refactor(k3s): streamline inventory and primary server IP handling

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
feat(proxmox): add k3s agents and refine VM provisioning
2025-07-13 00:40:48 +02:00 · 2025-07-12 23:08:44 +02:00 · 2025-07-12 21:38:53 +02:00 · 2025-07-12 20:35:26 +02:00 · 2025-06-07 01:19:27 +02:00 · 2025-06-07 00:16:54 +02:00
136 changed files with 1919 additions and 1048 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,31 @@
+---
+# .ansible-lint
+
+# Specify exclude paths to prevent linting vendor roles, etc.
+exclude_paths:
+  - ./.git/
+  - ./.venv/
+  - ./galaxy_roles/
+
+# A list of rules to skip. This is a more modern and readable alternative to 'skip_list'.
+skip_list:
+  - experimental
+  - fqcn-builtins
+  - no-handler
+  - var-naming
+
+# Enforce certain rules that are not enabled by default.
+enable_list:
+  - no-free-form
+  - var-spacing
+  - no-log-password
+  - no-relative-path
+  - command-instead-of-module
+  - fqcn[deep]
+  - no-changed-when
+
+# Offline mode disables any features that require internet access.
+offline: true
+
+# Set the desired verbosity level.
+verbosity: 1
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,17 @@
+root = true
+
+[*]
+indent_style = space
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[*.py]
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false
--- a/README.md
+++ b/README.md
@@ -72,3 +72,16 @@ sudo vgextend  k3s-vg /dev/sda3
 # Use the newly available storage in the root volume
 sudo lvresize -l +100%FREE -r /dev/k3s-vg/root
 ```
+
+## Cloud Init VMs
+
+```sh
+# On Hypervisor Host
+qm resize <vmid> scsi0 +32G
+# On VM
+sudo fdisk -l /dev/sda # To check
+echo 1 | sudo tee /sys/class/block/sda/device/rescan
+sudo fdisk -l /dev/sda # To check
+# sudo apt-get install cloud-guest-utils
+sudo growpart /dev/sda 1
+```
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,9 +1,12 @@
 [defaults]
+# (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backwards-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present.
+interpreter_python=python3
+
 # (pathspec) Colon separated paths in which Ansible will search for Roles.
 roles_path=./roles

 # (pathlist) Comma separated list of Ansible inventory sources
-inventory=./inventory/production
+inventory=./vars/

 # (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
 # If executable, it will be run and the resulting stdout will be used as the password.
@@ -33,3 +36,6 @@ skip=dark gray
 [tags]
 # (list) default list of tags to skip in your plays, has precedence over Run Tags
 ;skip=
+
+[inventory]
+ignore_extensions={{(REJECT_EXTS + ('.orig', '.cfg', '.retry', '.bak'))}}
--- a/group_vars/all/secrets.yml
+++ b/group_vars/all/secrets.yml
@@ -1,56 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-34623331393561623539666362643966336661326136363431666465356535343663376236663066
-3235363061633666626133313363373336656438633566630a383230393161323862303863656464
-61633861323966343263363466343130306635343539326464363637383139343033656130336464
-3163373535613961340a643335626165306663363063656339653862393533633534366331336231
-63393432383731633463323164333831313535373261336166326237306230326465616239306536
-37663863663161393130373835373062393866633864373465333937633838303130386334356566
-64303663303862623038646235303934376230393538353466393232363764366339616633343433
-65343730663864393766313134653335396562646135306637613031333461613965666465376532
-32643261626665396338313836633337383932616265613662383132303539623239623965333966
-66333638643635313262616434396164313833303065303662303736303232346535613834643435
-32316434343231363662393163353832393166643739396165313631363539663439316133616361
-61623830613035396333303363383332653736666231343763353666356539633433373066613330
-65656631343764323234333161636632616130353139626362343361386535313336666566636464
-35323434656439346262336335383366626565333765343562633236636132636532333761663535
-31383565313436633438633336306430343733663539666631386532313836623166356332626664
-39653762353265643861633237326662383466373539633732323833376238383963393837636466
-66656631666131623166393731643537393161303636353932653062363137376334356238643064
-34303666656638396263336639636135393536623037666137653132633264316431656438386432
-34333632616265343435306365373039653036353337633563393739653632656163316636363336
-32346638393364353634386231616639386164326531353134366639653837653236333030666139
-64656334336231636337656233383834343763393738643362626665333362353335656131653165
-35376330336433383262653039643131313437643265343663626363373439643932643063646439
-37663630363839643263373630646430386536346132383564396463376361343661346661333636
-39643961643031626462363537633263393838363262626439313838313039373035373634633462
-38363938343932626131343966616638323632303636383034383536616164393539343635666166
-39383434313863356434383961383139623436636230323866396366326665623863336438623335
-33346634303639643131333933363838666336306438646335343931366437326462376438663837
-34353938343837663930356464373332356530643231653166616331376335643832316365303164
-32393062313638393936393863613731363233376537323834623164613231393133353635623866
-35626337336562653265613730363961633662653331663966333430343462666535306133663835
-64663539303765366331613666653632313233626231313264346332323266653230323332373836
-33303564633464333064613431383230383535633362373839323334353162623433646230393838
-33306162613739393338373361616634396636313765326465393332396537613263383339626666
-63613162616363363138323965373966353366323463313934356530663931653565656164346363
-37633862366436623030303233396639393434336438623433383530393836626164353064366432
-35303532393437316162346366346636633135383938323631316563323935383561326335323438
-30613266643232656138663431666162663330643133643263343237663565323231316239633037
-39323732386236396136633539383335646634306139643533666636633131623566333137376236
-39616134306463613864353135313636343365643437323465643862303137663937376233306261
-31383862356535646563383438396363323838613237623034656561396163376433663262366137
-63323562346633303162666530616534386539383238366139376263326265343138373139393432
-35643335363139373139666230626363386232316536306431653964376333366235303763336135
-65623231336638643034373932376263636336653561646664366138643031316438316465353363
-38386539363631393433313664323135646562313537376236653635303263633230383866653039
-66636534336234363438363139366531653237323137613961383831376665626365393462363834
-36333965366463636233643433616431376436323535396238363933326363333661326462353161
-66626435373938633832393662313161663336613862343332643766333633653866316464653735
-31356135363662633961386264613836323435323836386635336338353663333137336666323531
-36663731336664633763633634613136663866363530613264356431326539316530326161313362
-62616539356537353261343464356334636134396664353463623163313765633432653932346136
-32326239373333643461333733646264353238356134613037663836643131316664653539643839
-30613235623933356565336630323939633266613164306262386666363137666661666131613962
-61623930663536646462343264336535353634373833316537613839396566376466653736333830
-33376663613063326230346439626237373232656665633832373364653931663361666432303166
-663564323132383864336332363139393534
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -1,36 +0,0 @@
-#
-# Essential
-#
-
-root: root
-user: tudattr
-timezone: Europe/Berlin
-puid: "1000"
-pgid: "1000"
-pk_path: "/media/veracrypt1/genesis"
-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqc9fnzfCz8fQDFzla+D8PBhvaMmFu2aF+TYkkZRxl9 tuan@genesis-2022-01-20"
-
-public_domain: tudattr.dev
-internal_domain: seyshiro.de
-
-#
-# Packages
-#
-
-common_packages:
-  - build-essential
-  - curl
-  - git
-  - iperf3
-  - neovim
-  - rsync
-  - smartmontools
-  - sudo
-  - systemd-timesyncd
-  - tree
-  - screen
-  - bat
-  - fd-find
-  - ripgrep
-
-arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
--- a/group_vars/k3s/vars.yml
+++ b/group_vars/k3s/vars.yml
@@ -1,28 +0,0 @@
-db:
-  default_user:
-    user: "postgres"
-  name: "k3s"
-  user: "k3s"
-  password: "{{ vault.k3s.postgres.db.password }}"
-  listen_address: "{{ k3s.db.ip }}"
-
-k3s:
-  net: "192.168.20.0/24"
-  server:
-    ips:
-      - 192.168.20.21
-      - 192.168.20.24
-      - 192.168.20.30
-  loadbalancer:
-    ip: 192.168.20.22
-    default_port: 6443
-  db:
-    ip: 192.168.20.23
-    default_port: "5432"
-  agent:
-    ips:
-      - 192.168.20.25
-      - 192.168.20.26
-      - 192.168.20.27
-
-k3s_db_connection_string: "postgres://{{ db.user }}:{{ db.password }}@{{ k3s.db.ip }}:{{ k3s.db.default_port }}/{{ db.name }}"
--- a/host_vars/aya01.yml
+++ b/host_vars/aya01.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "root"
-ansible_host: 192.168.20.12
