Note
The "hybrid-cloud" aspect of this playbook has been deprecated and moved to the cloud branch.
This Ansible playbook provisions a group of bare-metal Debian Stable servers and deploys a container orchestration cluster on them. The infrastructure it assumes is:
| NODE | ROLE | DATACENTER |
|---|---|---|
| apex | Manager / Worker | 1 |
| ambi | Manager / Worker | 1 |
| horreum | Manager / Worker | 1 |
- Orchestration: The cluster is orchestrated by Nomad (default) or Docker Swarm mode
- Encryption: Cluster nodes communicate exclusively over a private Wireguard mesh network
- Security: CrowdSec (default) or Fail2ban; reasonably hardened `ssh` config; unattended upgrades
- Need-to-know: Service ports (`HTTPS`, `IMAP`, `DoT`, etc.) are open on ingress nodes only; all requests get reverse-proxied to services over the encrypted mesh network
- Distributed storage: JuiceFS (default – bring your own backend), GlusterFS or Syncthing
- Cloud storage: Rclone with systemd-managed FUSE mounts (default) or as a Docker volume plugin for using almost any cloud storage as a backend for services
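The need-to-know rule above (service ports open on ingress nodes only, everything else reachable just across the mesh) is easy to break silently, because most daemons default to binding `0.0.0.0`. The script below is an added example and not part of this playbook: it audits a node's listening sockets (the output of `ss -Hlntu`) and flags anything bound to a non-mesh, non-loopback address that is not on the role's public allow-list. The mesh prefix `10.10.0.`, the role names `ingress` and `worker`, the allowed port sets (`22`, `443`, `993`, `853`, `51820` for ingress; `22` and `51820` elsewhere) and the sample `ss` output are all constructed assumptions; the sample deliberately includes a Nomad serf/gossip port (`4648` by default) bound to all interfaces.

```sh
#!/bin/sh
# Added example (not part of the playbook): audit that a node only exposes the
# service ports its role permits; everything else must bind to the mesh or loopback.
# Assumptions (hypothetical, adjust to your inventory): the Wireguard mesh uses
# 10.10.0.0/24, ingress nodes may expose 22, 443, 993, 853 and the Wireguard
# port 51820, all other nodes only 22 and 51820.

MESH_PREFIX="10.10.0."

# Constructed sample of `ss -Hlntu` output (Netid State Recv-Q Send-Q Local Peer).
# The tcp 0.0.0.0:4648 line mimics Nomad's serf/gossip port left bound to all
# interfaces instead of the mesh address.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 [::]:22          [::]:*
tcp   LISTEN 0 511 0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0 128 10.10.0.1:4646   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:4648     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:9090   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:51820    0.0.0.0:*
udp   UNCONN 0 0   10.10.0.1:4648   0.0.0.0:*'

# audit_listeners ROLE [SS_OUTPUT]
# Prints "<netid> <local address>" for each offending socket and returns
# non-zero if there is at least one. Without SS_OUTPUT it inspects the live host.
audit_listeners() {
  role=$1
  input=${2:-$(ss -Hlntu)}
  case $role in
    ingress) allowed='22 443 993 853 51820' ;;
    *)       allowed='22 51820' ;;
  esac
  printf '%s\n' "$input" | awk -v allowed="$allowed" -v mesh="$MESH_PREFIX" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      host = $5; sub(/:[0-9]+$/, "", host)   # strip the port; keeps [::] intact
      port = $5; sub(/.*:/, "", port)        # everything after the last colon
      if (index(host, mesh) == 1) next                  # bound to the mesh address
      if (host == "127.0.0.1" || host == "[::1]") next  # loopback only
      if (port in ok) next                              # public port allowed for this role
      print $1, $5; bad++
    }
    END { exit (bad > 0) }'
}

# count_violations ROLE SS_OUTPUT: number of offending sockets, for scripting.
count_violations() {
  audit_listeners "$1" "$2" | awk 'END { print NR }'
}

# Demonstration against the constructed sample; on a real node run
# `audit_listeners ingress` as root so that ss can see every socket.
audit_listeners ingress "$SAMPLE_SS" || echo "ingress node exposes ports it should not"
```

Run it from an Ansible `command` task with `failed_when` on its exit status, or from cron on each node, and the check catches a service that was redeployed with its bind address reset to `0.0.0.0` before the reverse proxy is the only way in.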
Caution
This is a personalized setup, not a cookie-cutter playbook, so any use outside of the intended environment requires the appropriate adjustments to roles and variables.
```sh
# Create an isolated Python environment and install Ansible plus its Python dependencies
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Install the Ansible collections the roles depend on
venv/bin/ansible-galaxy collection install -r requirements.yml
# Provision the nodes and deploy the cluster
ansible-playbook -i inventory.yml main.yml
# Run the upgrade playbook against an existing deployment
ansible-playbook -i inventory.yml upgrade.yml
```