feat: Commit initial

terraform/.gitignore

@@ -0,0 +1,15 @@
+# Terraform files
+.terraform/
+.terraform.lock.hcl
+terraform.tfstate
+terraform.tfstate.backup
+*.tfplan
+*.tfvars
+!terraform.tfvars.example
+
+# Generated cloud-init files
+.generated/
+
+# Sensitive files
+*.pem
+*.key

terraform/pve1/cloud-init.tf

@@ -0,0 +1,70 @@
+# Cloud-init configuration for K3s Server 1
+locals {
+  base_user_data = {
+    package_upgrade = true
+    packages = [
+      "ansible",
+      "git",
+      "curl",
+      "wget",
+      "ca-certificates",
+      "gnupg",
+      "lsb-release"
+    ]
+    users = [
+      {
+        name                = "ansible"
+        sudo                = "ALL=(ALL) NOPASSWD:ALL"
+        shell               = "/bin/bash"
+        ssh_authorized_keys = [var.ssh_public_key]
+        groups              = "sudo"
+      }
+    ]
+    timezone = "Europe/Paris"
+  }
+
+  ansible_pull_script = <<-EOT
+    #!/bin/bash
+    set -e
+    source /etc/ansible-pull.conf
+    WORK_DIR="/var/lib/ansible-local"
+    mkdir -p $WORK_DIR
+    cd $WORK_DIR
+    REPO_WITH_AUTH=$(echo $REPO_URL | sed "s|https://|https://git:$FORGEJO_TOKEN@|")
+    if [ -d ".git" ]; then
+      git pull origin main 2>&1 | logger -t ansible-pull
+    else
+      git clone $REPO_WITH_AUTH . 2>&1 | logger -t ansible-pull
+    fi
+    ansible-playbook ansible/site.yml -i localhost, --connection=local -e "k3s_version=$K3S_VERSION" 2>&1 | logger -t ansible-pull
+  EOT
+
+  k3s_server_user_data = {
+    write_files = [
+      {
+        path        = "/etc/node-role"
+        content     = "server"
+        permissions = "0644"
+      },
+      {
+        path        = "/etc/ansible-pull.conf"
+        content     = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}"
+        permissions = "0600"
+      },
+      {
+        path        = "/usr/local/bin/ansible-pull-wrapper.sh"
+        content     = local.ansible_pull_script
+        permissions = "0755"
+      }
+    ]
+    runcmd = [
+      "echo '*/15 * * * * root /usr/local/bin/ansible-pull-wrapper.sh' > /etc/cron.d/ansible-pull",
+      "sleep 60 && /usr/local/bin/ansible-pull-wrapper.sh &"
+    ]
+  }
+}
+
+resource "local_file" "k3s_server_cloud_init" {
+  filename = "${path.module}/.generated/cloud-init-k3s-server-1.yaml"
+  content  = yamlencode(merge(local.base_user_data, local.k3s_server_user_data))
+}

terraform/pve1/main.tf

@@ -0,0 +1,64 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    proxmox = {
+      source  = "telmate/proxmox"
+      version = "~> 3.0"
+    }
+    local = {
+      source = "hashicorp/local"
+      version = "~> 2.1"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_api_url          = var.proxmox_api_url
+  pm_api_token_id     = var.proxmox_token_id
+  pm_api_token_secret = var.proxmox_token_secret
+  pm_tls_insecure     = var.proxmox_tls_insecure
+}
+
+# K3s Server VM on pve1
+resource "proxmox_vm_qemu" "k3s_server_1" {
+  name        = "k3s-server-1"
+  target_node = "pve1"
+  clone       = var.ubuntu_template
+
+  cores   = var.k3s_server_1_config.cores
+  sockets = 1
+  memory  = var.k3s_server_1_config.memory
+  agent   = 1
+
+  boot    = "order=scsi0"
+  scsihw  = "virtio-scsi-single"
+  onboot  = true
+
+  network {
+    model  = "virtio"
+    bridge = var.k3s_network_bridge
+  }
+
+  disks {
+    scsi {
+      scsi0 {
+        disk {
+          size    = var.k3s_server_1_config.disk_size
+          storage = var.storage_pool
+          iothread = true
+        }
+      }
+    }
+  }
+
+  ipconfig0 = "ip=${var.k3s_server_1_config.ip},gw=${var.k3s_gateway}"
+  cicustom  = "user=${var.snippets_storage}:snippets/cloud-init-k3s-server-1.yaml"
+  nameserver = join(" ", var.k3s_dns)
+
+  lifecycle {
+    ignore_changes = [ network ]
+  }
+
+  depends_on = [local_file.k3s_server_cloud_init]
+}