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.pve.aya01.root.sudo }}"
-
-host:
-  hostname: "aya01"
-  ip: "{{ ansible_host }}"
--- a/host_vars/docker-host00.yml
+++ b/host_vars/docker-host00.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.34
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.docker.host00.sudo }}"
-
-host:
-  hostname: "docker-host00"
-  ip: "{{ ansible_host }}"
--- a/host_vars/docker-host01.yml
+++ b/host_vars/docker-host01.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.35
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.docker.host01.sudo }}"
-
-host:
-  hostname: "docker-host01"
-  ip: "{{ ansible_host }}"
--- a/host_vars/docker-host02.yml
+++ b/host_vars/docker-host02.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.36
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.docker.host02.sudo }}"
-
-host:
-  hostname: "docker-host02"
-  ip: "{{ ansible_host }}"
--- a/host_vars/docker-lb.yml
+++ b/host_vars/docker-lb.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.37
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.docker.lb.sudo }}"
-
-host:
-  hostname: "docker-lb"
-  ip: "{{ ansible_host }}"
--- a/host_vars/inko.yml
+++ b/host_vars/inko.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "root"
-ansible_host: 192.168.20.14
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.pve.inko.root.sudo }}"
-
-host:
-  hostname: "inko"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-agent00.yml
+++ b/host_vars/k3s-agent00.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.25
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.agent00.sudo }}"
-
-host:
-  hostname: "k3s-agent00"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-agent01.yml
+++ b/host_vars/k3s-agent01.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.26
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.agent01.sudo }}"
-
-host:
-  hostname: "k3s-agent01"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-agent02.yml
+++ b/host_vars/k3s-agent02.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.27
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.agent02.sudo }}"
-
-host:
-  hostname: "k3s-agent02"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-loadbalancer.yml
+++ b/host_vars/k3s-loadbalancer.yml
@@ -1,9 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.22
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.loadbalancer.sudo }}"
-host:
-  hostname: "k3s-loadbalancer"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-longhorn00.yml
+++ b/host_vars/k3s-longhorn00.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.32
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.longhorn00.sudo }}"
-
-host:
-  hostname: "k3s-longhorn00"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-longhorn01.yml
+++ b/host_vars/k3s-longhorn01.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.33
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.longhorn01.sudo }}"
-
-host:
-  hostname: "k3s-longhorn01"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-longhorn02.yml
+++ b/host_vars/k3s-longhorn02.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.31
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.longhorn02.sudo }}"
-
-host:
-  hostname: "k3s-longhorn02"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-postgres.yml
+++ b/host_vars/k3s-postgres.yml
@@ -1,9 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.23
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.postgres.sudo }}"
-host:
-  hostname: "k3s-postgres"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-server00.yml
+++ b/host_vars/k3s-server00.yml
@@ -1,9 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.21
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.server00.sudo }}"
-host:
-  hostname: "k3s-server00"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-server01.yml
+++ b/host_vars/k3s-server01.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.24
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.server01.sudo }}"
-
-host:
-  hostname: "k3s-server01"
-  ip: "{{ ansible_host }}"
--- a/host_vars/k3s-server02.yml
+++ b/host_vars/k3s-server02.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "{{ user }}"
-ansible_host: 192.168.20.30
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.server02.sudo }}"
-
-host:
-  hostname: "k3s-server02"
-  ip: "{{ ansible_host }}"
--- a/host_vars/lulu.yml
+++ b/host_vars/lulu.yml
@@ -1,10 +0,0 @@
---
-ansible_user: "root"
-ansible_host: 192.168.20.28
-ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.pve.lulu.root.sudo }}"
-
-host:
-  hostname: "lulu"
-  ip: "{{ ansible_host }}"
--- a/inventory/production
+++ b/inventory/production
@@ -1,55 +0,0 @@
-[proxmox]
-aya01
-lulu
-inko
-
-[k3s]
-k3s-postgres
-k3s-loadbalancer
-k3s-server[00:02]
-k3s-agent[00:02]
-k3s-longhorn[00:02]
-
-[vm]
-k3s-postgres
-k3s-loadbalancer
-k3s-agent[00:02]
-k3s-server[00:02]
-k3s-longhorn[00:02]
-docker-host[00:02]
-
-[k3s_nodes]
-k3s-server[00:02]
-k3s-agent[00:02]
-k3s-longhorn[00:02]
-
-[docker]
-docker-host[00:02]
-docker-lb
-
-[vps]
-mii
-
-[k3s_server]
-k3s-server[00:02]
-
-[k3s_agent]
-k3s-agent[00:02]
-
-[k3s_storage]
-k3s-longhorn[00:02]
-
-[db]
-k3s-postgres
-
-[loadbalancer]
-k3s-loadbalancer
-
-[docker_host]
-docker-host[00:02]
-
-[docker_lb]
-docker-lb
-
-[vm:vars]
-ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"'
--- a/playbooks/common-k3s.yml
+++ b/playbooks/common-k3s.yml
@@ -1,10 +0,0 @@
---
- name: Run the common role on k3s
-  hosts: k3s
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
-  roles:
-    - role: common
-      tags:
-        - common
--- a/playbooks/db.yml
+++ b/playbooks/db.yml
@@ -1,19 +0,0 @@
---
- name: Set up Servers
-  hosts: db
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
-  roles:
-    - role: common
-      tags:
-        - common
-    - role: postgres
-      tags:
-        - postgres
-    - role: node_exporter
-      tags:
-        - node_exporter
-    - role: postgres_exporter
-      tags:
-        - postgres_exporter
--- a/playbooks/docker-host.yml
+++ b/playbooks/docker-host.yml
@@ -1,9 +1,7 @@
 ---
 - name: Set up Servers
  hosts: docker_host
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
+  gather_facts: true
  roles:
    - role: common
      tags:
--- a/playbooks/docker-lb.yml
+++ b/playbooks/docker-lb.yml
@@ -1,13 +1,13 @@
 ---
 - name: Set up reverse proxy for docker
-  hosts: docker_lb
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
+  hosts: docker
+  gather_facts: true
  roles:
    - role: common
      tags:
        - common
+      when: inventory_hostname in groups["docker_lb"]
    - role: reverse_proxy
      tags:
        - reverse_proxy
+      when: inventory_hostname in groups["docker_lb"]
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@@ -0,0 +1,5 @@
+---
+- name: Setup Docker Hosts
+  ansible.builtin.import_playbook: docker-host.yml
+- name: Setup Docker load balancer
+  ansible.builtin.import_playbook: docker-lb.yml
--- a/playbooks/k3s-agents.yml
+++ b/playbooks/k3s-agents.yml
@@ -1,19 +1,20 @@
 - name: Set up Agents
-  hosts: k3s_nodes
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
+  hosts: k3s
+  gather_facts: true
+  vars:
+    k3s_primary_server_ip: "{{ groups['k3s_server'] | map('extract', hostvars, 'ansible_host') | list | first }}"
  pre_tasks:
    - name: Get K3s token from the first server
-      when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
+      when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"]
      slurp:
        src: /var/lib/rancher/k3s/server/node-token
      register: k3s_token
      become: true

-    - name: Set fact on k3s.server.ips[0]
-      when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
-      set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}"
+    - name: Set fact on k3s_primary_server_ip
+      when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"]
+      set_fact:
+        k3s_token: "{{ k3s_token['content'] | b64decode | trim }}"

  roles:
    - role: common
@@ -22,7 +23,7 @@
        - common
    - role: k3s_agent
      when: inventory_hostname in groups["k3s_agent"]
-      k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s.server.ips[0] ) | select() | first | items2dict).host.hostname].k3s_token }}"
+      k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s_primary_server_ip ) | select() | first | items2dict).host.hostname].k3s_token }}"
      tags:
        - k3s_agent
    - role: node_exporter
--- a/playbooks/k3s-loadbalancer.yml
+++ b/playbooks/k3s-loadbalancer.yml
@@ -0,0 +1,17 @@
+---
+- name: Set up Servers
+  hosts: k3s
+  gather_facts: true
+  roles:
+    - role: common
+      tags:
+        - common
