feat(k3s): Updated to v1.26 (#207)

* feat(k3s): Updated to v1.26.0+k3s2

* feat(k3s): Updated to v1.26.2+k3s1

* feat(k3s): Updated to v1.26.3+k3s1

* feat(k3s): Updated to v1.26.4+k3s1

* feat(k3s): Updated to v1.26.7+k3s1

* feat(k3s): Updated to v1.26.11+k3s2

* feat(k3s): Updated to v1.26.12+k3s1

.ansible-lint

@@ -13,5 +13,8 @@ exclude_paths:
   - 'molecule/**/prepare.yml'
   - 'molecule/**/reset.yml'
 
+  # The file was generated by galaxy ansible - don't mess with it.
+  - 'galaxy.yml'
+
 skip_list:
   - 'fqcn-builtins'

.github/workflows/cache.yml

@@ -0,0 +1,42 @@
+---
+name: "Cache"
+on:
+  workflow_call:
+jobs:
+  molecule:
+    name: cache
+    runs-on: self-hosted
+    env:
+      PYTHON_VERSION: "3.11"
+
+    steps:
+      - name: Check out the codebase
+        uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v3 2.5.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # 2.3.3
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip' # caching pip dependencies
+
+      - name: Cache Vagrant boxes
+        id: cache-vagrant
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
+        with:
+          lookup-only: true #if it exists, we don't need to restore and can skip the next step
+          path: |
+            ~/.vagrant.d/boxes
+          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
+          restore-keys: |
+            vagrant-boxes
+
+      - name: Download Vagrant boxes for all scenarios
+        # To save some cache space, all scenarios share the same cache key.
+        # On the other hand, this means that the cache contents should be
+        # the same across all scenarios. This step ensures that.
+        if: steps.cache-vagrant.outputs.cache-hit != 'true' # only run if false since this is just a cache step
+        run: |
+          ./.github/download-boxes.sh
+          vagrant box list

.github/workflows/ci.yml

@@ -8,8 +8,11 @@ on:
     paths-ignore:
       - '**/README.md'
 jobs:
+  pre:
+    uses: ./.github/workflows/cache.yml
   lint:
     uses: ./.github/workflows/lint.yml
+    needs: [pre]
   test:
     uses: ./.github/workflows/test.yml
-    needs: [lint]
+    needs: [pre, lint]

.github/workflows/lint.yml

@@ -5,9 +5,9 @@ on:
 jobs:
   pre-commit-ci:
     name: Pre-Commit
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     env:
-      PYTHON_VERSION: "3.10"
+      PYTHON_VERSION: "3.11"
 
     steps:
       - name: Check out the codebase
@@ -21,21 +21,11 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
 
-      - name: Cache pip
+      - name: Restore Ansible cache
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('./requirements.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
-
-      - name: Cache Ansible
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
         with:
           path: ~/.ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('collections/requirements.txt') }}
+          key: ansible-${{ hashFiles('collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
 
       - name: Install dependencies
         run: |
@@ -47,16 +37,12 @@ jobs:
           python3 -m pip install -r requirements.txt
           echo "::endgroup::"
 
-          echo "::group::Install Ansible role requirements from collections/requirements.yml"
-          ansible-galaxy install -r collections/requirements.yml
-          echo "::endgroup::"
-
       - name: Run pre-commit
         uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # 3.0.0
 
   ensure-pinned-actions:
     name: Ensure SHA Pinned Actions
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     steps:
       - name: Checkout code
         uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v3 2.5.0

.github/workflows/test.yml

@@ -5,7 +5,7 @@ on:
 jobs:
   molecule:
     name: Molecule
-    runs-on: macos-12
+    runs-on: self-hosted
     strategy:
       matrix:
         scenario:
@@ -14,7 +14,7 @@ jobs:
           - single_node
       fail-fast: false
     env:
-      PYTHON_VERSION: "3.10"
+      PYTHON_VERSION: "3.11"
 
     steps:
       - name: Check out the codebase
@@ -30,35 +30,19 @@ jobs:
           * fdad:bad:ba55::/64
           EOF
 
-      - name: Cache pip
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('./requirements.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
-
-      - name: Cache Vagrant boxes
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
-        with:
-          path: |
-            ~/.vagrant.d/boxes
-          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
-          restore-keys: |
-            vagrant-boxes
-
-      - name: Download Vagrant boxes for all scenarios
-        # To save some cache space, all scenarios share the same cache key.
-        # On the other hand, this means that the cache contents should be
-        # the same across all scenarios. This step ensures that.
-        run: ./.github/download-boxes.sh
-
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # 2.3.3
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
 
+      - name: Restore vagrant Boxes cache
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
+        with:
+          path: ~/.vagrant.d/boxes
+          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
+          fail-on-cache-miss: true
+
       - name: Install dependencies
         run: |
           echo "::group::Upgrade pip"
@@ -75,7 +59,7 @@ jobs:
         env:
           ANSIBLE_K3S_LOG_DIR: ${{ runner.temp }}/logs/k3s-ansible/${{ matrix.scenario }}
           ANSIBLE_SSH_RETRIES: 4
-          ANSIBLE_TIMEOUT: 60
+          ANSIBLE_TIMEOUT: 120
           PY_COLORS: 1
           ANSIBLE_FORCE_COLOR: 1
 

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: 3298ddab3c13dd77d6ce1fc0baf97691430d84b0  # v4.3.0
+    rev: f71fa2c1f9cf5cb705f73dffe4b21f7c61470ba9  # frozen: v4.4.0
     hooks:
       - id: requirements-txt-fixer
       - id: sort-simple-yaml
@@ -12,24 +12,24 @@ repos:
       - id: trailing-whitespace
         args: [--markdown-linebreak-ext=md]
   - repo: https://github.com/adrienverge/yamllint.git
-    rev: 9cce2940414e9560ae4c8518ddaee2ac1863a4d2  # v1.28.0
+    rev: b05e028c5881819161d11cb543fd96a30c06cceb  # frozen: v1.32.0
     hooks:
       - id: yamllint
         args: [-c=.yamllint]
   - repo: https://github.com/ansible-community/ansible-lint.git
-    rev: a058554b9bcf88f12ad09ab9fb93b267a214368f  # v6.8.6
+    rev: 3293b64b939c0de16ef8cb81dd49255e475bf89a  # frozen: v6.17.2
     hooks:
       - id: ansible-lint
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: 4c7c3dd7161ef39e984cb295e93a968236dc8e8a  # v0.8.0.4
+    rev: 375289a39f5708101b1f916eb729e8d6da96993f  # frozen: v0.9.0.5
     hooks:
       - id: shellcheck
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: 04618e68aa2380828a36a23ff5f65a06ae8f59b9  # v1.3.1
+    rev: 12885e376b93dc4536ad68d156065601e4433665  # frozen: v1.5.1
     hooks:
       - id: remove-crlf
       - id: remove-tabs
   - repo: https://github.com/sirosen/texthooks
-    rev: 30d9af95631de0d7cff4e282bde9160d38bb0359  # 0.4.0
+    rev: c4ffd3e31669dd4fa4d31a23436cc13839730084  # frozen: 0.5.0
     hooks:
       - id: fix-smartquotes

.yamllint

@@ -6,4 +6,6 @@ rules:
     max: 120
     level: warning
   truthy:
-    allowed-values: ['true', 'false', 'yes', 'no']
+    allowed-values: ['true', 'false']
+ignore:
+  - galaxy.yml

README.md

@@ -4,11 +4,11 @@
 
 This playbook will build an HA Kubernetes cluster with `k3s`, `kube-vip` and MetalLB via `ansible`.
 
