index

Author: ildoc

COPYING

@@ -1,5 +1,128 @@
 # Homelab
 
-(quasi) Gitops e IAC
+[![documentation](https://img.shields.io/website?label=document&logo=gitbook&logoColor=white&style=flat-square&url=https%3A%2F%2Fhomelab.ildoc.it)](https://homelab.ildoc.it)
+[![license](https://img.shields.io/github/license/ildoc/homelab?style=flat-square&logo=gnu&logoColor=white)](https://www.gnu.org/licenses/gpl-3.0.html)
 
-[homelab.ildoc.it](https://homelab.ildoc.it)
+Questo progetto mira a utilizzare [Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code) e [GitOps](https://www.weave.works/technologies/gitops) per automatizzare il più possibile l'installazione e la configurazione del software che gira sul mio Homelab.
+
+Nel 2020 sono partito da un docker-compose e oggi sono messo così... è un work in progress continuo 😅
+
+> **Che cos'è un homelab?**
+>
+> Un Homelab è un laboratorio casalingo dove si può fare self-hosting, sperimentare nuove tecnologie, fare pratica per certificazioni e così via.
+>
+> Per maggiori informazioni fare riferimento alla introduzione di [r/homelab](https://www.reddit.com/r/homelab/wiki/introduction) e alla community Discord [Home Operations](https://discord.gg/home-operations) (ex [k8s-at-home](https://k8s-at-home.com)).
+>
+> Un ottimo articolo è anche [What is a Homelab and Why Should You Have One?](https://linuxhandbook.com/homelab/) 
+
+
+## Overview generale
+
+Tutto l'Homelab gestito (principalmente) con playbook Ansible, ArgoCD e pipeline Gitlab.
+
+**NOTA:** questo repository GitHub è un mirror del repository originale che si trova sulla mia istanza privata di GitLab
+
+## Tech stack
+
+<table>
+    <tr>
+        <th>Logo</th>
+        <th>Nome</th>
+        <th>Descrzione</th>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://simpleicons.org/icons/ansible.svg"></td>
+        <td><a href="https://www.ansible.com">Ansible</a></td>
+        <td>Automazione di deploy e configurazioni</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/30269780"></td>
+        <td><a href="https://argoproj.github.io/cd">ArgoCD</a></td>
+        <td>Tool GitOps per deployare su Kubernetes</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://github.com/jetstack/cert-manager/raw/master/logo/logo.png"></td>
+        <td><a href="https://cert-manager.io">cert-manager</a></td>
+        <td>Cloud native certificate management</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/21054566?s=200&v=4"></td>
+        <td><a href="https://cilium.io">Cilium</a></td>
+        <td>eBPF-based Networking, Observability e Security (CNI, Network Policy, ecc.)</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/314135?s=200&v=4"></td>
+        <td><a href="https://www.cloudflare.com">Cloudflare</a></td>
+        <td>Issuer dei certificati e Tunnel</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://www.docker.com/wp-content/uploads/2022/03/Moby-logo.png"></td>
+        <td><a href="https://www.docker.com">Docker</a></td>
+        <td>Orchestrazione di container con docker compose</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://images.ctfassets.net/xz1dnu24egyd/1IRkfXmxo8VP2RAE5jiS1Q/ea2086675d87911b0ce2d34c354b3711/gitlab-logo-500.png"></td>
+        <td><a href="https://gitlab.com">GitLab</a></td>
+        <td>Self-hosted Git</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/13991055?s=200&v=4"></td>
+        <td><a href="https://www.hashicorp.com/en/products/vault">HashiCorp Vault</a></td>
+        <td>Secrets management</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://helm.sh/img/helm.svg"></td>
+        <td><a href="https://helm.sh">Helm</a></td>
+        <td>Package manager per Kubernetes</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://kube-vip.io/images/kube-vip.png"></td>
+        <td><a href="https://kube-vip.io">kube-vip</a></td>
+        <td>Virtual IP e load balancer</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/13629408"></td>
+        <td><a href="https://kubernetes.io">Kubernetes</a></td>
+        <td>Container-orchestration system</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/1412239?s=200&v=4"></td>
+        <td><a href="https://www.nginx.com">NGINX</a></td>
+        <td>Reverse Proxy</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://wp-cdn.pi-hole.net/wp-content/uploads/2016/12/Vortex-R.png"></td>
+        <td><a href="https://pi-hole.net/">Pi-hole</a></td>
+        <td>Ad blocker, DNS e DHCP</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/13991055?s=200&v=4"></td>
+        <td><a href="https://www.proxmox.com">Proxmox</a></td>
+        <td>Virtualizzazione di VM e LXC</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://docs.renovatebot.com/assets/images/logo.png"></td>
+        <td><a href="https://docs.renovatebot.com/">Renovate</a></td>
+        <td>Update automatico delle dipendenze</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/14280338?s=200&v=4"></td>
+        <td><a href="https://doc.traefik.io/traefik/">Traefik</a></td>
+        <td>Kubernetes Ingress Controller</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/53482242?s=200&v=4"></td>
+        <td><a href="https://www.truenas.com/">TrueNAS</a></td>
+        <td>NFS share, Backup</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://upload.wikimedia.org/wikipedia/commons/1/16/Ubuntu_and_Ubuntu_Server_Icon.png"></td>
+        <td><a href="https://ubuntu.com/server">Ubuntu Server</a></td>
+        <td>Os di base per i nodi Kubernetes</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="https://avatars.githubusercontent.com/u/13991055?s=200&v=4"></td>
+        <td><a href="https://www.wireguard.com">Wireguard</a></td>
+        <td>VPN tunnel</td>
+    </tr>
+</table>

