fix: update gitea service volume path to use named volume

fix: correct gitea image path in service configuration
feat: add deployment support for gitea stack in the makefile and create gitea service configuration
2026-05-19 20:18:13 +08:00 · 2026-05-19 19:55:06 +08:00 · 2026-05-18 10:51:13 +08:00 · 2026-05-12 21:31:32 +08:00 · 2026-05-12 21:22:50 +08:00 · 2026-05-12 20:49:08 +08:00
369 changed files with 27522 additions and 968 deletions
@@ -1,15 +1,20 @@
 # Environment variables for docker-compose.yml
 PUID=1000
 PGID=1000
-LOG_LEVEL="DEBUG"
+LOG_LEVEL="INFO"
 NETWORK="web"
 TZ="Asia/Singapore"
 ## dashboard configs
-HOST="furyhawk.lol"
+HOST="localhost"
+# TLD="lol"
+# LOCALDOMAIN="$(hostname).${TLD}"
+# DOMAIN="$(hostname).${TLD}"
+# DOMAINNAME="$(hostname).${TLD}"
 HOSTNAME="node00"
-DATADIR="/home/furyhawk/media"
+# media directory for jellyfin
+MEDIADIR="/var/media"
 # subdomain for dashboard.
-DASHBOARD_HOST="dashboard.furyhawk.lol"
+DASHBOARD_HOST="dashboard.example.lol"

 ## TLS configs
 CERT_PATH=./certs
@@ -43,7 +48,7 @@ POSTGRES_PASSWORD=12345678
 PGADMIN_DEFAULT_EMAIL=youremail.com
 PGADMIN_DEFAULT_PASSWORD=12345678

-DATABASE__HOSTNAME=furyhawk.lol
+DATABASE__HOSTNAME=example.lol
 DATABASE__USERNAME=admin
 DATABASE__PASSWORD=12345678
 DATABASE__PORT=5432
@@ -58,6 +63,27 @@ MINIO_ROOT_PASSWORD=123456

 NEO4J_PASSWORD=12345678

+SEARXNG_SECRET=ultrasecretkey
+
+#echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
+AUTHENTIK_SECRET_KEY=
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST=localhost
+AUTHENTIK_EMAIL__PORT=25
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME=
+AUTHENTIK_EMAIL__PASSWORD=
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=authentik@localhost
+COMPOSE_PORT_HTTP=80
+COMPOSE_PORT_HTTPS=443
+
 #=====================================================================#
 #                       LibreChat Configuration                       #
 #=====================================================================#
@@ -482,3 +508,77 @@ REDLIB_DEFAULT_DISABLE_VISIT_REDDIT_CONFIRMATION=off
 REDLIB_DEFAULT_HIDE_SCORE=off
 # Enable fixed navbar by default
 REDLIB_DEFAULT_FIXED_NAVBAR=on
+
+# outline
+NODE_ENV=production
+
+# Generate a hex-encoded 32-byte random key. You should use `openssl rand -hex 32`
+# in your terminal to generate a random value.
+OUTLINE_SECRET_KEY=00b5677d3ce6c106f3d95ec830f9530f9014a2620d16fe60ed867a30c4964c5e
+
+# Generate a unique random key. The format is not important but you could still use
+# `openssl rand -hex 32` in your terminal to produce this.
+OUTLINE_UTILS_SECRET=4b8235fdc01295571bd0946abb5eaf7c131f1a652386c98b658bbc4b1b4e3540
+
+# For production point these at your databases, in development the default
+# should work out of the box.
+DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${DATABASE__HOSTNAME}:5432/outline
+# DATABASE_CONNECTION_POOL_MIN=
+# DATABASE_CONNECTION_POOL_MAX=
+# Uncomment this to disable SSL for connecting to Postgres
+# PGSSLMODE=disable
+
+# For redis you can either specify an ioredis compatible url like this
+REDIS_URL=redis://tasks.redis:6379
+# or alternatively, if you would like to provide additional connection options,
+# use a base64 encoded JSON connection option object. Refer to the ioredis documentation
+# for a list of available options.
+# Example: Use Redis Sentinel for high availability
+# {"sentinels":[{"host":"sentinel-0","port":26379},{"host":"sentinel-1","port":26379}],"name":"mymaster"}
+# REDIS_URL=ioredis://eyJzZW50aW5lbHMiOlt7Imhvc3QiOiJzZW50aW5lbC0wIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InNlbnRpbmVsLTEiLCJwb3J0IjoyNjM3OX1dLCJuYW1lIjoibXltYXN0ZXIifQ==
+
+# URL should point to the fully qualified, publicly accessible URL. If using a
+# proxy the port in URL and PORT may be different.
+OUTLINE_URL=https://outline.${DOMAIN}
+OUTLINE_PORT=3000
+
+# See [documentation](docs/SERVICES.md) on running a separate collaboration
+# server, for normal operation this does not need to be set.
+COLLABORATION_URL=
+
+# Specify what storage system to use. Possible value is one of "s3" or "local".
+# For "local", the avatar images and document attachments will be saved on local disk. 
+FILE_STORAGE=local
+
+# If "local" is configured for FILE_STORAGE above, then this sets the parent directory under
+# which all attachments/images go. Make sure that the process has permissions to create
+# this path and also to write files to it.
+FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
+
+# Maximum allowed size for the uploaded attachment.
+FILE_STORAGE_UPLOAD_MAX_SIZE=262144000
+
+# Override the maximum size of document imports, generally this should be lower
+# than the document attachment maximum size.
+FILE_STORAGE_IMPORT_MAX_SIZE=
+
+# Override the maximum size of workspace imports, these can be especially large
+# and the files are temporary being automatically deleted after a period of time.
+FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=
+
+# –––––––––––––– AUTHENTICATION ––––––––––––––
+
+# Third party signin credentials, at least ONE OF EITHER Google, Slack,
+# or Microsoft is required for a working installation or you'll have no sign-in
+# options.
+
+# To configure Google auth, you'll need to create an OAuth Client ID at
+# => https://console.cloud.google.com/apis/credentials
+#
+# When configuring the Client ID, add an Authorized redirect URI:
+# https://<URL>/auth/google.callback
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+SLACK_CLIENT_ID=
+SLACK_CLIENT_SECRET=
@@ -120,7 +120,7 @@ celerybeat.pid
 *.sage.py

 # Environments
-.env
+.env*
 .env_encoded
 .venv
 env/
@@ -165,10 +165,21 @@ cython_debug/
 # production.yml

 cache/
+config/
 data-node/
 meili_data*/
 privatebin-data/
 # postgres-data/
 minio-data/
 usersfile
-.DS_Store
+.DS_Store
+fstab
+
+kubernetes/talos/kubeconfig.yaml
+kubernetes/talos/kubeconfig
+kubernetes/talos/config
+kubernetes/talos/_out/
+kubernetes/config/
+kubernetes/_out/
+swarm/seafile/seafile-data/
+swarm/seafile/seafile-mysql/db/
@@ -1,6 +0,0 @@
-[submodule "LibreChat"]
-	path = LibreChat
-	url = https://github.com/furyhawk/LibreChat.git
-[submodule "emqx-docker"]
-	path = emqx-docker
-	url = https://github.com/furyhawk/emqx-docker.git
@@ -0,0 +1,3 @@
+{
+    "makefile.configureOnOpen": false
+}
@@ -0,0 +1,162 @@
+# AGENTS.md
+
+## Purpose
+- This repository is primarily infrastructure-as-code for Docker Compose, Docker Swarm, Kubernetes, Helm, and Ansible.
+- There is also a small Python Flask service in `webhook/` and a Streamlit app in `src/`.
+- Prefer narrow, low-risk edits. Many files are deployment manifests where a small typo can break production behavior.
+
+## Agent Priorities
+- Preserve the existing structure and conventions of the file you are editing.
+- Favor minimal diffs over broad refactors.
+- Do not rotate secrets, change domains, or alter deployment targets unless the task explicitly requires it.
+- Treat `archive/` as historical unless the task explicitly mentions it.
+- When changing runtime configuration, update only the active path (`compose/`, `swarm/`, `cluster/`, `ansible/`, `webhook/`, `src/`) relevant to the request.
+
+## Rule Files
+- No `.cursor/rules/` directory was found.
+- No `.cursorrules` file was found.
+- No `.github/copilot-instructions.md` file was found.
+- This file therefore acts as the main agent guidance for the repository.
+
+## Repository Areas
+- `makefile`: top-level operator commands for Compose and Swarm deploys.
+- `compose.yml` + `compose/`: Docker Compose configuration assembled via `include:`.
+- `swarm/`: Docker Swarm stacks, environment-driven labels, and Traefik config.
+- `cluster/`: Kubernetes manifests and Helm charts.
+- `ansible/`: playbooks and RKE2 automation.
+- `webhook/`: Poetry-managed Flask app.
+- `src/`: Streamlit app and Python requirements.
+- `scripts/`: setup, build, and smoke-test scripts.
+
+## Build Commands
+- Full local compose stack: `make serve`
+- Stop local compose stack: `make down`
+- Validate merged compose config: `docker compose -f compose.yml config`
+- Bring local compose stack up manually: `docker compose -f compose.yml up -d --build --pull always`
+- Legacy CI-style compose build path: `./scripts/build.sh`
+- Local Streamlit app only: `streamlit run src/app.py`
+- Local webhook app only: `cd webhook && poetry run python http_server.py`
+- Swarm core deploy: `make deploy-core`
+- Swarm app deploy: `make deploy-apps`
+- Swarm services deploy: `make deploy-services`
+- Ansible RKE2 cluster bootstrap: `cd ansible/rke2 && ansible-playbook site.yaml -i inventory/hosts.ini --key-file ~/.ssh/id_rsa -K`
+
+## Lint And Validation Commands
+- There is no repo-wide lint target or CI workflow checked into the repository.
+- There are no configured `ruff`, `black`, `flake8`, `mypy`, `yamllint`, `ansible-lint`, or `pytest` configs in the root.
+- Use syntax and render validation that matches the area you changed.
+- Compose validation: `docker compose -f compose.yml config`
+- Swarm file validation: `docker stack deploy --compose-file ./swarm/<stack>.yml <stack> --dry-run` is not available in Docker Swarm, so use `docker compose config` patterns where possible and review label/env interpolation carefully.
+- Helm chart render check: `helm template test-release cluster/coder-chart`
+- Helm chart lint check: `helm lint cluster/coder-chart`
+- Helm dependency check for `cluster/code-server`: `helm dependency update cluster/code-server`
+- Kubernetes manifest spot check: `kubectl apply --dry-run=client -f <file>`
+- Ansible syntax check: `ansible-playbook --syntax-check <playbook> -i <inventory>`
+- Python webhook dependency install: `cd webhook && poetry install`
+- Python webhook quick import/run check: `cd webhook && poetry run python http_server.py`
+
+## Test Commands
+- Main end-to-end smoke test script: `./scripts/test.sh`
+- Legacy CI path: `./scripts/travis.sh`
+- The smoke test expects a populated `.env`, reachable hosts, and a running local Traefik/Compose environment.
+- It verifies redirects and dashboard auth using values from `.env`.
+- Helm chart test hook exists for `cluster/coder-chart`; after install, run: `helm test <release-name>`
+- There are example/test deployment files under `test/`, but no unified automated test runner is wired to them.
+- There are currently no checked-in Python unit tests for `webhook/` or `src/`.
+
+## Running A Single Test
+- There is no first-class single-test command for the main smoke suite in `./scripts/test.sh`; it is a single shell script.
+- To run one smoke assertion, copy the relevant `curl` command from `./scripts/test.sh` and execute it directly.
+- For Helm, the narrowest useful check is a single chart render/lint:
+- `helm lint cluster/coder-chart`
+- `helm template test-release cluster/coder-chart`
+- For a single Kubernetes manifest, use: `kubectl apply --dry-run=client -f path/to/file.yaml`
+- For a single Ansible playbook, use: `ansible-playbook --syntax-check path/to/playbook.yml -i inventory`
+- If Python tests are added later, the expected targeted form would be: `cd webhook && poetry run pytest path/to/test_file.py::test_name`
+- Do not claim pytest support exists today unless you also add the test dependency and test files.
+
+## Working Safely With Config
+- Many YAML files interpolate env vars like `${DOMAINNAME}`, `${POSTGRES_PASSWORD}`, or `${VAR?Variable not set}`.
+- Preserve existing variable names exactly; accidental renames will break deployments.
+- Prefer existing anchors and aliases, such as `x-environment` blocks, over duplicating env declarations.
+- Preserve quoting style when editing Traefik labels or shell-sensitive strings.
+- Be careful with `$` escaping inside labels and regex replacements.
+- Avoid changing published ports, hostnames, or Traefik router rules unless explicitly requested.
+
+## Code Style: General
+- Match the local style of the file you touch rather than imposing a new formatter.
+- Keep YAML keys, Helm templates, and Ansible tasks visually aligned and easy to scan.
+- Prefer small, direct changes over restructuring files.
+- Keep comments only when they explain a non-obvious operational constraint.
+- Reuse existing naming patterns like `api_server`, `postgres_db`, `streamlit-fin`, and `deploy-core`.
+- Preserve file-specific indentation conventions: YAML uses spaces, Make uses tabs for recipe lines, shell scripts use the existing shell style.
+
+## Imports
+- In Python, keep imports at the top of the file.
+- Prefer standard library imports first, then third-party imports.
+- Avoid unused imports.
+- Follow the existing concise import style unless you are already refactoring the file for readability.
+- When touching `webhook/http_server.py` or `src/app.py`, it is acceptable to improve import ordering if part of a necessary edit.
+
+## Formatting
+- YAML: two-space indentation, no tab characters.
+- Helm templates: preserve current whitespace trimming markers like `{{-` and `-}}`.
+- Python: use four-space indentation even though some existing files are inconsistent.
+- Shell: keep `set -e` or `set -ev` when present; do not remove safety flags casually.
+- Markdown: keep bullets short and operational.
+- Do not introduce large-scale formatting churn in files that are otherwise working.
+
+## Types And Data Shapes
+- Python code in this repo is lightly typed today; there is no mypy configuration.
+- Add type hints when they clarify new or changed Python logic, but do not force a repo-wide typing conversion.
+- For YAML, respect the existing scalar style and only quote when interpolation, special characters, or parser ambiguity require it.
+- Keep environment values as strings unless the target format clearly expects booleans or integers.
+- In Helm values and templates, preserve the expected shape of objects and lists; changing key structure is usually a breaking change.
+
+## Naming Conventions
+- Docker Compose services commonly use snake_case or hyphenated names already established in the file; follow the surrounding pattern.
+- Ansible task names should be descriptive imperative phrases.
+- Kubernetes resource names should stay lowercase and DNS-safe.
+- Python function names should be `snake_case`.
+- Python constants and environment variable names should be uppercase.
+- Keep public-facing hostnames and router names consistent with nearby services.
+
+## Error Handling
+- Do not swallow errors silently in new Python code.
+- Avoid bare `except:`; catch specific exceptions where practical.
+- Return clear HTTP responses in Flask handlers.
+- In shell scripts, prefer failing fast over ignoring command failures.
+- In Ansible, use `register`, `when`, and `changed_when` intentionally; do not mark tasks changed without a reason.
+- In deployment config, prefer explicit required vars like `${VAR?Variable not set}` for critical settings.
+
+## Python-Specific Notes
+- `webhook/http_server.py` currently uses minimal Flask code and would benefit from improved formatting and more explicit error handling when modified.
+- `src/app.py` contains Streamlit logic with some inconsistent spacing and a bare `except:`; fix such issues only when your change touches that area.
+- Preserve current runtime entrypoints unless the task explicitly changes startup behavior.
+
+## Ansible-Specific Notes
+- Prefer fully qualified module names such as `ansible.builtin.command` where the surrounding file already uses them.
+- Keep playbooks idempotent where possible.
+- Avoid unnecessary `shell` usage when `command`, `template`, `copy`, or dedicated modules work.
+- Respect existing inventory and variable layout under `ansible/rke2/inventory/`.