-This is based on the work from [this fork](https://github.com/212850a/k3s-ansible) which is based on the work from [k3s-io/k3s-ansible](https://github.com/k3s-io/k3s-ansible). It uses [kube-vip](https://kube-vip.chipzoller.dev/) to create a load balancer for control plane, and [metal-lb](https://metallb.universe.tf/installation/) for its service `LoadBalancer`.
+This is based on the work from [this fork](https://github.com/212850a/k3s-ansible) which is based on the work from [k3s-io/k3s-ansible](https://github.com/k3s-io/k3s-ansible). It uses [kube-vip](https://kube-vip.io/) to create a load balancer for control plane, and [metal-lb](https://metallb.universe.tf/installation/) for its service `LoadBalancer`.
 
 If you want more context on how this works, see:
 
-📄 [Documentation](https://docs.technotim.live/posts/k3s-etcd-ansible/) (including example commands)
+📄 [Documentation](https://technotim.live/posts/k3s-etcd-ansible/) (including example commands)
 
 📺 [Watch the Video](https://www.youtube.com/watch?v=CbkEWcUZ7zM)
 
@@ -28,7 +28,7 @@ on processor architecture:
 
 ## ✅ System requirements
 
-- Control Node (the machine you are running `ansible` commands) must have Ansible 2.11+ If you need a quick primer on Ansible [you can check out my docs and setting up Ansible](https://docs.technotim.live/posts/ansible-automation/).
+- Control Node (the machine you are running `ansible` commands) must have Ansible 2.11+ If you need a quick primer on Ansible [you can check out my docs and setting up Ansible](https://technotim.live/posts/ansible-automation/).
 
 - You will also need to install collections that this playbook uses by running `ansible-galaxy collection install -r ./collections/requirements.yml` (important❗)
 
@@ -101,7 +101,7 @@ scp debian@master_ip:~/.kube/config ~/.kube/config
 
 ### 🔨 Testing your cluster
 
-See the commands [here](https://docs.technotim.live/posts/k3s-etcd-ansible/#testing-your-cluster).
+See the commands [here](https://technotim.live/posts/k3s-etcd-ansible/#testing-your-cluster).
 
 ### Troubleshooting
 
@@ -118,6 +118,28 @@ You can find more information about it [here](molecule/README.md).
 
 This repo uses `pre-commit` and `pre-commit-hooks` to lint and fix common style and syntax errors.  Be sure to install python packages and then run `pre-commit install`.  For more information, see [pre-commit](https://pre-commit.com/)
 
+## 🌌 Ansible Galaxy
+
+This collection can now be used in larger ansible projects.
+
+Instructions:
+
+- create or modify a file `collections/requirements.yml` in your project
+
+```yml
+collections:
+  - name: ansible.utils
+  - name: community.general
+  - name: ansible.posix
+  - name: kubernetes.core
+  - name: https://github.com/techno-tim/k3s-ansible.git
+    type: git
+    version: master
+```
+
+- install via `ansible-galaxy collection install -r ./collections/requirements.yml`
+- every role is now available via the prefix `techno_tim.k3s_ansible.` e.g. `techno_tim.k3s_ansible.lxc`
+
 ## Thanks 🤝
 
 This repo is really standing on the shoulders of giants. Thank you to all those who have contributed and thanks to these repos for code and ideas:

galaxy.yml

@@ -0,0 +1,81 @@
+### REQUIRED
+# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
+# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
+# underscores or numbers and cannot contain consecutive underscores
+namespace: techno_tim
+
+# The name of the collection. Has the same character restrictions as 'namespace'
+name: k3s_ansible
+
+# The version of the collection. Must be compatible with semantic versioning
+version: 1.0.0
+
+# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
+readme: README.md
+
+# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
+# @nicks:irc/im.site#channel'
+authors:
+- your name <example@domain.com>
+
+
+### OPTIONAL but strongly recommended
+# A short summary description of the collection
+description: >
+  The easiest way to bootstrap a self-hosted High Availability Kubernetes
+  cluster. A fully automated HA k3s etcd install with kube-vip, MetalLB,
+  and more.
+
+# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
+# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
+license:
+- Apache-2.0
+
+
+# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
+# requirements as 'namespace' and 'name'
+tags:
+  - etcd
+  - high-availability
+  - k8s
+  - k3s
+  - k3s-cluster
+  - kube-vip
+  - kubernetes
+  - metallb
+  - rancher
+
+# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
+# collection label 'namespace.name'. The value is a version range
+# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
+# range specifiers can be set and are separated by ','
+dependencies:
+  ansible.utils: '*'
+  ansible.posix: '*'
+  community.general: '*'
+  kubernetes.core: '*'
+
+# The URL of the originating SCM repository
+repository: https://github.com/techno-tim/k3s-ansible
+
+# The URL to any online docs
+documentation: https://github.com/techno-tim/k3s-ansible
+
+# The URL to the homepage of the collection/project
+homepage: https://www.youtube.com/watch?v=CbkEWcUZ7zM
+
+# The URL to the collection issue tracker
+issues: https://github.com/techno-tim/k3s-ansible/issues
+
+# A list of file glob-like patterns used to filter any files or directories that should not be included in the build
+# artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
+# uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
+# and '.git' are always filtered. Mutually exclusive with 'manifest'
+build_ignore: []
+
+# A dict controlling use of manifest directives used in building the collection artifact. The key 'directives' is a
+# list of MANIFEST.in style
+# L(directives,https://packaging.python.org/en/latest/guides/using-manifest-in/#manifest-in-commands). The key
+# 'omit_default_directives' is a boolean that controls whether the default directives are used. Mutually exclusive
+# with 'build_ignore'
+# manifest: null

inventory/sample/group_vars/all.yml

@@ -1,5 +1,5 @@
 ---
-k3s_version: v1.24.11+k3s1
+k3s_version: v1.26.12+k3s1
 # this is the user that has ssh access to these machines
 ansible_user: ansibleuser
 systemd_dir: /etc/systemd/system
@@ -41,7 +41,7 @@ extra_agent_args: >-
   {{ extra_args }}
 
