use external storage
+      ansible.builtin.set_fact:
+        docker_config: >
+          {{ docker_config | combine({
+            'data-root': '/mnt/arcodange/docker',
+            'storage-driver': 'overlay2'
+          }, recursive=True) }}
+      when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
+
+    - name: Ensure docker_config is a dictionary
+      ansible.builtin.set_fact:
+        docker_config: >
+          {% if docker_config is mapping %}
+            {{ docker_config }}
+          {% else %}
+            {}
+          {% endif %}
+
    - name: Écrire la configuration mise à jour
      ansible.builtin.copy:
        dest: /etc/docker/daemon.json
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
@@ -19,7 +19,7 @@ variable "admin_email" {
 }
 variable "gitea_app" {
  type = object({
-    url = optional(string, "https://gitea.arcodange.lab/")
+    url = optional(string, "https://gitea.arcodange.lab")
    id = string
    secret = string
    description = optional(string, "Arcodange Gitea Auth")
@@ -66,7 +66,7 @@ resource "vault_jwt_auth_backend" "gitea" {
    oidc_discovery_ca_pem = file(var.ca_pem)
    oidc_client_id      = var.gitea_app.id
    oidc_client_secret  = var.gitea_app.secret
-    bound_issuer        = var.gitea_app.url
+    bound_issuer        = trimsuffix(var.gitea_app.url, "/")
    
    tune {
        allowed_response_headers     = []
@@ -103,7 +103,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
    type                = "jwt"
    oidc_discovery_url  = var.gitea_app.url
    oidc_discovery_ca_pem = file(var.ca_pem)
-    bound_issuer        = var.gitea_app.url
+    bound_issuer        = trimsuffix(var.gitea_app.url, "/")
    
    tune {
        allowed_response_headers     = []
@@ -167,7 +167,7 @@ resource "vault_kv_secret" "google_credentials" {
  path = "${vault_mount.kvv1.path}/google/credentials"
  data_json = jsonencode(
  {
-    credentials = file("~/.config/gcloud/application_default_credentials.json")
+    credentials = file("/root/.config/gcloud/application_default_credentials.json")
  }
  )
 }
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -24,6 +24,31 @@

    volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }}

+- name: Check SSL certificate for Gitea
+  shell: >-
+    openssl s_client -connect gitea.arcodange.lab:443 -CAfile /etc/ssl/certs/arcodange-root.pem -servername gitea.arcodange.lab < /dev/null 2>&1 | grep -E "Verify return code:|subject=|issuer="
+  register: ssl_check
+  ignore_errors: true
+
+- name: Debug SSL certificate check
+  debug:
+    var: ssl_check.stdout_lines
+
+
+
+- name: Delete existing Gitea OIDC backends if they exist
+  include_tasks: vault_cmd.yml
+  vars:
+    vault_cmd: vault auth disable {{ backend_name }}
+    vault_cmd_can_fail: true
+    vault_cmd_json_attr: ''
+    vault_cmd_output_var: false
+  loop:
+    - gitea
+    - gitea_jwt
+  loop_control:
+    loop_var: backend_name
+
 - name: use tofu to provision vault
  block:
  - shell: docker volume create {{ volume_name }}
Author	SHA1	Message	Date
Gabriel Radureau	fc9164f11e	Update README with detailed playbook execution sequence This commit updates the README to include a detailed timeline of the playbook execution sequence, organized into sections for system setup, application setup, CI/CD, tools, and backups. Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai>	2026-04-08 11:04:11 +02:00
Gabriel Radureau	c751b621ba	Enable PostgreSQL backup in backup playbook This commit uncomments the PostgreSQL backup section in the backup playbook to enable regular backups of the PostgreSQL database. Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai>	2026-04-08 11:04:07 +02:00
Gabriel Radureau	07a619b274	Fix step-issuer ARM64 compatibility on pi3 The default kube-rbac-proxy image (gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0) is AMD64-only and fails on pi3 (ARM64). This commit overrides the image to use quay.io/brancz/kube-rbac-proxy:v0.15.0, which supports ARM64. Note: pi2 (ARMv7) may work with AMD64 images, but pi3 (ARM64) requires an ARM64-compatible image. Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai>	2026-04-08 11:04:03 +02:00
Gabriel Radureau	9931f81998	Update Docker storage configuration and revoke token task	2026-04-07 19:19:03 +02:00
Gabriel Radureau	437fd506ed	Fix Vault Gitea OIDC setup: remove trailing slash from bound_issuer and pass CA certificate	2026-04-07 19:17:47 +02:00