enable nginx dev

add music and subs nginx proxies

.gitignore

@@ -1,3 +1,39 @@
+# Local .terraform directories
+**/.terraform/*
+**/.terraform
+
+.ansible/
+.vscode/
+
+ansible/collections/**
+
+# registry password file
+distribution/htpasswd
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Terraform lock file
+**/.terraform.lock.hcl
+
+# Terraform secrets file
+**/secrets.auto.tfvars
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
 **/vault_password
 **/vault.yaml
 **/*secrets.yaml

.sops.yaml

@@ -0,0 +1,10 @@
+creation_rules:
+  - path_regex: (secret|secrets)\.(yml|yaml)$
+    unencrypted_regex: ^(apiVersion|kind|name|namespace|type)$
+    kms: 'arn:aws:kms:us-east-1:140023401248:key/c51c2cc5-4e8e-484d-b2f0-4d4ec2039938'
+    # kms: 
+    #   - arn: 'arn:aws:kms:us-east-1:140023401248:key/c51c2cc5-4e8e-484d-b2f0-4d4ec2039938'
+    #     aws_profile: home
+    age: 'age1k5y5gj5fzpwtjgzqd4n93h4h9ek9jz8898rva5zsgj7zjet97ytq4dtzjs'
+    hc_vault_transit_uri: 'https://vault.balsillie.net:443/v1/sops/keys/krds'
+  

.vscode/settings.json

@@ -23,5 +23,5 @@
         "checkForMinikubeUpgrade": true,
         "imageBuildTool": "Docker"
     },
-    "ansible.python.interpreterPath": "/usr/bin/python3"
+    "ansible.python.interpreterPath": "/usr/bin/python"
 }

ansible/ansible.cfg

@@ -5,7 +5,6 @@ library = modules
 module_utils = module_utils
 display_skipped_hosts = false
 interpreter_python = auto_silent
-collections_paths = ./collections
 collections_path = ./collections
 roles_path = ./roles
 vault_password_file = ./vault_password

ansible/inventory/group_vars/all/acme_certificate.yaml

@@ -0,0 +1,6 @@
+acme_certificate_csr_organization: Balsillie Family
+acme_certificate_csr_locality: Queenstown
+acme_certificate_csr_state: Otago
+acme_certificate_csr_country: NZ
+acme_certificate_csr_email: admin@balsillie.net
+acme_certificate_directory: https://acme-v02.api.letsencrypt.org/directory

ansible/inventory/group_vars/all/all.yaml

@@ -1 +0,0 @@
----

ansible/inventory/group_vars/all/nut.yaml

@@ -0,0 +1,3 @@
+nut_client_admin_username: nut-admin
+nut_client_primary_username: nut-primary
+nut_client_secondary_username: nut-secondary

ansible/inventory/group_vars/all/rfc2136.yaml

@@ -0,0 +1,3 @@
+rfc2136_key_algorithm: hmac-sha256
+rfc2136_key_name: rndc-house
+rfc2136_server_address: 10.208.240.1

ansible/inventory/group_vars/aur_repo_hosts/aur_repo_host.yml

@@ -0,0 +1,23 @@
+# code: language=ansible
+
+aur_repo_packager_name: "Balsillie Family"
+aur_repo_packager_email: "admin@balsillie.net"
+aur_repo_dir: "/aur"
+
+aur_repo_build_account: "aur-builder"
+
+aur_repo_host_packages:
+  - pikaur
+  - jellyfin-media-player # If you get errors relating to icu, check 'icu' package version and perform a system update
+  - git-credential-keepassxc
+  - docker-credential-secretservice-bin
+  - ventoy-bin
+  - debtap
+  - aurutils
+  - ipmiview
+  - powershell-bin
+  - visual-studio-code-bin
+  - ttf-ms-fonts
+  - brave-bin
+  - teamviewer
+  - vmware-horizon-client

ansible/inventory/host_vars/dev.balsillie.house/ansible_connection.yml

@@ -0,0 +1,17 @@
+# code: language=ansible
+
+# Connection (SSH)
+
+ansible_connection: ansible.builtin.ssh
+ansible_ssh_host: dev.balsillie.house
+ansible_ssh_port: 22
+ansible_ssh_host_key_checking: false
+ansible_ssh_pipelining: false
+ansible_ssh_user: ladmin
+ansible_ssh_private_key_file: ~/.ssh/conf.d/home/dev.balsillie.house.key
+
+# Become (sudo)
+
+ansible_become_method: ansible.builtin.sudo
+ansible_become_user: root
+ansible_become_password: "{{ lookup('community.hashi_vault.vault_kv1_get', 'ansible/host_vars/dev.balsillie.house/ansible_connection').secret.ansible_become_password }}" # noqa yaml[line-length]

ansible/inventory/host_vars/dev.balsillie.house/certbot.yaml

@@ -0,0 +1,17 @@
+# code: language=ansible
+
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_cloudflare_api_token: "{{ lookup('community.hashi_vault.vault_kv1_get', 'cloudflare/balsillie.house/dns').secret.api_token }}" # noqa yaml[line-length]
+
+certbot_dns_propagation_seconds: 15
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'cloudflare'
+certbot_email: "certbot.dev@balsillie.email"
+certbot_acme_server: "acme-v02.api.letsencrypt.org"
+
+certbot_domains:
+  - repo.balsillie.house

ansible/inventory/host_vars/dev.balsillie.house/nginx.yaml

@@ -0,0 +1,9 @@
+# code: language=ansible
+
+nginx_sites:
+  - name: repo.balsillie.house
+    type: site
+    autoindex: 'on'
+    root: /var/www/aur
+
+nginx_user: "http"

ansible/inventory/host_vars/hv00.balsillie.house/acme_certificate.yaml

@@ -0,0 +1 @@
+acme_certificate_account_email: acme.hv00@balsillie.email

ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml

@@ -1,7 +1,9 @@
- 
 ansible_connection: ssh
-ansible_host: 192.168.1.250
+ansible_host: hv00.balsillie.house
 ansible_fqdn: hv00.balsillie.house
+ansible_remote_addr: 10.192.110.100
 ansible_port: 22
-ansible_become_method: sudo
+ansible_user: ladmin
-static_fqdn: hv00.balsillie.house
+# ansible_become_user: root
+ansible_become_method: ansible.builtin.sudo
+static_fqdn: hv00.balsillie.house

ansible/inventory/host_vars/hv00.balsillie.house/certbot.yaml

@@ -0,0 +1,8 @@
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'rfc2136'
+certbot_email: "certbot.hv00@balsillie.email"
+certbot_acme_server: "acme-v02.api.letsencrypt.org"

ansible/inventory/host_vars/hv00.balsillie.house/credentials.yaml

@@ -1,13 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65303065306531633065386131316639323033623166636331386435393231623763356336646337
-3430333966353561336334333332343130643065323663610a393664353431623037363731373837
-61653866666536383365393434613933393437343135346430643136396236313138613762316438
-3439303064366639380a316563666330306636613734666136633066656234363936623536383130
-65363364393937343231346133343435383336366464666661663432663663316337356637643165
-34303238653334663764633534393237643639636435633436353862663533346634396339343935
-34396363306461623564623566356139613564633136313965386337373138316365383732663139
-34396438636436376566323435316430376261323835303231663735373465326666666161616330
-33663132613733663337393636643736313863643566343366633032396134303462656162376432
-62666563376663323537396638306233346238306434643434366131656438303035666265613336
-37336135373061393036326633333137356531303038613061373638306435396135383365323265
-33623061633139626431

ansible/inventory/host_vars/hv00.balsillie.house/nginx.yaml

@@ -0,0 +1,17 @@
+nginx_sites:
+  - name: repo.balsillie.house
+    type: site
+    autoindex: 'on'
+    root: /var/www/aur
+  - name: unifi.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 8989
+  - name: hv00.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 9443
+
+nginx_user: "http"

ansible/inventory/host_vars/hv00.balsillie.house/nut_client.yaml

@@ -0,0 +1,38 @@
+nut_client_local_server: true
+nut_client_shutdown_cmd: /usr/bin/poweroff
+nut_client_shutdown_exit: "true"
+nut_client_hostsync: 240
+nut_client_notify_cmd: /scripts/notify.sh
+nut_client_min_supplies: 1
+nut_client_ups_devices:
+  - name: ups0
+    host: hv00.balsillie.house
+    type: primary
+    port: 3493
+    powervalue: 1
+nut_client_notify_messages:
+  - name: SHUTDOWN
+    message: "UPSMON shutdown triggered for HV00."
+  - name: LOWBATT
+    message: "UPS has reached low battery condition."
+nut_client_notify_flags:
+  - name: LOWBATT
+    flags: SYSLOG+WALL+EXEC
+  - name: FSD
+    flags: SYSLOG+WALL+EXEC
+  - name: COMMOK
+    flags: SYSLOG+WALL+EXEC
+  - name: COMMBAD
+    flags: SYSLOG+WALL+EXEC
+  - name: SHUTDOWN
+    flags: SYSLOG+WALL+EXEC
+  - name: REPLBATT
+    flags: SYSLOG+WALL+EXEC
+  - name: NOCOMM
+    flags: SYSLOG+WALL+EXEC
+  - name: NOPARENT
+    flags: SYSLOG+WALL+EXEC
+  - name: BYPASS
+    flags: SYSLOG+WALL+EXEC
+  - name: NOTBYPASS
+    flags: SYSLOG+WALL+EXEC

