refactor(edge_vps): reorganize certificate files

.gitignore

@@ -0,0 +1 @@
+.worktrees/

README.md

@@ -1,7 +1,6 @@
 # TuDatTr IaC
 
-**I do not recommend this project being used for ones own infrastructure, as
-this project is heavily attuned to my specific host/network setup**
+**I do not recommend this project being used for one's own infrastructure, as this project is heavily attuned to my specific host/network setup.**
 
 This Ansible project automates the setup of a K3s Kubernetes cluster on Proxmox VE. It also includes playbooks for configuring Docker hosts, load balancers, and other services.
 
@@ -41,6 +40,7 @@ The following roles are defined:
 - `kubernetes_argocd`: Deploys Argo CD to the Kubernetes cluster.
 - `node_exporter`: Installs the Prometheus Node Exporter for monitoring.
 - `reverse_proxy`: Configures a Caddy-based reverse proxy.
+- `edge_vps`: Placeholder role for Edge VPS configuration.
 
 ## Usage
 

changelog.md

@@ -0,0 +1,75 @@
+# Changelog
+
+Technical evolution of the infrastructure stack, tracking the migration from standalone Docker hosts to a fully automated, GitOps-managed Kubernetes cluster.
+
+## Phase 5: GitOps & Cluster Hardening (July 2025 - Present)
+
+*Shifted control plane management to ArgoCD and expanded storage capabilities.*
+
+- **GitOps Implementation**:
+  - Deployed **ArgoCD** in an App-of-Apps pattern to manage cluster state (`89c51aa`).
+  - Integrated **Sealed Secrets** (implied via vault diffs) and **Cert-Manager** for automated TLS management (`76000f8`).
+  - Migrated core services (Traefik, MetalLB) to Helm charts managed via ArgoCD manifests.
+- **Storage Architecture**:
+  - Implemented **Longhorn** with iSCSI support for distributed block storage (`48aec11`).
+  - Added **NFS Provisioner** (`e1a2248`) for ReadWriteMany volumes capabilities.
+- **Networking**:
+  - Centralized primary server IP logic (`97a5d6c`) to support HA control plane capability.
+  - Replaced Netcup DNS webhooks with **Cloudflare** for Caddy ACME challenges (`9cb90a8`).
+- **Observability**:
+  - Added **healthcheck** definitions to Docker Compose services (`0e8e07e`) and K3s probes.
+
+## Phase 4: IaaC Refactoring & Proxmox API Integration (Nov 2024 - June 2025)
+
+*Refactored Ansible roles for modularity and implemented Proxmox API automation for "click-less" provisioning.*
+
+- **Proxmox Automation**:
+  - Developed `roles/proxmox` to interface with Proxmox API: automated VM creation, cloning from templates, and Cloud-Init injection (`f2ea03b`).
+  - Configured **PCI Passthrough** (`591342f`) and hardware acceleration for media transcoding nodes.
+  - Added cron-based VM state reconciliation (`a1da69a`).
+- **Ansible Restructuring**:
+  - **Inventory Refactor**: Moved from root-level inventory files to a hierarchical `vars/` structure (`609e000`).
+  - **Linting Pipeline**: Integrated `ansible-lint` and `pre-commit` hooks (`6eef96b`) to enforce YAML standards and best practices.
+  - **Vault Security**: Configured `.gitattributes` to enable `ansible-vault view` for cleartext diffs in git (`c3905ed`).
+- **Identity Management**:
+  - Deployed **Keycloak** (`42196a3`) for OIDC/SAML authentication across the stack.
+
+## Phase 3: The Kubernetes Migration (Sep 2024 - Oct 2024)
+
+*Architectural pivot from Docker Compose to K3s.*
+
+- **Control Plane Setup**:
+  - Bootstrapped **K3s** cluster with dedicated server/agent split.
+  - Configured **HAProxy/Nginx** load balancers (`51a49d0`) for API server high availability.
+- **Node Provisioning**:
+  - Standardized node bootstrapping (kernel modules, sysctl params) for K3s compatibility.
+  - Deployed specialized storage nodes for Longhorn (`7d58de9`).
+- **Decommissioning**:
+  - Drained and removed legacy Docker hosts (`0aed818`).
+  - Migrated stateful workloads (Postgres) to cluster-managed resources.
+
+## Phase 2: Docker Service Expansion (2023 - 2024)
+
+*Vertical scaling of Docker hosts and introduction of the monitoring stack.*
+
+- **Service Stack**:
+  - Deployed the **\*arr suite** (Sonarr, Radarr, etc.) and Jellyfin with hardware mapping (`3d7f143`).
+  - Integrated **Paperless-ngx** with Redis and Tika consumption (`3f88065`).
+  - Self-hosted **Gitea** and **GitLab** (later removed) for source control.
+- **Observability V1**:
+  - Deployed **Prometheus** and **Grafana** stack (`b3ae5ef`).
+  - Added **Node Exporter** and **SmartCTL Exporter** (`0a361d9`) to bare metal hosts.
+  - Implemented **Uptime Kuma** for external availability monitoring.
+- **Reverse Proxy**:
+  - Transitioned ingress from Traefik v2 to **Nginx Proxy Manager**, then to **Caddy** for simpler configuration management (`a9af3c7`, `1a1b8cb`).
+
+## Phase 1: Genesis & Networking (Late 2022)
+
+*Initial infrastructure bring-up.*
+
+- **Base Configuration**:
+  - Established Ansible role structure for baseline system hardening (SSH, users, packages).
+  - Configured **Wireguard** mesh for secure inter-node communication (`2ba4259`).
+  - Set up **Backblaze B2** offsite backups via Restic/Rclone (`b371e24`).
+- **Network**:
+  - Experimented with **macvlan** Docker networks for direct container IP assignment.