 # image tag for kube-vip
-kube_vip_tag_version: "v0.5.11"
+kube_vip_tag_version: "v0.5.12"
 
 # metallb type frr or native
 metal_lb_type: "native"
@@ -55,7 +55,6 @@ metal_lb_mode: "layer2"
 # metal_lb_bgp_peer_address: "192.168.30.1"
 
 # image tag for metal lb
-metal_lb_frr_tag_version: "v7.5.1"
 metal_lb_speaker_tag_version: "v0.13.9"
 metal_lb_controller_tag_version: "v0.13.9"
 
@@ -67,9 +66,9 @@ metal_lb_ip_range: "192.168.30.80-192.168.30.90"
 # Please read https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185 before using this.
 # Most notably, your containers must be privileged, and must not have nesting set to true.
 # Please note this script disables most of the security of lxc containers, with the trade off being that lxc
-# containers are significantly more resource efficent compared to full VMs.
+# containers are significantly more resource efficient compared to full VMs.
 # Mixing and matching VMs and lxc containers is not supported, ymmv if you want to do this.
-# I would only really recommend using this if you have partiularly low powered proxmox nodes where the overhead of
+# I would only really recommend using this if you have particularly low powered proxmox nodes where the overhead of
 # VMs would use a significant portion of your available resources.
 proxmox_lxc_configure: false
 # the user that you would use to ssh into the host, for example if you run ssh some-user@my-proxmox-host,
@@ -82,3 +81,49 @@ proxmox_lxc_ct_ids:
   - 202
   - 203
   - 204
+
+# Only enable this if you have set up your own container registry to act as a mirror / pull-through cache
+# (harbor / nexus / docker's official registry / etc).
+# Can be beneficial for larger dev/test environments (for example if you're getting rate limited by docker hub),
+# or air-gapped environments where your nodes don't have internet access after the initial setup
+# (which is still needed for downloading the k3s binary and such).
+# k3s's documentation about private registries here: https://docs.k3s.io/installation/private-registry
+custom_registries: false
+# The registries can be authenticated or anonymous, depending on your registry server configuration.
+# If they allow anonymous access, simply remove the following bit from custom_registries_yaml
+#   configs:
+#     "registry.domain.com":
+#       auth:
+#         username: yourusername
+#         password: yourpassword
+# The following is an example that pulls all images used in this playbook through your private registries.
+# It also allows you to pull your own images from your private registry, without having to use imagePullSecrets
+# in your deployments.
+# If all you need is your own images and you don't care about caching the docker/quay/ghcr.io images,
+# you can just remove those from the mirrors: section.
+custom_registries_yaml: |
+  mirrors:
+    docker.io:
+      endpoint:
+        - "https://registry.domain.com/v2/dockerhub"
+    quay.io:
+      endpoint:
+        - "https://registry.domain.com/v2/quayio"
+    ghcr.io:
+      endpoint:
+        - "https://registry.domain.com/v2/ghcrio"
+    registry.domain.com:
+      endpoint:
+        - "https://registry.domain.com"
+
+  configs:
+    "registry.domain.com":
+      auth:
+        username: yourusername
+        password: yourpassword
+
+# Only enable and configure these if you access the internet through a proxy
+# proxy_env:
+#   HTTP_PROXY: "http://proxy.domain.local:3128"
+#   HTTPS_PROXY: "http://proxy.domain.local:3128"
+#   NO_PROXY: "*.domain.local,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

inventory/sample/group_vars/proxmox.yml

@@ -0,0 +1,2 @@
+---
+ansible_user: '{{ proxmox_lxc_ssh_user }}'

molecule/default/molecule.yml

@@ -7,7 +7,7 @@ platforms:
 
   - name: control1
     box: generic/ubuntu2204
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -23,7 +23,7 @@ platforms:
 
   - name: control2
     box: generic/debian11
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -34,7 +34,7 @@ platforms:
 
   - name: control3
     box: generic/rocky9
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -45,7 +45,7 @@ platforms:
 
   - name: node1
     box: generic/ubuntu2204
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -61,7 +61,7 @@ platforms:
 
   - name: node2
     box: generic/rocky9
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -72,6 +72,8 @@ platforms:
 
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -82,7 +84,6 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax

molecule/default/overrides.yml

@@ -4,7 +4,8 @@
   tasks:
     - name: Override host variables
       ansible.builtin.set_fact:
-        # See: https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant  # noqa yaml[line-length]
+        # See:
+        # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
         flannel_iface: eth1
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:

molecule/default/prepare.yml

@@ -17,6 +17,6 @@
       # and security needs.
       ansible.builtin.systemd:
         name: firewalld
-        enabled: no
+        enabled: false
         state: stopped
       become: true

molecule/ipv6/molecule.yml

@@ -6,7 +6,7 @@ driver:
 platforms:
   - name: control1
     box: generic/ubuntu2204
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -22,7 +22,7 @@ platforms:
 
   - name: control2
     box: generic/ubuntu2204
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -38,7 +38,7 @@ platforms:
 
   - name: node1
     box: generic/ubuntu2204
-    memory: 2048
+    memory: 1024
     cpus: 2
     groups:
       - k3s_cluster
@@ -53,6 +53,8 @@ platforms:
       ssh.password: "vagrant"
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -63,7 +65,6 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax

molecule/ipv6/overrides.yml

@@ -4,7 +4,8 @@
   tasks:
     - name: Override host variables (1/2)
       ansible.builtin.set_fact:
-        # See: https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant  # noqa yaml[line-length]
+        # See:
+        # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
         flannel_iface: eth1
 
         # In this scenario, we have multiple interfaces that the VIP could be

molecule/resources/verify.yml

@@ -2,4 +2,4 @@
 - name: Verify
   hosts: all
   roles:
-    - verify/from_outside
+    - verify_from_outside

molecule/resources/verify_from_outside/defaults/main.yml

@@ -6,4 +6,4 @@ outside_host: localhost
 testing_namespace: molecule-verify-from-outside
 
 # The directory in which the example manifests reside
-example_manifests_path: ../../../../example
+example_manifests_path: ../../../example

molecule/resources/verify_from_outside/tasks/test/deploy-example.yml

@@ -34,14 +34,14 @@
 
     - name: Assert that the nginx welcome page is available
       ansible.builtin.uri:
-        url: http://{{ ip | ansible.utils.ipwrap }}:{{ port }}/
+        url: http://{{ ip | ansible.utils.ipwrap }}:{{ port_ }}/
-        return_content: yes
+        return_content: true
       register: result
       failed_when: "'Welcome to nginx!' not in result.content"
       vars:
         ip: >-
           {{ nginx_services.resources[0].status.loadBalancer.ingress[0].ip }}
-        port: >-
+        port_: >-
           {{ nginx_services.resources[0].spec.ports[0].port }}
       # Deactivated linter rules:
       #   - jinja[invalid]: As of version 6.6.0, ansible-lint complains that the input to ipwrap

molecule/single_node/molecule.yml

@@ -21,6 +21,8 @@ platforms:
         ip: 192.168.30.50
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -31,7 +33,6 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax

molecule/single_node/overrides.yml

@@ -4,7 +4,8 @@
   tasks:
     - name: Override host variables
       ansible.builtin.set_fact:
-        # See: https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant  # noqa yaml[line-length]
+        # See:
+        # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
         flannel_iface: eth1
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:

reboot.yml

@@ -1,7 +1,7 @@
 ---
 - name: Reboot k3s_cluster
   hosts: k3s_cluster
-  gather_facts: yes
+  gather_facts: true
   tasks:
     - name: Reboot the nodes (and Wait upto 5 mins max)
       become: true

requirements.in

@@ -1,12 +1,10 @@
-ansible-core>=2.13.5
+ansible-core>=2.16.2
-ansible-lint>=6.8.6
 jmespath>=1.0.1
-jsonpatch>=1.32
+jsonpatch>=1.33
-kubernetes>=25.3.0
+kubernetes>=29.0.0
-molecule-vagrant>=1.0.0
+molecule-plugins[vagrant]
-molecule>=4.0.3
+molecule>=6.0.3
-netaddr>=0.8.0
+netaddr>=0.10.1
-pre-commit>=2.20.0
+pre-commit>=3.6.0
-pre-commit-hooks>=1.3.1
+pre-commit-hooks>=4.5.0
-pyyaml>=6.0
+pyyaml>=6.0.1
-yamllint>=1.28.0

requirements.txt

@@ -1,211 +1,169 @@
 #
-# This file is autogenerated by pip-compile with python 3.8
+# This file is autogenerated by pip-compile with Python 3.11
-# To update, run:
+# by the following command:
 #
 #    pip-compile requirements.in
 #
-ansible-compat==3.0.1
+ansible-compat==4.1.11
     # via molecule
-ansible-core==2.14.3
+ansible-core==2.16.2
     # via
     #   -r requirements.in
     #   ansible-compat
-    #   ansible-lint
+    #   molecule
-ansible-lint==6.14.2
+attrs==23.2.0
-    # via -r requirements.in
+    # via
-arrow==1.2.3
+    #   jsonschema
-    # via jinja2-time
+    #   referencing
-attrs==22.1.0
+bracex==2.4
-    # via jsonschema
-binaryornot==0.4.4
-    # via cookiecutter
-black==22.10.0
-    # via ansible-lint
-bracex==2.3.post1
     # via wcmatch
-cachetools==5.2.0
+cachetools==5.3.2
     # via google-auth
-certifi==2022.9.24
+certifi==2023.11.17
     # via
     #   kubernetes
     #   requests
-cffi==1.15.1
+cffi==1.16.0
     # via cryptography
-cfgv==3.3.1
+cfgv==3.4.0
     # via pre-commit
-chardet==5.0.0
+charset-normalizer==3.3.2
-    # via binaryornot
-charset-normalizer==2.1.1
     # via requests
-click==8.1.3
+click==8.1.7
     # via
-    #   black
     #   click-help-colors
-    #   cookiecutter
     #   molecule
-click-help-colors==0.9.1
+click-help-colors==0.9.4
     # via molecule
-commonmark==0.9.1
+cryptography==41.0.7
-    # via rich
-cookiecutter==2.1.1
-    # via molecule
-cryptography==38.0.3
     # via ansible-core
-distlib==0.3.6
+distlib==0.3.8
     # via virtualenv
-distro==1.8.0
-    # via selinux
 enrich==1.2.7
     # via molecule
-filelock==3.8.0
+filelock==3.13.1
-    # via
+    # via virtualenv
-    #   ansible-lint
+google-auth==2.26.2
-    #   virtualenv
-google-auth==2.14.0
     # via kubernetes
-identify==2.5.8
+identify==2.5.33
     # via pre-commit
-idna==3.4
+idna==3.6
     # via requests
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     #   ansible-core
-    #   cookiecutter
-    #   jinja2-time
     #   molecule
-    #   molecule-vagrant
-jinja2-time==0.2.0
-    # via cookiecutter
 jmespath==1.0.1
     # via -r requirements.in
-jsonpatch==1.32
+jsonpatch==1.33
     # via -r requirements.in
-jsonpointer==2.3
+jsonpointer==2.4
     # via jsonpatch
-jsonschema==4.17.0
+jsonschema==4.21.1
     # via
     #   ansible-compat
-    #   ansible-lint
     #   molecule
-kubernetes==25.3.0
+jsonschema-specifications==2023.12.1
+    # via jsonschema
+kubernetes==29.0.0
     # via -r requirements.in
-markupsafe==2.1.1
+markdown-it-py==3.0.0
+    # via rich
+markupsafe==2.1.4
     # via jinja2
-molecule==4.0.4
+mdurl==0.1.2
+    # via markdown-it-py
+molecule==6.0.3
     # via
     #   -r requirements.in
-    #   molecule-vagrant
+    #   molecule-plugins
-molecule-vagrant==1.0.0
+molecule-plugins[vagrant]==23.5.0
     # via -r requirements.in
-mypy-extensions==0.4.3
+netaddr==0.10.1
-    # via black
-netaddr==0.8.0
     # via -r requirements.in
-nodeenv==1.7.0
+nodeenv==1.8.0
     # via pre-commit
 oauthlib==3.2.2
-    # via requests-oauthlib
+    # via
-packaging==21.3
+    #   kubernetes
+    #   requests-oauthlib
+packaging==23.2
     # via
     #   ansible-compat
     #   ansible-core
-    #   ansible-lint
     #   molecule
-pathspec==0.10.1
+platformdirs==4.1.0
-    # via
+    # via virtualenv
-    #   black
+pluggy==1.3.0
-    #   yamllint
-platformdirs==2.5.2
-    # via
-    #   black
-    #   virtualenv
-pluggy==1.0.0
     # via molecule
-pre-commit==2.21.0
+pre-commit==3.6.0
     # via -r requirements.in
-pre-commit-hooks==4.4.0
+pre-commit-hooks==4.5.0
     # via -r requirements.in
-pyasn1==0.4.8
+pyasn1==0.5.1
     # via
     #   pyasn1-modules
     #   rsa
-pyasn1-modules==0.2.8
+pyasn1-modules==0.3.0
     # via google-auth
 pycparser==2.21
     # via cffi
-pygments==2.13.0
+pygments==2.17.2
     # via rich
-pyparsing==3.0.9
-    # via packaging
-pyrsistent==0.19.2
-    # via jsonschema
 python-dateutil==2.8.2
-    # via
+    # via kubernetes
-    #   arrow
-    #   kubernetes
-python-slugify==6.1.2
-    # via cookiecutter
 python-vagrant==1.0.0
-    # via molecule-vagrant
+    # via molecule-plugins
-pyyaml==6.0
+pyyaml==6.0.1
     # via
     #   -r requirements.in
     #   ansible-compat
     #   ansible-core
-    #   ansible-lint
-    #   cookiecutter
     #   kubernetes
     #   molecule
-    #   molecule-vagrant
     #   pre-commit
-    #   yamllint
+referencing==0.32.1
-requests==2.28.1
+    # via
+    #   jsonschema
+    #   jsonschema-specifications
+requests==2.31.0
     # via
-    #   cookiecutter
     #   kubernetes
     #   requests-oauthlib
 requests-oauthlib==1.3.1
     # via kubernetes
-resolvelib==0.8.1
+resolvelib==1.0.1
     # via ansible-core
-rich==12.6.0
+rich==13.7.0
     # via
-    #   ansible-lint
     #   enrich
     #   molecule
+rpds-py==0.17.1
+    # via
+    #   jsonschema
+    #   referencing
 rsa==4.9
     # via google-auth
-ruamel-yaml==0.17.21
+ruamel-yaml==0.18.5
-    # via
+    # via pre-commit-hooks
-    #   ansible-lint
+ruamel-yaml-clib==0.2.8
-    #   pre-commit-hooks
+    # via ruamel-yaml
-selinux==0.2.1
-    # via molecule-vagrant
 six==1.16.0
     # via
-    #   google-auth
     #   kubernetes
     #   python-dateutil
 subprocess-tee==0.4.1
-    # via
+    # via ansible-compat
-    #   ansible-compat
+urllib3==2.1.0
-    #   ansible-lint
-text-unidecode==1.3
-    # via python-slugify
-urllib3==1.26.12
     # via
     #   kubernetes
     #   requests
-virtualenv==20.16.6
+virtualenv==20.25.0
     # via pre-commit
-wcmatch==8.4.1
+wcmatch==8.5
-    # via ansible-lint
+    # via molecule
-websocket-client==1.4.2
+websocket-client==1.7.0
     # via kubernetes
-yamllint==1.29.0
-    # via
-    #   -r requirements.in
-    #   ansible-lint
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools

reset.yml

@@ -1,7 +1,7 @@
 ---
-
+- name: Reset k3s cluster
-- hosts: k3s_cluster
+  hosts: k3s_cluster
-  gather_facts: yes
+  gather_facts: true
   roles:
     - role: reset
       become: true
@@ -14,9 +14,10 @@
       reboot:
         reboot_timeout: 3600
 
-- hosts: proxmox
+- name: Revert changes to Proxmox cluster
+  hosts: proxmox
   gather_facts: true
-  become: yes
+  become: true
   remote_user: "{{ proxmox_lxc_ssh_user }}"
   roles:
     - role: reset_proxmox_lxc

roles/k3s/master/defaults/main.yml

@@ -1,16 +0,0 @@
----
-# If you want to explicitly define an interface that ALL control nodes
-# should use to propagate the VIP, define it here. Otherwise, kube-vip
-# will determine the right interface automatically at runtime.
-kube_vip_iface: null
-
-server_init_args: >-
-  {% if groups['master'] | length > 1 %}
-    {% if ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname'] %}
-      --cluster-init
-    {% else %}
-      --server https://{{ hostvars[groups['master'][0]].k3s_node_ip | split(",") | first | ansible.utils.ipwrap }}:6443
-    {% endif %}
-    --token {{ k3s_token }}
-  {% endif %}
-  {{ extra_server_args | default('') }}

roles/k3s/node/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# Name of the master group
+group_name_master: master

roles/k3s/post/defaults/main.yml

@@ -1,3 +0,0 @@
----
-# Timeout to wait for MetalLB services to come up
-metal_lb_available_timeout: 120s

roles/k3s_agent/tasks/http_proxy.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Create k3s-node.service.d directory
+  file:
+    path: '{{ systemd_dir }}/k3s-node.service.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+
+- name: Copy K3s http_proxy conf file
+  template:
+    src: "http_proxy.conf.j2"
+    dest: "{{ systemd_dir }}/k3s-node.service.d/http_proxy.conf"
+    owner: root
+    group: root
+    mode: '0755'

roles/k3s_agent/tasks/main.yml

@@ -1,5 +1,9 @@
 ---
 
+- name: Deploy K3s http_proxy conf
+  include_tasks: http_proxy.yml
+  when: proxy_env is defined
+
 - name: Copy K3s service file
   template:
     src: "k3s.service.j2"
@@ -11,6 +15,6 @@
 - name: Enable and check K3s service
   systemd:
     name: k3s-node
-    daemon_reload: yes
+    daemon_reload: true
     state: restarted
-    enabled: yes
+    enabled: true

roles/k3s_agent/templates/http_proxy.conf.j2

@@ -0,0 +1,4 @@
+[Service]
+Environment=HTTP_PROXY={{ proxy_env.HTTP_PROXY }}
+Environment=HTTPS_PROXY={{ proxy_env.HTTPS_PROXY }}
+Environment=NO_PROXY={{ proxy_env.NO_PROXY }}

roles/k3s_agent/templates/k3s.service.j2

@@ -7,7 +7,7 @@ After=network-online.target
 Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --server https://{{ apiserver_endpoint | ansible.utils.ipwrap }}:6443 --token {{ hostvars[groups['master'][0]]['token'] | default(k3s_token) }} {{ extra_agent_args | default("") }}
+ExecStart=/usr/local/bin/k3s agent --server https://{{ apiserver_endpoint | ansible.utils.ipwrap }}:6443 --token {{ hostvars[groups[group_name_master | default('master')][0]]['token'] | default(k3s_token) }} {{ extra_agent_args | default("") }}
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead

roles/k3s_custom_registries/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# Indicates whether custom registries for k3s should be configured
+# Possible values:
+#   - present
+#   - absent
+state: present

roles/k3s_custom_registries/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Create directory /etc/rancher/k3s
+  file:
+    path: "/etc/{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - rancher
+    - rancher/k3s
+
+- name: Insert registries into /etc/rancher/k3s/registries.yaml
+  blockinfile:
+    path: /etc/rancher/k3s/registries.yaml
+    block: "{{ custom_registries_yaml }}"
+    mode: '0600'
+    create: true

roles/k3s_server/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+# If you want to explicitly define an interface that ALL control nodes
+# should use to propagate the VIP, define it here. Otherwise, kube-vip
+# will determine the right interface automatically at runtime.
+kube_vip_iface: null
+
+# Name of the master group
+group_name_master: master
+
+# yamllint disable rule:line-length
+server_init_args: >-
+  {% if groups[group_name_master | default('master')] | length > 1 %}
+    {% if ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname'] %}
+      --cluster-init
+    {% else %}
+      --server https://{{ hostvars[groups[group_name_master | default('master')][0]].k3s_node_ip | split(",") | first | ansible.utils.ipwrap }}:6443
+    {% endif %}
+    --token {{ k3s_token }}
+  {% endif %}
+  {{ extra_server_args | default('') }}

roles/k3s_server/tasks/http_proxy.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Create k3s.service.d directory
+  file:
+    path: '{{ systemd_dir }}/k3s.service.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+
+- name: Copy K3s http_proxy conf file
+  template:
+    src: "http_proxy.conf.j2"
+    dest: "{{ systemd_dir }}/k3s.service.d/http_proxy.conf"
+    owner: root
+    group: root
+    mode: '0755'

roles/k3s_server/tasks/main.yml

@@ -1,23 +1,34 @@
 ---
 
-- name: Clean previous runs of k3s-init
+- name: Stop k3s-init
   systemd:
     name: k3s-init
     state: stopped
   failed_when: false
 