ansible/inventory/host_vars/hv00.balsillie.house/nut_server.yaml

@@ -0,0 +1,7 @@
+nut_server_listen_address: 10.192.110.100
+nut_server_listen_port: 3493
+nut_server_certificate_file: /etc/ssl/private/hv00.balsillie.house.plain.combined.pem
+nut_server_ups_devices:
+  - name: ups0
+    driver: usbhid-ups
+    port: auto

ansible/inventory/host_vars/hv00_balsillie_net/hv00_balsillie_net.yaml

@@ -1,2 +0,0 @@
----
-ansible_host: hv00.balsillie.net

ansible/inventory/host_vars/kodi00.balsillie.house/ansible_connection.yaml

@@ -0,0 +1,9 @@
+ansible_connection: ssh
+ansible_host: kodi00.balsillie.house
+ansible_fqdn: kodi00.balsillie.house
+ansible_remote_addr: 10.192.210.169
+ansible_port: 22
+ansible_user: ladmin
+ansible_become_user: root
+ansible_become_method: sudo
+static_fqdn: kodi00.balsillie.house

ansible/inventory/host_vars/kodi00.balsillie.house/certbot.yaml

@@ -0,0 +1,8 @@
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'rfc2136'
+certbot_email: "certbot.kodi00@balsillie.email"
+certbot_acme_server: "acme-v02.api.letsencrypt.org"

ansible/inventory/host_vars/kodi00.balsillie.house/docker.yaml

@@ -0,0 +1,81 @@
+---
+
+docker_users:
+  - ladmin
+
+docker_networks:
+  - name: torrent
+    driver: bridge
+    driver_options:
+      # com.docker.network.bridge.name: docker-torrent
+      com.docker.network.bridge.enable_ip_masquerade: true
+      com.docker.network.bridge.enable_icc: true
+      # com.docker.network.container_iface_prefix: container-torrent
+    attachable: true
+    enable_ipv6: false
+    internal: false
+    ipam:
+      - subnet: 192.168.99.0/24
+        gateway: 192.168.99.254
+
+docker_volumes:
+  - name: torrent-data
+    driver: local
+    driver_options:
+      type: none
+      device: /downloads
+      o: bind
+  - name: torrent-config
+    driver: local
+    driver_options:
+      type: none
+      device: /etc/qbittorrent
+      o: bind
+
+docker_images:
+  - name: hotio/qbittorrent
+    tag: release
+
+docker_containers:
+  - name: qbittorrent
+    image: hotio/qbittorrent:release
+    auto_remove: false
+    capabilities:
+      - NET_ADMIN
+    domainname: balsillie.house
+    env:
+      PUID: '968'
+      PGID: '968'
+      UMASK: '002'
+      TZ: Pacific/Auckland
+      WEBUI_PORTS: 8080/tcp
+      VPN_ENABLED: 'true'
+      VPN_CONF: 'wg0'
+      VPN_PROVIDER: 'proton'
+      VPN_LAN_NETWORK: ''
+      VPN_LAN_LEAK_ENABLED: 'false'
+      VPN_EXPOSE_PORTS_ON_LAN: ''
+      VPN_AUTO_PORT_FORWARD: 'true'
+      VPN_AUTO_PORT_FORWARD_TO_PORTS: ''
+      VPN_KEEP_LOCAL_DNS: 'false'
+      VPN_FIREWALL_TYPE: 'nftables'
+      VPN_HEALTHCHECK_ENABLED: 'true'
+      PRIVOXY_ENABLED: 'false'
+      UNBOUND_ENABLED: 'false'
+    etc_hosts:
+      tv.balsillie.house: 192.168.99.254
+      movies.balsillie.house: 192.168.99.254
+    hostname: torrent
+    networks:
+      - name: torrent
+        aliases:
+          - torrent
+          - qbittorrent
+        ipv4_address: 192.168.99.1
+    restart_policy: 'unless-stopped'
+    sysctls:
+      net.ipv4.conf.all.src_valid_mark: 1
+      net.ipv6.conf.all.disable_ipv6: 1
+    volumes:
+      - torrent-config:/config:rw
+      - torrent-data:/downloads:rw

ansible/inventory/host_vars/kodi00.balsillie.house/nginx.yaml

@@ -0,0 +1,43 @@
+nginx_sites:
+  - name: tv.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 8989
+  - name: movies.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 7878
+  - name: music.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 8686
+  - name: subs.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 6767
+  - name: index.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 9696
+  - name: torrent.balsillie.house
+    type: proxy
+    upstream:
+      host: 192.168.99.1
+      port: 8080
+  - name: jellyfin.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 8096
+  - name: kodi.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 8082
+
+nginx_user: "http"

ansible/inventory/host_vars/kodi00.balsillie.house/sonarr.yaml

@@ -0,0 +1,3 @@
+---
+
+sonarr_var: "sonarr_value"

ansible/inventory/host_vars/kodi00.balsillie.house/sshd.yaml

@@ -0,0 +1,4 @@
+sshd:
+  auth:
+    password: 'no'
+    pubkey: 'yes'

ansible/inventory/host_vars/kodi00.balsillie.house/torrent.yaml

@@ -0,0 +1,7 @@
+torrent_user: kodi
+torrent_downloads_dir: /downloads
+
+torrent_wireguard_address: 10.2.0.2
+torrent_wireguard_dns: 10.2.0.1
+torrent_wireguard_peer_endpoint: 103.75.11.18
+torrent_wireguard_peer_public_key: 8Rm0uoG0H9BcSuA67/5gBv8tJgFZXNLm4sqEtkB9Nmw=

ansible/inventory/host_vars/kodi00.balsillie.house/ufw.yaml

@@ -0,0 +1,21 @@
+ufw_enabled: true
+
+ufw_rules:
+  - name: "SSH from Local Subnet"
+    port: "22"
+    protocol: "tcp"
+    action: "allow"
+    source: "10.192.210.0/24"
+    destination: "10.192.210.169"
+  - name: "HTTP from Local Subnet"
+    port: "80"
+    protocol: "tcp"
+    action: "allow"
+    source: "10.192.210.0/24"
+    destination: "10.192.210.169"
+  - name: "HTTPS from Local Subnet"
+    port: "443"
+    protocol: "tcp"
+    action: "allow"
+    source: "10.192.210.0/24"
+    destination: "10.192.210.169"

ansible/inventory/host_vars/kube00.balsillie.house/acme_certificate.yaml

@@ -0,0 +1 @@
+acme_certificate_account_email: acme.kube00@balsillie.email

ansible/inventory/host_vars/kube00.balsillie.house/ansible_connection.yaml

@@ -0,0 +1,9 @@
+ansible_connection: ssh
+ansible_host: kube00.balsillie.house
+ansible_fqdn: kube00.balsillie.house
+ansible_remote_addr: 10.192.110.110
+ansible_port: 22
+ansible_user: ladmin
+ansible_become_user: root
+ansible_become_method: sudo
+static_fqdn: hv00.balsillie.house

ansible/inventory/host_vars/kube00.balsillie.house/nut_client.yaml

@@ -0,0 +1,18 @@
+nut_client_local_server: false
+nut_client_shutdown_cmd: /scripts/shutdown.sh
+nut_client_shutdown_exit: "false"
+nut_client_hostsync: 15
+nut_client_notify_cmd: /scripts/notify.sh
+nut_client_min_supplies: 1
+nut_client_ups_devices:
+  - name: ups0
+    host: hv00.balsillie.house
+    type: secondary
+    port: 3493
+    powervalue: 1
+nut_client_notify_messages:
+  - name: SHUTDOWN
+    message: "UPSMON shutdown triggered for KUBE00."
+nut_client_notify_flags:
+  - name: SHUTDOWN
+    flags: SYSLOG+WALL+EXEC

ansible/inventory/host_vars/kube01/kube01.yaml

@@ -1,4 +0,0 @@
----
-ansible_host: kube01.balsillie.net
-ssh_public_key_string: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtk+mk1+J3sZ3CA/yS7XV2wH913IdJj0gznmb/nI2nV ladmin@kube01.balsillie.net
-k8s_remove_control_plane_taint: true

ansible/inventory/host_vars/kube02/kube02.yaml

@@ -1,4 +0,0 @@
----
-ansible_host: kube02.balsillie.net
-ssh_public_key_string: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOfsOJJJ34VT9mHv9moHQAQNTAok8sOr49rVTkIfDn9 ladmin@kube02.balsillie.net
-k8s_remove_control_plane_taint: true

ansible/inventory/host_vars/kube03/kube03.yaml

@@ -1,4 +0,0 @@
----
-ansible_host: kube03.balsillie.net
-ssh_public_key_string: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINFqYq3CcxziLbWfp/0VpO5uD/HyjiKTXD8t/dAS01Oq ladmin@kube00.balsillie.net
-k8s_remove_control_plane_taint: true

