- Jinja 48.1%
- HCL 26%
- TypeScript 12.2%
- Go Template 7.5%
- Dockerfile 4.3%
- Other 1.9%
|
|
||
|---|---|---|
| .ansible | ||
| .claude | ||
| .forgejo/workflows | ||
| .github/workflows | ||
| .spacelift | ||
| charts | ||
| gitops | ||
| group_vars/oracle_hosts | ||
| ingress | ||
| roles | ||
| terraform | ||
| .gitignore | ||
| .vault_password.template | ||
| .whitesource | ||
| AGENTS.md | ||
| ansible.cfg | ||
| CLAUDE.md | ||
| CNCF_Projects.md | ||
| deploy.sh | ||
| features.md | ||
| inventory.ini.example | ||
| rationale.md | ||
| README.md | ||
| renovate.json | ||
| requirements.yml | ||
| site.yml | ||
| ToDeploy.md | ||
| VAULT_SETUP.md | ||
CloudLab Host Management
This project combines Terraform, Ansible and GitOps to manage a single Oracle host with comprehensive configuration including packages, cron jobs, and Kubernetes (and its apps therein).
This repos is available on GitHub and on my own Forgejo instance
Structure
.
├── ansible.cfg # Ansible configuration
├── inventory.ini # Host inventory
├── site.yml # Main playbook
├── group_vars/ # Group variables
│ └── oracle_hosts.yml
└── roles/ # Ansible roles
├── common/ # Basic system setup
├── packages/ # Package management
├── cron/ # Cron job management
├── docker/ # Docker installation
├── tailscale/ # Tailscale VPN
├── borg/ # Borg Backup 2.0
├── datadog/ # Datadog monitoring
└── kubernetes/ # Kubernetes installation
Usage
Provision the VM (Terraform)
A ready-to-use Terraform configuration lives in terraform/ and creates the VCN,
subnet, security list, and a single compute instance. Copy
terraform/terraform.tfvars.example to terraform/terraform.tfvars, fill in your
OCI OCIDs and image information, then run:
cd terraform
terraform init
terraform apply
The Terraform outputs show the instance IP addresses that you can paste into
inventory.ini before running Ansible.
Test connection
ansible oracle_hosts -m ping
Run full configuration
ansible-playbook site.yml
Run specific roles
# Only install packages
ansible-playbook site.yml --tags packages
# Only configure cron jobs
ansible-playbook site.yml --tags cron
# Install Kubernetes (uncomment in site.yml first)
ansible-playbook site.yml --tags kubernetes
Check what would change
ansible-playbook site.yml --check --diff
Configuration
Edit group_vars/oracle_hosts.yml to customize:
- Package lists
- Timezone and locale
- Kubernetes settings
- Cron jobs (add
cron_jobsvariable)
Example configurations:
Cron jobs:
cron_jobs:
- name: "System backup"
minute: "0"
hour: "2"
job: "/usr/local/bin/backup.sh"
- name: "Log cleanup"
minute: "0"
hour: "1"
weekday: "0"
job: "find /var/log -name '*.log' -mtime +30 -delete"
Borg Backup:
borg_repository: "ssh://backup-user@backup-server.com/~/backups/{{ inventory_hostname }}"
borg_ssh_user: "backup-user"
borg_ssh_host: "backup-server.com"
borg_passphrase: "your-secure-passphrase" # Use ansible-vault
Tailscale:
tailscale_auth_key: "tskey-auth-xxxxxxxxxxxx" # Use ansible-vault
tailscale_hostname: "oracle-{{ inventory_hostname }}"
tailscale_accept_routes: true
Datadog:
datadog_api_key: "your-datadog-api-key" # Use ansible-vault
datadog_tags:
- "env:production"
- "role:oracle-host"
datadog_logs_enabled: true
datadog_process_agent_enabled: true
Kubernetes Secrets Managed by Ansible
The flux role creates the following Kubernetes secrets from Ansible Vault variables during deployment. These secrets are not managed by Flux/Helm and must exist before their respective HelmReleases can deploy.
| Namespace | Secret Name | Vault Variables | Used By |
|---|---|---|---|
datadog |
datadog-api-key |
vault_datadog_api_key |
Datadog agent |
keycloak |
keycloak-bootstrap-admin |
vault_keycloak_admin_password |
Keycloak |
keycloak |
keycloak-smtp |
vault_forgejo_smtp_password |
Keycloak SMTP |
forgejo |
forgejo-smtp |
vault_forgejo_smtp_password |
Forgejo SMTP |
omni |
omni-oidc |
vault_omni_oidc_client_secret |
Omni OIDC |
omni |
omni-etcd-encryption-key |
vault_omni_etcd_encryption_key |
Omni etcd |
flux-system |
tailscale-oauth |
vault_tailscale_operator_oauth_client_id/secret |
Tailscale operator |
openclaw |
openclaw-env-secret |
vault_openclaw_anthropic_api_key, vault_openclaw_gateway_token |
OpenClaw |
alarik |
alarik-credentials |
vault_alarik_admin_*, vault_alarik_jwt_key, vault_alarik_default_* |
Alarik |
rustfs |
rustfs-auth |
vault_rustfs_access_key, vault_rustfs_secret_key |
RustFS console auth |
To add or update vault secrets:
# Edit the encrypted vault file
ansible-vault edit group_vars/oracle_hosts/vault.yml
# Then re-run the flux role to apply
ansible-playbook site.yml --tags flux