Update Terraform hcloud to v1.51.0

Reviewed-on: https://git.front.kjuulh.io/kjuulh/serverctl/pulls/7

.drone.yml

@@ -1,23 +1,36 @@
+type: docker
 kind: pipeline
 name: Serverctl
 
 steps:
-  - name: terraform plan
+  - name: test
-    image: alpine
+    image: harbor.front.kjuulh.io/docker-proxy/library/bash:latest
-    environment:
-      HCLOUD_TOKEN: 
-        from_secret: serverctl_hcloud_token
-      ACCESS_KEY:
-        from_secret: serverctl_access_key
-      SECRET_KEY:
-        from_secret: serverctl_secret_key
     commands:
-      - apk --update add curl
+      - echo 'Run tests'
-      - curl --silent --output terraform.zip "https://releases.hashicorp.com/terraform/1.1.6/terraform_1.1.6_linux_amd64.zip"
+  #
-      - unzip terraform.zip ; rm -f terraform.zip; chmod +x terraform
+  #  - name: terraform plan
-      - mkdir -p ${HOME}/bin ; export PATH=${PATH}:${HOME}/bin; mv terraform ${HOME}/bin/
+  #    image: alpine
-      - terraform -v
+  #    environment:
-      - cd infrastructure/create-resources
+  #      HCLOUD_TOKEN:
-      - terraform init -backend-config="access_key=$ACCESS_KEY" -backend-config="secret_key=$SECRET_KEY"
+  #        from_secret: serverctl_hcloud_token
-      - terraform validate
+  #      ACCESS_KEY:
-      - terraform plan -vars="hcloud_token=$HCLOUD_TOKEN"
+  #        from_secret: serverctl_access_key
+  #      SECRET_KEY:
+  #        from_secret: serverctl_secret_key
+  #      SSH_ZIP_KEY:
+  #        from_secret: serverctl_ssh_zip_key
+  #      HCLOUD_SSH_KEY_ID:
+  #        from_secret: serverctl_hcloud_ssh_key_id
+  #    commands:
+  #      - apk --update add curl zip ansible python3
+  #      - cd infrastructure && ./unzip-ssh-keys.sh "$SSH_ZIP_KEY" && cd ..
+  #      - curl --silent --output terraform.zip "https://releases.hashicorp.com/terraform/1.1.6/terraform_1.1.6_linux_amd64.zip"
+  #      - unzip terraform.zip ; rm -f terraform.zip; chmod +x terraform
+  #      - mkdir -p ${HOME}/bin ; export PATH=${PATH}:${HOME}/bin; mv terraform ${HOME}/bin/
+  #      - terraform -v
+  #      - cd infrastructure/create-resources
+  #      - terraform init -backend-config="access_key=$ACCESS_KEY" -backend-config="secret_key=$SECRET_KEY"
+  #      - terraform validate
+  #      - terraform apply -auto-approve -var "hcloud_token=$HCLOUD_TOKEN" -var "pvt_key=../ssh_keys/id_ed25519" -var "pub_key=../ssh_keys/id_ed25519.pub" -var "hcloud_serverctl_ssh_key_id=$HCLOUD_SSH_KEY_ID"
+  #      - cd ansible
+  #      - ANSIBLE_HOST_KEY_CHECKING=False /usr/bin/ansible-playbook -u root --key-file '../../ssh_keys/id_ed25519'  -e 'pub_key=../../ssh_keys/id_ed25519.pub' site.yml

docker-compose.yml

@@ -55,7 +55,7 @@ services:
 
 # Logging
   loki:
-    image: grafana/loki:2.4.2
+    image: grafana/loki:2.7.0
     ports:
       - 3100
     networks:
@@ -66,7 +66,7 @@ services:
     logging: *loki-logging
 
   promtail:
-    image: grafana/promtail:2.4.2
+    image: grafana/promtail:2.7.0
     volumes:
       - ./services/logs/promtail/config.yaml:/mnt/config/promtail-config.yaml
       - /var/lib/docker/containers:/host/containers

infrastructure/.gitignore

@@ -0,0 +1 @@
+ssh_keys/

infrastructure/create-resources/.gitignore

@@ -3,3 +3,5 @@
 .terraform.lock.hcl
 terraform.tfstate
 terraform.tfstate.backup
+secrets.txt
+.env

