feat(k3s): add possibility to provide a custom backend; moved opentofu states to postgresql on actinium

2024-07-29 00:00:00 +00:00 · 2024-07-29 00:00:00 +00:00 · 6b15ecc3a6
commit 6b15ecc3a6
parent 1cd41762fc
3 changed files with 58 additions and 4 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
@ -5,6 +5,7 @@
      ansible.builtin.set_fact:
        k3s_tf_safe_item_name: "{{ item.name | regex_replace('[^\\w]', '') }}"
        k3s_tf_project_git_path: "{{ provisioner_facts.artifacts_dir }}/{{ item.name | regex_replace('[^\\w]', '') }}.git"
      changed_when: false
    - name: check pre-existing TF state file
      ansible.builtin.file:
@ -12,6 +13,7 @@
      register: tfstate_file_info
      changed_when: false
      failed_when: false
      when: item.get("backend_override", false) is falsy
    - name: fetch git repository
      ansible.builtin.git:
@ -33,6 +35,15 @@
        dest: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/terraform.tfstate'
        force: true
        mode: '0600'
      when: item.get("backend_override", false) is falsy
    - name: dump custom backend override
      ansible.builtin.copy:
        content: '{{ item.backend_override }}'
        dest: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/backend_override.tf'
        mode: '0600'
      when: item.get("backend_override", false) is truthy
      changed_when: false
    - name: deploy k8s resources
      community.general.terraform:
@ -40,6 +51,14 @@
        project_path: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}'
        provider_upgrade: true
        force_init: true
      environment: '{{ item.get("backend_env", {}) }}'
    - name: cleanup override file
      ansible.builtin.file:
        path: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/backend_override.tf'
        state: absent
      when: item.get("backend_override", false) is truthy
      changed_when: false
    - name: backup source state file
      ansible.builtin.copy:
@ -47,6 +66,7 @@
        dest: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate.previous'
        force: true
        mode: '0600'
      when: item.get("backend_override", false) is falsy
    - name: update source tfstate file
      ansible.builtin.copy:
@ -54,3 +74,4 @@
        dest: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate'
        force: true
        mode: '0600'
      when: item.get("backend_override", false) is falsy
--- a/inventory/host_vars/actinium/vars.yml
+++ b/inventory/host_vars/actinium/vars.yml
@ -16,23 +16,46 @@ mariadb_server_custom_sql: "{{ vault_mariadb_server_custom_sql }}"
 mariadb_server_bind_addresses: "{{ vault_mariadb_server_bind_addresses }}"
 postgresql_server_run_custom_sql: true
-postgresql_nft_allowed_ingress_list: ['127.0.0.1/32', '10.42.0.0/16']
+postgresql_nft_allowed_ingress_list: '{{ vault_postgresql_nft_allowed_ingress_list }}'
 postgresql_server_custom_sql: "{{ vault_postgresql_server_custom_sql }}"
 postgresql_server_bind_addresses: "{{ vault_postgresql_server_bind_addresses }}"
 postgresql_server_databases_list:
  - name: '{{ vault_invidious_pg_dbname }}'
  - name: '{{ vault_opentofu_pg_dbname }}'
 postgresql_server_accounts_list:
  - name: '{{ vault_invidious_pg_user }}'
    db: '{{ vault_invidious_pg_dbname }}'
    password: '{{ vault_invidious_pg_password }}'
  - name: '{{ vault_opentofu_pg_user }}'
    password: '{{ vault_opentofu_pg_password }}'
 postgresql_server_hba_conf_list:
  - address: '10.42.0.0/16'
    databases:
-      - invidious
+      - '{{ vault_invidious_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
-      - invidious
+      - '{{ vault_invidious_pg_user }}'
  - address: '{{ vault_provider_geopoiesis }}/32'
    databases:
      - '{{ vault_opentofu_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
      - '{{ vault_opentofu_pg_user }}'
  - address: '{{ vault_provider_unobtainium }}/32'
    databases:
      - '{{ vault_opentofu_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
      - '{{ vault_opentofu_pg_user }}'
  - address: '{{ vault_provider_unsepttrium }}/32'
    databases:
      - '{{ vault_opentofu_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
      - '{{ vault_opentofu_pg_user }}'
 k3s_cluster_helm_customizations:
  - name: routing-invidious
@ -115,6 +138,15 @@ k3s_cluster_additional_tf_resources:
    git_revision: 0.0.8
    terraform_dir: 'terraform'
    tfvars_content: '{{ vault_invoice_ninja_tfvars }}'
    backend_override: |-
      terraform {
        backend "pg" {}
      }
    backend_env:
      PGHOST: '{{ vault_ansible_host }}'
      PGDATABASE: '{{ vault_opentofu_pg_dbname }}'
      PGUSER: '{{ vault_opentofu_pg_user }}'
      PGPASSWORD: '{{ vault_opentofu_pg_password }}'
 hc_vault_server_tls_cert_data: '{{ vault_hc_vault_server_tls_cert_data }}'
 hc_vault_server_tls_key_data: '{{ vault_hc_vault_server_tls_key_data }}'
--- a/playbooks/internal.yml
+++ b/playbooks/internal.yml
@ -105,6 +105,7 @@
          tags: [gaming]
      tags: [gaming]
 # WARNING: OpenTofu states depend on setting up the postgresql database first
 - name: install K3S
  hosts: internal:&k3s
  tasks: