No description

Dockerfile 61.3%
Shell 24%
Jinja 14.7%

Find a file

ThomasTSteinbach ea9b0b919e feat(k3s): switch flannel backend from wireguard-native to host-gw On a single-node cluster, wireguard-native provides no encryption benefit (no node-to-node traffic to encrypt) but reduces pod MTU from 1500 to 1420, causing cascading MTU issues in DinD, wg-easy, and any nested tunnel. host-gw uses direct routing with no encapsulation, giving pods full 1500 MTU.		2026-05-18 22:16:08 +02:00
.vscode	cdk8s update	2021-12-08 18:22:49 +01:00
docker-ansible	fix(docker-ansible): fix playbook execution on Apple Silicon	2026-04-09 23:49:53 +02:00
group_vars	switched to github.com/k3s-io/k3s-ansible	2025-03-23 00:49:29 +01:00
roles	feat(coredns): add split-horizon DNS rewrite for *.xarif.de	2026-05-17 09:11:47 +02:00
.gitignore	fixed use of value.yaml	2021-01-13 20:04:34 +01:00
.sops.yaml	fixed sops	2024-05-01 07:58:16 +02:00
.yamllint	initial commit	2020-08-19 01:09:56 +02:00
ansible.cfg	fixes	2021-06-23 00:48:48 +02:00
create_server.yml	switched to github.com/k3s-io/k3s-ansible	2025-03-23 00:49:29 +01:00
INFRASTRUCTURE.md	chore: update renovate preset path after org move	2026-05-07 15:03:31 +02:00
README.md	docs: update gitlab.com path (xarif/base/ → xarif/) after restructuring	2026-05-06 22:48:58 +02:00
renovate.json	chore: update renovate preset path after org move	2026-05-07 15:03:31 +02:00
run-playbook.sh	fix(docker-ansible): fix playbook execution on Apple Silicon	2026-04-09 23:49:53 +02:00
site.yml	feat(k3s): switch flannel backend from wireguard-native to host-gw	2026-05-18 22:16:08 +02:00

README.md

Hetzner K3s Cluster

This repository contains the full Kubernetes infrastructure deployment on the Hetzner Cloud.

First Time Setup

install hcloud, the Hetzner cloud CLI
Restore the xarif.de AGE Key from Keepass to "$HOME/.sops/key.txt" if not already present
Create a Hetzner Cloud Project project on https://console.hetzner.cloud/projects
Store the Hetzner Cloud Projects API Token with Mozilla SOPS under group_vars/all.sops.yml

Execution

./run-playbook.sh

This runs the Ansible Playbook in this repo, doing the whole infrastructure deployment.
If not already setup, the playbook may ask you to provide access to your Hetzner Storage Box by adding two SSH Public Keys to the storage boxes ~/.ssh/authorized_keys file.
You can do that by
sftp <username>@<username>.your-storagebox.de to your storage box
cd .ssh to the ssh directory of your storage box
get authorized_keys to download the authorized_keys file
edit the file and add the keys mentioned by the playbook
put authorized_keys to upload the file back to the storage box
finally remove the downloaded file

Complete Server restore

Deploy Argo CD: https://gitlab.com/xarif/kubernetes/argocd
Deploy Applications: https://gitlab.com/xarif/kubernetes/argocd-apps
Restore Application Data: https://gitlab.com/xarif/kubernetes/k8up

Troubleshooting

The DNS record of the domain provider must point to a worker node ip, not to the master
Lets Encrypt Certificates takes some time after server restart to be received. First attempt to open a service in the browser could lead to self signed certificates from traefik.

Under the hood

The run-playbook.sh first builds a Docker image from docker-ansible, which contains all requirements to run the Playbook.
It then runs the playbook in a container of this image, passing the local Kubernetes Config, SSH Config and SOPS config into the container.
The SOPS config is required to decrypt group_vars/all.sops.yaml during the Playbook run, which is done automatically by the installed community.sops collection.
The hcloud tasks in the Playbook don't require the installation of an additional collection. The hcloud collection is per default part of Ansible.

TODO

mirror external resources
- hetzner dns collection
- k3s ansible role