+      when: inventory_hostname in groups["k3s_loadbalancer"]
+    - role: k3s_loadbalancer
+      tags:
+        - k3s_loadbalancer
+      when: inventory_hostname in groups["k3s_loadbalancer"]
+    # - role: node_exporter
+    #   tags:
+    #     - node_exporter
+    #   when: inventory_hostname in groups["k3s_loadbalancer"]
--- a/playbooks/k3s-servers.yml
+++ b/playbooks/k3s-servers.yml
@@ -1,9 +1,7 @@
 ---
 - name: Set up Servers
-  hosts: k3s_server
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
+  hosts: k3s
+  gather_facts: true
  roles:
    - role: common
      tags:
@@ -11,6 +9,7 @@
    - role: k3s_server
      tags:
        - k3s_server
+      when: inventory_hostname in groups["k3s_server"]
    - role: node_exporter
      tags:
        - node_exporter
--- a/playbooks/k3s-storage.yml
+++ b/playbooks/k3s-storage.yml
@@ -1,19 +1,20 @@
 - name: Set up storage
  hosts: k3s_nodes
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
+  gather_facts: true
+  vars:
+    k3s_primary_server_ip: "{{ groups['k3s_server'] | map('extract', hostvars, 'ansible_host') | list | first }}"
  pre_tasks:
    - name: Get K3s token from the first server
-      when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
+      when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"]
      slurp:
        src: /var/lib/rancher/k3s/server/node-token
      register: k3s_token
      become: true

-    - name: Set fact on k3s.server.ips[0]
-      when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
-      set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}"
+    - name: Set fact on k3s_primary_server_ip
+      when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"]
+      set_fact:
+        k3s_token: "{{ k3s_token['content'] | b64decode | trim }}"

  roles:
    - role: common
@@ -22,7 +23,7 @@
        - common
    - role: k3s_storage
      when: inventory_hostname in groups["k3s_storage"]
-      k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s.server.ips[0] ) | select() | first | items2dict).host.hostname].k3s_token }}"
+      k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s_primary_server_ip ) | select() | first | items2dict).host.hostname].k3s_token }}"
      tags:
        - k3s_storage
    - role: node_exporter
--- a/playbooks/loadbalancer.yml
+++ b/playbooks/loadbalancer.yml
@@ -1,16 +0,0 @@
---
- name: Set up Servers
-  hosts: loadbalancer
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
-  roles:
-    - role: common
-      tags:
-        - common
-    - role: loadbalancer
-      tags:
-        - loadbalancer
-    - role: node_exporter
-      tags:
-        - node_exporter
--- a/playbooks/proxmox.yml
+++ b/playbooks/proxmox.yml
@@ -0,0 +1,15 @@
+---
+- name: Run proxmox vm playbook
+  hosts: proxmox
+  gather_facts: true
+  vars:
+    is_localhost: "{{ inventory_hostname == '127.0.0.1' }}"
+    is_proxmox_node: "{{ 'proxmox_nodes' in group_names }}"
+  roles:
+    - role: common
+      tags:
+        - common
+      when: not is_localhost
+    - role: proxmox
+      tags:
+        - proxmox
--- a/playbooks/test.yml
+++ b/playbooks/test.yml
@@ -1,9 +0,0 @@
---
- hosts: db
-  gather_facts: yes
-  vars_files:
-    - secrets.yml
-  tasks:
-    - name: Print the database connection string
-      debug:
-        msg: "{{ k3s_db_connection_string }}"
--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,7 @@
+certifi==2025.1.31
+charset-normalizer==3.4.1
+idna==3.10
+nc-dnsapi==0.1.3
+proxmoxer==2.2.0
+requests==2.32.3
+urllib3==2.3.0
--- a/roles/common/files/ghostty/infocmp
+++ b/roles/common/files/ghostty/infocmp
@@ -0,0 +1,80 @@
+xterm-ghostty|ghostty|Ghostty,
+	am, bce, ccc, hs, km, mc5i, mir, msgr, npc, xenl, AX, Su, Tc, XT, fullkbd,
+	colors#0x100, cols#80, it#8, lines#24, pairs#0x7fff,
+	acsc=++\,\,--..00``aaffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~,
+	bel=^G, blink=\E[5m, bold=\E[1m, cbt=\E[Z, civis=\E[?25l,
+	clear=\E[H\E[2J, cnorm=\E[?12l\E[?25h, cr=\r,
+	csr=\E[%i%p1%d;%p2%dr, cub=\E[%p1%dD, cub1=^H,
+	cud=\E[%p1%dB, cud1=\n, cuf=\E[%p1%dC, cuf1=\E[C,
+	cup=\E[%i%p1%d;%p2%dH, cuu=\E[%p1%dA, cuu1=\E[A,
+	cvvis=\E[?12;25h, dch=\E[%p1%dP, dch1=\E[P, dim=\E[2m,
+	dl=\E[%p1%dM, dl1=\E[M, dsl=\E]2;\007, ech=\E[%p1%dX,
+	ed=\E[J, el=\E[K, el1=\E[1K, flash=\E[?5h$<100/>\E[?5l,
+	fsl=^G, home=\E[H, hpa=\E[%i%p1%dG, ht=^I, hts=\EH,
+	ich=\E[%p1%d@, ich1=\E[@, il=\E[%p1%dL, il1=\E[L, ind=\n,
+	indn=\E[%p1%dS,
+	initc=\E]4;%p1%d;rgb:%p2%{255}%*%{1000}%/%2.2X/%p3%{255}%*%{1000}%/%2.2X/%p4%{255}%*%{1000}%/%2.2X\E\\,
+	invis=\E[8m, kDC=\E[3;2~, kEND=\E[1;2F, kHOM=\E[1;2H,
+	kIC=\E[2;2~, kLFT=\E[1;2D, kNXT=\E[6;2~, kPRV=\E[5;2~,
+	kRIT=\E[1;2C, kbs=^?, kcbt=\E[Z, kcub1=\EOD, kcud1=\EOB,
+	kcuf1=\EOC, kcuu1=\EOA, kdch1=\E[3~, kend=\EOF, kent=\EOM,
+	kf1=\EOP, kf10=\E[21~, kf11=\E[23~, kf12=\E[24~,
+	kf13=\E[1;2P, kf14=\E[1;2Q, kf15=\E[1;2R, kf16=\E[1;2S,
+	kf17=\E[15;2~, kf18=\E[17;2~, kf19=\E[18;2~, kf2=\EOQ,
+	kf20=\E[19;2~, kf21=\E[20;2~, kf22=\E[21;2~,
+	kf23=\E[23;2~, kf24=\E[24;2~, kf25=\E[1;5P, kf26=\E[1;5Q,
+	kf27=\E[1;5R, kf28=\E[1;5S, kf29=\E[15;5~, kf3=\EOR,
+	kf30=\E[17;5~, kf31=\E[18;5~, kf32=\E[19;5~,
+	kf33=\E[20;5~, kf34=\E[21;5~, kf35=\E[23;5~,
+	kf36=\E[24;5~, kf37=\E[1;6P, kf38=\E[1;6Q, kf39=\E[1;6R,
+	kf4=\EOS, kf40=\E[1;6S, kf41=\E[15;6~, kf42=\E[17;6~,
+	kf43=\E[18;6~, kf44=\E[19;6~, kf45=\E[20;6~,
+	kf46=\E[21;6~, kf47=\E[23;6~, kf48=\E[24;6~,
+	kf49=\E[1;3P, kf5=\E[15~, kf50=\E[1;3Q, kf51=\E[1;3R,
+	kf52=\E[1;3S, kf53=\E[15;3~, kf54=\E[17;3~,
+	kf55=\E[18;3~, kf56=\E[19;3~, kf57=\E[20;3~,
+	kf58=\E[21;3~, kf59=\E[23;3~, kf6=\E[17~, kf60=\E[24;3~,
+	kf61=\E[1;4P, kf62=\E[1;4Q, kf63=\E[1;4R, kf7=\E[18~,
+	kf8=\E[19~, kf9=\E[20~, khome=\EOH, kich1=\E[2~,
+	kind=\E[1;2B, kmous=\E[<, knp=\E[6~, kpp=\E[5~,
+	kri=\E[1;2A, oc=\E]104\007, op=\E[39;49m, rc=\E8,
+	rep=%p1%c\E[%p2%{1}%-%db, rev=\E[7m, ri=\EM,
+	rin=\E[%p1%dT, ritm=\E[23m, rmacs=\E(B, rmam=\E[?7l,
+	rmcup=\E[?1049l, rmir=\E[4l, rmkx=\E[?1l\E>, rmso=\E[27m,
+	rmul=\E[24m, rs1=\E]\E\\\Ec, sc=\E7,
+	setab=\E[%?%p1%{8}%<%t4%p1%d%e%p1%{16}%<%t10%p1%{8}%-%d%e48;5;%p1%d%;m,
+	setaf=\E[%?%p1%{8}%<%t3%p1%d%e%p1%{16}%<%t9%p1%{8}%-%d%e38;5;%p1%d%;m,
+	sgr=%?%p9%t\E(0%e\E(B%;\E[0%?%p6%t;1%;%?%p2%t;4%;%?%p1%p3%|%t;7%;%?%p4%t;5%;%?%p7%t;8%;m,
+	sgr0=\E(B\E[m, sitm=\E[3m, smacs=\E(0, smam=\E[?7h,
+	smcup=\E[?1049h, smir=\E[4h, smkx=\E[?1h\E=, smso=\E[7m,
+	smul=\E[4m, tbc=\E[3g, tsl=\E]2;, u6=\E[%i%d;%dR, u7=\E[6n,
+	u8=\E[?%[;0123456789]c, u9=\E[c, vpa=\E[%i%p1%dd,
+	BD=\E[?2004l, BE=\E[?2004h, Clmg=\E[s,
+	Cmg=\E[%i%p1%d;%p2%ds, Dsmg=\E[?69l, E3=\E[3J,
+	Enmg=\E[?69h, Ms=\E]52;%p1%s;%p2%s\007, PE=\E[201~,
+	PS=\E[200~, RV=\E[>c, Se=\E[2 q,
+	Setulc=\E[58:2::%p1%{65536}%/%d:%p1%{256}%/%{255}%&%d:%p1%{255}%&%d%;m,
+	Smulx=\E[4:%p1%dm, Ss=\E[%p1%d q,
+	Sync=\E[?2026%?%p1%{1}%-%tl%eh%;,
+	XM=\E[?1006;1000%?%p1%{1}%=%th%el%;, XR=\E[>0q,
+	fd=\E[?1004l, fe=\E[?1004h, kDC3=\E[3;3~, kDC4=\E[3;4~,
+	kDC5=\E[3;5~, kDC6=\E[3;6~, kDC7=\E[3;7~, kDN=\E[1;2B,
+	kDN3=\E[1;3B, kDN4=\E[1;4B, kDN5=\E[1;5B, kDN6=\E[1;6B,
+	kDN7=\E[1;7B, kEND3=\E[1;3F, kEND4=\E[1;4F,
+	kEND5=\E[1;5F, kEND6=\E[1;6F, kEND7=\E[1;7F,
+	kHOM3=\E[1;3H, kHOM4=\E[1;4H, kHOM5=\E[1;5H,
+	kHOM6=\E[1;6H, kHOM7=\E[1;7H, kIC3=\E[2;3~, kIC4=\E[2;4~,
+	kIC5=\E[2;5~, kIC6=\E[2;6~, kIC7=\E[2;7~, kLFT3=\E[1;3D,
+	kLFT4=\E[1;4D, kLFT5=\E[1;5D, kLFT6=\E[1;6D,
+	kLFT7=\E[1;7D, kNXT3=\E[6;3~, kNXT4=\E[6;4~,
+	kNXT5=\E[6;5~, kNXT6=\E[6;6~, kNXT7=\E[6;7~,
+	kPRV3=\E[5;3~, kPRV4=\E[5;4~, kPRV5=\E[5;5~,
+	kPRV6=\E[5;6~, kPRV7=\E[5;7~, kRIT3=\E[1;3C,
+	kRIT4=\E[1;4C, kRIT5=\E[1;5C, kRIT6=\E[1;6C,
+	kRIT7=\E[1;7C, kUP=\E[1;2A, kUP3=\E[1;3A, kUP4=\E[1;4A,
+	kUP5=\E[1;5A, kUP6=\E[1;6A, kUP7=\E[1;7A, kxIN=\E[I,
+	kxOUT=\E[O, rmxx=\E[29m, rv=\E\\[[0-9]+;[0-9]+;[0-9]+c,
+	setrgbb=\E[48:2:%p1%d:%p2%d:%p3%dm,
+	setrgbf=\E[38:2:%p1%d:%p2%d:%p3%dm, smxx=\E[9m,
+	xm=\E[<%i%p3%d;%p1%d;%p2%d;%?%p4%tM%em%;,
+	xr=\EP>\\|[ -~]+a\E\\,
--- a/roles/common/files/ssh/root/sshd_config
+++ b/roles/common/files/ssh/root/sshd_config
@@ -0,0 +1,19 @@
+Protocol 2
+PermitRootLogin yes
+MaxAuthTries 3
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+AllowAgentForwarding no
+AllowTcpForwarding yes
+X11Forwarding no
+PrintMotd no
+TCPKeepAlive no
+ClientAliveCountMax 2
+TrustedUserCAKeys /etc/ssh/vault-ca.pub
+UseDNS yes
+AcceptEnv LANG LC_*
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
--- a/roles/common/files/ssh/user/sshd_config
+++ b/roles/common/files/ssh/user/sshd_config
@@ -1,4 +1,3 @@
-Include /etc/ssh/sshd_config.d/*.conf
 Protocol 2
 PermitRootLogin no
 MaxAuthTries 3
@@ -13,6 +12,7 @@ X11Forwarding no
 PrintMotd no
 TCPKeepAlive no
 ClientAliveCountMax 2
+TrustedUserCAKeys /etc/ssh/vault-ca.pub
 UseDNS yes
 AcceptEnv LANG LC_*
 Subsystem	sftp	/usr/lib/openssh/sftp-server