terraform/pve1/outputs.tf

@@ -0,0 +1,8 @@
+output "k3s_server_1" {
+  description = "K3s Server 1 VM information"
+  value = {
+    name = proxmox_vm_qemu.k3s_server_1.name
+    ip   = var.k3s_server_1_config.ip
+    node = proxmox_vm_qemu.k3s_server_1.target_node
+  }
+}

terraform/pve1/variables.tf

@@ -0,0 +1,84 @@
+variable "proxmox_api_url" {
+  description = "Proxmox API URL"
+  type        = string
+  default     = "https://192.168.100.10:8006/api2/json"
+}
+
+variable "proxmox_token_id" {
+  description = "Proxmox API Token ID"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_token_secret" {
+  description = "Proxmox API Token Secret"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_tls_insecure" {
+  description = "Skip TLS verification for Proxmox API"
+  type        = bool
+  default     = true
+}
+
+variable "ssh_public_key" {
+  description = "SSH public key for admin access"
+  type        = string
+}
+
+variable "forgejo_token" {
+  description = "Forgejo token for ansible-pull authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "forgejo_repo_url" {
+  description = "Forgejo repository URL (without credentials)"
+  type        = string
+}
+
+variable "k3s_version" {
+  description = "K3s version to install"
+  type        = string
+}
+
+variable "ubuntu_template" {
+  description = "Ubuntu cloud-init template name"
+  type        = string
+}
+
+variable "storage_pool" {
+  description = "Proxmox storage pool for VM disks"
+  type        = string
+}
+
+variable "snippets_storage" {
+  description = "Proxmox storage for cloud-init snippets"
+  type        = string
+}
+
+variable "k3s_network_bridge" {
+  description = "SDN bridge for K3s VMs"
+  type        = string
+}
+
+variable "k3s_gateway" {
+  description = "Gateway for K3s network"
+  type        = string
+}
+
+variable "k3s_dns" {
+  description = "DNS servers for K3s network"
+  type        = list(string)
+}
+
+variable "k3s_server_1_config" {
+  description = "K3s server-1 VM configuration"
+  type = object({
+    ip        = string
+    cores     = number
+    memory    = number
+    disk_size = string
+  })
+}

terraform/pve2/cloud-init.tf

@@ -0,0 +1,70 @@
+# Cloud-init configuration for K3s Server 2
+locals {
+  base_user_data = {
+    package_upgrade = true
+    packages = [
+      "ansible",
+      "git",
+      "curl",
+      "wget",
+      "ca-certificates",
+      "gnupg",
+      "lsb-release"
+    ]
+    users = [
+      {
+        name                = "ansible"
+        sudo                = "ALL=(ALL) NOPASSWD:ALL"
+        shell               = "/bin/bash"
+        ssh_authorized_keys = [var.ssh_public_key]
+        groups              = "sudo"
+      }
+    ]
+    timezone = "Europe/Paris"
+  }
+
+  ansible_pull_script = <<-EOT
+    #!/bin/bash
+    set -e
+    source /etc/ansible-pull.conf
+    WORK_DIR="/var/lib/ansible-local"
+    mkdir -p $WORK_DIR
+    cd $WORK_DIR
+    REPO_WITH_AUTH=$(echo $REPO_URL | sed "s|https://|https://git:$FORGEJO_TOKEN@|")
+    if [ -d ".git" ]; then
+      git pull origin main 2>&1 | logger -t ansible-pull
+    else
+      git clone $REPO_WITH_AUTH . 2>&1 | logger -t ansible-pull
+    fi
+    ansible-playbook ansible/site.yml -i localhost, --connection=local -e "k3s_version=$K3S_VERSION" 2>&1 | logger -t ansible-pull
+  EOT
+
+  k3s_server_user_data = {
+    write_files = [
+      {
+        path        = "/etc/node-role"
+        content     = "server"
+        permissions = "0644"
+      },
+      {
+        path        = "/etc/ansible-pull.conf"
+        content     = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}"
+        permissions = "0600"
+      },
+      {
+        path        = "/usr/local/bin/ansible-pull-wrapper.sh"
+        content     = local.ansible_pull_script
+        permissions = "0755"
+      }
+    ]
+    runcmd = [
+      "echo '*/15 * * * * root /usr/local/bin/ansible-pull-wrapper.sh' > /etc/cron.d/ansible-pull",
+      "sleep 60 && /usr/local/bin/ansible-pull-wrapper.sh &"
+    ]
+  }
+}
+
+resource "local_file" "k3s_server_cloud_init" {
+  filename = "${path.module}/.generated/cloud-init-k3s-server-2.yaml"
+  content  = yamlencode(merge(local.base_user_data, local.k3s_server_user_data))
+}

