init

2019-05-22 13:37:13 +02:00 · 2019-05-22 13:37:13 +02:00 · f4d635c335
parent 1b788dbe37
commit f4d635c335
7 changed files with 208 additions and 0 deletions
--- a/setup/README.md
+++ b/setup/README.md
@ -0,0 +1,10 @@
+* adapt IPs in inventory.yaml
+
+* add host keys `./trust-hosts.sh`
+
+* change wg encryption keys in host\_vars: `./generate-keys.sh`
+    * requires wireguard-tools, yq
+
+* run play for the first time `ansible-playbook -i inventory.yaml -u root -t initial setup.yaml` - this will upgrade all packages and reboot the system
+
+* run play again, without the tag
--- a/setup/inventory.yaml
+++ b/setup/inventory.yaml
@ -0,0 +1,12 @@
+[master]
+cluster-master01 ansible_ssh_host=212.47.246.128
+#cluster-master02 ansible_ssh_host=
+#cluster-master03 ansible_ssh_host=
+
+[worker]
+cluster-worker01 ansible_ssh_host=51.15.238.164
+cluster-worker02 ansible_ssh_host=51.158.115.24
+cluster-worker03 ansible_ssh_host=51.158.108.159
+#cluster-worker04 ansible_ssh_host=
+#cluster-worker05 ansible_ssh_host=
+#cluster-worker06 ansible_ssh_host=
--- a/setup/setup.yml
+++ b/setup/setup.yml
@ -0,0 +1,122 @@
+---
+- hosts: all
+  tasks:
+    - name: deactivate swap
+      command: swapoff -a
+      when:
+        - ansible_swaptotal_mb != 0
+      notify: disable swap
+    - name: upgrade all the packages
+      apt:
+        name: '*'
+        state: latest
+        update_cache: yes
+      tags: ['initial', 'never']
+    - name: install deps
+      apt:
+        name: ['aptitude', 'sudo', 'nfs-common', 'apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common']
+        state: present
+    - name: import docker gpg key
+      apt_key:
+        url: "https://download.docker.com/linux/debian/gpg"
+        state: present
+    - name: add docker repository
+      apt_repository:
+        repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable"
+        state: present
+    - name: install docker
+      apt:
+        update_cache: yes
+        name: ['docker-ce', 'python-pip', 'python-setuptools']
+        state: present
+    - name: enable & start docker
+      systemd:
+        name: docker
+        enabled: yes
+        state: started
+    - name: install wireguard repo
+      apt_repository:
+        repo: "deb http://deb.debian.org/debian/ unstable main"
+        state: present
+    - name: pin unstables
+      blockinfile:
+        path: /etc/apt/preferences.d/limit-unstable
+        create: yes
+        block: |
+          Package: *
+          Pin: release a=unstable
+          Pin-Priority: 90
+    - name: install wireguard
+      apt:
+        update_cache: yes
+        name: wireguard
+        state: present
+    #- name: generate wireguard keys
+    #  shell: wg genkey | tee wg-private.key | wg pubkey > wg-public.key
+    #  args:
+    #    creates: wg-private.key
+    - name: configure wireguard interface
+      template:
+        src: templates/wireguard.cfg
+        dest: /etc/network/interfaces.d/wireguard.cfg
+      notify: restart wireguard
+    - name: configure wireguard connections
+      template:
+        src: templates/wg-k8s.conf
+        dest: /etc/wireguard/wg-k8s.conf
+      notify: restart wireguard
+
+    - name: install k8s apt key
+      apt_key:
+        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+        state: present
+    - name: add k8s repository
+      apt_repository:
+        repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
+        state: present
+    - name: install k8s
+      apt:
+        update_cache: yes
+        name: ["kubelet", "kubeadm", "kubectl"]
+        state: present
+    #- name: init kubeadm
+    #  command: kubeadm init --apiserver-advertise-address 10.42.23.11 --pod-network-cidr=10.244.0.0/16 > kubeadm.log
+    #  args:
+    #    creates: kubeadm.log
+      #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
+      #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
+    - name: restart system
+      command: reboot
+      tags: ['initial', 'never']
+
+  handlers:
+    - name: disable swap
+      lineinfile:
+        path: /etc/fstab
+        regexp: '.*swap.*'
+        state: absent
+    - name: restart wireguard
+      shell: ifdown wg-k8s; ifup wg-k8s
+
+- hosts: master
+  tasks:
+    - name: install haproxy
+      apt:
+        name: haproxy
+        state: present
+      notify: restart haproxy
+    - name: copy haproxy template
+      template:
+        src: templates/haproxy.cfg
+        dest: /etc/haproxy/haproxy.cfg
+      notify: restart haproxy
+    - name: enable haproxy service
+      service:
+        name: haproxy
+        enabled: true
+      notify: restart haproxy
+  handlers:
+    - name: restart haproxy
+      service:
+        name: haproxy
+        state: restarted
--- a/setup/templates/haproxy.cfg
+++ b/setup/templates/haproxy.cfg
@ -0,0 +1,29 @@
+global
+  daemon
+  maxconn 256
+
+defaults
+  mode http
+  timeout connect 5000ms
+  timeout client 50000ms
+  timeout server 50000ms
+
+listen http-in
+  bind *:80
+  {% for host in groups['worker'] %}
+  server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32
+  {% endfor %}
+
+listen https-in
+  bind *:443
+  mode tcp
+  option tcplog
+  timeout client  1m
+  option log-health-checks
+  option redispatch
+  log global
+  timeout connect 10s
+  timeout server 1m   
+  {% for host in groups['worker'] %}
+  server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30143 check
+  {% endfor %}
--- a/setup/templates/wg-k8s.conf
+++ b/setup/templates/wg-k8s.conf
@ -0,0 +1,24 @@
+[Interface]
+PrivateKey = {{ wg_secret_key }}
+ListenPort = 51820
+
+[Peer]
+Endpoint = {{ hostvars['cluster-master'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-master'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-master'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker01'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker01'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker01'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker02'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker02'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker02'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker03'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker03'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker03'].wg_ip }}/32
+
--- a/setup/templates/wireguard.cfg
+++ b/setup/templates/wireguard.cfg
@ -0,0 +1,7 @@
+auto wg-k8s
+iface wg-k8s inet static
+        address {{ wg_ip }}
+        netmask 255.255.255.0
+        pre-up ip link add $IFACE type wireguard
+        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+        post-down ip link del $IFACE
--- a/setup/trust-hosts.sh
+++ b/setup/trust-hosts.sh
@ -0,0 +1,4 @@
+for i in $(cat inventory.yaml | grep ssh | cut -d= -f2)
+  do
+	  ssh-keyscan $i >> ~/.ssh/known_hosts
+  done