roles/common/README.md

@@ -1,6 +1,6 @@
 # Ansible Role: common
 
-This role configures a baseline set of common configurations for Debian-based systems.
+This role configures a baseline set of common configurations for Debian-based systems, including time synchronization, essential packages, hostname, and specific developer tools.
 
 ## Requirements
 
@@ -11,33 +11,56 @@ None.
 Available variables are listed below, along with default values (see `vars/main.yml`):
 
 ```yaml
+# A list of common packages to install via apt.
+common_packages:
+  - build-essential
+  - curl
+  - git
+  - iperf3
+  - neovim
+  - rsync
+  - smartmontools
+  - sudo
+  - systemd-timesyncd
+  - tree
+  - screen
+  - bat
+  - fd-find
+  - ripgrep
+  - nfs-common
+  - open-iscsi
+  - parted
+
 # The hostname to configure.
 hostname: "new-host"
-
-# A list of extra packages to install.
-extra_packages:
-  - "htop"
-  - "ncdu"
-  - "stow"
-  - "unzip"
 ```
 
+## Tasks
+
+The role performs the following tasks:
+
+1.  **Configure Time**: Sets up `systemd-timesyncd` and timezone.
+2.  **Configure Packages**: Installs the list of `common_packages`.
+3.  **Configure Hostname**: Sets the system hostname.
+4.  **Configure Extra-Packages**:
+    - Installs `eza` (modern ls replacement).
+    - Installs `bottom` (process viewer).
+    - Installs `neovim` from AppImage and clones a custom configuration.
+5.  **Configure Bash**: Sets up bash aliases and prompt.
+6.  **Configure SSH**: Configures `sshd_config` for security.
+
 ## Dependencies
 
 None.
 
 ## Example Playbook
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
 ```yaml
 - hosts: servers
   roles:
     - role: common
-      hostname: "my-new-host"
-      extra_packages:
-        - "vim"
-        - "curl"
+      vars:
+        hostname: "my-server"
 ```
 
 ## License

roles/docker_host/README.md

@@ -7,7 +7,7 @@ This role sets up a Docker host, installs Docker, and configures it according to
 ### General
 
 - `docker_host_package_common_dependencies`: A list of common packages to be installed on the host.
-  - Default: `nfs-common`, `firmware-misc-nonfree`, `linux-image-amd64`
+  - Default: `nfs-common`
 - `apt_lock_files`: A list of apt lock files to check.
 - `arch`: The architecture of the host.
   - Default: `arm64` if `ansible_architecture` is `aarch64`, otherwise `amd64`.
@@ -82,4 +82,4 @@ To use this role, include it in your playbook and set the required variables.
 
 ## License
 
-This project is licensed under the MIT License - see the [LICENSE.md](LICENSE.md) file for details.
+MIT

roles/edge_vps/README.md

@@ -0,0 +1,75 @@
+# Edge VPS
+
+Configures edge VPS instances with WireGuard VPN, Traefik reverse proxy, Pangolin, and Elastic Fleet Agent.
+
+## Requirements
+
+- Docker and Docker Compose installed
+- Ansible community.docker collection
+
+## Role Variables
+
+### WireGuard
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `edge_vps_wireguard_address` | `10.133.7.1/24` | WireGuard interface address |
+| `edge_vps_wireguard_port` | `61975` | WireGuard listen port |
+| `edge_vps_wireguard_interface` | `wg0` | WireGuard interface name |
+| `edge_vps_wireguard_routes` | `[]` | List of routes to add (network, gateway) |
+
+### Traefik
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `edge_vps_traefik_config_dir` | `/root/config/traefik` | Traefik config directory |
+| `edge_vps_acme_email` | - | Email for Let's Encrypt |
+
+### Pangolin
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `edge_vps_pangolin_dashboard_url` | - | Pangolin dashboard URL |
+| `edge_vps_pangolin_base_endpoint` | - | Pangolin base endpoint |
+| `edge_vps_pangolin_base_domain` | - | Base domain for Pangolin |
+
+### Elastic Agent
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `edge_vps_elastic_version` | `9.2.2` | Elastic Agent version |
+| `edge_vps_elastic_fleet_url` | - | Fleet server URL |
+| `edge_vps_elastic_dns_server` | `10.43.0.10` | DNS server for agent |
+
+## Secrets
+
+Store secrets in `vars/group_vars/vps/secrets.yaml` (ansible-vault encrypted):
+
+```yaml
+vault_edge_vps:
+  wireguard:
+    private_key: "..."
+    peers: [...]
+  pangolin:
+    server_secret: "..."
+  traefik:
+    cloudflare_api_token: "..."
+  elastic:
+    fleet_enrollment_token: "..."
+```
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+```yaml
+- hosts: vps
+  roles:
+    - role: edge_vps
+```
+
+## License
+
+MIT

roles/edge_vps/defaults/main.yaml

@@ -0,0 +1,11 @@
+---
+edge_vps_config_base: /root/config
+edge_vps_wireguard_config_dir: /etc/wireguard
+edge_vps_wireguard_interface: wg0
+edge_vps_wireguard_address: "10.133.7.1/24"
+edge_vps_wireguard_port: 61975
+edge_vps_traefik_config_dir: "{{ edge_vps_config_base }}/traefik"
+edge_vps_traefik_logs_dir: "{{ edge_vps_traefik_config_dir }}/logs"
+edge_vps_pangolin_config_dir: "{{ edge_vps_config_base }}/pangolin"
+edge_vps_elastic_config_dir: "{{ edge_vps_config_base }}/elastic-agent"
+edge_vps_elastic_state_dir: /var/lib/elastic-agent/elastic-system/elastic-agent/state

