MilkyCode13 · MilkyCode13 · Apr 18, 2026 · Apr 8, 2026 · Apr 12, 2026 · Apr 14, 2026
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -16,3 +16,27 @@ jobs:
         env:
           ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
       - run: ansible-lint
+
+  publish-flux-artifact:
+    name: Publish Flux Artifact
+    runs-on: ubuntu-latest
+    needs: lint
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: fluxcd/flux2/action@main
+      - name: Log in to registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Push artifact
+        run: |
+          flux push artifact oci://ghcr.io/milkycode13/manifests/infra:$(git rev-parse --short HEAD) \
+            --path="." \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
+      - name: Tag staging
+        run: flux tag artifact oci://ghcr.io/milkycode13/manifests/infra:$(git rev-parse --short HEAD) --tag staging
+      - name: Tag latest
+        if: github.ref_name == 'main'
+        run: flux tag artifact oci://ghcr.io/milkycode13/manifests/infra:$(git rev-parse --short HEAD) --tag latest
diff --git a/.gitignore b/.gitignore
@@ -2,4 +2,8 @@
 .venv/
 .ansible/
 .ansible_vault.pass
-.secrets/
+.secrets/
+.terraform/
+secrets.tfvars
+*.tfstate
+*.tfstate.*
diff --git a/.sourceignore b/.sourceignore
@@ -0,0 +1,3 @@
+/*
+
+!/clusters/
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/ansible.cfg b/ansible.cfg
@@ -328,7 +328,7 @@ vault_password_file=.ansible_vault.pass
 
 # (boolean) Set this to "False" if you want to avoid host key checking by the underlying connection plugin Ansible uses to connect to the host.
 # Please read the documentation of the specific connection plugin used for details.
-;host_key_checking=True
+host_key_checking=False
 
 # (boolean) Facts are available inside the `ansible_facts` variable, this setting also pushes them as their own vars in the main namespace.
 # Unlike inside the `ansible_facts` dictionary where the prefix `ansible_` is removed from fact names, these will have the exact names that are returned by the module.

