From b7215f80f2c2957bc05bb4607aa88051e1a05b96 Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Wed, 13 Aug 2025 14:30:55 +0900
Subject: [PATCH] chore: initial commit
---
.gitignore | 3 ++
custom-example.just | 1 +
env/env.local.gomplate | 5 +++
env/justfile | 64 +++++++++++++++++++++++++++++++++
justfile | 10 ++++++
k8s/.gitignore | 1 +
k8s/justfile | 80 ++++++++++++++++++++++++++++++++++++++++++
mise.toml | 8 +++++
8 files changed, 172 insertions(+)
create mode 100644 .gitignore
create mode 100644 custom-example.just
create mode 100644 env/env.local.gomplate
create mode 100644 env/justfile
create mode 100644 justfile
create mode 100644 k8s/.gitignore
create mode 100644 k8s/justfile
create mode 100644 mise.toml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..db6b85a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/.env.local*
+/custom.just
+/custom/
diff --git a/custom-example.just b/custom-example.just
new file mode 100644
index 0000000..f845b04
--- /dev/null
+++ b/custom-example.just
@@ -0,0 +1 @@
+mod custom "custom/justfile"
diff --git a/env/env.local.gomplate b/env/env.local.gomplate
new file mode 100644
index 0000000..d88a62c
--- /dev/null
+++ b/env/env.local.gomplate
@@ -0,0 +1,5 @@
+# shellcheck disable=all
+LOCAL_K8S_HOST={{ .Env.LOCAL_K8S_HOST }}
+EXTERNAL_K8S_HOST={{ .Env.EXTERNAL_K8S_HOST }}
+
+KEYCLOAK_HOST={{ .Env.KEYCLOAK_HOST }}
diff --git a/env/justfile b/env/justfile
new file mode 100644
index 0000000..508a849
--- /dev/null
+++ b/env/justfile
@@ -0,0 +1,64 @@
+set fallback
+
+export LOCAL_K8S_HOST := env("LOCAL_K8S_HOST", "")
+export EXTERNAL_K8S_HOST := env("EXTERNAL_K8S_HOST", "")
+export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "")
+
+[private]
+default:
+ @just --list --unsorted --list-submodules
+
+check:
+ #!/bin/bash
+ set -euo pipefail
+ if [ -z "${LOCAL_K8S_HOST}" ]; then
+ echo "LOCAL_K8S_HOST is not set. Please execute 'just env::setup'" >&2
+ exit 1
+ fi
+
+setup:
+ #!/bin/bash
+ set -euo pipefail
+ if [ -f ../.env.local ]; then
+ echo ".env.local already exists." >&2
+ if gum confirm "Do you want to overwrite it?"; then
+ LOCAL_K8S_HOST=""
+ EXTERNAL_K8S_HOST=""
+ KEYCLOAK_HOST=""
+ elif [[ $? -eq 130 ]]; then
+ echo "Setup cancelled by user." >&2
+ exit 1
+ else
+ echo "Aborting setup." >&2
+ exit 1
+ fi
+ fi
+ while [ -z "${LOCAL_K8S_HOST}" ]; do
+ if ! LOCAL_K8S_HOST=$(
+ gum input --prompt="Internal k8s hostname (for SSH): " \
+ --width=100 --placeholder="k8s-host"
+ ); then
+ echo "Setup cancelled." >&2
+ exit 1
+ fi
+ done
+ while [ -z "${EXTERNAL_K8S_HOST}" ]; do
+ if ! EXTERNAL_K8S_HOST=$(
+ gum input --prompt="External k8s hostname (FQDN): " \
+ --width=100 --placeholder="k8s.example.com"
+ ); then
+ echo "Setup cancelled." >&2
+ exit 1
+ fi
+ done
+ while [ -z "${KEYCLOAK_HOST}" ]; do
+ if ! KEYCLOAK_HOST=$(
+ gum input --prompt="Keycloak host: " \
+ --width=100 --placeholder="auth.example.com"
+ ); then
+ echo "Setup cancelled." >&2
+ exit 1
+ fi
+ done
+ rm -f ../.env.local
+ gomplate -f env.local.gomplate -o ../.env.local
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..c82e108
--- /dev/null
+++ b/justfile
@@ -0,0 +1,10 @@
+set dotenv-filename := ".env.local"
+
+[private]
+default:
+ @just --list --unsorted --list-submodules
+
+mod env
+mod k8s
+
+import? "custom.just"
diff --git a/k8s/.gitignore b/k8s/.gitignore
new file mode 100644
index 0000000..f940e0b
--- /dev/null
+++ b/k8s/.gitignore
@@ -0,0 +1 @@
+kubeconfig
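Review bot: In env/justfile, the three `gum input` loops in `setup` accept any non-empty string, and that value is then written unquoted into `.env.local` by env/env.local.gomplate and later used by k8s/justfile as an ssh target and inside URLs. A hostname check at the end of each loop body, for example `[[ "${LOCAL_K8S_HOST}" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || LOCAL_K8S_HOST=""`, would reject whitespace, `#` and a leading `-` at the point of entry and simply re-prompt; widen the pattern if ssh aliases with other characters are expected. Separately, `rm -f ../.env.local` runs before `gomplate`, so a failed render leaves no file at all; rendering to a temporary file in the same directory and moving it over `../.env.local` would keep the previous one intact.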
diff --git a/k8s/justfile b/k8s/justfile
new file mode 100644
index 0000000..14ad4f7
--- /dev/null
+++ b/k8s/justfile
@@ -0,0 +1,80 @@
+set fallback := true
+
+export LOCAL_K8S_HOST := env("LOCAL_K8S_HOST", "")
+export EXTERNAL_K8S_HOST := env("EXTERNAL_K8S_HOST", "")
+export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "")
+export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "k8shl")
+
+[private]
+default:
+ @just --list --unsorted --list-submodules
+
+# Install k3s cluster
+install:
+ #!/bin/bash
+ set -euo pipefail
+ just env::check
+ username=$(gum input --prompt="SSH username: " --value="${USER}" --width=100)
+ kubeconfig=""
+ context=""
+ if gum confirm "Update KUBECONFIG?"; then
+ kubeconfig=$(
+ gum input --prompt="KUBECONFIG file: " --value="${HOME}/.kube/config" --width=100
+ )
+ context=$(
+ gum input --prompt="Context name: " --value="${LOCAL_K8S_HOST}" --width=100
+ )
+ fi
+ args=(
+ "install"
+ "--host" "${LOCAL_K8S_HOST}"
+ "--tls-san" "${EXTERNAL_K8S_HOST}"
+ "--user" "${username}"
+ )
+ if [ -n "${context}" ]; then
+ args+=("--context" "${context}")
+ fi
+
+ if [ -n "${kubeconfig}" ]; then
+ mkdir -p "$(dirname "${kubeconfig}")"
+ args+=("--local-path" "${kubeconfig}" "--merge")
+ fi
+ echo "Running: k3sup ${args[*]}"
+ k3sup "${args[@]}"
+ echo "k3s cluster installed on ${LOCAL_K8S_HOST}."
+
+# Uninstall k3s cluster
+uninstall:
+ #!/bin/bash
+ set -euo pipefail
+ if gum confirm "Uninstall k3s from ${LOCAL_K8S_HOST}?"; then
+ ssh "${LOCAL_K8S_HOST}" "/usr/local/bin/k3s-uninstall.sh"
+ else
+ echo "Uninstallation cancelled." >&2
+ exit 1
+ fi
+
+# Setup k8s OIDC authentication (proxy-url example: socks5://localhost:6443)
+setup-oidc proxy-url='':
+ #!/bin/bash
+ set -euo pipefail
+ kubectl config set-credentials ${LOCAL_K8S_HOST}-oidc \
+ --exec-api-version=client.authentication.k8s.io/v1beta1 \
+ --exec-command=kubectl \
+ --exec-arg=oidc-login \
+ --exec-arg=get-token \
+ --exec-arg=--oidc-issuer-url=https://${KEYCLOAK_HOST}/realms/${KEYCLOAK_REALM} \
+ --exec-arg=--oidc-client-id=${K8S_OIDC_CLIENT_ID}
+ ssh ${LOCAL_K8S_HOST} \
+ 'openssl s_client -connect 127.0.0.1:6443 -showcerts /dev/null |
+ openssl x509 -outform PEM' > ${HOME}/.kube/${LOCAL_K8S_HOST}.crt
+ kubectl config set-cluster ${LOCAL_K8S_HOST}-oidc \
+ --certificate-authority=${HOME}/.kube/${LOCAL_K8S_HOST}.crt \
+ --server=https://${EXTERNAL_K8S_HOST}
+ if [ -n "{{ proxy-url }}" ]; then
+ kubectl config set-cluster ${LOCAL_K8S_HOST}-oidc --proxy-url={{ proxy-url }} \
+ --server=https://${EXTERNAL_K8S_HOST}
+ fi
+ kubectl config set-context ${LOCAL_K8S_HOST}-oidc \
+ --cluster=${LOCAL_K8S_HOST}-oidc --user=${LOCAL_K8S_HOST}-oidc
+ kubectl config use-context ${LOCAL_K8S_HOST}-oidc
diff --git a/mise.toml b/mise.toml
new file mode 100644
index 0000000..1f2aa76
--- /dev/null
+++ b/mise.toml
@@ -0,0 +1,8 @@
+[tools]
+gomplate = "4.3.3"
+gum = "0.16.2"
+helm = "3.17.4"
+just = "1.42.4"
+k3sup = "0.13.10"
+kubelogin = "1.34.0"
+vault = "1.20.2"
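Review bot: In k8s/justfile, `setup-oidc` substitutes `{{ proxy-url }}` into the script text before bash parses it and leaves every `${LOCAL_K8S_HOST}`, `${EXTERNAL_K8S_HOST}` and `${HOME}` expansion unquoted, so quotes, spaces or a leading `-` in any of those values alter the commands that run instead of being passed as data. `${K8S_OIDC_CLIENT_ID}` is neither exported with a default in this file nor written by env/env.local.gomplate, so under `set -u` the recipe stops with an unbound-variable error unless the caller happens to have it in the environment. The recipe also skips the `just env::check` that `install` runs, and `uninstall` has the same gap, so an empty `LOCAL_K8S_HOST` reaches `ssh`. The file passed as `--certificate-authority` is whatever `openssl x509` emits from the handshake, presumably the serving certificate rather than the cluster CA, and the redirect creates it even when the remote pipeline fails; worth confirming it survives a certificate rotation. A suggested shape for the guards and the proxy branch follows, with the remaining expansions double-quoted.

```just
setup-oidc proxy-url='':
    #!/bin/bash
    set -euo pipefail
    just env::check
    : "${K8S_OIDC_CLIENT_ID:?K8S_OIDC_CLIENT_ID is not set}"
    # quote() hands the recipe argument to bash as a single literal word
    proxy_url={{ quote(proxy-url) }}
    # … unchanged: set-credentials, certificate fetch, set-cluster (expansions double-quoted) …
    if [ -n "${proxy_url}" ]; then
        kubectl config set-cluster "${LOCAL_K8S_HOST}-oidc" "--proxy-url=${proxy_url}" \
            "--server=https://${EXTERNAL_K8S_HOST}"
    fi
    # … unchanged: set-context, use-context …
```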