roles/edge_vps/files/elastic-agent/elasticsearch-ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVjCCAj6gAwIBAgIRAPcoBHrxSnovxGFQ44+7XiYwDQYJKoZIhvcNAQELBQAw
+NTEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEbMBkGA1UEAxMSZWxhc3RpY3NlYXJj
+aC1odHRwMB4XDTI2MDIwOTIxNDI0NVoXDTI3MDIwOTIxNTI0NVowNTEWMBQGA1UE
+CxMNZWxhc3RpY3NlYXJjaDEbMBkGA1UEAxMSZWxhc3RpY3NlYXJjaC1odHRwMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA48M932+yPFJkVg31G5f1jJ1g
+IevD+tujYp96De3MY/5QNEsW1R21VWwAobfSN+3NyInhjXT03IhXIwN21B0KPTtO
+c6cpOk0/nwmF0pHpK1PLaqvsfUsa4ffSRvwpsSA0rlEoF+ObBUuQ92ngvAXMN3wp
+PhcaNw9zbPidJoUjwzeaL3nmgnXQIBFRqYGi6l5LzVA0qVHXsNHi5LgXPN4wevWs
+49kn9xPYPXrYBMLxn7hPa9/OfRjUtru2ZoK7L1imr86tjppY0rk8GxIHF12eVf4t
+nGeDUMBuYe6mmUTTkFiwYmrwTzhfDlN82wZ+6cmYeDxpce2nbLBTMICJYOJmMwID
+AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHvrdY9Nbr77PnHkkEiD
+Y79yBXpkMA0GCSqGSIb3DQEBCwUAA4IBAQCS3X8dQYD89rrltR7HjrG4KCtG6uDY
+U3LYSu1KCBiwMIwYn6RZoI+6D7t16AOumwJC3AJ3/JFkGr7F+UqQSYIaAxYEeyzS
+c2oPzl52h1tbfKUS/550FhWqFuOG6m6SCFSUXe17ShPoomtBxvFjJr6fZLezKdoO
+CBZX0PzHCnU7axFLoNHqzl55koxVcyaY8OjcjvsuAP5zU77nF4sSoHtZ3VTprGWE
+xL3j+vFJ4++d516frWVY8L20mECOcDfLXEf3ngmK9j+8v7UwwpPxWe9MlLS+v7QH
+yBuAMUyKymN4zzhIVKSSYZmiwdkzwUIykffphymJVAQCDSXgX4RWPuKi
+-----END CERTIFICATE-----

roles/edge_vps/files/elastic-agent/fleet-ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAjqgAwIBAgIRANgLvsSqUxkRAC8fvlBQsn4wDQYJKoZIhvcNAQELBQAw
+MzEVMBMGA1UECxMMZmxlZXQtc2VydmVyMRowGAYDVQQDExFmbGVldC1zZXJ2ZXIt
+aHR0cDAeFw0yNjAyMDkyMTQyNDhaFw0yNzAyMDkyMTUyNDhaMDMxFTATBgNVBAsT
+DGZsZWV0LXNlcnZlcjEaMBgGA1UEAxMRZmxlZXQtc2VydmVyLWh0dHAwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0zbNbwm3YnaNKQbmHb/9fk5YadGop
+9d9n0VA7pYC32qST5/IsWAkTP/ulPfJwI+nA18tAqtBoLMncdpKP9YtMb1cgRNGe
+d9Fe1kItmIGxoYlQPx4vbbembyvlFFEu82/4tJtDkCR5TuP3ZdmGWazO+tGooMvL
+vkKy0qgQEDUIPTF1VFHcQa+qRvIerAKV81q2lVluVr/GNljoISsXgsoHXG2MDPDs
+RHX+XcQGFNlFG1MuiGApvrKSFsFTCxn8oM88waoI0t/D+y7T1WNwLRY+Fg6fivVh
+kNaIPuCswAIB0MLATtPDP85IjKMxEk5/cTz5R1jOsYz1OoIydkSN87tDAgMBAAGj
+YTBfMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUNRhWtaWRi0nubx9yz3tXMDaz
+2AIwDQYJKoZIhvcNAQELBQADggEBAFwFlEQ26vdbPtTv5gpIIRAZDcYAGtm6wx16
+/dqedcVXKSbKKPJq1OfHjYSfN3r3XGGLKTlui8v7Pkz/bqQyAONEC+4S33RX3MiT
+3zTu/SLHiOyHfdLn44Z8JUZ6xmK3mSfchngKLRlECHjNydzYtzJSj67CP7ARJhHo
+wOlQwH11EC+HLrhYBeW4si5L5jCnE9rpKQ4U+/MCLgpdWtHZ3G3PVFxBjL8JISLP
+ZZnHwCMK1LiuWtY3+n3S6BqDDgrQg0TsVA8X/tdEQKzoJb0hTwKrGpvy7CO42vLf
+X+h9iUG4QNve+QCT2Y7T9jNTaWamTHfZWFa6FD5CEgldqDJfEZw=
+-----END CERTIFICATE-----