terraform/pve2/main.tf

@@ -0,0 +1,64 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    proxmox = {
+      source  = "telmate/proxmox"
+      version = "~> 3.0"
+    }
+    local = {
+      source = "hashicorp/local"
+      version = "~> 2.1"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_api_url          = var.proxmox_api_url
+  pm_api_token_id     = var.proxmox_token_id
+  pm_api_token_secret = var.proxmox_token_secret
+  pm_tls_insecure     = var.proxmox_tls_insecure
+}
+
+# K3s Server VM on pve2
+resource "proxmox_vm_qemu" "k3s_server_2" {
+  name        = "k3s-server-2"
+  target_node = "pve2"
+  clone       = var.ubuntu_template
+
+  cores   = var.k3s_server_2_config.cores
+  sockets = 1
+  memory  = var.k3s_server_2_config.memory
+  agent   = 1
+
+  boot    = "order=scsi0"
+  scsihw  = "virtio-scsi-single"
+  onboot  = true
+
+  network {
+    model  = "virtio"
+    bridge = var.k3s_network_bridge
+  }
+
+  disks {
+    scsi {
+      scsi0 {
+        disk {
+          size    = var.k3s_server_2_config.disk_size
+          storage = var.storage_pool
+          iothread = true
+        }
+      }
+    }
+  }
+
+  ipconfig0 = "ip=${var.k3s_server_2_config.ip},gw=${var.k3s_gateway}"
+  cicustom  = "user=${var.snippets_storage}:snippets/cloud-init-k3s-server-2.yaml"
+  nameserver = join(" ", var.k3s_dns)
+
+  lifecycle {
+    ignore_changes = [ network ]
+  }
+
+  depends_on = [local_file.k3s_server_cloud_init]
+}

terraform/pve2/outputs.tf

@@ -0,0 +1,8 @@
+output "k3s_server_2" {
+  description = "K3s Server 2 VM information"
+  value = {
+    name = proxmox_vm_qemu.k3s_server_2.name
+    ip   = var.k3s_server_2_config.ip
+    node = proxmox_vm_qemu.k3s_server_2.target_node
+  }
+}

terraform/pve2/variables.tf

@@ -0,0 +1,84 @@
+variable "proxmox_api_url" {
+  description = "Proxmox API URL"
+  type        = string
+  default     = "https://192.168.100.10:8006/api2/json"
+}
+
+variable "proxmox_token_id" {
+  description = "Proxmox API Token ID"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_token_secret" {
+  description = "Proxmox API Token Secret"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_tls_insecure" {
+  description = "Skip TLS verification for Proxmox API"
+  type        = bool
+  default     = true
+}
+
+variable "ssh_public_key" {
+  description = "SSH public key for admin access"
+  type        = string
+}
+
+variable "forgejo_token" {
+  description = "Forgejo token for ansible-pull authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "forgejo_repo_url" {
+  description = "Forgejo repository URL (without credentials)"
+  type        = string
+}
+
+variable "k3s_version" {
+  description = "K3s version to install"
+  type        = string
+}
+
+variable "ubuntu_template" {
+  description = "Ubuntu cloud-init template name"
+  type        = string
+}
+
+variable "storage_pool" {
+  description = "Proxmox storage pool for VM disks"
+  type        = string
+}
+
+variable "snippets_storage" {
+  description = "Proxmox storage for cloud-init snippets"
+  type        = string
+}
+
+variable "k3s_network_bridge" {
+  description = "SDN bridge for K3s VMs"
+  type        = string
+}
+
+variable "k3s_gateway" {
+  description = "Gateway for K3s network"
+  type        = string
+}
+
+variable "k3s_dns" {
+  description = "DNS servers for K3s network"
+  type        = list(string)
+}
+
+variable "k3s_server_2_config" {
+  description = "K3s server-2 VM configuration"
+  type = object({
+    ip        = string
+    cores     = number
+    memory    = number
+    disk_size = string
+  })
+}

