From d9b3ceff6b1c8f4b80e0e59430e44b69c89bd228 Mon Sep 17 00:00:00 2001
From: Taqi Tahmid
Date: Sat, 23 Aug 2025 09:25:23 +0300
Subject: [PATCH] update infra and portfolio deployment
---
.../inventory/group_vars/wireguard.yaml | 18 ++++
infra/ansible/inventory/hosts.yaml | 8 ++
.../playbooks/configure-wireguard.yaml | 6 ++
.../roles/configure-wireguard/tasks/main.yaml | 92 +++++++++++++++++++
.../configure-wireguard/templates/wg0.conf.j2 | 25 +++++
infra/terraform/proxmox/terraform.tfvars | 19 +++-
kubernetes/README.md | 6 ++
kubernetes/kube-prometheus-stack/values.yaml | 5 +-
.../my-portfolio/portfolioManifest.yaml | 2 +-
kubernetes/woodpecker-ci/values.yaml | 1 +
10 files changed, 175 insertions(+), 7 deletions(-)
create mode 100644 infra/ansible/inventory/group_vars/wireguard.yaml
create mode 100644 infra/ansible/playbooks/configure-wireguard.yaml
create mode 100644 infra/ansible/roles/configure-wireguard/tasks/main.yaml
create mode 100644 infra/ansible/roles/configure-wireguard/templates/wg0.conf.j2
diff --git a/infra/ansible/inventory/group_vars/wireguard.yaml b/infra/ansible/inventory/group_vars/wireguard.yaml
new file mode 100644
index 0000000..ab2e36f
--- /dev/null
+++ b/infra/ansible/inventory/group_vars/wireguard.yaml
@@ -0,0 +1,18 @@
+apt_packages:
+ - curl
+ - vim
+ - htop
+ - wireguard
+
+wireguard_path: "/etc/wireguard"
+wireguard_interface: "wg0"
+wireguard_private_key_file: "{{ wireguard_path }}/server_private.key"
+wireguard_public_key_file: "{{ wireguard_path }}/server_public.key"
+wg_port: 51820
+wg_address: "10.0.0.1/24"
+wg_dns: "1.1.1.1"
+wg_peers:
+ - public_key: "LburMRtqT5LK0K1xzGGh4VkNVgWZQRm96dsxf6twbkw="
+ allowed_ips: "0.0.0.0/0"
+ endpoint: "tahmidcloud.com:51820"
+ persistent_keepalive: 25
diff --git a/infra/ansible/inventory/hosts.yaml b/infra/ansible/inventory/hosts.yaml
index 8e1b68a..f3262ac 100644
--- a/infra/ansible/inventory/hosts.yaml
+++ b/infra/ansible/inventory/hosts.yaml
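Review bot: The single `wg_peers` entry is a client-side peer definition placed in the server's group vars: `allowed_ips: "0.0.0.0/0"` together with `endpoint: "tahmidcloud.com:51820"` and `persistent_keepalive: 25`. On the server, AllowedIPs is the cryptokey-routing filter for which source addresses that peer may send and which destinations are routed to it, so `0.0.0.0/0` accepts any source address from this peer and lets wg-quick install a default route into the tunnel, while the MASQUERADE rule in the template forwards whatever arrives. The entry should carry only the peer's tunnel address, e.g. `allowed_ips: "10.0.0.2/32"` (constructed example inside the `wg_address` subnet), and `endpoint`/`persistent_keepalive` belong in the client's own config rather than here. The same values are rendered by the `[Peer]` block in the wg0.conf.j2 hunk, so the fix is in this file only.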
@@ -2,6 +2,7 @@ all: children: hypervisors: vms: + wireguard: hypervisors: children: @@ -56,3 +57,10 @@ vm_group_2: ansible_host: 192.168.1.162 ansible_user: "{{ ansible_vm_user }}" ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file }}" + +wireguard: + hosts: + vm10: + ansible_host: 192.168.1.174 + ansible_user: "{{ ansible_vm_user }}" + ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file }}" diff --git a/infra/ansible/playbooks/configure-wireguard.yaml b/infra/ansible/playbooks/configure-wireguard.yaml new file mode 100644 index 0000000..f586e48 --- /dev/null +++ b/infra/ansible/playbooks/configure-wireguard.yaml @@ -0,0 +1,6 @@ +- name: Configure WireGuard + hosts: wireguard + vars_files: + - ../secrets/vault.yaml # Load the encrypted vault file + roles: + - configure-wireguard \ No newline at end of file diff --git a/infra/ansible/roles/configure-wireguard/tasks/main.yaml b/infra/ansible/roles/configure-wireguard/tasks/main.yaml new file mode 100644 index 0000000..f2a8b03 --- /dev/null +++ b/infra/ansible/roles/configure-wireguard/tasks/main.yaml 
@@ -0,0 +1,92 @@
+---
+- name: Update apt cache
+ ansible.builtin.apt:
+ update_cache: yes
+ become: true
+
+- name: Install necessary packages
+ ansible.builtin.apt:
+ name: "{{ apt_packages }}"
+ state: present
+ become: true
+
+- name: Ensure WireGuard directory exists
+ ansible.builtin.file:
+ path: "{{ wireguard_path }}"
+ state: directory
+ mode: "0700"
+ owner: root
+ group: root
+ become: true
+
+- name: Generate WireGuard server private key
+ ansible.builtin.command:
+ cmd: wg genkey
+ register: wg_private_key
+ become: true
+
+- name: Save WireGuard server private key
+ ansible.builtin.copy:
+ content: "{{ wg_private_key.stdout | trim }}"
+ dest: "{{ wireguard_private_key_file }}"
+ mode: "0600"
+ owner: root
+ group: root
+ become: true
+
+- name: Read WireGuard private key from file
+ ansible.builtin.slurp:
+ src: "{{ wireguard_private_key_file }}"
+ register: wg_private_key_file_content
+ become: true
+
+- name: Decode WireGuard private key
+ ansible.builtin.set_fact:
+ wg_private_key_content: "{{ wg_private_key_file_content.content | b64decode | trim }}"
+
+- name: Generate WireGuard server public key (if not exists)
+ ansible.builtin.stat:
+ path: "{{ wireguard_public_key_file }}"
+ register: public_key_stat
+ become: true
+
+- name: Generate WireGuard server public key
+ ansible.builtin.shell:
+ cmd: "wg pubkey < {{ wireguard_private_key_file }}"
+ register: wg_public_key
+ become: true
+
+- name: Save WireGuard server public key
+ ansible.builtin.copy:
+ content: "{{ wg_public_key.stdout | trim }}"
+ dest: "{{ wireguard_public_key_file }}"
+ mode: "0644"
+ owner: root
+ group: root
+ become: true
+
+- name: Read WireGuard public key from file
+ ansible.builtin.slurp:
+ src: "{{ wireguard_public_key_file }}"
+ register: wg_public_key_file_content
+ become: true
+
+- name: Decode WireGuard public key
+ ansible.builtin.set_fact:
+ wg_public_key_content: "{{ wg_public_key_file_content.content | trim }}"
+
+- name: Create WireGuard configuration file
+ 
ansible.builtin.template:
+ src: "wg0.conf.j2"
+ dest: "{{ wireguard_path }}/wg0.conf"
+ owner: root
+ group: root
+ mode: "0600"
+ become: true
+
+- name: Enable and start WireGuard service
+ ansible.builtin.service:
+ name: "wg-quick@{{ wireguard_interface }}"
+ state: started
+ enabled: yes
+ become: true
diff --git a/infra/ansible/roles/configure-wireguard/templates/wg0.conf.j2 b/infra/ansible/roles/configure-wireguard/templates/wg0.conf.j2
new file mode 100644
index 0000000..786c597
--- /dev/null
+++ b/infra/ansible/roles/configure-wireguard/templates/wg0.conf.j2
@@ -0,0 +1,25 @@
+[Interface]
+Address = {{ wg_address }}
+ListenPort = {{ wg_port }}
+PrivateKey = {{ wg_private_key_content }}
+{% if wg_dns is defined %}
+DNS = {{ wg_dns }}
+{% endif %}
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+SaveConfig = true
+
+{% for peer in wg_peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+{% if peer.preshared_key is defined %}
+PresharedKey = {{ peer.preshared_key }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
+{% endfor %}
diff --git a/infra/terraform/proxmox/terraform.tfvars b/infra/terraform/proxmox/terraform.tfvars
index 7e8403e..e0e6542 100644
--- a/infra/terraform/proxmox/terraform.tfvars
+++ b/infra/terraform/proxmox/terraform.tfvars
@@ -9,7 +9,7 @@ vms = [
 vm_id = 105
 ip_address = "192.168.1.151/24"
 gateway = "192.168.1.1"
- dns_servers = ["192.168.1.145", "1.1.1.1"]
+ dns_servers = ["1.1.1.1"]
 cores = 2
 memory = 4096
 disk_size = 20
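Review bot: `wg genkey` in "Generate WireGuard server private key" runs on every play and the following `copy` overwrites `server_private.key` with the new output, so each run rotates the server key and silently breaks every configured peer; the `stat` registered as `public_key_stat` is never consulted by any `when:`, so it guards nothing. Generation should be conditional on the private-key file not existing, and the tasks that register or `set_fact` the private key need `no_log: true`, because registered stdout and fact values are printed in verbose runs and recorded by callback plugins. Separately, "Decode WireGuard public key" omits the `b64decode` its private-key twin applies, so `wg_public_key_content` holds the base64 of the slurped file rather than the key (not consumed by the template in this commit, but misleading). The rewritten tasks below replace the generate/save pair and the private-key `set_fact`; the rest of the hunk is unchanged.
```yaml
- name: Check whether a server private key already exists
  ansible.builtin.stat:
    path: "{{ wireguard_private_key_file }}"
  register: private_key_stat
  become: true

- name: Generate WireGuard server private key
  ansible.builtin.command:
    cmd: wg genkey
  register: wg_private_key
  when: not private_key_stat.stat.exists
  no_log: true
  become: true

- name: Save WireGuard server private key
  ansible.builtin.copy:
    content: "{{ wg_private_key.stdout | trim }}"
    dest: "{{ wireguard_private_key_file }}"
    mode: "0600"
    owner: root
    group: root
  when: not private_key_stat.stat.exists
  no_log: true
  become: true

# … unchanged: slurp of the private key file …

- name: Decode WireGuard private key
  ansible.builtin.set_fact:
    wg_private_key_content: "{{ wg_private_key_file_content.content | b64decode | trim }}"
  no_log: true

# … unchanged: public key generation, save, slurp …

- name: Decode WireGuard public key
  ansible.builtin.set_fact:
    wg_public_key_content: "{{ wg_public_key_file_content.content | b64decode | trim }}"
```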
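Review bot: `SaveConfig = true` makes wg-quick rewrite `wg0.conf` from the live interface state when the service stops, so the file rendered by the "Create WireGuard configuration file" task is overwritten out of band and the next play reports a change and restores it; with an Ansible-managed config this should be `SaveConfig = false` (or the line dropped). The `PostUp`/`PostDown` rules hard-code `eth0` as the masquerade egress interface while every other value in the file is a variable; something like `-o {{ wg_out_interface | default('eth0') }}` (constructed variable name) keeps it overridable per host, and the `[Peer] AllowedIPs` that feed these forwarding rules are discussed on the group_vars hunk. Note also that `DNS =` is only honoured by wg-quick when a resolvconf implementation is installed, which `apt_packages` does not include, so the interface may fail to come up if `wg_dns` is set.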
@@ -20,7 +20,7 @@ vms = [ vm_id = 205 ip_address = "192.168.1.161/24" gateway = "192.168.1.1" - dns_servers = ["192.168.1.145", "1.1.1.1"] + dns_servers = ["1.1.1.1"] cores = 2 memory = 4096 disk_size = 20 @@ -31,7 +31,7 @@ vms = [ vm_id = 301 ip_address = "192.168.1.172/24" gateway = "192.168.1.1" - dns_servers = ["192.168.1.145", "1.1.1.1"] + dns_servers = ["1.1.1.1"] cores = 2 memory = 4096 disk_size = 50 @@ -42,10 +42,21 @@ vms = [ vm_id = 302 ip_address = "192.168.1.173/24" gateway = "192.168.1.1" - dns_servers = ["192.168.1.145", "1.1.1.1"] + dns_servers = ["1.1.1.1"] cores = 2 memory = 4096 disk_size = 50 + }, + { + name = "vm10" + node_name = "homeserver3" + vm_id = 303 + ip_address = "192.168.1.174/24" + gateway = "192.168.1.1" + dns_servers = ["1.1.1.1"] + cores = 2 + memory = 2048 + disk_size = 20 } ] diff --git a/kubernetes/README.md b/kubernetes/README.md index 119df9d..a4757a0 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -960,6 +960,12 @@ This stack includes Prometheus Node Exporter, kube-state-metrics, Alertmanager, and Grafana. It provides a comprehensive set of default Grafana dashboards for tracking key system metrics such as CPU, memory, I/O, and network usage. +The dashbaords are loaded as kubernetes configMaps. To create a persistant +custom dashboard, one can create a configmap within the monitoring namespace +following the example of existing dashboards. One way to generate dashboard, +is to create the dashboard from the Grafana UI and then export the JSON file +and embed it to the configmap. + ```bash helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update diff --git a/kubernetes/kube-prometheus-stack/values.yaml b/kubernetes/kube-prometheus-stack/values.yaml index c406c98..b4d272e 100644 --- a/kubernetes/kube-prometheus-stack/values.yaml +++ b/kubernetes/kube-prometheus-stack/values.yaml 
@@ -1257,11 +1257,12 @@ grafana: operator: ## Enable references to ConfigMaps containing dashboards in GrafanaDashboard CRs ## Set to true to allow dashboards to be loaded from ConfigMap references - dashboardsConfigMapRefEnabled: false + dashboardsConfigMapRefEnabled: true ## Annotations for GrafanaDashboard Cr ## - annotations: {} + annotations: + catagory: dashboard ## Labels that should be matched kind: Grafana instance ## Example: { app: grafana, category: dashboard } ## diff --git a/kubernetes/my-portfolio/portfolioManifest.yaml b/kubernetes/my-portfolio/portfolioManifest.yaml index cabada6..be9c5a0 100644 --- a/kubernetes/my-portfolio/portfolioManifest.yaml +++ b/kubernetes/my-portfolio/portfolioManifest.yaml @@ -19,7 +19,7 @@ spec: - name: docker-registry-credentials containers: - name: portfolio-app - image: "${DOCKER_REGISTRY_HOST}/taqi/portfolio/my-portfolio-app:latest" + image: "${DOCKER_REGISTRY_HOST}/taqi/portfolio:latest" imagePullPolicy: Always ports: - containerPort: 80 diff --git a/kubernetes/woodpecker-ci/values.yaml b/kubernetes/woodpecker-ci/values.yaml index e6e4f68..227a9b6 100644 --- a/kubernetes/woodpecker-ci/values.yaml +++ b/kubernetes/woodpecker-ci/values.yaml @@ -190,6 +190,7 @@ server: WOODPECKER_ADMIN: "taqi" WOODPECKER_HOST: "woodpecker-server.woodpecker.svc.cluster.local:9000" WOODPECKER_GITEA: "true" + WOODPECKER_PLUGINS_PRIVILEGED: woodpeckerci/plugin-docker-buildx # -- Add extra environment variables from the secrets list extraSecretNamesForEnvFrom:
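Review bot: The added annotation key `catagory: dashboard` is misspelled; the example in the comment two lines below uses `category: dashboard`, and any operator selector keyed on `category` will not match this value. Change the line to `category: dashboard`. Whether the grafana-operator's dashboard matching is by annotation or by label cannot be confirmed from this hunk alone, so verify against the operator's selector configuration.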
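Review bot: `WOODPECKER_PLUGINS_PRIVILEGED: woodpeckerci/plugin-docker-buildx` grants privileged container execution to an image reference without a tag or digest, so whichever version of that image a pipeline requests runs with host-level privileges on the agent node. Pin the reference to a known version and quote it like the neighbouring values, e.g. `WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx:<pinned-tag>"` (placeholder tag); whether an untagged entry matches every tag depends on the Woodpecker server version, so confirm against the release's documentation before relying on it.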