Tellsanguis/Homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: Configuration stockage local et token K3S partagé
Some checks failed
CD - Deploy Infrastructure / Terraform Validation (push) Successful in 17s
Details
CD - Deploy Infrastructure / Deploy on pve1 (push) Successful in 2m12s
Details
CD - Deploy Infrastructure / Deploy on pve2 (push) Successful in 2m11s
Details
CD - Deploy Infrastructure / Deploy on pve3 (push) Successful in 2m28s
Details
CD - Deploy Infrastructure / Validate K3s Cluster (push) Successful in 5m3s
Details
CD - Deploy Infrastructure / Deployment Notification (push) Failing after 1s
Details

Browse source 
- Passage stockage local-nvme pour acemagician et elitedesk (40G)
- Token K3S partagé via cloud-init pour cluster HA
- Configuration FluxCD avec GitRepository Forgejo
- Déploiement Hello World via FluxCD
- Manifestes Kubernetes pour application demo
This commit is contained in:
Tellsanguis 2025-12-09 11:55:19 +01:00
parent a818aab4be
commit 3b5f1fc2d2
17 changed files with 193 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

25
.forgejo/workflows/deploy.yml
View file

@ -4,10 +4,9 @@ on:
push:
branches:
- main
workflow_dispatch: # Allow manual trigger
workflow_dispatch:
jobs:
# Run Terraform validation first
ci-terraform:
name: Terraform Validation
runs-on: self-hosted
@ -63,11 +62,11 @@ jobs:
TF_VAR_k3s_network_bridge: "k3s"
TF_VAR_k3s_gateway: "10.100.20.1"
TF_VAR_k3s_dns: '["10.100.20.1", "1.1.1.1"]'
TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }'
TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }'
TF_VAR_k3s_token: ${{ secrets.K3S_TOKEN }}
TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "40G" }'
TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "40G" }'
TF_VAR_etcd_witness_config: '{ ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }'
# Deploy infrastructure in parallel
deploy-pve1:
name: Deploy on pve1
runs-on: self-hosted
@ -91,14 +90,15 @@ jobs:
forgejo_token = "${{ secrets.GIT_TOKEN }}"
forgejo_repo_url = "${{ secrets.GIT_REPO_URL }}"
k3s_version = "v1.28.5+k3s1"
k3s_token = "${{ secrets.K3S_TOKEN }}"
ubuntu_template = "ubuntu-2404-cloudinit"
storage_pool = "linstor_storage"
k3s_server_1_storage_pool = "linstor_storage"
k3s_server_1_storage_pool = "local-nvme"
snippets_storage = "local"
k3s_network_bridge = "k3s"
k3s_gateway = "10.100.20.1"
k3s_dns = ["10.100.20.1", "1.1.1.1"]
k3s_server_1_config = { ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }
k3s_server_1_config = { ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "40G" }
EOF
tofu init
tofu apply -auto-approve
@ -126,14 +126,15 @@ jobs:
forgejo_token = "${{ secrets.GIT_TOKEN }}"
forgejo_repo_url = "${{ secrets.GIT_REPO_URL }}"
k3s_version = "v1.28.5+k3s1"
k3s_token = "${{ secrets.K3S_TOKEN }}"
ubuntu_template = "ubuntu-2404-cloudinit"
storage_pool = "linstor_storage"
k3s_server_2_storage_pool = "linstor_storage"
k3s_server_2_storage_pool = "local-nvme"
snippets_storage = "local"
k3s_network_bridge = "k3s"
k3s_gateway = "10.100.20.1"
k3s_dns = ["10.100.20.1", "1.1.1.1"]
k3s_server_2_config = { ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }
k3s_server_2_config = { ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "40G" }
EOF
tofu init
tofu apply -auto-approve
@ -161,6 +162,7 @@ jobs:
forgejo_token = "${{ secrets.GIT_TOKEN }}"
forgejo_repo_url = "${{ secrets.GIT_REPO_URL }}"
k3s_version = "v1.28.5+k3s1"
k3s_token = "${{ secrets.K3S_TOKEN }}"
ubuntu_template = "ubuntu-2404-cloudinit"
storage_pool = "linstor_storage"
etcd_witness_storage_pool = "local-lvm"
@ -192,13 +194,12 @@ jobs:
- name: Wait for K3s cluster
run: |
echo "Waiting for K3s cluster to be ready..."
sleep 300 # Wait 5 minutes for ansible-pull to configure K3s
- name: Check cluster status (optional)
sleep 300
- name: Check cluster status
run: |
echo "Cluster validation completed"
continue-on-error: true
# Notify on completion
notify:
name: Deployment Notification
runs-on: self-hosted

