Example service now uses tls for some reason

Certificate resource is created but not deployed at this time

.gitea/workflows/ansible-lint.yaml

@@ -10,6 +10,6 @@ jobs:
     steps:
       - name: Checkout repo content
         uses: actions/checkout@v4
-      - run: ansible-lint
+      - run: ansible-lint -c linter.yaml
         working-directory: ansible/
 

.gitignore

@@ -21,3 +21,4 @@ docker/beta/shockrah.xyz/
 docker/beta/resume.shockrah.xyz/
 k8s/config.yaml
 infra/**/tfplan
+.ansible/

ansible/inventory.yaml

@@ -0,0 +1,3 @@
+nigel:
+  hosts:
+    nigel.local:

ansible/linter.yaml

@@ -0,0 +1,4 @@
+---
+skip_list:
+    - role-name
+    - var-naming[no-role-prefix]

ansible/local-setup-admin-user.yaml

@@ -0,0 +1,28 @@
+# This playbook is meant to be a oneshot to be ran manually on the dev box
+# The rest of the role stuff is meant to be ran as the admin user that
+# this playbook creates for us
+---
+- name: Setup local admin user with a fresh ubuntu host
+  hosts: nigel.local
+  remote_user: nigel
+  vars:
+    admin:
+      username: nigel
+  tasks:
+    - name: Copy the nigel admin key
+      ansible.posix.authorized_key:
+        user: "{{ admin.username }}"
+        state: present
+        key: "{{ lookup('file', '~/.ssh/nigel/admin.pub') }}"
+    - name: Prevent password based logins
+      become: true
+      ansible.builtin.lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PasswordAuthentication no
+        state: present
+        backup: true
+    - name: Restart SSH Daemon
+      become: true
+      ansible.builtin.service:
+        name: ssh
+        state: restarted

ansible/nomad.yaml

@@ -0,0 +1,9 @@
+---
+- name: Setup all the responsibilities of the nomad server
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply the nomad role
+      ansible.builtin.include_role:
+        name: nomad
+

ansible/nuc.yaml

@@ -0,0 +1,14 @@
+---
+- name: Setup bare metal requirements
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply the base role to the nuc
+      ansible.builtin.include_role:
+        name: base
+    - name: Apply the k3s base role
+      ansible.builtin.include_role:
+        name: k3s
+    - name: Apply the proxy role
+      ansible.builtin.include_role:
+        name: proxy

ansible/proxy.yaml

@@ -0,0 +1,8 @@
+---
+- name: Setup host as a reverse proxy
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply reverse proxy role
+      ansible.builtin.include_role:
+        name: proxy

ansible/roles/base/files/docker.list

@@ -0,0 +1 @@
+deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable

ansible/roles/base/tasks/ensure-docker-basic.yaml

@@ -0,0 +1,41 @@
+- name: Ensure we have basic updated packages setting up docker
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    update_cache: true
+  loop:
+    - ca-certificates
+    - curl
+- name: Running install on the keyrings directory
+  ansible.builtin.command:
+    cmd: install -m 0755 -d /etc/apt/keyrings
+  register: install
+  changed_when: install.rc == 0
+- name: Fetch Docker GPG Key
+  vars:
+    keylink: https://download.docker.com/linux/ubuntu/gpg
+  ansible.builtin.get_url:
+    url: "{{ keylink }}"
+    dest: /etc/apt/keyrings/docker.asc
+    mode: "0644"
+- name: Add repo to apt sources
+  ansible.builtin.copy:
+    src: docker.list
+    dest: /etc/apt/sources.list.d/docker.list
+    mode: "0644"
+- name: Update Apt cache with latest docker.list packages
+  ansible.builtin.apt:
+    update_cache: true
+- name: Ensure all docker packages are updated to the latest versions
+  ansible.builtin.apt:
+    name: "{{ item }}"
+  loop:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-buildx-plugin
+    - docker-compose-plugin
+- name: Verify that the docker components are installed properly
+  ansible.builtin.command:
+    cmd: docker run hello-world
+  register: docker
+  changed_when: docker.rc == 0

ansible/roles/base/tasks/k3s.yaml

@@ -0,0 +1,8 @@
+- name: Download the setup script
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp/k3s.sh
+    mode: "0644"
+- name: Run installation script
+  ansible.builtin.command:
+    cmd: bash /tmp/k3s.sh

ansible/roles/base/tasks/main.yaml

@@ -0,0 +1,25 @@
+- name: Ensure nigel can use sudo without password
+  become: true
+  tags:
+    - setup
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers
+    state: present
+    line: "nigel ALL=(ALL) NOPASSWD:ALL"
+- name: Ensure docker components are installed
+  tags:
+    - setup
+  ansible.builtin.include_tasks:
+    file: ensure-docker-basic.yaml
+    apply:
+      become: true
+      tags:
+        - setup
+- name: Run through nomad removal steps
+  tags: nomad
+  ansible.builtin.include_tasks:
+    file: nomad.yaml
+    apply:
+      become: true
+      tags:
+        - nomad