roles/edge_vps/handlers/main.yaml

@@ -0,0 +1,12 @@
+---
+- name: Restart wireguard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ edge_vps_wireguard_interface }}"
+    state: restarted
+  listen: restart wireguard
+
+- name: Restart traefik
+  ansible.builtin.command:
+    cmd: docker compose restart
+    chdir: "{{ edge_vps_traefik_config_dir }}"
+  listen: restart traefik

roles/edge_vps/tasks/10_directories.yaml

@@ -0,0 +1,30 @@
+---
+- name: Create config base directory
+  ansible.builtin.file:
+    path: "{{ edge_vps_config_base }}"
+    state: directory
+    mode: "0755"
+
+- name: Create Traefik directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - "{{ edge_vps_traefik_config_dir }}"
+    - "{{ edge_vps_traefik_logs_dir }}"
+
+- name: Create Pangolin config directory
+  ansible.builtin.file:
+    path: "{{ edge_vps_pangolin_config_dir }}"
+    state: directory
+    mode: "0755"
+
+- name: Create Elastic Agent directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - "{{ edge_vps_elastic_config_dir }}"
+    - "{{ edge_vps_elastic_state_dir }}"

roles/edge_vps/tasks/20_wireguard.yaml

@@ -0,0 +1,19 @@
+---
+- name: Install WireGuard
+  ansible.builtin.apt:
+    name: wireguard
+    state: present
+    update_cache: true
+
+- name: Deploy WireGuard config
+  ansible.builtin.template:
+    src: wireguard/wg0.conf.j2
+    dest: "{{ edge_vps_wireguard_config_dir }}/{{ edge_vps_wireguard_interface }}.conf"
+    mode: "0600"
+  notify: restart wireguard
+
+- name: Enable WireGuard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ edge_vps_wireguard_interface }}"
+    enabled: true
+    state: started

roles/edge_vps/tasks/30_traefik.yaml

@@ -0,0 +1,15 @@
+---
+- name: Deploy Traefik config
+  ansible.builtin.template:
+    src: traefik/traefik_config.yml.j2
+    dest: "{{ edge_vps_traefik_config_dir }}/traefik_config.yml"
+    mode: "0644"
+  notify: restart traefik
+
+- name: Deploy Cloudflare credentials for ACME
+  ansible.builtin.copy:
+    content: |
+      CF_DNS_API_TOKEN={{ vault_edge_vps.traefik.cloudflare_api_token }}
+    dest: "{{ edge_vps_traefik_config_dir }}/cloudflare.env"
+    mode: "0600"
+  no_log: true

roles/edge_vps/tasks/40_pangolin.yaml

@@ -0,0 +1,24 @@
+---
+- name: Deploy Pangolin config
+  ansible.builtin.template:
+    src: pangolin/config.yml.j2
+    dest: "{{ edge_vps_pangolin_config_dir }}/config.yml"
+    mode: "0644"
+  notify: restart pangolin
+
+- name: Deploy Pangolin docker-compose
+  ansible.builtin.template:
+    src: pangolin/docker-compose.yml.j2
+    dest: "{{ edge_vps_pangolin_config_dir }}/docker-compose.yml"
+    mode: "0644"
+
+- name: Create letsencrypt directory for Pangolin
+  ansible.builtin.file:
+    path: "{{ edge_vps_pangolin_config_dir }}/letsencrypt"
+    state: directory
+    mode: "0755"
+
+- name: Start Pangolin
+  community.docker.docker_compose_v2:
+    project_src: "{{ edge_vps_pangolin_config_dir }}"
+    state: present

