gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Ansible configuration and documentation to reflect new inventory structure. Migrate group_vars to inventory/group_vars/ and enhance README with updated paths for variable files, improving clarity for users.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 00:39:29 -04:00
parent 78b524a044
commit 15d0e120d3
13 changed files with 21 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ansible/README.md
View File

@@ -8,7 +8,7 @@ Automates [`talos/CLUSTER-BUILD.md`](../talos/CLUSTER-BUILD.md): optional **Talo
2. **Talos Phase A (automated):** run [`playbooks/talos_phase_a.yml`](playbooks/talos_phase_a.yml) **or** the full pipeline [`playbooks/deploy.yml`](playbooks/deploy.yml). This runs **`talhelper genconfig -o out`**, **`talosctl apply-config`** on each node, **`talosctl bootstrap`**, and **`talosctl kubeconfig`** → **`talos/kubeconfig`**.
3. **Platform stack:** [`playbooks/noble.yml`](playbooks/noble.yml) (included at the end of **`deploy.yml`**).
Your workstation must be able to reach **node IPs on the lab LAN** (Talos API **:50000** for `talosctl`, Kubernetes **:6443** for `kubectl` / Helm). If `kubectl` cannot reach the VIP (`192.168.50.230`), use `-e 'noble_k8s_api_server_override=https://<control-plane-ip>:6443'` on **`noble.yml`** (see `group_vars/all.yml`).
Your workstation must be able to reach **node IPs on the lab LAN** (Talos API **:50000** for `talosctl`, Kubernetes **:6443** for `kubectl` / Helm). If `kubectl` cannot reach the VIP (`192.168.50.230`), use `-e 'noble_k8s_api_server_override=https://<control-plane-ip>:6443'` on **`noble.yml`** (see `inventory/group_vars/all.yml`).
**One-shot full deploy** (after nodes are booted and reachable):
@@ -79,9 +79,9 @@ ansible-playbook playbooks/noble.yml --tags velero -e noble_velero_install=true
ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install=true
```
### Variables — `group_vars/all.yml` and role defaults
### Variables — `inventory/group_vars/` and role defaults
- **`group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_root_application`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**
- **`inventory/group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_root_application`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**
- **`roles/noble_platform/defaults/main.yml`:** **`noble_apply_sops_secrets`**, **`noble_sops_age_key_file`** (SOPS secrets under **`clusters/noble/secrets/`**)
## Roles
@@ -106,7 +106,7 @@ ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install
These playbooks are separate from the Talos/noble flow and target hosts in `debian_servers`.
1. Copy `inventory/debian.example.yml` to `inventory/debian.yml` and update hosts/users.
2. Update `group_vars/debian_servers.yml` with your allowed SSH users and real public keys.
2. Update `inventory/group_vars/debian_servers.yml` with your allowed SSH users and real public keys.
3. Run with the Debian inventory:
```bash
@@ -128,7 +128,7 @@ ansible-playbook -i inventory/debian.yml playbooks/debian_ops.yml
These playbooks are separate from the Talos/noble flow and target hosts in `proxmox_hosts`.
1. Copy `inventory/proxmox.example.yml` to `inventory/proxmox.yml` and update hosts/users.
2. Update `group_vars/proxmox_hosts.yml` with your cluster name (`proxmox_cluster_name`), chosen cluster master, and root public key file paths to install.
2. Update `inventory/group_vars/proxmox_hosts.yml` with your cluster name (`proxmox_cluster_name`), chosen cluster master, and root public key file paths to install.
3. First run (no SSH keys yet): use `--ask-pass` **or** set `ansible_password` (prefer Ansible Vault). Keep `ansible_ssh_common_args: "-o StrictHostKeyChecking=accept-new"` in inventory for first-contact hosts.
4. Run prepare first to install your public keys on each host, then continue:

2
ansible/ansible.cfg
View File

@@ -1,4 +1,6 @@
[defaults]
# Inventory lives under **inventory/** — place **group_vars/** next to the inventory file
# (e.g. **inventory/group_vars/all.yml**) so variables apply to playbooks under **playbooks/**.
inventory = inventory/localhost.yml
roles_path = roles
retry_files_enabled = False

2
ansible/group_vars/all.yml → ansible/inventory/group_vars/all.yml
View File

@@ -28,4 +28,4 @@ noble_argocd_apply_root_application: true
noble_argocd_apply_bootstrap_root_application: true
# Authentik (OIDC IdP) + oauth2-proxy ForwardAuth — set **true** after **.env** has NOBLE_AUTHENTIK_* (see ansible/roles/noble_authentik/README.md).
noble_authentik_install: false
noble_authentik_install: true

0
ansible/group_vars/debian_servers.yml → ansible/inventory/group_vars/debian_servers.yml
View File

0
ansible/group_vars/proxmox_hosts.yml → ansible/inventory/group_vars/proxmox_hosts.yml
View File

2
ansible/roles/noble_authentik/README.md
View File

@@ -5,7 +5,7 @@ Installs **Authentik** (Helm `goauthentik/authentik`) as the cluster IdP, **oaut
## Enable
1. Copy repository **`.env.sample`** to **`.env`** and set every **`NOBLE_AUTHENTIK_*`** variable (see comments there).
2. Set **`noble_authentik_install: true`** in **`ansible/group_vars/all.yml`** (or pass **`-e noble_authentik_install=true`**).
2. Set **`noble_authentik_install: true`** in **`ansible/inventory/group_vars/all.yml`** (or pass **`-e noble_authentik_install=true`**).
3. Run **`ansible-playbook playbooks/noble.yml --tags authentik`** (or a full **`noble.yml`**) from **`ansible/`** with a working **`KUBECONFIG`**.
`noble_authentik` runs **after** **`noble_platform`** so Grafana / Headlamp / Prometheus exist before SSO Helm upgrades.

2
ansible/roles/noble_cert_manager/defaults/main.yml
View File

@@ -1,5 +1,5 @@
---
# Warn when **cloudflare-dns-api-token** is missing after apply (also set in **group_vars/all.yml** when loaded).
# Warn when **cloudflare-dns-api-token** is missing after apply (also set in **inventory/group_vars/all.yml** when loaded).
noble_cert_manager_require_cloudflare_secret: true
# Helm --wait default (~5m) can expire while startupapicheck waits on webhooks / API (busy or slow pulls).

2
ansible/roles/noble_post_deploy/tasks/main.yml
View File

@@ -11,6 +11,6 @@
msg: >-
App-of-apps: after **noble_platform**, noble.yml runs **noble_argocd** `applications_post_platform.yml`:
root-application.yaml when noble_argocd_apply_root_application is true; bootstrap-root + **kubectl apply -k
argocd/app-of-apps** when noble_argocd_apply_bootstrap_root_application is true (group_vars/all.yml).
argocd/app-of-apps** when noble_argocd_apply_bootstrap_root_application is true (inventory/group_vars/all.yml).
noble-bootstrap-root uses manual sync until you enable automation after the playbook —
clusters/noble/bootstrap/argocd/README.md §5. See clusters/noble/apps/README.md and that README.

2
ansible/roles/noble_velero/defaults/main.yml
View File

@@ -1,5 +1,5 @@
---
# **noble_velero_install** is in **ansible/group_vars/all.yml**. Override S3 fields via extra-vars or group_vars.
# **noble_velero_install** is in **ansible/inventory/group_vars/all.yml**. Override S3 fields via extra-vars or group_vars.
noble_velero_chart_version: "12.0.0"
noble_velero_s3_bucket: ""