ansible/roles/base/templates/consul.hcl

@@ -0,0 +1,12 @@
+bind_addr = "{{ ip }}"
+advertise_addr = "{{ ip }}"
+bootstrap = true
+bootstrap_expect = 1
+client_addr = "{{ ip }}"
+server = true
+data_dir = "/opt/consul"
+
+ui_config { 
+    enabled = true
+}
+

ansible/roles/base/templates/hashicorp.list

@@ -0,0 +1 @@
+deb [signed-by={{ keyfile }}] https://apt.releases.hashicorp.com jammy main

ansible/roles/k3s/tasks/main.yaml

@@ -0,0 +1,11 @@
+- name: Download the installation script
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp
+  register: install_script
+- name: Run installation script
+  become: true
+  environment:
+      INSTALL_K3S_EXEC: server
+  ansible.builtin.command:
+    cmd: sh {{ install_script.dest }}

ansible/roles/nomad/files/nomad.hcl

@@ -0,0 +1,24 @@
+data_dir  = "/opt/nomad/data"
+bind_addr = "0.0.0.0"
+
+server {
+  enabled          = true
+  bootstrap_expect = 1
+}
+
+
+client {
+  enabled = true
+  servers = ["127.0.0.1"]
+}
+
+host_volume "registry" {
+    path = "/opt/volumes/registry"
+    read_only = false
+}
+
+host_volume "nfs" {
+  path = "/opt/volumes/nfs"
+  read_only = false
+}
+

ansible/roles/nomad/tasks/main.yaml

@@ -0,0 +1,18 @@
+- name: Nomad server configuration
+  become:  true
+  block:
+    - name: Ensure the root data directory is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.root }}"
+        state: absent
+        mode: "0755"
+    - name: Ensure registry volume is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.registry }}"
+        state: absent
+        mode: "0755"
+    - name: Ensure the MinIO diretory is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.nfs }}"
+        state: absent
+        mode: "0755"

ansible/roles/nomad/vars/main.yaml

@@ -0,0 +1,5 @@
+nomad:
+  volumes:
+    root: /opt/volumes
+    registry: /opt/volumes/ncr
+    nfs: /opt/volumes/nfs

ansible/roles/proxy/files/host-file

@@ -0,0 +1,15 @@
+127.0.0.1 localhost
+127.0.1.1 nigel
+
+# Our own dns stuff
+127.0.1.1 nigel.local
+127.0.1.1 nomad.nigel.local
+127.0.1.1 sanity.nigel.local
+127.0.1.1 ncr.nigel.local
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

ansible/roles/proxy/files/ncr.conf

@@ -0,0 +1,6 @@
+server {
+    server_name ncr.nigel.local;
+    location / {
+        proxy_pass http://localhost:5000;
+    }
+}

ansible/roles/proxy/files/nomad.conf

@@ -0,0 +1,25 @@
+server {
+    server_name nomad.nigel.local;
+    location / {
+        proxy_pass http://nomad-ws;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_read_timeout 319s;
+
+        # This is for log streaming requests
+        proxy_buffering off;
+
+        # Upgrade and Connection headers for upgrading to websockets
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+
+        proxy_set_header Origin "${scheme}://${proxy_host}";
+    }
+}
+
+
+upstream nomad-ws {
+    ip_hash;
+    server nomad.nigel.local:4646;
+}

ansible/roles/proxy/tasks/main.yaml

@@ -0,0 +1,28 @@
+- name: Reverse proxy role configuration
+  become: true
+  block:
+    - name: Ensure /etc/hosts are up to date
+      ansible.builtin.copy:
+        dest: /etc/hosts
+        src: host-file
+        mode: "0644"
+    - name: Ensure nginx is setup as latest
+      ansible.builtin.apt:
+        name: nginx
+    - name: Copy the nomad.conf to available configurations
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "/etc/nginx/sites-available/{{ item }}"
+        mode: "0644"
+      loop: "{{ proxy_nginx_configs }}"
+    - name: Link the nomad.conf to sites-enabled
+      ansible.builtin.file:
+        path: "/etc/nginx/sites-enabled/{{ item }}"
+        state: link
+        src: "/etc/nginx/sites-available/{{ item }}"
+        mode: "0644"
+      loop: "{{ proxy_nginx_configs }}"
+    - name: Restart nginx
+      ansible.builtin.systemd_service:
+        name: nginx
+        state: restarted