--- a/roles/common/files/ssh/vault-ca.pub
+++ b/roles/common/files/ssh/vault-ca.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==
--- a/roles/common/tasks/bash.yml
+++ b/roles/common/tasks/bash.yml
@@ -2,11 +2,23 @@
 - name: Copy bash-configs
  ansible.builtin.template:
    src: "files/bash/{{ item }}"
-    dest: "/home/{{ user }}/.{{ item }}"
-    owner: "{{ user }}"
-    group: "{{ user }}"
+    dest: "{{ ansible_env.HOME }}/.{{ item }}"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_id }}"
    mode: "644"
  loop:
    - bashrc
    - bash_aliases
-  become: true
+
+- name: Copy ghostty infocmp
+  ansible.builtin.copy:
+    src: files/ghostty/infocmp
+    dest: "{{ ansible_env.HOME }}/ghostty"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_id }}"
+    mode: "0644"
+  register: ghostty_terminfo
+
+- name: Compile ghostty terminalinfo
+  ansible.builtin.command: "tic -x {{ ansible_env.HOME }}/ghostty"
+  when: ghostty_terminfo.changed
--- a/roles/common/tasks/extra_packages.yml
+++ b/roles/common/tasks/extra_packages.yml
@@ -11,7 +11,6 @@
    url: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc
    dest: /etc/apt/keyrings/gierens.asc
    mode: "0644"
-  register: gpg_key_result
  become: true

 - name: Add Gierens repository to apt sources
--- a/roles/common/tasks/hostname.yml
+++ b/roles/common/tasks/hostname.yml
@@ -1,14 +1,14 @@
 ---
 - name: Set a hostname
  ansible.builtin.hostname:
-    name: "{{ host.hostname }}"
+    name: "{{ inventory_hostname }}"
  become: true

 - name: Update /etc/hosts to reflect the new hostname
  ansible.builtin.lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.1\.1'
-    line: "127.0.1.1 {{ host.hostname }}"
+    line: "127.0.1.1 {{ inventory_hostname }}"
    state: present
    backup: true
  become: true
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,10 +1,10 @@
 ---
 - name: Configure Time
  ansible.builtin.include_tasks: time.yml
- name: Configure Hostname
-  ansible.builtin.include_tasks: hostname.yml
 - name: Configure Packages
  ansible.builtin.include_tasks: packages.yml
+- name: Configure Hostname
+  ansible.builtin.include_tasks: hostname.yml
 - name: Configure Extra-Packages
  ansible.builtin.include_tasks: extra_packages.yml
 - name: Configure Bash
--- a/roles/common/tasks/packages.yml
+++ b/roles/common/tasks/packages.yml
@@ -5,9 +5,24 @@
    upgrade: true
    autoremove: true
  become: true
+  when: ansible_user_id != "root"

 - name: Install base packages
  ansible.builtin.apt:
    name: "{{ common_packages }}"
    state: present
  become: true
+  when: ansible_user_id != "root"
+
+- name: Update and upgrade packages
+  ansible.builtin.apt:
+    update_cache: true
+    upgrade: true
+    autoremove: true
+  when: ansible_user_id == "root"
+
+- name: Install base packages
+  ansible.builtin.apt:
+    name: "{{ common_packages }}"
+    state: present
+  when: ansible_user_id == "root"
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -1,17 +1,28 @@
 ---
- name: Copy sshd_config
+- name: Copy user sshd_config
  ansible.builtin.template:
-    src: templates/ssh/sshd_config
+    src: files/ssh/user/sshd_config
    dest: /etc/ssh/sshd_config
    mode: "644"
+    backup: true
  notify:
    - Restart sshd
  become: true
+  when: ansible_user_id != "root"
+
+- name: Copy root sshd_config
+  ansible.builtin.template:
+    src: files/ssh/root/sshd_config
+    dest: /etc/ssh/sshd_config
+    mode: "644"
+    backup: true
+  notify:
+    - Restart sshd
+  when: ansible_user_id == "root"

 - name: Copy pubkey
  ansible.builtin.copy:
-    content: "{{ pubkey }}"
-    dest: "/home/{{ user }}/.ssh/authorized_keys"
-    owner: "{{ user }}"
-    group: "{{ user }}"
+    src: files/ssh/vault-ca.pub
+    dest: "/etc/ssh/vault-ca.pub"
    mode: "644"
+  become: true
--- a/roles/common/tasks/time.yml
+++ b/roles/common/tasks/time.yml
@@ -1,4 +1,11 @@
 ---
- name: Set timezone to "{{ timezone }}"
+- name: Set timezone
  community.general.timezone:
    name: "{{ timezone }}"
+  become: true
+  when: ansible_user_id != "root"
+
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+  when: ansible_user_id == "root"
--- a/roles/common/vars/main.yml
+++ b/roles/common/vars/main.yml
@@ -0,0 +1,15 @@
+common_packages:
+  - build-essential
+  - curl
+  - git
+  - iperf3
+  - neovim
+  - rsync
+  - smartmontools
+  - sudo
+  - systemd-timesyncd
+  - tree
+  - screen
+  - bat
+  - fd-find
+  - ripgrep
--- a/roles/docker_host/handlers/main.yml
+++ b/roles/docker_host/handlers/main.yml
@@ -8,4 +8,14 @@
 - name: Restart compose
  community.docker.docker_compose_v2:
    project_src: "{{ docker.directories.compose }}"
-    state: restarted
+    state: present
+  retries: 3
+  delay: 5
+  become: true
+
+- name: Restart host
+  ansible.builtin.reboot:
+    connect_timeout: 5
+    reboot_timeout: 600
+    test_command: whoami
+  become: true
--- a/roles/docker_host/tasks/10_setup.yml
+++ b/roles/docker_host/tasks/10_setup.yml
@@ -0,0 +1,50 @@
+---
+- name: Check if debian.sources file exists
+  ansible.builtin.stat:
+    path: /etc/apt/sources.list.d/debian.sources
+  register: debian_sources_stat
+
+- name: Replace Components line to include non-free and non-free-firmware
+  ansible.builtin.replace:
+    path: /etc/apt/sources.list.d/debian.sources
+    regexp: "^Components:.*$"
+    replace: "Components: main non-free non-free-firmware"
+  when: debian_sources_stat.stat.exists
+  become: true
+
+- name: Setup VM Packages
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: true
+  loop: "{{ docker_host_package_common_dependencies }}"
+  become: true
+
+- name: Gather installed package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: Filter for specific cloud kernel packages
+  ansible.builtin.set_fact:
+    cloud_kernel_packages: >-
+      {{
+        ansible_facts.packages.keys()
+        | select('search', 'linux-image')
+        | select('search', 'cloud')
+        | list
+      }}
+
+- name: Use the list to remove the found packages
+  ansible.builtin.apt:
+    name: "{{ cloud_kernel_packages }}"
+    state: absent
+    autoremove: true
+  when: cloud_kernel_packages | length > 0
+  become: true
+
+- name: Restart host
+  ansible.builtin.reboot:
+    connect_timeout: 5
+    reboot_timeout: 600
+    test_command: whoami
+  become: true
--- a/roles/docker_host/tasks/20_installation.yml
+++ b/roles/docker_host/tasks/20_installation.yml
--- a/roles/docker_host/tasks/30_user_group_setup.yml
+++ b/roles/docker_host/tasks/30_user_group_setup.yml
@@ -5,10 +5,12 @@
    state: present
  become: true

- name: Append the group docker to "{{ user }}"
+- name: Append the group docker to "{{ ansible_user_id }}"
  ansible.builtin.user:
-    name: "{{ user }}"
+    name: "{{ ansible_user_id }}"
    shell: /bin/bash
    groups: docker
    append: true
  become: true
+  notify:
+    - Restart host
--- a/roles/docker_host/tasks/40_directory_setup.yml
+++ b/roles/docker_host/tasks/40_directory_setup.yml
@@ -9,19 +9,20 @@
    - /media/series
    - /media/movies
    - /media/songs
-    - "{{ docker.directories.opt }}"
+    - "{{ docker.directories.local }}"
+    - "{{ docker.directories.config }}"
    - "{{ docker.directories.compose }}"
-    - /opt/local
  become: true

- name: Set ownership to {{ user }}
+- name: Set ownership to {{ ansible_user_id }}
  ansible.builtin.file:
    path: "{{ item }}"
-    owner: "{{ user }}"
-    group: "{{ user }}"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_id }}"
  loop:
-    - "{{ docker.directories.opt }}"
-    - /opt/local
+    - "{{ docker.directories.local }}"
+    - "{{ docker.directories.config }}"
+    - "{{ docker.directories.compose }}"
    - /media
  become: true

--- a/roles/docker_host/tasks/50_provision.yml
+++ b/roles/docker_host/tasks/50_provision.yml
@@ -0,0 +1,31 @@
+---
+- name: Set fact if this host should run Keycloak
+  ansible.builtin.set_fact:
+    is_keycloak_host: "{{ inventory_hostname in (services | selectattr('name', 'equalto', 'keycloak') | map(attribute='vm') | first) }}"
+
+- name: Create Keycloak directories
+  ansible.builtin.file:
+    path: "{{ docker.directories.local }}/keycloak/"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_id }}"
+    state: directory
+    mode: "0755"
+  when: is_keycloak_host | bool
+  become: true
+
+- name: Setup Keycloak realms
+  ansible.builtin.template:
+    src: "templates/keycloak/realm.json.j2"
+    dest: "{{ docker.directories.local }}/keycloak/{{ keycloak.realm }}-realm.json"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_id }}"
+    mode: "644"
+    backup: true
+  when: is_keycloak_host | bool
+  loop: "{{ keycloak_config.realms }}"
+  loop_control:
+    loop_var: keycloak
+  notify:
+    - Restart docker