+- Be cautious with `become_user`, `changed_when`, and cluster bootstrap sequencing.
+
+## Helm And Kubernetes Notes
+- Render Helm templates locally before making broad chart changes.
+- Preserve helper usage like `include`, `toYaml`, `nindent`, and existing label helpers.
+- Avoid renaming values keys unless you also update every template consumer.
+- Maintain probe, volume, and securityContext structure unless there is a concrete reason to change them.
+- For plain manifests, keep apiVersion, kind, metadata, and spec ordering consistent with nearby files.
+
+## Docker And Traefik Notes
+- Traefik labels are heavily used and are sensitive to quoting and interpolation.
+- Keep router, middleware, and service label names consistent across related files.
+- Prefer extending shared env blocks and shared network definitions over one-off duplication.
+- Be careful with `host-gateway`, mounted Docker sockets, and certificate storage paths.
+- Do not commit real secrets into compose, swarm, or manifest files.
+
+## When Unsure
+- Validate the smallest affected surface first.
+- Prefer commands that only render or syntax-check before commands that deploy.
+- If a task spans multiple deployment systems, confirm which path is active before editing all of them.
+- Document assumptions in the final response if the repo does not provide a definitive source of truth.
@@ -3,9 +3,10 @@
 # Webapp + Streamlit + Traefik + Docker
 This simple project uses Traefik as a reverse proxy to a Streamlit application and handles SSL certs with Lets Encrypt.

- [Chat](https://chat.furyhawk.lol/): Chat with AI.
+- [AI](https://bot.furyhawk.lol/): OpenwebUI.
+- ~~[Chat](https://chat.furyhawk.lol/): Chat with AI.~~
 - [Stock Analysis Assistant](https://fin.furyhawk.lol/): AI assistant using GROQ and llama3.
- [Redlib](https://redlib.furyhawk.lol/): Reddit libre.
+- ~~[Redlib](https://redlib.furyhawk.lol/): Reddit libre.~~
 - [Blog](https://info.furyhawk.lol/)
 - [Beyond All Information](https://bai.furyhawk.lol/): analyse your [Beyond All Reason](https://www.beyondallreason.info/) games.
 - [CheatSheets](https://cheat.furyhawk.lol/): Collection of cheatsheets.
@@ -17,19 +18,31 @@ This simple project uses Traefik as a reverse proxy to a Streamlit application a

 ## Requirements
 - Docker Compose
- Build for ARM64 platform
+- Build for ARM64/x86 platform

 ## Production Deployment
-1. In `compose/traefik/traefik.yml`, change `example@test.com` to your email.
-2. In `compose/traefik/traefik.yml`, change `example.com` to your domain.
-3. `sudo apt-get install build-essential`
-4. `mdkir ~/st-sync`
-5. `mdkir ~/.thelounge`
-6. `touch cache/bar_cache.sqlite`
-7. `touch cache/short_cache.sqlite`
-8. `cp .env.example .env`
-9. `cp usersfile.example usersfile`
-10. `make serve`
+1. `git clone https://github.com/furyhawk/cloudy.git`
+2. `cd cloudy`
+3. `git submodule update --init --recursive`
+4. In `compose/traefik/traefik.yml`, change `example@test.com` to your email.
+5. In `compose/traefik/traefik.yml`, change `example.com` to your domain.
+6. `sudo apt-get install build-essential` (if not already installed) to use makefile.
+7. `mkdir ~/st-sync` syncthing folder.
+8. `mkdir ~/site` public site folder.
+9. `mkdir ./compose/config` to store config.
+10. `cp .env.example ./compose/.env && cp .env ~/config/.env`
+11. `cp ./compose/config/conf.php ~/config/conf.php`
+12. `cp usersfile.example ./compose/usersfile`
+13. `make serve`
+
+## Docker Swarm Deployment
+```
+docker swarm init
+docker network create -d overlay --attachable traefik-public
+make deploy-core
+
+docker service logs core_traefik --details
+```

 ### Notes:
 ```yaml
@@ -43,3 +56,29 @@ This simple project uses Traefik as a reverse proxy to a Streamlit application a
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
+
+### TODO:
+
+middleware:
+```
+# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+# Enable cross-site filter (XSS) and tell browser to block detected attacks
+X-XSS-Protection "1; mode=block"
+
+# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+X-Content-Type-Options "nosniff"
+
+# Disable some features
+Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
+
+# Disable some features (legacy)
+Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+
+# Referer
+Referrer-Policy "no-referrer"
+
+# X-Robots-Tag
+X-Robots-Tag "noindex, noarchive, nofollow"
+```
@@ -0,0 +1,69 @@
+devservers:
+  hosts:
+    node09:
+      ansible_host: 101.100.172.55
+      ansible_port: 9991
+    node00:
+      ansible_host: 101.100.172.55
+      ansible_port: 9999
+    node01:
+      ansible_host: 101.100.172.55
+      ansible_port: 9998
+
+debian:
+  hosts:
+    node00:
+      ansible_host: 101.100.172.55
+      ansible_port: 9999
+    node01:
+      ansible_host: 101.100.172.55
+      ansible_port: 9998
+
+local:
+  hosts:
+    node00:
+      ansible_host: 192.168.50.114
+      ansible_port: 22
+    node01:
+      ansible_host: 192.168.50.68
+      ansible_port: 22
+    node02:
+      ansible_host: 192.168.50.56
+      ansible_port: 22
+
+test:
+  hosts:
+    node05:
+      ansible_host: 192.168.50.205
+      ansible_port: 22
+    node09:
+      ansible_host: 192.168.50.209
+      ansible_port: 22
+
+dev:
+  hosts:
+    dev301:
+      ansible_host: 192.168.50.71
+    dev302:
+      ansible_host: 192.168.50.170
+
+prod:
+  hosts:
+    dc00:
+      ansible_host: 192.168.50.210
+      ansible_user: user
+    dc01:
+      ansible_host: 192.168.50.201
+      ansible_user: user
+    dc02:
+      ansible_host: 192.168.50.202
+      ansible_user: user
+    dc03:
+      ansible_host: 192.168.50.203
+      ansible_user: user
+    dc04:
+      ansible_host: 192.168.50.204
+      ansible_user: user
+    dc05:
+      ansible_host: 192.168.50.205
+      ansible_user: user
@@ -0,0 +1,8 @@
+---
+docker:
+  hosts:
+    docker01:
+      ansible_host: 192.168.200.222
+      ansible_user: 'ubuntu'
+      ansible_become: true
+      ansible_become_method: sudo
@@ -0,0 +1,7 @@
+---
+- name: Install Docker on Ubuntu
+  hosts: all
+  become: true
+  roles:
+    - docker_install
+    - portainer_deploy
@@ -0,0 +1,5 @@
+---
+- name: Restart Docker
+  ansible.builtin.systemd:
+    name: docker
+    state: restarted
@@ -0,0 +1,41 @@
+---
+- name: Ensure apt is using HTTPS
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - apt-transport-https
+    - ca-certificates
+    - curl
+    - software-properties-common
+
+- name: Add Docker GPG key
+  ansible.builtin.apt_key:
+    url: "https://download.docker.com/linux/ubuntu/gpg"
+    state: present
+
+- name: Add Docker repository
+  ansible.builtin.apt_repository:
+    repo: "{{ docker_apt_repository }}"
+    state: present
+
+- name: Install Docker CE
+  ansible.builtin.apt:
+    name: docker-ce
+    state: present
+    update_cache: true
+
+- name: Configure Docker daemon options
+  ansible.builtin.template:
+    src: "templates/docker_daemon.json.j2"
+    dest: "/etc/docker/daemon.json"
+    owner: 'root'
+    group: 'root'
+    mode: '0755'  # Optional file permissions
+  notify: Restart Docker
+
+- name: Ensure Docker service is enabled and running
+  ansible.builtin.systemd:
+    name: docker
+    enabled: true
+    state: started
@@ -0,0 +1,3 @@
+{
+    "storage-driver": "{{ docker_daemon_options['storage-driver'] }}"
+}
@@ -0,0 +1,5 @@
+---
+docker_apt_release_channel: "stable"
+docker_apt_repository: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+docker_daemon_options:
+  storage-driver: "overlay2"
@@ -0,0 +1,6 @@
+---
+- name: Start Portainer
+  community.docker.docker_compose:
+    project_src: /home/ubuntu/docker-compose/portainer
+    state: present
+    restarted: true
@@ -0,0 +1,34 @@
+---
+- name: Ensure docker-compose is installed
+  ansible.builtin.package:
+    name: docker-compose
+    state: present
+
+- name: Ensure Docker service is running
+  ansible.builtin.service:
+    name: docker
+    state: started
+    enabled: true
+
+- name: Setup Portainer directory
+  ansible.builtin.file:
+    path: /home/ubuntu/docker-compose/portainer
+    state: directory
+    mode: '0755'  # Optional file permissions
+    owner: ubuntu  # Optional ownership
+    group: ubuntu  # Optional group ownership
+
+- name: Deploy Portainer using Docker Compose
+  ansible.builtin.template:
+    src: "templates/docker_compose.yaml.j2"
+    dest: "/home/ubuntu/docker-compose/portainer/docker-compose.yaml"
+    mode: '0755'  # Optional file permissions
+    owner: ubuntu  # Optional ownership
+    group: ubuntu  # Optional group ownership
+  notify:
+    - Start Portainer
+
+- name: Run Portainer docker-compose up
+  community.docker.docker_compose:
+    project_src: /home/ubuntu/docker-compose/portainer
+    state: present
@@ -0,0 +1,13 @@
+version: '3.3'
+services:
+  portainer:
+    image: portainer/portainer-ce:{{ portainer_version }}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    ports:
+      - "9000:9000"
+    restart: always
+
+volumes:
+  portainer_data:
@@ -0,0 +1,2 @@
+---
+portainer_version: "latest"
@@ -0,0 +1,52 @@
+---
+- name: Deploy Docker Container with Docker Compose
+  hosts: all
+  become: true
+  tasks:
+    - name: Ensure Docker is installed
+      ansible.builtin.package:
+        name: docker
+        state: present
+
+    - name: Ensure Docker service is running
+      ansible.builtin.service:
+        name: docker
+        state: started
+        enabled: true
+
+    - name: Create a directory for Docker Compose files
+      ansible.builtin.file:
+        path: /home/ubuntu/ansible-docker/docker-compose
+        state: directory
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Create a directory for Nginx website files
+      ansible.builtin.file:
+        path: /home/ubuntu/docker/nginx/web
+        state: directory
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Copy docker-compose to remote host
+      ansible.builtin.copy:
+        src: /home/ubuntu/nginx/docker-compose.yaml
+        dest: /home/ubuntu/ansible-docker/docker-compose/docker-compose.yaml
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Copy Nginx website folder to remote host # copies a folder - note no file extension
+      ansible.builtin.copy:
+        src: /home/ubuntu/nginx/website
+        dest: /home/ubuntu/docker/nginx/web
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Start Docker Compose
+      community.docker.docker_compose:
+        project_src: /home/ubuntu/ansible-docker/docker-compose
+        state: present
@@ -0,0 +1,24 @@
+---
+- name: Undo Docker Compose Deployment
+  hosts: all
+  become: true
+  tasks:
+    - name: Stop Docker Container
+      community.docker.docker_compose:
+        project_src: /home/ubuntu/ansible-docker/docker-compose
+        state: absent
+
+    - name: Remove Docker Compose file
+      ansible.builtin.file:
+        path: /home/ubuntu/ansible-docker/docker-compose/docker-compose.yml
+        state: absent
+
+    - name: Remove Docker Compose directory
+      ansible.builtin.file:
+        path: /home/ubuntu/ansible-docker
+        state: absent
+
+    - name: Remove Website directory
+      ansible.builtin.file:
+        path: /home/ubuntu/docker/nginx/web
+        state: absent
@@ -0,0 +1,8 @@
+---
+docker:
+  hosts:
+    docker01:
+      ansible_host: 192.168.200.50
+      ansible_user: 'ubuntu'
+      ansible_become: true
+      ansible_become_method: sudo
@@ -0,0 +1,31 @@
+version: "3.9"
+services:
+  web:
+    image: nginx
+    container_name: jimsgarage
+    volumes:
+     - /home/ubuntu/docker/nginx/templates:/etc/nginx/templates
+     - /home/ubuntu/docker/nginx/web/website:/usr/share/nginx/html
+    environment:
+     - NGINX_HOST=nginx.jimsgarage.co.uk
+     - NGINX_PORT=80
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.nginx.entrypoints=http"
+      - "traefik.http.routers.nginx.rule=Host(`nginx.jimsgarage.co.uk`)"
+      - "traefik.http.middlewares.nginx-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.nginx.middlewares=nginx-https-redirect"
+      - "traefik.http.routers.nginx-secure.entrypoints=https"
+      - "traefik.http.routers.nginx-secure.rule=Host(`nginx.jimsgarage.co.uk`)"
+      - "traefik.http.routers.nginx-secure.tls=true"
+      - "traefik.http.routers.nginx-secure.service=nginx"
+      - "traefik.http.services.nginx.loadbalancer.server.port=80"
+      - "traefik.docker.network=proxy"
+    networks:
+      proxy:
+    security_opt:
+      - no-new-privileges:true
+
+networks:
+  proxy:
+    external: true
@@ -0,0 +1,108 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Jim's Garage Ansible Demo</title>
+  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
+  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.4/css/all.min.css">
+  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
+  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js"></script>
+  <style>
+    .hero {
+      background: url(Jims-Garage-1.png) no-repeat center center;
+      background-size: cover;
+      height: 400px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      color: white;
+      text-shadow: 2px 2px 5px rgba(0, 0, 0, 0.7);
+    }
+    
+    .features {
+      margin-top: 50px;
+      text-align: center;
+    }
+    
+    .feature {
+      padding: 20px;
+      transition: transform 0.3s ease;
+    }
+    
+    .feature:hover {
+      transform: scale(1.05);
+    }
+    
+    .footer {
+      background-color: #333;
+      color: white;
+      text-align: center;
+      padding: 20px;
+      position: fixed;
+      width: 100%;
+      bottom: 0;
+    }
+  </style>
+</head>
+<body>
+  <!-- Navigation Bar -->
+  <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
+    <a class="navbar-brand" href="#">My Webpage</a>
+    <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarNav" aria-controls="navbarNav" aria-expanded="false" aria-label="Toggle navigation">
+      <span class="navbar-toggler-icon"></span>
+    </button>
+    <div class="collapse navbar-collapse" id="navbarNav">
+      <ul class="navbar-nav ml-auto">
+        <li class="nav-item">
+          <a class="nav-link" href="#home">Home</a>
+        </li>
+        <li class="nav-item">
+          <a class="nav-link" href="#features">Features</a>
+        </li>
+        <li class="nav-item">
+          <a class="nav-link" href="#contact">Contact</a>
+        </li>
+      </ul>
+    </div>
+  </nav>
+
+  <!-- Hero Section -->
+  <div class="hero" id="home">
+    <h1>Welcome to Jim's Garage Ansible Demo</h1>
+  </div>
+
+  <!-- Features Section -->
+  <div class="container features" id="features">
+    <h2>Our Features</h2>
+    <div class="row">
+      <div class="col-md-4">
+        <div class="feature">
+          <i class="fas fa-cogs fa-3x"></i>
+          <h4>Feature 1</h4>
+          <p>Dynamic and interactive elements.</p>
+        </div>
+      </div>
+      <div class="col-md-4">
+        <div class="feature">
+          <i class="fas fa-bolt fa-3x"></i>
+          <h4>Feature 2</h4>
+          <p>Responsive design and transitions.</p>
+        </div>
+      </div>
+      <div class="col-md-4">
+        <div class="feature">
+          <i class="fas fa-heart fa-3x"></i>
+          <h4>Feature 3</h4>
+          <p>Engaging user experiences.</p>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <!-- Footer Section -->
+  <div class="footer">
+    <p>© 2024 My Webpage. All rights reserved.</p>
+  </div>
+</body>
+</html>
@@ -0,0 +1,57 @@
+---
+- name: Update Windows, Arch Linux, and Ubuntu
+  hosts: all
+  tasks:
+    - name: Gather facts
+      ansible.builtin.setup:
+
+    - name: Update Windows
+      when: ansible_facts['os_family'] == 'Windows'
+      ansible.windows.win_updates:
+        category_names:
+          - SecurityUpdates
+          - UpdateRollups
+          - CriticalUpdates
+        state: installed
+      register: win_update_result
+
+    - name: Check if Windows requires a reboot
+      when: win_update_result.changed and win_update_result.reboot_required | default(false)
+      ansible.windows.win_reboot:
+        reboot_timeout: 600
+      register: win_reboot_result
+
+    - name: Update Arch Linux