ansible/roles/proxy/vars/main.yaml

@@ -0,0 +1,3 @@
+proxy_nginx_configs:
+  - nomad.conf
+  - ncr.conf

ansible/scripts/pull-down-s3.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-set -e
-
-bucket="$1"
-s3env=/opt/nginx/s3.env
-
-[[ -z "$bucket" ]] && echo "No bucket selected" && exit 1
-
-[[ ! -f $s3env ]] && echo "No credentials to source!" && exit 1
-source $s3env
-
-pull() {
-	aws s3 sync s3://$bucket /opt/nginx/$bucket
-}
-
-
-case $bucket in 
-	resume.shockrah.xyz|shockrah.xyz|temper.tv) pull;;
-	*) echo "Invalid bucket name" && exit 1 ;;
-esac
-
-

infra/containers/docker-compose.yaml

@@ -1,40 +0,0 @@
-networks:
-  gitea:
-    external: false
-
-
-services:
-  gitea:
-    image: gitea/gitea:latest-rootless
-    container_name: gitea
-    environment:
-      - USER_UID=1000
-      - USER_GID=1000
-    restart: always
-    networks:
-      - gitea
-    volumes:
-      - /opt/containers/gitea:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    ports:
-      - "3000:3000"
-      - "2222:22"
-  gitea-runner:
-    image: gitea/act_runner:nightly
-    container_name: gitea-runner
-    restart: always
-    networks:
-      - gitea
-    volumes:
-      - /opt/containers/gitea_runner/
-      - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - GITEA_INSTANCE_URL=https://git.shockrah.xyz
-      - GITEA_RUNNER_NAME=gitea-main
-      - GITEA_RUNNER_LABELS=gitea-main
-      - GITEA_RUNNER_REGISTRATION_TOKEN=${token}
-
-
-
-

infra/containers/readme.md

@@ -1,29 +0,0 @@
-What is this
-============
-
-Here we contain scripts to build out all the containers that are run.
-All of these images are based on images that are made from other projects
-
-docker-compose.yaml
-===================
-
-Services that are more/less "special" go here since most of the stuff that is
-run on the main host are basically just static html websites
-
-Services & Containers
-=====================
-
-| Service    | Docker Image Used        |
-|------------|--------------------------|
-| Gitea      | gitea/gitea:latest       |
-| Act Runner | gitea/act_runner:nightly |
-
-Why the servics above?
-======================
-
-The Gitea related services are there so that I can host my own Git projects
-away from "Git as a service" services. I have no issue with Github/Gitlab
-but I just like being able to host my own stuff when possible :smiley:
-
-
-

infra/dns/build.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-opt=$1
-plan=tfplan
-
-build_plan() {
-	echo Generating plan
-	set -x
-	terraform plan -var-file variables.tfvars -input=false -out $plan
-}
-
-deploy_plan() {
-	terraform apply $plan
-}
-
-init() {
-	terraform init
-}
-
-help_prompt() {
-	cat <<- EOF
-	Options: plan deploy help
-	EOF
-}
-
-# Default to building a plan
-source ./secrets.sh
-case $opt in 
-	plan) build_plan;;
-	deploy) deploy_plan;;
-	*) help_prompt;;
-esac

infra/dns/shockrah-xyz.tf

@@ -37,6 +37,7 @@ locals {
     { name = "www.shockrah.xyz",      records = [ var.vultr_host ] },
     { name = "resume.shockrah.xyz",   records = [ var.vultr_host ] },
     { name = "git.shockrah.xyz",      records = [ var.vultr_host ] },
+    { name = "example.shockrah.xyz",      records = [ var.vke_lb ] },
   ]
 }
 

infra/dns/variables.tf

@@ -26,3 +26,7 @@ variable "vultr_host" {
   description = "IP of the temp Vultr host"
 }
 
+variable "vke_lb" {
+	type = string
+	description = "IP of our VKE load balancer"
+}

infra/dns/variables.tfvars

@@ -1 +1,2 @@
 vultr_host = "45.32.83.83"
+vke_lb = "140.82.21.106"

infra/nigel-k3s/.gitignore

@@ -0,0 +1 @@
+config.yaml

infra/nigel-k3s/health.yaml

@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+          name: nginx-port
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+spec:
+  type: NodePort
+  selector:
+    app: nginx
+  ports:
+    - port: 80
+      nodePort: 30808
+      targetPort: nginx-port

infra/nigel-k3s/sample-cron.yaml

@@ -0,0 +1,19 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hello
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: hello
+              image: busybox:1.28
+              imagePullPolicy: IfNotPresent
+              command:
+                - /bin/sh
+                - -c
+                - date; echo Hello from the sample cron-container
+          restartPolicy: OnFailure