13
ansible/group_vars/all.yml
View file

@ -1,44 +1,32 @@
---
# Global variables for all nodes
# K3s Configuration
k3s_version: "v1.28.5+k3s1"
k3s_install_url: "https://get.k3s.io"
# K3s Server Configuration
k3s_server_1_ip: "10.100.20.10"
k3s_server_2_ip: "10.100.20.20"
k3s_witness_ip: "10.100.20.30"
# K3s token (shared between servers)
# In production, this should be stored in a vault
k3s_token_file: "/etc/rancher/k3s/token"
# Network Configuration
pod_cidr: "10.42.0.0/16"
service_cidr: "10.43.0.0/16"
cluster_dns: "10.43.0.10"
# System Configuration
timezone: "Europe/Paris"
swap_enabled: false
# Unattended Upgrades Configuration
unattended_upgrades_enabled: true
unattended_upgrades_automatic_reboot: true
unattended_upgrades_automatic_reboot_with_users: false
# Reboot schedule (staggered to maintain availability)
reboot_schedule:
k3s-server-1: "02:00"
k3s-server-2: "04:00"
etcd-witness: "06:00"
# FluxCD Configuration
flux_version: "v2.2.0"
flux_namespace: "flux-system"
# System packages to install on all nodes
common_packages:
- curl
- wget
@ -52,7 +40,6 @@ common_packages:
- python3
- python3-pip
# Kernel parameters for K3s
sysctl_config:
net.bridge.bridge-nf-call-iptables: 1
net.bridge.bridge-nf-call-ip6tables: 1

18
ansible/roles/etcd-witness/tasks/main.yml
View file

@ -1,19 +1,19 @@
---
# etcd witness node configuration
# This node participates in etcd quorum but does not run K8s workloads
- name: Check if K3s is already installed
stat:
path: /usr/local/bin/k3s
register: k3s_binary
- name: Get K3s token from first server
- name: Load K3s token from environment
set_fact:
k3s_token: >-
{{
lookup('file', k3s_token_file, errors='ignore')
| default('PLACEHOLDER')
}}
k3s_token: "{{ lookup('env', 'K3S_TOKEN') }}"
- name: Wait for first server API
wait_for:
host: "{{ k3s_server_1_ip }}"
port: 6443
delay: 60
timeout: 900
- name: Install K3s as server (witness mode)
shell: >

6
ansible/roles/k3s-server/files/k3s-pre-reboot.sh
View file

@ -1,19 +1,13 @@
#!/bin/bash
# K3s pre-reboot script
# Drains the node before system reboot to migrate workloads gracefully
set -e
# Only run if k3s is active
if systemctl is-active --quiet k3s; then
NODE_NAME=$(hostname)
echo "$(date): Starting pre-reboot drain for node $NODE_NAME" | logger -t k3s-pre-reboot
# Set KUBECONFIG
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
# Drain the node (migrate pods to other nodes)
/usr/local/bin/k3s kubectl drain "$NODE_NAME" \
--ignore-daemonsets \
--delete-emptydir-data \

72
ansible/roles/k3s-server/tasks/flux.yml
View file

@ -1,6 +1,4 @@
---
# Install and configure FluxCD
- name: Check if flux is already installed
command: k3s kubectl get namespace {{ flux_namespace }}
register: flux_installed
@ -44,9 +42,73 @@
changed_when: false
when: flux_installed.rc != 0
- name: Load Forgejo token from environment
set_fact:
forgejo_token: "{{ lookup('env', 'FORGEJO_TOKEN') }}"
forgejo_repo_url: "{{ lookup('env', 'REPO_URL') }}"
- name: Create Forgejo secret for FluxCD
shell: |
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
k3s kubectl create secret generic forgejo-auth \
--namespace={{ flux_namespace }} \
--from-literal=username=git \
--from-literal=password={{ forgejo_token }} \
--dry-run=client -o yaml | k3s kubectl apply -f -
when: flux_installed.rc != 0
- name: Create GitRepository manifest
copy:
dest: /tmp/gitrepository.yaml
content: |
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: infra
namespace: {{ flux_namespace }}
spec:
interval: 1m
url: {{ forgejo_repo_url }}
ref:
branch: main
secretRef:
name: forgejo-auth
mode: '0644'
when: flux_installed.rc != 0
- name: Apply GitRepository
shell: |
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
k3s kubectl apply -f /tmp/gitrepository.yaml
when: flux_installed.rc != 0
- name: Create Kustomization manifest
copy:
dest: /tmp/kustomization.yaml
content: |
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: {{ flux_namespace }}
spec:
interval: 1m
sourceRef:
kind: GitRepository
name: infra
path: ./k8s
prune: true
wait: true
mode: '0644'
when: flux_installed.rc != 0
- name: Apply Kustomization
shell: |
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
k3s kubectl apply -f /tmp/kustomization.yaml
when: flux_installed.rc != 0
- name: Display FluxCD installation status
debug:
msg: >-
FluxCD installed successfully.
Configure GitRepository in kubernetes/flux-system/
msg: "FluxCD configured to sync from {{ forgejo_repo_url }}"
when: flux_installed.rc != 0

