Merge infra and k3 into one directory again

Since I don't have multiple terraform steps anymore it simply doesn't
make sense to me anymore to split all tasks into separate folders.
Instead I try to be as clear as possible in the README to make it easy
to follow the structure in the future without too much headache.

roles/agent-setup/defaults/main.yml

@@ -0,0 +1,3 @@
+dns_servers: 8.8.8.8 8.8.4.4
+network_config_path: /etc/systemd/network
+

roles/agent-setup/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart resolved
+  service:
+    name: systemd-resolved
+    state: restarted

roles/agent-setup/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Set default network route
+  shell: "ip route add default via {{ private_nat }}"
+  ignore_errors: "yes"
+  when: ansible_facts['default_ipv4']['alias'] is not defined
+
+- name: Regather facts
+  setup:
+  when: ansible_facts['default_ipv4']['alias'] is not defined
+
+- name: Gather fact target_nic
+  set_fact:
+    target_nic: "{{ ansible_facts['default_ipv4']['alias'] }}"
+
+- name: Ensure path to configure default route
+  file:
+    path: "{{ network_config_path }}"
+    state: directory
+
+- name: Configure default route
+  template:
+    src: nic.network.j2
+    dest: "{{ network_config_path }}/10-{{target_nic}}.network"
+
+- name: Configure DNS servers
+  lineinfile:
+    path: /etc/systemd/resolved.conf
+    regexp: '^#?\s*DNS\s*=.*'
+    line: "DNS={{ dns_servers }}"
+  notify: "Restart resolved"

roles/agent-setup/templates/nic.network.j2

@@ -0,0 +1,5 @@
+[Match]
+Name={{ target_nic }}
+[Network]
+DHCP=yes
+Gateway={{ private_nat }}

roles/k8s-setup/defaults/main.yml

@@ -0,0 +1,3 @@
+cert_manager_state: present
+cert_manager_version: v1.18.2
+letsencrypt_clusterissuers: {}

roles/k8s-setup/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Deploy cert manager {{ cert_manager_version }}
+  kubernetes.core.helm:
+    name: cert-manager
+    chart_ref: "oci://quay.io/jetstack/charts/cert-manager"
+    chart_version: "{{ cert_manager_version }}"
+    release_namespace: "cert-manager"
+    create_namespace: True
+    release_state: "{{ cert_manager_state }}"
+    set_values:
+    - value: crds.enabled=true
+
+- name: Provide let's encrypt clusterissuers
+  kubernetes.core.k8s:
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: ClusterIssuer
+      metadata:
+        name: "letsencrypt-{{ item.key }}"
+      spec:
+        acme:
+          email: "{{ item.value.email }}"
+          privateKeySecretRef:
+            name: "letsencrypt-{{ item.key }}"
+          server: "{{ item.value.server }}"
+          solvers:
+          - http01:
+              ingress:
+                class: "traefik"
+  loop: "{{ letsencrypt_clusterissuers | dict2items }}"

roles/kube-config/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: Download kube-config
+  fetch:
+    src: /etc/rancher/k3s/k3s.yaml
+    dest: "{{ lookup('env', 'HOME') }}/.kube/config.orig"
+    flat: True
+  register: loaded_kube_config
+- name: Copy kube-config to correct location
+  delegate_to: localhost
+  copy:
+    src: "{{ lookup('env', 'HOME') }}/.kube/config.orig"
+    dest: "{{ lookup('env', 'HOME') }}/.kube/config"
+  when: loaded_kube_config is changed
+- name: Use correct ip-address for k8s-cluster
+  delegate_to: localhost
+  lineinfile:
+    path: "{{ lookup('env', 'HOME') }}/.kube/config"
+    regexp: '^(\s*server: https://).*(:\d+)$'
+    line: \g<1>{{ k8s_api_endpoint }}\g<2>
+    backrefs: yes

roles/server-setup/defaults/main.yml

@@ -0,0 +1,2 @@
+ip_masquerade_path: /etc/networkd-dispatcher/routable.d
+ip_masquerade_script: 10-eth0-post-up

roles/server-setup/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: Restart sshd
+  service:
+    name: ssh
+    state: restarted
+
+- name: Start ip-masquerade
+  script: "{{ ip_masquerade_path }}/{{ ip_masquerade_script }}"

roles/server-setup/tasks/main.yml

@@ -0,0 +1,50 @@
+- name: Set facts for target SSH-connection
+  set_fact:
+    target_ansible_port: "{{ ansible_port }}"
+
+- name: Check if SSH-connection is already adjusted
+  ping:
+  ignore_errors: "yes"
+  ignore_unreachable: "yes"
+  register: target_ssh
+
+- name: Set ansible_port to 22 when SSH-connection is not adjusted
+  set_fact:
+    ansible_port: "22"
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Check if initial SSH-connection is active
+  ping:
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Set SSH-port to 1022
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?\s*Port\s+[0-9]+$'
+    line: Port 1022
+  notify: "Restart sshd"
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Reset ansible_port to configured value
+  set_fact:
+    ansible_port: "{{ target_ansible_port }}"
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Run deferred setup to gather facts
+  setup:
+
+- name: Ensure routable.d path to masquerade ips
+  file:
+    path: "{{ ip_masquerade_path }}"
+    state: directory
+
+- name: Configure NAT to masquerade ips
+  template:
+    src: ip-masquerade.sh.j2
+    dest: "{{ ip_masquerade_path }}/{{ ip_masquerade_script }}"
+    mode: u=rwx,g=rx,o=rx
+  notify: "Start ip-masquerade"

roles/server-setup/templates/ip-masquerade.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -s {{network_cidr}} -o eth0 -j MASQUERADE
+