terraform/pve3/cloud-init.tf

@@ -0,0 +1,70 @@
+# Cloud-init configuration for etcd-witness
+locals {
+  base_user_data = {
+    package_upgrade = true
+    packages = [
+      "ansible",
+      "git",
+      "curl",
+      "wget",
+      "ca-certificates",
+      "gnupg",
+      "lsb-release"
+    ]
+    users = [
+      {
+        name                = "ansible"
+        sudo                = "ALL=(ALL) NOPASSWD:ALL"
+        shell               = "/bin/bash"
+        ssh_authorized_keys = [var.ssh_public_key]
+        groups              = "sudo"
+      }
+    ]
+    timezone = "Europe/Paris"
+  }
+
+  ansible_pull_script = <<-EOT
+    #!/bin/bash
+    set -e
+    source /etc/ansible-pull.conf
+    WORK_DIR="/var/lib/ansible-local"
+    mkdir -p $WORK_DIR
+    cd $WORK_DIR
+    REPO_WITH_AUTH=$(echo $REPO_URL | sed "s|https://|https://git:$FORGEJO_TOKEN@|")
+    if [ -d ".git" ]; then
+      git pull origin main 2>&1 | logger -t ansible-pull
+    else
+      git clone $REPO_WITH_AUTH . 2>&1 | logger -t ansible-pull
+    fi
+    ansible-playbook ansible/site.yml -i localhost, --connection=local -e "k3s_version=$K3S_VERSION" 2>&1 | logger -t ansible-pull
+  EOT
+
+  etcd_witness_user_data = {
+    write_files = [
+      {
+        path        = "/etc/node-role"
+        content     = "witness"
+        permissions = "0644"
+      },
+      {
+        path        = "/etc/ansible-pull.conf"
+        content     = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}"
+        permissions = "0600"
+      },
+      {
+        path        = "/usr/local/bin/ansible-pull-wrapper.sh"
+        content     = local.ansible_pull_script
+        permissions = "0755"
+      }
+    ]
+    runcmd = [
+      "echo '*/15 * * * * root /usr/local/bin/ansible-pull-wrapper.sh' > /etc/cron.d/ansible-pull",
+      "sleep 60 && /usr/local/bin/ansible-pull-wrapper.sh &"
+    ]
+  }
+}
+
+resource "local_file" "etcd_witness_cloud_init" {
+  filename = "${path.module}/.generated/cloud-init-etcd-witness.yaml"
+  content  = yamlencode(merge(local.base_user_data, local.etcd_witness_user_data))
+}

terraform/pve3/main.tf

@@ -0,0 +1,64 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    proxmox = {
+      source  = "telmate/proxmox"
+      version = "~> 3.0"
+    }
+    local = {
+      source = "hashicorp/local"
+      version = "~> 2.1"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_api_url          = var.proxmox_api_url
+  pm_api_token_id     = var.proxmox_token_id
+  pm_api_token_secret = var.proxmox_token_secret
+  pm_tls_insecure     = var.proxmox_tls_insecure
+}
+
+# etcd Witness VM on pve3
+resource "proxmox_vm_qemu" "etcd_witness" {
+  name        = "etcd-witness"
+  target_node = "pve3"
+  clone       = var.ubuntu_template
+
+  cores   = var.etcd_witness_config.cores
+  sockets = 1
+  memory  = var.etcd_witness_config.memory
+  agent   = 1
+
+  boot    = "order=scsi0"
+  scsihw  = "virtio-scsi-single"
+  onboot  = true
+
+  network {
+    model  = "virtio"
+    bridge = var.k3s_network_bridge
+  }
+
+  disks {
+    scsi {
+      scsi0 {
+        disk {
+          size    = var.etcd_witness_config.disk_size
+          storage = var.storage_pool
+          iothread = true
+        }
+      }
+    }
+  }
+
+  ipconfig0 = "ip=${var.etcd_witness_config.ip},gw=${var.k3s_gateway}"
+  cicustom  = "user=${var.snippets_storage}:snippets/cloud-init-etcd-witness.yaml"
+  nameserver = join(" ", var.k3s_dns)
+
+  lifecycle {
+    ignore_changes = [ network ]
+  }
+
+  depends_on = [local_file.etcd_witness_cloud_init]
+}

