misc: zot registry, k8s OIDC, server configs, sandbox experiments, and notes

- docker-30/zot: add Zot OCI registry with on-demand sync to docker.io, registry.k8s.io, ghcr.io, quay.io - kubernetes-kvm-terraform: wire Kanidm OIDC via structured AuthenticationConfiguration; add reference apiserver manifest and join-node-02 helper - servers: reorganize shadow/ under servers/, add saint vhost config and utility-101 VM definition, add shadow hrajfrisbee.cz vhost and storage-23 notes - experiments: add notes and configs for e2b dev VM, kata + firecracker on kube, microsandbox, orb-stack k3s (terraform + cloud-init), rke2 - vms/docker: document tailscale + node-exporter setup - blog: stub post on Gateway API - chore: gitignore tmp/, smtp_password, and the two local-only credential caches; add per-project .claude/settings.json Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:12:38 +02:00
parent 5ca27a832b
commit 80d0cc1168
34 changed files with 2814 additions and 1 deletions
--- a/experiments/orb-stack/modules/base-template/cloud-init-base.yaml
+++ b/experiments/orb-stack/modules/base-template/cloud-init-base.yaml
@@ -0,0 +1,27 @@
+#cloud-config
+hostname: ${hostname}
+manage_etc_hosts: true
+
+# Kernel modules for container networking
+write_files:
+  - path: /etc/modules-load.d/k8s.conf
+    content: |
+      overlay
+      br_netfilter
+  - path: /etc/sysctl.d/k8s.conf
+    content: |
+      net.bridge.bridge-nf-call-iptables  = 1
+      net.bridge.bridge-nf-call-ip6tables = 1
+      net.ipv4.ip_forward                 = 1
+
+packages:
+  - curl
+  - gpg
+  - apt-transport-https
+
+runcmd:
+  - modprobe overlay
+  - modprobe br_netfilter
+  - sysctl --system
+  - swapoff -a
+  - sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
--- a/experiments/orb-stack/modules/base-template/main.tf
+++ b/experiments/orb-stack/modules/base-template/main.tf
@@ -0,0 +1,74 @@
+terraform {
+  required_providers {
+    orbstack = {
+      source  = "robertdebock/orbstack"
+      version = "~> 3.0"
+    }
+    cloudinit = {
+      source  = "hashicorp/cloudinit"
+      version = "~> 2.0"
+    }
+  }
+}
+
+variable "node_count" {
+  description = "Number of nodes to deploy"
+  type        = number
+  default     = 3
+}
+
+variable "name" {
+  description = "Base name for the machines"
+  type        = string
+}
+
+variable "distro" {
+  description = "OS distribution"
+  type        = string
+  default     = "ubuntu"
+}
+
+variable "distro_version" {
+  description = "OS distribution version/codename"
+  type        = string
+  default     = "noble"
+}
+
+variable "extra_cloud_init_parts" {
+  description = "Additional cloud-init parts to layer on top of the base config"
+  type        = list(object({ content = string, content_type = string }))
+  default     = []
+}
+
+data "cloudinit_config" "this" {
+  count = var.node_count
+
+  part {
+    content_type = "text/cloud-config"
+    content = templatefile("${path.module}/cloud-init-base.yaml", {
+      hostname = "${var.name}-${count.index + 1}"
+    })
+  }
+
+  dynamic "part" {
+    for_each = var.extra_cloud_init_parts
+    content {
+      content_type = part.value.content_type
+      content      = part.value.content
+    }
+  }
+}
+
+resource "orbstack_machine" "this" {
+  count = var.node_count
+
+  name   = "${var.name}-${count.index + 1}"
+  distro = var.distro
+  region = var.distro_version
+
+  user_data = data.cloudinit_config.this[count.index].rendered
+}
+
+output "machines" {
+  value = { for m in orbstack_machine.this : m.name => m.ip_address }
+}
--- a/experiments/orb-stack/stacks/k3s/cloud-init-cp.yaml
+++ b/experiments/orb-stack/stacks/k3s/cloud-init-cp.yaml
@@ -0,0 +1,11 @@
+#cloud-config
+merge_how:
+  - name: list
+    settings: [append]
+  - name: dict
+    settings: [recurse_array]
+
+runcmd:
+  - curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" K3S_TOKEN="${k3s_token}" sh -
+  - until kubectl get nodes; do sleep 2; done
+  - cp /etc/rancher/k3s/k3s.yaml /root/kubeconfig.yaml
--- a/experiments/orb-stack/stacks/k3s/cloud-init-worker.yaml
+++ b/experiments/orb-stack/stacks/k3s/cloud-init-worker.yaml
@@ -0,0 +1,9 @@
+#cloud-config
+merge_how:
+  - name: list
+    settings: [append]
+  - name: dict
+    settings: [recurse_array]
+
+runcmd:
+  - curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_URL="https://${cp_ip}:6443" K3S_TOKEN="${join_token}" sh -
--- a/experiments/orb-stack/stacks/k3s/main.tf
+++ b/experiments/orb-stack/stacks/k3s/main.tf
@@ -0,0 +1,39 @@
+variable "k3s_token" {
+  description = "Shared secret for k3s cluster join (set via TF_VAR or tfvars)"
+  type        = string
+  sensitive   = true
+}
+
+module "control_plane" {
+  source     = "../../modules/base-template"
+  name       = "k3s-cp"
+  node_count = 1
+
+  extra_cloud_init_parts = [{
+    content_type = "text/cloud-config"
+    content = templatefile("${path.module}/cloud-init-cp.yaml", {
+      k3s_token = var.k3s_token
+    })
+  }]
+}
+
+module "workers" {
+  source     = "../../modules/base-template"
+  name       = "k3s-worker"
+  node_count = 2
+
+  extra_cloud_init_parts = [{
+    content_type = "text/cloud-config"
+    content = templatefile("${path.module}/cloud-init-worker.yaml", {
+      cp_ip      = values(module.control_plane.machines)[0]
+      join_token = var.k3s_token
+    })
+  }]
+}
+
+output "cluster" {
+  value = {
+    control_plane = module.control_plane.machines
+    workers       = module.workers.machines
+  }
+}