Change general network stuff (VLANs, changing CIDRs) using the templates. Change `host_net`, `host_num` and/or `ansible_host` in `hosts`.

When changes are made, `generate_inventory.yml` MUST be run. If both were changed, it must be run TWICE.
Generate keys on the command line with `wg genkey | tee /dev/stderr | wg pubkey`; the private key is the first string printed. Store the private key with gopass, i.e.

```sh
gopass edit -c network/<inventory_hostname>_wg_pk
```

If using preshared keys, generate one with `wg genpsk` and store it the same way:

```sh
wg genpsk
gopass edit -c network/<inventory_hostname>_wg_psk
```
```sh
mkdir -p ~/.ansible/plugins/connection
# use fork until PR is merged
# wget -O ~/.ansible/plugins/connection/
wget -O ~/.ansible/plugins/connection/
wget -O library/
```
```sh
sudo pacman -S python-botocore python-boto3
```

On MacOS, install `libssh` with Homebrew, then:

```sh
CFLAGS="-I $(brew --prefix)/include -I ext -L $(brew --prefix)/lib -lssh" pip install ansible-pylibssh
```

See the Ansible guide for more details.

Requires `requests` and `google-auth` to be installed for the Python interpreter. Create a service account with the DNS Administrator role.
```sh
# If playbook needs vault, ask
ansible-playbook <playbook> --ask-vault-pass
# from file
ansible-playbook <playbook> --vault-password-file .vault_key
# Run only on server host (if hosts is all in playbook)
ansible-playbook -l server playbook.yml
# Run only one tag in playbook
ansible-playbook playbook.yml --tags grafana
# Run in vscode docker
ansible-playbook -i hosts_local server.yml --tags nginx
# Run with sudo remote user
ansible-playbook -i hosts -K -e 'ansible_user=andrei' playbooks/laptop.yml --diff --check --tags laptop
```
```yaml
# Export the RouterOS filter rules and dump them as YAML on the controller.
- name: Get FW rules
  community.routeros.api_info:
    path: ip firewall filter
    handle_disabled: omit
  register: __fw

- name: Write to file
  delegate_to: localhost
  ansible.builtin.copy:
    content: "{{ __fw.result | to_nice_yaml(indent=2) }}"
    dest: "/tmp/{{ inventory_hostname }}.yml"
```
Clean the export up so only meaningful fields remain (drop `.id` handles, default `false` flags and empty log prefixes; blank line between rules):

```sh
yq -iy 'map(del(.".id"))' /tmp/rb5009.yml
sed -i -E "/^ (log|disabled): false.*/d;/^ log-prefix: ''/d;/^-.*/i\\ " /tmp/rb5009.yml
sed -i 's/^ $//g' /tmp/rb5009.yml
```
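The same clean-up done on the `result` list itself, as an added example (not the repository's own code), plus an order-sensitive comparison of a committed export against a fresh one so that rule drift on the router shows up as a diff. The sample rules are constructed to resemble `api_info` output; field names beyond those on this page are assumptions.

```python
"""Normalise a RouterOS `ip firewall filter` export and compare two exports.

Mirrors the yq/sed clean-up: `.id` handles and default-valued
`disabled`/`log`/`log-prefix` keys are dropped so the file only changes
when a rule actually changes. Comparison is positional on purpose:
RouterOS evaluates filter rules top to bottom, so a moved rule matters.
"""

# Values RouterOS reports for an unconfigured flag; the export drops these.
DEFAULTS = {"disabled": False, "log": False, "log-prefix": ""}


def normalise(rules):
    """Return a copy of `rules` without `.id` and without default-valued keys."""
    cleaned = []
    for rule in rules:
        kept = {
            key: value
            for key, value in rule.items()
            if key != ".id" and DEFAULTS.get(key, object()) != value
        }
        cleaned.append(kept)
    return cleaned


def diff_rulesets(committed, live):
    """Positional diff of two normalised rulesets.

    Returns (position, committed_rule, live_rule) for every slot that
    differs; None marks a slot present on one side only. A rule inserted
    above others therefore also reports the shifted rules below it.
    """
    changes = []
    for pos in range(max(len(committed), len(live))):
        old = committed[pos] if pos < len(committed) else None
        new = live[pos] if pos < len(live) else None
        if old != new:
            changes.append((pos, old, new))
    return changes


# Constructed sample: what api_info returns for two filter rules.
SAMPLE_LIVE = [
    {".id": "*1", "chain": "input", "action": "accept",
     "connection-state": "established,related",
     "disabled": False, "log": False, "log-prefix": ""},
    {".id": "*2", "chain": "input", "action": "drop", "in-interface-list": "WAN",
     "disabled": False, "log": True, "log-prefix": "wan-drop"},
]
```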
```sh
kubectl delete ns inteldeviceplugins-system
kubectl delete ns node-feature-discovery
kubectl apply -k ''
kubectl -n node-feature-discovery wait job.batch/nfd-master --for=condition=complete
kubectl delete -k ''
kubectl delete intel-dp-devices
kubectl delete intel-gpu-platform-labeling
kubectl delete crd
kubectl delete crd
```
Set up the config:

```sh
./playbooks/talos.yml -t config,host -e force=true
cd /tmp/talos-config
export TALOSCONFIG=$(realpath ./talosconfig)
```
Generate a new SSH key, saving the passphrase in pass at `k8s/flux-gitlab-ssh`:

```sh
gopass edit -c k8s/flux-gitlab-ssh
ssh-keygen -C "flux@talos" -N "$(gopass show -o k8s/flux-gitlab-ssh)" -t ed25519 -f /tmp/flux-ssh
```

Decrypt `flux-gitlab-secret_vault.yml` and add the contents of `/tmp/flux-ssh` in the `identity`. Add the contents of `/tmp/` to GitLab in Settings/Repository/Deploy Keys (`/flux/talos/-/settings/repository`), and ensure write access is enabled.

Remove the key from disk:

```sh
rm -fv /tmp/flux-ssh /tmp/
```