+      when: ansible_facts['os_family'] == 'Arch'
+      community.general.pacman:
+        update_cache: true
+        upgrade: true
+      register: arch_update_result
+
+    - name: Check if Arch Linux requires a reboot
+      when: ansible_facts['os_family'] == 'Arch' and arch_update_result.changed
+      ansible.builtin.stat:
+        path: /run/reboot-required
+      register: arch_reboot_required
+
+    - name: Reboot Arch Linux if required
+      when: arch_reboot_required.stat.exists | default(false)
+      ansible.builtin.reboot:
+        reboot_timeout: 600
+
+    - name: Update Ubuntu
+      when: ansible_facts['os_family'] == 'Debian'
+      ansible.builtin.apt:
+        upgrade: dist
+        update_cache: true
+
+    - name: Check if a reboot is required on Ubuntu
+      when: ansible_facts['os_family'] == 'Debian'
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+      register: ubuntu_reboot_required
+
+    - name: Reboot Ubuntu if required
+      when: ubuntu_reboot_required.stat.exists | default(false)
+      ansible.builtin.reboot:
+        reboot_timeout: 600
@@ -0,0 +1,14 @@
+arch:
+  hosts:
+    arch01:
+      ansible_host: 192.168.200.214
+      ansible_user: 'root'
+      ansible_python_interpreter: /usr/bin/python3
+
+docker:
+  hosts:
+    docker01:
+      ansible_host: 192.168.200.50
+      ansible_user: 'ubuntu'
+      ansible_become: true
+      ansible_become_method: sudo
@@ -0,0 +1,6 @@
+---
+collections:
+  - name: ansible.utils
+  - name: community.general
+  - name: ansible.posix
+  - name: kubernetes.core
@@ -0,0 +1,18 @@
+os: "linux"
+arch: "amd64"
+
+kube_vip_version: "v0.8.0"
+vip_interface: eth0
+vip: 192.168.3.50
+
+metallb_version: v0.13.12
+lb_range: 192.168.3.80-192.168.3.90
+lb_pool_name: first-pool
+
+rke2_version: "v1.29.4+rke2r1"
+rke2_install_dir: "/usr/local/bin"
+rke2_binary_url: "https://github.com/rancher/rke2/releases/download/{{ rke2_version }}/rke2.linux-amd64"
+
+ansible_user: ubuntu
+ansible_become: true
+ansible_become_method: sudo
@@ -0,0 +1,11 @@
+# Make sure Ansible host has access to these devices
+# Good idea to snapshot all machines and deploy uing cloud-init
+
+[servers]
+server1 ansible_host=192.168.3.21
+server2 ansible_host=192.168.3.22
+server3 ansible_host=192.168.3.23
+
+[agents]
+agent1 ansible_host=192.168.3.24
+agent2 ansible_host=192.168.3.25
@@ -0,0 +1,17 @@
+# Copy agent config to all agents - we need to change agent2 & 3 later with the token
+- name: Deploy RKE2 Agent Configuration
+  ansible.builtin.template:
+    src: templates/rke2-agent-config.j2
+    dest: /etc/rancher/rke2/config.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['agents']
+
+# Check agents have restarted to pick up config
+- name: Ensure RKE2 agents are enabled and running
+  ansible.builtin.systemd:
+    name: rke2-agent
+    enabled: true
+    state: restarted
+    daemon_reload: true
@@ -0,0 +1,5 @@
+write-kubeconfig-mode: "0644"
+token: {{ hostvars['server1']['token'] }}
+server: https://{{ hostvars['server1']['ansible_host'] }}:9345
+node-label:
+  - "agent=true"
@@ -0,0 +1,53 @@
+# Copy server config with token to all servers except server 1 (this has token)
+- name: Deploy RKE2 server Configuration
+  ansible.builtin.template:
+    src: templates/rke2-server-config.j2
+    dest: /etc/rancher/rke2/config.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname != groups['servers'][0]
+
+# Keep checking the cluster API until it's functioning (deployed)
+- name: Wait for cluster API to be ready (can take 5-10 mins depending on internet/hardware)
+  ansible.builtin.command:
+    cmd: "kubectl get nodes"
+  register: kubectl_output
+  until: "'connection refused' not in kubectl_output.stderr"
+  retries: 120
+  delay: 10
+  changed_when: true
+  become_user: "{{ ansible_user }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# Use kubectl to deploy yaml. Perhaps this can be added to the manifest folder initially
+- name: Apply kube vip configuration file
+  ansible.builtin.command:
+    cmd: kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml apply -f https://kube-vip.io/manifests/rbac.yaml
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Apply the kube-vip configration. Perhaps this can be added to the manifest folder initially
+- name: Apply kube vip configuration file
+  ansible.builtin.command:
+    cmd: kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml apply -f https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/main/manifest/kube-vip-cloud-controller.yaml
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Check that additional servers are restarted
+- name: Ensure additional RKE2 servers are enabled and running
+  ansible.builtin.systemd:
+    name: rke2-server
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  when: inventory_hostname != groups['servers'][0]
+
+# enable additional servers
+- name: Ensure RKE2 server is enabled and running
+  ansible.builtin.systemd:
+    name: rke2-server
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  when: inventory_hostname != groups['servers'][0]
@@ -0,0 +1,10 @@
+write-kubeconfig-mode: "0644"
+token: {{ hostvars['server1']['token'] }}
+server: https://{{ hostvars['server1']['ansible_host'] }}:9345
+tls-san:
+  - {{ vip }}
+  - {{ hostvars['server1']['ansible_host'] }}
+  - {{ hostvars['server2']['ansible_host'] }}
+  - {{ hostvars['server3']['ansible_host'] }}
+node-label:
+  - server=true
@@ -0,0 +1,60 @@
+# Wait for Server 1 to be ready before continuing with metallb deployment
+- name: Wait for k8s nodes with node label 'server=true' to be ready, otherwise we cannot start metallb deployment
+  ansible.builtin.command:
+    cmd: "kubectl wait --for=condition=Ready nodes --selector server=true --timeout=600s"
+  register: nodes_ready
+  retries: 120
+  delay: 10
+  changed_when: true
+  become_user: "{{ ansible_user }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# Create namespace so that we can deploy metallb
+- name: Apply metallb namespace
+  ansible.builtin.command:
+    cmd: kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/namespace.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Apply metallb manifest
+- name: Apply metallb manifest
+  ansible.builtin.command:
+    cmd: kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/{{ metallb_version }}/config/manifests/metallb-native.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Wait for metallb deployment pods to be alive before deploying metallb manifests
+- name: Wait for metallb pods to be ready, otherwise we cannot start metallb deployment
+  ansible.builtin.command:
+    cmd: "kubectl wait --namespace metallb-system --for=condition=ready pod --selector=component=controller --timeout=1800s"
+  changed_when: true
+  become_user: "{{ ansible_user }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# Apply L2 Advertisement for metallb
+- name: Apply metallb L2 Advertisement
+  ansible.builtin.command:
+    cmd: kubectl apply -f https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Kubernetes/RKE2/l2Advertisement.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Deploy metal IP Pool to Server 1
+- name: Copy metallb IPPool to server 1
+  ansible.builtin.template:
+    src: templates/metallb-ippool.j2
+    dest: /home/{{ ansible_user }}/ippool.yaml
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: '0755'
+  when: inventory_hostname == groups['servers'][0]
+
+# don't think this will work as nodes are no execute, might need agents first
+- name: Apply metallb ipppool
+  ansible.builtin.command:
+    cmd: kubectl apply -f /home/{{ ansible_user }}/ippool.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: {{ lb_pool_name }}
+  namespace: metallb-system
+spec:
+  addresses:
+  - {{ lb_range }}
@@ -0,0 +1,17 @@
+# Create directory to deploy kube-vip manifest
+- name: Create directory for Kube VIP Manifest
+  ansible.builtin.file:
+    path: "/var/lib/rancher/rke2/server/manifests"
+    state: directory
+    mode: '0644'
+  when: inventory_hostname in groups['servers']
+
+# Copy kube-vip to server 1 manifest folder for auto deployment at bootstrap
+- name: Deploy Kube VIP Configuration
+  ansible.builtin.template:
+    src: templates/kube-vip-config.j2
+    dest: /var/lib/rancher/rke2/server/manifests/kube-vip.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname == groups['servers'][0]
@@ -0,0 +1,88 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: kube-vip-ds
+    app.kubernetes.io/version: {{ kube_vip_version }}
+  name: kube-vip-ds
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-vip-ds
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: kube-vip-ds
+        app.kubernetes.io/version: {{ kube_vip_version }}
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists
+            - matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+      containers:
+      - args:
+        - manager
+        env:
+        - name: vip_arp
+          value: "true"
+        - name: port
+          value: "6443"
+        - name: vip_interface
+          value: {{ vip_interface }}
+        - name: vip_cidr
+          value: "32"
+        - name: cp_enable
+          value: "true"
+        - name: cp_namespace
+          value: kube-system
+        - name: vip_ddns
+          value: "false"
+        - name: svc_enable
+          value: "false"
+        - name: svc_leasename
+          value: plndr-svcs-lock
+        - name: vip_leaderelection
+          value: "true"
+        - name: vip_leasename
+          value: plndr-cp-lock
+        - name: vip_leaseduration
+          value: "5"
+        - name: vip_renewdeadline
+          value: "3"
+        - name: vip_retryperiod
+          value: "1"
+        - name: address
+          value: {{ vip }}
+        - name: prometheus_server
+          value: :2112
+        image: ghcr.io/kube-vip/kube-vip:{{ kube_vip_version }}
+        imagePullPolicy: Always
+        name: kube-vip
+        resources: {}
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+      hostNetwork: true
+      serviceAccountName: kube-vip
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+  updateStrategy: {}
+status:
+  currentNumberScheduled: 0
+  desiredNumberScheduled: 0
+  numberMisscheduled: 0
+  numberReady: 0
@@ -0,0 +1,15 @@
+- name: Enable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    state: present
+    reload: true
+  tags: sysctl
+
+- name: Enable IPv6 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: "1"
+    state: present
+    reload: true
+  tags: sysctl
@@ -0,0 +1,20 @@
+# Create a directory to download RKE2 binary to
+- name: Create directory for RKE2 binary
+  ansible.builtin.file:
+    path: "{{ rke2_install_dir }}"
+    state: directory
+    mode: '0755'
+
+# Download the RKE2 binary
+- name: Download RKE2 binary
+  ansible.builtin.get_url:
+    url: "{{ rke2_binary_url }}"
+    dest: "{{ rke2_install_dir }}/rke2"
+    mode: '0755'
+
+# Set permissions on the RKE2 binary
+- name: Set executable permissions on the RKE2 binary
+  ansible.builtin.file:
+    path: "{{ rke2_install_dir }}/rke2"
+    mode: '0755'
+    state: file
@@ -0,0 +1,134 @@
+- name: Create directory for RKE2 config
+  ansible.builtin.file:
+    path: "/etc/rancher/rke2"
+    state: directory
+    mode: '0644'
+
+- name: Create directory for RKE2 token
+  ansible.builtin.file:
+    path: "/var/lib/rancher/rke2/server"
+    state: directory
+    mode: '0644'
+
+# Copy server config to server 1 for bootstrap - we need to change server2 & 3 later with the token
+- name: Deploy RKE2 server Configuration
+  ansible.builtin.template:
+    src: templates/rke2-server-config.j2
+    dest: /etc/rancher/rke2/config.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['servers']
+
+- name: Create systemd service file for RKE2 server
+  ansible.builtin.template:
+    src: templates/rke2-server.service.j2
+    dest: /etc/systemd/system/rke2-server.service
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['servers']
+
+- name: Create systemd service file for RKE2 agent
+  ansible.builtin.template:
+    src: templates/rke2-agent.service.j2
+    dest: /etc/systemd/system/rke2-agent.service
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['agents']
+
+# we enable the first server to generate tokens etc, copy this afterwards to other servers
+- name: Ensure RKE2 server is enabled and running
+  ansible.builtin.systemd:
+    name: rke2-server
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  when: inventory_hostname in groups['servers'][0]
+
+# wait for node token to be availale so that we can copy it, we need this to join other nodes
+- name: Wait for node-token
+  ansible.builtin.wait_for:
+    path: /var/lib/rancher/rke2/server/node-token
+  when: inventory_hostname == groups['servers'][0]
+
+# wait for kubectl to be downloaded, part of the rke2 installation
+- name: Wait for kubectl
+  ansible.builtin.wait_for:
+    path: /var/lib/rancher/rke2/bin/kubectl
+  when: inventory_hostname == groups['servers'][0]
+
+# copy kubectl to usr bin so that all users can run kubectl commands
+- name: Copy kubectl to user bin
+  ansible.builtin.copy:
+    src: /var/lib/rancher/rke2/bin/kubectl
+    dest: /usr/local/bin/kubectl
+    mode: '0755'
+    remote_src: true
+  become: true
+  when: inventory_hostname == groups['servers'][0]
+
+# wait for the kubectl copy to complete
+- name: Wait for kubectl
+  ansible.builtin.wait_for:
+    path: /usr/local/bin/kubectl
+  when: inventory_hostname == groups['servers'][0]
+
+# modify token access
+- name: Register node-token file access mode
+  ansible.builtin.stat:
+    path: /var/lib/rancher/rke2/server
+  register: p
+
+- name: Change file access for node-token
+  ansible.builtin.file:
+    path: /var/lib/rancher/rke2/server
+    mode: "g+rx,o+rx"
+  when: inventory_hostname == groups['servers'][0]
+
+# Save token as variable
+- name: Fetch the token from the first server node
+  ansible.builtin.slurp:
+    src: /var/lib/rancher/rke2/server/token
+  register: rke2_token
+  when: inventory_hostname == groups['servers'][0]
+  run_once: true
+
+# convert token to fact
+- name: Save Master node-token for later
+  ansible.builtin.set_fact:
+    token: "{{ rke2_token.content | b64decode | regex_replace('\n', '') }}"
+
+# revert token file access
+- name: Restore node-token file access
+  ansible.builtin.file:
+    path: /var/lib/rancher/rke2/server
+    mode: "{{ p.stat.mode }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# check .kube folder exists so that we can use kubectl (config resides here)
+- name: Ensure .kube directory exists in user's home
+  ansible.builtin.file:
+    path: "/home/{{ ansible_user }}/.kube"
+    state: directory
+    mode: '0755'
+  become: true
+
+# copy kubectl config file to .kube folder
+- name: Copy config file to user home directory
+  ansible.builtin.copy:
+    src: /etc/rancher/rke2/rke2.yaml
+    dest: "/home/{{ ansible_user }}/.kube/config"
+    remote_src: true
+    owner: "{{ ansible_user }}"
+    mode: "u=rw,g=,o="
+  when: inventory_hostname == groups['servers'][0]
+
+# change IP from local to server 1 IP
+- name: Replace IP address with server1
+  ansible.builtin.replace:
+    path: /home/{{ ansible_user }}/.kube/config
+    regexp: '127.0.0.1'
+    replace: "{{ hostvars['server1']['ansible_host'] }}"
+  when: inventory_hostname == groups['servers'][0]
@@ -0,0 +1,13 @@
+# rke2-agent.service.j2
+[Unit]
+Description=RKE2 Agent
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/rke2 agent
+KillMode=process
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,10 @@
+write-kubeconfig-mode: "0644"
+tls-san:
+  - {{ vip }}
+  - {{ hostvars['server1']['ansible_host'] }}
+  - {{ hostvars['server2']['ansible_host'] }}
+  - {{ hostvars['server3']['ansible_host'] }}
+node-label:
+  - server=true
+disable:
+  - rke2-ingress-nginx
@@ -0,0 +1,13 @@
+# rke2-server.service.j2
+[Unit]
+Description=RKE2 server
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/rke2 server
+KillMode=process
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,61 @@
+# Hello, thanks for using my playbook, hopefully you can help to improve it.
