k3s: debian vm and manifest

added gitea + drone config
make drone-runner able to use hosts wireguard tunnel (not persistent)
2026-02-26 11:43:13 +01:00 · 2026-02-26 11:41:02 +01:00 · 2026-02-26 11:34:49 +01:00
16 changed files with 316 additions and 27 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,8 @@
 docs/
+
+tofu/*.tfstate
+tofu/*.tfstate.backup
+tofu/.terraform/
+tofu/terraform.tfvars
+
+gitea/drone.env
--- a/ansible/drone-runner.yml
+++ b/ansible/drone-runner.yml
@@ -53,3 +53,7 @@
          DRONE_RPC_SECRET: "dronegitea"
          DRONE_RUNNER_CAPACITY: "4"
          DRONE_RUNNER_NAME: "proxmox-runner"
+
+      # not persistent
+    - name: Add route to WireGuard network via Proxmox host
+      command: ip route add 10.0.0.0/24 via 192.168.178.2
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -3,3 +3,6 @@ all:
    drone-runner:
      ansible_host: 192.168.178.200
      ansible_user: root
+    k3s:
+      ansible_host: 192.168.178.201
+      ansible_user: debian
--- a/ansible/k3s.yml
+++ b/ansible/k3s.yml
@@ -0,0 +1,28 @@
+- name: Configure k3s VM
+  hosts: k3s
+  become: true
+  tasks:
+    - name: Install dependencies
+      apt:
+        name:
+          - curl
+
+    - name: Install k3s
+      shell: curl -sfL https://get.k3s.io | sh -
+      args:
+        creates: /usr/local/bin/k3s
+
+    - name: Copy Manifest
+      copy:
+        src: ../kubernetes/manifest.yml
+        dest: /home/debian/manifest.yml
+
+    - name: Allow Password Authetification
+      lineinfile:
+        dest=/etc/ssh/sshd_config
+        regexp="^PasswordAuthentication no"
+        line="PasswordAuthentication yes"
+        state=present
+
+    - name: Restart sshd
+      shell: systemctl restart sshd.service
--- a/gitea/docker-compose.yml
+++ b/gitea/docker-compose.yml
@@ -0,0 +1,36 @@
+version: "3"
+
+networks:
+  ci:
+    external: false
+
+services:
+  gitea:
+    image: docker.gitea.com/gitea:1.25.1
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__webhook__ALLOWED_HOST_LIST=*
+      - GITEA__server__ROOT_URL=https://gitea.gilmour109.de
+    restart: always
+    networks:
+      - ci
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+  drone:
+    container_name: drone
+    image: drone/drone:latest
+    restart: always
+    networks:
+      - ci
+    env_file: drone.env
+    volumes:
+      - ./drone:/data
+    ports:
+      - "2201:80"
--- a/gitea/drone.env.example
+++ b/gitea/drone.env.example
@@ -0,0 +1,9 @@
+DRONE_GITEA_SERVER=https://gitea.example.com
+DRONE_GITEA_CLIENT_ID=client-id
+DRONE_GITEA_CLIENT_SECRET=client-secret
+DRONE_GIT_ALWAYS_AUTH=true
+DRONE_SERVER_PROTO=https
+DRONE_SERVER_HOST=drone.example.com
+DRONE_EXTERNAL_HOST=drone.example.com
+DRONE_RPC_SECRET=rpc-secret
+DRONE_USER_CREATE=username:admin,admin:true
--- a/kubernetes/manifest.yml
+++ b/kubernetes/manifest.yml
@@ -0,0 +1,103 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mongo-${NAME}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongo-${NAME}
+  template:
+    metadata:
+      labels:
+        app: mongo-${NAME}
+    spec:
+      containers:
+        - name: mongo
+          image: mongo:8
+          ports:
+            - containerPort: 27017
+          env:
+            - name: MONGO_INITDB_ROOT_USERNAME
+              value: "root"
+            - name: MONGO_INITDB_ROOT_PASSWORD
+              value: "mongoose"
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongo-${NAME}
+spec:
+  selector:
+    app: mongo-${NAME}
+  ports:
+    - port: 27017
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: calchat-server-${NAME}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: calchat-server-${NAME}
+  template:
+    metadata:
+      labels:
+        app: calchat-server-${NAME}
+    spec:
+      containers:
+        - name: calchat-server
+          image: gitea.gilmour109.de/gilmour109/calchat-server:${TAG}
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 3001
+          env:
+            - name: PORT
+              value: "3001"
+            - name: MONGODB_URI
+              value: "mongodb://root:mongoose@mongo-${NAME}:27017/calchat?authSource=admin"
+            - name: USE_TEST_RESPONSES
+              value: "true"
+            - name: VERSION
+              value: "${TAG}"
+            - name: COMMIT
+              value: "${COMMIT}"
+            - name: OPENAI_API_KEY
+              value: "dummy"
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: calchat-server-${NAME}
+spec:
+  selector:
+    app: calchat-server-${NAME}
+  ports:
+    - port: 3001
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: calchat-server-${NAME}
+spec:
+  rules:
+  - host: "${NAME}.192.168.178.201.nip.io"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: calchat-server-${NAME}
+            port:
+              number: 3001
--- a/tofu/.gitignore
+++ b/tofu/.gitignore
@@ -1,4 +0,0 @@
-*.tfstate
-*.tfstate.backup
-.terraform/
-terraform.tfvars
--- a/tofu/.terraform.lock.hcl
+++ b/tofu/.terraform.lock.hcl
@@ -23,3 +23,19 @@ provider "registry.opentofu.org/bpg/proxmox" {
    "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",
  ]
 }
+
+provider "registry.opentofu.org/hashicorp/random" {
+  version = "3.8.1"
+  hashes = [
+    "h1:EHn3jsqOKhWjbg0X+psk0Ww96yz3N7ASqEKKuFvDFwo=",
+    "zh:25c458c7c676f15705e872202dad7dcd0982e4a48e7ea1800afa5fc64e77f4c8",
+    "zh:2edeaf6f1b20435b2f81855ad98a2e70956d473be9e52a5fdf57ccd0098ba476",
+    "zh:44becb9d5f75d55e36dfed0c5beabaf4c92e0a2bc61a3814d698271c646d48e7",
+    "zh:7699032612c3b16cc69928add8973de47b10ce81b1141f30644a0e8a895b5cd3",
+    "zh:86d07aa98d17703de9fbf402c89590dc1e01dbe5671dd6bc5e487eb8fe87eee0",
+    "zh:8c411c77b8390a49a8a1bc9f176529e6b32369dd33a723606c8533e5ca4d68c1",
+    "zh:a5ecc8255a612652a56b28149994985e2c4dc046e5d34d416d47fa7767f5c28f",
+    "zh:aea3fe1a5669b932eda9c5c72e5f327db8da707fe514aaca0d0ef60cb24892f9",
+    "zh:f56e26e6977f755d7ae56fa6320af96ecf4bb09580d47cb481efbf27f1c5afff",
+  ]
+}
--- a/tofu/drone-runner.tf
+++ b/tofu/drone-runner.tf
@@ -1,15 +1,3 @@
-provider "proxmox" {
-  endpoint = var.proxmox_endpoint
-  username = "root@pam"
-  password = var.proxmox_password
-  insecure = true
-
-  ssh {
-    agent    = true
-    username = "root"
-  }
-}
-
 resource "proxmox_virtual_environment_download_file" "debian_13_lxc_template" {
  content_type = "vztmpl"
  datastore_id = "local"
@@ -73,5 +61,15 @@ resource "proxmox_virtual_environment_container" "drone_runner" {
  startup {
    order = "1"
  }
-
 }
+
+output "drone_runner_id" {
+  description = "VMID of the Drone Runner LXC"
+  value       = proxmox_virtual_environment_container.drone_runner.vm_id
+}
+
+output "drone_runner_ip" {
+  description = "IP address of the Drone Runner LXC"
+  value       = var.drone_runner_ip
+}
+
--- a/tofu/k3s.tf
+++ b/tofu/k3s.tf
@@ -0,0 +1,66 @@
+resource "proxmox_virtual_environment_download_file" "latest_debian_13_trixie_qcow2_img" {
+  content_type = "import"
+  datastore_id = "local"
+  node_name = var.node_name
+  url = "https://cloud.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2"
+}
+
+resource "proxmox_virtual_environment_vm" "debian_13_vm_for_k3s" {
+  name        = "k3s"
+  description = "Debian 13 vm for k3s"
+  tags        = ["opentofu", "debian"]
+
+  node_name = var.node_name
+  vm_id     = var.k3s_id
+
+  agent {
+    enabled = false
+  }
+  stop_on_destroy = true
+
+  startup {
+    order      = "3"
+    up_delay   = "60"
+    down_delay = "60"
+  }
+
+  cpu {
+    cores        = 2
+    type         = "host"
+  }
+
+  memory {
+    dedicated = 4096
+    floating  = 4096
+  }
+
+  disk {
+    datastore_id = "local-lvm"
+    import_from  = proxmox_virtual_environment_download_file.latest_debian_13_trixie_qcow2_img.id
+    interface    = "scsi0"
+    size         = 20
+  }
+
+  initialization {
+    ip_config {
+      ipv4 {
+        address = var.k3s_ip
+        gateway = var.gateway
+      }
+    }
+
+    user_account {
+      keys     = [trimspace(file(var.ssh_public_key_path))]
+      password = var.k3s_password
+      username = "debian"
+    }
+  }
+
+  network_device {
+    bridge = "vmbr0"
+  }
+
+  operating_system {
+    type = "l26"
+  }
+}
--- a/tofu/outputs.tf
+++ b/tofu/outputs.tf
@@ -1,9 +0,0 @@
-output "drone_runner_id" {
-  description = "VMID of the Drone Runner LXC"
-  value       = proxmox_virtual_environment_container.drone_runner.vm_id
-}
-
-output "drone_runner_ip" {
-  description = "IP address of the Drone Runner LXC"
-  value       = var.drone_runner_ip
-}
--- a/tofu/provider.tf
+++ b/tofu/provider.tf
@@ -0,0 +1,12 @@
+provider "proxmox" {
+  endpoint = var.proxmox_endpoint
+  username = "root@pam"
+  password = var.proxmox_password
+  insecure = true
+
+  ssh {
+    agent    = true
+    username = "root"
+  }
+}
+
--- a/tofu/terraform.tfvars.example
+++ b/tofu/terraform.tfvars.example
@@ -6,3 +6,6 @@ drone_runner_ip        = "192.168.x.200/24"
 gateway                = "192.168.x.1"
 ssh_public_key_path    = "~/.ssh/id_ed25519.pub"
 drone_runner_password  = "lxc-root-password"
+k3s_id                 = 201
+k3s_ip                 = "192.168.x.201/24"
+k3s_password           = "debian-vm-password"
--- a/tofu/variables.tf
+++ b/tofu/variables.tf
@@ -21,11 +21,22 @@ variable "drone_runner_id" {
  default     = 200
 }