roles/edge_vps/tasks/50_elastic_agent.yaml

@@ -0,0 +1,29 @@
+---
+- name: Deploy Elastic Agent config
+  ansible.builtin.template:
+    src: elastic-agent/elastic-agent.yml.j2
+    dest: "{{ edge_vps_elastic_config_dir }}/elastic-agent.yml"
+    mode: "0644"
+
+- name: Deploy Elastic Agent docker-compose
+  ansible.builtin.template:
+    src: elastic-agent/docker-compose.yml.j2
+    dest: "{{ edge_vps_elastic_config_dir }}/docker-compose.yml"
+    mode: "0644"
+
+- name: Deploy Elasticsearch CA certificate
+  ansible.builtin.copy:
+    src: elastic-agent/elasticsearch-ca.crt
+    dest: "{{ edge_vps_elastic_config_dir }}/elasticsearch-ca.crt"
+    mode: "0644"
+
+- name: Deploy Fleet CA certificate
+  ansible.builtin.copy:
+    src: elastic-agent/fleet-ca.crt
+    dest: "{{ edge_vps_elastic_config_dir }}/fleet-ca.crt"
+    mode: "0644"
+
+- name: Start Elastic Agent
+  community.docker.docker_compose_v2:
+    project_src: "{{ edge_vps_elastic_config_dir }}"
+    state: present

roles/edge_vps/tasks/main.yaml

@@ -0,0 +1,15 @@
+---
+- name: Setup directories
+  ansible.builtin.include_tasks: 10_directories.yaml
+
+- name: Setup WireGuard
+  ansible.builtin.include_tasks: 20_wireguard.yaml
+
+- name: Setup Traefik
+  ansible.builtin.include_tasks: 30_traefik.yaml
+
+- name: Setup Pangolin
+  ansible.builtin.include_tasks: 40_pangolin.yaml
+
+- name: Setup Elastic Agent
+  ansible.builtin.include_tasks: 50_elastic_agent.yaml

roles/edge_vps/templates/elastic-agent/docker-compose.yml.j2

@@ -0,0 +1,42 @@
+services:
+  elastic-agent:
+    image: docker.elastic.co/elastic-agent/elastic-agent:{{ edge_vps_elastic_version }}
+    container_name: elastic-agent
+    restart: always
+    network_mode: host
+    dns:
+      - {{ edge_vps_elastic_dns_server }}
+    dns_search:
+      - elastic-system.svc.cluster.local
+      - svc.cluster.local
+      - cluster.local
+    user: "0:0"
+    privileged: true
+    entrypoint: ["/usr/bin/env", "bash", "-c"]
+    command:
+      - |
+        set -e
+        if [[ -f /mnt/elastic-internal/elasticsearch-association/elastic-system/elasticsearch/certs/ca.crt ]]; then
+          if [[ -f /usr/bin/update-ca-trust ]]; then
+            cp /mnt/elastic-internal/elasticsearch-association/elastic-system/elasticsearch/certs/ca.crt /etc/pki/ca-trust/source/anchors/
+            /usr/bin/update-ca-trust
+          elif [[ -f /usr/sbin/update-ca-certificates ]]; then
+            cp /mnt/elastic-internal/elasticsearch-association/elastic-system/elasticsearch/certs/ca.crt /usr/local/share/ca-certificates/
+            /usr/sbin/update-ca-certificates
+          fi
+        fi
+        exec /usr/bin/tini -- /usr/local/bin/docker-entrypoint -e -c /etc/agent/elastic-agent.yml
+    environment:
+      - FLEET_CA=/mnt/elastic-internal/fleetserver-association/elastic-system/fleet-server/certs/ca.crt
+      - FLEET_ENROLL=true
+      - FLEET_ENROLLMENT_TOKEN={{ vault_edge_vps.elastic.fleet_enrollment_token }}
+      - FLEET_URL={{ edge_vps_elastic_fleet_url }}
+      - STATE_PATH=/usr/share/elastic-agent/state
+      - CONFIG_PATH=/usr/share/elastic-agent/state
+      - NODE_NAME={{ inventory_hostname }}
+    volumes:
+      - {{ edge_vps_elastic_state_dir }}:/usr/share/elastic-agent/state
+      - ./elastic-agent.yml:/etc/agent/elastic-agent.yml:ro
+      - ./elasticsearch-ca.crt:/mnt/elastic-internal/elasticsearch-association/elastic-system/elasticsearch/certs/ca.crt:ro
+      - ./fleet-ca.crt:/mnt/elastic-internal/fleetserver-association/elastic-system/fleet-server/certs/ca.crt:ro
+      - {{ edge_vps_traefik_logs_dir }}:/var/log/traefik:ro

