Initial commit

ansible/playbooks/templates/config-example.yaml

@@ -0,0 +1,34 @@
+# K3s server configuration
+# Enable secrets encryption at rest
+secrets-encryption: true
+
+# Node configuration - force k3s to use the physical NIC IP
+# instead of auto-detecting interfaces like mac-shim
+node-ip: "{{ ansible_host }}"
+advertise-address: "{{ ansible_host }}"
+bind-address: "{{ ansible_host }}"
+{% if k3s_node_iface is defined and k3s_node_iface | length > 0 %}
+flannel-iface: "{{ k3s_node_iface }}"
+{% endif %}
+
+# TLS configuration - add SANs for API server certificate
+# This ensures the certificate is valid for these names/IPs
+tls-san:
+  - "{{ k3s_first_server_ip }}"
+  - "{{ k3s_first_server_hostname }}"
+  - kubernetes.default.svc
+  - kubernetes.default.svc.cluster.local
+
+# Additional kube-apiserver arguments for TLS hardening
+kube-apiserver-arg:
+  - "tls-min-version=VersionTLS12"
+  - "tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+
+# Additional kubelet arguments for TLS
+kubelet-arg:
+  - "tls-min-version=VersionTLS12"
+
+# Disable unnecessary components (optional - adjust as needed)
+# disable:
+#   - traefik
+#   - servicelb