ansible/inventory/host_vars/localhost/synapse.yaml

@@ -0,0 +1 @@
+synapse_host_address: matrix.balsillie.net

ansible/inventory/host_vars/localhost_bak/localhost.yaml

@@ -1,3 +0,0 @@
-ebs_zfs_storage_classes:
-  - name: ssd-zfs
-    dataset: ssd/data/open-ebs

ansible/inventory/host_vars/nuc.balsillie.house/ansible_connection.yaml

@@ -0,0 +1,4 @@
+ansible_connection: local
+ansible_user: ladmin
+ansible_become_user: root
+ansible_become_method: sudo

ansible/inventory/host_vars/nuc.balsillie.house/certbot.yaml

@@ -0,0 +1,11 @@
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'rfc2136'
+certbot_email: "certbot.kodi00@balsillie.email"
+certbot_acme_server: "acme-v02.api.letsencrypt.org"
+
+certbot_domains:
+  - xmr.balsillie.house

ansible/inventory/inventory.yaml

@@ -1,16 +1,13 @@
 all:
   children:
-    ups:
+    aur_repo_hosts:
       hosts:
-        ups00.balsillie.house:
+        dev.balsillie.house:
     firewalls:
       children:
         opnsense:
           hosts:
-            fw00.balsillie.net:
+            router.balsillie.house:
-        openwrt:
-          hosts:
-            fw00.balsillie.house:
     switches:
       hosts:
         sw00.balsillie.house:
@@ -19,63 +16,55 @@ all:
         wap00.balsillie.house:
     virtual_machines:
       hosts:
-        kube01.balsillie.net:
-        kube02.balsillie.net:
-        kube03.balsillie.net:
-        fw00.balsillie.net:
         fw00.balsillie.house:
-        mp00.balsillie.house:
         win11.balsillie.house:
     bare_metal:
       hosts:
-        ups00.balsillie.house:
         sw00.balsillie.house:
         wap00.balsillie.house:
         hv00.balsillie.house:
-        hv00.balsillie.net:
+        kube00.balsillie.house:
         lat5420.balsillie.house:
         lat7490.balsillie.house:
-        sff.balsillie.house:
+        nuc.balsillie.house:
     servers:
       children:
         hypervisors:
           hosts:
-            hv00.balsillie.net: # Hetzner
             hv00.balsillie.house: # vp2420
-            hv01.balsillie.net: # 4U Rosewill
         k8s:
           children:
             k8s_control:
               hosts:
-                kube01.balsillie.net:
+                kube00.balsillie.house:
-                kube02.balsillie.net:
-                kube03.balsillie.net:
-            k8s_taint:
-              hosts:
-                kube01.balsillie.net:
-                kube02.balsillie.net:
-                kube03.balsillie.net:
             k8s_worker:
               hosts:
-                kube01.balsillie.net:
+                kube00.balsillie.net:
-                kube02.balsillie.net:
-                kube03.balsillie.net:
             k8s_storage:
               hosts:
-                kube01.balsillie.net:
+                kube00.balsillie.net:
-                kube02.balsillie.net:
+        nut_servers:
-                kube03.balsillie.net:  
+          hosts:
+            hv00.balsillie.house:
+        nut_clients:
+          hosts:
+            hv00.balsillie.house:
+            kube00.balsillie.house:
+        nas:
+          hosts:
+            nas.balsillie.house:
     workstations:
       children:
         arch:
           hosts:
             lat5420.balsillie.house:
             sff.balsillie.house:
-            mp00.balsillie.house:
+            kodi00.balsillie.house:
+            nuc.balsillie.house:
         windows:
           hosts:
             lat7490.balsillie.house:
-            win11.balsillie.house: 
+            win11.balsillie.house:
         laptops:
           hosts:
             lat5420.balsillie.house:
@@ -83,19 +72,9 @@ all:
         desktops:
           hosts:
             sff.balsillie.house:
-            mp00.balsillie.house:               
+            mp00.balsillie.house:
-    hetzner:
+            kodi00.balsillie.house:
-      hosts:
+            nuc.balsillie.house:
-        fw00.balsillie.net:
+        kodi:
-        hv00.balsillie.net:
+          hosts:
-        kube01.balsillie.net:
+            kodi00.balsillie.house:
-        kube02.balsillie.net:
-        kube03.balsillie.net:
-    house:
-      hosts:
-        hv00.balsillie.house:
-        fw00.balsillie.house:
-        mp00.balsillie.house:
-        win11.balsillie.house:
-        lat5420.balsillie.house:
-        sff.balsillie.house:

ansible/playbooks/home.yml

@@ -0,0 +1,10 @@
+# code: language=ansible
+
+- name: AUR Repo
+  hosts: aur_repo_hosts
+  become: true
+  gather_facts: true
+  roles:
+    # - certbot
+    - nginx
+    # - aur_repo_host

ansible/playbooks/infra/hv00.yaml

@@ -0,0 +1,10 @@
+---
+
+- name: Setup core home router
+  hosts:
+    - hv00.balsillie.house
+  gather_facts: true
+  become: true
+  roles:
+    # - role: aur_repo_host
+    - role: nginx

ansible/playbooks/infra/kodi.yaml

@@ -0,0 +1,15 @@
+---
+
+- name: Setup Kodi boxes
+  hosts:
+    - kodi00.balsillie.house
+  gather_facts: true
+  become: true
+  roles:
+    # - role: sshd
+    # - role: ufw
+    # - role: nginx
+    # - role: aur_repo_client
+    # - role: arr
+    - role: torrent
+    # - role: sonarr

ansible/playbooks/infra/nuc.yaml

@@ -0,0 +1,9 @@
+---
+
+- name: Setup NUC
+  hosts:
+    - nuc.balsillie.house
+  gather_facts: true
+  become: true
+  roles:
+    - role: certbot

ansible/playbooks/infra/nut.yaml

@@ -0,0 +1,32 @@
+- name: Install NUT
+  hosts:
+    - nut_servers
+    - nut_clients
+  become: true
+  gather_facts: true
+  tasks:
+
+    - name: Install NUT package on Archlinux
+      when: ansible_facts['os_family'] == "Archlinux"
+      community.general.pacman:
+        name: nut
+        state: latest
+        update_cache: true
+
+- name: Setup NUT servers
+  gather_facts: false
+  hosts: nut_servers
+  become: true
+  roles:
+    - role: acme_certificate
+      acme_certificate_subject: "{{ ansible_host }}"
+      acme_certificate_zone: balsillie.house
+      acme_certificate_restart_services: ['nut-server.service']
+    - role: nut_server
+
+- name: Setup NUT clients
+  gather_facts: false
+  hosts: nut_clients
+  become: true
+  roles:
+    - nut_client

ansible/playbooks/infra/roles

@@ -0,0 +1 @@
+../../roles/

ansible/playbooks/k8s/roles

@@ -0,0 +1 @@
+../../roles/

ansible/playbooks/roles

@@ -0,0 +1 @@
+../roles

ansible/playbooks/synapse_delete_empty_rooms.yaml

@@ -0,0 +1,44 @@
+# code: language=ansible
+
+- name: Clean Synapse
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  tasks:
+
+    - name: Get room list
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms?limit=1000"
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+      register: room_list
+
+    - name: Set empty_rooms fact
+      ansible.builtin.set_fact:
+        empty_rooms: "{{ room_list.json.rooms | selectattr('joined_local_members', '==', 0) | list }}"
+
+    - name: Debug empty room count
+      ansible.builtin.debug:
+        msg: "Total empty rooms to delete: {{ empty_rooms | length }}"
+
+    - name: Delete empty rooms
+      when: empty_rooms | length > 0
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/{{ room.room_id }}"
+        method: DELETE
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+        body_format: json
+        body: {}
+      loop: "{{ empty_rooms }}"
+      loop_control:
+        loop_var: room
+        label: "{{ room.room_id }}"
+      register: purge_ids
+
+    - name: Write purge_ids to file
+      ansible.builtin.copy:
+        dest: "{{ playbook_dir }}/purge_ids_{{ now(utc=false, fmt='%Y-%m-%d_%H-%M-%S') }}.json"
+        content: "{{ purge_ids.results | map(attribute='json.delete_id') | list | to_nice_json }}"
+        mode: "0664"

ansible/playbooks/synapse_delete_room.yaml

@@ -0,0 +1,28 @@
+# code: language=ansible
+
+- name: Clean Synapse
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  vars_prompt:
+    - name: room_id
+      prompt: "Enter the room ID to delete"
+      private: false
+  tasks:
+
+    - name: Delete room
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/{{ room_id }}"
+        method: DELETE
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+        body_format: json
+        body: {}
+      register: purge_id
+
+    - name: Wait for purge to complete
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/delete_status/{{ item }}"
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"

ansible/playbooks/synapse_get_all_rooms.yaml

@@ -0,0 +1,19 @@
+# code: language=ansible
+
+- name: Clean Synapse
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  tasks:
+
+    - name: Get room details
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms?limit=1000"
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+      register: result
+
+    - name: Print result
+      ansible.builtin.debug:
+        var: result.json.rooms | map(attribute='room_id') | list

