Move setup of foundational service from k8s to k3s

It simply doesn't make sense to split the installation of the
kubernetes-cluster from the provisioning of foundational services.
Therefore I drop the idea to organise these services in another
terraform-setup and instead ensure their presence with ansible, as it's
already responsible for setting up the cluster and keep it up-to.date.

k3s/README.adoc

@@ -1,7 +1,32 @@
 = k3s
 :icons: font
 
-This project is responsible for setting up a k3s installation.
+This project is responsible for setting up a k3s installation and provide a set of foundational services in the cluster.
+The provided services are:
+
+cert-manager::
+This allows issuing TLS certificates.
+The certificates are issued via https://letsencrypt.org[let's encrypt] and can be issued for the staging and production stage of let's encrypt.
+minio::
+
+Allow me to store data in an object storage.
++
+TODO: Not setup yet!
+
+concourse-ci::
+A powerful CI-cervice which I like to use to automate all kind of workloads.
++
+TODO: Not setup yet!
+
+gitea::
+My personal favourite git-server.
++
+TODO: Not setup yet!
+
+snappass::
+A secure and reliable tool to share password.
++
+TODO: Not setup yet!
 
 == Setup
 
@@ -19,4 +44,13 @@ ansible-playbook site.yml # <2>
 
 [IMPORTANT]
 The second step will override any existing kube config, this might destroy any existing settings!
+
+[NOTE]
+--
+To apply the playbook you may need to install additional packages:
+
+* https://helm.sh/docs/intro/install/[helm]
+* https://github.com/databus23/helm-diff?tab=readme-ov-file#install[helm-diff]
+* python3-kubernetes (Debian/Ubuntu)
+--
 // end::setup[]

k3s/ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 nocows = True
-inventory = inventory.ini,config.ini
+inventory = inventory.ini,config.yml,vault.yml
 display_skipped_hosts = False
 error_on_undefined_vars = True
+vault_password_file = password.txt

k3s/config.ini

@@ -1,15 +0,0 @@
-[all:vars]
-k8s_api_endpoint = "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
-
-[k3s_cluster:vars]
-ansible_user = root
-# note the space between the IPs!
-dns_servers = 8.8.8.8 8.8.4.4
-
-[agent:vars]
-ansible_ssh_common_args = -o StrictHostKeyChecking=accept-new -o ProxyCommand="ssh -p 1022 -W %h:%p -q root@{{ k8s_api_endpoint }}"
-k3s_version = v1.31.6+k3s1
-
-[server:vars]
-ansible_ssh_common_args = '-o StrictHostKeyChecking=accept-new'
-k3s_version = v1.31.6+k3s1

k3s/config.yml

@@ -0,0 +1,28 @@
+all:
+  vars:
+    k8s_api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
+    cert_manager_state: present
+    cert_manager_version: v1.18.2
+    letsencrypt_clusterissuers:
+      staging:
+        server: https://acme-staging-v02.api.letsencrypt.org/directory
+        email: "{{ vault_letsencrypt_issuer_email }}"
+      prod:
+        server: https://acme-v02.api.letsencrypt.org/directory
+        email: "{{ vault_letsencrypt_issuer_email }}"
+
+k3s_cluster:
+  vars:
+    ansible_user: root
+    # note the space between the IPs!
+    dns_servers: 8.8.8.8 8.8.4.4
+
+agent:
+  vars:
+    ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new -o ProxyCommand="ssh -p 1022 -W %h:%p -q root@{{ k8s_api_endpoint }}"
+    k3s_version: v1.31.6+k3s1
+
+server:
+  vars:
+    ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new'
+    k3s_version: v1.31.6+k3s1

k3s/roles/k8s-setup/defaults/main.yml

@@ -0,0 +1,3 @@
+cert_manager_state: present
+cert_manager_version: v1.18.2
+letsencrypt_clusterissuers: {}

k3s/roles/k8s-setup/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Deploy cert manager {{ cert_manager_version }}
+  kubernetes.core.helm:
+    name: cert-manager
+    chart_ref: "oci://quay.io/jetstack/charts/cert-manager"
+    chart_version: "{{ cert_manager_version }}"
+    release_namespace: "cert-manager"
+    create_namespace: True
+    release_state: "{{ cert_manager_state }}"
+    set_values:
+    - value: crds.enabled=true
+
+- name: Provide let's encrypt clusterissuers
+  kubernetes.core.k8s:
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: ClusterIssuer
+      metadata:
+        name: "letsencrypt-{{ item.key }}"
+      spec:
+        acme:
+          email: "{{ item.value.email }}"
+          privateKeySecretRef:
+            name: "letsencrypt-{{ item.key }}"
+          server: "{{ item.value.server }}"
+          solvers:
+          - http01:
+              ingress:
+                class: "traefik"
+  loop: "{{ letsencrypt_clusterissuers | dict2items }}"

k3s/site.yml

@@ -26,3 +26,9 @@
     - init
     - config
     - update
+- hosts: localhost
+  roles:
+  - role: k8s-setup
+    tags:
+    - init
+    - k8s

k3s/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+39663830333033356463613461373238356334303063343634343463643961313266636163326638
+6161313335653163656230333566343465353535663630620a353664363735656264333766303136
+61333138366230336339316638633834393738663032303732623832326233323635363230626430
+3564653635323334320a636531633061376135666333303961643633356361306635666639396534
+34363933623239316439396636663164396633336639346539356664663136386262326666656665
+64623764316530363163353033656536343034383039613961623563373836383238366131666362
+38323739353461303135373239646334616134616539313133636634306265343261623038613030
+33643830666331326164