infra/vultr-kubernetes/admin-services.tf

@@ -1,62 +0,0 @@
-resource kubernetes_namespace admin-servers {
-    count = length(var.admin_services.configs) > 0 ? 1 : 0
-    metadata {
-        name = var.admin_services.namespace
-    }
-}
-
-resource kubernetes_pod admin {
-    for_each = var.admin_services.configs
-
-    metadata {
-        name = each.key
-        namespace = var.admin_services.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    spec {
-        node_selector = {
-            NodeType = var.admin_services.namespace
-        }
-        container {
-            image = each.value.image
-            name  = coalesce(each.value.name, each.key)
-            resources {
-                limits = {
-                    cpu    = each.value.cpu
-                    memory = each.value.mem
-                }
-            }
-            port {
-                container_port = each.value.port.internal
-                protocol       = coalesce(each.value.proto, "TCP")
-            }
-        }
-    }
-}
-
-resource kubernetes_service admin {
-    for_each = var.admin_services.configs
-    metadata {
-        name = each.key
-        namespace = var.admin_services.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    # TODO: don't make these NodePorts since we're gonna want them
-    # to be purely internal to the Cluster.
-    # WHY? Because we want to keep dashboards as unexposed as possible
-    spec {
-        selector = {
-            app = each.key
-        }
-        port {
-            target_port        = each.value.port.internal
-            port               = each.value.port.expose
-        }
-        type = "NodePort"
-    }
-}
-

infra/vultr-kubernetes/backend.tf

@@ -9,15 +9,20 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "5.98.0"
     }
     vultr = {
       source = "vultr/vultr"
-      version = "2.22.1"
+      version = "2.26.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.34.0"
+      version = "2.37.1"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.1.0"
     }
   }
 }

infra/vultr-kubernetes/cert-manager.yaml

@@ -1,15 +1,14 @@
 apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
+kind: Issuer
 metadata:
-  name: letsencrypt-prod
-  namespace: default
+  name: letsencrypt-nginx
 spec:
   acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
     email: dev@shockrah.xyz
+    server: https://acme-v02.api.letsencrypt.org/directory
     privateKeySecretRef:
-      name: letsencrypt-prod
+      name: example
     solvers:
       - http01:
           ingress:
-            class: traefik
+            class: nginx

infra/vultr-kubernetes/cluster.tf

@@ -1,28 +1,16 @@
 resource vultr_kubernetes athens {
-  region = var.cluster.region
+  region  = var.cluster.region
   version = var.cluster.version
-  label = var.cluster.label
-  # BUG: only have this set when creating the resource for the first time
-  # once the cluster is up, we should comment this out again
-  # enable_firewall = true
-  node_pools {
-    node_quantity = 1
-    plan      = var.cluster.pools["meta"].plan
-    label     = var.admin_services.namespace
-    min_nodes = var.cluster.pools["meta"].min
-    max_nodes = var.cluster.pools["meta"].max
-    # tag       = var.admin_services.namespace
-  }
-}
+  label   = var.cluster.label
+  # vpc_id  = vultr_vpc.athens.id
 
-resource vultr_kubernetes_node_pools games {
-  cluster_id = vultr_kubernetes.athens.id
-  node_quantity = var.cluster.pools["games"].min
-  plan      = var.cluster.pools["games"].plan
-  label     = var.game_servers.namespace
-  min_nodes = var.cluster.pools["games"].min
-  max_nodes = var.cluster.pools["games"].max
-  tag       = var.admin_services.namespace
+  node_pools {
+    node_quantity = var.cluster.pools["main"].min_nodes
+    plan          = var.cluster.pools["main"].plan
+    label         = var.cluster.pools["main"].label
+    min_nodes     = var.cluster.pools["main"].min_nodes
+    max_nodes     = var.cluster.pools["main"].max_nodes
+  }
 }
 
 output k8s_config {

infra/vultr-kubernetes/dev/.gitignore

@@ -1,4 +0,0 @@
-# created by virtualenv automatically
-bin/
-lib/
-

infra/vultr-kubernetes/dev/find-server.py

@@ -1,51 +0,0 @@
-from argparse import ArgumentParser
-from argparse import Namespace
-from kubernetes import client, config
-import re
-
-def get_args() -> Namespace:
-    parser = ArgumentParser(
-        prog="Cluster Search Thing",
-        description="General utility for finding resources for game server bot"
-    )
-    games = {"reflex", "minecraft"}
-    parser.add_argument('-g', '--game', required=False, choices=games)
-
-    admin = {"health"}
-    parser.add_argument('-a', '--admin', required=False, choices=admin)
-    return parser.parse_args()
-
-def k8s_api(config_path: str) -> client.api.core_v1_api.CoreV1Api:
-    config.load_kube_config("../config.yaml")
-    return client.CoreV1Api()
-
-def get_admin_service_details(args: ArgumentParser, api: client.api.core_v1_api.CoreV1Api):
-    print('admin thing requested', args.admin)
-
-def get_game_server_ip(args: ArgumentParser, api: client.api.core_v1_api.CoreV1Api):
-    pods = api.list_pod_for_all_namespaces(label_selector=f'app={args.game}')
-    node_name = pods.items[0].spec.node_name
-
-    services = api.list_service_for_all_namespaces(label_selector=f'app={args.game}')
-    port = services.items[0].spec.ports[0].port
-
-    # Collecting the IPV4 of the node that contains the pod(container)
-    # we actually care about. Since these pods only have 1 container
-    # Now we collect specific data about the game server we requested
-    node_ips  = list(filter(lambda a: a.type == 'ExternalIP', api.list_node().items[0].status.addresses))
-    ipv4 = list(filter(lambda item: not re.match('[\d\.]{3}\d', item.address), node_ips))[0].address
-    ipv6 = list(filter(lambda item: re.match('[\d\.]{3}\d', item.address), node_ips))[0].address
-    
-    print(f'{args.game} --> {ipv4}:{port} ~~> {ipv6}:{port}')
-
-
-if __name__ == '__main__':
-    args = get_args()
-    api = k8s_api('../config.yaml')
-
-    if args.game:
-        get_game_server_ip(args, api)
-    
-    if args.admin:
-        get_admin_service_details(args, api)
-    

