Initial commit: Turbo Mothership bare metal management cluster

- k0s bootstrap with Cilium and OpenEBS
- ArgoCD apps for infra, CAPI, Tinkerbell, and Netris
- Ansible playbooks for virtual baremetal lab and Netris switches
- CAPI provider manifests for k0smotron and Tinkerbell

ansible/virtual-bm/br-mgmt-nat.yml

@@ -0,0 +1,120 @@
+---
+- name: Configure br-mgmt bridge for libvirt and Tinkerbell
+  hosts: local
+  become: true
+  gather_facts: false
+
+  vars:
+    br_mgmt_name: br-mgmt
+    br_mgmt_ip: 172.16.81.254
+    br_mgmt_cidr: 24
+    br_mgmt_netmask: 255.255.255.0
+
+  tasks:
+    - name: Ensure bridge-utils is installed
+      ansible.builtin.apt:
+        name: bridge-utils
+        state: present
+        update_cache: false
+
+    - name: Create bridge interface configuration file
+      ansible.builtin.copy:
+        dest: /etc/network/interfaces.d/br-mgmt
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          # Management bridge for libvirt VMs and Tinkerbell
+          # This bridge provides the 172.16.81.0/24 network for bare metal provisioning
+
+          auto {{ br_mgmt_name }}
+          iface {{ br_mgmt_name }} inet static
+              address {{ br_mgmt_ip }}
+              netmask {{ br_mgmt_netmask }}
+              bridge_ports none
+              bridge_stp off
+              bridge_fd 0
+              bridge_maxwait 0
+
+    - name: Check if bridge already exists
+      ansible.builtin.command: ip link show {{ br_mgmt_name }}
+      register: bridge_exists
+      changed_when: false
+      failed_when: false
+
+    - name: Create bridge interface
+      ansible.builtin.command: ip link add name {{ br_mgmt_name }} type bridge
+      when: bridge_exists.rc != 0
+
+    - name: Set bridge interface up
+      ansible.builtin.command: ip link set {{ br_mgmt_name }} up
+      when: bridge_exists.rc != 0
+
+    - name: Check current IP on bridge
+      ansible.builtin.shell: ip addr show {{ br_mgmt_name }} | grep -q '{{ br_mgmt_ip }}'
+      register: ip_configured
+      changed_when: false
+      failed_when: false
+
+    - name: Assign IP address to bridge
+      ansible.builtin.command: ip addr add {{ br_mgmt_ip }}/{{ br_mgmt_cidr }} dev {{ br_mgmt_name }}
+      when: ip_configured.rc != 0
+
+    - name: Enable IP forwarding
+      ansible.posix.sysctl:
+        name: net.ipv4.ip_forward
+        value: "1"
+        sysctl_set: true
+        state: present
+        reload: true
+
+    - name: Install iptables-persistent
+      ansible.builtin.apt:
+        name: iptables-persistent
+        state: present
+        update_cache: false
+      environment:
+        DEBIAN_FRONTEND: noninteractive
+
+    - name: Configure NAT masquerade for br-mgmt network
+      ansible.builtin.iptables:
+        table: nat
+        chain: POSTROUTING
+        source: 172.16.81.0/24
+        out_interface: enp41s0
+        jump: MASQUERADE
+        comment: "NAT for br-mgmt network"
+
+    - name: Allow forwarding from br-mgmt to external
+      ansible.builtin.iptables:
+        chain: FORWARD
+        in_interface: "{{ br_mgmt_name }}"
+        out_interface: enp41s0
+        jump: ACCEPT
+        comment: "Forward br-mgmt to internet"
+
+    - name: Allow forwarding return traffic to br-mgmt
+      ansible.builtin.iptables:
+        chain: FORWARD
+        in_interface: enp41s0
+        out_interface: "{{ br_mgmt_name }}"
+        ctstate: ESTABLISHED,RELATED
+        jump: ACCEPT
+        comment: "Return traffic to br-mgmt"
+
+    - name: Save iptables rules
+      ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
+
+    - name: Display bridge status
+      ansible.builtin.shell: |
+        echo "=== Bridge Status ==="
+        ip addr show {{ br_mgmt_name }}
+        echo ""
+        echo "=== Bridge Details ==="
+        brctl show {{ br_mgmt_name }}
+      register: bridge_status
+      changed_when: false
+
+    - name: Show bridge status
+      ansible.builtin.debug:
+        var: bridge_status.stdout_lines