Latest commit: ebd3444fad "dashy" by Alessandro Vozza, 2026-06-25 14:39:59 +02:00

CloudLab Host Management

This project combines Terraform, Ansible and GitOps to manage a single Oracle host end to end: packages, cron jobs, and Kubernetes together with the applications that run on it.

This repository is available on GitHub and on my own Forgejo instance.

Structure

.
├── ansible.cfg           # Ansible configuration
├── inventory.ini         # Host inventory
├── site.yml              # Main playbook
├── group_vars/           # Group variables
│   └── oracle_hosts.yml
└── roles/                # Ansible roles
    ├── common/           # Basic system setup
    ├── packages/         # Package management
    ├── cron/             # Cron job management
    ├── docker/           # Docker installation
    ├── tailscale/        # Tailscale VPN
    ├── borg/             # Borg Backup 2.0
    ├── datadog/          # Datadog monitoring
    └── kubernetes/       # Kubernetes installation

Usage

Provision the VM (Terraform)

A ready-to-use Terraform configuration lives in terraform/ and creates the VCN, subnet, security list, and a single compute instance. Copy terraform/terraform.tfvars.example to terraform/terraform.tfvars, fill in your OCI OCIDs and image details, then run:

cd terraform
terraform init
terraform apply

The Terraform outputs show the instance IP addresses that you can paste into inventory.ini before running Ansible.

Test connection

ansible oracle_hosts -m ping

Run full configuration

ansible-playbook site.yml

Run specific roles

# Only install packages
ansible-playbook site.yml --tags packages

# Only configure cron jobs
ansible-playbook site.yml --tags cron

# Install Kubernetes (uncomment in site.yml first)
ansible-playbook site.yml --tags kubernetes

Check what would change

ansible-playbook site.yml --check --diff

Configuration

Edit group_vars/oracle_hosts.yml to customize:

  • Package lists
  • Timezone and locale
  • Kubernetes settings
  • Cron jobs (add cron_jobs variable)

Example configurations:

Cron jobs:

cron_jobs:
  - name: "System backup"
    minute: "0"
    hour: "2"
    job: "/usr/local/bin/backup.sh"
  - name: "Log cleanup"
    minute: "0"
    hour: "1"
    weekday: "0"
    job: "find /var/log -name '*.log' -mtime +30 -delete"

Borg Backup:

borg_repository: "ssh://backup-user@backup-server.com/~/backups/{{ inventory_hostname }}"
borg_ssh_user: "backup-user"
borg_ssh_host: "backup-server.com"
borg_passphrase: "your-secure-passphrase"  # Use ansible-vault

Tailscale:

tailscale_auth_key: "tskey-auth-xxxxxxxxxxxx"  # Use ansible-vault
tailscale_hostname: "oracle-{{ inventory_hostname }}"
tailscale_accept_routes: true

Datadog:

datadog_api_key: "your-datadog-api-key"  # Use ansible-vault
datadog_tags:
  - "env:production"
  - "role:oracle-host"
datadog_logs_enabled: true
datadog_process_agent_enabled: true

Kubernetes Secrets Managed by Ansible

The flux role creates the following Kubernetes secrets from Ansible Vault variables during deployment. These secrets are not managed by Flux or Helm and must already exist before their respective HelmReleases can deploy.

Namespace    Secret Name                Vault Variables                                                      Used By
datadog      datadog-api-key            vault_datadog_api_key                                                Datadog agent
keycloak     keycloak-bootstrap-admin   vault_keycloak_admin_password                                        Keycloak
keycloak     keycloak-smtp              vault_forgejo_smtp_password                                          Keycloak SMTP
forgejo      forgejo-smtp               vault_forgejo_smtp_password                                          Forgejo SMTP
omni         omni-oidc                  vault_omni_oidc_client_secret                                        Omni OIDC
omni         omni-etcd-encryption-key   vault_omni_etcd_encryption_key                                       Omni etcd
flux-system  tailscale-oauth            vault_tailscale_operator_oauth_client_id/secret                      Tailscale operator
openclaw     openclaw-env-secret        vault_openclaw_anthropic_api_key, vault_openclaw_gateway_token       OpenClaw
alarik       alarik-credentials         vault_alarik_admin_*, vault_alarik_jwt_key, vault_alarik_default_*   Alarik
rustfs       rustfs-auth                vault_rustfs_access_key, vault_rustfs_secret_key                     RustFS console auth

To add or update vault secrets:

# Edit the encrypted vault file
ansible-vault edit group_vars/oracle_hosts/vault.yml

# Then re-run the flux role to apply
ansible-playbook site.yml --tags flux
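The secret-creation step described above, written out as an added example (not the project's own flux role): an Ansible task file that stops the play if a required vault variable is unset, then creates three of the Secrets from the table idempotently with the values kept out of the logs. It assumes the kubernetes.core collection, a kubeconfig_path variable, and vault_* values loaded from group_vars/oracle_hosts/vault.yml; the key names and label inside each Secret are assumptions.

```yaml
# Added example, not the project's flux role. Assumes the kubernetes.core collection,
# a kubeconfig_path variable and vault_* values from group_vars/oracle_hosts/vault.yml;
# the key names and the managed-by label inside each Secret are assumptions.
- name: Fail early if a required vault variable is missing or empty
  ansible.builtin.assert:
    that: vars[item] is defined and vars[item] | length > 0
    fail_msg: "{{ item }} is unset; run: ansible-vault edit group_vars/oracle_hosts/vault.yml"
    quiet: true
  loop:
    - vault_datadog_api_key
    - vault_keycloak_admin_password
    - vault_rustfs_access_key
    - vault_rustfs_secret_key

- name: Ensure the target namespaces exist before the Secrets are created
  kubernetes.core.k8s:
    kubeconfig: "{{ kubeconfig_path }}"
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: "{{ item }}"
  loop: [datadog, keycloak, rustfs]

- name: Create or update the Secrets (idempotent; not owned by Flux or Helm)
  kubernetes.core.k8s:
    kubeconfig: "{{ kubeconfig_path }}"
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: "{{ item.name }}"
        namespace: "{{ item.namespace }}"
        labels:
          app.kubernetes.io/managed-by: ansible
      stringData: "{{ item.data }}"   # plain strings; the API server base64-encodes them
  loop:
    - namespace: datadog
      name: datadog-api-key
      data: { api-key: "{{ vault_datadog_api_key }}" }
    - namespace: keycloak
      name: keycloak-bootstrap-admin
      data: { password: "{{ vault_keycloak_admin_password }}" }
    - namespace: rustfs
      name: rustfs-auth
      data: { access-key: "{{ vault_rustfs_access_key }}", secret-key: "{{ vault_rustfs_secret_key }}" }
  no_log: true   # keeps the secret values out of playbook output and CI logs
```

Because the assert runs first, a missing vault entry fails the play before anything reaches the cluster, and the no_log flag means a verbose or failing run never prints the values.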