+    - Restart compose
+  become: true
--- a/roles/docker_host/tasks/60_deploy_compose.yml
+++ b/roles/docker_host/tasks/60_deploy_compose.yml
@@ -3,8 +3,8 @@
  ansible.builtin.template:
    src: "templates/compose.yaml.j2"
    dest: "{{ docker.directories.compose }}/compose.yaml"
-    owner: "{{ user }}"
-    group: "{{ user }}"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_id }}"
    mode: "644"
    backup: true
  notify:
--- a/roles/docker_host/tasks/70_export.yml
+++ b/roles/docker_host/tasks/70_export.yml
--- a/roles/docker_host/tasks/main.yml
+++ b/roles/docker_host/tasks/main.yml
@@ -1,18 +1,20 @@
 ---
 - name: Setup VM
-  ansible.builtin.include_tasks: setup.yml
-
+  ansible.builtin.include_tasks: 10_setup.yml
 - name: Install docker
-  ansible.builtin.include_tasks: installation.yml
+  ansible.builtin.include_tasks: 20_installation.yml

 - name: Setup user and group for docker
-  ansible.builtin.include_tasks: user_group_setup.yml
+  ansible.builtin.include_tasks: 30_user_group_setup.yml

 - name: Setup directory structure for docker
-  ansible.builtin.include_tasks: directory_setup.yml
+  ansible.builtin.include_tasks: 40_directory_setup.yml
+
+- name: Deploy configs
+  ansible.builtin.include_tasks: 50_provision.yml

 - name: Deploy docker compose
-  ansible.builtin.include_tasks: deploy_compose.yml
+  ansible.builtin.include_tasks: 60_deploy_compose.yml

 - name: Publish metrics
-  ansible.builtin.include_tasks: export.yml
+  ansible.builtin.include_tasks: 70_export.yml
--- a/roles/docker_host/tasks/setup.yml
+++ b/roles/docker_host/tasks/setup.yml
@@ -1,9 +0,0 @@
---
- name: Enable HW accelerate for VM
-  ansible.builtin.apt:
-    name: "{{ item }}"
-    state: present
-  loop:
-    - firmware-misc-nonfree
-    - nfs-common
-  become: true
--- a/roles/docker_host/templates/compose.yaml.j2
+++ b/roles/docker_host/templates/compose.yaml.j2
@@ -1,12 +1,13 @@
 services:
 {% for service in services %}
 {% if inventory_hostname in service.vm %}
-  {{service.name}}:
+
+  {{ service.name }}:
    container_name: {{ service.container_name }}
    image: {{ service.image }}
-    restart: {{ service.restart }}
+    restart: unless-stopped
 {% if service.network_mode is not defined %}
-    hostname: {{service.name}}
+    hostname: {{ service.name }}
    networks:
      - net
 {% endif %}
@@ -15,11 +16,40 @@ services:
    ports:
 {% for port in service.ports %}
 {% if port.internal != 'proxy_only' %}
-      - {{port.external}}:{{port.internal}}
+      - {{ port.external }}:{{ port.internal }}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% endif %}
+{% if service.ports is defined and service.ports is iterable %}
+{% set first_http_port = service.ports | default([]) | selectattr('name', 'defined') | selectattr('name', 'search', 'http') | first %}
+{% set chosen_http_port_value = none %}
+{% if first_http_port is not none %}
+{% if first_http_port.internal is defined and first_http_port.internal == 'proxy_only' %}
+{% if first_http_port.external is defined %}
+{% set chosen_http_port_value = first_http_port.external %}
+{% endif %}
+{% else %}
+{% set chosen_http_port_value = first_http_port.internal %}
+{% endif %}
+{% if chosen_http_port_value is defined %}
+    healthcheck:
+{% set healthcheck = 'curl' %}
+{% if service.healthcheck is defined %}
+{% set healthcheck = service.healthcheck %}
+{% endif %}
+{% if healthcheck == 'curl' %}
+      test: ["CMD", "curl", "-f", "--silent", "--show-error", "--connect-timeout", "5", "http://localhost:{{ chosen_http_port_value }}/"]
+{% elif healthcheck == 'wget' %}
+      test: ["CMD-SHELL", "wget --quiet --spider --timeout=5 http://localhost:{{ chosen_http_port_value }}/ || exit 1"]
+{% endif %}
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 20s
+{% endif %}
+{% endif %}
+{% endif %}
 {% if service.cap_add is defined and service.cap_add is iterable %}
    cap_add:
 {% for cap in service.cap_add %}
@@ -41,46 +71,88 @@ services:
 {% if service.volumes is defined and service.volumes is iterable %}
    volumes:
 {% for volume in service.volumes %}
-      - {{volume.external}}:{{volume.internal}}
+      - {{ volume.external }}:{{ volume.internal }}
 {% endfor %}
 {% endif %}
 {% if service.environment is defined and service.environment is iterable %}
    environment:
 {% for env in service.environment %}
-      - {{env}}
+      - {{ env }}
 {% endfor %}
 {% endif %}
 {% if service.devices is defined and service.devices is iterable  %}
    devices:
 {% for device in service.devices %}
-      - {{device.external}}:{{device.internal}}
+      - {{ device.external }}:{{ device.internal }}
 {% endfor %}
 {% endif %}
-{% if service.name == 'paperless' %}
-
-  {{service.name}}-broker:
-    container_name: paperless-broker
-    image: docker.io/library/redis:7
-    restart: unless-stopped
-    networks:
-      - net
-    volumes:
-      - /opt/local/paperless/redis/data:/data
-
-  {{service.name}}-postgres:
-    container_name: paperless-postgres
-    image: docker.io/library/postgres:15
-    restart: unless-stopped
-    networks:
-      - net
-    volumes:
-      - /opt/local/paperless/db/data:/var/lib/postgresql/data
-    environment:
-      POSTGRES_DB: paperless
-      POSTGRES_USER: paperless
-      POSTGRES_PASSWORD: 5fnhn%u2YWY3paNvMAjdoufYPQ2Hf3Yi
+{% if service.command is defined and service.command is iterable  %}
+    command:
+{% for command in service.command %}
+      - {{ command }}
+{% endfor %}
+{% endif %}
+{% if service.sub_service is defined and service.sub_service is iterable %}
+{% for sub in service.sub_service %}
+{% if sub.name is defined and sub.name == "postgres" %}
+  {{ service.name }}-postgres:
+    container_name: {{ service.name }}-postgres
+    image: docker.io/library/postgres:{{ sub.version }}
+    restart: unless-stopped
+    hostname: {{ service.name }}-postgres
+    networks:
+      - net
+    volumes:
+      - /opt/local/{{ service.name }}/postgres/data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: {{ service.name }}
+      POSTGRES_USER: {{ sub.username }}
+      POSTGRES_PASSWORD: {{ sub.password }}
+{% endif %}
+{% if sub.name is defined and sub.name == "redis" %}
+  {{ service.name }}-redis:
+    container_name: {{ service.name }}-redis
+    image: docker.io/library/redis:{{ sub.version }}
+    restart: unless-stopped
+    hostname: {{ service.name }}-redis
+    networks:
+      - net
+    volumes:
+      - /opt/local/{{ service.name }}/redis/data:/data
+{% endif %}
+{% if sub.name is defined and sub.name == "chrome" %}
+  {{ service.name }}-chrome:
+    image: gcr.io/zenika-hub/alpine-chrome:{{ sub.version }}
+    container_name: {{ service.name }}-chrome
+    restart: unless-stopped
+    networks:
+      - net
+    command:
+      - --no-sandbox
+      - --disable-gpu
+      - --disable-dev-shm-usage
+      - --remote-debugging-address=0.0.0.0
+      - --remote-debugging-port=9222
+      - --hide-scrollbars
+{% endif %}
+{% if sub.name is defined and sub.name == "meilisearch" %}
+  {{ service.name }}-meilisearch:
+    container_name: {{ service.name }}-meilisearch
+    image: getmeili/meilisearch:{{ sub.version }}
+    restart: unless-stopped
+    hostname: {{ service.name }}-meilisearch
+    networks:
+      - net
+    volumes:
+      - /opt/local/{{ service.name }}/mailisearch/data:/meili_data
+    environment:
+      - MEILI_NO_ANALYTICS=true
+      - NEXTAUTH_SECRET={{ sub.nextauth_secret }}
+      - MEILI_MASTER_KEY={{ sub.meili_master_key }}
+      - OPENAI_API_KEY="{{ sub.openai_key }}"
+{% endif %}
+{% endfor %}
 {% endif %}
-
 {% endif %}
 {% endfor %}
 networks:
@@ -90,6 +162,3 @@ networks:
      driver: default
      config:
        - subnet: 172.16.69.0/24
-
-volumes:
-  prometheus_data: {}
--- a/roles/docker_host/templates/keycloak/realm.json.j2
+++ b/roles/docker_host/templates/keycloak/realm.json.j2
@@ -0,0 +1,79 @@
+{
+  "realm": "{{ keycloak.realm }}",
+  "enabled": true,
+  "displayName": "{{ keycloak.display_name }}",
+  "displayNameHtml": "<div class=\"kc-logo-text\">{{keycloak.display_name}}</div>",
+  "bruteForceProtected": true,
+  "users": [
+{% if keycloak.users is defined and keycloak.users is iterable %}
+{% for user in keycloak.users %}
+    {
+      "username": "{{ user.username }}",
+      "enabled": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "{{ user.password }}",
+          "temporary": false
+        }
+      ],
+      "realmRoles": [
+{% for realm_role in user.realm_roles %}
+        "{{ realm_role }}"{%- if not loop.last %},{% endif %}{{''}}
+{% endfor %}
+      ],
+      "clientRoles": {
+        "account": [
+{% for account in user.client_roles.account %}
+          "{{ account }}"{%- if not loop.last %},{% endif %}{{''}}
+{% endfor %}
+        ]