infra/vultr-kubernetes/dev/pyvenv.cfg

@@ -1,8 +0,0 @@
-home = /usr
-implementation = CPython
-version_info = 3.10.12.final.0
-virtualenv = 20.13.0+ds
-include-system-site-packages = false
-base-prefix = /usr
-base-exec-prefix = /usr
-base-executable = /usr/bin/python3

infra/vultr-kubernetes/dev/requirements.txt

@@ -1,18 +0,0 @@
-cachetools==5.5.0
-certifi==2024.8.30
-charset-normalizer==3.4.0
-durationpy==0.9
-google-auth==2.36.0
-idna==3.10
-kubernetes==31.0.0
-oauthlib==3.2.2
-pyasn1==0.6.1
-pyasn1_modules==0.4.1
-python-dateutil==2.9.0.post0
-PyYAML==6.0.2
-requests==2.32.3
-requests-oauthlib==2.0.0
-rsa==4.9
-six==1.17.0
-urllib3==2.2.3
-websocket-client==1.8.0

infra/vultr-kubernetes/firewall.tf

@@ -1,32 +1,23 @@
-resource vultr_firewall_rule web_inbound {
-  for_each = toset([for port in [80, 443, 6443] : tostring(port) ])
-  firewall_group_id = vultr_kubernetes.athens.firewall_group_id
+# resource vultr_firewall_rule web_inbound {
+#   for_each = toset([for port in [80, 443, 6443] : tostring(port) ])
+#   firewall_group_id = vultr_kubernetes.athens.firewall_group_id
+#   protocol = "tcp"
+#   ip_type = "v4"
+#   subnet = "0.0.0.0"
+#   subnet_size = 0
+#   port = each.value
+# }
+
+resource vultr_firewall_group bastion {
+  description = "For connections into and out of the bastion host"
+}
+
+resource vultr_firewall_rule bastion_inbound {
+  firewall_group_id = vultr_firewall_group.bastion.id
   protocol = "tcp"
   ip_type = "v4"
   subnet = "0.0.0.0"
   subnet_size = 0
-  port = each.value
-}
-
-resource vultr_firewall_rule game-server-inbound {
-  for_each = var.game_servers.configs
-  firewall_group_id = vultr_kubernetes.athens.firewall_group_id
-  protocol = "tcp"
-  ip_type = "v4"
-  subnet = "0.0.0.0"
-  subnet_size = 0
-  port = each.value.port.expose
-}
-
-
-resource vultr_firewall_rule admin-service-inbound {
-  for_each = var.admin_services.configs
-  firewall_group_id = vultr_kubernetes.athens.firewall_group_id
-  protocol = "tcp"
-  ip_type = "v4"
-  subnet = "0.0.0.0"
-  subnet_size = 0
-  notes = each.value.port.notes
-  port = each.value.port.expose
+  port = 22
 }
 

infra/vultr-kubernetes/game-server.tf

@@ -1,55 +0,0 @@
-resource kubernetes_namespace game-servers {
-    count = length(var.game_servers.configs) > 0 ? 1 : 0
-    metadata {
-        name = var.game_servers.namespace
-    }
-}
-
-resource kubernetes_pod game {
-    for_each = var.game_servers.configs
-
-    metadata {
-        name = each.key
-        namespace = var.game_servers.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    spec {
-        container {
-            image = each.value.image
-            name  = coalesce(each.value.name, each.key)
-            resources {
-                limits = {
-                    cpu    = each.value.cpu
-                    memory = each.value.mem
-                }
-            }
-            port {
-                container_port = each.value.port.internal
-                protocol       = coalesce(each.value.proto, "TCP")
-            }
-        }
-    }
-}
-
-resource kubernetes_service game {
-    for_each = var.game_servers.configs
-    metadata {
-        name = each.key
-        namespace = var.game_servers.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    spec {
-        selector = {
-            app = each.key
-        }
-        port {
-            target_port        = each.value.port.internal
-            port   = each.value.port.expose
-        }
-        type = "NodePort"
-    }
-}