infrastructure/create-resources/ansible/.yamllint

@@ -0,0 +1,9 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 120
+    level: warning
+  truthy:
+    allowed-values: ['true', 'false', 'yes', 'no']

infrastructure/create-resources/ansible/ansible.cfg

@@ -0,0 +1,12 @@
+[defaults]
+nocows = True
+roles_path = ./roles
+inventory = ./inventory/hosts.cfg
+
+remote_tmp = $HOME/.ansible/tmp
+local_tmp = $HOME/.ansible/tmp
+pipelining = True
+become = True
+host_key_checking = False
+deprecation_warnings = True
+callback_whitelist = profile_tasks

infrastructure/create-resources/ansible/collections/requirements.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - name: community.general

infrastructure/create-resources/ansible/inventory/group_vars/all.yml

@@ -0,0 +1,15 @@
+---
+k3s_version: v1.22.3+k3s1
+ansible_user: root
+systemd_dir: /etc/systemd/system
+systemd_network_dir: /etc/systemd/network
+master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['wireguard_ip'] | default(groups['serverctl_master_hosts'][0]) }}"
+extra_server_args: "--flannel-iface=serverctl-wg0"
+extra_agent_args: "--flannel-iface=serverctl-wg0"
+
+ansible_become_method: su
+
+ufw_enabled: true
+
+wireguard_mask_bits: 24
+wireguard_port: 51871

infrastructure/create-resources/ansible/inventory/hosts.cfg

@@ -0,0 +1,32 @@
+[serverctl_master_hosts]
+95.217.155.228 ansible_host=95.217.155.228 wireguard_ip=10.1.1.1
+
+[serverctl_node_hosts]
+65.21.50.146 ansible_host=65.21.50.146 wireguard_ip=10.1.1.10
+95.216.162.16 ansible_host=95.216.162.16 wireguard_ip=10.1.1.11
+
+[serverctl_home_servers]
+192.168.1.150 ansible_host=192.168.1.150 wireguard_ip=10.1.1.8
+#192.168.1.233 ansible_host=192.168.1.233 wireguard_ip=10.1.1.9
+
+[serverctl_cluster:children]
+serverctl_master_hosts
+serverctl_node_hosts
+
+[serverctl_super_cluster:children]
+serverctl_cluster
+serverctl_home_servers
+
+[serverctl_home_servers:vars]
+client_server=True
+
+[serverctl_super_cluster:vars]
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22
+
+[serverctl_cluster:vars]
+client_server=False
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22

infrastructure/create-resources/ansible/kubeconfig.yml

@@ -0,0 +1,8 @@
+- hosts: serverctl_master_hosts[0]
+  become: yes
+  tasks:
+    - name: Fetch kubeconfig
+      ansible.builtin.fetch:
+        src: ~/.kube/config
+        dest: temp/.kube/config
+

infrastructure/create-resources/ansible/ping.yml

@@ -0,0 +1,7 @@
+---
+- hosts: serverctl_super_cluster
+  gather_facts: yes
+  tasks:
+    - name: ping
+      command: "ping -c3 {{ hostvars[item].wireguard_ip}}"
+      with_items: "{{groups['all']}}"

infrastructure/create-resources/ansible/roles/download/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Download k3s binary x64
+  get_url:
+    url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/k3s
+    checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/sha256sum-amd64.txt
+    dest: /usr/local/bin/k3s
+    owner: root
+    group: root
+    mode: 0755
+  when: ansible_facts.architecture == "x86_64"