+      }
+    },{% if not loop.last %}{% endif %}
+{% endfor %}
+{% endif %}
+    {
+      "username": "{{ keycloak.admin.username }}",
+      "enabled": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "{{ keycloak.admin.password }}",
+          "temporary": false
+        }
+      ],
+      "realmRoles": [
+{% for realm_role in keycloak.admin.realm_roles %}
+        "{{ realm_role }}"{% if not loop.last %},{% endif %}{{''}}
+{% endfor %}
+      ],
+      "clientRoles": {
+        "realm-management": [
+{% for realm_management in keycloak.admin.client_roles.realm_management %}
+          "{{ realm_management }}"{%- if not loop.last %},{% endif %}{{''}}
+{% endfor %}
+        ],
+        "account": [
+{% for account in keycloak.admin.client_roles.account %}
+          "{{ account }}"{%- if not loop.last %},{% endif %}{{''}}
+{% endfor %}
+        ]
+      }
+    }
+  ],
+  "roles": {
+    "realm": [
+{% for role in keycloak.roles.realm %}
+      {
+        "name": "{{ role.name }}",
+        "description": "{{ role.name }}"
+      }{% if not loop.last %},{% endif %}
+{% endfor %}
+    ]
+  },
+  "defaultRoles": [
+{% for role in keycloak.roles.default_roles %}
+      "{{ role }}"{% if not loop.last %},{% endif %}{{''}}
+{% endfor %}
+  ]
+}
--- a/roles/docker_host/vars/main.yml
+++ b/roles/docker_host/vars/main.yml
@@ -0,0 +1,9 @@
+docker_host_package_common_dependencies:
+  - nfs-common
+  - firmware-misc-nonfree
+  - linux-image-amd64
+
+apt_lock_files:
+  - /var/lib/dpkg/lock
+  - /var/lib/dpkg/lock-frontend
+  - /var/cache/apt/archives/lock
--- a/roles/k3s_agent/tasks/installation.yml
+++ b/roles/k3s_agent/tasks/installation.yml
@@ -16,6 +16,6 @@
  ansible.builtin.command: |
    /tmp/k3s_install.sh
  environment:
-    K3S_URL: "https://{{ k3s.loadbalancer.ip }}:{{ k3s.loadbalancer.default_port }}"
+    K3S_URL: "https://{{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }}:{{ k3s.loadbalancer.default_port }}"
    K3S_TOKEN: "{{ k3s_token }}"
  become: true
--- a/roles/k3s_loadbalancer/handlers/main.yml
+++ b/roles/k3s_loadbalancer/handlers/main.yml
--- a/roles/k3s_loadbalancer/tasks/configuration.yml
+++ b/roles/k3s_loadbalancer/tasks/configuration.yml
@@ -2,7 +2,7 @@
 - name: Template the nginx config file with dynamic upstreams
  ansible.builtin.template:
    src: templates/nginx.conf.j2
-    dest: "{{ nginx_config_path }}"
+    dest: "{{ k3s_loadbalancer_nginx_config_path }}"
    owner: root
    group: root
    mode: "0644"
@@ -10,7 +10,7 @@
  notify:
    - Restart nginx
  vars:
-    k3s_server_ips: "{{ k3s.server.ips }}"
+    k3s_server_ips: "{{ groups['k3s_server'] | map('extract', hostvars, 'ansible_default_ipv4') | map(attribute='address') | unique | list }}"

 - name: Enable nginx
  ansible.builtin.systemd:
--- a/roles/k3s_loadbalancer/tasks/installation.yml
+++ b/roles/k3s_loadbalancer/tasks/installation.yml
--- a/roles/k3s_loadbalancer/tasks/main.yml
+++ b/roles/k3s_loadbalancer/tasks/main.yml
--- a/roles/k3s_loadbalancer/templates/nginx.conf.j2
+++ b/roles/k3s_loadbalancer/templates/nginx.conf.j2
@@ -0,0 +1,87 @@
+include /etc/nginx/modules-enabled/*.conf;
+
+events {}
+
+stream {
+# TCP Load Balancing for the K3s API
+  upstream k3s_servers {
+    {% for ip in k3s_server_ips %}
+    server {{ ip }}:{{ k3s.loadbalancer.default_port }};
+    {% endfor %}
+  }
+
+  server {
+    listen {{k3s.loadbalancer.default_port}};
+    proxy_pass k3s_servers;
+  }
+
+  upstream dns_servers {
+    {% for ip in k3s_server_ips %}
+    server {{ ip }}:53;
+    {% endfor %}
+  }
+
+  server {
+    listen 53 udp;
+    proxy_pass dns_servers;
+  }
+}
+
+# http {
+#   upstream k3s_servers_http {
+#     least_conn;
+#     {% for ip in k3s_server_ips %}
+#     server {{ ip }}:80;
+#     {% endfor %}
+#   }
+#
+#   upstream k3s_servers_https {
+#     least_conn;
+#     {% for ip in k3s_server_ips %}
+#     server {{ ip }}:443;
+#     {% endfor %}
+#   }
+#
+#   server {
+#     listen 80;
+#
+#     location / {
+#       proxy_pass http://k3s_servers_http;
+#       proxy_set_header Host $http_host;
+#       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#       proxy_set_header X-Forwarded-Proto http;
+#     }
+#   }
+#
+#   server {
+#     listen 443 ssl;
+#
+#     server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de;
+#
+#     ssl_certificate /etc/nginx/ssl/staging_tls.crt;
+#     ssl_certificate_key /etc/nginx/ssl/staging_tls.key;
+#
+#     location / {
+#       proxy_pass https://k3s_servers_https;
+#       proxy_set_header Host $host;
+#       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#       proxy_set_header X-Forwarded-Proto https;
+#     }
+#   }
+#
+#   server {
+#     listen 443 ssl;
+#
+#     server_name k3s.seyshiro.de *.k3s.seyshiro.de;
+#
+#     ssl_certificate /etc/nginx/ssl/production_tls.crt;
+#     ssl_certificate_key /etc/nginx/ssl/production_tls.key;
+#
+#     location / {
+#       proxy_pass https://k3s_servers_https;
+#       proxy_set_header Host $host;
+#       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#       proxy_set_header X-Forwarded-Proto https;
+#     }
+#   }
+# }
--- a/roles/k3s_loadbalancer/vars/main.yml
+++ b/roles/k3s_loadbalancer/vars/main.yml
@@ -0,0 +1 @@
+k3s_loadbalancer_nginx_config_path: "/etc/nginx/nginx.conf"
--- a/roles/k3s_server/tasks/installation.yml
+++ b/roles/k3s_server/tasks/installation.yml
@@ -16,9 +16,7 @@
  ansible.builtin.command: |
    /tmp/k3s_install.sh server \
    --node-taint CriticalAddonsOnly=true:NoExecute \
-    --tls-san {{ k3s.loadbalancer.ip }}
-  environment:
-    K3S_DATASTORE_ENDPOINT: "{{ k3s_db_connection_string }}"
+    --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }}
  become: true
  async: 300
  poll: 0
@@ -53,6 +51,5 @@
    --node-taint CriticalAddonsOnly=true:NoExecute \
    --tls-san {{ k3s.loadbalancer.ip }}
  environment:
-    K3S_DATASTORE_ENDPOINT: "{{ k3s_db_connection_string }}"
    K3S_TOKEN: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s.server.ips[0] ) | select() | first | items2dict).host.hostname].k3s_token }}"
  become: true
--- a/roles/k3s_storage/tasks/installation.yml
+++ b/roles/k3s_storage/tasks/installation.yml
@@ -18,6 +18,6 @@
    --node-taint storage=true:NoExecute \
    --node-label longhorn=true
  environment:
-    K3S_URL: "https://{{ k3s.loadbalancer.ip }}:{{ k3s.loadbalancer.default_port }}"
+    K3S_URL: "https://{{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }}:{{ k3s.loadbalancer.default_port }}"
    K3S_TOKEN: "{{ k3s_token }}"
  become: true
--- a/roles/loadbalancer/templates/nginx.conf.j2
+++ b/roles/loadbalancer/templates/nginx.conf.j2
@@ -1,89 +0,0 @@
-include /etc/nginx/modules-enabled/*.conf;
-
-events {}
-
-stream {
-# TCP Load Balancing for the K3s API
-  upstream k3s_servers {
-    {% for ip in k3s_server_ips %}
-    server {{ ip }}:{{k3s.loadbalancer.default_port}};
-    {% endfor %}
-  }
-
-  server {
-    listen {{k3s.loadbalancer.default_port}};
-    proxy_pass k3s_servers;
-  }
-
-  upstream dns_servers {
-    {% for ip in k3s_server_ips %}
-    server {{ ip }}:53;
-    {% endfor %}
-  }
-
-  server {
-    listen 53 udp;
-    proxy_pass dns_servers;
-  }
-}
-
-http {
-  upstream k3s_servers_http {
-    least_conn;
-    {% for ip in k3s_server_ips %}
-    server {{ ip }}:80;
-    {% endfor %}
-  }
-
-  upstream k3s_servers_https {
-    least_conn;
-    {% for ip in k3s_server_ips %}
-    server {{ ip }}:443;
-    {% endfor %}
-  }
-
-  server {
-    listen 80;
-
-    location / {
-      proxy_pass http://k3s_servers_http;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto http;
-    }
-  }
-
-  server {
-    listen 443 ssl;
-
-    server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de;
-
-    ssl_certificate /etc/nginx/ssl/staging_tls.crt;
-    ssl_certificate_key /etc/nginx/ssl/staging_tls.key;
-
-    location / {
-      proxy_pass https://k3s_servers_https;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto https;
-    }
-  }
-
-  server {
-    listen 443 ssl;
-
-    server_name k3s.seyshiro.de *.k3s.seyshiro.de;
-
-    ssl_certificate /etc/nginx/ssl/production_tls.crt;
-    ssl_certificate_key /etc/nginx/ssl/production_tls.key;
-
-    location / {
-      proxy_pass https://k3s_servers_https;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto https;
-    }
-  }
-}
-
-
--- a/roles/loadbalancer/vars/main.yml
+++ b/roles/loadbalancer/vars/main.yml
@@ -1 +0,0 @@
-nginx_config_path: "/etc/nginx/nginx.conf"
--- a/roles/postgres/handlers/main.yml
+++ b/roles/postgres/handlers/main.yml
@@ -1,6 +0,0 @@
---
- name: Restart postgres
-  ansible.builtin.systemd:
-    name: postgresql
-    state: restarted
-  become: true
--- a/roles/postgres/tasks/ansible_deps.yml
+++ b/roles/postgres/tasks/ansible_deps.yml