+variable "k3s_id" {
+  description = "VMID for the k3s vm"
+  type        = number
+  default     = 4321
+}
+
 variable "drone_runner_ip" {
  description = "Static IP in CIDR notation"
  type        = string
 }

+variable "k3s_ip" {
+  description = "Static IP in CIDR notation"
+  type        = string
+}
+
 variable "gateway" {
  description = "Network gateway IP"
  type        = string
@@ -42,3 +53,9 @@ variable "drone_runner_password" {
  type        = string
  sensitive   = true
 }
+
+variable "k3s_password" {
+  description = "Password for debian user on the K3s VM"
+  type        = string
+  sensitive   = true
+}
--- a/tofu/versions.tf
+++ b/tofu/versions.tf
@@ -3,7 +3,7 @@ terraform {

  backend "s3" {
    bucket = "tofu-state"
-    key    = "drone-runner/terraform.tfstate"
+    key    = "calchat-pipeline/terraform.tfstate"
    region = "garage"

    endpoints = {
Author	SHA1	Message	Date
Linus Waldowsky	8ad2c150a4	k3s: debian vm and manifest	2026-02-26 11:43:13 +01:00
Linus Waldowsky	0cab06acd4	added gitea + drone config	2026-02-26 11:41:02 +01:00
Linus Waldowsky	9688eb529d	make drone-runner able to use hosts wireguard tunnel (not persistent)	2026-02-26 11:34:49 +01:00