+# Things that need adding: (there are many more)
+# 1) Support different OS & architectures
+# 2) Support multiple CNIs
+# 3) Improve the wait logic
+# 4) Use kubernetes Ansible plugins more sensibly
+# 5) Optimise flow logic
+# 6) Clean up
+
+###############################################################
+# MAKE SURE YOU CHANGE group_vars/all.yaml VARIABLES!!!!!!!!!!!
+###############################################################
+
+# bootstraps first server and copies configs for others/agents
+- name: Prepare all nodes
+  hosts: servers,agents
+  gather_facts: true # enables us to gather lots of useful variables: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/setup_module.html
+  roles:
+    - prepare-nodes
+
+# creates directories for download and then downloads RKE2 and changes permissions
+- name: Download RKE2
+  hosts: servers,agents
+  gather_facts: true
+  roles:
+    - rke2-download
+
+# Creates RKE2 bootstrap manifests folder and copies kube-vip template over (configured with variables)
+- name: Deploy Kube VIP
+  hosts: servers
+  gather_facts: true
+  roles:
+    - kube-vip
+
+# bootstraps the first server, copies configs to nodes, saves token to use later
+- name: Prepare RKE2 on Servers and Agents
+  hosts: servers,agents
+  gather_facts: true
+  roles:
+    - rke2-prepare
+
+# Adds additional servers using the token from the previous task
+- name: Add additional RKE2 Servers
+  hosts: servers
+  gather_facts: true
+  roles:
+    - add-server
+
+# Adds agents to the cluster
+- name: Add additional RKE2 Agents
+  hosts: agents
+  gather_facts: true
+  roles:
+    - add-agent
+
+# Finish kube-vip, add metallb
+- name: Apply manifests after cluster is created
+  hosts: servers
+  gather_facts: true
+  roles:
+    - apply-manifests
@@ -0,0 +1,67 @@
+---
+- name: Deploy Docker Container with Docker Compose
+  hosts: all
+  become: true
+  tasks:
+    - name: Include variables file
+      ansible.builtin.include_vars: myvars.yaml
+
+    - name: Ensure Docker is installed
+      ansible.builtin.package:
+        name: docker
+        state: present
+
+    - name: Ensure Docker service is running
+      ansible.builtin.service:
+        name: docker
+        state: started
+        enabled: true
+
+    - name: Create a directory for Docker Compose files
+      ansible.builtin.file:
+        path: /home/ubuntu/ansible-docker/docker-compose
+        state: directory
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Create a directory for Nginx website files
+      ansible.builtin.file:
+        path: /home/ubuntu/docker/nginx/web
+        state: directory
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Copy docker-compose to remote host
+      ansible.builtin.copy:
+        src: /home/ubuntu/nginx/docker-compose.yaml
+        dest: /home/ubuntu/ansible-docker/docker-compose/docker-compose.yaml
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Copy Nginx website folder to remote host # copies a folder - note no file extension
+      ansible.builtin.copy:
+        src: /home/ubuntu/nginx/website
+        dest: /home/ubuntu/docker/nginx/web
+        mode: '0755'  # Optional file permissions
+        owner: ubuntu  # Optional ownership
+        group: ubuntu  # Optional group ownership
+
+    - name: Replace old name with new name (requires Ansible >= 2.4)
+      ansible.builtin.replace:
+        path: /home/ubuntu/docker/nginx/web/website/index.html
+        regexp: "Jim's Garage"
+        replace: "{{ website_name }}"
+
+    - name: Access and print secret
+      ansible.builtin.replace:
+        path: /home/ubuntu/docker/nginx/web/website/index.html
+        regexp: "Our Features"
+        replace: "{{ api_key }}"
+
+    - name: Start Docker Compose
+      community.docker.docker_compose:
+        project_src: /home/ubuntu/ansible-docker/docker-compose
+        state: present
@@ -0,0 +1 @@
+password
@@ -0,0 +1 @@
+api_key: SuperSecretPassword
@@ -0,0 +1,24 @@
+---
+- name: Playbook
+  hosts: all
+  become: true
+
+  vars:
+    omz_install_zsh: true
+    users:
+      - name: "user"
+        group: "user"
+        settings: ""
+  tasks:
+    - name: Run ansible-role-oh-my-zsh.
+      include_role:
+        name: "ctorgalson.oh-my-zsh"
+      vars:
+        omz_user: "{{ item }}"
+        # Only create `.zshrc` for user 'user'; item.settings will be
+        # appended to `.zshrc` for the user 'user'.
+        omz_zshrc_create: "{{ (item.name == 'user') | ternary(true, false) }}"
+        omz_plugins:
+          - "kubectl"
+          - "git"
+      with_items: "{{ users }}"
@@ -0,0 +1,131 @@
+# Ansible Role Oh My ZSH
+
+This is a basic Ansible role to enable and configure Oh My Zsh on Fedora,
+Ubuntu, or MacOS. It should also work on many other \*nix variants. It
+performs the following tasks:
+
+- Install and minimally configure Zsh:
+  - make sure it exists,
+  - set it as the default shell for the user specified by the role.
+- Install Oh My Zsh for each specified user (in `~/.oh-my-zsh` by default).
+- Configure (Oh My) Zsh by optionally creating a `.zshrc` file for each
+  specified user.
+- Alternately, configure Zsh by adding a block of lines to individual
+  users' `.zshrc` files.
+
+## Role variables
+
+| Variable name  | Default value | Description |
+|----------------|---------------|-------------|
+| `omz_install_zsh` | `false` | Defines whether or not the role should attempt to install Zsh. |
+| `omz_user` | `[]` | The user to install/configure (Oh My) Zsh for. See below for its properties. |
+| `omz_user.name` | `-` | The name of the user. |
+| `omz_user.group` | `-` | The group of the user |
+| `omz_user.settings` | `-` | Extra settings (as a mult-line string) such as variable exports or aliases to add to the user's `.zshrc` file. Only used if `omz_zshrc_create` is `true`. |
+| `omz_git_repository` | `https://github.com/robbyrussell/oh-my-zsh.git` | The git repo to clone Oh My Zsh from. |
+| `omz_install_directory` | `.oh-my-zsh` | The name of the directory to clone Oh My Zsh into. |
+| `omz_zshrc_create` | `true` | Whether or not to create `.zshrc`. If `true`, will create `.zshrc` from a template. |
+| `omz_zshrc_template` | `templates/zshrc.zsh-template.j2` | The template used to create the user's `.zshrc` file when `omz_zshrc_create` is `true`. |
+| `omz_zshrc_backup` | `true` | Whether or not to create backup the existing `.zshrc` files when the role changes it. |
+| `omz_zsh_theme` | `robbyrussell` | See `templates/zshrc.zsh-template`. |
+| `omz_case_sensitive` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_hyphen_insensitive` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_disable_auto_update` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_update_zsh_days` | `13` | See `templates/zshrc.zsh-template`. |
+| `omz_disable_ls_colors` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_disable_auto_title` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_enable_correction` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_completion_waiting_dots` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_disable_untracked_files_dirty` | `false` | See `templates/zshrc.zsh-template`. |
+| `omz_hist_stamps` | `mm/dd/yyyy` | See `templates/zshrc.zsh-template`. |
+| `omz_zsh_custom` | `$ZSH/custom` | See `templates/zshrc.zsh-template`. |
+| `omz_plugins` | `[]` | A list of Oh My Zsh plugins to enable. |
+
+## Role task files
+
+### `main.yml`: task coordination
+
+This file includes files that peform specific subsets of tasks.
+
+### `zsh.yml`: Zsh setup
+
+This task installs and sets zsh as the default shell for a user.
+
+#### Variables used
+
+- `omz_user`
+
+### `oh-my-zsh-install.yml`: Oh My Zsh installation
+
+This task clones the Oh My Zsh repository into the user directory of each
+specified user and sets the appropriate permissions on the directory.
+
+#### Variables used
+
+- `omz_user`
+- `omz_install_directory`
+- `omz_git_repository`
+- `omz_install_path`
+
+### `oh-my-zsh-zshrc.yml`: Oh My Zsh configuration
+
+This task creates the user a `.zshrc` file containing global values for various
+Oh My Zsh options based on [the `.zshrc` template in the oh-my-zsh repository](https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/templates/zshrc.zsh-template).
+The task can be configured to back up any existing `.zshrc` file.
+
+This task only runs when `omz_zshrc_create` is set to `true`.
+
+#### Variables used
+
+- `omz_user`
+- `omz_zshrc_template`
+- `omz_zshrc_backup`
+
+### `zsh-zshrc.yml`: final Zsh configuration
+
+This task adds individual lines to the `.zshrc` file. This is useful for adding
+Zsh settings on an already-existing `.zshrc` file without creating it
+from scratch.
+
+This task only runs when `omz_zshrc_create` is set to `false`.
+
+#### Variables used
+
+- `omz_user`
+- `omz_zshrc_backup`
+
+## Sample playbook
+
+    ---
+    - name: Playbook
+      hosts: all
+      become: true
+
+      vars:
+        omz_install_zsh: true
+        users:
+          - name: "lorem"
+            group: "lorem"
+            settings: ""
+          - name: "ipsum"
+            group: "ipsum"
+            settings: |
+              export PATH="/usr/local/sbin:$path"
+              alias l="ls -AF"
+      tasks:
+        - name: Run ansible-role-oh-my-zsh.
+          include_role:
+            name: "ansible-role-oh-my-zsh"
+          vars:
+            omz_user: "{{ item }}"
+            # Only create `.zshrc` for user 'lorem'; item.settings will be
+            # appended to `.zshrc` for the user 'ipsum'.
+            omz_zshrc_create: "{{ (item.name == 'lorem') | ternary(true, false) }}"
+            omz_plugins:
+              - "autojump"
+              - "git"
+          with_items: "{{ users }}"
+
+```bash
+ansible-playbook -i inventory playbooks/ansible-role-oh-my-zsh/playbook.yml -l 'dev303' -K
+```
@@ -0,0 +1,35 @@
+---
+# Role vars.
+omz_install_zsh: false
+
+# User vars.
+omz_user: []
+#  - name: "someuser"
+#    group: "somegroup"
+#    settings: |
+#     export PATH="/usr/local/sbin:$path"
+#     alias l="ls -AF"
+
+# Oh My ZSH vars.
+omz_git_repository: "https://github.com/robbyrussell/oh-my-zsh.git"
+omz_install_directory: ".oh-my-zsh"
+
+# Oh My ZSH template vars.
+omz_zshrc_create: true
+omz_zshrc_template: "templates/zshrc.zsh-template.j2"
+omz_custom_theme_template: "templates/custom.zsh-theme.j2"
+omz_zshrc_backup: true
+omz_zshrc_force: true
+omz_zsh_theme: "robbyrussell"
+omz_case_sensitive: false
+omz_hyphen_insensitive: false
+omz_disable_auto_update: false
+omz_update_zsh_days: 13
+omz_disable_ls_colors: false
+omz_disable_auto_title: false
+omz_enable_correction: false
+omz_completion_waiting_dots: false
+omz_disable_untracked_files_dirty: false
+omz_hist_stamps: "mm/dd/yyyy"
+omz_zsh_custom: "$ZSH/custom"
+omz_plugins: []
@@ -0,0 +1,34 @@
+---
+# Make sure zsh is installed and set to the user's default shell.
+- name: "OMZ | include zsh.yml tasks."
+  include_tasks: "zsh.yml"
+  tags:
+    - "zsh"
+    - "configure"
+    - "configurezsh"
+
+# Install oh-my-zsh.
+- name: "OMZ | include oh-my-zsh.yml tasks."
+  include_tasks: oh-my-zsh-install.yml
+  tags:
+    - "oh-my-zsh"
+    - "install"
+    - "installohmyzsh"
+
+# Configure oh-my-zsh with a custom .zshrc template if omz_zshrc_create
+# is set to 'true'.
+- name: "OMZ | include oh-my-zsh-zshrc.yml tasks."
+  include_tasks: oh-my-zsh-zshrc.yml
+  tags:
+    - "oh-my-zsh"
+    - "configure"
+    - "configureohmyzsh"
+
+# Finally, add exports etc to .zshrc /last/ (i.e. so they get added to whaterver
+# .zshrc exists.
+- name: "OMZ | include zsh-zshrc.yml tasks."
+  include_tasks: zsh-zshrc.yml
+  tags:
+    - "zsh"
+    - "configure"
+    - "configurezsh"
@@ -0,0 +1,21 @@
+---
+- name: "OMZ | establish install location."
+  set_fact:
+    omz_install_path: "/{{ omz_user_home_dir }}/{{ omz_user.name }}/{{ omz_install_directory }}"
+
+- name: "OMZ | clone Oh My ZSH repo for user."
+  git:
+    repo: "{{ omz_git_repository }}"
+    dest: "{{ omz_install_path }}"
+    update: "true"
+    accept_hostkey: "true"
+    version: "master"
+  register: "omz_clone"
+
+- name: "OMZ | set ownership on newly cloned repository."
+  file:
+    path: "{{ omz_install_path }}"
+    owner: "{{ omz_user.name }}"
+    group: "{{ omz_user.group }}"
+    recurse: "true"
+  when: "omz_clone is changed"
@@ -0,0 +1,14 @@
+---
+- name: "OMZ | derive user .zshrc path."
+  set_fact:
+    omz_user_zshrc_path: "/{{ omz_user_home_dir }}/{{ omz_user.name }}/.zshrc"
+
+- name: "OMZ | template .zshrc into place if required."
+  template:
+    src: "{{ omz_zshrc_template }}"
+    dest: "{{ omz_user_zshrc_path }}"
+    owner: "{{ omz_user.name }}"
+    group: "{{ omz_user.group }}"
+    backup: "{{ omz_zshrc_backup }}"
+    force: "{{ omz_zshrc_force }}"
+  when: "omz_zshrc_create"
@@ -0,0 +1,14 @@
+---
+# Note that we assume this file exists! lineinfile will fail if the file is
+# not present.
+- name: "OMZ | export vars to .zshrc if required."
+  blockinfile:
+    dest: "{{ omz_user_zshrc_path }}"
+    block: "{{ omz_user.settings }}"
+    backup: "{{ omz_zshrc_backup }}"
+  when:
+    - "omz_user.settings is defined"
+    # Don't flag this line for checking if the value is empty--checking for an
+    # empty value makes perfect sense.
+    - "omz_user.settings != ''"  # noqa 602
+    - "not omz_zshrc_create"
@@ -0,0 +1,32 @@
+---
+- name: "OMZ | establish home directory."
+  set_fact:
+    omz_user_home_dir: "{{ (ansible_system == 'Darwin') | ternary('Users', 'home') }}"
+
+- name: "OMZ | ensure zsh is installed."
+  block:
+    - name: "OMZ | install zsh for Linux."
+      package:
+        name: "zsh"
+        state: "present"
+      when:
+        - "ansible_system == 'Linux'"
+        - "omz_install_zsh"
+
+    - name: "OMZ | install zsh for macOS."
+      homebrew:
+        name: "zsh"
+        state: "present"
+      when:
+        - "ansible_system == 'Darwin'"
+        - "omz_install_zsh"
+
+- name: "OMZ | get zsh installed path."
+  shell: "command -v zsh"
+  register: omz_zsh_installed_path
+  changed_when: "false"
+
+- name: "OMZ | get user shell to zsh."