infrastructure/create-resources/ansible/roles/firewall/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+- name: update packages
+  apt:
+    update_cache: yes
+    cache_valid_time: 3600
+  become: yes
+
+- name: install ufw
+  apt:
+    name: ufw
+    state: present
+  become: yes
+  when: ufw_enabled
+
+- name: Allow SSH in UFW
+  ufw:
+    rule: allow
+    port: "{{ ansible_ssh_port }}"
+    proto: tcp
+  become: yes
+  when: ufw_enabled
+
+- name: Allow wireguard port in UFW
+  ufw:
+    rule: allow
+    port: "{{ wireguard_port }}"
+    proto: udp
+  become: yes
+  when: ufw_enabled
+
+- name: Set ufw logging
+  ufw:
+    logging: "on"
+  become: yes
+  when: ufw_enabled
+
+- name: inter-node Wireguard UFW connectivity
+  ufw:
+    rule: allow
+    src: "{{ hostvars[item].wireguard_ip }}"
+  with_items: "{{ groups['all'] }}"
+  become: yes
+  when: ufw_enabled and item != inventory_hostname
+
+- name: Reject everything and enable UFW
+  ufw:
+    state: enabled
+    policy: reject
+    log: yes
+  become: yes
+  when: ufw_enabled
+
+- name: Allow 6443 in UFW /tcp
+  ufw:
+    rule: allow
+    port: "6443"
+    proto: tcp
+  become: yes
+  when: ufw_enabled
+
+- name: Allow 6443 in UFW udp
+  ufw:
+    rule: allow
+    port: "6443"
+    proto: udp
+  become: yes
+  when: ufw_enabled

infrastructure/create-resources/ansible/roles/k3s/master/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+k3s_server_location: /var/lib/rancher/k3s

infrastructure/create-resources/ansible/roles/k3s/master/tasks/main.yml

@@ -0,0 +1,79 @@
+---
+
+- name: Copy K3s service file
+  register: k3s_service
+  template:
+    src: "k3s.service.j2"
+    dest: "{{ systemd_dir }}/k3s.service"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable and check K3s service
+  systemd:
+    name: k3s
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+
+- name: Wait for node-token
+  wait_for:
+    path: "{{ k3s_server_location }}/server/node-token"
+
+- name: Register node-token file access mode
+  stat:
+    path: "{{ k3s_server_location }}/server/node-token"
+  register: p
+
+- name: Change file access node-token
+  file:
+    path: "{{ k3s_server_location }}/server/node-token"
+    mode: "g+rx,o+rx"
+
+- name: Read node-token from master
+  slurp:
+    path: "{{ k3s_server_location }}/server/node-token"
+  register: node_token
+
+- name: Store Master node-token
+  set_fact:
+    token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"
+
+- name: Restore node-token file access
+  file:
+    path: "{{ k3s_server_location }}/server/node-token"
+    mode: "{{ p.stat.mode }}"
+
+- name: Create directory .kube
+  file:
+    path: ~{{ ansible_user }}/.kube
+    state: directory
+    owner: "{{ ansible_user }}"
+    mode: "u=rwx,g=rx,o="
+
+- name: Copy config file to user home directory
+  copy:
+    src: /etc/rancher/k3s/k3s.yaml
+    dest: ~{{ ansible_user }}/.kube/config
+    remote_src: yes
+    owner: "{{ ansible_user }}"
+    mode: "u=rw,g=,o="
+
+- name: Replace https://localhost:6443 by https://master-ip:6443
+  command: >-
+    k3s kubectl config set-cluster default
+      --server=https://{{ master_ip }}:6443
+      --kubeconfig ~{{ ansible_user }}/.kube/config
+  changed_when: true
+
+- name: Create kubectl symlink
+  file:
+    src: /usr/local/bin/k3s
+    dest: /usr/local/bin/kubectl
+    state: link
+
+- name: Create crictl symlink
+  file:
+    src: /usr/local/bin/k3s
+    dest: /usr/local/bin/crictl
+    state: link

infrastructure/create-resources/ansible/roles/k3s/master/templates/k3s.service.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=Lightweight Kubernetes
+Documentation=https://k3s.io
+After=network-online.target
+
+[Service]
+Type=notify
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args | default("") }} --advertise-address {{master_ip}}
+KillMode=process
+Delegate=yes
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+TimeoutStartSec=0
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

infrastructure/create-resources/ansible/roles/k3s/node/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: Copy K3s service file
+  template:
+    src: "k3s.service.j2"
+    dest: "{{ systemd_dir }}/k3s-node.service"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Enable and check K3s service
+  systemd:
+    name: k3s-node
+    daemon_reload: yes
+    state: restarted
+    enabled: yes