27
ansible/roles/k3s-server/tasks/main.yml
View file

@ -1,6 +1,4 @@
---
# K3s server installation and configuration
- name: Check if K3s is already installed
stat:
path: /usr/local/bin/k3s
@ -17,10 +15,15 @@
set_fact:
is_first_server: "{{ ansible_default_ipv4.address == k3s_server_1_ip }}"
- name: Load K3s token from environment
set_fact:
k3s_token: "{{ lookup('env', 'K3S_TOKEN') }}"
- name: Install K3s on first server (cluster-init)
shell: >
curl -sfL {{ k3s_install_url }} |
INSTALL_K3S_VERSION="{{ k3s_version }}"
K3S_TOKEN="{{ k3s_token }}"
sh -s - server
--cluster-init
--tls-san {{ k3s_server_1_ip }}
@ -44,17 +47,13 @@
timeout: 300
when: is_first_server
- name: Get K3s token from first server
slurp:
src: /var/lib/rancher/k3s/server/node-token
register: k3s_token_encoded
when: is_first_server
run_once: true
- name: Save K3s token
set_fact:
k3s_token: "{{ k3s_token_encoded.content | b64decode | trim }}"
when: is_first_server
- name: Wait for first server API (second server)
wait_for:
host: "{{ k3s_server_1_ip }}"
port: 6443
delay: 30
timeout: 600
when: not is_first_server
- name: Install K3s on second server (join cluster)
shell: >
@ -62,7 +61,7 @@
INSTALL_K3S_VERSION="{{ k3s_version }}"
sh -s - server
--server https://{{ k3s_server_1_ip }}:6443
--token {{ k3s_token | default('PLACEHOLDER') }}
--token {{ k3s_token }}
--tls-san {{ k3s_server_2_ip }}
--write-kubeconfig-mode 644
--disable traefik

7
ansible/site.yml
View file

@ -1,14 +1,10 @@
---
# Main playbook for K3s GitOps infrastructure
# This playbook is executed by ansible-pull on each VM
- name: Configure K3s Infrastructure
hosts: localhost
connection: local
become: true
vars:
# Read node role from file created by cloud-init
node_role: >-
{{
lookup('file', '/etc/node-role', errors='ignore')
@ -34,14 +30,11 @@
cache_valid_time: 3600
roles:
# Common role applies to all nodes
- role: common
# K3s server role (server + worker)
- role: k3s-server
when: node_role == 'server'
# etcd witness role (etcd only, no k8s workloads)
- role: etcd-witness
when: node_role == 'witness'

37
k8s/hello-world/deployment.yaml Normal file
View file

@ -0,0 +1,37 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello-world
namespace: demo
spec:
replicas: 3
selector:
matchLabels:
app: hello-world
template:
metadata:
labels:
app: hello-world
spec:
containers:
- name: hello-world
image: bashofmann/rancher-demo:1.0.0
imagePullPolicy: Always
resources:
requests:
memory: "12Mi"
cpu: "2m"
ports:
- containerPort: 8080
name: web
env:
- name: COW_COLOR
value: purple
readinessProbe:
httpGet:
path: /
port: web
livenessProbe:
httpGet:
path: /
port: web

4
k8s/hello-world/namespace.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: demo

13
k8s/hello-world/service.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: hello-world-service
namespace: demo
spec:
type: LoadBalancer
selector:
app: hello-world
ports:
- protocol: TCP
port: 8080
targetPort: 8080