roles/edge_vps/templates/elastic-agent/elastic-agent.yml.j2

@@ -0,0 +1,2 @@
+fleet:
+  enabled: true

roles/edge_vps/templates/pangolin/config.yml.j2

@@ -0,0 +1,28 @@
+gerbil:
+    start_port: 51820
+    base_endpoint: "{{ edge_vps_pangolin_base_endpoint }}"
+
+app:
+    dashboard_url: "{{ edge_vps_pangolin_dashboard_url }}"
+    log_level: "info"
+    telemetry:
+        anonymous_usage: true
+
+domains:
+    domain1:
+        base_domain: "{{ edge_vps_pangolin_base_domain }}"
+
+server:
+    secret: "{{ vault_edge_vps.pangolin.server_secret }}"
+    cors:
+        origins: ["{{ edge_vps_pangolin_dashboard_url }}"]
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
+        credentials: false
+    maxmind_db_path: "./config/GeoLite2-Country.mmdb"
+
+flags:
+    require_email_verification: false
+    disable_signup_without_invite: true
+    disable_user_create_org: false
+    allow_raw_resources: true

roles/edge_vps/templates/pangolin/docker-compose.yml.j2

@@ -0,0 +1,25 @@
+services:
+  pangolin:
+    image: fosrl/pangolin:latest
+    container_name: pangolin
+    restart: unless-stopped
+    ports:
+      - "3001:3001"
+      - "443:443"
+      - "80:80"
+    volumes:
+      - ./config.yml:/app/config/config.yml:ro
+      - ./letsencrypt:/letsencrypt
+    depends_on:
+      - gerbil
+
+  gerbil:
+    image: fosrl/gerbil:latest
+    container_name: gerbil
+    restart: unless-stopped
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    volumes:
+      - /lib/modules:/lib/modules

roles/edge_vps/templates/traefik/traefik_config.yml.j2

@@ -0,0 +1,57 @@
+api:
+  insecure: true
+  dashboard: true
+
+providers:
+  http:
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
+  file:
+    filename: "/etc/traefik/dynamic_config.yml"
+
+experimental:
+  plugins:
+    badger:
+      moduleName: "github.com/fosrl/badger"
+      version: "v1.2.1"
+
+log:
+  level: "INFO"
+  format: "common"
+  maxSize: 100
+  maxBackups: 3
+  maxAge: 3
+  compress: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      dnsChallenge:
+        provider: "cloudflare"
+      email: "{{ edge_vps_acme_email }}"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    transport:
+      respondingTimeouts:
+        readTimeout: "30m"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+  tcp-6443:
+    address: ":6443/tcp"
+
+serversTransport:
+  insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  format: common

roles/edge_vps/templates/wireguard/wg0.conf.j2

@@ -0,0 +1,25 @@
+[Interface]
+Address = {{ edge_vps_wireguard_address }}
+ListenPort = {{ edge_vps_wireguard_port }}
+PrivateKey = {{ vault_edge_vps.wireguard.private_key }}
+
+PostUp   = sysctl -w net.ipv4.ip_forward=1
+PostUp   = iptables -A FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostUp   = iptables -A FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostUp   = ip route add {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+PostDown = iptables -D FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostDown = iptables -D FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostDown = ip route del {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+
+{% for peer in vault_edge_vps.wireguard.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+PresharedKey = {{ peer.preshared_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+
+{% endfor %}

roles/kubernetes_argocd/README.md

@@ -20,7 +20,7 @@ Available variables are listed below, along with default values (see `defaults/m
 The following tasks are performed by this role:
 