ansible/playbooks/synapse_get_large_rooms.yaml

@@ -0,0 +1,19 @@
+# code: language=ansible
+
+- name: Clean Synapse
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  tasks:
+
+    - name: Get large rooms
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v1/statistics/database/rooms"
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+      register: result
+
+    - name: Print result
+      ansible.builtin.debug:
+        var: result.json

ansible/playbooks/synapse_get_purge_status.yaml

@@ -0,0 +1,44 @@
+# code: language=ansible
+
+- name: Clean Synapse
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  vars_prompt:
+    - name: "purge_ids_file"
+      prompt: "Enter the file name containing the purge ids"
+      private: false
+  tasks:
+
+    - name: Load purge ids
+      ansible.builtin.slurp:
+        src: "{{ playbook_dir }}/{{ purge_ids_file }}"
+      register: purge_ids
+
+    - name: Set purge_ids_list fact
+      ansible.builtin.set_fact:
+        purge_ids_list: "{{ purge_ids.content | b64decode | from_json }}"
+
+    - name: Get purge status
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/delete_status/{{ item }}"
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+      loop: "{{ purge_ids_list }}"
+      register: purge_status
+
+    - name: Set purge_satus_totals
+      ansible.builtin.set_fact:
+        purge_status_shutting_down: "{{ purge_status.results | selectattr('json.status', '==', 'shutting_down') | list | length }}"
+        purge_status_purging: "{{ purge_status.results | selectattr('json.status', '==', 'purging') | list | length }}"
+        purge_status_complete: "{{ purge_status.results | selectattr('json.status', '==', 'complete') | list | length }}"
+        purge_status_failed: "{{ purge_status.results | selectattr('json.status', '==', 'failed') | list | length }}"
+
+    - name: Print status
+      ansible.builtin.debug:
+        msg: |
+          Shutting down: {{ purge_status_shutting_down }}
+          Purging: {{ purge_status_purging }}
+          Complete: {{ purge_status_complete }}
+          Failed: {{ purge_status_failed }}"

ansible/playbooks/synapse_get_room_details.yaml

@@ -0,0 +1,23 @@
+# code: language=ansible
+
+- name: Clean Synapse
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  vars_prompt:
+    - name: room_id
+      prompt: "Enter the room ID to fetch"
+      private: false
+  tasks:
+
+    - name: Get room details
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms/{{ room_id }}"
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+      register: result
+
+    - name: Print result
+      ansible.builtin.debug:
+        var: result.json

ansible/playbooks/synapse_get_room_members.yaml

@@ -0,0 +1,23 @@
+# code: language=ansible
+
+- name: Room members
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  vars_prompt:
+    - name: room_id
+      prompt: "Enter the room ID to fetch"
+      private: false
+  tasks:
+
+    - name: Get room details
+      ansible.builtin.uri:
+        url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms/{{ room_id }}/members"
+        headers:
+          Authorization: "Bearer {{ synapse_admin_token }}"
+      register: result
+
+    - name: Print result
+      ansible.builtin.debug:
+        var: result.json

ansible/playbooks/truenas.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Configure Truenas
+  hosts: truenas
+  become: false
+  tasks:
+    - name: Install required packages
+      package:
+        name: "{{ item }}"
+        state: present
+      with_items:
+        - py37-ansible
+        - py37-pip
+        - py37-netifaces
+        - py37-netaddr
+        - py37-requests
+        - py37-yaml

ansible/playbooks/vp2420.yaml

@@ -1,41 +0,0 @@
----
-
-# Arch install bare metal
-
-# Systemd networking
-
-# - name: Setup systemd-networkd
-#   hosts: hv00.balsillie.house
-#   become: true
-#   roles:
-#     - name: systemd_networkd
-#       vars:
-#         ansible_host: 192.168.1.106
-
-# Serial console
-
-# - name: Setup serial console
-#   hosts: hv00.balsillie.house
-#   become: true
-#   roles:
-#     - name: serial_console
-
-# Hypervisor setup
-
-# - name: Configure hypervisor
-#   hosts: hv00.balsillie.house
-#   gather_facts: true
-#   become: true
-#   roles:
-#     - name: hypervisor
-
-# SSHd setup
-
-- name: Configure sshd
-  hosts: hv00.balsillie.house
-  gather_facts: true
-  become: true
-  roles:
-    - name: sshd_setup
-
-# VM setup

ansible/roles/acme_certificate/tasks/main.yaml

@@ -0,0 +1,218 @@
+---
+
+- name: Install required python libraries system wide
+  when: ansible_facts['os_family'] == "Archlinux"
+  community.general.pacman:
+    name:
+      - python-cryptography
+      - python-dnspython
+    state: latest
+    update_cache: true
+
+- name: Set certificate path facts
+  ansible.builtin.set_fact:
+    acme_certificate_certificate_path: "/etc/ssl/private/{{ acme_certificate_subject }}.pem"
+    acme_certificate_chain_path: "/etc/ssl/private/{{ acme_certificate_subject }}.chain.pem"
+    acme_certificate_combined_path: "/etc/ssl/private/{{ acme_certificate_subject }}.combined.pem"
+    acme_certificate_csr_path: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
+    acme_certificate_fullchain_path: "/etc/ssl/private/{{ acme_certificate_subject }}.fullchain.pem"
+    acme_certificate_key_path: "/etc/ssl/private/{{ acme_certificate_subject }}.key"
+    acme_certificate_plain_combined_path: "/etc/ssl/private/{{ acme_certificate_subject }}.plain.combined.pem"
+    acme_certificate_plain_key_path: "/etc/ssl/private/{{ acme_certificate_subject }}.plain.key"
+
+- name: Create ACME account key directory
+  ansible.builtin.file:
+    group: root
+    mode: '0700'
+    owner: root
+    path: /etc/ssl/private/ACME
+    state: directory
+
+- name: Create ACME account key
+  community.crypto.openssl_privatekey:
+    cipher: auto
+    curve: secp384r1
+    format: auto_ignore
+    group: root
+    mode: '0600'
+    owner: root
+    passphrase: "{{ acme_certificate_account_key_passphrase }}"
+    path: /etc/ssl/private/ACME/account.key
+    size: 4096
+    state: present
+    type: RSA
+
+- name: Generate RSA private key
+  community.crypto.openssl_privatekey:
+    cipher: auto
+    curve: secp384r1
+    format: auto_ignore
+    group: root
+    mode: '0600'
+    owner: root
+    passphrase: "{{ ssl_passphrase }}"
+    path: "{{ acme_certificate_key_path }}"
+    size: 4096
+    state: present
+    type: RSA
+  register: genrsa_private_key
+
+- name: Generate CSR
+  community.crypto.openssl_csr:
+    common_name: "{{ acme_certificate_subject }}"
+    country_name: "{{ acme_certificate_csr_country }}"
+    digest: sha256
+    email_address: "{{ acme_certificate_csr_email }}"
+    group: root
+    locality_name: "{{ acme_certificate_csr_locality }}"
+    mode: '0600'
+    organization_name: "{{ acme_certificate_csr_organization }}"
+    owner: root
+    path: "{{ acme_certificate_csr_path }}"
+    privatekey_passphrase: "{{ ssl_passphrase }}"
+    privatekey_path: "{{ acme_certificate_key_path }}"
+    state: present
+    state_or_province_name: "{{ acme_certificate_csr_state }}"
+    use_common_name_for_san: true
+
+- name: Submit ACME certificate request
+  community.crypto.acme_certificate:
+    account_email: "{{ acme_certificate_account_email }}"
+    account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
+    account_key_src: /etc/ssl/private/ACME/account.key
+    acme_directory: "{{ acme_certificate_directory }}"
+    acme_version: 2
+    chain_dest: "{{ acme_certificate_chain_path }}"
+    challenge: dns-01
+    csr: "{{ acme_certificate_csr_path }}"
+    dest: "{{ acme_certificate_certificate_path }}"
+    fullchain_dest: "{{ acme_certificate_fullchain_path }}"
+    modify_account: true
+    select_crypto_backend: cryptography
+    terms_agreed: true
+    validate_certs: true
+  register: challenge
+
+- name: Debug ACME certificate challenge
+  ansible.builtin.debug:
+    var: challenge
+
+- name: Proceed if challenge is changed
+  when:
+    - challenge is changed
+    - acme_certificate_subject in challenge.challenge_data
+  block:
+
+    - name: Answer ACME certificate challenge
+      community.general.nsupdate:
+        key_algorithm: "{{ rfc2136_key_algorithm }}"
+        key_name: "{{ rfc2136_key_name }}"
+        key_secret: "{{ rfc2136_key_secret }}"
+        port: 53
+        protocol: tcp
+        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}."
+        server: "{{ rfc2136_server_address }}"
+        state: present
+        ttl: 3600
+        type: TXT
+        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
+        # zone: "{{ acme_certificate_zone }}"
+      register: nsupdate_result
+
+    - name: Debug nsupdate result
+      ansible.builtin.debug:
+        var: nsupdate_result
+
+    - name: Retrieve ACME certificate
+      community.crypto.acme_certificate:
+        account_email: "{{ acme_certificate_account_email }}"
+        account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
+        account_key_src: /etc/ssl/private/ACME/account.key
+        acme_directory: "{{ acme_certificate_directory }}"
+        acme_version: 2
+        chain_dest: "{{ acme_certificate_chain_path }}"
+        challenge: dns-01
+        csr: "{{ acme_certificate_csr_path }}"
+        data: "{{ challenge }}"
+        dest: "{{ acme_certificate_certificate_path }}"
+        fullchain_dest: "{{ acme_certificate_fullchain_path }}"
+        select_crypto_backend: cryptography
+        terms_agreed: true
+        validate_certs: true
+
+    - name: Cleanup ACME challenge
+      community.general.nsupdate:
+        key_algorithm: "{{ rfc2136_key_algorithm }}"
+        key_name: "{{ rfc2136_key_name }}"
+        key_secret: "{{ rfc2136_key_secret }}"
+        port: 53
+        protocol: tcp
+        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}."
+        server: "{{ rfc2136_server_address }}"
+        state: absent
+        ttl: 3600
+        type: TXT
+        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
+        zone: "{{ acme_certificate_zone }}"
+
+- name: Slurp fullchain contents
+  ansible.builtin.slurp:
+    src: "{{ acme_certificate_fullchain_path }}"
+  register: acme_certificate_fullchain_content
+
+- name: Slurp private key contents
+  ansible.builtin.slurp:
+    src: "{{ acme_certificate_key_path }}"
+  register: acme_certificate_key_content
+
+- name: Create combined cert file
+  ansible.builtin.template:
+    dest: "{{ acme_certificate_combined_path }}"
+    group: root
+    mode: '0600'
+    owner: root
+    src: combined.pem.j2
+
+- name: Check if plain key file exists
+  ansible.builtin.stat:
+    path: "{{ acme_certificate_plain_key_path }}"
+  register: plain_key_file
+
+- name: Create a plain text copy of the SSL private key # noqa: no-handler
+  when: |
+    genrsa_private_key.changed or
+    not plain_key_file.stat.exists
+  ansible.builtin.command:
+    cmd: openssl rsa -in {{ acme_certificate_key_path }} -passin pass:{{ ssl_passphrase }} -out {{ acme_certificate_plain_key_path }}
+  changed_when: true
+
+- name: Slurp plain text private key contents
+  ansible.builtin.slurp:
+    src: "{{ acme_certificate_plain_key_path }}"
+  register: acme_certificate_key_content
+
+- name: Create plain text combined cert file
+  ansible.builtin.template:
+    dest: "{{ acme_certificate_plain_combined_path }}"
+    group: root
+    mode: '0600'
+    owner: root
+    src: combined.pem.j2
+
+- name: Dependant services block
+  when:
+    - (acme_certificate_restart_services | default([]) | length) >= 1
+    - challenge is changed
+  block:
+
+    - name: Check state of running services
+      ansible.builtin.service_facts:
+
+    - name: Restart dependant services
+      when:
+        - ansible_facts.services[item] is defined
+        - ansible_facts.services[item].state in ['running','failed']
+      ansible.builtin.service:
+        name: "{{ item }}"
+        state: restarted
+      loop: "{{ acme_certificate_restart_services }}"