+  user:
+    name: "{{ omz_user.name }}"
+    shell: "{{ omz_zsh_installed_path.stdout }}"
@@ -0,0 +1,269 @@
+# vim:ft=zsh ts=2 sw=2 sts=2
+#
+# agnoster's Theme - https://gist.github.com/3712874
+# A Powerline-inspired theme for ZSH
+#
+# # README
+#
+# In order for this theme to render correctly, you will need a
+# [Powerline-patched font](https://github.com/Lokaltog/powerline-fonts).
+# Make sure you have a recent version: the code points that Powerline
+# uses changed in 2012, and older versions will display incorrectly,
+# in confusing ways.
+#
+# In addition, I recommend the
+# [Solarized theme](https://github.com/altercation/solarized/) and, if you're
+# using it on Mac OS X, [iTerm 2](https://iterm2.com/) over Terminal.app -
+# it has significantly better color fidelity.
+#
+# If using with "light" variant of the Solarized color schema, set
+# SOLARIZED_THEME variable to "light". If you don't specify, we'll assume
+# you're using the "dark" variant.
+#
+# # Goals
+#
+# The aim of this theme is to only show you *relevant* information. Like most
+# prompts, it will only show git information when in a git working directory.
+# However, it goes a step further: everything from the current user and
+# hostname to whether the last call exited with an error to whether background
+# jobs are running in this shell will all be displayed automatically when
+# appropriate.
+
+### Segment drawing
+# A few utility functions to make it easy and re-usable to draw segmented prompts
+
+CURRENT_BG='NONE'
+
+case ${SOLARIZED_THEME:-dark} in
+    light) CURRENT_FG='black';;
+    *)     CURRENT_FG='white';;
+esac
+
+# Special Powerline characters
+
+() {
+  local LC_ALL="" LC_CTYPE="en_US.UTF-8"
+  # NOTE: This segment separator character is correct.  In 2012, Powerline changed
+  # the code points they use for their special characters. This is the new code point.
+  # If this is not working for you, you probably have an old version of the
+  # Powerline-patched fonts installed. Download and install the new version.
+  # Do not submit PRs to change this unless you have reviewed the Powerline code point
+  # history and have new information.
+  # This is defined using a Unicode escape sequence so it is unambiguously readable, regardless of
+  # what font the user is viewing this source code in. Do not replace the
+  # escape sequence with a single literal character.
+  # Do not change this! Do not make it '\u2b80'; that is the old, wrong code point.
+  SEGMENT_SEPARATOR=$'\ue0b0'
+}
+
+# Begin a segment
+# Takes two arguments, background and foreground. Both can be omitted,
+# rendering default background/foreground.
+prompt_segment() {
+  local bg fg
+  [[ -n $1 ]] && bg="%K{$1}" || bg="%k"
+  [[ -n $2 ]] && fg="%F{$2}" || fg="%f"
+  if [[ $CURRENT_BG != 'NONE' && $1 != $CURRENT_BG ]]; then
+    echo -n " %{$bg%F{$CURRENT_BG}%}$SEGMENT_SEPARATOR%{$fg%} "
+  else
+    echo -n "%{$bg%}%{$fg%} "
+  fi
+  CURRENT_BG=$1
+  [[ -n $3 ]] && echo -n $3
+}
+
+# End the prompt, closing any open segments
+prompt_end() {
+  if [[ -n $CURRENT_BG ]]; then
+    echo -n " %{%k%F{$CURRENT_BG}%}$SEGMENT_SEPARATOR"
+  else
+    echo -n "%{%k%}"
+  fi
+  echo -n "%{%f%}"
+  CURRENT_BG=''
+}
+
+### Prompt components
+# Each component will draw itself, and hide itself if no information needs to be shown
+
+# Context: user@hostname (who am I and where am I)
+prompt_context() {
+  if [[ "$USERNAME" != "$DEFAULT_USER" || -n "$SSH_CLIENT" ]]; then
+    prompt_segment black default "%(!.%{%F{yellow}%}.)%n@%m"
+  fi
+}
+
+# Git: branch/detached head, dirty status
+prompt_git() {
+  (( $+commands[git] )) || return
+  if [[ "$(git config --get oh-my-zsh.hide-status 2>/dev/null)" = 1 ]]; then
+    return
+  fi
+  local PL_BRANCH_CHAR
+  () {
+    local LC_ALL="" LC_CTYPE="en_US.UTF-8"
+    PL_BRANCH_CHAR=$'\ue0a0'         # 
+  }
+  local ref dirty mode repo_path
+
+   if [[ "$(git rev-parse --is-inside-work-tree 2>/dev/null)" = "true" ]]; then
+    repo_path=$(git rev-parse --git-dir 2>/dev/null)
+    dirty=$(parse_git_dirty)
+    ref=$(git symbolic-ref HEAD 2> /dev/null) || ref="➦ $(git rev-parse --short HEAD 2> /dev/null)"
+    if [[ -n $dirty ]]; then
+      prompt_segment yellow black
+    else
+      prompt_segment green $CURRENT_FG
+    fi
+
+    local ahead behind
+    ahead=$(git log --oneline @{upstream}.. 2>/dev/null)
+    behind=$(git log --oneline ..@{upstream} 2>/dev/null)
+    if [[ -n "$ahead" ]] && [[ -n "$behind" ]]; then
+      PL_BRANCH_CHAR=$'\u21c5'
+    elif [[ -n "$ahead" ]]; then
+      PL_BRANCH_CHAR=$'\u21b1'
+    elif [[ -n "$behind" ]]; then
+      PL_BRANCH_CHAR=$'\u21b0'
+    fi
+
+    if [[ -e "${repo_path}/BISECT_LOG" ]]; then
+      mode=" <B>"
+    elif [[ -e "${repo_path}/MERGE_HEAD" ]]; then
+      mode=" >M<"
+    elif [[ -e "${repo_path}/rebase" || -e "${repo_path}/rebase-apply" || -e "${repo_path}/rebase-merge" || -e "${repo_path}/../.dotest" ]]; then
+      mode=" >R>"
+    fi
+
+    setopt promptsubst
+    autoload -Uz vcs_info
+
+    zstyle ':vcs_info:*' enable git
+    zstyle ':vcs_info:*' get-revision true
+    zstyle ':vcs_info:*' check-for-changes true
+    zstyle ':vcs_info:*' stagedstr '✚'
+    zstyle ':vcs_info:*' unstagedstr '±'
+    zstyle ':vcs_info:*' formats ' %u%c'
+    zstyle ':vcs_info:*' actionformats ' %u%c'
+    vcs_info
+    echo -n "${${ref:gs/%/%%}/refs\/heads\//$PL_BRANCH_CHAR }${vcs_info_msg_0_%% }${mode}"
+  fi
+}
+
+prompt_bzr() {
+  (( $+commands[bzr] )) || return
+
+  # Test if bzr repository in directory hierarchy
+  local dir="$PWD"
+  while [[ ! -d "$dir/.bzr" ]]; do
+    [[ "$dir" = "/" ]] && return
+    dir="${dir:h}"
+  done
+
+  local bzr_status status_mod status_all revision
+  if bzr_status=$(bzr status 2>&1); then
+    status_mod=$(echo -n "$bzr_status" | head -n1 | grep "modified" | wc -m)
+    status_all=$(echo -n "$bzr_status" | head -n1 | wc -m)
+    revision=${$(bzr log -r-1 --log-format line | cut -d: -f1):gs/%/%%}
+    if [[ $status_mod -gt 0 ]] ; then
+      prompt_segment yellow black "bzr@$revision ✚"
+    else
+      if [[ $status_all -gt 0 ]] ; then
+        prompt_segment yellow black "bzr@$revision"
+      else
+        prompt_segment green black "bzr@$revision"
+      fi
+    fi
+  fi
+}
+
+prompt_hg() {
+  (( $+commands[hg] )) || return
+  local rev st branch
+  if $(hg id >/dev/null 2>&1); then
+    if $(hg prompt >/dev/null 2>&1); then
+      if [[ $(hg prompt "{status|unknown}") = "?" ]]; then
+        # if files are not added
+        prompt_segment red white
+        st='±'
+      elif [[ -n $(hg prompt "{status|modified}") ]]; then
+        # if any modification
+        prompt_segment yellow black
+        st='±'
+      else
+        # if working copy is clean
+        prompt_segment green $CURRENT_FG
+      fi
+      echo -n ${$(hg prompt "☿ {rev}@{branch}"):gs/%/%%} $st
+    else
+      st=""
+      rev=$(hg id -n 2>/dev/null | sed 's/[^-0-9]//g')
+      branch=$(hg id -b 2>/dev/null)
+      if `hg st | grep -q "^\?"`; then
+        prompt_segment red black
+        st='±'
+      elif `hg st | grep -q "^[MA]"`; then
+        prompt_segment yellow black
+        st='±'
+      else
+        prompt_segment green $CURRENT_FG
+      fi
+      echo -n "☿ ${rev:gs/%/%%}@${branch:gs/%/%%}" $st
+    fi
+  fi
+}
+
+# Dir: current working directory
+prompt_dir() {
+  prompt_segment blue $CURRENT_FG '%~'
+}
+
+# Virtualenv: current working virtualenv
+prompt_virtualenv() {
+  if [[ -n "$VIRTUAL_ENV" && -n "$VIRTUAL_ENV_DISABLE_PROMPT" ]]; then
+    prompt_segment blue black "(${VIRTUAL_ENV:t:gs/%/%%})"
+  fi
+}
+
+# Status:
+# - was there an error
+# - am I root
+# - are there background jobs?
+prompt_status() {
+  local -a symbols
+
+  [[ $RETVAL -ne 0 ]] && symbols+="%{%F{red}%}✘"
+  [[ $UID -eq 0 ]] && symbols+="%{%F{yellow}%}⚡"
+  [[ $(jobs -l | wc -l) -gt 0 ]] && symbols+="%{%F{cyan}%}⚙"
+
+  [[ -n "$symbols" ]] && prompt_segment black default "$symbols"
+}
+
+#AWS Profile:
+# - display current AWS_PROFILE name
+# - displays yellow on red if profile name contains 'production' or
+#   ends in '-prod'
+# - displays black on green otherwise
+prompt_aws() {
+  [[ -z "$AWS_PROFILE" || "$SHOW_AWS_PROMPT" = false ]] && return
+  case "$AWS_PROFILE" in
+    *-prod|*production*) prompt_segment red yellow  "AWS: ${AWS_PROFILE:gs/%/%%}" ;;
+    *) prompt_segment green black "AWS: ${AWS_PROFILE:gs/%/%%}" ;;
+  esac
+}
+
+## Main prompt
+build_prompt() {
+  RETVAL=$?
+  prompt_status
+  prompt_virtualenv
+  prompt_aws
+  prompt_context
+  prompt_dir
+  prompt_git
+  prompt_bzr
+  prompt_hg
+  prompt_end
+}
+
+PROMPT='%{%f%b%k%}$(build_prompt) '
@@ -0,0 +1,89 @@
+# Managed by Ansible. This file may be overwritten when playbooks are run!
+
+# If you come from bash you might have to change your $PATH.
+# export PATH=$HOME/bin:/usr/local/bin:$PATH
+
+# Path to your oh-my-zsh installation.
+export ZSH=/{{ omz_user_home_dir }}/{{ omz_user.name }}/{{ omz_install_directory }}
+
+# Set name of the theme to load. Optionally, if you set this to "random"
+# it'll load a random theme each time that oh-my-zsh is loaded.
+# See https://github.com/robbyrussell/oh-my-zsh/wiki/Themes
+ZSH_THEME="{{ omz_zsh_theme }}"
+
+# Uncomment the following line to use case-sensitive completion.
+CASE_SENSITIVE="{{ omz_case_sensitive }}"
+
+# Uncomment the following line to use hyphen-insensitive completion. Case
+# sensitive completion must be off. _ and - will be interchangeable.
+HYPHEN_INSENSITIVE="{{ omz_hyphen_insensitive }}"
+
+# Uncomment the following line to disable bi-weekly auto-update checks.
+DISABLE_AUTO_UPDATE="{{ omz_disable_auto_update }}"
+
+# Uncomment the following line to change how often to auto-update (in days).
+export UPDATE_ZSH_DAYS={{ omz_update_zsh_days }}
+
+# Uncomment the following line to disable colors in ls.
+DISABLE_LS_COLORS="{{ omz_disable_ls_colors }}"
+
+# Uncomment the following line to disable auto-setting terminal title.
+DISABLE_AUTO_TITLE="{{ omz_disable_auto_title }}"
+
+# Uncomment the following line to enable command auto-correction.
+ENABLE_CORRECTION="{{ omz_enable_correction }}"
+
+# Uncomment the following line to display red dots whilst waiting for completion.
+COMPLETION_WAITING_DOTS="{{ omz_completion_waiting_dots }}"
+
+# Uncomment the following line if you want to disable marking untracked files
+# under VCS as dirty. This makes repository status check for large repositories
+# much, much faster.
+DISABLE_UNTRACKED_FILES_DIRTY="{{ omz_disable_untracked_files_dirty }}"
+
+# Uncomment the following line if you want to change the command execution time
+# stamp shown in the history command output.
+# The optional three formats: "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+HIST_STAMPS="{{ omz_hist_stamps }}"
+
+# Would you like to use another custom folder than $ZSH/custom?
+ZSH_CUSTOM={{ omz_zsh_custom }}
+
+# Which plugins would you like to load? (plugins can be found in ~/.oh-my-zsh/plugins/*)
+# Custom plugins may be added to ~/.oh-my-zsh/custom/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+plugins=({{ omz_plugins | join(" ") }})
+
+source $ZSH/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:$MANPATH"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='mvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch x86_64"
+
+# ssh
+# export SSH_KEY_PATH="~/.ssh/dsa_id"
+
+# Set personal aliases, overriding those provided by oh-my-zsh libs,
+# plugins, and themes. Aliases can be placed here, though oh-my-zsh
+# users are encouraged to define aliases within the ZSH_CUSTOM folder.