-- name: Clean previous runs of k3s-init
+# k3s-init won't work if the port is already in use
+- name: Stop k3s
+  systemd:
+    name: k3s
+    state: stopped
+  failed_when: false
+
+- name: Clean previous runs of k3s-init  # noqa command-instead-of-module
+  # The systemd module does not support "reset-failed", so we need to resort to command.
   command: systemctl reset-failed k3s-init
   failed_when: false
   changed_when: false
-  args:
+
-    warn: false  # The ansible systemd module does not support reset-failed
+- name: Deploy K3s http_proxy conf
+  include_tasks: http_proxy.yml
+  when: proxy_env is defined
 
 - name: Deploy vip manifest
   include_tasks: vip.yml
 
 - name: Deploy metallb manifest
   include_tasks: metallb.yml
+  tags: metallb
 
 - name: Init cluster inside the transient k3s-init service
   command:
@@ -25,15 +36,16 @@
                       -p Restart=on-failure \
                       --unit=k3s-init \
                       k3s server {{ server_init_args }}"
-    creates: "{{ systemd_dir }}/k3s.service"
+    creates: "{{ systemd_dir }}/k3s-init.service"
 
 - name: Verification
+  when: not ansible_check_mode
   block:
     - name: Verify that all nodes actually joined (check k3s-init.service if this fails)
       command:
         cmd: k3s kubectl get nodes -l "node-role.kubernetes.io/master=true" -o=jsonpath="{.items[*].metadata.name}"
       register: nodes
-      until: nodes.rc == 0 and (nodes.stdout.split() | length) == (groups['master'] | length)
+      until: nodes.rc == 0 and (nodes.stdout.split() | length) == (groups[group_name_master | default('master')] | length)  # yamllint disable-line rule:line-length
       retries: "{{ retry_count | default(20) }}"
       delay: 10
       changed_when: false
@@ -49,7 +61,6 @@
         name: k3s-init
         state: stopped
       failed_when: false
-  when: not ansible_check_mode
 
 - name: Copy K3s service file
   register: k3s_service
@@ -63,9 +74,9 @@
 - name: Enable and check K3s service
   systemd:
     name: k3s
-    daemon_reload: yes
+    daemon_reload: true
     state: restarted
-    enabled: yes
+    enabled: true
 
 - name: Wait for node-token
   wait_for:
@@ -106,7 +117,7 @@
   copy:
     src: /etc/rancher/k3s/k3s.yaml
     dest: "{{ ansible_user_dir }}/.kube/config"
-    remote_src: yes
+    remote_src: true
     owner: "{{ ansible_user_id }}"
     mode: "u=rw,g=,o="
 

roles/k3s_server/tasks/metallb.yml

@@ -6,16 +6,16 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']
 
 - name: "Download to first master: manifest for metallb-{{ metal_lb_type }}"
   ansible.builtin.get_url:
-    url: "https://raw.githubusercontent.com/metallb/metallb/{{ metal_lb_controller_tag_version }}/config/manifests/metallb-{{metal_lb_type}}.yaml"  # noqa yaml[line-length]
+    url: "https://raw.githubusercontent.com/metallb/metallb/{{ metal_lb_controller_tag_version }}/config/manifests/metallb-{{ metal_lb_type }}.yaml"  # noqa yaml[line-length]
     dest: "/var/lib/rancher/k3s/server/manifests/metallb-crds.yaml"
     owner: root
     group: root
     mode: 0644
-  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']
 
 - name: Set image versions in manifest for metallb-{{ metal_lb_type }}
   ansible.builtin.replace:
@@ -27,4 +27,4 @@
       to: "metallb/speaker:{{ metal_lb_speaker_tag_version }}"
   loop_control:
     label: "{{ item.change }} => {{ item.to }}"
-  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']

roles/k3s_server/tasks/vip.yml

@@ -6,7 +6,7 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']
 
 - name: Download vip rbac manifest to first master
   ansible.builtin.get_url:
@@ -15,7 +15,7 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']
 
 - name: Copy vip manifest to first master
   template:
@@ -24,4 +24,4 @@
     owner: root
     group: root
     mode: 0644
-  when: ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname']
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']

roles/k3s_server/templates/http_proxy.conf.j2

@@ -0,0 +1,4 @@
+[Service]
+Environment=HTTP_PROXY={{ proxy_env.HTTP_PROXY }}
+Environment=HTTPS_PROXY={{ proxy_env.HTTPS_PROXY }}
+Environment=NO_PROXY={{ proxy_env.NO_PROXY }}

roles/k3s_server_post/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# Timeout to wait for MetalLB services to come up
+metal_lb_available_timeout: 240s
+
+# Name of the master group
+group_name_master: master

roles/k3s_server_post/tasks/main.yml

@@ -1,6 +1,7 @@
 ---
 - name: Deploy metallb pool
   include_tasks: metallb.yml
+  tags: metallb
 
 - name: Remove tmp directory used for manifests
   file:

roles/k3s_server_post/tasks/metallb.yml

@@ -5,7 +5,7 @@
     state: directory
     owner: "{{ ansible_user_id }}"
     mode: 0755
-  with_items: "{{ groups['master'] }}"
+  with_items: "{{ groups[group_name_master | default('master')] }}"
   run_once: true
 
 - name: Copy metallb CRs manifest to first master
@@ -14,14 +14,14 @@
     dest: "/tmp/k3s/metallb-crs.yaml"
     owner: "{{ ansible_user_id }}"
     mode: 0755
-  with_items: "{{ groups['master'] }}"
+  with_items: "{{ groups[group_name_master | default('master')] }}"
   run_once: true
 
 - name: Test metallb-system namespace
   command: >-
     k3s kubectl -n metallb-system
   changed_when: false
-  with_items: "{{ groups['master'] }}"
+  with_items: "{{ groups[group_name_master | default('master')] }}"
   run_once: true
 
 - name: Wait for MetalLB resources
@@ -66,7 +66,7 @@
   command: >-
     k3s kubectl -n metallb-system get endpoints webhook-service
   changed_when: false
-  with_items: "{{ groups['master'] }}"
+  with_items: "{{ groups[group_name_master | default('master')] }}"
   run_once: true
 