infra/vultr-kubernetes/ingress.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami-service
+spec:
+  selector:
+    name: whoami
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami-ingress
+  annotations:
+    cert-manager.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: whoami-tls
+      hosts:
+        - example.shockrah.xyz
+  rules:
+    - host: example.shockrah.xyz
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: whoami-service
+                port:
+                  number: 80

infra/vultr-kubernetes/k8s/.gitignore

@@ -1 +0,0 @@
-terraform.yaml

infra/vultr-kubernetes/k8s/backend.tf

@@ -1,33 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-  backend s3 {
-    bucket  = "project-athens"
-    key     = "infra/vke/k8s/state/build.tfstate"
-    region  = "us-west-1"
-    encrypt = true
-  }
-  required_providers {
-    # For interacting with S3
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.0"
-    }
-    kubernetes = {
-      source = "hashicorp/kubernetes"
-      version = "2.30.0"
-    }
-  }
-}
-
-provider aws {
-  access_key  = var.aws_key
-  secret_key  = var.aws_secret
-  region      = var.aws_region
-  max_retries = 1
-}
-
-provider kubernetes {
-  config_path = "terraform.yaml"
-}
-
-

infra/vultr-kubernetes/k8s/ingress.tf

@@ -1,50 +0,0 @@
-resource kubernetes_ingress_v1 athens {
-	metadata {
-		name = var.shockrahxyz.name
-    namespace = kubernetes_namespace.websites.metadata.0.name
-		labels = {
-			app = "websites"
-		}
-	}
-	spec {
-		rule {
-      host = "test.shockrah.xyz"
-		  http {
-		    path {
-		      backend {
-						service {
-						  name = var.shockrahxyz.name
-							port {
-							  number = 80
-							}
-						}
-		      }
-					path = "/"
-		    }
-		  }
-		}
-	}
-}
-
-
-resource kubernetes_service athens_lb {
-  metadata {
-    name = "athens-websites"
-    namespace = kubernetes_namespace.websites.metadata.0.name
-    labels = {
-      app = "websites"
-    }
-  }
-  spec {
-    selector = {
-      app = kubernetes_ingress_v1.athens.metadata.0.labels.app
-    }
-    port {
-      port = 80
-      target_port = 80
-    }
-    type = "LoadBalancer"
-    external_ips = [ var.cluster.ip ]
-  }
-}
-

infra/vultr-kubernetes/k8s/namespace.tf

@@ -1,5 +0,0 @@
-resource kubernetes_namespace websites {
-  metadata {
-    name = "websites"
-  }
-}

infra/vultr-kubernetes/k8s/readme.md

@@ -1,62 +0,0 @@
-# First we setup the ingress controller with helm
-
-
-```sh
-helm repo add traefik https://helm.traefik.io/traefik
-helm repo update
-# Now we can install this to our cluster
-helm install --kubeconfig config.yaml traefik traefik/traefik
-```
-
-# Prove the service is present with
-
-```sh
-kubectl --kubeconfig config.yaml get svc
-```
-
-# Create the pods
-
-```sh
-kubectl --kubeconfig config.yaml -f k8s/nginx-dep.yaml
-```
-
-# Expose on port 80
-
-```sh
-kubectl --kubeconfig config.yaml -f k8s/nginx-service.yaml
-```
-
-# Create ingress on k8s
-
-```sh
-kubectl --kubeconfig config.yaml -f k8s/traefik-ingress.yaml
-```
-
-# Take the external IP from the ingress 
-
-Put that into terraform's A record for the domain since this is a load balancer
-in Vultr ( actual resource apparantly )
-
-# Configure cert-manager for traefik ingress
-
-Using the latest version from here:
-https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.crds.yaml
-
-```sh
-kubectl --kubeconfig config.yaml \
-	apply --validate=false \
-	-f https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.yaml
-```
-
-# Create the cert issuer and certificate
-
-
-```sh
-kubectl --kubeconfig config.yaml apply -f k8s/letsencrypt-issuer.yaml
-kubectl --kubeconfig config.yaml apply -f k8s/letsencrypt-issuer.yaml
-```
-
-Because we just have 1 cert for now we are looking for it's status to be `READY`
-
-
-

infra/vultr-kubernetes/k8s/shockrah-xyz.tf

@@ -1,21 +0,0 @@
-Plain nginx for now so that we can test out reverse dns
-resource kubernetes_pod shockrah {
-  metadata {
-    name = var.shockrahxyz.name
-    namespace = kubernetes_namespace.websites.metadata.0.name
-    labels = {
-      app = var.shockrahxyz.name
-    }
-  }
-  spec {
-    container {
-      image = "nginx"
-      name  = "${var.shockrahxyz.name}"
-      port {
-        container_port = 80
-      }
-    }
-  }
-}
-
-

