From f761fcc3eb7923d65466a3cd88991d669dafae06 Mon Sep 17 00:00:00 2001
From: Finn
Date: Sat, 3 Feb 2024 16:16:30 -0800
Subject: [PATCH] Add home-k8s which just has monitoring and misc cleanup
---
 home-k8s-playbook.yaml | 6 ++++
 inventory.yml | 36 +++++++++++++++++----
 roles/monitoring/files/grafana-apt-key.gpg | Bin 0 -> 5447 bytes
 roles/monitoring/handlers/main.yml | 7 ++++
 roles/monitoring/tasks/main.yml | 1 +
 roles/monitoring/templates/promtail.yml | 4 +--
 roles/pdns/templates/pg_hpa.conf | 23 -------------
 roles/pdns/templates/postgres.conf | 2 +-
 roles/pdns/templates/wireguard.conf | 8 ++---
 9 files changed, 50 insertions(+), 37 deletions(-)
 create mode 100644 home-k8s-playbook.yaml
 create mode 100644 roles/monitoring/files/grafana-apt-key.gpg
 create mode 100644 roles/monitoring/handlers/main.yml
 delete mode 100644 roles/pdns/templates/pg_hpa.conf
diff --git a/home-k8s-playbook.yaml b/home-k8s-playbook.yaml
new file mode 100644
index 0000000..1a3c43c
--- /dev/null
+++ b/home-k8s-playbook.yaml
@@ -0,0 +1,6 @@
+- hosts: home_k8s
+ vars:
+ ansible_user: root
+ roles:
+ - base
+ - monitoring
diff --git a/inventory.yml b/inventory.yml
index 6444698..3c83f3d 100644
--- a/inventory.yml
+++ b/inventory.yml
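Review bot: `ansible_user: root` is declared as a play-level `vars:` entry in the new `home-k8s-playbook.yaml`, where it takes precedence over any per-host or group `ansible_user` in the inventory and ties the connection identity to this one playbook rather than to the hosts. The inventory hunk of this commit already creates the `home_k8s` group, so the setting belongs there (`home_k8s:` / `vars:` / `ansible_user: root`), or, if the nodes have an unprivileged login, it should be dropped in favour of `become: true` on the play. Either way the play then states what it needs instead of silently overriding inventory for every role it runs.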
@@ -3,14 +3,36 @@ nameservers:
 dns.janky.solutions:
 ansible_host: 10.5.1.156
 powerdns_admin: yes
- wireguard_ip: 10.6.0.1
- wireguard_pubkey: hYUM1LRSemvjcPfHHcH9sZOsE45xWRSkasXs8uEDJDo=
- wireguard_endpoint: wg.home.finn.io
+ dns_wg_ip: 10.6.0.1
+ dns_wg_pubkey: hYUM1LRSemvjcPfHHcH9sZOsE45xWRSkasXs8uEDJDo=
+ dns_wg_endpoint: wg.home.finn.io
+ home_network: true
 ns1.janky.zone:
 ansible_host: 137.184.226.48
- wireguard_ip: 10.6.0.101
- wireguard_pubkey: TwJXoSNhKhCCerjq1P8o3SBGQEe5vfjnB2Y9uX8mATU=
+ dns_wg_ip: 10.6.0.101
+ dns_wg_pubkey: TwJXoSNhKhCCerjq1P8o3SBGQEe5vfjnB2Y9uX8mATU=
 ns2.janky.zone:
 ansible_host: 66.42.71.31
- wireguard_ip: 10.6.0.102
- wireguard_pubkey: gTa4wsiQCGu+rbH05U8bjDJPVzINKJ/BIY0FejSWrWs=
+ dns_wg_ip: 10.6.0.102
+ dns_wg_pubkey: gTa4wsiQCGu+rbH05U8bjDJPVzINKJ/BIY0FejSWrWs=
+
+monitoring:
+ hosts:
+ hypervisor-d.home.finn.io:
+ ansible_host: 10.5.1.123
+ home_network: true
+
+authentik:
+ hosts:
+ authentik.home.finn.io:
+ ansible_host: 10.5.1.133
+ home_network: true
+
+home_k8s:
+ hosts:
+ k8s-node-1:
+ home_network: true
+ k8s-node-2:
+ home_network: true
+ k8s-node-3:
+ home_network: true
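Review bot: `home_network: true` is repeated on every host of the new `monitoring`, `authentik` and `home_k8s` groups instead of being declared once per group, so a node added later without the flag silently falls outside every task gated on it. Declaring it as a group `vars:` entry (`home_k8s:` / `vars:` / `home_network: true`) and leaving the host entries bare makes the intent explicit and removes the copy-paste. The three `k8s-node-*` entries also carry no `ansible_host`, so they presumably resolve through DNS alone; if that is intended, a one-line comment on the `home_k8s` group saying so would save the next reader a lookup.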
diff --git a/roles/monitoring/files/grafana-apt-key.gpg b/roles/monitoring/files/grafana-apt-key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..7bcf81dc123909d5f9bf2675b6c6646ebb1c58da GIT binary patch literal 5447 zcmbW3WmFVu*M?_?7>4d{=`QIU5Mk&}X{3fh8bOe5Wu&_V>FyGwq)Sp#T0%OM`aI{n zXT4{=Ykjf4pU;o|XYc!dt}6|QgK8M@OdE&+*k9J{1volhu*vk-&9rHSmsqBFwtR7} zgZW+s*J~||clIlx&cq69?-2N%D46a!m$4t`}qmFIbr8%b|7i~oh+q9pbW z-p|+%1|K(Qg@LiYL&An8Kl3*TRux}ca>EOWW^VemRk!q;2q>5zp3$kIrCGeG9DT%@ zgz*3IDN*#zPkp87!uBEi&?OyG*e4PpCyb=D{P9Siz~kzmv^fnwut7LT2Na=Sm)G+opu^<>=6c9QI1_*+Qg-QxS0fK0OAhJLJCImk=R;Z5& z65B|v41Q4Z&UflAuwiz|RwBKb) z#~#w6Z;OO!!V>wPRfTgnlfivL7|w}jOVaT@g9xo~olF(U+a72j$6(U@3Z^237^pQ; zwaiA}vh}rWBGM6^0SZmaO?5I&v+D`u{!Syi^#pH3Qrs{-R#C1jo;7qAQz_`q#g@H@ zo6;b@wDJib>VVCy^e+9&AE`(w|J&MDeCgaA|M-TtHJxtpsoD;y6#=7sZvL zFW|TQJ7#t3L=7SLbZkeOhD}t;j&et7Cc;>rNYC-fr=%zRLfDZUm8`qo8n#$t#vZZf zqx0|^HD;b7Cc#V`L{{0al$RBxHR3&d3+9;*+!{^3Y5jZ8rN(TxwSUD4_v+DE4554_ z+D&&BlM>E)Yl}P4nTmlYT2)-}LBaDYjpQ!WKMUpVq`-hb>-(M8O&b@7EMz(pCi7Y| z6qfMiGb84uLaJ$;z{%91M(?UBVbMT!u&y?`daeZLX<+$ANI!W9%Zmyq8)%q^zS(B% z6*&9-Q|8^d9u9D!VKukG6@;2`?6Q&YszKC1qJs_Fj?G-0Z5RMX4QL|b7w}qV6(`HY z4levNW>G*oRPx_Zg8UsN?0+U^Rt5Z^8zR;vCubdsMIlR9a@{j{l2SNeywflI&EzWQ zJs(R+H$#1w!&c6!Y}x~GZRv{=AML=Z$y#bpDBOdl6FRQWt3%~1rU%Xr8&YdXG?JIS zRgI`{q0T3CD7uVc44DymX#NVcFotW~!Qnot&sKP}z*ms4@>yE5Yl2dEseW`Geb*ZR zN~(gQ03BCHhWOnugfB(0ESEBGBp+|U$haZ1Bag5!DXtsieTPD3Gfrw2Pb#8EJaNcQ zb9N|u+pVe#q1Z9FBsDsAP)FO&r=Ojm77rxIGKH3=bxcZxE^U}Zw@hywO*N>H=xFvn z88wexD*_?d*`m~}Qk9f~B*dbC!l?8>OaMJ81FE|0^5q6Y#|*-&?Dane;e}<4c^20<9W7E zqeYM9deFQPBP^yVAA0vnI3C-$=T|S)tHTTL92^BXuzlDpu3I9h>rC1~^|5Cu(>Goc z>}1T={)$Iwb}>j{FiawCP9-<3zAD!BTB`?xp=f{0M%$wJKAnOl@LRtheY&n}G||JS z)LjGDEujk4j7+^J8%kL-B}EH<5kiK(n_J=M+8KtDI?_Sh0of9A{oG5u z*5b6;I-b=sm!5;VO_Z2cc0;(Brc`=9?Q4Y=*SL1g;%{$>e|a`tXjMOLuY=37P?4B= zFHbyH`r?p4C-F*|)LEA*{smT{vg^uhk&ha6n%M(SV+sz=Jb9zx) z{ehm}|g^b_u6!vGpK07iyN6Fb{fcj#(WI(=s^RweJfTd&L!u; 
ziQ*K-`D`Ph9do2x>&=`f>gQlKI)5Ylw6=vazf7|eC5Ntr5L7(>ssq1N3@>2xLg1YL z7|AiLr7yjzgU&wQr*D}vy;?Zu&$@-RusM6hRIU0Tj)*|`Jq|Y;q z6?vreKCDdEnCyv@ms9K#q*nHx5xbiknF$l24Qi9FLfu+86UFm4m+My3>Syyo#t63Va25sw{09u3YJmlYH|kLC zw{8B}VG1<$V2&-EM^0fnkWF*uJ|Yti8Xx8{a6*umfOCMp&a+BOM-{=o^Ayw$MKJ7O zjF#Jn*KlfHHfyki%A%$}(#P7HDnVb5h#<$@u47N3UN1^TVCELv=rPa)`|TE{1>!4w zbt^kypNEx|Gz&0hNA2|GJiL!zqb?UOfx|e!B+5BU~Z9C+Y(*X1} z`SLB=`!ApPZ0A_Eaztz?8>z!vc=Bx~vKSI5f)jFDzYDuf!d?Q`N5;ST!`7N7^E#65 z`&fRI^+?|>1-M%s_|?hFC`iiS>Du!znG_SLHrJIMCx;rV<5__hx%jQ!I6=4lPow4Q zHtao8u^=eRGY1ce4pLJNGI3_}Er;cJcE_w7$t5)l%tstSH@%IolO-#z&Vtp>MN!@j zwW(8L^{L?>s!jPiDpSb3vch?1*o7CDC0{zL&R}515&9~*!zsb7%Dj#34WI6}t;C8^ zz!IFTj6P+2$@W<%E)VemF$6BlxEWYE>9u@d&L#qt(@b?L5b(k`P}sBwlMy+3th^N6 zzHl-Qijv`5{al5GCLNq`$=x$PL5mP96_(=)Fy)`EA(f$(u_$&uhhDc2ar5@&Asu#l zp04Jsc+_c(6tWwOu^~m8C!EZ#ht)o1L1&lx_=C{O3xDgJ&95U{AKg6iq_HGG@Kv@r z_eM+M=g=Dc5~C|p1=52R41?_%bw%nv458VEQtN9!^wZm8jM#i;ve5nBZF<7>ZnNtr za&VDJ`_>DVL+G=p7VxH&i=*x&b0D0^)_@efZbRLN+}~P~hJs)JtNGNO_Hd_SZzw4b zFG^&ctYi5{A`^(*><((Ql5~}On^^oU?kl167kcP6{2UaXMW0n%W84y*KiNa6M9RT( zha!D3U1@ne9?nd$*VUol9qhJ=R}Nm0J!i$A**?!{+_V-@^R0y!Fegv&_*ea* zB{nnipjx0M%jA3G zKM8w+2KwWw|0gZ^dqgP^8;~Az;MRCo;3KDO{CG4|lYjpgRi=lj>AFZy$>#@w+rTLa zixq3vX`=aAUUq#V7w=ih4X#+vT*no~vKQPebKbSpcF{0% zuSKnxnSfC`3`G~P+-F9q>PHLo0_jARN|*CBl1b%hs%ORWhYuvRXDS0~ODq&|i09NR zi-qa!1P$KDdL0C6U_lj&UC!Np1uOkr9soCHmNo@&UjEyHA; zFEs!uNv%7O;Qp&QHInRh8Bd%#XsY}=93?lxBZB0n+M=rD>p{m}d(O+Y7K}FsCR0(* zXiX#Z*37Opl&O!Q`PP^SOO`bAC!}mmMPqurcw5bd$mGVbGwHrI$wKZj(`P0cZ>-nQ zxj3hoSjEUfTacP>osVTLNVmKs`IwBUy{hKLZ)Pn8PYqfiK8b&5$-nAYr$hoKOojmE zu5tuBj!GVEGlrz+n~H3w7vx;G(U~0b^zgE4ttrE;6^XZQd{JHA=}4{PUyEpx2sWvJ z7^3>G*2;17-e!?vFjR^M9Cp&pAdWMRU{$V&?heQ=d|W7X9!h@iP2}4B3hg2vWSihY zds@ws)e@~7mG$T0C-za=iXRS|IYMk#(v0^o9~IRMY}%Xdm-o><0PM|=cg6-18xqf@ zoeNKWrJi zjfz^IHV=Dq5vluIY75w3)ev41T50uujZiis7navE3wIn-;>G_kdQzyqtm@fw6z<>< zz8_X-^@PXeUb8&rA6kO>r~@Nno7Q8 zW*8`=QI^$~{vGdkrwU+U29Gp3Tw^@yDi^|*)NGS$HjzjVcXa!nx$XqKk1QeKDZPpr 
zgVJ2t4c}vO63OeY*KNp{aVjq!Fb8OB4U3BwKkzL8q@DJG+dPe^R DEos>?
literal 0
HcmV?d00001
diff --git a/roles/monitoring/handlers/main.yml b/roles/monitoring/handlers/main.yml
new file mode 100644
index 0000000..a4cfd34
--- /dev/null
+++ b/roles/monitoring/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: systemctl daemon-reload
+ command: systemctl daemon-reload
+
+- name: restart promtail
+ service:
+ name: promtail
+ state: restarted
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
index 9304911..42f23bf 100644
--- a/roles/monitoring/tasks/main.yml
+++ b/roles/monitoring/tasks/main.yml
@@ -5,3 +5,4 @@
 - name: promtail
 include_tasks: promtail.yml
+ when: home_network
diff --git a/roles/monitoring/templates/promtail.yml b/roles/monitoring/templates/promtail.yml
index 40a2db4..a5735bb 100644
--- a/roles/monitoring/templates/promtail.yml
+++ b/roles/monitoring/templates/promtail.yml
@@ -4,7 +4,7 @@ server:
 grpc_listen_port: 0
 clients:
- - url: https://logs.janky.solutions
+ - url: http://monitoring-0:3100/loki/api/v1/push
 external_labels:
 hostname: "{{ inventory_hostname }}"
@@ -16,7 +16,7 @@ scrape_configs:
 relabel_configs:
 - source_labels: ['__journal__systemd_unit']
 target_label: 'unit'
-{% if 'jobs' in logs %}
+{% if logs is defined and 'jobs' in logs %}
 {% for job_name, path in logs.jobs.items() %}
 - job_name: {{ job_name }}
 static_configs:
diff --git a/roles/pdns/templates/pg_hpa.conf b/roles/pdns/templates/pg_hpa.conf
deleted file mode 100644
index 6d99ec8..0000000
--- a/roles/pdns/templates/pg_hpa.conf
+++ /dev/null
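Review bot: `command: systemctl daemon-reload` in the new `systemctl daemon-reload` handler shells out for something the `ansible.builtin.systemd` module does natively, and the second handler uses the generic `service` module while the first hard-codes systemd. Writing the first as `ansible.builtin.systemd:` / `daemon_reload: true` and the second with the same module keeps the role on one init system and lets Ansible report the result instead of an always-changed command.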
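Review bot: `when: home_network` on the `promtail` include fails with an undefined-variable error on any host that has no `home_network` set, and in the inventory hunk of this commit `ns1.janky.zone` and `ns2.janky.zone` are exactly such hosts; whether the monitoring role is ever applied to them is not visible here. Writing the gate as `when: home_network | default(false)` makes the intent — skip promtail off the home network — hold for every host, and matches the `logs is defined` guard this same commit adds to `promtail.yml`. The surrounding task list continues outside the hunk.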
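Review bot: the new client `url: http://monitoring-0:3100/loki/api/v1/push` replaces an HTTPS endpoint with plain HTTP to a bare, unqualified hostname, so journal logs from every home-network host now travel unencrypted to whatever `monitoring-0` resolves to. If the push stays inside a trusted segment that is a deliberate trade-off, but it deserves a comment above the `clients:` entry recording it (`# plain HTTP: Loki is reachable only on the home LAN`), and the hostname would be safer fully qualified or taken from a variable, since the `monitoring` group in the inventory names its host differently. The second hunk's `logs is defined and 'jobs' in logs` guard is a sound fix and needs nothing further.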
@@ -1,23 +0,0 @@
-# DO NOT DISABLE!
-# If you change this first entry you will need to make sure that the
-# database superuser can access the database using some other method.
-# Noninteractive access to all databases is required during automatic
-# maintenance (custom daily cronjobs, replication, and similar tasks).
-#
-# Database administrative login by Unix domain socket
-local all postgres peer
-
-# TYPE DATABASE USER ADDRESS METHOD
-
-# "local" is for Unix domain socket connections only
-local all all peer
-# IPv4 local connections:
-host all all 127.0.0.1/32 scram-sha-256
-# IPv6 local connections:
-host all all ::1/128 scram-sha-256
-# Allow replication connections from localhost, by a user with the
-# replication privilege.
-local replication all peer
-host replication all 127.0.0.1/32 scram-sha-256
-host replication all ::1/128 scram-sha-256
-host all all 10.6.0.0/24 md5
diff --git a/roles/pdns/templates/postgres.conf b/roles/pdns/templates/postgres.conf
index f027418..218a9fe 100644
--- a/roles/pdns/templates/postgres.conf
+++ b/roles/pdns/templates/postgres.conf
@@ -1,4 +1,4 @@
-listen_addresses = 'localhost,{{ wireguard_ip }}'
+listen_addresses = 'localhost,{{ dns_wg_ip }}'
 {% if powerdns_admin|default(false) %}
 # write replica specific settings
diff --git a/roles/pdns/templates/wireguard.conf b/roles/pdns/templates/wireguard.conf
index a29122d..570d2a5 100644
--- a/roles/pdns/templates/wireguard.conf
+++ b/roles/pdns/templates/wireguard.conf
@@ -1,14 +1,14 @@
 [Interface]
 PrivateKey = {{ lookup('ansible.builtin.ini', 'private_key section=wireguard file=secrets/' + inventory_hostname + '.ini') }}
 ListenPort = 51822
-Address = {{ wireguard_ip }}
+Address = {{ dns_wg_ip }}
 {% for host in hostvars %}
 {% if host != inventory_hostname %}
 # {{ host }}
 [Peer]
-Endpoint = {{ hostvars[host].wireguard_endpoint|default(host) }}:51822
-PublicKey = {{ hostvars[host].wireguard_pubkey }}
-AllowedIPs = {{ hostvars[host].wireguard_ip }}
+Endpoint = {{ hostvars[host].dns_wg_endpoint|default(host) }}:51822
+PublicKey = {{ hostvars[host].dns_wg_pubkey }}
+AllowedIPs = {{ hostvars[host].dns_wg_ip }}
 {% endif %}{% endfor %}
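Review bot: `{% for host in hostvars %}` walks every host in the inventory, and after this commit the inventory also holds the `monitoring`, `authentik` and `home_k8s` hosts, none of which define `dns_wg_pubkey` or `dns_wg_ip`; rendering `PublicKey = {{ hostvars[host].dns_wg_pubkey }}` for them will presumably fail on an undefined variable, or emit an empty peer if undefined is tolerated. The rename to `dns_wg_*` suggests the peers are meant to be the DNS hosts only, so the loop should iterate `groups['nameservers']` or the guard should read `{% if host != inventory_hostname and hostvars[host].dns_wg_pubkey is defined %}`. The template is shown whole here (`-1,14 +1,14`), so nothing outside the hunk narrows the loop.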