From 15d0e120d37d821edb244278df767fb006700daf Mon Sep 17 00:00:00 2001 From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com> Date: Thu, 14 May 2026 00:39:29 -0400 Subject: [PATCH] Update Ansible configuration and documentation to reflect new inventory structure. Migrate group_vars to inventory/group_vars/ and enhance README with updated paths for variable files, improving clarity for users. --- ansible/README.md | 10 +++++----- ansible/ansible.cfg | 2 ++ ansible/{ => inventory}/group_vars/all.yml | 2 +- ansible/{ => inventory}/group_vars/debian_servers.yml | 0 ansible/{ => inventory}/group_vars/proxmox_hosts.yml | 0 ansible/roles/noble_authentik/README.md | 2 +- ansible/roles/noble_cert_manager/defaults/main.yml | 2 +- ansible/roles/noble_post_deploy/tasks/main.yml | 2 +- ansible/roles/noble_velero/defaults/main.yml | 2 +- clusters/noble/bootstrap/argocd/README.md | 2 +- clusters/noble/bootstrap/authentik/values.yaml | 9 +++++---- clusters/noble/bootstrap/velero/README.md | 4 ++-- clusters/noble/secrets/README.md | 2 +- 13 files changed, 21 insertions(+), 18 deletions(-) rename ansible/{ => inventory}/group_vars/all.yml (98%) rename ansible/{ => inventory}/group_vars/debian_servers.yml (100%) rename ansible/{ => inventory}/group_vars/proxmox_hosts.yml (100%) diff --git a/ansible/README.md b/ansible/README.md index c0a19b6..49bf470 100644 --- a/ansible/README.md +++ b/ansible/README.md 
@@ -8,7 +8,7 @@ Automates [`talos/CLUSTER-BUILD.md`](../talos/CLUSTER-BUILD.md): optional **Talo 2. **Talos Phase A (automated):** run [`playbooks/talos_phase_a.yml`](playbooks/talos_phase_a.yml) **or** the full pipeline [`playbooks/deploy.yml`](playbooks/deploy.yml). This runs **`talhelper genconfig -o out`**, **`talosctl apply-config`** on each node, **`talosctl bootstrap`**, and **`talosctl kubeconfig`** → **`talos/kubeconfig`**. 3. **Platform stack:** [`playbooks/noble.yml`](playbooks/noble.yml) (included at the end of **`deploy.yml`**). -Your workstation must be able to reach **node IPs on the lab LAN** (Talos API **:50000** for `talosctl`, Kubernetes **:6443** for `kubectl` / Helm). If `kubectl` cannot reach the VIP (`192.168.50.230`), use `-e 'noble_k8s_api_server_override=https://:6443'` on **`noble.yml`** (see `group_vars/all.yml`). +Your workstation must be able to reach **node IPs on the lab LAN** (Talos API **:50000** for `talosctl`, Kubernetes **:6443** for `kubectl` / Helm). If `kubectl` cannot reach the VIP (`192.168.50.230`), use `-e 'noble_k8s_api_server_override=https://:6443'` on **`noble.yml`** (see `inventory/group_vars/all.yml`). **One-shot full deploy** (after nodes are booted and reachable): 
@@ -79,9 +79,9 @@ ansible-playbook playbooks/noble.yml --tags velero -e noble_velero_install=true ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install=true ``` -### Variables — `group_vars/all.yml` and role defaults +### Variables — `inventory/group_vars/` and role defaults -- **`group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_root_application`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`** +- **`inventory/group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_root_application`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`** - **`roles/noble_platform/defaults/main.yml`:** **`noble_apply_sops_secrets`**, **`noble_sops_age_key_file`** (SOPS secrets under **`clusters/noble/secrets/`**) ## Roles @@ -106,7 +106,7 @@ ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install These playbooks are separate from the Talos/noble flow and target hosts in `debian_servers`. 1. Copy `inventory/debian.example.yml` to `inventory/debian.yml` and update hosts/users. -2. Update `group_vars/debian_servers.yml` with your allowed SSH users and real public keys. +2. Update `inventory/group_vars/debian_servers.yml` with your allowed SSH users and real public keys. 3. Run with the Debian inventory: ```bash 
@@ -128,7 +128,7 @@ ansible-playbook -i inventory/debian.yml playbooks/debian_ops.yml These playbooks are separate from the Talos/noble flow and target hosts in `proxmox_hosts`. 1. Copy `inventory/proxmox.example.yml` to `inventory/proxmox.yml` and update hosts/users. -2. Update `group_vars/proxmox_hosts.yml` with your cluster name (`proxmox_cluster_name`), chosen cluster master, and root public key file paths to install. +2. Update `inventory/group_vars/proxmox_hosts.yml` with your cluster name (`proxmox_cluster_name`), chosen cluster master, and root public key file paths to install. 3. First run (no SSH keys yet): use `--ask-pass` **or** set `ansible_password` (prefer Ansible Vault). Keep `ansible_ssh_common_args: "-o StrictHostKeyChecking=accept-new"` in inventory for first-contact hosts. 4. Run prepare first to install your public keys on each host, then continue: diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 8bb8e4f..185835b 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,4 +1,6 @@ [defaults] +# Inventory lives under **inventory/** — place **group_vars/** next to the inventory file +# (e.g. **inventory/group_vars/all.yml**) so variables apply to playbooks under **playbooks/**. inventory = inventory/localhost.yml roles_path = roles retry_files_enabled = False diff --git a/ansible/group_vars/all.yml b/ansible/inventory/group_vars/all.yml similarity index 98% rename from ansible/group_vars/all.yml rename to ansible/inventory/group_vars/all.yml index afbacc6..fce9e83 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -28,4 +28,4 @@ noble_argocd_apply_root_application: true noble_argocd_apply_bootstrap_root_application: true # Authentik (OIDC IdP) + oauth2-proxy ForwardAuth — set **true** after **.env** has NOBLE_AUTHENTIK_* (see ansible/roles/noble_authentik/README.md). -noble_authentik_install: false +noble_authentik_install: true 
diff --git a/ansible/group_vars/debian_servers.yml b/ansible/inventory/group_vars/debian_servers.yml similarity index 100% rename from ansible/group_vars/debian_servers.yml rename to ansible/inventory/group_vars/debian_servers.yml diff --git a/ansible/group_vars/proxmox_hosts.yml b/ansible/inventory/group_vars/proxmox_hosts.yml similarity index 100% rename from ansible/group_vars/proxmox_hosts.yml rename to ansible/inventory/group_vars/proxmox_hosts.yml diff --git a/ansible/roles/noble_authentik/README.md b/ansible/roles/noble_authentik/README.md index 064a9f9..64e5b4b 100644 --- a/ansible/roles/noble_authentik/README.md +++ b/ansible/roles/noble_authentik/README.md @@ -5,7 +5,7 @@ Installs **Authentik** (Helm `goauthentik/authentik`) as the cluster IdP, **oaut ## Enable 1. Copy repository **`.env.sample`** to **`.env`** and set every **`NOBLE_AUTHENTIK_*`** variable (see comments there). -2. Set **`noble_authentik_install: true`** in **`ansible/group_vars/all.yml`** (or pass **`-e noble_authentik_install=true`**). +2. Set **`noble_authentik_install: true`** in **`ansible/inventory/group_vars/all.yml`** (or pass **`-e noble_authentik_install=true`**). 3. Run **`ansible-playbook playbooks/noble.yml --tags authentik`** (or a full **`noble.yml`**) from **`ansible/`** with a working **`KUBECONFIG`**. `noble_authentik` runs **after** **`noble_platform`** so Grafana / Headlamp / Prometheus exist before SSO Helm upgrades. diff --git a/ansible/roles/noble_cert_manager/defaults/main.yml b/ansible/roles/noble_cert_manager/defaults/main.yml index 2ac6532..92c8941 100644 --- a/ansible/roles/noble_cert_manager/defaults/main.yml +++ b/ansible/roles/noble_cert_manager/defaults/main.yml 
@@ -1,5 +1,5 @@ --- -# Warn when **cloudflare-dns-api-token** is missing after apply (also set in **group_vars/all.yml** when loaded). +# Warn when **cloudflare-dns-api-token** is missing after apply (also set in **inventory/group_vars/all.yml** when loaded). noble_cert_manager_require_cloudflare_secret: true # Helm --wait default (~5m) can expire while startupapicheck waits on webhooks / API (busy or slow pulls). diff --git a/ansible/roles/noble_post_deploy/tasks/main.yml b/ansible/roles/noble_post_deploy/tasks/main.yml index dd547bd..910950d 100644 --- a/ansible/roles/noble_post_deploy/tasks/main.yml +++ b/ansible/roles/noble_post_deploy/tasks/main.yml @@ -11,6 +11,6 @@ msg: >- App-of-apps: after **noble_platform**, noble.yml runs **noble_argocd** `applications_post_platform.yml`: root-application.yaml when noble_argocd_apply_root_application is true; bootstrap-root + **kubectl apply -k - argocd/app-of-apps** when noble_argocd_apply_bootstrap_root_application is true (group_vars/all.yml). + argocd/app-of-apps** when noble_argocd_apply_bootstrap_root_application is true (inventory/group_vars/all.yml). noble-bootstrap-root uses manual sync until you enable automation after the playbook — clusters/noble/bootstrap/argocd/README.md §5. See clusters/noble/apps/README.md and that README. diff --git a/ansible/roles/noble_velero/defaults/main.yml b/ansible/roles/noble_velero/defaults/main.yml index 2768040..3b12d97 100644 --- a/ansible/roles/noble_velero/defaults/main.yml +++ b/ansible/roles/noble_velero/defaults/main.yml @@ -1,5 +1,5 @@ --- -# **noble_velero_install** is in **ansible/group_vars/all.yml**. Override S3 fields via extra-vars or group_vars. +# **noble_velero_install** is in **ansible/inventory/group_vars/all.yml**. Override S3 fields via extra-vars or group_vars. noble_velero_chart_version: "12.0.0" noble_velero_s3_bucket: "" diff --git a/clusters/noble/bootstrap/argocd/README.md b/clusters/noble/bootstrap/argocd/README.md index e7cdac5..618c5d4 100644 
--- a/clusters/noble/bootstrap/argocd/README.md +++ b/clusters/noble/bootstrap/argocd/README.md @@ -58,7 +58,7 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o 2. Optional add-on apps: add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**). 3. **Bootstrap kustomize** (namespaces, datasource, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`** (no **`argocd/app-of-apps/`** in that kustomization). Leaf **`Application`** manifests live under **`argocd/app-of-apps/`**; Ansible applies that directory **after** **`noble_platform`** Helm so Argo does not SSA charts first. The root app uses **manual** sync; each leaf app is **manual** until you enable automation (see **§5**). - **`ansible/playbooks/noble.yml`** (roles **`noble_argocd`** Helm, then **`noble_platform`** — which **include_role**s **`noble_argocd/applications_post_platform`** after Helm) when **`noble_argocd_apply_*`** flags are set in **`ansible/group_vars/all.yml`**. + **`ansible/playbooks/noble.yml`** (roles **`noble_argocd`** Helm, then **`noble_platform`** — which **include_role**s **`noble_argocd/applications_post_platform`** after Helm) when **`noble_argocd_apply_*`** flags are set in **`ansible/inventory/group_vars/all.yml`**. ```bash kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml diff --git a/clusters/noble/bootstrap/authentik/values.yaml b/clusters/noble/bootstrap/authentik/values.yaml index 8ac813a..5926f2b 100644 --- a/clusters/noble/bootstrap/authentik/values.yaml +++ b/clusters/noble/bootstrap/authentik/values.yaml 
@@ -37,11 +37,12 @@ server: ingressClassName: traefik annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + # Chart expects **strings** (FQDNs only); paths come from **server.ingress.paths** / **pathType**. hosts: - - host: auth.apps.noble.lab.pcenicni.dev - paths: - - path: / - pathType: Prefix + - auth.apps.noble.lab.pcenicni.dev + paths: + - / + pathType: Prefix tls: - secretName: authentik-apps-noble-tls hosts: diff --git a/clusters/noble/bootstrap/velero/README.md b/clusters/noble/bootstrap/velero/README.md index c7a82e0..2ec5559 100644 --- a/clusters/noble/bootstrap/velero/README.md +++ b/clusters/noble/bootstrap/velero/README.md @@ -45,7 +45,7 @@ Or let **Ansible** create it from **`.env`** (`NOBLE_VELERO_AWS_ACCESS_KEY_ID`, - **`NOBLE_VELERO_S3_URL`** — S3 API base URL (e.g. `https://minio.lan:9000` or your VersityGW/MinIO endpoint) - **`NOBLE_VELERO_AWS_ACCESS_KEY_ID`** / **`NOBLE_VELERO_AWS_SECRET_ACCESS_KEY`** — credentials the AWS plugin uses (S3-compatible access key style) -2. Enable the role: set **`noble_velero_install: true`** in **`ansible/group_vars/all.yml`**, **or** pass **`-e noble_velero_install=true`** on the command line. +2. Enable the role: set **`noble_velero_install: true`** in **`ansible/inventory/group_vars/all.yml`**, **or** pass **`-e noble_velero_install=true`** on the command line. 3. Run from **`ansible/`** (adjust **`KUBECONFIG`** to your cluster admin kubeconfig): 
@@ -73,7 +73,7 @@ ansible-playbook playbooks/noble.yml ## Install (Ansible) — details -1. Set **`noble_velero_install: true`** in **`ansible/group_vars/all.yml`** (or pass **`-e noble_velero_install=true`**). +1. Set **`noble_velero_install: true`** in **`ansible/inventory/group_vars/all.yml`** (or pass **`-e noble_velero_install=true`**). 2. Set **`noble_velero_s3_bucket`** and **`noble_velero_s3_url`** via **`.env`** (**`NOBLE_VELERO_S3_*`**) or **`group_vars`** or **`-e`**. Extra-vars override **`.env`**. Optional: **`noble_velero_s3_region`**, **`noble_velero_s3_prefix`**, **`noble_velero_s3_force_path_style`** (defaults match `values.yaml`). 3. Run **`ansible/playbooks/noble.yml`** (Velero runs after **`noble_platform`**). diff --git a/clusters/noble/secrets/README.md b/clusters/noble/secrets/README.md index 7bb4e89..d344f62 100644 --- a/clusters/noble/secrets/README.md +++ b/clusters/noble/secrets/README.md @@ -29,7 +29,7 @@ export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt sops -d clusters/noble/secrets/newt-pangolin-auth.secret.yaml | kubectl apply -f - ``` -**Ansible** (`noble.yml`) runs the same decrypt-and-apply step for every `*.yaml` in this directory when **`age-key.txt`** exists and **`noble_apply_sops_secrets`** is true (see `ansible/group_vars/all.yml`). +**Ansible** (`noble.yml`) runs the same decrypt-and-apply step for every `*.yaml` in this directory when **`age-key.txt`** exists and **`noble_apply_sops_secrets`** is true (see `ansible/inventory/group_vars/all.yml` via **`noble_platform`** defaults). ## Files
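Review bot: the `ansible/inventory/group_vars/all.yml` hunk flips `noble_authentik_install: false` to `true`, which is a behaviour change the commit message does not mention (it describes only the `group_vars` move and README path updates) and which is easy to miss inside a 98%-similarity rename. The comment directly above the line says to set it true only "after **.env** has NOBLE_AUTHENTIK_*", so with this default every `noble.yml` run on a fresh checkout will attempt the Authentik install before `.env` is populated. Keep the default at `false` (the README hunks already document `-e noble_authentik_install=true` for opting in), or split the flip into its own commit with a message explaining why the default changes.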
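Review bot: the `clusters/noble/bootstrap/authentik/values.yaml` hunk rewrites the `server.ingress` schema (hosts become bare strings, `paths` and `pathType` move up to siblings of `hosts`), which is unrelated to the inventory migration in the commit message and should be its own commit. Please confirm against the pinned `goauthentik/authentik` chart's `values.yaml` that `server.ingress.hosts` is a list of strings and that `server.ingress.paths` / `server.ingress.pathType` are the keys it reads, as the new comment asserts; a wrong shape here is only caught when Helm renders the Ingress. Also check that the `tls[].hosts` entry a few lines below still matches the host string exactly, since the TLS host list is not touched by this hunk.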
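Review bot: the `clusters/noble/secrets/README.md` hunk points readers to `ansible/inventory/group_vars/all.yml` for `noble_apply_sops_secrets`, but the `ansible/README.md` hunk in this same patch lists that variable (with `noble_sops_age_key_file`) under `roles/noble_platform/defaults/main.yml`, and the `all.yml` variable list there does not include it. The trailing "via **`noble_platform`** defaults" hints at this but leaves the primary reference wrong. Suggest: "(see `ansible/roles/noble_platform/defaults/main.yml`; override in `ansible/inventory/group_vars/all.yml` or with `-e`)".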
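Review bot: the `ansible/ansible.cfg` hunk adds a comment with Markdown bold markers (`**inventory/**`, `**group_vars/**`) inside an INI comment, where they are just noise; plain text reads better in this file. The substance of the comment is right: with `inventory = inventory/localhost.yml`, placing `group_vars/` next to the inventory file is where Ansible looks for it, and it also covers the `-i inventory/debian.yml` / `-i inventory/proxmox.yml` invocations shown in the README hunks, since those inventories share the same directory. Consider dropping the trailing clause "so variables apply to playbooks under playbooks/", as loading is tied to the inventory location, not the playbook directory, and stating it this way may mislead someone who later moves the playbooks.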