infra/vultr-kubernetes/k8s/variables.tf

@@ -1,35 +0,0 @@
-# API Keys required to reach AWS/Vultr
-variable vultr_api_key {
-  type = string
-  sensitive = true
-}
-
-variable aws_key {
-  type = string
-  sensitive = true
-}
-
-variable aws_secret {
-  type = string
-  sensitive = true
-}
-
-variable aws_region {
-  type = string
-  sensitive = true
-}
-
-variable shockrahxyz {
-  type = object({
-    name = string
-    port = number
-    dns  = string
-  })
-}
-
-variable cluster {
-  type = object({
-    ip = string
-  })
-}
-

infra/vultr-kubernetes/k8s/yaml/alternate.temprah-lab.xyz/main.yaml

@@ -1,37 +0,0 @@
-# Here we are going to define the deployment and service
-# Basically all things directly related to the actual service we want to provide
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: alternate-nginx-web
-  namespace: default
-  labels:
-    app: alternate-nginx-web
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: alternate-nginx-web
-  template:
-    metadata:
-      labels:
-        app: alternate-nginx-web
-    spec:
-      # Container comes from an example thing i randomly found on docker hub
-      containers:
-        - name: alternate-nginx-web
-          image: dockerbogo/docker-nginx-hello-world
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: alternate-nginx-web
-  namespace: default
-spec:
-  selector:
-    app: alternate-nginx-web
-  ports:
-    - name: http
-      targetPort: 80
-      port: 80

infra/vultr-kubernetes/k8s/yaml/alternate.temprah-lab.xyz/tls.yaml

@@ -1,30 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: hello.temprah-lab.xyz
-  namespace: default
-spec:
-  secretName: hello.temprah-lab.xyz-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  commonName: hello.temprah-lab.xyz
-  dnsNames:
-    - hello.temprah-lab.xyz
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod-hello
-  namespace: default
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: dev@shockrah.xyz
-    privateKeySecretRef:
-      name: letsencrypt-prod-hello
-    solvers:
-      - http01:
-          ingress:
-            class: traefik
-

infra/vultr-kubernetes/k8s/yaml/letsencrypt-certificate.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: sample.temprah-lab.xyz
-  namespace: default
-spec:
-  secretName: sample.temprah-lab.xyz-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  commonName: sample.temprah-lab.xyz
-  dnsNames:
-    - sample.temprah-lab.xyz

infra/vultr-kubernetes/k8s/yaml/temprah-lab.xyz/nginx-dep.yaml

@@ -1,20 +0,0 @@
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: nginx-web
-  namespace: default
-  labels:
-    app: nginx-web
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: nginx-web
-  template:
-    metadata:
-      labels:
-        app: nginx-web
-    spec:
-      containers:
-        - name: nginx
-          image: nginx

infra/vultr-kubernetes/k8s/yaml/temprah-lab.xyz/nginx-service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nginx-web
-  namespace: default
-spec:
-  selector:
-    app: nginx-web
-  ports:
-    - name: http
-      targetPort: 80
-      port: 80

infra/vultr-kubernetes/k8s/yaml/tls.yaml

@@ -1,44 +0,0 @@
-# This is the first thing we need to create, an issue to put certs into
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-  namespace: default
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: dev@shockrah.xyz
-    privateKeySecretRef:
-      name: letsencrypt-temprah-lab
-    solvers:
-      - http01:
-          ingress:
-            class: traefik
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: hello.temprah-lab.xyz
-  namespace: default
-spec:
-  secretName: hello.temprah-lab.xyz-tls
-  issuerRef:
-    name: letsencrypt-temprah-lab
-    kind: ClusterIssuer
-  commonName: hello.temprah-lab.xyz
-  dnsNames:
-    - hello.temprah-lab.xyz
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: sample.temprah-lab.xyz
-  namespace: default
-spec:
-  secretName: sample.temprah-lab.xyz-tls
-  issuerRef:
-    name: letsencrypt-temprah-lab
-    kind: ClusterIssuer
-  commonName: sample.temprah-lab.xyz
-  dnsNames:
-    - sample.temprah-lab.xyz

infra/vultr-kubernetes/k8s/yaml/traefik-ingress.yaml

@@ -1,31 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: traefik-ingress
-  namespace: default
-  labels:
-    name: project-athens-lb
-  annotations:
-    kubernetes.io/ingress.class: traefik
-spec:
-  rules:
-    - host: sample.temprah-lab.xyz
-      http:
-        paths:
-          - backend:
-              service:
-                name: nginx-web
-                port:
-                  number: 80
-            path: /
-            pathType: Prefix
-    - host: hello.temprah-lab.xyz
-      http:
-        paths:
-          - backend:
-              service:
-                name: alternate-nginx-web
-                port:
-                  number: 80
-            path: /
-            pathType: Prefix

