Configuration as code for my lab environment which spans Azure & on-premise devices.
- Azure subscription and access to Azure Key Vault
- Proxmox nodes (on-prem)
- Raspberry Pi devices (for HA and Twingate connectors)
- Task installed for running automation tasks - not required but helpful.
- Ansible and the required collections/roles (see `ansible/requirements.yaml`)
- Terraform and access to remote state
Secrets must be created in Azure Key Vault (`bancey-vault`). Example command:

```sh
az keyvault secret set --vault-name bancey-vault --name <secret-name> --value <secret-value>
```

For real secrets prefer `--file <path>` over `--value` so the value does not end up in your shell history or in process listings.
- Proxmox URLs/Usernames/Passwords: `Wanda-Proxmox-URL`, `Wanda-Proxmox-Username`, `Wanda-Proxmox-Password`, etc.
- VM Credentials: `Lab-VM-Username`, `Lab-VM-Password`
- Cloudflare: `Cloudflare-Lab-API-Token`, `Cloudflare-Main-API-Token`, `Cloudflare-Lab-Zone-ID`, `Cloudflare-Main-Zone-ID`, `Cloudflare-Lab-Zone-Name`, `Cloudflare-Main-Zone-Name`
- Twingate: `Twingate-URL`, `Twingate-API-Token`, `Twingate-<connector>-Access-Token`, `Twingate-<connector>-Refresh-Token`, `Twingate-<service-account>-SA-Key`
- AdGuard: `Adguard-Thanos-Host`, `Adguard-Thanos-Username`, `Adguard-Thanos-Password`, `Adguard-Gamora-Host`, `Adguard-Gamora-Username`, `Adguard-Gamora-Password`
- GitHub Bot: `GitHub-Bot-ID`, `GitHub-Bot-Installation-ID`, `GitHub-Bot-Private-Key`
- SOPS/Flux: `Flux-Age-Key`
- Other: `Home-Public-IP`, `keepalived-pass`, `BunkerWeb-DB-Password`, `BunkerWeb-TOTP-Secrets`, `BunkerWeb-MGMT-Admin-Username`, `BunkerWeb-MGMT-Admin-Password`
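Because the pipeline and any local Terraform/Ansible run fail part-way through when a secret is absent, it is worth checking the vault up front. The following pre-flight script is an added example, not code from this repo: it checks that every fully named secret in the list above can be read from the vault and reports the ones that cannot. It assumes an existing `az login` session with at least `get` permission on secrets in `bancey-vault`; the `VAULT` variable, the `--run` flag and the function names are this example's own. Names the list gives with a `<placeholder>` depend on your connector and service-account names, so they are passed as extra arguments rather than hard-coded.

```shell
#!/bin/sh
# check-secrets.sh: pre-flight check for the Key Vault secrets this repo expects.
# Added example, not part of the repo. It only reads secret metadata through
# `az keyvault secret show`, so it needs "get" permission on secrets but never
# prints a secret value. Run `az login` first.
set -eu

VAULT="${VAULT:-bancey-vault}"   # assumption: the vault named in the README

# Fully named secrets from the README. The README's placeholder names
# (Twingate-<connector>-Access-Token, Twingate-<connector>-Refresh-Token,
# Twingate-<service-account>-SA-Key) vary per deployment: pass them as arguments.
REQUIRED_SECRETS="
Wanda-Proxmox-URL Wanda-Proxmox-Username Wanda-Proxmox-Password
Lab-VM-Username Lab-VM-Password
Cloudflare-Lab-API-Token Cloudflare-Main-API-Token
Cloudflare-Lab-Zone-ID Cloudflare-Main-Zone-ID
Cloudflare-Lab-Zone-Name Cloudflare-Main-Zone-Name
Twingate-URL Twingate-API-Token
Adguard-Thanos-Host Adguard-Thanos-Username Adguard-Thanos-Password
Adguard-Gamora-Host Adguard-Gamora-Username Adguard-Gamora-Password
GitHub-Bot-ID GitHub-Bot-Installation-ID GitHub-Bot-Private-Key
Flux-Age-Key
Home-Public-IP keepalived-pass
BunkerWeb-DB-Password BunkerWeb-TOTP-Secrets
BunkerWeb-MGMT-Admin-Username BunkerWeb-MGMT-Admin-Password
"

# secret_exists VAULT NAME: exit 0 if the secret can be read, non-zero otherwise.
# `az keyvault secret show` fails for a missing secret and for a denied request,
# so this also catches an identity without access. Output is discarded so the
# value never reaches the console or a CI log.
secret_exists() {
  az keyvault secret show --vault-name "$1" --name "$2" --query id -o tsv >/dev/null 2>&1
}

# missing_secrets VAULT NAME...: prints each missing name on its own line and
# returns the number of missing secrets (0 means everything is present).
missing_secrets() {
  vault="$1"
  shift
  missing=0
  for name in "$@"; do
    if ! secret_exists "$vault" "$name"; then
      printf '%s\n' "$name"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# check_all [EXTRA-NAME...]: checks REQUIRED_SECRETS plus any names given.
check_all() {
  # REQUIRED_SECRETS is intentionally word-split here.
  if absent=$(missing_secrets "$VAULT" $REQUIRED_SECRETS "$@"); then
    echo "All expected secrets are present in $VAULT."
  else
    echo "Missing from $VAULT (create them with 'az keyvault secret set' first):" >&2
    printf '  %s\n' $absent >&2
    return 1
  fi
}

# Entry point: `sh check-secrets.sh --run [extra-names...]` performs the check
# and exits non-zero when anything is missing, so it can gate a pipeline stage
# or a Task target. Without --run the file only defines the functions above.
case "${1:-}" in
  --run) shift; check_all "$@" ;;
  *) ;;
esac
```

Typical use before a local run: `sh check-secrets.sh --run Twingate-wanda-Access-Token Twingate-wanda-Refresh-Token` (connector names here are placeholders). A denied read is reported the same way as a missing secret on purpose: either one will break the pipeline, and the script should fail closed rather than guess which it was.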
Deployment is automated via Azure DevOps pipelines (`infra-pipeline.yaml`). The pipeline will:
- Deploy Terraform components (Twingate, DNS, VPN Gateway, Game Server, Virtual Machines, etc.)
- Run Ansible playbooks (e.g., `ansible/rpi-ha.yaml` for Raspberry Pi HA setup, including Twingate connectors)
- Generate and apply Kubernetes manifests via Flux
If you use the Terraform in this repo to deploy the Proxmox VMs for the control and worker nodes, it includes Ansible automation that provisions the nodes and bootstraps the cluster with some basic configuration as well as Flux.

Alternatively, you can bootstrap a cluster manually using the Taskfile. Replace `<cluster-name>` with the name of your cluster; its configuration must already exist in the `kubernetes/flux/clusters` directory.

```sh
task bootstrap -- <cluster-name>
```

This installs Flux and applies the necessary secrets and sources for GitOps.
- `ansible/` - Ansible playbooks and roles for configuring VMs, containers, and Raspberry Pis (including Twingate connector setup)
- `kubernetes/` - GitOps-managed Kubernetes manifests, including app dependencies, apps, and infrastructure
- `terraform/` - Infrastructure as code for Azure, Proxmox, Twingate, DNS, etc.
  - `components/` - Reusable Terraform modules for each major infra component
  - `environments/` - Environment-specific variables and configuration (e.g., `prod`, `test`)
  - `modules/` - Custom Terraform modules (e.g., Proxmox VM/CT, AdGuard)
- `Taskfile.yaml` - Task automation for common workflows (e.g., bootstrapping Flux)
- `infra-pipeline.yaml` - Azure DevOps pipeline definition for full infra automation
- Twingate connector deployment is now handled by the `ansible/rpi-ha.yaml` playbook. Manual Docker commands are no longer required.
- All secrets must be present in Key Vault before running the pipeline or Terraform/Ansible locally.