Major update, remove hero, update apps, switch to rke2

Author: x86-39

Diff for: README.md

@@ -51,7 +51,6 @@ These VMs are ran on the dedicated server (`OMORI`) at Hetzner. I have purchased
 | `Basil` | Rancher upstream cluster | Ubuntu 22.04 | 4 vCPU | 16GiB | 1x 100GiB (boot) |
 | `Aubrey` | Rancher cluster for personal applications | Ubuntu 22.04 | 10 vCPU | 48GiB | 1x 350GiB (boot) |
 | `Kel` | Rancher cluster for public facing applications | Ubuntu 22.04 | 6 vCPU | 24GiB | 1x 100GiB (boot) |
-| `Hero` | Rancher cluster for [Queer Coded](https://github.com/queercoded-dev) (pending) | Ubuntu 22.04 | 6 vCPU | 32GiB | 1x 300GiB (boot) |
 ###### These are characters from the game OMORI, quite fitting if you are familiar with the story ;)
 
 ## Applications
@@ -60,7 +59,7 @@ These are the applications I run on my homelab.
 | --- | --- | --- |
 | [Rancher](https://rancher.com/) | Kubernetes cluster management | Upstream cluster (`Basil`) |
 | [Longhorn](https://longhorn.io/) | Storage for Kubernetes | All rancher clusters |
-| [Joplin Server](https://joplinapp.org/) | Cloud sync for Joplin notes application | Personal cluster (`Aubrey`) |
+| [Nextcloud](https://nextcloud.com/) | Personal cloud | Personal cluster (`Aubrey`) |
 | [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | Password manager | Personal cluster (`Aubrey`) |
 | [GitLab](https://gitlab.com/) | Git mirror | Personal cluster (`Aubrey`) |
 | [Nextcloud](https://nextcloud.com/) | Personal cloud | Personal cluster (`Aubrey`) |
@@ -79,7 +78,7 @@ These repositories are included in this project. This includes Ansible roles, co
 | Repository | Type | Purpose |
 | --- | --- | --- |
 | [ansible_role_docker](https://github.com/diademiemi/ansible_role_docker) | Ansible role | Install Docker on my NAS |
-| [ansible_role_k3s](https://github.com/diademiemi/ansible_role_k3s) | Ansible role | Install K3S on the `Basil` VM for Rancher |
+| [ansible_role_rke2](https://github.com/diademiemi/ansible_role_rke2) | Ansible role | Install rke2 on the `Basil` VM for Rancher |
 | [ansible_role_helm](https://github.com/diademiemi/ansible_role_helm) | Ansible role | Install Helm on the `Basil` VM for Rancher |
 | [ansible_role_openzfs](https://github.com/diademiemi/ansible_role_openzfs) | Ansible role | Install OpenZFS on my NAS |
 | [ansible_role_wireguard](https://github.com/diademiemi/ansible_role_wireguard) | Ansible role | Install Wireguard on the `OMORI` host to connect to the `Undertale` router |
@@ -132,13 +131,12 @@ File | Type | Purpose
 [`playbooks/hetzner/05-applications.yml`](./playbooks/hetzner/05-applications.yml) | Ansible Playbook | Playbook to deploy the ArgoCD application to the Rancher clusters
 [`playbooks/hetzner/backups/create.yml`](./playbooks/hetzner/backups/create.yml) | Ansible Playbook | Playbook to backups of all Longhorn volumes to the NAS and store the backup names in a temporary file
 [`playbooks/hetzner/backups/restore.yml`](playbooks/hetzner/backups/restore.yml) | Ansible Playbook | Playbook to restore the Longhorn volumes from the NAS
-[`inventory/main/group_vars/all/main.yml`](./inventory/main/group_vars/all/main.yml) | Ansible Variables | Variables used by all hosts in the inventory. This includes Wireguard options, Hetzner, K3S and Rancher options
+[`inventory/main/group_vars/all/main.yml`](./inventory/main/group_vars/all/main.yml) | Ansible Variables | Variables used by all hosts in the inventory. This includes Wireguard options, Hetzner, rke2 and Rancher options
 [`inventory/main/host_vars/omori/wireguard.yml`](./inventory/main/host_vars/omori/wireguard.yml) | Ansible Variables | Variables used to deploy Wireguard on the `omori` host. This includes the Wireguard IP addresses, keys and hosts to connect
 [`inventory/main/host_vars/omori/system.yml`](./inventory/main/host_vars/omori/system.yml) | Ansible Variables | Variables used to configure the `omori` host.
-[`inventory/main/host_vars/basil/main.yml`](./inventory/main/host_vars/basil/main.yml) | Ansible Variables | Variables used by the `basil` host. This includes options for the K3S deployment and the secret age key
+[`inventory/main/host_vars/basil/main.yml`](./inventory/main/host_vars/basil/main.yml) | Ansible Variables | Variables used by the `basil` host. This includes options for the rke2 deployment and the secret age key
 [`inventory/main/host_vars/aubrey/main.yml`](./inventory/main/host_vars/aubrey/main.yml) | Ansible Variables | Variables used by the `aubrey` host. This includes the cluster name and secret age key
 [`inventory/main/host_vars/kel/main.yml`](./inventory/main/host_vars/kel/main.yml) | Ansible Variables | Variables used by the `kel` host. This includes the cluster name and secret age key
-[`inventory/main/host_vars/hero/main.yml`](./inventory/main/host_vars/hero/main.yml) | Ansible Variables | Variables used by the `hero` host. This includes the cluster name and secret age key
 [`inventory/main/host_vars/localhost/terraform.yml`](./inventory/main/host_vars/localhost/terraform.yml) | Ansible Variables | Variables used that are fed into Terraform. This includes extra DNS records, Cloudflare variables and the Rancher users so that they can be encrypted with Ansible Vault
 [`inventory/main/host_vars/localhost/hetzner.yml`](./inventory/main/host_vars/localhost/hetzner.yml) | Ansible Variables | Variables used that are used to communicate with the Hetzner API
 [`terraform/vms/*.tf`](./terraform/vms/) | Terraform | Terraform files to deploy the VMs to the dedicated server