infra/vultr-kubernetes/namespaces.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: testing
+  labels:
+    name: testing

infra/vultr-kubernetes/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+    name: whoami-lb
+    annotations:
+        service.beta.kubernetes.io/vultr-loadbalancer-protocol: "http"
+        service.beta.kubernetes.io/vultr-loadbalancer-algorithm: "least_connections"
+        service.beta.kubernetes.io/vultr-loadbalancer-healthcheck-protocol: "http"
+        service.beta.kubernetes.io/vultr-loadbalancer-healthcheck-path: "/health"
+        service.beta.kubernetes.io/vultr-loadbalancer-healthcheck-interval: "30"
+        service.beta.kubernetes.io/vultr-loadbalancer-healthcheck-response-timeout: "5"
+        service.beta.kubernetes.io/vultr-loadbalancer-healthcheck-unhealthy-threshold: "5"
+        service.beta.kubernetes.io/vultr-loadbalancer-healthcheck-healthy-threshold: "5"
+spec:
+    type: LoadBalancer
+    selector:
+        name: whoami
+    ports:
+        - name: http
+          port: 80
+          targetPort: 8080

infra/vultr-kubernetes/test.yaml

@@ -0,0 +1,20 @@
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+     name: whoami
+ spec:
+     replicas: 3
+     selector:
+         matchLabels:
+             name: whoami
+     template:
+         metadata:
+             labels:
+                 name: whoami
+         spec:
+             containers:
+                 - name: whoami
+                   image: quanhua92/whoami:latest
+                   imagePullPolicy: Always
+                   ports:
+                       - containerPort: 8080

infra/vultr-kubernetes/tls.yaml

@@ -0,0 +1,37 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    preferredChain: "ISRG Root X1"
+    # Email address used for ACME registration
+    email: dev@shockrah.xyz
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: dev@shockrah.xyz
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+

infra/vultr-kubernetes/variables.tf

@@ -26,46 +26,30 @@ variable cluster {
     label   = string
     version = string
     pools = map(object({
-      plan = string
-      autoscale = bool
-      min = number
-      max = number
+      node_quantity = number
+      plan          = string
+      label         = string
+      min_nodes     = number
+      max_nodes     = number
+      tag           = string
     }))
   })
 }
 
-variable game_servers {
+
+variable personal {
   type = object({
     namespace = string
-    configs = map(object({
-      name  = optional(string)
-      image = string
-      cpu   = string
-      mem   = string
-      port  = object({
-        internal = number
-        expose   = number
-      })
-      proto = optional(string)
-    }))
   })
 }
 
-variable admin_services {
+
+variable bastion {
   type = object({
-    namespace = string
-    configs = map(object({
-      name  = string
-      image = string
-      cpu   = string
-      mem   = string
-      port  = object({
-        notes = optional(string)
-        internal = number
-        expose   = number
-      })
-      proto = optional(string)
-    }))
+    plan  = string
+    os    = string
+    label = string
   })
 }
 
+

infra/vultr-kubernetes/variables.tfvars

@@ -1,51 +1,27 @@
 cluster = {
   region = "lax"
   label   = "athens-cluster"
-  version = "v1.31.2+1"
+  version = "v1.33.0+3"
   pools = {
-    meta = {
-      plan =  "vc2-1c-2gb"
-      autoscale = true
-      min = 1
-      max = 2
-    }
-    games = {
-      plan =  "vc2-1c-2gb"
-      autoscale = true
-      min = 1
-      max = 3
+    main = {
+      node_quantity = 1
+      plan          =  "vc2-1c-2gb"
+      label         = "main"
+      min_nodes     = 1
+      max_nodes     = 2
+      tag           = "athens-main"
     }
   }
 }
 
-game_servers = {
-  namespace = "games"
-  configs = {
-    # minecraft = {
-    #   image = "itzg/minecraft-server"
-    #   cpu   = "1000m"
-    #   mem   = "2048Mi"
-    #   port  = {
-    #     expose = 30808
-    #     internal = 80
-    #   }
-    # }
-  }
+personal = {
+  namespace = "athens-main"
 }
 
-admin_services = {
-  namespace = "admin-services"
-  configs = {
-    # health = {
-    #   image = "nginx:latest"
-    #   name  = "health"
-    #   cpu   = "200m"
-    #   mem   = "64Mi"
-    #   port  = {
-    #     notes    = "Basic nginx sanity check service"
-    #     expose   = 30800
-    #     internal = 80
-    #   }
-    # }
-  }
+bastion = {
+  plan  = "vc2-1c-2gb"
+  label = "bastion"
+  os    = "1743"
 }
+
+