infrastructure/create-resources/ansible/roles/k3s/node/templates/k3s.service.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=Lightweight Kubernetes
+Documentation=https://k3s.io
+After=network-online.target
+
+[Service]
+Type=notify
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['serverctl_master_hosts'][0]]['token'] }} {{ extra_agent_args | default("") }} --node-ip {{inventory_hostname}}
+KillMode=process
+Delegate=yes
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+TimeoutStartSec=0
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

infrastructure/create-resources/ansible/roles/prereq/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Enable IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    state: present
+    reload: yes
+
+- name: Enable IPv6 forwarding
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: "1"
+    state: present
+    reload: yes
+  when: ansible_all_ipv6_addresses
+
+- name: Wait for apt to unlock
+  shell: while sudo fuser /var/lib/dpkg/lock >/dev/null >2&1; do sleep 5; done;

infrastructure/create-resources/ansible/roles/wireguard/mesh/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: systemd network restart
+  service:
+    name: systemd-networkd
+    state: restarted
+    enabled: yes
+  become: yes

infrastructure/create-resources/ansible/roles/wireguard/mesh/tasks/main.yml

@@ -0,0 +1,89 @@
+---
+- name: install wireguard
+  apt:
+    name: wireguard
+    state: present
+  become: yes
+  when: ansible_distribution == 'Debian' or ansible_distribution == "Ubuntu"
+
+- name: install wireguard
+  pacman:
+    name: wireguard-tools
+    state: present
+  become: yes
+  when: ansible_distribution == "Archlinux"
+
+- name: generate wireguard keypair
+  shell: wg genkey | tee /etc/wireguard/serverctl-privatekey | wg pubkey | tee /etc/wireguard/serverctl-publickey
+  args:
+    creates: /etc/wireguard/serverctl-privatekey
+  become: yes
+
+- name: register private key
+  shell: cat /etc/wireguard/serverctl-privatekey
+  register: wireguard_private_key
+  changed_when: false
+  become: yes
+
+- name: register public key
+  shell: cat /etc/wireguard/serverctl-publickey
+  register: wireguard_public_key
+  changed_when: false
+  become: yes
+
+- name: generate preshared keypair
+  shell: "wg genpsk > /etc/wireguard/serverctl-psk-{{item}}"
+  args:
+    creates: "/etc/wireguard/serverctl-psk-{{item}}"
+  when: inventory_hostname < item
+  with_items: "{{groups['serverctl_super_cluster']}}"
+  become: yes
+
+- name: register preshared key
+  shell: "cat /etc/wireguard/serverctl-psk-{{item}}"
+  register: wireguard_preshared_key
+  changed_when: false
+  when: inventory_hostname < item
+  with_items: "{{groups['serverctl_super_cluster']}}"
+  become: yes
+
+- name: message preshared keys
+  set_fact: "wireguard_preshared_keys={{wireguard_preshared_keys|default({}) | combine({item.item: item.stdout})}}"
+  when: item.skipped is not defined
+  with_items: "{{wireguard_preshared_key.results}}"
+  become: yes
+
+#- name: print hostvars
+#  ansible.builtin.debug:
+#    msg: "{{hostvars[item]}}"
+#  with_items: "{{groups['serverctl_super_cluster']}}"
+
+- name: Setup wg0 device
+  template:
+    src: 'systemd.netdev'
+    dest: '{{systemd_network_dir}}/99-serverctl-wg0.netdev'
+    owner: root
+    group: systemd-network
+    mode: 0640
+  become: yes
+  notify: systemd network restart
+
+- name: Setup wg0 network
+  template:
+    src: 'systemd.network'
+    dest: "{{systemd_network_dir}}/99-serverctl-wg0.network"
+    owner: root
+    group: systemd-network
+    mode: 0640
+  become: yes
+  notify: systemd network restart
+
+#- name: Start and enalbe wireguard on book
+#  systemd:
+#    name: wg-quick@wgserverctl0
+#    enabled: yes
+#    state: started
+
+#- debug: msg="{{item.1}} - {{ (wireguard_base_ipv4|ipaddr(item.0 + 1)) }}"
+#  with_indexed_items: "{{groups.serverctl_mesh_nodes}}"
+

infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.netdev

@@ -0,0 +1,22 @@
+[NetDev]
+Name=serverctl-wg0
+Kind=wireguard
+Description=WireGuard tunnel serverctl-wg0
+
+[WireGuard]
+ListenPort={{ wireguard_port }}
+PrivateKey={{ wireguard_private_key.stdout }}
+
+{% for peer in groups['serverctl_super_cluster'] %}
+{% if peer != inventory_hostname %}
+
+[WireGuardPeer]
+PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
+PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
+AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
+{% if not hostvars[peer].client_server %}
+Endpoint={{ hostvars[peer].ansible_host }}:{{ wireguard_port }}
+PersistentKeepalive=25
+{% endif %}
+{% endif %}
+{% endfor %}

infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.network

@@ -0,0 +1,5 @@
+[Match]
+Name=serverctl-wg0
+
+[Network]
+Address={{ wireguard_ip }}/{{ wireguard_mask_bits }}

infrastructure/create-resources/ansible/server-install.yml

@@ -0,0 +1,16 @@
+- become: yes
+  hosts: all
+  name: server-install
+  tasks:
+    - name: Add the user 'kjuulh' and add it to 'sudo'
+      user:
+        name: kjuulh
+        group: sudo
+    - name:
+      authorized_key:
+        user: kjuulh
+        state: present
+        key: "{{ lookup('file', pub_key) }}"
+    - name: Wait for apt to unlock
+      become: yes
+      shell: while sudo fuser /var/lib/dpkg/lock >/dev/null >2&1; do sleep 5; done;

infrastructure/create-resources/ansible/site.yml

@@ -0,0 +1,25 @@
+---
+- hosts: serverctl_cluster
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: prereq
+    - role: download
+    - role: firewall
+
+- hosts: serverctl_super_cluster
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: wireguard/mesh
+
+- hosts: serverctl_master_hosts
+  become: yes
+  roles:
+    - role: "./k3s/master"
+
+- hosts: serverctl_node_hosts
+  become: yes
+  roles:
+    - role: "./k3s/node"
+

infrastructure/create-resources/hcloud.tf

@@ -0,0 +1,81 @@
+variable "serverctl_master_count" {
+  default = 0
+}
+
+variable "serverctl_node_count" {
+  default = 0
+}
+
+resource "hcloud_placement_group" "serverctl_master" {
+  name = "serverctl_master_group"
+  type = "spread"
+}
+
+resource "hcloud_server" "serverctl_master" {
+  count       = var.serverctl_master_count
+  name        = "serverctl-master-${count.index}"
+  image       = "debian-11"
+  server_type = "cx11"
+  ssh_keys    = [
+    var.hcloud_serverctl_ssh_key_id
+  ]
+  placement_group_id = hcloud_placement_group.serverctl_master.id
+
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  provisioner "remote-exec" {
+    inline = ["sudo apt update", "sudo apt install python3 -y", "echo Done!"]
+
+    connection {
+      host        = self.ipv4_address
+      type        = "ssh"
+      user        = "root"
+      private_key = file(var.pvt_key)
+    }
+  }
+}
+
+resource "hcloud_placement_group" "serverctl_node" {
+  name = "serverctl_node_group"
+  type = "spread"
+}
+
+resource "hcloud_server" "serverctl_node" {
+  count       = var.serverctl_node_count
+  name        = "serverctl-node-${count.index}"
+  image       = "debian-11"
+  server_type = "cx11"
+  ssh_keys    = [
+    var.hcloud_serverctl_ssh_key_id
+  ]
+  placement_group_id = hcloud_placement_group.serverctl_node.id
+
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  provisioner "remote-exec" {
+    inline = ["sudo apt update", "sudo apt install python3 -y", "echo Done!"]
+
+    connection {
+      host        = self.ipv4_address
+      type        = "ssh"
+      user        = "root"
+      private_key = file(var.pvt_key)
+    }
+  }
+}
+
+resource "local_file" "hosts_cfg" {
+  content = templatefile("${path.module}/templates/hosts.tftpl",
+    {
+      serverctl_masters    = hcloud_server.serverctl_master.*.ipv4_address
+      serverctl_nodes      = hcloud_server.serverctl_node.*.ipv4_address
+    }
+  )
+  filename = "ansible/inventory/hosts.cfg"
+}