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+{{ omz_user.settings }}
@@ -0,0 +1,6 @@
+---
+collections:
+  - name: ansible.utils
+  - name: community.general
+  - name: ansible.posix
+  - name: kubernetes.core
@@ -0,0 +1,27 @@
+os: "linux"
+arch: "amd64"
+
+talos_version: v1.7.5
+talosctl_version: v1.7.5
+control_plane_ip: 192.168.50.195
+
+control_plane_2: 192.168.50.196
+control_plane_3: 192.168.50.197
+
+worker_1: 192.168.50.198
+worker_2: 192.168.50.199
+
+config_directory: "/home/{{ ansible_user }}/.talos"
+config_file: "/home/{{ ansible_user }}/.talos/talosconfig"
+
+kube_vip_version: "v0.8.0"
+vip_interface: null
+vip: 192.168.50.220
+
+metallb_version: v0.13.12
+lb_range: 192.168.50.240-192.168.50.250
+lb_pool_name: first-pool
+
+ansible_user: ubuntu
+ansible_become: true
+ansible_become_method: sudo
@@ -0,0 +1,13 @@
+# Make sure Ansible host has access to these devices
+# Good idea to snapshot all machines and deploy uing cloud-template
+[ansible]
+127.0.0.1  ansible_connection=local
+
+[servers]
+server1 ansible_host=192.168.50.195
+server2 ansible_host=192.168.50.196
+server3 ansible_host=192.168.50.197
+
+[agents]
+agent1 ansible_host=192.168.50.198
+agent2 ansible_host=192.168.50.199
@@ -0,0 +1,11 @@
+---
+# Generate Machine Configurations. This is using the qemu agent as per: https://www.talos.dev/v1.7/talos-guides/install/virtualized-platforms/proxmox/
+- name: Apply config to first worker
+  ansible.builtin.command:
+    cmd: talosctl apply-config --insecure --nodes {{ worker_1 }} --file {{ config_directory }}/worker.yaml
+  changed_when: true
+
+- name: Apply config to second worker
+  ansible.builtin.command:
+    cmd: talosctl apply-config --insecure --nodes {{ worker_2 }} --file {{ config_directory }}/worker.yaml
+  changed_when: true
@@ -0,0 +1,16 @@
+---
+# Generate Machine Configurations. This is using the qemu agent as per: https://www.talos.dev/v1.7/talos-guides/install/virtualized-platforms/proxmox/
+- name: Apply config to first node
+  ansible.builtin.command:
+    cmd: talosctl apply-config --insecure --nodes {{ control_plane_ip }} --file {{ config_directory }}/controlplane.yaml
+  changed_when: true
+
+- name: Apply config to second node
+  ansible.builtin.command:
+    cmd: talosctl apply-config --insecure --nodes {{ control_plane_2 }} --file {{ config_directory }}/controlplane.yaml
+  changed_when: true
+
+- name: Apply config to first node
+  ansible.builtin.command:
+    cmd: talosctl apply-config --insecure --nodes {{ control_plane_3 }} --file {{ config_directory }}/controlplane.yaml
+  changed_when: true
@@ -0,0 +1,11 @@
+---
+- name: Check that the config file doesn't already exist
+  ansible.builtin.stat:
+    path: "{{ config_file }}"
+  register: stat_result
+
+# Generate Machine Configurations. This is using the qemu agent as per: https://www.talos.dev/v1.7/talos-guides/install/virtualized-platforms/proxmox/
+- name: Generate config for cluster
+  when: "not stat_result.stat.exists"
+  ansible.builtin.command: talosctl gen config talos-proxmox-cluster https://{{ control_plane_ip }}:6443 --output-dir {{ config_directory }} --install-image factory.talos.dev/installer/770f94a47e708326b61f3e641bb733dc879c544dee1972e74763798fe93a1f6d:{{ talos_version }}
+  changed_when: true
@@ -0,0 +1,26 @@
+---
+# Update TalosCTL
+- name: Update TalosCTL configs
+  ansible.builtin.command: talosctl config endpoint {{ control_plane_ip }} --talosconfig {{ config_file }}
+  changed_when: true
+
+- name: Update TalosCTL configs
+  ansible.builtin.command: talosctl config node {{ control_plane_ip }} --talosconfig {{ config_file }}
+  changed_when: true
+
+  #################################
+  # WAIT FOR REBOOT & BOOTSTRAP   #
+  #################################
+- name: Keep trying to bootstrap
+  ansible.builtin.command:
+    cmd: "talosctl bootstrap --talosconfig {{ config_file }}"
+  register: bootstrap_result
+  retries: 10
+  delay: 30
+  until: bootstrap_result.rc == 0
+  changed_when: bootstrap_result.rc == 0
+
+# Grab Kubeconfig
+- name: Get Kubeconfig
+  ansible.builtin.command: talosctl kubeconfig . --talosconfig {{ config_file }}
+  changed_when: true
@@ -0,0 +1,12 @@
+---
+# Ansible Playbook to install Talos
+- name: Download talosctl for Linux (amd64)
+  ansible.builtin.get_url:
+    url: https://github.com/siderolabs/talos/releases/download/{{ talosctl_version }}/talosctl-linux-amd64
+    dest: /usr/local/bin/talosctl
+    mode: '0755'  # Make the binary executable
+  register: download_result  # Register the result for debugging or verification
+
+- name: Display download result
+  ansible.builtin.debug:
+    var: download_result  # Display the result of the download task
@@ -0,0 +1,37 @@
+# Hello, thanks for using my playbook, hopefully you can help to improve it.
+
+# Install TalosCTL on Ansible node
+- name: Install TalosCTL
+  hosts: ansible
+  gather_facts: true # enables us to gather lots of useful variables: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/setup_module.html
+  become: true
+  roles:
+    - install-talosctl
+
+# Configure Cluster Configuration
+- name: Configure Cluster
+  hosts: ansible
+  gather_facts: true
+  roles:
+    - configure-cluster
+
+# Apply Cluster Configuration
+- name: Configure Cluster
+  hosts: ansible
+  gather_facts: true
+  roles:
+    - apply-config
+
+# Configure TalosCTL
+- name: Configure TalosCTL
+  hosts: ansible
+  gather_facts: true
+  roles:
+    - configure-talosctl
+
+# Add Workers
+- name: Add Workers
+  hosts: ansible
+  gather_facts: true
+  roles:
+    - add-workers
@@ -0,0 +1,9 @@
+# Add to Hosts File (change ansible_user if required)
+```
+[all:vars]
+ansible_user='user'
+ansible_become=yes
+ansible_become_method=sudo
+
+ansible-playbook site.yaml -i inventory/hosts.ini --key-file ~/.ssh/id_rsa -K
+```
@@ -0,0 +1,24 @@
+---
+- hosts: all
+  gather_facts: yes
+  become: yes
+
+  tasks:
+    - name: Perform a distro upgrade
+      ansible.builtin.apt:
+        upgrade: dist
+        update_cache: yes
+
+    - name: Check if a reboot is required
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+        get_checksum: no
+      register: reboot_required_file
+
+    - name: Reboot the server (if necessary)
+      ansible.builtin.reboot:
+      when: reboot_required_file.stat.exists == true
+
+    - name: Remove dependencies that are no longer needed
+      ansible.builtin.apt:
+        autoremove: yes
@@ -0,0 +1,29 @@
+---
+- name: Update APT package list and upgrade packages
+  # hosts: "dc00,dc01,dc02,dc03,dc04,dc05,dc09"
+  hosts: all
+  become: true
+  become_method: su
+
+  vars:
+    ansible_user: user
+
+  tasks:
+    - name: Update APT package list
+      ansible.builtin.apt:
+        update_cache: true
+        upgrade: dist
+
+    - name: Check if a reboot is required.
+      stat:
+        path: /var/run/reboot-required
+      register: reboot_required_file
+
+    - name: Reboot the server (if required).
+      debug:
+        msg: "Ansible Version: {{ reboot_required_file.stdout }}"
+      when: reboot_required_file.stat.exists == true
+
+    - name: Remove dependencies that are no longer required.
+      apt:
+        autoremove: yes
@@ -0,0 +1,23 @@
+---
+- hosts: all
+  become: true
+  tasks:
+    - name: Update apt repo and cache on all Debian/Ubuntu boxes
+      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
+
+    - name: Upgrade all packages on servers
+      apt: upgrade=dist force_apt_get=yes
+
+    - name: Check if a reboot is needed on all servers
+      register: reboot_required_file
+      stat: path=/var/run/reboot-required get_checksum=false
+
+    - name: Reboot the box if kernel updated
+      reboot:
+        msg: "Reboot initiated by Ansible for kernel updates"
+        connect_timeout: 5
+        reboot_timeout: 300
+        pre_reboot_delay: 0
+        post_reboot_delay: 30
+        test_command: uptime
+      when: reboot_required_file.stat.exists
@@ -0,0 +1,45 @@
+x86_64:
+  hosts:
+    dc00:
+      ansible_host: 192.168.50.210
+      ansible_user: user
+      ansible_become_method: su
+    dc09:
+      ansible_host: 192.168.50.209
+      ansible_user: user
+      ansible_become_method: su
+arm64:
+  hosts:
+    dc01:
+      ansible_host: 192.168.50.201
+      ansible_user: user
+      ansible_become_method: sudo
+    dc02:
+      ansible_host: 192.168.50.202
+      ansible_user: user
+      ansible_become_method: sudo
+    dc03:
+      ansible_host: 192.168.50.203
+      ansible_user: user
+      ansible_become_method: sudo
+    dc04:
+      ansible_host: 192.168.50.204
+      ansible_user: user
+      ansible_become_method: sudo
+    dc05:
+      ansible_host: 192.168.50.205
+      ansible_user: user
+      ansible_become_method: sudo
+    node07:
+      ansible_host: 192.168.50.207
+      ansible_user: user
+      ansible_become_method: sudo
+    node08:
+      ansible_host: 192.168.50.208
+      ansible_user: user
+      ansible_become_method: sudo
+
+prod:
+  children:
+    x86_64:
+    arm64:
@@ -0,0 +1,34 @@
+backend:
+  hosts:
+    nfs:
+      ansible_host: 192.168.50.225
+      ansible_user: root
+      ansible_become_method: su
+    swarm:
+      ansible_host: 192.168.50.220
+      ansible_user: user
+      ansible_become_method: sudo
+    firewall:
+      ansible_host: 192.168.50.170
+      ansible_user: root
+      ansible_become_method: su
+
+dev:
+  hosts:
+    dev301:
+      ansible_host: 192.168.50.71
+      ansible_user: user
+      ansible_become_method: sudo
+    dev302:
+      ansible_host: 192.168.1.10
+      ansible_user: user
+      ansible_become_method: sudo
+    dev303:
+      ansible_host: 192.168.50.30
+      ansible_user: user
+      ansible_become_method: sudo
+
+virtual:
+  children:
+    backend:
+    dev:
@@ -0,0 +1,7 @@
+# Ansible
+
+## Update all packages
+```bash
+ansible-playbook -i inventory playbooks/update/update-noreboot.yml -l '!node08' -K
+ansible-playbook -i inventory playbooks/update/update-noreboot.yml -l 'prod' -K
+```
@@ -0,0 +1,6 @@
+---
+collections:
+  - name: ansible.utils
+  - name: community.general
+  - name: ansible.posix
+  - name: kubernetes.core
@@ -0,0 +1,8 @@
+tls-san:
+  - 192.168.50.190
+  - 192.168.50.209
+  - 
+  - 
+write-kubeconfig-mode: 0644
+disable:
+  - rke2-ingress-nginx
@@ -0,0 +1,20 @@
+os: "linux"
+# arch: "amd64"
+# Set your timezone
+system_timezone: "Asia/Singapore"
+
+kube_vip_version: "v0.8.1"
+vip_interface: null
+vip: 192.168.50.210
+
+metallb_version: v0.14.5
+lb_range: 192.168.50.190-192.168.50.199
+lb_pool_name: first-pool
+
+rke2_version: "v1.28.11+rke2r1"
+rke2_install_dir: "/usr/local/bin"
+rke2_binary_url: "https://github.com/rancher/rke2/releases/download/{{ rke2_version }}"
+
+ansible_user: user
+ansible_become: true
+ansible_become_method: sudo
@@ -0,0 +1,8 @@
+# Make sure Ansible host has access to these devices
+# Good idea to snapshot all machines and deploy uing cloud-init
+
+[servers]
+server1 ansible_host=192.168.50.132
+
+[agents]
+agent1 ansible_host=192.168.50.131
@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: kube-vip-ds
+    app.kubernetes.io/version: v0.8.1
+  name: kube-vip-ds
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-vip-ds
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: kube-vip-ds
+        app.kubernetes.io/version: v0.8.1
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists
+            - matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+      containers:
+      - args:
+        - manager
+        env:
+        - name: vip_arp
+          value: "true"
+        - name: port
+          value: "6443"
+        - name: vip_interface
+          value: null
+        - name: vip_cidr
+          value: "32"
+        - name: cp_enable
+          value: "true"
+        - name: cp_namespace
+          value: kube-system
+        - name: vip_ddns
+          value: "false"
+        - name: svc_enable
+          value: "false"
+        - name: svc_leasename
+          value: plndr-svcs-lock
+        - name: vip_leaderelection
+          value: "true"
+        - name: vip_leasename
+          value: plndr-cp-lock
+        - name: vip_leaseduration
+          value: "5"
+        - name: vip_renewdeadline
+          value: "3"
+        - name: vip_retryperiod
+          value: "1"
+        - name: address
+          value: "192.168.50.210"
+        - name: prometheus_server
+          value: :2112
+        image: ghcr.io/kube-vip/kube-vip:v0.8.1
+        imagePullPolicy: Always
+        name: kube-vip
+        resources: {}
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+      hostNetwork: true
+      serviceAccountName: kube-vip
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+  updateStrategy: {}
+status:
+  currentNumberScheduled: 0
+  desiredNumberScheduled: 0
+  numberMisscheduled: 0
+  numberReady: 0
+
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+echo -e " \033[33;2m    __  _          _        ___                            \033[0m"
+echo -e " \033[33;2m    \ \(_)_ __ ___( )__    / _ \__ _ _ __ __ _  __ _  ___  \033[0m"
+echo -e " \033[33;2m     \ \ | '_ \` _ \/ __|  / /_\/ _\` | '__/ _\` |/ _\` |/ _ \ \033[0m"
+echo -e " \033[33;2m  /\_/ / | | | | | \__ \ / /_\\  (_| | | | (_| | (_| |  __/ \033[0m"
+echo -e " \033[33;2m  \___/|_|_| |_| |_|___/ \____/\__,_|_|  \__,_|\__, |\___| \033[0m"
+echo -e " \033[33;2m                                               |___/       \033[0m"
+echo -e " \033[35;2m          __                   _                          \033[0m"
+echo -e " \033[35;2m         / /  ___  _ __   __ _| |__   ___  _ __ _ __      \033[0m"
+echo -e " \033[35;2m        / /  / _ \| '_ \ / _\` | '_ \ / _ \| '__| '_ \     \033[0m"
+echo -e " \033[35;2m       / /__| (_) | | | | (_| | | | | (_) | |  | | | |    \033[0m"
+echo -e " \033[35;2m       \____/\___/|_| |_|\__, |_| |_|\___/|_|  |_| |_|    \033[0m"
+echo -e " \033[35;2m                         |___/                            \033[0m"
+echo -e " \033[36;2m                                                          \033[0m"
+echo -e " \033[32;2m             https://youtube.com/@jims-garage              \033[0m"
+echo -e " \033[32;2m                                                           \033[0m"
+
+#############################################
+# YOU SHOULD ONLY NEED TO EDIT THIS SECTION #
+#############################################
+
+# THIS SCRIPT IS FOR RKE2, NOT K3S!
+# THIS SCRIPT IS FOR RKE2, NOT K3S!
+# THIS SCRIPT IS FOR RKE2, NOT K3S!
+
+# Set the IP addresses of master1
+master1=192.168.50.209
+
+# Set the IP addresses of your Longhorn nodes
+longhorn1=192.168.50.205
+
+# User of remote machines
+user=furyhawk
+
+# Interface used on remotes
+interface=eth0
+
+# Set the virtual IP address (VIP)
+vip=192.168.50.210
+
+# Array of longhorn nodes
+storage=($longhorn1)
+
+#ssh certificate name variable
+certName=id_rsa
+
+#############################################
+#            DO NOT EDIT BELOW              #
+#############################################
+# For testing purposes - in case time is wrong due to VM snapshots
+sudo timedatectl set-ntp off
+sudo timedatectl set-ntp on
+
+# add ssh keys for all nodes
+for node in "${storage[@]}"; do
+  ssh-copy-id $user@$node
+done
+
+# add open-iscsi - needed for Debian and non-cloud Ubuntu
+if ! command -v sudo service open-iscsi status &> /dev/null
+then
+    echo -e " \033[31;5mOpen-ISCSI not found, installing\033[0m"
+    sudo apt install open-iscsi
+else
+    echo -e " \033[32;5mOpen-ISCSI already installed\033[0m"
+fi
+
+# Step 1: Add new longhorn nodes to cluster (note: label added)
+# Set token variable needed for RKE2 (not required for K3S)
+token=`cat token`
+for newnode in "${storage[@]}"; do
+  ssh -tt $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
+  mkdir -p /etc/rancher/rke2
+  touch /etc/rancher/rke2/config.yaml
+  echo "token: $token" >> /etc/rancher/rke2/config.yaml
+  echo "server: https://$vip:9345" >> /etc/rancher/rke2/config.yaml
+  echo "node-label:" >> /etc/rancher/rke2/config.yaml
+  echo "  - longhorn=true" >> /etc/rancher/rke2/config.yaml
+  curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="agent" sh -
+  systemctl enable rke2-agent.service
+  systemctl start rke2-agent.service
+  exit
+EOF
+  echo -e " \033[32;5mLonghorn node joined successfully!\033[0m"
+done
+
+# Step 2: Install Longhorn (using modified Official to pin to Longhorn Nodes)
+# kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.2/deploy/longhorn.yaml
+kubectl apply -f https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Kubernetes/Longhorn/longhorn.yaml
+kubectl get pods \
+--namespace longhorn-system \
+--watch
+
+# Step 3: Print out confirmation
+
+kubectl get nodes
+kubectl get svc -n longhorn-system
+
+echo -e " \033[32;5mHappy Kubing! Access Longhorn through Rancher UI\033[0m"
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-vip
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: system:kube-vip-role
+rules:
+  - apiGroups: [""]
+    resources: ["services/status"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["list","get","watch", "update"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list","get","watch", "update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["list", "get", "watch", "update", "create"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["list","get","watch", "update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:kube-vip-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-vip-role
+subjects:
+- kind: ServiceAccount
+  name: kube-vip
+  namespace: kube-system
@@ -0,0 +1,121 @@
+# RKE2 playbook
+
+/etc/hosts
+```
+127.0.0.1       localhost
+127.0.1.1       c1.local        c1
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+```
+
+
+```bash
+export LC_ALL=en_US.UTF-8
+ansible-playbook site.yaml -i inventory/hosts.ini --key-file ~/.ssh/id_rsa -K
+k get pods --all-namespaces
+kubectl create namespace cattle-system
+# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.crds.yaml
+# install helm
+curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
+sudo apt-get install apt-transport-https --yes
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
+sudo apt-get update
+sudo apt-get install helm
+
+helm repo add jetstack https://charts.jetstack.io --force-update
+helm repo update
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.15.2 \
+  --set crds.enabled=true
+```
+NAME: cert-manager
+LAST DEPLOYED: Sat Aug  3 21:38:31 2024
+NAMESPACE: cert-manager
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+NOTES:
+cert-manager v1.15.2 has been deployed successfully!
