This commit is contained in:
chris 2019-05-22 13:37:13 +02:00
parent 1b788dbe37
commit f4d635c335
7 changed files with 208 additions and 0 deletions

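--- a/setup/README.md
+++ b/setup/README.md
@@ -0,0 +1,10 @@
+* adapt IPs in inventory.yaml
+* add host keys `./trust-hosts.sh`
+* change wg encryption keys in host\_vars: `./generate-keys.sh`
+* requires wireguard-tools, yq
+* run play for the first time `ansible-playbook -i inventory.yaml -u root -t initial setup.yaml` - this will upgrade all packages and reboot the system
+* run play again, without the tag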

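--- a/setup/inventory.yaml
+++ b/setup/inventory.yaml
@@ -0,0 +1,12 @@
+[master]
+cluster-master01 ansible_ssh_host=212.47.246.128
+#cluster-master02 ansible_ssh_host=
+#cluster-master03 ansible_ssh_host=
+[worker]
+cluster-worker01 ansible_ssh_host=51.15.238.164
+cluster-worker02 ansible_ssh_host=51.158.115.24
+cluster-worker03 ansible_ssh_host=51.158.108.159
+#cluster-worker04 ansible_ssh_host=
+#cluster-worker05 ansible_ssh_host=
+#cluster-worker06 ansible_ssh_host=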
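Review bot: The file is INI inventory syntax (`[master]`, `host key=value` lines) but carries a `.yaml` extension (`setup/inventory.yaml`); as far as I recall Ansible tries the `yaml` inventory plugin before `ini` for that extension and prints a parse warning on every run before the `ini` plugin picks the file up, so renaming it to `inventory.ini` (and updating the README and trust-hosts.sh, which both reference the name) avoids the noise. `ansible_ssh_host` is the pre-2.0 spelling of `ansible_host`; it still works, but the templates in this commit also read `hostvars[host].ansible_ssh_host`, so a rename has to be done in both places at once. The commented-out `cluster-master02`/`cluster-master03` lines suggest a multi-master layout is planned; a one-line comment above `[master]` saying that the wireguard template currently hard-codes the peer list would save the next person a surprise.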

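--- a/setup/setup.yml
+++ b/setup/setup.yml
@@ -0,0 +1,122 @@
+---
+- hosts: all
+tasks:
+- name: deactivate swap
+command: swapoff -a
+when:
+- ansible_swaptotal_mb != 0
+notify: disable swap
+- name: upgrade all the packages
+apt:
+name: '*'
+state: latest
+update_cache: yes
+tags: ['initial', 'never']
+- name: install deps
+apt:
+name: ['aptitude', 'sudo', 'nfs-common', 'apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common']
+state: present
+- name: import docker gpg key
+apt_key:
+url: "https://download.docker.com/linux/debian/gpg"
+state: present
+- name: add docker repository
+apt_repository:
+repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable"
+state: present
+- name: install docker
+apt:
+update_cache: yes
+name: ['docker-ce', 'python-pip', 'python-setuptools']
+state: present
+- name: enable & start docker
+systemd:
+name: docker
+enabled: yes
+state: started
+- name: install wireguard repo
+apt_repository:
+repo: "deb http://deb.debian.org/debian/ unstable main"
+state: present
+- name: pin unstables
+blockinfile:
+path: /etc/apt/preferences.d/limit-unstable
+create: yes
+block: |
+Package: *
+Pin: release a=unstable
+Pin-Priority: 90
+- name: install wireguard
+apt:
+update_cache: yes
+name: wireguard
+state: present
+#- name: generate wireguard keys
+# shell: wg genkey | tee wg-private.key | wg pubkey > wg-public.key
+# args:
+# creates: wg-private.key
+- name: configure wireguard interface
+template:
+src: templates/wireguard.cfg
+dest: /etc/network/interfaces.d/wireguard.cfg
+notify: restart wireguard
+- name: configure wireguard connections
+template:
+src: templates/wg-k8s.conf
+dest: /etc/wireguard/wg-k8s.conf
+notify: restart wireguard
+- name: install k8s apt key
+apt_key:
+url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+state: present
+- name: add k8s repository
+apt_repository:
+repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
+state: present
+- name: install k8s
+apt:
+update_cache: yes
+name: ["kubelet", "kubeadm", "kubectl"]
+state: present
+#- name: init kubeadm
+# command: kubeadm init --apiserver-advertise-address 10.42.23.11 --pod-network-cidr=10.244.0.0/16 > kubeadm.log
+# args:
+# creates: kubeadm.log
+#kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
+#kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
+- name: restart system
+command: reboot
+tags: ['initial', 'never']
+handlers:
+- name: disable swap
+lineinfile:
+path: /etc/fstab
+regexp: '.*swap.*'
+state: absent
+- name: restart wireguard
+shell: ifdown wg-k8s; ifup wg-k8s
+- hosts: master
+tasks:
+- name: install haproxy
+apt:
+name: haproxy
+state: present
+notify: restart haproxy
+- name: copy haproxy template
+template:
+src: templates/haproxy.cfg
+dest: /etc/haproxy/haproxy.cfg
+notify: restart haproxy
+- name: enable haproxy service
+service:
+name: haproxy
+enabled: true
+notify: restart haproxy
+handlers:
+- name: restart haproxy
+service:
+name: haproxy
+state: restarted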
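Review bot: The `configure wireguard connections` task renders the interface's `PrivateKey` into `/etc/wireguard/wg-k8s.conf` but sets no `mode` or `owner`, so the template module creates the file with its default permissions (normally umask-derived, i.e. world-readable) and every local account can read the tunnel's private key; add `mode: '0600'`, `owner: root` and `group: root` to that task. The `pin unstables` block sets `Pin-Priority: 90` for the `unstable` suite added in `install wireguard repo`; a priority below 100 only lets unstable supply packages that are not yet installed, which is the intent here but is worth spelling out above the task, e.g. `# < 100: unstable is used only for packages not already installed (wireguard), never for upgrades`. `update_cache: yes`, `enabled: yes` and `create: yes` are YAML 1.1 truthy spellings while the haproxy play writes `enabled: true`; use `true` throughout so yamllint's truthy rule and YAML 1.2 parsers agree. The rendered page has dropped the file's indentation, so the nesting of `when:`/`notify:` under each task cannot be checked from here.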


@ -0,0 +1,29 @@
global
daemon
maxconn 256
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
listen http-in
bind *:80
{% for host in groups['worker'] %}
server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32
{% endfor %}
listen https-in
bind *:443
mode tcp
option tcplog
timeout client 1m
option log-health-checks
option redispatch
log global
timeout connect 10s
timeout server 1m
{% for host in groups['worker'] %}
server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30143 check
{% endfor %}
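Review bot: The `http-in` servers generated by `server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32` carry no `check` keyword, unlike the `https-in` servers, so a worker whose NodePort is down keeps receiving HTTP connections until they time out; append `check` to that line as the https block does. Both listeners use `bind *:80` and `bind *:443`, which also answers on the master's public address, not only its WireGuard address — if the proxy is only meant for the overlay, bind to `{{ wg_ip }}:80` / `{{ wg_ip }}:443`, and if it is the public entry point, say so in a comment at the top of the template. The `global` section defines no `log` target, so `log global` and `option log-health-checks` in `https-in` produce nothing unless the packaged default config is merged in; a `log /dev/log local0` line under `global` makes the health-check logging effective.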


@ -0,0 +1,24 @@
[Interface]
PrivateKey = {{ wg_secret_key }}
ListenPort = 51820
[Peer]
Endpoint = {{ hostvars['cluster-master'].ansible_ssh_host }}:51820
PublicKey = {{ hostvars['cluster-master'].wg_public_key }}
AllowedIPs = {{ hostvars['cluster-master'].wg_ip }}/32
[Peer]
Endpoint = {{ hostvars['cluster-worker01'].ansible_ssh_host }}:51820
PublicKey = {{ hostvars['cluster-worker01'].wg_public_key }}
AllowedIPs = {{ hostvars['cluster-worker01'].wg_ip }}/32
[Peer]
Endpoint = {{ hostvars['cluster-worker02'].ansible_ssh_host }}:51820
PublicKey = {{ hostvars['cluster-worker02'].wg_public_key }}
AllowedIPs = {{ hostvars['cluster-worker02'].wg_ip }}/32
[Peer]
Endpoint = {{ hostvars['cluster-worker03'].ansible_ssh_host }}:51820
PublicKey = {{ hostvars['cluster-worker03'].wg_public_key }}
AllowedIPs = {{ hostvars['cluster-worker03'].wg_ip }}/32
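Review bot: The first peer block reads `hostvars['cluster-master']`, but the inventory in this commit names the host `cluster-master01`, so the render fails with an undefined hostvars key on every host before any other line is reached. Beyond the typo, the peer list is a hand-copied mirror of the inventory, and each host also lists itself as a peer with its own public key; generating the peers from `groups['all']` while skipping `inventory_hostname` keeps the file in step with the inventory and drops the self-peer (whether `wg setconf` tolerates a peer whose key equals the interface key is something to confirm, but there is no reason to emit it). `wg_secret_key` comes from host_vars according to the README; if those files are committed, every node's private key is in the repository history, so keep them in an `ansible-vault`-encrypted vars file instead.

```jinja
[Interface]
PrivateKey = {{ wg_secret_key }}
ListenPort = 51820
{% for host in groups['all'] if host != inventory_hostname %}

[Peer]
Endpoint = {{ hostvars[host].ansible_ssh_host }}:51820
PublicKey = {{ hostvars[host].wg_public_key }}
AllowedIPs = {{ hostvars[host].wg_ip }}/32
{% endfor %}
```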


@ -0,0 +1,7 @@
auto wg-k8s
iface wg-k8s inet static
address {{ wg_ip }}
netmask 255.255.255.0
pre-up ip link add $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
post-down ip link del $IFACE
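Review bot: `pre-up ip link add $IFACE type wireguard` fails when the link already exists — for example after the playbook's `restart wireguard` handler runs `ifdown wg-k8s; ifup wg-k8s` and `ifdown` fails (the `;` ignores its status), the subsequent `ifup` aborts in `pre-up` before `wg setconf` can apply the new peer list; guard it with `pre-up ip link show $IFACE >/dev/null 2>&1 || ip link add $IFACE type wireguard`. The stanza also relies on `wg setconf` reading `/etc/wireguard/$IFACE.conf`, which the playbook installs as root-only readable only if the template task sets a mode; a comment such as `# peers and private key live in /etc/wireguard/wg-k8s.conf (keep it 0600)` above `pre-up wg setconf` documents that coupling.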

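--- a/setup/trust-hosts.sh
+++ b/setup/trust-hosts.sh
@@ -0,0 +1,4 @@
+for i in $(cat inventory.yaml | grep ssh | cut -d= -f2)
+do
+ssh-keyscan $i >> ~/.ssh/known_hosts
+done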
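Review bot: The script is marked executable but has no shebang (`for` is its first line), so which interpreter runs it depends on the caller; add `#!/bin/sh` and `set -eu` at the top. `grep ssh` also matches the commented-out `#cluster-master02 ansible_ssh_host=` entries; today they produce empty fields that word-splitting drops, but a commented line that still carries an address would be scanned, so filter comments first: `for i in $(grep -v '^#' inventory.yaml | grep -o 'ansible_ssh_host=[^ ]*' | cut -d= -f2)`. `ssh-keyscan` records whatever key the host presents at scan time and each re-run appends the same keys again; a comment such as `# trust-on-first-use: compare the printed fingerprints with the provider console before relying on them` above the loop, and `ssh-keygen -F "$i"` to skip hosts already present, make the trust decision explicit.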