@@ -1,10 +0,0 @@
---
- name: Update apt cache
-  ansible.builtin.apt:
-    update_cache: true
-  become: true
-
- name: Install ansible dependencies
-  ansible.builtin.apt:
-    name: "{{ ansible_dependencies }}"
-  become: true
--- a/roles/postgres/tasks/configuration.yml
+++ b/roles/postgres/tasks/configuration.yml
@@ -1,69 +0,0 @@
---
- name: "Create postgres user: {{ db.user }}"
-  community.postgresql.postgresql_user:
-    state: present
-    name: "{{ db.user }}"
-    password: "{{ db.password }}"
-  become: true
-  become_user: "{{ db.default_user.user }}"
-  vars:
-    ansible_remote_temp: "/tmp/"
-
- name: "Create database: {{ db.name }}"
-  community.postgresql.postgresql_db:
-    state: present
-    name: "{{ db.name }}"
-    encoding: UTF8
-    lc_collate: "en_US.UTF-8"
-    lc_ctype: "en_US.UTF-8"
-  become: true
-  become_user: postgres
-  vars:
-    ansible_remote_temp: "/tmp/"
-
- name: "Grant privileges to {{ db.user }}"
-  community.postgresql.postgresql_privs:
-    db: "{{ db.name }}"
-    privs: ALL
-    type: database
-    roles: "{{ db.user }}"
-  become: true
-  become_user: postgres
-  vars:
-    ansible_remote_temp: "/tmp/"
-
- name: "Grant all privileges on schema public to {{ db.user }};"
-  community.postgresql.postgresql_privs:
-    db: "{{ db.name }}"
-    privs: ALL
-    type: schema
-    obj: "public"
-    roles: "{{ db.user }}"
-  become: true
-  become_user: postgres
-  vars:
-    ansible_remote_temp: "/tmp/"
-
- name: "Allow md5 connection for the user {{ db.user }}"
-  community.postgresql.postgresql_pg_hba:
-    dest: "/etc/postgresql/15/main/pg_hba.conf"
-    contype: host
-    databases: all
-    method: md5
-    address: "{{ k3s.net }}"
-    users: "{{ db.user }}"
-    create: false
-  become: true
-  notify:
-    - Restart postgres
-
- name: "Set public listen address"
-  become: true
-  ansible.builtin.lineinfile:
-    dest: "/etc/postgresql/15/main/conf.d/listen.conf"
-    regexp: "^#?listen_addresses="
-    line: "listen_addresses='{{ db.listen_address | default('localhost') }}'"
-    state: present
-    mode: "644"
-    create: true
-  notify: "Restart postgres"
--- a/roles/postgres/tasks/installation.yml
+++ b/roles/postgres/tasks/installation.yml
@@ -1,14 +0,0 @@
---
- name: Install postgres
-  ansible.builtin.apt:
-    name: "{{ postgres_packages }}"
-    state: present
-  become: true
-
- name: Start and enable the service
-  ansible.builtin.systemd:
-    name: postgresql
-    state: started
-    daemon_reload: true
-    enabled: true
-  become: true
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -1,7 +0,0 @@
---
- name: Install ansible dependencies for this role
-  ansible.builtin.include_tasks: ansible_deps.yml
- name: Install postgres
-  ansible.builtin.include_tasks: installation.yml
- name: Configure Database
-  ansible.builtin.include_tasks: configuration.yml
--- a/roles/postgres/vars/main.yml
+++ b/roles/postgres/vars/main.yml
@@ -1,9 +0,0 @@
-ansible_dependencies:
-  - python3-pip
-  - python3-psycopg
-  - python3-pexpect
-  - acl
-
-postgres_packages:
-  - postgresql
-  - postgresql-client
--- a/roles/postgres_exporter/handlers/main.yml
+++ b/roles/postgres_exporter/handlers/main.yml
@@ -1,6 +0,0 @@
---
- name: "Restart {{ bin_name }}"
-  ansible.builtin.service:
-    name: "{{ bin_name }}"
-    state: restarted
-  become: true
--- a/roles/postgres_exporter/tasks/get_version.yml
+++ b/roles/postgres_exporter/tasks/get_version.yml
@@ -1,18 +0,0 @@
---
- name: Determine latest GitHub release (local)
-  delegate_to: localhost
-  ansible.builtin.uri:
-    url: "https://api.github.com/repos/{{ repository }}/releases/{{ version }}"
-    body_format: json
-  register: _github_release
-  until: _github_release.status == 200
-  retries: 3
-
- name: Set version
-  ansible.builtin.set_fact:
-    tag: "{{ _github_release.json.tag_name
-      | regex_replace('^v?([0-9\\.]+)$', '\\1') }}"
-
- name: Set download_url
-  ansible.builtin.set_fact:
-    download_url: "https://github.com/{{ repository }}/releases/download/v{{ tag }}/{{ bin_name }}-{{ tag }}.linux-{{ go_arch }}.tar.gz"
--- a/roles/postgres_exporter/tasks/install.yml
+++ b/roles/postgres_exporter/tasks/install.yml
@@ -1,29 +0,0 @@
---
- name: Download/Extract "{{ download_url }}"
-  ansible.builtin.unarchive:
-    src: "{{ download_url }}"
-    dest: /tmp/
-    remote_src: true
-    mode: "755"
-
- name: "Move binary into path: {{ bin_path }}"
-  ansible.builtin.copy:
-    src: "/tmp/{{ bin_name }}-{{ tag }}.linux-{{ go_arch }}/{{ bin_name }}"
-    dest: "{{ bin_path }}"
-    mode: "755"
-    remote_src: true
-  become: true
-
- name: "Create user: {{ bin_name }}"
-  ansible.builtin.user:
-    name: "{{ bin_name }}"
-    shell: /sbin/nologin
-    state: present
-  become: true
-
- name: Copy the node_exporter systemd unit file.
-  ansible.builtin.template:
-    src: "{{ bin_name }}.service.j2"
-    dest: "/etc/systemd/system/{{ bin_name }}.service"
-    mode: "644"
-  become: true
--- a/roles/postgres_exporter/tasks/main.yml
+++ b/roles/postgres_exporter/tasks/main.yml
@@ -1,7 +0,0 @@
---
- name: Get Version
-  ansible.builtin.include_tasks: get_version.yml
- name: Install exporter
-  ansible.builtin.include_tasks: install.yml
- name: Create service
-  ansible.builtin.include_tasks: systemd.yml
--- a/roles/postgres_exporter/tasks/systemd.yml
+++ b/roles/postgres_exporter/tasks/systemd.yml
@@ -1,10 +0,0 @@
---
- name: "Ensure service is running and enabled: {{ bin_name }}"
-  ansible.builtin.service:
-    name: "{{ bin_name }}"
-    state: started
-    daemon_reload: true
-    enabled: true
-  notify:
-    - Restart "{{ bin_name }}"
-  become: true
--- a/roles/postgres_exporter/templates/postgres_exporter.service.j2
+++ b/roles/postgres_exporter/templates/postgres_exporter.service.j2
@@ -1,14 +0,0 @@
-[Unit]
-Description=PostgresExporter
-
-[Service]
-TimeoutStartSec=0
-User={{ bin_name }}
-ExecStart={{ bin_path }} --web.listen-address={{ host.ip }}:{{ bind_port }} {{ options }}
-Environment="DATA_SOURCE_URI=localhost:5432/postgres?sslmode=disable"
-Environment="DATA_SOURCE_USER={{ db.user }}"
-Environment="DATA_SOURCE_PASS={{ db.password }}"
-
-[Install]
-WantedBy=multi-user.target
-
--- a/roles/postgres_exporter/vars/main.yml
+++ b/roles/postgres_exporter/vars/main.yml
@@ -1,16 +0,0 @@
-go_arch_map:
-  i386: "386"
-  x86_64: "amd64"
-  aarch64: "arm64"
-  armv7l: "armv7"
-  armv6l: "armv6"
-
-go_arch: "{{ go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
-
-repository: "prometheus-community/postgres_exporter"
-bind_port: 9187
-version: "latest"
-serve: "localhost"
-options: ""
-bin_name: postgres_exporter
-bin_path: "/usr/local/bin/{{ bin_name }}"
--- a/roles/proxmox/files/check_proxmox_vm.sh
+++ b/roles/proxmox/files/check_proxmox_vm.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Configuration
+VM_ID=303
+TARGET_IP="192.168.20.36" # Replace with the IP of your VM
+PORT=22
+CHECK_INTERVAL=300 # 5 minutes in seconds
+LOG_FILE="/var/log/vm_monitor.log"
+
+# Function to log messages
+log_message() {
+	echo "$(date): $1" | tee -a $LOG_FILE
+}
+
+# Check if running on a Proxmox host
+if ! command -v qm &>/dev/null; then
+	log_message "qm command not found. This script must run on a Proxmox host."
+	exit 1
+fi
+
+# Function to check port
+check_port() {
+	# Try nc first if available
+	if command -v nc &>/dev/null; then
+		if nc -z -w 5 $TARGET_IP $PORT 2>/dev/null; then
+			return 0 # Port is open
+		else
+			return 1 # Port is closed
+		fi
+	# Fall back to nmap if nc is not available
+	elif command -v nmap &>/dev/null; then
+		if nmap -p $PORT $TARGET_IP | grep -q "$PORT/tcp.*open"; then
+			return 0 # Port is open
+		else
+			return 1 # Port is closed
+		fi
+	else
+		log_message "Neither nc nor nmap found. Please install one of them."
+		exit 1
+	fi
+}
+
+# Function to restart the VM
+restart_vm() {
+	log_message "Port $PORT is not reachable. Restarting VM $VM_ID..."
+
+	# Stop the VM
+	qm stop $VM_ID
+	if [ $? -ne 0 ]; then
+		log_message "Failed to stop VM $VM_ID. Trying force stop..."
+		qm stop $VM_ID --force
+	fi
+
+	# Wait for VM to fully stop
+	log_message "Waiting for VM to stop..."
+	sleep 10
+
+	# Start the VM
+	qm start $VM_ID
+	if [ $? -ne 0 ]; then
+		log_message "Failed to start VM $VM_ID. Manual intervention required."
+		exit 1
+	fi
+
+	log_message "VM $VM_ID has been restarted."
+}
+
+# Main loop
+log_message "Starting monitoring of VM $VM_ID on port $PORT..."
+log_message "Press Ctrl+C to exit."
+
+while true; do
+	# Check if port 22 is open
+	if ! check_port; then
+		restart_vm
+	else
+		log_message "Port $PORT is reachable. VM is running normally."
+	fi
+
+	# Wait for the next check
+	log_message "Sleeping for $CHECK_INTERVAL seconds..."
