Customer infrastructure repository, forked from ayoungco/blueprint.
| Role | Host | OS |
|---|---|---|
| Hypervisor / WireGuard gateway | big0 | Fedora Server |
| Kubernetes control plane | k8s-control-01 | VM |
| Kubernetes worker | k8s-worker-01 | VM |
| Bastion / fileserver | bastion-01 | Fedora VM with GUI |
| Edge node | littlehamster | Raspberry Pi 5 |
The `wireguard` Ansible role (`infra/ansible/roles/wireguard/`) configures the `wg0` interface on the Fedora hypervisor host.
Required CI/CD secrets
| Variable | Description |
|---|---|
| `FEDORA_HOST_IP` | IP or hostname of the Fedora server |
| `K8S_CONTROL_01_IP` | IP or hostname of the Kubernetes control-plane VM |
| `K8S_WORKER_01_IP` | IP or hostname of the Kubernetes worker VM |
| `BASTION_01_IP` | IP or hostname of the Fedora bastion/fileserver VM |
| `ANSIBLE_DEPLOY_USER` | SSH user on target hosts (default: `admin`) |
| `DEPLOY_SSH_KEY` | SSH private key for Ansible |
| `WIREGUARD_PRIVATE_KEY` | WireGuard private key for big0 |
Peer configuration lives in `group_vars/hypervisors/wireguard.yml` (store sensitive values in CI/CD secrets or a vault).
To pull in changes from the upstream blueprint repository:

```bash
git fetch upstream
git merge upstream/main
```
- Set the CI/CD secrets listed above.
- Update `infra/ansible/inventories/production/hosts.yml` with real IPs (or let them be injected via CI vars).
- Add peers to `wg_peers` in your group_vars or CI vars.
- Run the `Deploy Ansible` GitHub Actions workflow in check mode first, then rerun with check mode disabled to apply production changes.
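As an added illustration of the peer configuration and the "add peers to `wg_peers`" step above (not a file from this repository or from ayoungco/blueprint), here is how `group_vars/hypervisors/wireguard.yml` can reference the `WIREGUARD_PRIVATE_KEY` CI/CD secret instead of carrying the key in git. All variable names other than `wg_peers`, the tunnel addresses and the public-key placeholders are assumptions about the role, not taken from it.

```yaml
# group_vars/hypervisors/wireguard.yml (illustrative; only wg_peers is a
# variable name known from the repository, the others are assumptions)

# The private key is never committed. The CI job exports the
# WIREGUARD_PRIVATE_KEY secret into the runner's environment; the
# `mandatory` filter aborts the play if it is missing, rather than
# silently rendering an empty [Interface] PrivateKey.
wg_private_key: "{{ lookup('env', 'WIREGUARD_PRIVATE_KEY') | mandatory }}"

# Alternative when the key lives in an Ansible vault instead of a CI secret
# (ciphertext elided on purpose):
# wg_private_key: !vault |
#   $ANSIBLE_VAULT;1.1;AES256
#   ...

wg_interface: wg0
wg_address: 10.100.0.1/24     # constructed tunnel address for big0
wg_listen_port: 51820

# Peers carry public keys only (placeholder values, constructed here).
# allowed_ips is what the gateway will route to, and accept from, each
# peer; one /32 per peer is the least-privilege setting and keeps a
# misconfigured peer from claiming traffic for the whole tunnel range.
wg_peers:
  - name: bastion-01
    public_key: "<bastion-01 public key>"
    allowed_ips:
      - 10.100.0.10/32
  - name: littlehamster
    public_key: "<littlehamster public key>"
    allowed_ips:
      - 10.100.0.20/32
    persistent_keepalive: 25   # edge node behind NAT keeps the tunnel open
```

Running the workflow in check mode first, as the steps above say, shows the rendered `wg0` changes without applying them; a missing secret surfaces there as a failed `mandatory` filter instead of a broken tunnel on big0.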
MIT License. See LICENSE.