ansible/roles/acme_certificate/templates/combined.pem.j2

@@ -0,0 +1,2 @@
+{{ acme_certificate_fullchain_content['content'] | b64decode }}
+{{ acme_certificate_key_content['content'] | b64decode }}

ansible/roles/archinstall/defaults/main.yml

@@ -44,4 +44,6 @@ pacstrap:
     ca-certificates-mozilla
     ca-certificates-utils
     efibootmgr
-    grep
+    grep
+    mdadm
+    lvm2

ansible/roles/archinstall/tasks/main.yml

@@ -23,6 +23,8 @@
 # cryptdevice=UUID=device-UUID:root root=/dev/mapper/root rw
 
 # add efi to /etc/fstab
+# mkdir /mnt/mountpoint/etc
+# sudo genfstab -L /mnt/mountpoint >> /mnt/mountpoint/etc/fstab
 
 
 
@@ -38,8 +40,9 @@
 
 
 # pacstrap
-# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup
+# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils ethtool qemu-guest-agent arch-install-scripts lsof
-# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils
+# desktop
+# pacstrap -K /mnt base linux linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils ethtool arch-install-scripts lsof btrfs-progs plasma-meta plasma-wayland-session kde-system dolphin-plugins
 
 # gen fstab
 # genfstab -L /mnt/root >> /mnt/root/etc/fstab
@@ -70,8 +73,6 @@
   # locale-gen
   # echo LANG=en_US.UTF-8 > /etc/locale.conf
 
-  
-
   # uncomment wheel group in /etc/sudoers
   # sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers
 
@@ -79,13 +80,17 @@
   # useradd -u 1000 -U -m -b /home/ -G wheel -s /bin/bash ladmin
   # set new user password
 
-  # disable root password
+  # disable root user
   # passwd -l root
+  # usermod -s /sbin/nologin root
 
   # create /etc/kernel/cmdline file
+  # the uuids are the DISK uuids from /dev/disk/by-uuid, NOT the partuuids
   # echo 'cryptdevice=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline
+  # for sd-encrypt hook
   # echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline
 
+
   # create a default systemd-networkd config
   # enable systemd-networkd
   # enable sshd
@@ -93,7 +98,11 @@
   # enable ufw firewall
   # create ufw config to allow ssh port 22
 
-  # modify mkinitcpio for encryption
+  # modify mkinitcpio presets
+  # template file?
+  # output to default efi path ESP/efi/boot/bootx64.efi
+
+  # modify mkinitcpio.conf for encryption
   # old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
   # new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
   # sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf
@@ -121,4 +130,7 @@
   # add vfio modules to mkinitcpio.conf
   # MODULES=(vfio_pci vfio vfio_iommu_type1)
   # ensure modconf hook is in mkinitcpio.conf
-  # HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
+  # HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
+
+  # efibootmgr NO BACKSLASH ON A ROOT FILE
+  # efibootmgr -c -d /dev/nvme0n1 -p 1 -L "Arch Linux" -l "archlinux.efi"

ansible/roles/arr/tasks/main.yaml

@@ -0,0 +1,24 @@
+---
+
+- name: Install arr packages
+  when: ansible_facts['os_family'] == "Archlinux"
+  community.general.pacman:
+    name: "{{ arr_packages }}"
+    state: present
+    update_cache: true
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Start arr services
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop:
+    - sonarr.service
+    - radarr.service
+    - lidarr.service
+    - prowlarr.service
+    - bazarr.service

ansible/roles/arr/vars/main.yaml

@@ -0,0 +1,6 @@
+arr_packages:
+  - sonarr
+  - radarr
+  - lidarr
+  - bazarr
+  - prowlarr

ansible/roles/aur_repo_client/tasks/main.yaml

@@ -0,0 +1,50 @@
+---
+
+- name: Check if repo public key is in pacman keyring
+  ansible.builtin.command:
+    argv:
+      - pacman-key
+      - --list-keys
+      - "{{ aur_repo_client_public_key_fingerprint }}"
+  register: repo_key_check
+  failed_when: repo_key_check.rc not in [0, 1]
+  changed_when: false
+
+- name: Add repo public key to pacman keyring
+  when: repo_key_check.rc == 1
+  block:
+
+    - name: Import the repo public key
+      ansible.builtin.command:
+        argv:
+          - pacman-key
+          - --recv-keys
+          - "{{ aur_repo_client_public_key_fingerprint }}"
+          - --keyserver
+          - "{{ aur_repo_client_keyserver }}"
+      changed_when: true
+
+    - name: Trust the repo public key
+      ansible.builtin.command:
+        argv:
+          - pacman-key
+          - --lsign-key
+          - "{{ aur_repo_client_public_key_fingerprint }}"
+      changed_when: true
+
+- name: Add home repo block to pacman.conf
+  ansible.builtin.blockinfile:
+    path: /etc/pacman.conf
+    block: |
+      [{{ aur_repo_client_repo_name }}]
+      SigLevel = Required TrustedOnly
+      Server = {{ aur_repo_client_repo_address }}
+    create: false
+    state: present
+    insertafter: EOF
+  register: add_pacman_repo
+
+- name: Update pacman database # noqa: no-handler
+  when: add_pacman_repo.changed
+  community.general.pacman:
+    update_cache: true

ansible/roles/aur_repo_client/vars/main.yaml

@@ -0,0 +1,6 @@
+---
+
+aur_repo_client_repo_name: "home"
+aur_repo_client_repo_address: "https://repo.balsillie.house"
+aur_repo_client_public_key_fingerprint: DB529158B99DD8311D78CA2FBE6003C744F56EE2
+aur_repo_client_keyserver: hkps://keyserver.ubuntu.com

ansible/roles/aur_repo_host/files/aur-sync.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Sync AUR packages
+Wants=aur-sync.timer
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/aur sync --no-view --upgrades --no-confirm --clean --rm-deps --sign --database home
+User=aur-builder
+Group=aur-builder
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/aur_repo_host/files/aur-sync.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Timer that runs aur sync service
+Requires=aur-sync.service
+
+[Timer]
+Unit=aur-sync.service
+OnCalendar=*-*-* 16:00:00
+RandomizedDelaySec=120
+Persistent=true
+
+[Install]
+WantedBy=timers.target

ansible/roles/aur_repo_host/tasks/main.yaml

@@ -0,0 +1,270 @@
+---
+
+- name: Lookup aur_repo_host secret
+  delegate_to: localhost
+  become: false
+  community.hashi_vault.vault_kv1_get:
+    path: ansible/group_vars/aur_repo_hosts
+  register: aur_repo_host_secret
+
+- name: Set aur_repo facts
+  ansible.builtin.set_fact:
+    aur_repo_private_key: "{{ aur_repo_host_secret.secret.aur_repo_private_key }}"
+    aur_repo_key_thumbprint: "{{ aur_repo_host_secret.secret.aur_repo_key_thumbprint }}"
+
+- name: Create the makepkg drop-in config file
+  ansible.builtin.template:
+    dest: /etc/makepkg.conf.d/makepkg.conf
+    src: makepkg.conf.j2
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Create the build user group
+  ansible.builtin.group:
+    name: "{{ aur_repo_build_account }}"
+    system: true
+    state: present
+
+- name: Create the build user
+  ansible.builtin.user:
+    name: "{{ aur_repo_build_account }}"
+    password: '!'
+    group: "{{ aur_repo_build_account }}"
+    comment: "AUR Package Builder"
+    shell: /sbin/nologin
+    home: "{{ aur_repo_dir }}"
+    createhome: true
+    system: true
+    state: present
+
+- name: Create the build user sudoer file
+  ansible.builtin.template:
+    dest: /etc/sudoers.d/{{ aur_repo_build_account }}
+    src: aur-sudoer.j2
+    owner: root
+    group: root
+    mode: "0640"
+
+- name: Create the build dirs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ aur_repo_build_account }}"
+    group: "{{ aur_repo_build_account }}"
+    mode: "0775"
+  loop:
+    - "{{ aur_repo_dir }}"
+    - "{{ aur_repo_dir }}/packages"
+    - "{{ aur_repo_dir }}/sources"
+    - "{{ aur_repo_dir }}/srcpackages"
+    - /var/log/makepkg
+    - /tmp/build
+
+- name: Check if the signing key is in build user's keyring
+  ansible.builtin.command:
+    cmd: gpg2 --list-secret-key --with-colons {{ aur_repo_key_thumbprint }}
+  failed_when: key_result.rc not in [0, 2]
+  changed_when: false
+  register: key_result
+  vars:
+    ansible_become_user: "{{ aur_repo_build_account }}"
+
+- name: GPG key import block
+  when: key_result.rc == 2
+  block:
+
+    - name: Template out the signing private key
+      ansible.builtin.template:
+        dest: "/tmp/build/signing_key.asc"
+        src: signing_key.asc.j2
+        owner: "{{ aur_repo_build_account }}"
+        group: "{{ aur_repo_build_account }}"
+        mode: "0600"
+
+    - name: Import the signing key
+      ansible.builtin.command:
+        cmd: gpg2 --import /tmp/build/signing_key.asc
+      changed_when: true
+      vars:
+        ansible_become_user: "{{ aur_repo_build_account }}"
+
+    - name: Delete the signing key
+      ansible.builtin.file:
+        path: "/tmp/build/signing_key.asc"
+        state: absent
+
+- name: Check if aurutils is already installed
+  ansible.builtin.stat:
+    follow: true
+    path: /usr/bin/aur
+  register: aurutils_stat
+
+- name: Aurutils install block
+  when: not aurutils_stat.stat.exists
+  block:
+
+    - name: Install makepkg dependencies
+      community.general.pacman:
+        name:
+          - git
+          - base-devel
+        state: present
+        update_cache: true
+
+    - name: Clone aurutils
+      ansible.builtin.git:
+        depth: 1
+        dest: /tmp/aurutils
+        repo: https://aur.archlinux.org/aurutils.git
+        single_branch: true
+        version: master
+
+    - name: Slurp PKGBUILD contents
+      ansible.builtin.slurp:
+        path: /tmp/aurutils/PKGBUILD
+      register: aurutils_pkgbuild
+
+    - name: Parse PKGBUILD into facts
+      ansible.builtin.set_fact:
+        aurutils_dependencies: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^depends=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') | split(' ') }}" # noqa: yaml[line-length]
+        aurutils_pkgver: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgver=).*(?=$)', multiline=True) }}"
+        aurutils_pkgrel: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgrel=).*(?=$)', multiline=True) }}"
+        aurutils_arch: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^arch=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') }}"
+
+    - name: Install aurutils dependencies
+      community.general.pacman:
+        name: "{{ aurutils_dependencies }}"
+        state: present
+        reason: dependency
+        update_cache: false
+
+    - name: Build aurutils
+      ansible.builtin.command:
+        cmd: makepkg
+        chdir: /tmp/aurutils
+        creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar"
+      vars:
+        ansible_become_user: "{{ aur_repo_build_account }}"
+
+    - name: Update repo database
+      ansible.builtin.command:
+        argv:
+          - repo-add
+          - --prevent-downgrade
+          - --remove
+          - --sign
+          - --key
+          - "{{ aur_repo_key_thumbprint }}"
+          - home.db.tar
+          - aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar
+        chdir: "{{ aur_repo_dir }}/packages"
+      changed_when: true
+      vars:
+        ansible_become_user: "{{ aur_repo_build_account }}"
+
+    - name: Check if the signing key is in pacman keyring
+      ansible.builtin.command:
+        argv:
+          - pacman-key
+          - -l
+          - "{{ aur_repo_key_thumbprint }}"
+      failed_when: pacman_key_result.rc not in [0, 1]
+      changed_when: false
+      register: pacman_key_result
+
+    - name: Pacman key import block
+      when: pacman_key_result.rc == 1
+      block:
+
+        - name: Import the signing public key to arch keyring
+          ansible.builtin.command:
+            argv:
+              - pacman-key
+              - -r
+              - "{{ aur_repo_key_thumbprint }}"
+              - --keyserver
+              - hkps://keyserver.ubuntu.com
+          changed_when: true
+
+        - name: Locally sign the imported pacman key
+          ansible.builtin.command:
+            argv:
+              - pacman-key
+              - --lsign-key
+              - "{{ aur_repo_key_thumbprint }}"
+          changed_when: true
+
+    - name: Add custom repo block to pacman.conf
+      ansible.builtin.blockinfile:
+        path: /etc/pacman.conf
+        block: |
+          [home]
+          SigLevel = Required TrustedOnly
+          Server = file://{{ aur_repo_dir }}/packages
+        create: false
+        state: present
+        insertafter: EOF
+
+    - name: Install aurutils
+      community.general.pacman:
+        name: aurutils
+        state: present
+        update_cache: true
+
+# - name: Enable the multilib repository
+#   ansible.builtin.replace:
+#     path: /etc/pacman.conf
+#     backup: true
+#     regexp: '^[#]?\[multilib\]\n[#]?Include = \/etc\/pacman.d\/mirrorlist$'
+#     replace: '[multilib]\nInclude = /etc/pacman.d/mirrorlist'
+#   register: multilib_enable
+
+# - name: Update the package database if multilib was enabled # noqa: no-handler
+#   when: multilib_enable.changed | default(false)
+#   community.general.pacman:
+#     update_cache: true
+
+- name: Sync AUR packages
+  ansible.builtin.command:
+    cmd: aur sync --no-view -CnrS {{ item }}
+  loop: "{{ aur_repo_host_packages }}"
+  register: aur_sync_result
+  changed_when: (aur_sync_result.stderr_lines | last | replace(':','')) != "sync there is nothing to do"
+  failed_when: aur_sync_result.rc != 0
+  vars:
+    ansible_become_user: "{{ aur_repo_build_account }}"
+
+- name: Add the root www folder if it doesn't exist
+  ansible.builtin.file:
+    path: /var/www
+    state: directory
+    owner: http
+    group: http
+    mode: "0775"
+
+- name: Link the aur repo to the web root
+  ansible.builtin.file:
+    src: "{{ aur_repo_dir }}/packages"
+    path: /var/www{{ aur_repo_dir }}
+    state: link
+
+- name: Add the aur-sync systemd unit files
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /usr/lib/systemd/system/
+    owner: root
+    group: root
+    mode: "0644"
+  loop:
+    - aur-sync.service
+    - aur-sync.timer
+  register: aur_sync_unit_files
+
+- name: Enable and start the aur-sync systemd timer # noqa: no-handler
+  when: aur_sync_unit_files.changed
+  ansible.builtin.systemd:
+    name: aur-sync.timer
+    enabled: true
+    state: started
+    daemon_reload: true

ansible/roles/aur_repo_host/templates/aur-sudoer.j2

@@ -0,0 +1 @@
+{{ aur_repo_build_account }} ALL = (root) NOPASSWD: /usr/bin/pacman, /usr/bin/pacsync

ansible/roles/aur_repo_host/templates/makepkg.conf.j2

@@ -0,0 +1,21 @@
+
+# Global Options
+
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto autodeps)
+MAKEFLAGS="-j{{ (ansible_processor_nproc - 1) }}"
+PACKAGER="{{ aur_repo_packager_name }} <{{ aur_repo_packager_email }}>"
+
+# Build Environment
+
+BUILDDIR=/tmp/build
+BUILDENV=(!distcc color !ccache check sign)
+GPGKEY={{ aur_repo_key_thumbprint }}
+
+# Outputs
+
+PKGDEST={{ aur_repo_dir }}/packages
+SRCDEST={{ aur_repo_dir }}/sources
+SRCPKGDEST={{ aur_repo_dir }}/srcpackages
+LOGDEST=/var/log/makepkg
+PKGEXT=".pkg.tar"
+SRCEXT=".src.tar"

ansible/roles/aur_repo_host/templates/signing_key.asc.j2

@@ -0,0 +1 @@
+{{ aur_repo_private_key }}

ansible/roles/certbot/handlers/main.yaml

@@ -0,0 +1,6 @@
+---
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx.service
+    state: restarted

ansible/roles/certbot/tasks/main.yaml

@@ -0,0 +1,67 @@
+- name: Install certbot package (Archlinux)
+  when: ansible_facts['os_family'] == "Archlinux"
+  community.general.pacman:
+    name:
+      - certbot
+      - certbot-dns-{{ certbot_dns_plugin }}
+    state: present
+    update_cache: true
+
+- name: Install certbot webserver plugin (Archlinux)
+  when:
+    - ansible_facts['os_family'] == "Archlinux"
+    - certbot_webserver_type == 'nginx'
+  community.general.pacman:
+    name:
+      - certbot-nginx
+    state: present
+    update_cache: true
+
+- name: Template out the rfc2136 credentials file
+  when: certbot_dns_plugin == 'rfc2136'
+  ansible.builtin.template:
+    src: "{{ certbot_dns_plugin }}.conf.j2"
+    dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Template out cloudflare credentials file
+  when: certbot_dns_plugin == 'cloudflare'
+  ansible.builtin.template:
+    src: "{{ certbot_dns_plugin }}.conf.j2"
+    dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Template out the certbot default config
+  ansible.builtin.template:
+    src: cli.ini.j2
+    dest: /etc/letsencrypt/cli.ini
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Request and install certificates
+  ansible.builtin.command:
+    argv:
+      - certbot
+      - certonly
+      - -n
+      - --dns-{{ certbot_dns_plugin }}
+      - --dns-{{ certbot_dns_plugin }}-credentials
+      - /etc/letsencrypt/{{ certbot_dns_plugin }}.conf
+      - --dns-{{ certbot_dns_plugin }}-propagation-seconds
+      - "{{ certbot_dns_propagation_seconds | default(10) }}"
+      - -d
+      - "{{ item }}"
+    creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  loop: "{{ certbot_domains }}"
+  notify: "{{ certbot_notify | default(omit) }}"
+
+- name: Enable certbot renewal
+  ansible.builtin.service:
+    name: certbot-renew.timer
+    state: started
+    enabled: true

ansible/roles/certbot/templates/cli.ini.j2

@@ -0,0 +1,3 @@
+rsa-key-size = 4096
+email = {{ certbot_email }}
+agree-tos = true

ansible/roles/certbot/templates/cloudflare.conf.j2

@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ certbot_cloudflare_api_token }}

ansible/roles/certbot/templates/rfc2136.conf.j2

@@ -0,0 +1,6 @@
+dns_rfc2136_server = {{ certbot_rfc2136_server }}
+dns_rfc2136_port = {{ certbot_rfc2136_port | default(53) }}
+dns_rfc2136_name = {{ certbot_rfc2136_key_name }}
+dns_rfc2136_secret = {{ certbot_rfc2136_key_secret }}
+dns_rfc2136_algorithm = {{ certbot_rfc2136_key_algorithm | upper }}
+dns_rfc2136_sign_query = true

ansible/roles/docker/tasks/main.yaml

@@ -0,0 +1,82 @@
+---
+
+- name: Install Docker on Archlinux
+  when: ansible_facts['os_family'] == "Archlinux"
+  community.general.pacman:
+    name: docker
+    state: present
+    update_cache: true
+
+- name: Add users to docker group
+  ansible.builtin.user:
+    name: "{{ item }}"
+    groups: docker
+    append: true
+  loop: "{{ docker_users }}"
+
+- name: Start and enable Docker
+  ansible.builtin.systemd:
+    name: docker
+    state: started
+    enabled: true
+
+- name: Create Docker networks
+  when:
+    - docker_networks is defined
+    - docker_networks | length > 0
+  community.docker.docker_network:
+    attachable: "{{ item.attachable | default(true) }}"
+    driver: "{{ item.driver | default('bridge') }}"
+    driver_options: "{{ item.driver_options | default(omit) }}"
+    enable_ipv6: "{{ item.enable_ipv6 | default(false) }}"
+    internal: "{{ item.internal | default(false) }}"
+    ipam_config: "{{ item.ipam | default(omit) }}"
+    name: "{{ item.name }}"
+    state: "present"
+  loop: "{{ docker_networks }}"
+
+- name: Create Docker volumes
+  when:
+    - docker_volumes is defined
+    - docker_volumes | length > 0
+  community.general.docker_volume:
+    driver: "{{ item.driver | default('local') }}"
+    driver_options: "{{ item.driver_options | default({}) }}"
+    recreate: "never"
+    state: "present"
+    volume_name: "{{ item.name }}"
+  loop: "{{ docker_volumes }}"
+
+- name: Pull Docker images
+  when:
+    - docker_images is defined
+    - docker_images | length > 0
+  community.docker.docker_image_pull:
+    name: "{{ item.name }}"
+    pull: "always"
+    tag: "{{ item.tag | default('latest') }}"
+  loop: "{{ docker_images }}"
+
+- name: Create Docker containers
+  when:
+    - docker_containers is defined
+    - docker_containers | length > 0
+  community.general.docker_container:
+    auto_remove: "{{ item.auto_remove | default(false) }}"
+    capabilities: "{{ item.capabilities | default(omit) }}"
+    command: "{{ item.command | default(omit) }}"
+    detach: true
+    domainname: "{{ item.domainname | default(omit) }}"
+    entrypoint: "{{ item.entrypoint | default(omit) }}"
+    env: "{{ item.env | default({}) }}"
+    etc_hosts: "{{ item.etc_hosts | default({}) }}"
+    hostname: "{{ item.hostname | default(item.name) }}"
+    image: "{{ item.image }}"
+    name: "{{ item.name }}"
+    networks: "{{ item.networks | default(omit) }}"
+    published_ports: "{{ item.ports | default([]) }}"
+    restart_policy: "{{ item.restart_policy | default('unless_stopped') }}"
+    state: 'started'
+    sysctls: "{{ item.sysctls | default({}) }}"
+    volumes: "{{ item.volumes | default([]) }}"
+  loop: "{{ docker_containers }}"

ansible/roles/k8s_cert_manager/files/cluster.balsillie.house/issuers.yaml

@@ -0,0 +1,41 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: le-prod-balsillie-house
+spec:
+  acme:
+    email: le-prod.balsillie-house@balsillie.email
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: account-le-prod-balsillie-house
+    solvers:
+      - dns01:
+          rfc2136:
+            nameserver: 10.208.240.1:53
+            tsigKeyName: rndc-house
+            tsigAlgorithm: HMACSHA256
+            tsigSecretSecretRef:
+              name: tsig-keys
+              key: rndc-house
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: le-prod-balsillie-net
+spec:
+  acme:
+    email: le-prod.balsillie-net@balsillie.email
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: account-le-prod-balsillie-net
+    solvers:
+      - dns01:
+          rfc2136:
+            nameserver: 10.208.240.1:53
+            tsigKeyName: rndc-net
+            tsigAlgorithm: HMACSHA256
+            tsigSecretSecretRef:
+              name: tsig-keys
+              key: rndc-net

ansible/roles/k8s_control/files/kube00.balsillie.house_init

@@ -0,0 +1 @@
+sudo kubeadm init --control-plane-endpoint=api.cluster.balsillie.house --cri-socket=unix:///run/containerd/containerd.sock --pod-network-cidr="10.208.0.0/16,2400:8907:e002:7c10::/64" --service-cidr="10.224.0.0/16,2400:8907:e002:7c11::/108" --apiserver-advertise-address="10.192.110.91" --apiserver-advertise-address="2400:8907:e002:7c02::91" --apiserver-bind-port=6443 --apiserver-cert-extra-sans="api.cluster.balsillie.house" --apiserver-cert-extra-sans="10.192.110.90" --apiserver-cert-extra-sans="10.192.110.91" --apiserver-cert-extra-sans="2400:8907:e002:7c02::90" --apiserver-cert-extra-sans="2400:8907:e002:7c02::91" --node-name="kube00" --service-dns-domain="cluster.balsillie.house"

ansible/roles/k8s_ingress_controller/files/cluster.balsillie.house/deploy.yaml

@@ -0,0 +1,991 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - ingress-nginx-leader
+  resources:
+  - leases
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - list
+  - watch
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - list
+  - watch
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: ingress-controller-external
+  namespace: ingress-nginx
+spec:
+  clusterIP: None
+  ipFamilies:
+  - IPv4
+  - IPv6
+  ipFamilyPolicy: RequireDualStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/access: external
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: ingress-controller-internal
+  namespace: ingress-nginx
+spec:
+  clusterIP: None
+  ipFamilies:
+  - IPv4
+  - IPv6
+  ipFamilyPolicy: RequireDualStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/access: internal
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: ingress-controller-external-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/access: external
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: ingress-controller-internal-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/access: internal
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: ingress-controller-external
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/access: external
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.8.2
+        app.kubernetes.io/access: external
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-external
+        - --controller-class=k8s.io/ingress-external
+        - --ingress-class=external
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-admission-external
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: ingress-controller-internal
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/access: internal
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.8.2
+        app.kubernetes.io/access: internal
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-internal
+        - --controller-class=k8s.io/ingress-internal
+        - --ingress-class=internal
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-admission-internal
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: ingress-admission-external-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.8.2
+        app.kubernetes.io/access: external
+      name: ingress-admission-external-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-controller-external-admission,ingress-controller-external-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-admission-external
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: ingress-admission-external-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.8.2
+        app.kubernetes.io/access: external
+      name: ingress-admission-external-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-external-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-admission-external
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: ingress-admission-internal-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.8.2
+        app.kubernetes.io/access: internal
+      name: ingress-admission-internal-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-controller-internal-admission,ingress-controller-internal-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-admission-internal
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: ingress-admission-internal-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.8.2
+        app.kubernetes.io/access: internal
+      name: ingress-admission-internal-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-internal-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-admission-internal
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: external
+spec:
+  controller: k8s.io/ingress-external
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: internal
+spec:
+  controller: k8s.io/ingress-internal
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: ingress-external-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-controller-external-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: ingress-internal-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-controller-internal-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None  

ansible/roles/k8s_ingress_controller/files/cluster.balsillie.house/v4-ingress-service.yaml

@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: external
+  name: ingress-controller-external-v4
+  namespace: ingress-nginx
+spec:
+  clusterIP: None
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/access: external
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.8.2
+    app.kubernetes.io/access: internal
+  name: ingress-controller-internal-v4
+  namespace: ingress-nginx
+spec:
+  clusterIP: None
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/access: internal
+  type: ClusterIP

ansible/roles/k8s_network/files/cluster.balsillie.house/calico_installation.yaml

@@ -0,0 +1,52 @@
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+    name: default
+spec:
+    calicoNetwork:
+        bgp: Enabled
+        hostPorts: Enabled
+        ipPools:
+        -   blockSize: 20
+            cidr: 10.208.0.0/16
+            encapsulation: None
+            natOutgoing: Disabled
+            nodeSelector: all()
+        -   blockSize: 116
+            cidr: 2400:8907:e002:7c10::/64
+            encapsulation: None
+            natOutgoing: Disabled
+            nodeSelector: all()
+        linuxDataplane: Iptables
+
+---
+
+apiVersion: projectcalico.org/v3
+kind: BGPConfiguration
+metadata:
+    name: default
+spec:
+    asNumber: 64622
+    serviceClusterIPs:
+    -   cidr: 10.224.0.0/16
+    -   cidr: 2400:8907:e002:7c11::/108
+
+---
+
+apiVersion: crd.projectcalico.org/v1
+kind: BGPPeer
+metadata:
+    name: opnsense-v4
+spec:
+    asNumber: 64623
+    peerIP: 10.192.110.254
+
+---
+
+apiVersion: crd.projectcalico.org/v1
+kind: BGPPeer
+metadata:
+    name: opnsense-v6
+spec:
+    asNumber: 64623
+    peerIP: 2400:8907:e002:7c02::0254

ansible/roles/k8s_network/files/cluster.balsillie.house/calico_ip_reservation.yaml

@@ -0,0 +1,41 @@
+apiVersion: projectcalico.org/v3
+kind: IPReservation
+metadata:
+  name: default-ipreservation
+spec:
+  reservedCIDRs:
+  - 10.208.240.0/20
+  - 2400:8907:e002:7c10:ffff:ffff:ffff:f000/116
+
+# Static IPs:
+#
+# DNS (Bind9):
+#   10.208.240.1
+#   2400:8907:e002:7c10:ffff:ffff:ffff:f001
+#
+# Nginx:
+#   10.208.240.2
+#   2400:8907:e002:7c10:ffff:ffff:ffff:f002
+#
+# Mail:
+#
+#   Postfix:
+#     10.208.240.3
+#     2400:8907:e002:7c10:ffff:ffff:ffff:f003
+#
+#   Dovecot:
+#     10.208.240.4
+#     2400:8907:e002:7c10:ffff:ffff:ffff:f004
+#
+# Transmission:
+#   10.208.240.5
+#   2400:8907:e002:7c10:ffff:ffff:ffff:f005 (Unused)
+#
+# Matrix:
+#   10.208.240.6
+#   2400:8907:e002:7c10:ffff:ffff:ffff:f006
+#
+# Coturn:
+#   10.208.240.7
+#   2400:8907:e002:7c10:ffff:ffff:ffff:f007
+#

ansible/roles/k8s_network/files/cluster.balsillie.house/ippool.yaml

@@ -0,0 +1,13 @@
+apiVersion: projectcalico.org/v3
+kind: IPPool
+metadata:
+  name: default-ipv6-ippool
+spec:
+  allowedUses:
+  - Workload
+  - Tunnel
+  blockSize: 116
+  cidr: 2400:8907:e002:7c10::/64
+  ipipMode: Never
+  nodeSelector: all()
+  vxlanMode: Never

ansible/roles/k8s_storage_ebs_zfs_deploy/files/sc_ssd-zfs-imd.yaml

@@ -0,0 +1,11 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ssd-zfs-imd
+parameters:
+  poolname: ssd/data/open-ebs
+  fstype: zfs
+provisioner: zfs.csi.openebs.io
+allowVolumeExpansion: true
+volumeBindingMode: Immediate
+reclaimPolicy: Retain

ansible/roles/nginx/files/ssl.conf

@@ -0,0 +1,7 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:1m;
+ssl_session_tickets off;
+ssl_dhparam ssl/dhparams.pem;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;

ansible/roles/nginx/handlers/main.yaml

@@ -0,0 +1,6 @@
+---
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx.service
+    state: restarted

ansible/roles/nginx/tasks/main.yaml

@@ -0,0 +1,112 @@
+- name: Install nginx package (Archlinux)
+  when: ansible_facts['os_family'] == "Archlinux"
+  community.general.pacman:
+    name:
+      - nginx
+    state: present
+    update_cache: true
+
+- name: Create config dirs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0775"
+  loop:
+    - /etc/nginx/sites-available
+    - /etc/nginx/sites-enabled
+    - /etc/nginx/conf.d
+    - /etc/nginx/ssl
+
+- name: Copy the ssl configuration
+  ansible.builtin.copy:
+    src: ssl.conf
+    dest: /etc/nginx/ssl/ssl.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart nginx
+
+- name: Generate dhparams
+  ansible.builtin.command:
+    argv:
+      - openssl
+      - dhparam
+      - -dsaparam
+      - -outform
+      - PEM
+      - -out
+      - /etc/nginx/ssl/dhparams.pem
+      - 4096
+    creates: /etc/nginx/ssl/dhparams.pem
+  notify: Restart nginx
+
+# - name: Generate dhparams (alternative)
+#   community.crypto.openssl_dhparam:
+#     group: root
+#     mode: "0644"
+#     owner: root
+#     path: /etc/nginx/ssl/dhparams.pem
+#     size: 4096
+#     state: present
+
+- name: Set permissions on dhparams
+  ansible.builtin.file:
+    path: /etc/nginx/ssl/dhparams.pem
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart nginx
+
+- name: Template out nginx base config
+  ansible.builtin.template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart nginx
+
+- name: Template out nginx reverse proxy configs
+  when: item.type == "proxy"
+  ansible.builtin.template:
+    src: nginx-proxy.conf.j2
+    dest: /etc/nginx/sites-available/{{ item.name }}.conf
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ nginx_sites }}"
+  notify: Restart nginx
+
+- name: Template out nginx site configs
+  when: item.type == "site"
+  ansible.builtin.template:
+    src: nginx-site.conf.j2
+    dest: /etc/nginx/sites-available/{{ item.name }}.conf
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ nginx_sites }}"
+  notify: Restart nginx
+
+- name: Enable site configs
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/{{ item.name }}.conf
+    src: /etc/nginx/sites-available/{{ item.name }}.conf
+    state: link
+  loop: "{{ nginx_sites }}"
+  notify: Restart nginx
+
+# - name: Run certbot role to install certificates
+#   ansible.builtin.include_role:
+#     name: certbot
+#   vars:
+#     certbot_domains: "{{ nginx_sites | map(attribute='name') }}"
+#     certbot_notify: "Restart nginx"
+
+- name: Start and enable nginx
+  ansible.builtin.service:
+    name: nginx
+    state: started
+    enabled: true