+	sleep $CHECK_INTERVAL
+done
--- a/roles/proxmox/handlers/node.yml
+++ b/roles/proxmox/handlers/node.yml
@@ -0,0 +1,6 @@
+---
+- name: Reboot Node
+  ansible.builtin.reboot:
+    connect_timeout: 5
+    reboot_timeout: 600
+    test_command: whoami
--- a/roles/proxmox/tasks/00_setup_machines.yml
+++ b/roles/proxmox/tasks/00_setup_machines.yml
@@ -0,0 +1,8 @@
+---
+- name: Prepare Localhost
+  ansible.builtin.include_tasks: ./01_setup_localhost.yml
+  when: is_localhost
+
+- name: Prepare Localhost
+  ansible.builtin.include_tasks: ./05_setup_node.yml
+  when: is_proxmox_node
--- a/roles/proxmox/tasks/01_setup_localhost.yml
+++ b/roles/proxmox/tasks/01_setup_localhost.yml
@@ -0,0 +1,7 @@
+---
+- name: Install dependencies
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    update_cache: true
+    state: present
+  loop: "{{ proxmox_localhost_dependencies }}"
--- a/roles/proxmox/tasks/05_setup_node.yml
+++ b/roles/proxmox/tasks/05_setup_node.yml
@@ -0,0 +1,10 @@
+---
+- name: Install dependencies
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    update_cache: true
+    state: present
+  loop: "{{ proxmox_node_dependencies }}"
+
+- name: Ensure Harware Acceleration on node
+  ansible.builtin.include_tasks: 06_hardware_acceleration.yml
--- a/roles/proxmox/tasks/06_hardware_acceleration.yml
+++ b/roles/proxmox/tasks/06_hardware_acceleration.yml
@@ -0,0 +1,41 @@
+---
+- name: Set GRUB_CMDLINE_LINUX_DEFAULT for PCI passthrough
+  ansible.builtin.lineinfile:
+    path: /etc/default/grub
+    regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction initcall_blacklist=sysfb_init video=simplefb:off video=vesafb:off video=efifb:off video=vesa:off disable_vga=1 vfio_iommu_type1.allow_unsafe_interrupts=1 kvm.ignore_msrs=1 modprobe.blacklist=radeon,nouveau,nvidia,nvidiafb,nvidia-gpu,snd_hda_intel,snd_hda_codec_hdmi,i915"'
+    backup: true
+  register: iommu_result
+
+- name: Set GRUB_CMDLINE_LINUX_DEFAULT for PCI passthrough
+  ansible.builtin.lineinfile:
+    path: /etc/default/grub
+    regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction initcall_blacklist=sysfb_init video=simplefb:off video=vesafb:off video=efifb:off video=vesa:off disable_vga=1 vfio_iommu_type1.allow_unsafe_interrupts=1 kvm.ignore_msrs=1 modprobe.blacklist=radeon,nouveau,nvidia,nvidiafb,nvidia-gpu,snd_hda_intel,snd_hda_codec_hdmi,i915"'
+    backup: true
+  register: iommu_result
+
+- name: Ensure VFIO modules are listed in /etc/modules
+  ansible.builtin.blockinfile:
+    path: /etc/modules
+    marker: "# {mark} VFIO Modules"
+    block: |
+      vfio
+      vfio_iommu_type1
+      vfio_pci
+      vfio_virqfd
+    create: true
+    backup: true
+  register: vfio_result
+
+- name: Update initramfs
+  ansible.builtin.command: update-initramfs -u -k all
+  when: iommu_result.changed or vfio_result.changed
+  # notify:
+  #   - Reboot Node
+
+- name: update grub configuration
+  ansible.builtin.command: update-grub
+  when: iommu_result.changed or vfio_result.changed
+  # notify:
+  #   - Reboot Node
--- a/roles/proxmox/tasks/10_create_secrets.yml
+++ b/roles/proxmox/tasks/10_create_secrets.yml
@@ -0,0 +1,12 @@
+---
+- name: Ensure Vault file exists
+  ansible.builtin.file:
+    path: "{{ proxmox_vault_file }}"
+    state: touch
+    mode: "0600"
+
+- name: Update Vault data
+  ansible.builtin.include_tasks: 15_create_secret.yml
+  loop: "{{ vms | map(attribute='name') }}"
+  loop_control:
+    loop_var: "vm_name"
--- a/roles/proxmox/tasks/15_create_secret.yml
+++ b/roles/proxmox/tasks/15_create_secret.yml
@@ -0,0 +1,47 @@
+---
+- name: Decrypt vm vault file
+  ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
+  ignore_errors: true
+  no_log: true
+
+- name: Load existing vault content
+  ansible.builtin.slurp:
+    src: "{{ proxmox_vault_file }}"
+  register: vault_content
+  no_log: true
+
+- name: Parse vault content as YAML
+  ansible.builtin.set_fact:
+    vault_data: "{{ (vault_content['content'] | b64decode | from_yaml) if (vault_content['content'] | length > 0) else {} }}"
+  no_log: true
+
+- name: Setup secret name
+  ansible.builtin.set_fact:
+    vm_name_secret: "{{ proxmox_secrets_prefix }}_{{ vm_name | replace('-','_') }}"
+
+- name: Check if variable is in vault
+  ansible.builtin.set_fact:
+    variable_exists: "{{ vm_name_secret in vault_data }}"
+
+- name: Set new secret
+  ansible.builtin.set_fact:
+    cipassword: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
+  when: not variable_exists
+
+- name: Set new secret
+  ansible.builtin.set_fact:
+    new_vault_data: "{{ vault_data | combine({ vm_name_secret: cipassword }) }}"
+  when: not variable_exists
+
+- name: Write updated Vault content to file (temporary plaintext)
+  ansible.builtin.copy:
+    content: "{{ new_vault_data | to_nice_yaml }}"
+    dest: "{{ proxmox_vault_file }}"
+    mode: "0600"
+  when: not variable_exists
+  no_log: true
+
+- name: Encrypt vm vault file
+  ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
+  ignore_errors: true
+  no_log: true
--- a/roles/proxmox/tasks/40_prepare_vm_creation.yml
+++ b/roles/proxmox/tasks/40_prepare_vm_creation.yml
@@ -0,0 +1,6 @@
+---
+- name: Download Cloud Init Isos
+  ansible.builtin.include_tasks: 42_download_isos.yml
+  loop: "{{ proxmox_cloud_init_images | dict2items | map(attribute='value') }}"
+  loop_control:
+    loop_var: distro
--- a/roles/proxmox/tasks/42_download_isos.yml
+++ b/roles/proxmox/tasks/42_download_isos.yml
@@ -0,0 +1,28 @@
+---
+- name: Check if file exists
+  ansible.builtin.stat:
+    path: "{{ proxmox_dirs.isos }}/{{ distro.name }}"
+  register: image_stat
+
+- name: Download image if missing
+  ansible.builtin.get_url:
+    url: "{{ distro.url }}"
+    dest: "{{ proxmox_dirs.isos }}/{{ distro.name }}"
+    mode: "0644"
+  when: not image_stat.stat.exists
+
+- name: Set raw image file name fact
+  ansible.builtin.set_fact:
+    raw_image_name: "{{ distro.name | splitext | first }}.img"
+
+- name: Check if raw image already exists
+  ansible.builtin.stat:
+    path: "{{ proxmox_dirs.isos }}/{{ raw_image_name }}"
+  register: raw_image_stat
+
+- name: Convert image to raw format
+  ansible.builtin.command:
+    cmd: "qemu-img convert -O raw {{ proxmox_dirs.isos }}/{{ distro.name }} {{ proxmox_dirs.isos }}/{{ raw_image_name }}"
+  when:
+    - download_result is changed or not raw_image_stat.stat.exists
+    - image_stat.stat.exists
--- a/roles/proxmox/tasks/50_create_vms.yml
+++ b/roles/proxmox/tasks/50_create_vms.yml
@@ -0,0 +1,17 @@
+---
+- name: Load vault variables
+  ansible.builtin.include_vars:
+    file: "{{ proxmox_vault_file }}"
+    name: vm_secrets
+
+# - name: Destroy vms (Only during rapid testing)
+#   ansible.builtin.include_tasks: 54_destroy_vm.yml
+#   loop: "{{ vms }}"
+#   loop_control:
+#     loop_var: "vm"
+
+- name: Create vms
+  ansible.builtin.include_tasks: 55_create_vm.yml
+  loop: "{{ vms }}"
+  loop_control:
+    loop_var: "vm"
--- a/roles/proxmox/tasks/54_destroy_vm.yml
+++ b/roles/proxmox/tasks/54_destroy_vm.yml
@@ -0,0 +1,33 @@
+---
+- name: Gather info about VM
+  community.general.proxmox_vm_info:
+    api_user: "{{ proxmox_api_user }}@pam"
+    api_token_id: "{{ proxmox_api_token_id }}"
+    api_token_secret: "{{ proxmox_api_token_secret }}"
+    api_host: "192.168.20.12"
+    vmid: "{{ vm.vmid }}"
+  register: vm_info
+
+- name: Stop VM
+  community.general.proxmox_kvm:
+    api_user: "{{ proxmox_api_user }}@pam"
+    api_token_id: "{{ proxmox_api_token_id }}"
+    api_token_secret: "{{ proxmox_api_token_secret }}"
+    api_host: "192.168.20.12"
+    node: "{{ vm.node }}"
+    vmid: "{{ vm.vmid }}"
+    state: stopped
+    force: true
+  when: vm_info.proxmox_vms | length > 0
+
+- name: Destroy VM
+  community.general.proxmox_kvm:
+    api_user: "{{ proxmox_api_user }}@pam"
+    api_token_id: "{{ proxmox_api_token_id }}"
+    api_token_secret: "{{ proxmox_api_token_secret }}"
+    api_host: "192.168.20.12"
+    node: "{{ vm.node }}"
+    vmid: "{{ vm.vmid }}"
+    state: absent
+    force: true
+  when: vm_info.proxmox_vms | length > 0
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tuan-Dat Tran	f1b0cfad2c	refactor(k3s): streamline inventory and primary server IP handling Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-13 00:40:48 +02:00
Tuan-Dat Tran	dac0d88d60	feat(proxmox): add k3s agents and refine VM provisioning Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-12 23:08:44 +02:00
Tuan-Dat Tran	609e000089	refactor(ansible): centralize inventory and variables in 'vars' directory Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-12 21:38:53 +02:00
Tuan-Dat Tran	3d7f652ff3	refactor(ansible): restructure inventory and remove postgres role Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-07-12 20:35:26 +02:00
Tuan-Dat Tran	cb8ccd8f00	wip Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-06-07 01:19:27 +02:00
Tuan-Dat Tran	02168225b1	wip Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-06-07 00:16:54 +02:00
Tuan-Dat Tran	6ff1ccecd0	refactor(infra): reorganize docker host VMs and service assignments Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-07 00:02:30 +02:00
Tuan-Dat Tran	de62327fde	Add naruto01 to proxmox nodes Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-06 13:33:46 +02:00
Tuan-Dat Tran	b70c8408dc	2025-05-03T21:41+02:00 Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-03 21:41:32 +02:00
Tuan-Dat Tran	a913e1cbc0	refactor: reorganize proxmox roles, add hardware acceleration, and update common config tasks Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-05-03 10:24:50 +02:00
Tuan-Dat Tran	e3c67a32e9	feat(reverse_proxy): add Netcup DNS ACME challenge support and refactor Caddy setup Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-28 23:24:29 +02:00
Tuan-Dat Tran	8f2998abc0	refactor(ansible): use ansible_user_id and add root package condition Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-27 18:15:07 +02:00
Tuan-Dat Tran	7fcee3912f	refactor(ansible): refactor common role application and improve vm ssh config Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-27 17:46:41 +02:00
Tuan-Dat Tran	591342f580	feat(proxmox): refactor vm provisioning and add pci passthrough config Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-26 23:34:42 +02:00
Tuan-Dat Tran	f2ea03bc01	feat(proxmox): automatic vm creation Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-26 21:58:58 +02:00
Tuan-Dat Tran	0e8e07ed3e	feat(docker): Added healthcheck Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-26 13:21:02 +02:00
Tuan-Dat Tran	a2a58f6343	feat(keycloak\|docker): improved templating Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-25 23:37:24 +02:00
Tuan-Dat Tran	42196a32dc	feat(docker): Add karakeep and keycloak services Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-24 20:24:33 +02:00
Tuan-Dat Tran	6934a9f5fc	distributed secrets to group_vars and added karakeep Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-06 23:46:28 +02:00
Tuan-Dat Tran	27621aac03	Added proxmox-vm and static tagging of docker images Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-04-06 18:04:33 +02:00
Tuan-Dat Tran	56f058c254	moved ssh to cert based Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>	2025-03-25 01:09:08 +01:00
				`@@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==
				`@@ -0,0 +1 @@`
				`k3s_loadbalancer_nginx_config_path: "/etc/nginx/nginx.conf"`