feat: universe

.envrc

@@ -0,0 +1,28 @@
+SECRETS_DIR="${SECRETS_DIR:-$(expand_path ../infra-secrets)}"
+
+use_sops() {
+  local path="$1"
+  local type="${2:-dotenv}"
+  if [ -f "$path" ]; then
+    local decrypted
+    decrypted=$(sops -d --input-type "$type" --output-type "$type" "$path" 2>&1) || {
+      log_error "sops decrypt failed for $path"
+      return
+    }
+    eval "$(echo "$decrypted" | direnv dotenv bash /dev/stdin)"
+    watch_file "$path"
+  fi
+}
+
+if [ -d "$SECRETS_DIR" ]; then
+  use_sops "$SECRETS_DIR/global/.env.enc"
+else
+  log_error "infra-secrets repo not found at $SECRETS_DIR"
+  log_error "Clone it: git clone [email protected]:freeCodeCamp/infra-secrets.git ../infra-secrets"
+fi
+
+dotenv_if_exists .env
+
+if [ -d ansible/.venv ]; then
+  PATH_add ansible/.venv/bin
+fi

.github/workflows/k8s--validate.yml

@@ -0,0 +1,35 @@
+name: K8s -- Manifest Validation
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: K8s -- Manifest Validation
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install just
+        run: |
+          curl --proto '=https' --tlsv1.2 -sSf https://just.systems/install.sh | bash -s -- --to /usr/local/bin
+          just --version
+
+      - name: Install kubeconform
+        run: |
+          curl -sL https://github.com/yannh/kubeconform/releases/download/v0.7.0/kubeconform-linux-amd64.tar.gz | tar xz -C /usr/local/bin
+          kubeconform -v
+
+      - name: Validate K8s manifests
+        run: just k8s-validate 1.32.0

.gitignore

@@ -36,7 +36,7 @@ terraform.rc
 .vscode/
 
 # Ignore User-specific temporary files
-__scratchpad__/
+.scratchpad
 
 # Ignore generated files
 manifest.json
@@ -48,7 +48,6 @@ ansible/inventory/hosts
 # Secrets
 *.env
 *.env.*
-.envrc
 
 .kubeconfig.yaml
 *.crt
@@ -61,3 +60,7 @@ secrets.overrides.yaml
 o11y/defaults/
 
 .beads-credential-key
+
+# Beads / Dolt files (added by bd init)
+.dolt/
+*.db

ansible/ansible.cfg

@@ -8,6 +8,8 @@ inventory = ./inventory
 home = ./.ansible
 collections_path = ./.ansible/collections:./roles
 roles_path = ./.ansible/roles:./roles
+# Secrets managed via sops+age in the infra-secrets private repo
+# Env vars loaded via direnv; vault vars via community.sops collection when needed
 
 [inventory]
 enable_plugins = yaml, ini, toml, community.general.linode, community.digitalocean.digitalocean

ansible/inventory/digitalocean.yml

@@ -2,6 +2,7 @@
 plugin: community.digitalocean.digitalocean
 api_token: "{{ lookup('ansible.builtin.env', 'DO_API_TOKEN') }}"
 attributes:
+  - id
   - name
   - tags
   - networks

ansible/inventory/group_vars/gxy_mgmt_k3s.yml

@@ -0,0 +1,42 @@
+---
+# gxy-management galaxy configuration
+# Applied automatically when targeting the gxy_mgmt_k3s inventory group
+#
+# To add a new galaxy: create a new file matching the DO inventory tag.
+
+galaxy_name: gxy-management
+k3s_version: v1.34.5+k3s1
+cilium_cluster_id: 1
+
+# k3s config.yaml — written to /etc/rancher/k3s/config.yaml by the role
+# Keys are hyphenated, matching CLI flags. Docs:
+#   https://docs.k3s.io/installation/configuration
+#   https://docs.k3s.io/security/hardening-guide
+#
+# Do NOT add tls-san, token, cluster-init, or server here —
+# those are managed by the k3s-ansible role via extra_server_args.
+server_config_yaml: |
+  flannel-backend: "none"
+  disable-network-policy: true
+  # kube-proxy replacement disabled — breaks etcd on k3s HA (see field-notes Failure 7)
+  # Cilium still provides CNI + network policies + Hubble without it
+  # Revisit on bare metal where performance matters
+  disable-kube-proxy: false
+  cluster-cidr: "10.1.0.0/16"
+  service-cidr: "10.11.0.0/16"
+  protect-kernel-defaults: true
+  secrets-encryption: true
+  kube-apiserver-arg:
+    - "admission-control-config-file=/etc/rancher/k3s/pss-admission.yaml"
+    - "audit-log-path=/var/log/k3s/audit.log"
+    - "audit-policy-file=/etc/rancher/k3s/audit-policy.yaml"
+    - "audit-log-maxage=30"
+    - "audit-log-maxbackup=10"
+    - "audit-log-maxsize=100"
+  etcd-s3: true
+  etcd-s3-endpoint: "fra1.digitaloceanspaces.com"
+  etcd-s3-bucket: "net.freecodecamp.universe-backups"
+  etcd-s3-folder: "etcd/gxy-management"
+  etcd-s3-region: "fra1"
+  etcd-snapshot-schedule-cron: "0 */6 * * *"
+  etcd-snapshot-retention: 20