update infra and portfolio deployment

infra/ansible/inventory/group_vars/wireguard.yaml

@@ -0,0 +1,18 @@
+apt_packages:
+  - curl
+  - vim
+  - htop
+  - wireguard
+
+wireguard_path: "/etc/wireguard"
+wireguard_interface: "wg0"
+wireguard_private_key_file: "{{ wireguard_path }}/server_private.key"
+wireguard_public_key_file: "{{ wireguard_path }}/server_public.key"
+wg_port: 51820
+wg_address: "10.0.0.1/24"
+wg_dns: "1.1.1.1"
+wg_peers:
+  - public_key: "LburMRtqT5LK0K1xzGGh4VkNVgWZQRm96dsxf6twbkw="
+    allowed_ips: "0.0.0.0/0"
+    endpoint: "tahmidcloud.com:51820"
+    persistent_keepalive: 25

infra/ansible/inventory/hosts.yaml

@@ -2,6 +2,7 @@ all:
   children:
     hypervisors:
     vms:
+    wireguard:
 
 hypervisors:
   children:
@@ -56,3 +57,10 @@ vm_group_2:
       ansible_host: 192.168.1.162
       ansible_user: "{{ ansible_vm_user }}"
       ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file }}"
+
+wireguard:
+  hosts:
+    vm10:
+      ansible_host: 192.168.1.174
+      ansible_user: "{{ ansible_vm_user }}"
+      ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file }}"

infra/ansible/playbooks/configure-wireguard.yaml

@@ -0,0 +1,6 @@
+- name: Configure WireGuard
+  hosts: wireguard
+  vars_files:
+    - ../secrets/vault.yaml # Load the encrypted vault file
+  roles:
+    - configure-wireguard

infra/ansible/roles/configure-wireguard/tasks/main.yaml

@@ -0,0 +1,92 @@
+---
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: yes
+  become: true
+
+- name: Install necessary packages
+  ansible.builtin.apt:
+    name: "{{ apt_packages }}"
+    state: present
+  become: true
+
+- name: Ensure WireGuard directory exists
+  ansible.builtin.file:
+    path: "{{ wireguard_path }}"
+    state: directory
+    mode: "0700"
+    owner: root
+    group: root
+  become: true
+
+- name: Generate WireGuard server private key
+  ansible.builtin.command:
+    cmd: wg genkey
+  register: wg_private_key
+  become: true
+
+- name: Save WireGuard server private key
+  ansible.builtin.copy:
+    content: "{{ wg_private_key.stdout | trim }}"
+    dest: "{{ wireguard_private_key_file }}"
+    mode: "0600"
+    owner: root
+    group: root
+  become: true
+
+- name: Read WireGuard private key from file
+  ansible.builtin.slurp:
+    src: "{{ wireguard_private_key_file }}"
+  register: wg_private_key_file_content
+  become: true
+
+- name: Decode WireGuard private key
+  ansible.builtin.set_fact:
+    wg_private_key_content: "{{ wg_private_key_file_content.content | b64decode | trim }}"
+
+- name: Generate WireGuard server public key (if not exists)
+  ansible.builtin.stat:
+    path: "{{ wireguard_public_key_file }}"
+  register: public_key_stat
+  become: true
+
+- name: Generate WireGuard server public key
+  ansible.builtin.shell:
+    cmd: "wg pubkey < {{ wireguard_private_key_file }}"
+  register: wg_public_key
+  become: true
+
+- name: Save WireGuard server public key
+  ansible.builtin.copy:
+    content: "{{ wg_public_key.stdout | trim }}"
+    dest: "{{ wireguard_public_key_file }}"
+    mode: "0644"
+    owner: root
+    group: root
+  become: true
+
+- name: Read WireGuard public key from file
+  ansible.builtin.slurp:
+    src: "{{ wireguard_public_key_file }}"
+  register: wg_public_key_file_content
+  become: true
+
+- name: Decode WireGuard public key
+  ansible.builtin.set_fact:
+    wg_public_key_content: "{{ wg_public_key_file_content.content | trim }}"
+
+- name: Create WireGuard configuration file
+  ansible.builtin.template:
+    src: "wg0.conf.j2"
+    dest: "{{ wireguard_path }}/wg0.conf"
+    owner: root
+    group: root
+    mode: "0600"
+  become: true
+
+- name: Enable and start WireGuard service
+  ansible.builtin.service:
+    name: "wg-quick@{{ wireguard_interface }}"
+    state: started
+    enabled: yes
+  become: true

