# 🧠 DevOps Infra Stack --- Proxmox + Ceph + Kubernetes + DNS

Fully automated self-hosted infrastructure.

![Project Logo](documentation/images/arch-diagram.jpg)

The project deploys:

- Proxmox infrastructure
- Golden VM templates via Packer
- VM provisioning via Terraform
- Hardened nodes (SSH, nftables, fail2ban)
- DNS (PowerDNS)
- NTP (chrony hierarchy)
- Ceph cluster
- Kubernetes cluster
- K8s apps (MetalLB, ingress, postgres operator, valkey)

Everything is deployed via Makefile + Ansible + Terraform + Packer.

------------------------------------------------------------------------

# 🏗 Architecture

Infrastructure components:

- Proxmox host (bare metal)
- LXC packer builder
- Golden VM templates
- VM nodes:
  - DNS
  - NTP
  - Ceph (3 nodes)
  - Kubernetes master
  - Kubernetes worker
- K8s stack:
  - MetalLB
  - nginx ingress
  - Crunchy Postgres Operator
  - Valkey (Redis alternative)

------------------------------------------------------------------------

# 📦 Technology Stack

- Proxmox VE
- Terraform
- Ansible
- Packer
- Docker + Docker Compose (for DNS)
- Ceph
- Kubernetes
- Helm
- PowerDNS
- Chrony
- nftables + fail2ban hardening

------------------------------------------------------------------------

# 🚀 Full Infrastructure Bootstrap

Main entrypoint:

```bash
make -f bootstrap.mk
```

It will execute:

1. VM creation
2. Hardening
3. DNS setup
4. NTP setup
5. Ceph cluster

------------------------------------------------------------------------

# 🧱 Deployment Stages

## 0. Create LXC + Packer

```bash
make -f 00_create_and_setup_lxc_container_with_packer.mk
```

- Download LXC template
- Create LXC via Terraform
- Install packer inside LXC

------------------------------------------------------------------------

## 1. Golden VM template

```bash
make -f 01_create_vm_golden_template.mk
```

- Download ISO
- Upload packer config
- Build golden image
- Shut down packer LXC

------------------------------------------------------------------------

## 2. Create VMs

```bash
make -f 02_create_vms.mk
```

- Enable cloud-init snippets
- Terraform creates VMs

------------------------------------------------------------------------

## 3. Harden nodes

```bash
make -f 03_harden_vms.mk
```

- Remove packer user
- SSH hardening
- nftables
- fail2ban

------------------------------------------------------------------------

## 4. DNS

```bash
make -f 04_setup_dns.mk
```

- PowerDNS install
- Zones + records via Terraform
- systemd-resolved config

------------------------------------------------------------------------

## 5. NTP

```bash
make -f 05_setup_ntp.mk
```

Hierarchy:

- edge NTP server (proxmox)
- core NTP server
- clients use the core NTP server

------------------------------------------------------------------------

## 6. Ceph

```bash
make -f 06_setup_ceph.mk
```

- install
- bootstrap
- share keys
- cluster init

------------------------------------------------------------------------

## 7. Kubernetes

```bash
make -f 07_setup_k8s.mk
```

After installation, open an SSH session to the master node (the hardened SSH port is 10525):

```bash
ssh user@k8smasternode -p 10525
```

Then replace the cluster endpoint in your kubeconfig with the localhost tunnel.
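The endpoint swap described above, as an added example that is not part of the project's own makefiles: it forwards the API port through the hardened SSH port and rewrites the kubeconfig `server:` entry to the tunnel, pinning `tls-server-name` to the original hostname so `insecure-skip-tls-verify` is never needed. It assumes kube-apiserver listens on 6443 (the Kubernetes default) and that the API certificate covers the hostname already in the kubeconfig; the host name and paths are placeholders.

```sh
#!/bin/sh
# Added example, not part of the project: re-point a kubeconfig at a local
# SSH tunnel to the Kubernetes API instead of the master's real address.
# Assumptions: kube-apiserver listens on 6443 (the Kubernetes default);
# hostnames and file paths below are placeholders.
set -eu

API_PORT=6443    # assumed default kube-apiserver port
SSH_PORT=10525   # hardened SSH port used in this README

# Rewrite "server: https://<host>:<port>" in a kubeconfig to the tunnel
# endpoint and pin TLS verification to the original hostname via
# tls-server-name, so insecure-skip-tls-verify is not needed. Keeps a .bak.
retarget_kubeconfig() {
    cfg="$1"; local_port="${2:-$API_PORT}"
    cp "$cfg" "$cfg.bak"
    awk -v port="$local_port" '
        /^[[:space:]]*tls-server-name:/ { next }        # drop stale pins
        /^[[:space:]]*server:[[:space:]]*https:\/\// {
            indent = $0; sub(/server:.*/, "", indent)
            host = $0; sub(/^[[:space:]]*server:[[:space:]]*https:\/\//, "", host)
            sub(/:[0-9]+.*$/, "", host); sub(/\/.*$/, "", host)
            print indent "server: https://127.0.0.1:" port
            print indent "tls-server-name: " host
            next
        }
        { print }
    ' "$cfg.bak" > "$cfg"
}

# List the API endpoints a kubeconfig currently points at.
kubeconfig_servers() {
    sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$1"
}

# Forward local API_PORT to the master's API_PORT over the hardened SSH port.
open_tunnel() {
    ssh -p "$SSH_PORT" -N -L "${API_PORT}:127.0.0.1:${API_PORT}" "$1"
}

# Demo on a constructed kubeconfig:  sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' 'clusters:' '- cluster:' \
        '    server: https://k8smasternode.example.internal:6443' \
        '  name: lab' > "$tmp"
    retarget_kubeconfig "$tmp"
    kubeconfig_servers "$tmp"    # https://127.0.0.1:6443
    rm -f "$tmp" "$tmp.bak"
fi
```

Run `open_tunnel user@k8smasternode` in a second terminal (it stays in the foreground) before the `terraform apply` steps, and restore the `.bak` file when you want to talk to the real endpoint again.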
Then:

```bash
terraform apply -target=module.metallb_helm
terraform apply -target=module.crunchy_operator
terraform apply
```

Get credentials:

```bash
# postgres
kubectl -n postgres-operator get secret hippo-pguser-gitlab -o jsonpath='{.data.user}' | base64 -d; echo

# valkey
kubectl -n valkey get secret valkey-users -o jsonpath='{.data.default}' | base64 -d; echo
```

------------------------------------------------------------------------

# 📁 Project Structure

```
ansible/
terraform/
packer/
makefiles/
bootstrap.mk
```

------------------------------------------------------------------------

# 🔐 Requirements

Before running:

- SSH access to Proxmox
- Proxmox API token
- terraform.tfvars filled
- inventory.ini filled
- kubeconfig path specified

------------------------------------------------------------------------

# 🔭 Planned Services & Future Stack

The following services are planned for the next deployment stages:

- **NetBird** --- internal VPN mesh network (currently working on this stage)
- **Keycloak** --- unified authentication and identity provider across services
- **Monitoring stack (Grafana, Loki, Prometheus, Trickster)** --- monitoring and observability tools\
  *(previously deployed, but not yet integrated into this project)*
- **FreeIPA** --- centralized user and identity management inside operating systems
- **Vault** --- centralized storage for passwords, tokens, and operational credentials
- **OpenNebula** --- additional virtualization layer for providing user VM spaces\
  *(similar to AWS EC2 for internal infrastructure)*
- **Nextcloud + LibreOffice** --- Google Cloud alternative for collaborative document editing\
  *(Nextcloud deployed previously, but not yet within this project)*
- **Element + Matrix** --- Telegram-like communication platform\
  *(stack deployed previously, but not yet integrated into this project)*
- **LLM (local language model)** --- neural network for text processing\
  *(GPT‑2 already tested; LLaMA 7B planned as MVP depending on available resources)*\
  Future usage:
  - LibreOffice document assistant
  - Matrix/Element chatbot integration
- **Kafka** --- message queue layer between LibreOffice, Element, and LLM services\
  Ensures reliable request delivery and acts as a service integration layer
- **OCR tools** --- document recognition and conversion pipeline\
  Enables transforming documents into formats suitable for LLM processing and search

------------------------------------------------------------------------

# 🧠 Project Idea

Self-hosted cloud platform, own mini cloud. Fully autonomous infrastructure.

# 👤 Author

Aleksandr Hrankin