infrastructure/create-resources/main.tf

@@ -1,43 +0,0 @@
-terraform {
-  required_providers {
-    hcloud = {
-      source = "hetznercloud/hcloud"
-      version = "1.32.2"
-    }
-  }
-
-  backend "s3" {
-    bucket = "serverctl-terraform"
-    key = "terraform.tfstate"
-
-    endpoint = "https://api.minio.front.kjuulh.io"
-
-    region = "main"
-
-    skip_credentials_validation = true
-    skip_metadata_api_check = true
-    skip_region_validation = true
-    force_path_style = true
-  }
-}
-
-variable "hcloud_token" {
-  sensitive = true
-}
-
-provider "hcloud" {
-  token = var.hcloud_token
-}
-
-resource "hcloud_placement_group" "serverctl_master" {
-  name = "serverctl_master_group"
-  type = "spread"
-}
-
-resource "hcloud_server" "serverctl_master" {
-  count = 2
-  name = "serverctl-master-${count.index}"
-  image = "debian-11"
-  server_type = "cx11"
-  placement_group_id = hcloud_placement_group.serverctl_master.id
-}

infrastructure/create-resources/provider.tf

@@ -0,0 +1,35 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "1.51.0"
+    }
+  }
+
+  backend "s3" {
+    bucket = "serverctl-terraform"
+    key    = "terraform.tfstate"
+
+    endpoint = "https://api.minio.front.kjuulh.io"
+
+    region = "main"
+
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    skip_region_validation      = true
+    force_path_style            = true
+  }
+}
+
+variable "hcloud_token" {
+  sensitive = true
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+
+variable "hcloud_serverctl_ssh_key_id" {}
+variable "pvt_key" {}
+variable "pub_key" {}

infrastructure/create-resources/setup-terraform.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export $(grep -v "^#" .env | xargs)
+
+terraform init -backend-config="access_key=$ACCESS_KEY" -backend-config="secret_key=$SECRET_KEY"
+

infrastructure/create-resources/templates/hosts.tftpl

@@ -0,0 +1,35 @@
+[serverctl_master_hosts]
+%{ for ip in serverctl_masters ~}
+${ip} ansible_host=${ip} wireguard_ip=${cidrhost("10.1.1.0/24", index(serverctl_masters, ip) + 1)}
+%{ endfor ~}
+
+[serverctl_node_hosts]
+%{ for ip in serverctl_nodes ~}
+${ip} ansible_host=${ip} wireguard_ip=${cidrhost("10.1.1.0/24", index(serverctl_nodes, ip) + 10)}
+%{ endfor ~}
+
+[serverctl_home_servers]
+192.168.1.150 ansible_host=192.168.1.150 wireguard_ip=10.1.1.8
+#192.168.1.233 ansible_host=192.168.1.233 wireguard_ip=10.1.1.9
+
+[serverctl_cluster:children]
+serverctl_master_hosts
+serverctl_node_hosts
+
+[serverctl_super_cluster:children]
+serverctl_cluster
+serverctl_home_servers
+
+[serverctl_home_servers:vars]
+client_server=True
+
+[serverctl_super_cluster:vars]
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22
+
+[serverctl_cluster:vars]
+client_server=False
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22

infrastructure/unzip-ssh-keys.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+ZIP_KEY=$1
+
+unzip -P "$ZIP_KEY" ssh_keys.zip
+
+echo "unzip done!"

infrastructure/zip-ssh-keys.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+ZIP_KEY=$(openssl rand -hex 30)
+
+mkdir -p ssh_keys/
+
+cp -f ~/.ssh/id_ed25519* ssh_keys/
+
+zip -r --password $ZIP_KEY ssh_keys.zip ssh_keys/
+
+echo "zip done!"
+echo "Zip key: $ZIP_KEY"

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

services/db/migrations/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.17-bullseye
+FROM golang:1.24-bullseye
 
 RUN go install github.com/jackc/tern@latest
 

services/entry/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.17-bullseye
+FROM golang:1.24-bullseye
 
 RUN go install github.com/cosmtrek/air@latest
 # Development don't need this

services/entry/go.mod

@@ -1,6 +1,6 @@
 module serverctl
 
-go 1.17
+go 1.19
 
 require (
 	github.com/Microsoft/go-winio v0.4.17 // indirect