diff --git a/clusters/staging/test.yaml b/clusters/staging/test.yaml
@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m
+  url: https://github.com/stefanprodan/podinfo
+  ref:
+    branch: master
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 10m
+  targetNamespace: default
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  path: "./kustomize"
+  prune: true
+  timeout: 1m
diff --git a/group_vars/k8s.yaml b/group_vars/k8s.yaml
@@ -0,0 +1,8 @@
+---
+k8s_endpoint: kube-master
+k8s_vip_interface: eth0
+k8s_vip_address: 10.19.1.20
+k8s_flux_sync_kind: OCIRepository
+k8s_flux_sync_repo: "oci://ghcr.io/milkycode13/manifests/infra"
+k8s_flux_sync_ref: staging
+k8s_flux_sync_path: clusters/staging
diff --git a/inventory.yaml b/inventory.yaml
@@ -1,3 +1,12 @@
 pve:
   hosts:
     nas:
+
+k8s:
+  children:
+    k8s_master:
+      hosts:
+        kube-master1:
+    k8s_worker:
+      hosts:
+        kube-node1:
diff --git a/main.tf b/main.tf
@@ -0,0 +1,52 @@
+variable "pve_token" {
+  type      = string
+  sensitive = true
+  ephemeral = true
+}
+
+variable "openwrt_password" {
+  type      = string
+  sensitive = true
+  ephemeral = true
+}
+
+provider "proxmox" {
+  endpoint  = "https://nas.home.shduo.ru:8006/api2/json"
+  insecure  = true
+  api_token = var.pve_token
+}
+
+provider "openwrt" {
+  hostname = "gw.home.shduo.ru"
+  username = "root"
+  password = var.openwrt_password
+}
+
+resource "openwrt_dhcp_domain" "kube_master" {
+  name = "kube-master"
+  ip = "10.19.1.20"
+}
+
+module "kube_master1" {
+  source = "./modules/vm"
+
+  name = "kube-master1"
+  node = "nas"
+  vm_id = 101
+  template_id = 9001
+  cpu_cores = 4
+  memory = 4096
+  ip_cidr = "10.19.1.21/24"
+}
+
+module "kube_node1" {
+  source = "./modules/vm"
+
+  name = "kube-node1"
+  node = "nas"
+  vm_id = 201
+  template_id = 9001
+  cpu_cores = 8
+  memory = 8192
+  ip_cidr = "10.19.1.31/24"
+}
diff --git a/modules/vm/main.tf b/modules/vm/main.tf
@@ -0,0 +1,48 @@
+resource "openwrt_dhcp_domain" "dns" {
+  name = var.name
+  ip = split("/", var.ip_cidr)[0]
+}
+
+resource "proxmox_virtual_environment_vm" "vm" {
+  name      = var.name
+  node_name = var.node
+  vm_id     = var.vm_id
+
+  clone {
+    vm_id = var.template_id
+    full  = false
+  }
+
+  cpu {
+    cores = var.cpu_cores
+    type  = "x86-64-v2-AES"
+  }
+
+  memory {
+    dedicated = var.memory
+    floating  = var.memory
+  }
+
+  network_device {
+    bridge = "vmbr0"
+  }
+
+  initialization {
+    dns {
+      domain  = "home.shduo.ru"
+      servers = ["10.19.1.1"]
+    }
+
+    ip_config {
+      ipv4 {
+        address = var.ip_cidr
+        gateway = "10.19.1.1"
+      }
+    }
+
+    user_account {
+      username = "deploy"
+      keys     = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIZak62dHFoQL3Co/XYs8SC6Lc/FnCT8xOiHu2SJAWO"]
+    }
+  }
+}
diff --git a/modules/vm/terraform.tf b/modules/vm/terraform.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "0.100.0"
+    }
+
+    openwrt = {
+      source  = "ORFops/openwrt"
+      version = "0.1.29"
+    }
+  }
+}
diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf
@@ -0,0 +1,27 @@
+variable "name" {
+  type = string
+}
+
+variable "node" {
+  type = string
+}
+
+variable "vm_id" {
+  type = number
+}
+
+variable "template_id" {
+  type = number
+}
+
+variable "cpu_cores" {
+  type = number
+}
+
+variable "memory" {
+  type = number
+}
+
+variable "ip_cidr" {
+  type = string
+}
diff --git a/playbooks/k8s.yaml b/playbooks/k8s.yaml
@@ -0,0 +1,5 @@
+---
+- name: Apply Kubernetes nodes
+  hosts: k8s
+  roles:
+    - k8s
diff --git a/roles/k8s/defaults/main.yaml b/roles/k8s/defaults/main.yaml
@@ -0,0 +1,13 @@
+---
+k8s_master_group: k8s_master
+k8s_worker_group: k8s_worker
+k8s_endpoint: ""
+k8s_pre_init: false
+k8s_master_node_ready: false
+k8s_any_master_ready: false
+k8s_first_master: ""
+k8s_node_joined: false
+k8s_flux_sync_kind: GitRepository
+k8s_flux_sync_repo: "https://github.com/MilkyCode13/infra.git"
+k8s_flux_sync_ref: refs/heads/main
+k8s_flux_sync_path: clusters/default
diff --git a/roles/k8s/handlers/main.yaml b/roles/k8s/handlers/main.yaml
@@ -0,0 +1,14 @@
+---
+- name: Restart containerd
+  become: true
+  ansible.builtin.systemd_service:
+    name: containerd
+    state: restarted
+
+- name: Rebalance coredns
+  become: true
+  ansible.builtin.command:
+    cmd: kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-system rollout restart deployment coredns
+  changed_when: true
+  delegate_to: "{{ k8s_first_master }}"
+  run_once: true