 - name: Apply metallb CRs

roles/lxc/handlers/main.yml

@@ -1,4 +1,5 @@
 ---
-- name: reboot server
+- name: Reboot server
   become: true
   reboot:
+  listen: reboot server

roles/prereq/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+secure_path:
+  RedHat: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'
+  Suse: '/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin'

roles/prereq/tasks/main.yml

@@ -1,34 +1,37 @@
 ---
 - name: Set same timezone on every Server
-  timezone:
+  community.general.timezone:
     name: "{{ system_timezone }}"
   when: (system_timezone is defined) and (system_timezone != "Your/Timezone")
 
 - name: Set SELinux to disabled state
-  selinux:
+  ansible.posix.selinux:
     state: disabled
   when: ansible_os_family == "RedHat"
 
 - name: Enable IPv4 forwarding
-  sysctl:
+  ansible.posix.sysctl:
     name: net.ipv4.ip_forward
     value: "1"
     state: present
-    reload: yes
+    reload: true
+  tags: sysctl
 
 - name: Enable IPv6 forwarding
-  sysctl:
+  ansible.posix.sysctl:
     name: net.ipv6.conf.all.forwarding
     value: "1"
     state: present
-    reload: yes
+    reload: true
+  tags: sysctl
 
 - name: Enable IPv6 router advertisements
-  sysctl:
+  ansible.posix.sysctl:
     name: net.ipv6.conf.all.accept_ra
     value: "2"
     state: present
-    reload: yes
+    reload: true
+  tags: sysctl
 
 - name: Add br_netfilter to /etc/modules-load.d/
   copy:
@@ -38,28 +41,29 @@
   when: ansible_os_family == "RedHat"
 
 - name: Load br_netfilter
-  modprobe:
+  community.general.modprobe:
     name: br_netfilter
     state: present
   when: ansible_os_family == "RedHat"
 
 - name: Set bridge-nf-call-iptables (just to be sure)
-  sysctl:
+  ansible.posix.sysctl:
     name: "{{ item }}"
     value: "1"
     state: present
-    reload: yes
+    reload: true
   when: ansible_os_family == "RedHat"
   loop:
     - net.bridge.bridge-nf-call-iptables
     - net.bridge.bridge-nf-call-ip6tables
+  tags: sysctl
 
 - name: Add /usr/local/bin to sudo secure_path
   lineinfile:
-    line: 'Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'
+    line: 'Defaults    secure_path = {{ secure_path[ansible_os_family] }}'
     regexp: "Defaults(\\s)*secure_path(\\s)*="
     state: present
     insertafter: EOF
     path: /etc/sudoers
     validate: 'visudo -cf %s'
-  when: ansible_os_family == "RedHat"
+  when: ansible_os_family in [ "RedHat", "Suse" ]

roles/proxmox_lxc/handlers/main.yml

@@ -1,5 +1,13 @@
 ---
-- name: reboot containers
+- name: Reboot containers
-  command:
+  block:
-    "pct reboot {{ item }}"
+    - name: Get container ids from filtered files
-  loop: "{{ proxmox_lxc_filtered_ids }}"
+      set_fact:
+        proxmox_lxc_filtered_ids: >-
+          {{ proxmox_lxc_filtered_files | map("split", "/") | map("last") | map("split", ".") | map("first") }}
+      listen: reboot containers
+    - name: Reboot container
+      command: "pct reboot {{ item }}"
+      loop: "{{ proxmox_lxc_filtered_ids }}"
+      changed_when: true
+      listen: reboot containers

roles/proxmox_lxc/tasks/main.yml

@@ -1,21 +1,15 @@
 ---
-- name: check for container files that exist on this host
+- name: Check for container files that exist on this host
   stat:
     path: "/etc/pve/lxc/{{ item }}.conf"
   loop: "{{ proxmox_lxc_ct_ids }}"
   register: stat_results
 
-- name: filter out files that do not exist
+- name: Filter out files that do not exist
   set_fact:
     proxmox_lxc_filtered_files:
       '{{ stat_results.results | rejectattr("stat.exists", "false") | map(attribute="stat.path") }}'
 
-# used for the reboot handler
-- name: get container ids from filtered files
-  set_fact:
-    proxmox_lxc_filtered_ids:
-      '{{ proxmox_lxc_filtered_files | map("split", "/") | map("last") | map("split", ".") | map("first") }}'
-
 # https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185
 - name: Ensure lxc config has the right apparmor profile
   lineinfile:

roles/raspberrypi/handlers/main.yml

@@ -1,3 +1,4 @@
 ---
-- name: reboot
+- name: Reboot
   reboot:
+  listen: reboot

roles/raspberrypi/tasks/main.yml

@@ -17,21 +17,19 @@
   when:
     grep_cpuinfo_raspberrypi.rc == 0 or grep_device_tree_model_raspberrypi.rc == 0
 
-- name: Set detected_distribution to Raspbian
+- name: Set detected_distribution to Raspbian (ARM64 on Raspbian, Debian Buster/Bullseye/Bookworm)
-  set_fact:
-    detected_distribution: Raspbian
-  when: >
-    raspberry_pi|default(false) and
-    ( ansible_facts.lsb.id|default("") == "Raspbian" or
-      ansible_facts.lsb.description|default("") is match("[Rr]aspbian.*") )
-
-- name: Set detected_distribution to Raspbian (ARM64 on Debian Buster)
   set_fact:
     detected_distribution: Raspbian
+  vars:
+    allowed_descriptions:
+      - "[Rr]aspbian.*"
+      - "Debian.*buster"
+      - "Debian.*bullseye"
+      - "Debian.*bookworm"
   when:
     - ansible_facts.architecture is search("aarch64")
     - raspberry_pi|default(false)
-    - ansible_facts.lsb.description|default("") is match("Debian.*buster")
+    - ansible_facts.lsb.description|default("") is match(allowed_descriptions | join('|'))
 
 - name: Set detected_distribution_major_version
   set_fact:
@@ -39,28 +37,16 @@
   when:
     - detected_distribution | default("") == "Raspbian"
 
-- name: Set detected_distribution to Raspbian (ARM64 on Debian Bullseye)
+- name: Execute OS related tasks on the Raspberry Pi - {{ action_ }}
-  set_fact:
-    detected_distribution: Raspbian
-  when:
-    - ansible_facts.architecture is search("aarch64")
-    - raspberry_pi|default(false)
-    - ansible_facts.lsb.description|default("") is match("Debian.*bullseye")
-
-- name: execute OS related tasks on the Raspberry Pi - {{ action }}
   include_tasks: "{{ item }}"
   with_first_found:
-    - "{{ action }}/{{ detected_distribution }}-{{ detected_distribution_major_version }}.yml"
+    - "{{ action_ }}/{{ detected_distribution }}-{{ detected_distribution_major_version }}.yml"
-    - "{{ action }}/{{ detected_distribution }}.yml"
+    - "{{ action_ }}/{{ detected_distribution }}.yml"
-    - "{{ action }}/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ action_ }}/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ action }}/{{ ansible_distribution }}.yml"
+    - "{{ action_ }}/{{ ansible_distribution }}.yml"
-    - "{{ action }}/default.yml"
+    - "{{ action_ }}/default.yml"
   vars:
-    action: >-
+    action_: >-
-      {% if state == "present" -%}
+      {% if state == "present" %}setup{% else %}teardown{% endif %}
-      setup
-      {%- else -%}
-      teardown
-      {%- endif %}
   when:
     - raspberry_pi|default(false)

roles/raspberrypi/tasks/setup/Raspbian.yml

@@ -8,20 +8,22 @@
   notify: reboot
 
 - name: Install iptables
-  apt: name=iptables state=present
+  apt:
+    name: iptables
+    state: present
 
