Commit Graph

6 Commits

Author SHA1 Message Date
Adyrem 7ba749c620 Add Proxmox host role, WireGuard VPN, and public Gitea via Traefik HTTPS
Ansible Lint / lint (push) Successful in 4s
Proxmox host role:
- Admin user setup, SSH hardening (port 2222, no root login)
- claude-code SFTP chroot user
- Unattended upgrades, DuckDNS dynamic DNS updater (vault-encrypted token)
- WireGuard VPN server (10.10.10.0/24) with Fedora client registered
- Proxmox firewall management via pvesh API (idempotent Python script)

Public Gitea exposure:
- Traefik: add HTTPS entrypoint, Let's Encrypt ACME (HTTP-01), StripPrefix
  middleware for /git subpath, HTTP→HTTPS redirect
- Gitea ROOT_URL updated to https://adyrem.duckdns.org/git/
- Pi-hole split DNS: adyrem.duckdns.org → 10.10.1.3 for internal hairpin bypass

SSH config fixes:
- StrictHostKeyChecking no → accept-new across all hosts
- Proxmox jump host: port 2222, user adyrem (root login disabled)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 04:06:56 +02:00
Adyrem 3d596b984b Add Claude Code VM (105) with cloud-init provisioning
Arch Linux cloud image, 4 cores/8GB, dev-net (10.10.2.10), autostart.
Cloud-init handles user/SSH key/network on first boot. Ansible role
installs Claude Code CLI, tmux, SSH keys, SSH config for all managed
VMs via ProxyJump, homelab repo clone.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 17:41:52 +02:00
Adyrem afd240de86 Add Pi-hole and Traefik LXC containers
- LXC 103 (pihole): Debian 12, 10.10.1.2, Pi-hole v6 with local DNS for
  gitea/grafana/traefik/pihole.homelab, Proxmox dnsmasq updated to use
  Pi-hole upstream
- LXC 104 (traefik): Debian 12, 10.10.1.3, Traefik v3 routing
  gitea.homelab → 10.10.1.125:3000, grafana.homelab → 10.10.1.137:3000
- DNAT rules on vmbr0 forwarding :80/:443 to Traefik, persisted in
  /etc/network/interfaces
- Ansible roles: pihole, traefik; playbooks: pihole.yml, traefik.yml
- site.yml excludes Debian containers from Arch-specific common role

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 16:52:20 +02:00
Adyrem 37b5b12478 Rotate Gitea secret_key and internal_token
Ansible Lint / lint (push) Failing after 4s
Old values were exposed in plaintext in the initial commit history.
New values generated via `gitea generate secret`.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 18:16:33 +02:00
Adyrem 39be9fafe7 Add Gitea Actions runner, ansible-lint CI, vault setup, and fix group_vars layout
- Move group_vars into inventory/ so playbooks can find them (was only
  visible to ad-hoc commands via CWD)
- Add Ansible Vault for sensitive variables (gitea/grafana passwords,
  tokens, db credentials) with vault_password_file outside the repo
- Enable Gitea Actions and deploy act_runner with Docker backend on
  the gitea VM
- Add .gitea/workflows/lint.yml to run ansible-lint on every push
- Set up Gitea → GitHub push mirror (sync_on_commit)
- Fix ansible.cfg stdout_callback for ansible-core 2.20 compatibility
- Add python-psycopg2 to gitea role (required for postgresql modules)
- Add docker to gitea_runner role (required by act_runner at startup)
- Exclude password hashes and VM images from git

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 17:34:03 +02:00
Adyrem c23274c7ab Initial Ansible automation for homelab infrastructure 2026-05-13 16:17:04 +02:00