README.md

@@ -1,4 +1,4 @@
-- name: Creare cartella certbot
+- name: Create certbot folder
   ansible.builtin.file:
     path: ~/certbot
     state: directory
@@ -41,9 +41,9 @@
     dest: "~/gitlab/renew-cert.sh"
     mode: '0755'
 
-- name: Schedula lo script di rinnovo del certificato
+- name: Schedule certificate renew script
   ansible.builtin.cron:
-    name: "Rinnovo certificato {{ gitlab.domain }}"
+    name: "Renew cert {{ gitlab.domain }}"
     minute: "0"
     hour: "*/12"
     job: "/home/{{ ansible_user }}/gitlab/renew-cert.sh"

ansible/roles/gitlab/tasks/certbot.yaml

@@ -1,5 +1,6 @@
 - name: Install docker
   ansible.builtin.include_tasks: "{{ tasks_dir }}/docker/install.yaml"
+  
 - name: Setup GitLab
   ansible.builtin.include_tasks: setup_gitlab.yaml
 

ansible/roles/gitlab/tasks/main.yaml

@@ -1,4 +1,4 @@
-- name: Creare cartella nginx
+- name: Create nginx folder
   ansible.builtin.file:
     path: ~/nginx
     state: directory

ansible/roles/gitlab/tasks/nginx.yaml

@@ -1,81 +1,81 @@
-- name: Creare cartella data
+- name: Create data folder
   ansible.builtin.file:
     path: ~/gitlab/data
     state: directory
     mode: '0755'
     recurse: true
 
-- name: Creare cartella config
+- name: Create config folder
   ansible.builtin.file:
     path: ~/gitlab/config
     state: directory
     mode: '0755'
     recurse: true
 
-- name: Creare cartella logs
+- name: Create logs folder
   ansible.builtin.file:
     path: ~/gitlab/logs
     state: directory
     mode: '0755'
     recurse: true
 
-- name: Creare cartella runnerconfig
+- name: Create runnerconfig folder
   ansible.builtin.file:
     path: ~/runner
     state: directory
     mode: '0755'
 
-- name: Copia entrypoint con permessi eseguibili
+- name: Copy entrypoint.sh
   ansible.builtin.copy:
     src: "{{ gitlab_files_path }}/entrypoint.sh"
     dest: ~/gitlab/entrypoint.sh
     mode: '0755'
 
-- name: Valorizza variabili
+- name: Set variables
   ansible.builtin.set_fact:
     remote_path: ~/docker-compose.yml
     local_path: "{{ gitlab_files_path }}/docker-compose.yml"
     project_path: .
 
-- name: Includi update docker docker-compose
+- name: Include update docker-compose
   ansible.builtin.include_tasks: "{{ tasks_dir }}/docker/update-compose.yaml"
   vars:
     update_compose_remote_path: "{{ remote_path }}"
     update_compose_local_path: "{{ local_path }}"
     update_compose_project_path: "{{ project_path }}"
 
-- name: Leggi il gitlab.rb remoto
+- name: Get remote gitlab.rb
   ansible.builtin.stat:
     path: ~/gitlab/config/gitlab.rb
   register: remote_gitlab_rb
 
-- name: Leggi il contenuto del file remoto
+- name: Read remote file content
   ansible.builtin.slurp:
     src: ~/gitlab/config/gitlab.rb
   register: remote_gitlab_rb_content
   when: remote_gitlab_rb.stat.exists
 
-- name: Rendi template come stringa
+- name: Render templates as string
   ansible.builtin.set_fact:
     gitlab_rb_template_rendered: "{{ lookup('template', gitlab_templates_path + 'gitlab.rb.j2') }}"
 
-- name: Confronta contenuti testuali
+- name: Check text differences
   ansible.builtin.set_fact:
     gitlab_rb_different: >
       {{ (remote_gitlab_rb_content.content | b64decode).strip() != gitlab_rb_template_rendered.strip() }}
 
-- name: Sono diversi?
+- name: Are they different?
   ansible.builtin.debug:
     msg: "{{ gitlab_rb_different }}"
 
-- name: Esegui azioni Docker se il file è stato copiato o è diverso
+- name: Actions to do if files are different
   when: gitlab_rb_different
   block:
-    - name: Copia gitlab.rb
+    - name: Copy gitlab.rb
       ansible.builtin.template:
         src: gitlab.rb.j2
         dest: ~/gitlab/config/gitlab.rb
         mode: '0644'
 
-    - name: Esegui il reconfigure di GitLab
+    - name: Reconfigure GitLab
       ansible.builtin.command: docker exec -t gitlab gitlab-ctl reconfigure

ansible/roles/gitlab/tasks/setup_gitlab.yaml

@@ -7,11 +7,9 @@ external_url 'https://{{ gitlab.domain }}'
 
 registry_external_url 'https://registry.{{ gitlab.domain }}'
 
-# Disabilita nginx interno del registry se usi nginx esterno (es: con docker)
 registry['enable'] = true
 registry['registry_http_addr'] = "0.0.0.0:5000"
 
-# Usa il certificato Let's Encrypt già usato da nginx
 registry_nginx['enable'] = false
 
 nginx['worker_processes'] = 2

ansible/roles/gitlab/templates/gitlab.rb.j2

@@ -1,60 +1,61 @@
 #!/bin/bash
 set -euo pipefail
 
-# CONFIGURAZIONE
+# CONFIGURATIONS
 POLICY_NAME="ansible-policy"
 ROLE_NAME="ansible-role"
-SECRET_PATH="ansible"  # sarà montato come kv-v2
+SECRET_PATH="ansible"
 VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
 VAULT_TOKEN="${VAULT_TOKEN:?VAULT_TOKEN mancante}"
 
+# Install dependencies
 apk add jq
 
-echo "🟡 Inizializzazione Vault..."
+echo "[+] Init Vault..."
 
-# Check se il secret engine è già abilitato
+# Check if secret engine is already enabled
 if vault secrets list -format=json | jq -e ".[\"$SECRET_PATH/\"]"; then
-  echo "✅ Secret engine '$SECRET_PATH/' già abilitato."
+  echo "[+] Secret engine '$SECRET_PATH/' already enabled."
 else
-  echo "➕ Abilitazione secret engine '$SECRET_PATH/' (kv-v2)..."
+  echo "[+] Enabling secret engine '$SECRET_PATH/' (kv-v2)..."
   vault secrets enable -path="$SECRET_PATH" -version=2 kv
 fi
 
-# Check se l'auth method approle è già abilitato
+# Check if Approle auth method is already enabled
 if vault auth list -format=json | jq -e '."approle/"'; then
-  echo "✅ Auth method AppRole già abilitato."
+  echo "[+] Auth method AppRole already enabled."
 else
-  echo "➕ Abilitazione auth method AppRole..."
+  echo "[+] Enabling auth method AppRole..."
   vault auth enable approle
 fi
 
-# Crea o aggiorna la policy
-echo "📜 Scrittura policy '$POLICY_NAME'..."
+# Create or update policy
+echo "[+] Writing policy '$POLICY_NAME'..."
 cat <<EOF | vault policy write "$POLICY_NAME" -
 path "$SECRET_PATH/data/*" {
   capabilities = ["create", "read", "update", "delete", "list"]
 }
 EOF
 
-# Check se il ruolo esiste già
+# Check if role is already created
 if vault read -format=json "auth/approle/role/$ROLE_NAME" > /dev/null 2>&1; then
-  echo "✅ Ruolo AppRole '$ROLE_NAME' già esistente."
+  echo "[+] Role AppRole '$ROLE_NAME' already existing."
 else
-  echo "➕ Creazione ruolo AppRole '$ROLE_NAME'..."
+  echo "[+] Creating role AppRole '$ROLE_NAME'..."
   vault write "auth/approle/role/$ROLE_NAME" \
     token_policies="$POLICY_NAME" \
     token_ttl="3600" \
     token_max_ttl="7200"
 fi
 
-# Recupera role_id (fisso per il ruolo)
+# Get role_id (fixed for the role)
 ROLE_ID=$(vault read -field=role_id "auth/approle/role/$ROLE_NAME/role-id")
 
-# Crea un nuovo secret_id (questo è sempre one-time-use)
+# Create new secret_id (this is always one-time-use)
 SECRET_ID=$(vault write -f -field=secret_id "auth/approle/role/$ROLE_NAME/secret-id")
 
 # Output
 echo ""
-echo "✅ AppRole configurato con successo:"
+echo "[+] AppRole successfully configured:"
 echo "export VAULT_ROLE_ID=\"$ROLE_ID\""
 echo "export VAULT_SECRET_ID=\"$SECRET_ID\""

ansible/roles/vault/files/init-vault.sh

@@ -1,13 +1,14 @@
 {
     "ui": true,
     "disable_mlock": true,
-    "api_addr":"https://127.0.0.1:8200",
+    "api_addr":"http://127.0.0.1:8200",
 
     "storage": {
       "file": {
         "path": "/vault/file"
       }
     },
+    
     "listener": {
       "tcp": {
         "address": "0.0.0.0:8200",