terraform/pve3/outputs.tf

@@ -0,0 +1,8 @@
+output "etcd_witness" {
+  description = "etcd Witness VM information"
+  value = {
+    name = proxmox_vm_qemu.etcd_witness.name
+    ip   = var.etcd_witness_config.ip
+    node = proxmox_vm_qemu.etcd_witness.target_node
+  }
+}

terraform/pve3/variables.tf

@@ -0,0 +1,84 @@
+variable "proxmox_api_url" {
+  description = "Proxmox API URL"
+  type        = string
+  default     = "https://192.168.100.10:8006/api2/json"
+}
+
+variable "proxmox_token_id" {
+  description = "Proxmox API Token ID"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_token_secret" {
+  description = "Proxmox API Token Secret"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_tls_insecure" {
+  description = "Skip TLS verification for Proxmox API"
+  type        = bool
+  default     = true
+}
+
+variable "ssh_public_key" {
+  description = "SSH public key for admin access"
+  type        = string
+}
+
+variable "forgejo_token" {
+  description = "Forgejo token for ansible-pull authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "forgejo_repo_url" {
+  description = "Forgejo repository URL (without credentials)"
+  type        = string
+}
+
+variable "k3s_version" {
+  description = "K3s version to install"
+  type        = string
+}
+
+variable "ubuntu_template" {
+  description = "Ubuntu cloud-init template name"
+  type        = string
+}
+
+variable "storage_pool" {
+  description = "Proxmox storage pool for VM disks"
+  type        = string
+}
+
+variable "snippets_storage" {
+  description = "Proxmox storage for cloud-init snippets"
+  type        = string
+}
+
+variable "k3s_network_bridge" {
+  description = "SDN bridge for K3s VMs"
+  type        = string
+}
+
+variable "k3s_gateway" {
+  description = "Gateway for K3s network"
+  type        = string
+}
+
+variable "k3s_dns" {
+  description = "DNS servers for K3s network"
+  type        = list(string)
+}
+
+variable "etcd_witness_config" {
+  description = "etcd witness VM configuration"
+  type = object({
+    ip        = string
+    cores     = number
+    memory    = number
+    disk_size = string
+  })
+}

terraform/terraform.tfvars.example

@@ -0,0 +1,28 @@
+# Copy this file to terraform.tfvars and fill in your values
+
+# Proxmox Configuration
+proxmox_api_url          = "https://192.168.100.10:8006/api2/json"
+proxmox_token_id         = "root@pam!terraform"
+proxmox_token_secret     = "your-proxmox-token-secret"
+proxmox_tls_insecure     = true
+
+# SSH Access
+ssh_public_key = "ssh-ed25519 AAAAC3... your-email@example.com"
+
+# Forgejo Configuration
+forgejo_token    = "your-forgejo-token"
+forgejo_repo_url = "ssh://git@forgejo.tellserv.fr:222/Tellsanguis/infra.git"
+
+# K3s Version
+k3s_version = "v1.28.5+k3s1"
+
+# Template and Storage
+ubuntu_template     = "ubuntu-2204-cloudinit"
+storage_pool        = "local-lvm"
+snippets_storage    = "local"
+
+# Network
+k3s_network_bridge = "k3s"
+management_bridge  = "vmbr0"
+k3s_gateway        = "10.100.20.1"
+k3s_dns            = ["10.100.20.1", "1.1.1.1"]