 - name: Flush iptables before changing to iptables-legacy
   iptables:
     flush: true
 
 - name: Changing to iptables-legacy
-  alternatives:
+  community.general.alternatives:
     path: /usr/sbin/iptables-legacy
     name: iptables
   register: ip4_legacy
 
 - name: Changing to ip6tables-legacy
-  alternatives:
+  community.general.alternatives:
     path: /usr/sbin/ip6tables-legacy
     name: ip6tables
   register: ip6_legacy

roles/raspberrypi/tasks/setup/Rocky.yml

@@ -2,7 +2,7 @@
 - name: Enable cgroup via boot commandline if not already enabled for Rocky
   lineinfile:
     path: /boot/cmdline.txt
-    backrefs: yes
+    backrefs: true
     regexp: '^((?!.*\bcgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory\b).*)$'
     line: '\1 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory'
   notify: reboot

roles/raspberrypi/tasks/setup/Ubuntu.yml

@@ -2,7 +2,7 @@
 - name: Enable cgroup via boot commandline if not already enabled for Ubuntu on a Raspberry Pi
   lineinfile:
     path: /boot/firmware/cmdline.txt
-    backrefs: yes
+    backrefs: true
     regexp: '^((?!.*\bcgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory\b).*)$'
     line: '\1 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory'
   notify: reboot

roles/reset/tasks/main.yml

@@ -3,7 +3,7 @@
   systemd:
     name: "{{ item }}"
     state: stopped
-    enabled: no
+    enabled: false
   failed_when: false
   with_items:
     - k3s
@@ -46,9 +46,20 @@
     - /var/lib/rancher/
     - /var/lib/cni/
 
+- name: Remove K3s http_proxy files
+  file:
+    name: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ systemd_dir }}/k3s.service.d/http_proxy.conf"
+    - "{{ systemd_dir }}/k3s.service.d"
+    - "{{ systemd_dir }}/k3s-node.service.d/http_proxy.conf"
+    - "{{ systemd_dir }}/k3s-node.service.d"
+  when: proxy_env is defined
+
 - name: Reload daemon_reload
   systemd:
-    daemon_reload: yes
+    daemon_reload: true
 
 - name: Remove tmp directory used for manifests
   file:
@@ -67,18 +78,18 @@
     content: "{{ lookup('template', 'templates/rc.local.j2') }}"
     create: false
     state: absent
-  when: proxmox_lxc_configure and rclocal.stat.exists
+  when: proxmox_lxc_configure and rcfile.stat.exists
 
 - name: Check rc.local for cleanup
   become: true
   slurp:
     src: /etc/rc.local
   register: rcslurp
-  when: proxmox_lxc_configure and rclocal.stat.exists
+  when: proxmox_lxc_configure and rcfile.stat.exists
 
 - name: Cleanup rc.local if we only have a Shebang line
   become: true
   file:
     path: /etc/rc.local
     state: absent
-  when: proxmox_lxc_configure and rclocal.stat.exists and ((rcslurp.content | b64decode).splitlines() | length) <= 1
+  when: proxmox_lxc_configure and rcfile.stat.exists and ((rcslurp.content | b64decode).splitlines() | length) <= 1

roles/reset/tasks/umount_with_children.yml

@@ -9,7 +9,7 @@
   check_mode: false
 
 - name: Umount filesystem
-  mount:
+  ansible.posix.mount:
     path: "{{ item }}"
     state: unmounted
   with_items:

roles/reset_proxmox_lxc/handlers/main.yml

@@ -1,5 +0,0 @@
----
-- name: reboot containers
-  command:
-    "pct reboot {{ item }}"
-  loop: "{{ proxmox_lxc_filtered_ids }}"

roles/reset_proxmox_lxc/handlers/main.yml

@@ -0,0 +1 @@
+../../proxmox_lxc/handlers/main.yml

roles/reset_proxmox_lxc/tasks/main.yml

@@ -1,21 +1,15 @@
 ---
-- name: check for container files that exist on this host
+- name: Check for container files that exist on this host
   stat:
     path: "/etc/pve/lxc/{{ item }}.conf"
   loop: "{{ proxmox_lxc_ct_ids }}"
   register: stat_results
 
-- name: filter out files that do not exist
+- name: Filter out files that do not exist
   set_fact:
     proxmox_lxc_filtered_files:
       '{{ stat_results.results | rejectattr("stat.exists", "false") | map(attribute="stat.path") }}'
 
-# used for the reboot handler
-- name: get container ids from filtered files
-  set_fact:
-    proxmox_lxc_filtered_ids:
-      '{{ proxmox_lxc_filtered_files | map("split", "/") | map("last") | map("split", ".") | map("first") }}'
-
 - name: Remove LXC apparmor profile
   lineinfile:
     dest: "{{ item }}"

site.yml

@@ -1,15 +1,17 @@
 ---
-
+- name: Prepare Proxmox cluster
-- hosts: proxmox
+  hosts: proxmox
   gather_facts: true
-  become: yes
+  become: true
-  remote_user: "{{ proxmox_lxc_ssh_user }}"
+  environment: "{{ proxy_env | default({}) }}"
   roles:
     - role: proxmox_lxc
       when: proxmox_lxc_configure
 
-- hosts: k3s_cluster
+- name: Prepare k3s nodes
-  gather_facts: yes
+  hosts: k3s_cluster
+  gather_facts: true
+  environment: "{{ proxy_env | default({}) }}"
   roles:
     - role: lxc
       become: true
@@ -20,18 +22,27 @@
       become: true
     - role: raspberrypi
       become: true
+    - role: k3s_custom_registries
+      become: true
+      when: custom_registries
 
-- hosts: master
+- name: Setup k3s servers
+  hosts: master
+  environment: "{{ proxy_env | default({}) }}"
   roles:
-    - role: k3s/master
+    - role: k3s_server
       become: true
 
-- hosts: node
+- name: Setup k3s agents
+  hosts: node
+  environment: "{{ proxy_env | default({}) }}"
   roles:
-    - role: k3s/node
+    - role: k3s_agent
       become: true
 
-- hosts: master
+- name: Configure k3s cluster
+  hosts: master
+  environment: "{{ proxy_env | default({}) }}"
   roles:
-    - role: k3s/post
+    - role: k3s_server_post
       become: true