Infrastructure as Code (IaC) by Bryan J.
A comprehensive set of tools and configurations for automating tasks across various environments.
Overview
This repository provides a set of tools and configurations for automating tasks across environments. It includes Ansible playbooks and roles, Docker configurations, Kubernetes manifests, Terraform modules, and Packer scripts. Secrets are managed through various methods, most notably Bitwarden Secrets Manager. The project is designed with flexibility in mind, allowing me to configure every inch of my infrastructure programmatically while being modular.
About The Lab
Kubernetes
Core Components
- Cilium: Internal Kubernetes networking plugin.
- Cert-manager: Creates SSL certificates for services in the cluster.
- External DNS: Syncs DNS records from Kubernetes ingresses to a DNS provider.
- External Secrets: Manages Kubernetes secrets using Bitwarden.
- Ingress NGINX: NGINX-based ingress controller for Kubernetes.
- Rook Ceph: Open-Source, Cloud-Native Storage for Kubernetes.
- Tofu Controller: Runs Terraform from within a Kubernetes cluster.
Terraform
❯ tree -L1 terraform
terraform
├── _modules
├── _templates
├── authentik
├── aws
[...]Core Components
bws-cache
Securely retrieves secrets into the Terraform state by making API requests to a secrets management service (like Bitwarden) using an access token. By leveraging the bws-cache, it ensures sensitive information is dynamically fetched and securely passed into the Terraform state without hardcoding secrets, minimizing exposure risks.
Example
[...]
for key in key_name:
bws_response = requests.get(
f"http://mgmt-srv-01:5000/key/{key}",
headers={"Authorization": f"Bearer {access_token}"},
timeout=10,
).json()
logging.debug(bws_response)
try:
results.append(bws_response['value'])
except KeyError as exc:
raise InvalidToken(
"Token is invalid or does not have permissions to read value"
) from exc
[...]resource "radarr_download_client_sabnzbd" "sabnzbd" {
enable = true
priority = 1
name = "sabnzbd"
host = "sabnzbd.${var.cluster_media_domain}"
url_base = "/"
port = var.ports["sabnzbd"]
movie_category = "movies"
api_key = data.external.bws_lookup.result["infra-media-secrets_sabnzbd_api_key"]
}Ansible
Core Components
N/A
Equipment
Kubernetes
| Name | Device | CPU | OS Disk | Data Disk | RAM | OS | Purpose |
|---|---|---|---|---|---|---|---|
| ct-k3s-01 | Lenovo M710q | i5-6500T | 64GB SSD | 1TB NVME | 32GB | Kairos | control-plane/worker |
| ct-k3s-02 | Lenovo M710q | i5-6500T | 64GB SSD | 1TB NVME | 32GB | Kairos | control-plane/worker |
| ct-k3s-03 | Lenovo M710q | i5-6500T | 64GB SSD | 1TB NVME | 32GB | Kairos | control-plane/worker |
Servers
| Name | Device | CPU | OS Disk | Data Disk | RAM | OS | Purpose |
|---|---|---|---|---|---|---|---|
| WhiteBox | Custom | TR 2970W | 128GB | 6TB | 128GB | Proxmox | VM/Containers |
| Synology | RS819 | - | - | 4x4TB SHR | - | DSM 7 | Storage |
| mgmt-pi | Raspberry Pi4 | Cortex A72 | 64GB SSD | - | 8GB | Debian 12 | Misc Software |
Network
| Device | Purpose |
|---|---|
| Dell 7040 | Network - Router |
| TL-SG1016PE | Network - Switch |
Roadmap
- Finish README