infra/ansible/roles/configure-wireguard/templates/wg0.conf.j2

@@ -0,0 +1,25 @@
+[Interface]
+Address = {{ wg_address }}
+ListenPort = {{ wg_port }}
+PrivateKey = {{ wg_private_key_content }}
+{% if wg_dns is defined %}
+DNS = {{ wg_dns }}
+{% endif %}
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+SaveConfig = true
+
+{% for peer in wg_peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+{% if peer.preshared_key is defined %}
+PresharedKey = {{ peer.preshared_key }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
+{% endfor %}

infra/terraform/proxmox/terraform.tfvars

@@ -9,7 +9,7 @@ vms = [
     vm_id       = 105
     ip_address  = "192.168.1.151/24"
     gateway     = "192.168.1.1"
-    dns_servers = ["192.168.1.145", "1.1.1.1"]
+    dns_servers = ["1.1.1.1"]
     cores       = 2
     memory      = 4096
     disk_size   = 20
@@ -20,7 +20,7 @@ vms = [
     vm_id       = 205
     ip_address  = "192.168.1.161/24"
     gateway     = "192.168.1.1"
-    dns_servers = ["192.168.1.145", "1.1.1.1"]
+    dns_servers = ["1.1.1.1"]
     cores       = 2
     memory      = 4096
     disk_size   = 20
@@ -31,7 +31,7 @@ vms = [
     vm_id       = 301
     ip_address  = "192.168.1.172/24"
     gateway     = "192.168.1.1"
-    dns_servers = ["192.168.1.145", "1.1.1.1"]
+    dns_servers = ["1.1.1.1"]
     cores       = 2
     memory      = 4096
     disk_size   = 50
@@ -42,10 +42,21 @@ vms = [
     vm_id       = 302
     ip_address  = "192.168.1.173/24"
     gateway     = "192.168.1.1"
-    dns_servers = ["192.168.1.145", "1.1.1.1"]
+    dns_servers = ["1.1.1.1"]
     cores       = 2
     memory      = 4096
     disk_size   = 50
+  },
+  {
+    name        = "vm10"
+    node_name   = "homeserver3"
+    vm_id       = 303
+    ip_address  = "192.168.1.174/24"
+    gateway     = "192.168.1.1"
+    dns_servers = ["1.1.1.1"]
+    cores       = 2
+    memory      = 2048
+    disk_size   = 20
   }
 ]
 

kubernetes/README.md

@@ -960,6 +960,12 @@ This stack includes Prometheus Node Exporter, kube-state-metrics, Alertmanager,
 and Grafana. It provides a comprehensive set of default Grafana dashboards for
 tracking key system metrics such as CPU, memory, I/O, and network usage.
 
+The dashbaords are loaded as kubernetes configMaps. To create a persistant
+custom dashboard, one can create a configmap within the monitoring namespace
+following the example of existing dashboards. One way to generate dashboard,
+is to create the dashboard from the Grafana UI and then export the JSON file
+and embed it to the configmap.
+
 ```bash
 helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
 helm repo update

kubernetes/kube-prometheus-stack/values.yaml

@@ -1257,11 +1257,12 @@ grafana:
   operator:
     ## Enable references to ConfigMaps containing dashboards in GrafanaDashboard CRs
     ## Set to true to allow dashboards to be loaded from ConfigMap references
-    dashboardsConfigMapRefEnabled: false
+    dashboardsConfigMapRefEnabled: true
 
     ## Annotations for GrafanaDashboard Cr
     ##
-    annotations: {}
+    annotations:
+      catagory: dashboard
     ## Labels that should be matched kind: Grafana instance
     ## Example: { app: grafana, category: dashboard }
     ##

kubernetes/my-portfolio/portfolioManifest.yaml

@@ -19,7 +19,7 @@ spec:
         - name: docker-registry-credentials
       containers:
         - name: portfolio-app
-          image: "${DOCKER_REGISTRY_HOST}/taqi/portfolio/my-portfolio-app:latest"
+          image: "${DOCKER_REGISTRY_HOST}/taqi/portfolio:latest"
           imagePullPolicy: Always
           ports:
             - containerPort: 80

kubernetes/woodpecker-ci/values.yaml

@@ -190,6 +190,7 @@ server:
     WOODPECKER_ADMIN: "taqi"
     WOODPECKER_HOST: "woodpecker-server.woodpecker.svc.cluster.local:9000"
     WOODPECKER_GITEA: "true"
+    WOODPECKER_PLUGINS_PRIVILEGED: woodpeckerci/plugin-docker-buildx
 
   # -- Add extra environment variables from the secrets list
   extraSecretNamesForEnvFrom: