Go to file

Felix Nehrke b16566e021 Move tasks to setup cert-manager into its own task-file

This change is the first step to setup further tools, like a git-server
or CI-servers with this role.

2025-11-28 00:28:25 +01:00

modules/hetzner

Merge infra and k3 into one directory again

2025-11-28 00:24:18 +01:00

roles

Move tasks to setup cert-manager into its own task-file

2025-11-28 00:28:25 +01:00

.gitignore

Move terraform-state to b2

2025-11-28 00:28:25 +01:00

.terraform.lock.hcl

Switch from terraform to opentofu, so update some providers therefore

2025-11-28 00:28:25 +01:00

ansible.cfg

Merge infra and k3 into one directory again

2025-11-28 00:24:18 +01:00

config.yml

Use port 1022 for all cluster nodes as SSH-port and fix some config-errors

2025-11-28 00:28:22 +01:00

inventory.ini.tftpl

Use port 1022 for all cluster nodes as SSH-port and fix some config-errors

2025-11-28 00:28:22 +01:00

main.tf

Merge infra and k3 into one directory again

2025-11-28 00:24:18 +01:00

README.adoc

Document possible tags for the ansible-playbook

2025-11-28 00:24:18 +01:00

requirements.yml

Merge infra and k3 into one directory again

2025-11-28 00:24:18 +01:00

site.yml

Don't gather facts just to run k8s-setup since it's not needed

2025-11-28 00:28:25 +01:00

variables.tf

Merge infra and k3 into one directory again

2025-11-28 00:24:18 +01:00

vault.yml

Merge infra and k3 into one directory again

2025-11-28 00:24:18 +01:00

versions.tf

Move terraform-state to b2

2025-11-28 00:28:25 +01:00

README.adoc

Hetzer Infra

This repository is meant to setup my kubernetes-cluster on Hetzner Cloud. The setup is split into 2 dedicated parts:

Create necessary machines in Hetzner Cloud via terraform.
Install/Upgrade kubernetes-cluster and other software via ansible.

TL;DR

terraform init
terraform apply
sleep 300 # Wait 5 minutes since the machines start _slow_ sometimes
ansible-galaxy install -r requirements.yml
ansible-playbook site.yml

Preparation

Ensure terraform is installed
Ensure ansible is installed

Setup

The project is split into different steps, each responsible for another task.

terraform

I use terraform to provide the required infrastructure to run a kubernetes-cluster.

Make sure config.auto.tfvars with all the needed configuration-secrets is present otherwise the module cannot be applied! The file is savely stored in the password-manager.

terraform init (1)
terraform apply (2)

1	Init the terraform modules if necessary
2	Setup infrastructure and create/update inventory.ini

The setup will take longer than just the terraform apply, since terraform returns as soon as the machine is provided. Though it hasn’t been started the machines, yet. As a rule of thumb wait ca. 5 minutes after the apply to do other work.

ansible

Use ansible to setup a k3s installation and provide a set of foundational services in the cluster. The provided services are:

cert-manager: This allows issuing TLS certificates. The certificates are issued via let’s encrypt and can be issued for the staging and production stage of let’s encrypt.
minio: Allow me to store data in an object storage.

TODO: Not setup yet!
concourse-ci: A powerful CI-cervice which I like to use to automate all kind of workloads.

TODO: Not setup yet!
gitea: My personal favourite git-server.

TODO: Not setup yet!
snappass: A secure and reliable tool to share password.

TODO: Not setup yet!

The k3s-setup requires a inventory.ini which is automatically created by terraform. So, make sure to apply the infra at least once, before running these playbooks.

ansible-galaxy install -r requirements.yml (1)
ansible-playbook site.yml (2)

1	Install required ansible collections to create a k3s-cluster (can be omitted in subsequent runs)
2	Install k3s and download kube-config to .kube/config

The second step will override any existing kube config, this might destroy any existing settings!

To apply the playbook you may need to install additional packages:

helm
helm-diff
python3-kubernetes (Debian/Ubuntu)

Configured tags

init: Everything needed for the initial setup
add-server: Everything needed to add a new server to the cluster
add-agent: Everything needed to add a new agent to the cluster
update: Everything needed to update the cluster
config: Everything needed to update the local kube-config
k8s: Everything needed to provide the foundational services

The affected scope of the ansible-playbook can be limited with tags (--tags tag1,tag2):

Enlarge / Reduce size of cluster

Increase

Simply adjust the number of agents/servers in your infra/config.auto.tfvars.
Then run the ansible-playbook of k3s again

Decrease

If you want shrink the cluster DO NOT reduce the agent-amount directly! Instead proceed as the following:

Open k9s and go to :nodes
Select the highest agent and press r to drain it
Afterward that succeeded delete it with Ctrl-d
Finally reduce the amount of agents in terraform and apply the change

Responsibilities

terraform

Creation of network for the kubernetes-cluster
- A public subnet exposed to the internet for the kubernetes-servers
- A private subnet for the kubernetes-agents
Routing between the networks
Firewall rules to block everything from the servers except of:
- ping (protocol: icmp)
- kubernetes api (Usually port 6443)
- ssh (I prefer to use a non-standard port (usually port 1022)
- public services, e.g. http and https (port 80 and 443) but also git-ssh (port 22)
Creating the machines for kubernetes-servers in the public subnet
Creating the machines for kubernetes-agents in the private subnet
Creating DNS-records in Hetzer Cloud

ansible

Setup SSH-connections
Setting up routing on all servers
Installing k3s
Keep the software up-to-date
Add foundational services to the cluster

README.adoc Unescape Escape

Hetzer Infra

TL;DR

Preparation

Setup

terraform

ansible

Configured tags

Enlarge / Reduce size of cluster

Responsibilities

README.adoc