5
terraform/pve1/cloud-init.tf
View file

@ -27,6 +27,9 @@ locals {
#!/bin/bash
set -e
source /etc/ansible-pull.conf
export K3S_TOKEN
export FORGEJO_TOKEN
export REPO_URL
WORK_DIR="/var/lib/ansible-local"
mkdir -p $WORK_DIR
cd $WORK_DIR
@ -48,7 +51,7 @@ locals {
},
{
path = "/etc/ansible-pull.conf"
content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}"
content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}\nK3S_TOKEN=${var.k3s_token}"
permissions = "0600"
},
{

10
terraform/pve1/variables.tf
View file

@ -54,9 +54,9 @@ variable "storage_pool" {
}
variable "k3s_server_1_storage_pool" {
description = "Storage pool for k3s-server-1 disk (linstor_storage for HA)"
description = "Storage pool for k3s-server-1 disk (local-nvme for acemagician)"
type = string
default = "linstor_storage"
default = "local-nvme"
}
variable "snippets_storage" {
@ -88,3 +88,9 @@ variable "k3s_server_1_config" {
disk_size = string
})
}
variable "k3s_token" {
description = "K3s cluster token"
type = string
sensitive = true
}

5
terraform/pve2/cloud-init.tf
View file

@ -27,6 +27,9 @@ locals {
#!/bin/bash
set -e
source /etc/ansible-pull.conf
export K3S_TOKEN
export FORGEJO_TOKEN
export REPO_URL
WORK_DIR="/var/lib/ansible-local"
mkdir -p $WORK_DIR
cd $WORK_DIR
@ -48,7 +51,7 @@ locals {
},
{
path = "/etc/ansible-pull.conf"
content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}"
content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}\nK3S_TOKEN=${var.k3s_token}"
permissions = "0600"
},
{

10
terraform/pve2/variables.tf
View file

@ -54,9 +54,9 @@ variable "storage_pool" {
}
variable "k3s_server_2_storage_pool" {
description = "Storage pool for k3s-server-2 disk (linstor_storage for HA)"
description = "Storage pool for k3s-server-2 disk (local-nvme for elitedesk)"
type = string
default = "linstor_storage"
default = "local-nvme"
}
variable "snippets_storage" {
@ -88,3 +88,9 @@ variable "k3s_server_2_config" {
disk_size = string
})
}
variable "k3s_token" {
description = "K3s cluster token"
type = string
sensitive = true
}

5
terraform/pve3/cloud-init.tf
View file

@ -27,6 +27,9 @@ locals {
#!/bin/bash
set -e
source /etc/ansible-pull.conf
export K3S_TOKEN
export FORGEJO_TOKEN
export REPO_URL
WORK_DIR="/var/lib/ansible-local"
mkdir -p $WORK_DIR
cd $WORK_DIR
@ -48,7 +51,7 @@ locals {
},
{
path = "/etc/ansible-pull.conf"
content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}"
content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}\nK3S_TOKEN=${var.k3s_token}"
permissions = "0600"
},
{

6
terraform/pve3/variables.tf
View file

@ -88,3 +88,9 @@ variable "etcd_witness_config" {
disk_size = string
})
}
variable "k3s_token" {
description = "K3s cluster token"
type = string
sensitive = true
}

14
terraform/terraform.tfvars.example
View file

@ -1,44 +1,36 @@
# Copy this file to terraform.tfvars and fill in your values
# Proxmox Configuration
proxmox_api_url = "https://192.168.100.10:8006/api2/json"
proxmox_token_id = "root@pam!opentofu"
proxmox_token_secret = "your-proxmox-token-secret"
proxmox_tls_insecure = true
# SSH Access
ssh_public_key = "ssh-ed25519 AAAAC3... your-email@example.com"
# Forgejo Configuration
forgejo_token = "your-forgejo-token"
forgejo_repo_url = "ssh://git@forgejo.tellserv.fr:222/Tellsanguis/infra.git"
# K3s Version
k3s_version = "v1.28.5+k3s1"
k3s_token = "your-k3s-cluster-token"
# Template and Storage
ubuntu_template = "ubuntu-2404-cloudinit"
storage_pool = "linstor_storage"
snippets_storage = "local"
# Network
k3s_network_bridge = "k3s"
k3s_gateway = "10.100.20.1"
k3s_dns = ["10.100.20.1", "1.1.1.1"]
# VM Configurations
k3s_server_1_config = {
ip = "10.100.20.10/24"
cores = 6
memory = 12288
disk_size = "100G"
disk_size = "40G"
}
k3s_server_2_config = {
ip = "10.100.20.20/24"
cores = 6
memory = 12288
disk_size = "100G"
disk_size = "40G"
}
etcd_witness_config = {