+
+In order to begin issuing certificates, you will need to set up a ClusterIssuer
+or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
+
+More information on the different types of issuers and how to configure them
+can be found in our documentation:
+
+https://cert-manager.io/docs/configuration/
+
+For information on how to configure cert-manager to automatically provision
+Certificates for Ingress resources, take a look at the `ingress-shim`
+documentation:
+
+https://cert-manager.io/docs/usage/ingress/
+
+
+https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/rancher-v2-8-5/
+```bash
+kubectl get pods --namespace cert-manager
+kubectl create namespace cattle-system
+helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
+helm install rancher rancher-latest/rancher \
+ --namespace cattle-system \
+ --set hostname=rancher.local \
+ --set bootstrapPassword=admin
+```
+If you provided your own bootstrap password during installation, browse to https://rancher.local to get started.
+
+If this is the first time you installed Rancher, get started by running this command and clicking the URL it generates:
+
+```
+echo https://rancher.local/dashboard/?setup=$(kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}')
+```
+https://node03/dashboard/?setup=admin
+
+To get just the bootstrap password on its own, run:
+
+```
+kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}{{ "\n" }}'
+```
+
+```bash
+sudo service open-iscsi status
+sudo apt install open-iscsi
+kubectl -n cattle-system get deploy rancher
+
+kubectl -n cattle-system rollout status deploy/rancher
+kubectl -n cattle-system get deploy rancher
+kubectl get svc -n cattle-system
+kubectl expose deployment rancher --name=rancher-lb --port=443 --type=LoadBalancer -n cattle-system
+kubectl get svc -n cattle-system
+# kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.2/deploy/longhorn.yaml
+# k delete -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.2/deploy/longhorn.yaml
+helm repo add longhorn https://charts.longhorn.io
+helm repo update
+k apply -f longhorn.yaml
+helm install longhorn longhorn/longhorn --namespace longhorn-system --create-namespace --version 1.6.2
+kubectl get pods \
+--namespace longhorn-system \
+--watch
+kubectl -n longhorn-system get pod
+kubectl get svc
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+helm repo add traefik https://traefik.github.io/charts
+helm install traefik traefik/traefik --create-namespace -n 'traefik' -f traefik.yaml
+helm list -n traefik
+kubectl -n traefik port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name -A) 9000:9000 --address 0.0.0.0
+# Update repository
+helm repo update
+# See current Chart & Traefik version
+helm search repo traefik/traefik
+# Update CRDs (Traefik Proxy v3 CRDs)
+kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/
+# Upgrade Traefik
+helm upgrade traefik traefik/traefik
+```
@@ -0,0 +1,260 @@
+#!/bin/bash
+
+echo -e " \033[33;5m    __  _          _        ___                            \033[0m"
+echo -e " \033[33;5m    \ \(_)_ __ ___( )__    / _ \__ _ _ __ __ _  __ _  ___  \033[0m"
+echo -e " \033[33;5m     \ \ | '_ \` _ \/ __|  / /_\/ _\` | '__/ _\` |/ _\` |/ _ \ \033[0m"
+echo -e " \033[33;5m  /\_/ / | | | | | \__ \ / /_\\  (_| | | | (_| | (_| |  __/ \033[0m"
+echo -e " \033[33;5m  \___/|_|_| |_| |_|___/ \____/\__,_|_|  \__,_|\__, |\___| \033[0m"
+echo -e " \033[33;5m                                               |___/       \033[0m"
+
+echo -e " \033[36;5m                      ___ _  _____ ___                     \033[0m"
+echo -e " \033[36;5m                     | _ \ |/ / __|_  )                    \033[0m"
+echo -e " \033[36;5m                     |   / ' <| _| / /                     \033[0m"
+echo -e " \033[36;5m                     |_|_\_|\_\___/___|                    \033[0m"
+echo -e " \033[36;5m                                                           \033[0m"
+echo -e " \033[32;5m             https://youtube.com/@jims-garage              \033[0m"
+echo -e " \033[32;5m                                                           \033[0m"
+
+
+#############################################
+# YOU SHOULD ONLY NEED TO EDIT THIS SECTION #
+#############################################
+
+# Version of Kube-VIP to deploy
+KVVERSION="v0.6.3"
+
+# Set the IP addresses of the admin, masters, and workers nodes
+admin=192.168.50.143
+master1=192.168.50.132
+worker1=192.168.50.131
+
+# User of remote machines
+user=furyhawk
+
+# Interface used on remotes
+interface=eth0
+
+# Set the virtual IP address (VIP)
+vip=192.168.50.190
+
+# Array of all master nodes
+allmasters=($master1)
+
+# Array of master nodes
+masters=($master2 $master3)
+
+# Array of worker nodes
+workers=($worker1)
+
+# Array of all
+all=($master1 $worker1)
+
+# Array of all minus master1
+allnomaster1=($master2 $master3 $worker1)
+
+#Loadbalancer IP range
+lbrange=192.168.3.191-192.168.3.199
+
+#ssh certificate name variable
+certName=id_rsa
+
+#############################################
+#            DO NOT EDIT BELOW              #
+#############################################
+# For testing purposes - in case time is wrong due to VM snapshots
+sudo timedatectl set-ntp off
+sudo timedatectl set-ntp on
+
+# Move SSH certs to ~/.ssh and change permissions
+cp /home/$user/{$certName,$certName.pub} /home/$user/.ssh
+chmod 600 /home/$user/.ssh/$certName 
+chmod 644 /home/$user/.ssh/$certName.pub
+
+# Install Kubectl if not already present
+if ! command -v kubectl version &> /dev/null
+then
+    echo -e " \033[31;5mKubectl not found, installing\033[0m"
+    curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+    sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+else
+    echo -e " \033[32;5mKubectl already installed\033[0m"
+fi
+
+# Create SSH Config file to ignore checking (don't use in production!)
+sed -i '1s/^/StrictHostKeyChecking no\n/' ~/.ssh/config
+
+#add ssh keys for all nodes
+for node in "${all[@]}"; do
+  ssh-copy-id $user@$node
+done
+
+# Step 1: Create Kube VIP
+# create RKE2's self-installing manifest dir
+sudo mkdir -p /var/lib/rancher/rke2/server/manifests
+# Install the kube-vip deployment into rke2's self-installing manifest folder
+curl -sO https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Kubernetes/RKE2/kube-vip
+cat kube-vip | sed 's/$interface/'$interface'/g; s/$vip/'$vip'/g' > $HOME/kube-vip.yaml
+sudo mv kube-vip.yaml /var/lib/rancher/rke2/server/manifests/kube-vip.yaml
+
+# Find/Replace all k3s entries to represent rke2
+sudo sed -i 's/k3s/rke2/g' /var/lib/rancher/rke2/server/manifests/kube-vip.yaml
+# copy kube-vip.yaml to home directory
+sudo cp /var/lib/rancher/rke2/server/manifests/kube-vip.yaml ~/kube-vip.yaml
+# change owner
+sudo chown $user:$user kube-vip.yaml
+# make kube folder to run kubectl later
+mkdir ~/.kube
+
+# create the rke2 config file
+sudo mkdir -p /etc/rancher/rke2
+touch config.yaml
+echo "tls-san:" >> config.yaml 
+echo "  - $vip" >> config.yaml
+echo "  - $master1" >> config.yaml
+echo "write-kubeconfig-mode: 0644" >> config.yaml
+echo "disable:" >> config.yaml
+echo "  - rke2-ingress-nginx" >> config.yaml
+# copy config.yaml to rancher directory
+sudo cp ~/config.yaml /etc/rancher/rke2/config.yaml
+
+# update path with rke2-binaries
+echo 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml' >> ~/.bashrc ; echo 'export PATH=${PATH}:/var/lib/rancher/rke2/bin' >> ~/.bashrc ; echo 'alias k=kubectl' >> ~/.bashrc ; source ~/.bashrc ;
+
+# Step 2: Copy kube-vip.yaml and certs to all masters
+for newnode in "${allmasters[@]}"; do
+  scp -i ~/.ssh/$certName $HOME/kube-vip.yaml $user@$newnode:~/kube-vip.yaml
+  scp -i ~/.ssh/$certName $HOME/config.yaml $user@$newnode:~/config.yaml
+  scp -i ~/.ssh/$certName ~/.ssh/{$certName,$certName.pub} $user@$newnode:~/.ssh
+  echo -e " \033[32;5mCopied successfully!\033[0m"
+done
+
+# Step 3: Connect to Master1 and move kube-vip.yaml and config.yaml. Then install RKE2, copy token back to admin machine. We then use the token to bootstrap additional masternodes
+ssh -tt $user@$master1 -i ~/.ssh/$certName sudo su <<EOF
+mkdir -p /var/lib/rancher/rke2/server/manifests
+mv kube-vip.yaml /var/lib/rancher/rke2/server/manifests/kube-vip.yaml
+mkdir -p /etc/rancher/rke2
+mv config.yaml /etc/rancher/rke2/config.yaml
+echo 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml' >> ~/.bashrc ; echo 'export PATH=${PATH}:/var/lib/rancher/rke2/bin' >> ~/.bashrc ; echo 'alias k=kubectl' >> ~/.bashrc ; source ~/.bashrc ;
+curl -sfL https://get.rke2.io | sh -
+systemctl enable rke2-server.service
+systemctl start rke2-server.service
+echo "StrictHostKeyChecking no" > ~/.ssh/config
+ssh-copy-id -i /home/$user/.ssh/$certName $user@$admin
+scp -i /home/$user/.ssh/$certName /var/lib/rancher/rke2/server/token $user@$admin:~/token
+scp -i /home/$user/.ssh/$certName /etc/rancher/rke2/rke2.yaml $user@$admin:~/.kube/rke2.yaml
+exit
+EOF
+echo -e " \033[32;5mMaster1 Completed\033[0m"
+
+# Step 4: Set variable to the token we just extracted, set kube config location
+token=`cat token`
+sudo cat ~/.kube/rke2.yaml | sed 's/127.0.0.1/'$master1'/g' > $HOME/.kube/config
+sudo chown $(id -u):$(id -g) $HOME/.kube/config
+export KUBECONFIG=${HOME}/.kube/config
+sudo cp ~/.kube/config /etc/rancher/rke2/rke2.yaml
+kubectl get nodes
+
+# Step 5: Install kube-vip as network LoadBalancer - Install the kube-vip Cloud Provider
+kubectl apply -f https://kube-vip.io/manifests/rbac.yaml
+kubectl apply -f https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/main/manifest/kube-vip-cloud-controller.yaml
+
+# Step 6: Add other Masternodes, note we import the token we extracted from step 3
+# for newnode in "${masters[@]}"; do
+#   ssh -tt $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
+#   mkdir -p /etc/rancher/rke2
+#   touch /etc/rancher/rke2/config.yaml
+#   echo "token: $token" >> /etc/rancher/rke2/config.yaml
+#   echo "server: https://$master1:9345" >> /etc/rancher/rke2/config.yaml
+#   echo "tls-san:" >> /etc/rancher/rke2/config.yaml
+#   echo "  - $vip" >> /etc/rancher/rke2/config.yaml
+#   echo "  - $master1" >> /etc/rancher/rke2/config.yaml
+#   echo "  - $master2" >> /etc/rancher/rke2/config.yaml
+#   echo "  - $master3" >> /etc/rancher/rke2/config.yaml
+#   curl -sfL https://get.rke2.io | sh -
+#   systemctl enable rke2-server.service
+#   systemctl start rke2-server.service
+#   exit
+# EOF
+#   echo -e " \033[32;5mMaster node joined successfully!\033[0m"
+# done
+
+kubectl get nodes
+
+# Step 7: Add Workers
+for newnode in "${workers[@]}"; do
+  ssh -tt $user@$newnode -i ~/.ssh/$certName sudo su <<EOF
+  mkdir -p /etc/rancher/rke2
+  touch /etc/rancher/rke2/config.yaml
+  echo "token: $token" >> /etc/rancher/rke2/config.yaml
+  echo "server: https://$vip:9345" >> /etc/rancher/rke2/config.yaml
+  echo "node-label:" >> /etc/rancher/rke2/config.yaml
+  echo "  - worker=true" >> /etc/rancher/rke2/config.yaml
+  echo "  - longhorn=true" >> /etc/rancher/rke2/config.yaml
+  curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="agent" sh -
+  systemctl enable rke2-agent.service
+  systemctl start rke2-agent.service
+  exit
+EOF
+  echo -e " \033[32;5mWorker node joined successfully!\033[0m"
+done
+
+kubectl get nodes
+
+# Step 8: Install Metallb
+echo -e " \033[32;5mDeploying Metallb\033[0m"
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/namespace.yaml
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.12/config/manifests/metallb-native.yaml
+# Download ipAddressPool and configure using lbrange above
+curl -sO https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Kubernetes/RKE2/ipAddressPool
+cat ipAddressPool | sed 's/$lbrange/'$lbrange'/g' > $HOME/ipAddressPool.yaml
+
+# Step 9: Deploy IP Pools and l2Advertisement
+echo -e " \033[32;5mAdding IP Pools, waiting for Metallb to be available first. This can take a long time as we're likely being rate limited for container pulls...\033[0m"
+kubectl wait --namespace metallb-system \
+                --for=condition=ready pod \
+                --selector=component=controller \
+                --timeout=1800s
+kubectl apply -f ipAddressPool.yaml
+kubectl apply -f https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Kubernetes/RKE2/l2Advertisement.yaml
+
+# Step 10: Install Rancher (Optional - Delete if not required)
+#Install Helm
+echo -e " \033[32;5mInstalling Helm\033[0m"
+curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+chmod 700 get_helm.sh
+./get_helm.sh
+
+# Add Rancher Helm Repo & create namespace
+helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
+kubectl create namespace cattle-system
+
+# Install Cert-Manager
+echo -e " \033[32;5mDeploying Cert-Manager\033[0m"
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.crds.yaml
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install cert-manager jetstack/cert-manager \
+--namespace cert-manager \
+--create-namespace \
+--version v1.13.2
+kubectl get pods --namespace cert-manager
+
+# Install Rancher
+echo -e " \033[32;5mDeploying Rancher\033[0m"
+helm install rancher rancher-latest/rancher \
+ --namespace cattle-system \
+ --set hostname=rancher.my.org \
+ --set bootstrapPassword=admin
+kubectl -n cattle-system rollout status deploy/rancher
+kubectl -n cattle-system get deploy rancher
+
+# Add Rancher LoadBalancer
+kubectl get svc -n cattle-system
+kubectl expose deployment rancher --name=rancher-lb --port=443 --type=LoadBalancer -n cattle-system
+while [[ $(kubectl get svc -n cattle-system 'jsonpath={..status.conditions[?(@.type=="Pending")].status}') = "True" ]]; do
+   sleep 5
+   echo -e " \033[32;5mWaiting for LoadBalancer to come online\033[0m" 
+done
+kubectl get svc -n cattle-system
+
+echo -e " \033[32;5mAccess Rancher from the IP above - Password is admin!\033[0m"
@@ -0,0 +1,17 @@
+# Copy agent config to all agents - we need to change agent2 & 3 later with the token
+- name: Deploy RKE2 Agent Configuration
+  ansible.builtin.template:
+    src: templates/rke2-agent-config.j2
+    dest: /etc/rancher/rke2/config.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['agents']
+
+# Check agents have restarted to pick up config
+- name: Ensure RKE2 agents are enabled and running
+  ansible.builtin.systemd:
+    name: rke2-agent
+    enabled: true
+    state: restarted
+    daemon_reload: true
@@ -0,0 +1,6 @@
+write-kubeconfig-mode: "0644"
+token: {{ hostvars['server1']['token'] }}
+server: https://{{ hostvars['server1']['ansible_host'] }}:9345
+node-label:
+  - "agent=true"
+  - "longhorn=true"
@@ -0,0 +1,53 @@
+# Copy server config with token to all servers except server 1 (this has token)
+- name: Deploy RKE2 server Configuration
+  ansible.builtin.template:
+    src: templates/rke2-server-config.j2
+    dest: /etc/rancher/rke2/config.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname != groups['servers'][0]
+