Diff for: inventory/main/group_vars/all/all.yml

@@ -1,11 +1,7 @@
 ---
 wireguard_master_inventory_hostname: omori
 
-k3s_version: "v1.25.10+k3s1"
-
-k3s_extra_server_args: "--node-name {{ ansible_facts['hostname'] }}"
-
-kubeconfig_path: "/etc/rancher/k3s/k3s.yaml"
+kubeconfig_path: "/etc/rancher/rke2/rke2.yaml"
 
 rancher_bootstrap_password: "{{ vault_rancher_bootstrap_password }}"
 

Diff for: inventory/main/group_vars/all/vault.yml

@@ -1,11 +1,11 @@
 $ANSIBLE_VAULT;1.1;AES256
-64363063376630323430336431343032643036353235366331383335633066366339356234353430
-3737653439363532303136376662643838303539666231620a303565613432323038623563313265
-61326533623064373366373131386139393239643838303565616562613133643164376333363030
-3138343263666333660a303339303362653637383563373661383836613031336663646363366662
-34633934386638323066383161616463303665313663643433623234386135343962363031333632
-39623232643263366436326230616131613031646337393462313535613565386333363438626234
-30356338393963633464396639396630653739646231633262303766386633333532393265663732
-34643635366332396361633933343233306664383930636166343761623331336431313935633636
-66363639356233366333323132343639333635316135646634376231666437623234656566623837
-3835393961353433623539306565646363346239616466616131
+33376462376233653338623765306165373133633535343263383139613432333032326334313631
+3561353836623761623264626663323035383137306238390a666265656633313330336136386638
+36356237353761313030366138636530363837313766663366613062633461373934643666623230
+6533366662343034310a613530373733313632396239363765653466363337666636393431393465
+62333563323463356564346530383731616665393363643665376135313038623765333234333236
+36613630386466643661326130666530353262383666656663383139396432346537383261663731
+61376132626462363334386133653435363635656136323038656333376332633730393637656539
+66363631666465386334373862323465363138353736616361616633306262363436363234616438
+32373939386139613765393437323964383564666133346339386131663237613864386230643536
+3836303630353835396164643965623831373765653130393165

