# datatroniq Challenge

## Description

This repository contains various Ansible roles to install a single-node k3s for WordPress with ingress-nginx, kube-prom-stack and cert-manager.
You can execute single steps by specifying tags.

## How to use

***Requirements***

- ansible and sed need to be installed locally
- root server access via key authentication

⚠️ The full-install.yaml playbook can only be run once, because the initial configuration requires root access, which is locked down after ssh_hardening!
→ Open an SSH session before executing it

***Steps***

- Clone this repository `git clone ssh://$REPO`
- Change to the cloned directory and create root.key with the root private key
  ```
  cd datatroniq-challenge
  cat <<EOF > root.key
  -----BEGIN OPENSSH PRIVATE KEY-----
  ...
  -----END OPENSSH PRIVATE KEY-----
  EOF
  ```
- Set your server IP in ansible/inventory/dev.yaml
  ```
  export IP=$SERVERIP
  sed -i "s/0.0.0.0/$IP/" ansible/inventory/dev.yaml
  ```
- Adjust your desired admin username in ansible/ansible.cfg and ansible/roles/user_add/vars/main.yml
  ```
  export USER=$USERNAME
  export NAME=$FULLNAME
  sed -i "s/admin_dev/$USER/" ansible/ansible.cfg
  sed -i "s/admin_dev/$USER/" ansible/roles/user_add/vars/main.yml
  sed -i "s/FULLNAME/$NAME/" ansible/roles/user_add/vars/main.yml
  ```
- Copy your personal public key to ansible/roles/user_add/files/key.pub
  ```
  cp ~/.ssh/id_rsa.pub ansible/roles/user_add/files/key.pub
  ```
- Run `cd ansible && ansible-playbook full-install.yaml`

..wait for a sec and grab a ☕

💥 Profit!
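
Because the playbook can only be run once, it helps to confirm beforehand that every placeholder from the steps above was replaced and that the key files are in order; the following pre-flight check is an added example, not part of this repository. The function name `preflight` is hypothetical, and it assumes root.key is the key file SSH will use, which OpenSSH rejects when group or others can access it.

```shell
#!/bin/sh
# Added example: pre-flight check before the one-shot full-install.yaml run.
# Placeholders (0.0.0.0, admin_dev, FULLNAME) and paths are those used in the steps above.
preflight() {
    repo=${1:-.}
    fails=0
    fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }

    # has_placeholder FILE STRING: true if STRING is still present as a whole word.
    # -w keeps a real address such as 10.0.0.0 from matching the 0.0.0.0 placeholder.
    has_placeholder() { grep -qwF -- "$2" "$1" 2>/dev/null; }

    inv="$repo/ansible/inventory/dev.yaml"
    cfg="$repo/ansible/ansible.cfg"
    vars="$repo/ansible/roles/user_add/vars/main.yml"
    pub="$repo/ansible/roles/user_add/files/key.pub"
    key="$repo/root.key"

    for f in "$inv" "$cfg" "$vars" "$pub" "$key"; do
        [ -f "$f" ] || fail "missing file: $f"
    done

    # A leftover placeholder means a sed step was skipped or did not match.
    has_placeholder "$inv" "0.0.0.0"    && fail "server IP not set in $inv"
    has_placeholder "$cfg" "admin_dev"  && fail "admin user not set in $cfg"
    has_placeholder "$vars" "admin_dev" && fail "admin user not set in $vars"
    has_placeholder "$vars" "FULLNAME"  && fail "full name not set in $vars"

    # The private key must not be accessible by group or others (mode bits 077).
    if [ -f "$key" ]; then
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
            fail "$key permissions too open"
        head -n 1 "$key" | grep -q 'PRIVATE KEY-----$' ||
            fail "$key does not start with a private key header"
    fi

    # key.pub is copied to the server: it must be a public key, never private material.
    if [ -f "$pub" ]; then
        grep -q 'PRIVATE KEY' "$pub" && fail "$pub contains a PRIVATE key"
        grep -Eq '^(ssh-|ecdsa-sha2-|sk-)' "$pub" || fail "$pub has no public key line"
    fi

    # Exit status 0 only if every check passed.
    [ "$fails" -eq 0 ]
}
```

Run `preflight .` from the repository root before starting the playbook; if it reports open permissions on root.key, `chmod 600 root.key` corrects them.
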

The following ingresses are created:

- [https://wordpress.moritz.agitronic.net](https://wordpress.moritz.agitronic.net)
- [https://grafana.moritz.agitronic.net](https://grafana.moritz.agitronic.net) (Credentials in roles/k8s-kube-prom-stack/files/values.yaml:grafana.admin(User|Password))
- [https://alertmanager.moritz.agitronic.net](https://alertmanager.moritz.agitronic.net) (secured with basic auth, same creds as for grafana)
- [https://prometheus.moritz.agitronic.net](https://prometheus.moritz.agitronic.net) (secured with basic auth, same creds as for grafana)

----

**ToDo**

- sealedSecrets via kube-seal
- cilium CNI
- Loki
- modSecurity configurations
- housekeeping

***(c)2025 Moritz Kleiber***

***Credits:***

**helm Charts**

- https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx
- https://artifacthub.io/packages/helm/cert-manager/cert-manager
- https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
- https://artifacthub.io/packages/helm/bitnami/wordpress