 - **Install ArgoCD**: Creates the ArgoCD namespace and applies the installation manifests.
-- **Apply ArgoCD Ingress**: Applies an Ingress resource for the ArgoCD server. **Note:** The template file `ingress.yml.j2` is missing from the role.
+- **Apply ArgoCD Ingress**: Applies an Ingress resource for the ArgoCD server. **Note:** The template file `ingress.yaml.j2` is missing from `templates/`.
 - **Apply ArgoCD CM**: Applies a ConfigMap with command parameters for ArgoCD.
 - **Apply ArgoCD repository**: Creates a Secret with Git repository credentials.
 - **Apply ArgoCD Root Application**: Creates a root Application resource for ArgoCD.

roles/node_exporter/README.md

@@ -0,0 +1,37 @@
+# Node Exporter
+
+This role installs and configures the Prometheus Node Exporter on target hosts.
+
+## Requirements
+
+None.
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `vars/main.yaml`):
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `version` | `latest` | The version of Node Exporter to install. |
+| `bind_port` | `9100` | The port Node Exporter will listen on. |
+| `serve` | `localhost` | The address to bind to. |
+| `options` | `""` | Additional command-line options for Node Exporter. |
+| `bin_path` | `/usr/local/bin/node_exporter` | Installation path for the binary. |
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+```yaml
+- hosts: all
+  roles:
+    - role: node_exporter
+      vars:
+        version: "1.5.0"
+```
+
+## License
+
+MIT

vars/group_vars/vps/secrets.yaml

@@ -0,0 +1,22 @@
+vault_edge_vps:
+  wireguard:
+    private_key: "YOUR_WIREGUARD_PRIVATE_KEY"
+    peers:
+      - name: lilcrow
+        public_key: "PEER_PUBLIC_KEY"
+        preshared_key: "PEER_PRESHARED_KEY"
+        allowed_ips: "10.133.7.2/32"
+      - name: homelab
+        public_key: "PEER_PUBLIC_KEY"
+        preshared_key: "PEER_PRESHARED_KEY"
+        allowed_ips: "10.133.7.3/32"
+      - name: k3s
+        public_key: "PEER_PUBLIC_KEY"
+        preshared_key: "PEER_PRESHARED_KEY"
+        allowed_ips: "10.133.7.4/32, 10.43.0.0/16"
+  pangolin:
+    server_secret: "YOUR_PANGOLIN_SERVER_SECRET"
+  traefik:
+    cloudflare_api_token: "YOUR_CLOUDFLARE_API_TOKEN"
+  elastic:
+    fleet_enrollment_token: "YOUR_FLEET_ENROLLMENT_TOKEN"

vars/group_vars/vps/vars.yaml

@@ -0,0 +1,15 @@
+edge_vps_wireguard_address: "10.133.7.1/24"
+edge_vps_wireguard_port: 61975
+edge_vps_wireguard_routes:
+  - network: "10.43.0.0/16"
+    gateway: "10.133.7.4"
+
+edge_vps_pangolin_dashboard_url: "https://pangolin.seyshiro.de"
+edge_vps_pangolin_base_endpoint: "pangolin.seyshiro.de"
+edge_vps_pangolin_base_domain: "seyshiro.de"
+
+edge_vps_acme_email: "me+acme@tudattr.dev"
+
+edge_vps_elastic_version: "9.2.2"
+edge_vps_elastic_dns_server: "10.43.0.10"
+edge_vps_elastic_fleet_url: "https://fleet-server-agent-http.elastic-system.svc:8220"