+# Keep checking the cluster API until it's functioning (deployed)
+- name: Wait for cluster API to be ready (can take 5-10 mins depending on internet/hardware)
+  ansible.builtin.command:
+    cmd: "kubectl get nodes"
+  register: kubectl_output
+  until: "'connection refused' not in kubectl_output.stderr"
+  retries: 120
+  delay: 10
+  changed_when: true
+  become_user: "{{ ansible_user }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# Use kubectl to deploy yaml. Perhaps this can be added to the manifest folder initially
+- name: Apply kube vip configuration file
+  ansible.builtin.command:
+    cmd: kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml apply -f https://kube-vip.io/manifests/rbac.yaml
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Apply the kube-vip configration. Perhaps this can be added to the manifest folder initially
+- name: Apply kube vip configuration file
+  ansible.builtin.command:
+    cmd: kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml apply -f https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/main/manifest/kube-vip-cloud-controller.yaml
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Check that additional servers are restarted
+- name: Ensure additional RKE2 servers are enabled and running
+  ansible.builtin.systemd:
+    name: rke2-server
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  when: inventory_hostname != groups['servers'][0]
+
+# enable additional servers
+- name: Ensure RKE2 server is enabled and running
+  ansible.builtin.systemd:
+    name: rke2-server
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  when: inventory_hostname != groups['servers'][0]
@@ -0,0 +1,8 @@
+write-kubeconfig-mode: "0644"
+token: {{ hostvars['server1']['token'] }}
+server: https://{{ hostvars['server1']['ansible_host'] }}:9345
+tls-san:
+  - {{ vip }}
+  - {{ hostvars['server1']['ansible_host'] }}
+node-label:
+  - server=true
@@ -0,0 +1,60 @@
+# Wait for Server 1 to be ready before continuing with metallb deployment
+- name: Wait for k8s nodes with node label 'server=true' to be ready, otherwise we cannot start metallb deployment
+  ansible.builtin.command:
+    cmd: "kubectl wait --for=condition=Ready nodes --selector server=true --timeout=600s"
+  register: nodes_ready
+  retries: 120
+  delay: 10
+  changed_when: true
+  become_user: "{{ ansible_user }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# Create namespace so that we can deploy metallb
+- name: Apply metallb namespace
+  ansible.builtin.command:
+    cmd: kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/namespace.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Apply metallb manifest
+- name: Apply metallb manifest
+  ansible.builtin.command:
+    cmd: kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/{{ metallb_version }}/config/manifests/metallb-native.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Wait for metallb deployment pods to be alive before deploying metallb manifests
+- name: Wait for metallb pods to be ready, otherwise we cannot start metallb deployment
+  ansible.builtin.command:
+    cmd: "kubectl wait --namespace metallb-system --for=condition=ready pod --selector=component=controller --timeout=1800s"
+  changed_when: true
+  become_user: "{{ ansible_user }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# Apply L2 Advertisement for metallb
+- name: Apply metallb L2 Advertisement
+  ansible.builtin.command:
+    cmd: kubectl apply -f https://raw.githubusercontent.com/JamesTurland/JimsGarage/main/Kubernetes/RKE2/l2Advertisement.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
+
+# Deploy metal IP Pool to Server 1
+- name: Copy metallb IPPool to server 1
+  ansible.builtin.template:
+    src: templates/metallb-ippool.j2
+    dest: /home/{{ ansible_user }}/ippool.yaml
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: '0755'
+  when: inventory_hostname == groups['servers'][0]
+
+# don't think this will work as nodes are no execute, might need agents first
+- name: Apply metallb ipppool
+  ansible.builtin.command:
+    cmd: kubectl apply -f /home/{{ ansible_user }}/ippool.yaml
+  become_user: "{{ ansible_user }}"
+  changed_when: true
+  when: inventory_hostname == groups['servers'][0]
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: {{ lb_pool_name }}
+  namespace: metallb-system
+spec:
+  addresses:
+  - {{ lb_range }}
@@ -0,0 +1,17 @@
+# Create directory to deploy kube-vip manifest
+- name: Create directory for Kube VIP Manifest
+  ansible.builtin.file:
+    path: "/var/lib/rancher/rke2/server/manifests"
+    state: directory
+    mode: '0644'
+  when: inventory_hostname in groups['servers']
+
+# Copy kube-vip to server 1 manifest folder for auto deployment at bootstrap
+- name: Deploy Kube VIP Configuration
+  ansible.builtin.template:
+    src: templates/kube-vip-config.j2
+    dest: /var/lib/rancher/rke2/server/manifests/kube-vip.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname == groups['servers'][0]
@@ -0,0 +1,88 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: kube-vip-ds
+    app.kubernetes.io/version: {{ kube_vip_version }}
+  name: kube-vip-ds
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-vip-ds
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: kube-vip-ds
+        app.kubernetes.io/version: {{ kube_vip_version }}
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists
+            - matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+      containers:
+      - args:
+        - manager
+        env:
+        - name: vip_arp
+          value: "true"
+        - name: port
+          value: "6443"
+        - name: vip_interface
+          value: {{ vip_interface }}
+        - name: vip_cidr
+          value: "32"
+        - name: cp_enable
+          value: "true"
+        - name: cp_namespace
+          value: kube-system
+        - name: vip_ddns
+          value: "false"
+        - name: svc_enable
+          value: "false"
+        - name: svc_leasename
+          value: plndr-svcs-lock
+        - name: vip_leaderelection
+          value: "true"
+        - name: vip_leasename
+          value: plndr-cp-lock
+        - name: vip_leaseduration
+          value: "5"
+        - name: vip_renewdeadline
+          value: "3"
+        - name: vip_retryperiod
+          value: "1"
+        - name: address
+          value: {{ vip }}
+        - name: prometheus_server
+          value: :2112
+        image: ghcr.io/kube-vip/kube-vip:{{ kube_vip_version }}
+        imagePullPolicy: Always
+        name: kube-vip
+        resources: {}
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+      hostNetwork: true
+      serviceAccountName: kube-vip
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+  updateStrategy: {}
+status:
+  currentNumberScheduled: 0
+  desiredNumberScheduled: 0
+  numberMisscheduled: 0
+  numberReady: 0
@@ -0,0 +1,15 @@
+- name: Enable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    state: present
+    reload: true
+  tags: sysctl
+
+- name: Enable IPv6 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: "1"
+    state: present
+    reload: true
+  tags: sysctl
@@ -0,0 +1,31 @@
+# Create a directory to download RKE2 binary to
+- name: Create directory for RKE2 binary
+  ansible.builtin.file:
+    path: "{{ rke2_install_dir }}"
+    state: directory
+    mode: '0755'
+
+# Download the RKE2 binary
+- name: Download RKE2 amd64 binary
+  ansible.builtin.get_url:
+    url: "{{ rke2_binary_url }}/rke2.linux-amd64"
+    dest: "{{ rke2_install_dir }}/rke2"
+    mode: '0755'
+  when: ansible_facts.architecture == "x86_64"
+
+- name: Download RKE2 arm64 binary
+  ansible.builtin.get_url:
+    url: "{{ rke2_binary_url }}/rke2.linux-arm64"
+    dest: "{{ rke2_install_dir }}/rke2"
+    mode: '0755'
+  when:
+    - ( ansible_facts.architecture is search("arm") and
+        ansible_facts.userspace_bits == "64" ) or
+      ansible_facts.architecture is search("aarch64")
+
+# Set permissions on the RKE2 binary
+- name: Set executable permissions on the RKE2 binary
+  ansible.builtin.file:
+    path: "{{ rke2_install_dir }}/rke2"
+    mode: '0755'
+    state: file
@@ -0,0 +1,134 @@
+- name: Create directory for RKE2 config
+  ansible.builtin.file:
+    path: "/etc/rancher/rke2"
+    state: directory
+    mode: '0644'
+
+- name: Create directory for RKE2 token
+  ansible.builtin.file:
+    path: "/var/lib/rancher/rke2/server"
+    state: directory
+    mode: '0644'
+
+# Copy server config to server 1 for bootstrap - we need to change server2 & 3 later with the token
+- name: Deploy RKE2 server Configuration
+  ansible.builtin.template:
+    src: templates/rke2-server-config.j2
+    dest: /etc/rancher/rke2/config.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['servers']
+
+- name: Create systemd service file for RKE2 server
+  ansible.builtin.template:
+    src: templates/rke2-server.service.j2
+    dest: /etc/systemd/system/rke2-server.service
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['servers']
+
+- name: Create systemd service file for RKE2 agent
+  ansible.builtin.template:
+    src: templates/rke2-agent.service.j2
+    dest: /etc/systemd/system/rke2-agent.service
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups['agents']
+
+# we enable the first server to generate tokens etc, copy this afterwards to other servers
+- name: Ensure RKE2 server is enabled and running
+  ansible.builtin.systemd:
+    name: rke2-server
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  when: inventory_hostname in groups['servers'][0]
+
+# wait for node token to be availale so that we can copy it, we need this to join other nodes
+- name: Wait for node-token
+  ansible.builtin.wait_for:
+    path: /var/lib/rancher/rke2/server/node-token
+  when: inventory_hostname == groups['servers'][0]
+
+# wait for kubectl to be downloaded, part of the rke2 installation
+- name: Wait for kubectl
+  ansible.builtin.wait_for:
+    path: /var/lib/rancher/rke2/bin/kubectl
+  when: inventory_hostname == groups['servers'][0]
+
+# copy kubectl to usr bin so that all users can run kubectl commands
+- name: Copy kubectl to user bin
+  ansible.builtin.copy:
+    src: /var/lib/rancher/rke2/bin/kubectl
+    dest: /usr/local/bin/kubectl
+    mode: '0755'
+    remote_src: true
+  become: true
+  when: inventory_hostname == groups['servers'][0]
+
+# wait for the kubectl copy to complete
+- name: Wait for kubectl
+  ansible.builtin.wait_for:
+    path: /usr/local/bin/kubectl
+  when: inventory_hostname == groups['servers'][0]
+
+# modify token access
+- name: Register node-token file access mode
+  ansible.builtin.stat:
+    path: /var/lib/rancher/rke2/server
+  register: p
+
+- name: Change file access for node-token
+  ansible.builtin.file:
+    path: /var/lib/rancher/rke2/server
+    mode: "g+rx,o+rx"
+  when: inventory_hostname == groups['servers'][0]
+
+# Save token as variable
+- name: Fetch the token from the first server node
+  ansible.builtin.slurp:
+    src: /var/lib/rancher/rke2/server/token
+  register: rke2_token
+  when: inventory_hostname == groups['servers'][0]
+  run_once: true
+
+# convert token to fact
+- name: Save Master node-token for later
+  ansible.builtin.set_fact:
+    token: "{{ rke2_token.content | b64decode | regex_replace('\n', '') }}"
+
+# revert token file access
+- name: Restore node-token file access
+  ansible.builtin.file:
+    path: /var/lib/rancher/rke2/server
+    mode: "{{ p.stat.mode }}"
+  when: inventory_hostname == groups['servers'][0]
+
+# check .kube folder exists so that we can use kubectl (config resides here)
+- name: Ensure .kube directory exists in user's home
+  ansible.builtin.file:
+    path: "/home/{{ ansible_user }}/.kube"
+    state: directory
+    mode: '0755'
+  become: true
+
+# copy kubectl config file to .kube folder
+- name: Copy config file to user home directory
+  ansible.builtin.copy:
+    src: /etc/rancher/rke2/rke2.yaml
+    dest: "/home/{{ ansible_user }}/.kube/config"
+    remote_src: true
+    owner: "{{ ansible_user }}"
+    mode: "u=rw,g=,o="
+  when: inventory_hostname == groups['servers'][0]
+
+# change IP from local to server 1 IP
+- name: Replace IP address with server1
+  ansible.builtin.replace:
+    path: /home/{{ ansible_user }}/.kube/config
+    regexp: '127.0.0.1'
+    replace: "{{ hostvars['server1']['ansible_host'] }}"
+  when: inventory_hostname == groups['servers'][0]
@@ -0,0 +1,13 @@
+# rke2-agent.service.j2
+[Unit]
+Description=RKE2 Agent
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/rke2 agent
+KillMode=process
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,8 @@
+write-kubeconfig-mode: "0644"
+tls-san:
+  - {{ vip }}
+  - {{ hostvars['server1']['ansible_host'] }}
+node-label:
+  - server=true
+disable:
+  - rke2-ingress-nginx
@@ -0,0 +1,13 @@
+# rke2-server.service.j2
+[Unit]
+Description=RKE2 server
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/rke2 server
+KillMode=process
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,61 @@
+# Hello, thanks for using my playbook, hopefully you can help to improve it.
+# Things that need adding: (there are many more)
+# 1) Support different OS & architectures
+# 2) Support multiple CNIs
+# 3) Improve the wait logic
+# 4) Use kubernetes Ansible plugins more sensibly
+# 5) Optimise flow logic
+# 6) Clean up
+
+###############################################################
+# MAKE SURE YOU CHANGE group_vars/all.yaml VARIABLES!!!!!!!!!!!
+###############################################################
+
+# bootstraps first server and copies configs for others/agents
+- name: Prepare all nodes
+  hosts: servers,agents
+  gather_facts: true # enables us to gather lots of useful variables: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/setup_module.html
+  roles:
+    - prepare-nodes
+
+# creates directories for download and then downloads RKE2 and changes permissions
+- name: Download RKE2
+  hosts: servers,agents
+  gather_facts: true
+  roles:
+    - rke2-download
+
+# Creates RKE2 bootstrap manifests folder and copies kube-vip template over (configured with variables)
+- name: Deploy Kube VIP
+  hosts: servers
+  gather_facts: true
+  roles:
+    - kube-vip
+
+# bootstraps the first server, copies configs to nodes, saves token to use later
+- name: Prepare RKE2 on Servers and Agents
+  hosts: servers,agents
+  gather_facts: true
+  roles:
+    - rke2-prepare
+
+# Adds additional servers using the token from the previous task
+- name: Add additional RKE2 Servers
+  hosts: servers
+  gather_facts: true
+  roles:
+    - add-server
+
+# Adds agents to the cluster
+- name: Add additional RKE2 Agents
+  hosts: agents
+  gather_facts: true
+  roles:
+    - add-agent
+
+# Finish kube-vip, add metallb
+- name: Apply manifests after cluster is created
+  hosts: servers
+  gather_facts: true
+  roles:
+    - apply-manifests
--- a/Show More
+++ b/Show More