Diff for: inventory/main/host_vars/basil/main.yml

@@ -1,9 +1,12 @@
 ---
 system_hostname: "basil.blahaj.sh"
-k3s_role: "master"
+rke2_channel: "v1.26"
+rke2_type: "server"
+rke2_tls_san:
+  - "blahaj.sh"
 
-k3s_retrieve_kubeconfig: true
-k3s_kubeconfig_local_dest: ~/.kube/config-hetzner_server
+# rke2_retrieve_kubeconfig: true
+# rke2_kubeconfig_local_dest: ~/.kube/config-hetzner_server
 
 agekey: "{{ vault_agekey }}"
 

Diff for: inventory/main/host_vars/hero/main.yml

@@ -10,21 +10,32 @@ dns_records:
     type: "CNAME"
     ttl: 1
     value: "aubrey.blahaj.sh"
-    proxied: false
+    proxied: true
     allow_overwrite: true
   - name: "blahaj.sh"
     zone_id: "{{ terraform_domain_zone_map['blahaj']['sh'] }}"
     type: "CNAME"
     ttl: 1
     value: "aubrey.blahaj.sh"
+    proxied: true
+    allow_overwrite: true
+  - name: "tonetag.is"
+    zone_id: "{{ terraform_domain_zone_map['tonetag']['is'] }}"
+    type: "CNAME"
+    ttl: 1
+    value: "kel.blahaj.sh"
     proxied: false
     allow_overwrite: true
 
 terraform_domain_zone_map:
+  diademiemi:
+    me: "72bea38f2a542b196e1b6454f359e7a7"
   blahaj:
     sh: "26c4cee4cc505e99a566c577895cab4a"
   queercoded:
     dev: "6a3f0f8093ccbe852a7212bb81df6c03"
+  tonetag:
+    is: "d78598f3e1da5133c88e3bf61b7cca21"
 
 terraform_rancher_users:
   - name: "diademiemi"

Diff for: inventory/main/host_vars/hero/vault.yml

@@ -21,7 +21,7 @@ helmCharts:
           apiVersion: "policy/v1"
         ingress:
           apiVersion: "networking.k8s.io/v1"
-          class: "traefik"
+          class: "nginx"
           enabled: true
           tls:
             secretName: gitlab-blahaj-cert

Diff for: inventory/main/host_vars/localhost/terraform.yml

@@ -1,5 +1,4 @@
 resources:
-  - ./joplin-server
   - ./vaultwarden
   - ./gitlab
   - ./site-blahaj-sh

Diff for: kubernetes/argocd-gitlab/kustomization.yaml

@@ -8,6 +8,8 @@ helmCharts:
     version: "0.1.1"
     valuesInline:
       ingress:
+        annotations:
+          ingress.kubernetes.io/force-ssl-redirect: "true"
         enabled: true
         hosts:
           - host: libreddit.blahaj.sh

Diff for: kubernetes/argocd-personal/applications/joplin-server/kustomization.yaml

@@ -8,7 +8,7 @@ helmCharts:
     releaseName: nextcloud
     namespace: nextcloud
     repo: https://nextcloud.github.io/helm/
-    version: "3.5.15"
+    version: "4.3.1"
     valuesInline:
       nextcloud:
         host: cloud.blahaj.sh
@@ -27,7 +27,7 @@ helmCharts:
           enabled: true
 
       ingress:
-        className: traefik
+        className: nginx
         enabled: true
         tls:
           - hosts:

Diff for: kubernetes/argocd-personal/applications/kustomization.yaml

@@ -3,6 +3,8 @@ kind: Ingress
 metadata:
   name: site-blahaj-sh
   namespace: site-blahaj-sh
+  annotations:
+    ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   rules:
     - host: blahaj.sh

Diff for: kubernetes/argocd-personal/applications/libreddit/kustomization.yaml

@@ -5,7 +5,7 @@ helmCharts:
     releaseName: vaultwarden
     namespace: vaultwarden
     repo: https://diademiemi.github.io/charts
-    version: "0.2.0"
+    version: "0.3.0"
     valuesInline:
       image:
         repository: vaultwarden/server

Diff for: kubernetes/argocd-personal/applications/nextcloud/kustomization.yaml

@@ -8,7 +8,6 @@ spec:
   secretName: home-blahaj-cert
   commonName: home.blahaj.sh
   dnsNames:
-    - blahaj.sh  # To work around https://letsencrypt.org/docs/duplicate-certificate-limit/
     - home.blahaj.sh
   issuerRef:
     name: blahaj-issuer

Diff for: kubernetes/argocd-personal/applications/site-blahaj-sh/ingress.yaml

@@ -8,7 +8,6 @@ spec:
   secretName: media-blahaj-cert
   commonName: media.blahaj.sh
   dnsNames:
-    - blahaj.sh  # To work around https://letsencrypt.org/docs/duplicate-certificate-limit/
     - media.blahaj.sh
   issuerRef:
     name: blahaj-issuer

Diff for: kubernetes/argocd-personal/applications/vaultwarden/kustomization.yaml

@@ -32,6 +32,8 @@ kind: Ingress
 metadata:
   name: homeassistant-service
   namespace: ingresses
+  annotations:
+    ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   rules:
   - host: home.blahaj.sh

Diff for: kubernetes/argocd-personal/cert-manager/certificates/home.yaml

@@ -32,6 +32,8 @@ kind: Ingress
 metadata:
   name: jellyfin-service
   namespace: ingresses
+  annotations:
+    ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   rules:
   - host: media.blahaj.sh

Diff for: kubernetes/argocd-personal/cert-manager/certificates/media.yaml

@@ -14,10 +14,3 @@ targetCustomizations:
       identifier/name: public
   kustomize:
     dir: overlays/public
-
-- name: qc
-  clusterSelector:
-    matchLabels:
-      identifier/name: qc
-  kustomize:
-    dir: overlays/qc

Diff for: kubernetes/argocd-personal/ingresses/home-assistant.yaml

@@ -4,7 +4,7 @@ helm:
   releaseName: cert-manager
   chart: cert-manager
   repo: https://partner-charts.rancher.io/
-  version: "v1.12.0"
+  version: "v1.13.1"
 
   values:
     installCRDs: true

Diff for: kubernetes/argocd-personal/ingresses/jellyfin.yaml

@@ -4,7 +4,7 @@ helm:
   releaseName: longhorn
   chart: longhorn
   repo: https://charts.rancher.io/
-  version: "102.2.1+up1.4.2"
+  version: "102.3.0+up1.5.1"
 
   values:
     persistence:
@@ -35,12 +35,3 @@ targetCustomizations:
     values:
       defaultSettings:
         backupTarget: "s3://longhorn-backups-public@minio/"
-
-- name: qc
-  clusterSelector:
-    matchLabels:
-      identifier/name: qc
-  helm:
-    values:
-      defaultSettings:
-        backupTarget: "s3://longhorn-backups-qc@minio/"

Diff for: kubernetes/argocd-qc/.sops.yaml

@@ -4,7 +4,7 @@ helm:
   releaseName: rancher-backup
   chart: rancher-backup
   repo: https://charts.rancher.io/
-  version: "102.0.0+up3.1.0"
+  version: "102.0.2+up3.1.2"
 
   values:
     s3: