my-homelab-configs/lab.sh

#!/usr/bin/env bash
set -euo pipefail

REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
BUILDX_CONFIG="/tmp/buildx-config.toml"
KUBECONFIG_PATH="${KUBECONFIG_PATH:-${TF_VAR_kubeconfig_path:-/home/jv/.kube/config}}"

trap 'rm -f "${BUILDX_CONFIG}"' EXIT

run_tofu_stack() {
    local stack="$1"

    tofu -chdir="${REPO_ROOT}/${stack}" init
    tofu -chdir="${REPO_ROOT}/${stack}" apply -auto-approve
}

cleanup_calico_links() {
    ip link show | awk -F: '/^[0-9]+: cali/ {print $2}' | cut -d@ -f1 | xargs -r -n1 sudo ip link delete 2>/dev/null || true
    sudo ip link delete vxlan.calico 2>/dev/null || true
    sudo ip link delete tunl0 2>/dev/null || true
    sudo ip link delete cni0 2>/dev/null || true
    sudo ip link delete kube-ipvs0 2>/dev/null || true
    ip netns list | awk '/^(cni-|calico)/ {print $1}' | xargs -r -n1 sudo ip netns delete 2>/dev/null || true
}

cleanup_iptables() {
    sudo iptables -F || true
    sudo iptables -X || true
    sudo iptables -t nat -F || true
    sudo iptables -t nat -X || true
    sudo iptables -t mangle -F || true
    sudo iptables -t mangle -X || true
    sudo iptables -t raw -F || true
    sudo iptables -t raw -X || true
    if command -v ipvsadm >/dev/null 2>&1; then
        sudo ipvsadm --clear || true
    fi
}

restore_node_dns() {
    sudo rm -f /etc/systemd/resolved.conf.d/homelab-k8s.conf
    if sudo test -e /etc/resolv.conf.homelab-k8s-backup; then
        sudo rm -f /etc/resolv.conf
        sudo mv /etc/resolv.conf.homelab-k8s-backup /etc/resolv.conf
    fi
    sudo systemctl restart systemd-resolved 2>/dev/null || true
}

cleanup_mounts() {
    if command -v findmnt >/dev/null 2>&1; then
        while IFS= read -r mountpoint; do
            sudo umount -f "${mountpoint}" 2>/dev/null || sudo umount -l "${mountpoint}" 2>/dev/null || true
        done < <(findmnt -Rno TARGET /var/lib/kubelet /var/lib/containerd 2>/dev/null | sort -r)
    fi
    while IFS= read -r mountpoint; do
        sudo umount -f "${mountpoint}" 2>/dev/null || sudo umount -l "${mountpoint}" 2>/dev/null || true
    done < <(find /var/lib/kubelet/pods -mindepth 2 -maxdepth 5 -type d 2>/dev/null || true)
    sudo umount -f /var/lib/containerd/srun/* 2>/dev/null || sudo umount -l /var/lib/containerd/srun/* 2>/dev/null || true
}

cleanup_node() {
    sudo kubeadm reset --force || true
    sudo systemctl stop kubelet 2>/dev/null || true
    sudo systemctl stop containerd 2>/dev/null || true
    sudo killall containerd-shim-runc-v2 2>/dev/null || true

    cleanup_mounts

    sudo rm -rf \
        /etc/kubernetes/ \
        /var/lib/etcd/ \
        /var/lib/kubelet/ \
        /var/lib/cni/ \
        /etc/cni/net.d \
        /run/flannel \
        /run/calico \
        /var/run/calico \
        /var/lib/calico \
        /var/log/calico \
        /var/lib/containerd/* \
        /run/containerd/* \
        /etc/containerd/certs.d \
        /etc/containerd/config.toml
    sudo rm -f /opt/cni/bin/calico /opt/cni/bin/calico-ipam

    cleanup_iptables
    cleanup_calico_links
    restore_node_dns

    sudo mkdir -p /etc/containerd/certs.d
    sudo systemctl reset-failed kubelet containerd 2>/dev/null || true
    sudo systemctl start containerd 2>/dev/null || true
}

website_registry_endpoint() {
    local image

    image="$(awk '$1 == "image:" && $2 ~ /php-website/ {print $2; exit}' "${REPO_ROOT}/apps/website/web-app.yaml")"
    if [[ -z "${image}" || "${image}" != */* ]]; then
        echo "Could not determine website registry endpoint from apps/website/web-app.yaml" >&2
        exit 1
    fi

    printf '%s\n' "${image%%/*}"
}

up() {
    local registry_endpoint

    registry_endpoint="$(website_registry_endpoint)"
    export TF_VAR_registry_endpoint="${TF_VAR_registry_endpoint:-${registry_endpoint}}"
    export TF_VAR_kubeconfig_path="${TF_VAR_kubeconfig_path:-${KUBECONFIG_PATH}}"
    export KUBECONFIG="${TF_VAR_kubeconfig_path}"

    if [[ "${TF_VAR_registry_endpoint}" != "${registry_endpoint}" ]]; then
        echo "TF_VAR_registry_endpoint must match apps/website/web-app.yaml (${registry_endpoint})" >&2
        exit 1
    fi

    echo "Deploying the homelab infrastructure..."

    docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

    cat <<EOF > "${BUILDX_CONFIG}"
[registry."${registry_endpoint}"]
  http = true
  insecure = true
[registry."127.0.0.1:30500"]
  http = true
  insecure = true
[registry."localhost:30500"]
  http = true
  insecure = true
EOF

    docker buildx rm lab-builder 2>/dev/null || true
    docker buildx create --name lab-builder --driver docker-container --driver-opt network=host --config "${BUILDX_CONFIG}" --use
    docker buildx inspect --bootstrap

    run_tofu_stack "bootstrap/cluster"
    run_tofu_stack "bootstrap/platform"
    run_tofu_stack "bootstrap/apps"

    kubectl --kubeconfig "${KUBECONFIG}" -n container-registry rollout status deployment/local-registry --timeout=300s

    docker buildx build \
        --network host \
        --platform linux/amd64,linux/arm64 \
        -t "${registry_endpoint}/php-website:latest" \
        -f "${REPO_ROOT}/apps/website/Dockerfile" \
        "${REPO_ROOT}/apps/website/" \
        --push

    kubectl --kubeconfig "${KUBECONFIG}" patch application website-production -n argocd --type merge -p '{"metadata":{"annotations":{"argocd.argoproj.io/refresh":"sync"}}}'

    echo "Deployment successfully completed."
}

nuke() {
    local worker_ssh_targets
    local worker_targets
    local target

    echo "Brutally nuking the homelab infrastructure..."
    worker_ssh_targets="${WORKER_SSH_TARGETS-jv@192.168.100.89}"
    read -r -a worker_targets <<< "${worker_ssh_targets}"

    echo "--> Terminating local OpenTofu tasks..."
    killall tofu terraform 2>/dev/null || true

    echo "--> Eviscerating local Kubernetes components..."
    cleanup_node
    sudo rm -f "${KUBECONFIG_PATH}"

    for target in "${worker_targets[@]}"; do
        echo "--> Eviscerating remote Kubernetes components (${target})..."
        if ! ssh -o ConnectTimeout=5 "${target}" "bash -s" <<'EOF'
set -euo pipefail

cleanup_calico_links() {
    ip link show | awk -F: '/^[0-9]+: cali/ {print $2}' | cut -d@ -f1 | xargs -r -n1 sudo ip link delete 2>/dev/null || true
    sudo ip link delete vxlan.calico 2>/dev/null || true
    sudo ip link delete tunl0 2>/dev/null || true
    sudo ip link delete cni0 2>/dev/null || true
    sudo ip link delete kube-ipvs0 2>/dev/null || true
    ip netns list | awk '/^(cni-|calico)/ {print $1}' | xargs -r -n1 sudo ip netns delete 2>/dev/null || true
}

cleanup_iptables() {
    sudo iptables -F || true
    sudo iptables -X || true
    sudo iptables -t nat -F || true
    sudo iptables -t nat -X || true
    sudo iptables -t mangle -F || true
    sudo iptables -t mangle -X || true
    sudo iptables -t raw -F || true
    sudo iptables -t raw -X || true
    if command -v ipvsadm >/dev/null 2>&1; then
        sudo ipvsadm --clear || true
    fi
}

restore_node_dns() {
    sudo rm -f /etc/systemd/resolved.conf.d/homelab-k8s.conf
    if sudo test -e /etc/resolv.conf.homelab-k8s-backup; then
        sudo rm -f /etc/resolv.conf
        sudo mv /etc/resolv.conf.homelab-k8s-backup /etc/resolv.conf
    fi
    sudo systemctl restart systemd-resolved 2>/dev/null || true
}

cleanup_mounts() {
    if command -v findmnt >/dev/null 2>&1; then
        while IFS= read -r mountpoint; do
            sudo umount -f "${mountpoint}" 2>/dev/null || sudo umount -l "${mountpoint}" 2>/dev/null || true
        done < <(findmnt -Rno TARGET /var/lib/kubelet /var/lib/containerd 2>/dev/null | sort -r)
    fi
    while IFS= read -r mountpoint; do
        sudo umount -f "${mountpoint}" 2>/dev/null || sudo umount -l "${mountpoint}" 2>/dev/null || true
    done < <(find /var/lib/kubelet/pods -mindepth 2 -maxdepth 5 -type d 2>/dev/null || true)
    sudo umount -f /var/lib/containerd/srun/* 2>/dev/null || sudo umount -l /var/lib/containerd/srun/* 2>/dev/null || true
}

sudo kubeadm reset --force || true
sudo systemctl stop kubelet 2>/dev/null || true
sudo systemctl stop containerd 2>/dev/null || true
sudo killall containerd-shim-runc-v2 2>/dev/null || true

cleanup_mounts

sudo rm -rf \
    /etc/kubernetes/ \
    /var/lib/etcd/ \
    /var/lib/kubelet/ \
    /var/lib/cni/ \
    /etc/cni/net.d \
    /run/flannel \
    /run/calico \
    /var/run/calico \
    /var/lib/calico \
    /var/log/calico \
    /var/lib/containerd/* \
    /run/containerd/* \
    /etc/containerd/certs.d \
    /etc/containerd/config.toml
sudo rm -f /opt/cni/bin/calico /opt/cni/bin/calico-ipam

cleanup_iptables
cleanup_calico_links
restore_node_dns

sudo mkdir -p /etc/containerd/certs.d
sudo systemctl reset-failed kubelet containerd 2>/dev/null || true
sudo systemctl start containerd 2>/dev/null || true
EOF
        then
            echo "Remote cleanup failed for ${target}; not deleting OpenTofu state." >&2
            exit 1
        fi
    done

    docker buildx rm lab-builder 2>/dev/null || true
    docker rm -f buildx_buildkit_lab-builder0 2>/dev/null || true
    rm -f "${BUILDX_CONFIG}" || true

    echo "--> Deleting OpenTofu tracking state files..."
    rm -rf "${REPO_ROOT}"/bootstrap/cluster/terraform.tfstate*
    rm -f "${REPO_ROOT}"/bootstrap/cluster/.terraform.tfstate.lock.info
    rm -rf "${REPO_ROOT}"/bootstrap/cluster/.terraform/
    rm -rf "${REPO_ROOT}"/bootstrap/platform/terraform.tfstate*
    rm -f "${REPO_ROOT}"/bootstrap/platform/.terraform.tfstate.lock.info
    rm -rf "${REPO_ROOT}"/bootstrap/platform/.terraform/
    rm -rf "${REPO_ROOT}"/bootstrap/apps/terraform.tfstate*
    rm -f "${REPO_ROOT}"/bootstrap/apps/.terraform.tfstate.lock.info
    rm -rf "${REPO_ROOT}"/bootstrap/apps/.terraform/

    echo "Destruction complete. Retained data under /var/openebs/local was left intact."
}

case "${1:-}" in
    up)
        up
        ;;
    nuke)
        nuke
        ;;
    *)
        echo "Usage: $0 {up|nuke}"
        exit 1
        ;;
esac