From f4d635c335f9b23162acbc7fc5e63f7efcd9ac4c Mon Sep 17 00:00:00 2001
From: chris
Date: Wed, 22 May 2019 13:37:13 +0200
Subject: [PATCH] init
---
 setup/README.md | 10 +++
 setup/inventory.yaml | 12 ++++
 setup/setup.yml | 122 ++++++++++++++++++++++++++++++++++
 setup/templates/haproxy.cfg | 29 ++++++++
 setup/templates/wg-k8s.conf | 24 +++++++
 setup/templates/wireguard.cfg | 7 ++
 setup/trust-hosts.sh | 4 ++
 7 files changed, 208 insertions(+)
 create mode 100644 setup/README.md
 create mode 100644 setup/inventory.yaml
 create mode 100644 setup/setup.yml
 create mode 100644 setup/templates/haproxy.cfg
 create mode 100644 setup/templates/wg-k8s.conf
 create mode 100644 setup/templates/wireguard.cfg
 create mode 100755 setup/trust-hosts.sh
diff --git a/setup/README.md b/setup/README.md
new file mode 100644
index 0000000..85575f7
--- /dev/null
+++ b/setup/README.md
@@ -0,0 +1,10 @@
+* adapt IPs in inventory.yaml
+
+* add host keys `./trust-hosts.sh`
+
+* change wg encryption keys in host\_vars: `./generate-keys.sh`
+ * requires wireguard-tools, yq
+
+* run play for the first time `ansible-playbook -i inventory.yaml -u root -t initial setup.yaml` - this will upgrade all packages and reboot the system
+
+* run play again, without the tag
diff --git a/setup/inventory.yaml b/setup/inventory.yaml
new file mode 100644
index 0000000..2169fee
--- /dev/null
+++ b/setup/inventory.yaml
@@ -0,0 +1,12 @@
+[master]
+cluster-master01 ansible_ssh_host=212.47.246.128
+#cluster-master02 ansible_ssh_host=
+#cluster-master03 ansible_ssh_host=
+
+[worker]
+cluster-worker01 ansible_ssh_host=51.15.238.164
+cluster-worker02 ansible_ssh_host=51.158.115.24
+cluster-worker03 ansible_ssh_host=51.158.108.159
+#cluster-worker04 ansible_ssh_host=
+#cluster-worker05 ansible_ssh_host=
+#cluster-worker06 ansible_ssh_host=
diff --git a/setup/setup.yml b/setup/setup.yml
new file mode 100644
index 0000000..683a9a9
--- /dev/null
+++ b/setup/setup.yml
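Review bot: inventory.yaml holds an INI-style inventory (`[master]`, `[worker]` groups with `key=value` host vars) under a `.yaml` extension, so the YAML inventory plugin will reject it and Ansible only loads it via the ini fallback; name it `inventory.ini` or rewrite it in the YAML inventory schema so the format matches the extension and tooling that picks a parser by suffix does not choke. The per-host `ansible_ssh_host` variable is the deprecated spelling; `ansible_host` is the current name, e.g. `cluster-master01 ansible_host=212.47.246.128`. Note that trust-hosts.sh in this same commit greps this file for the literal `ssh`, so renaming the variable would also need that script adjusted.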
@@ -0,0 +1,122 @@
+---
+- hosts: all
+ tasks:
+ - name: deactivate swap
+ command: swapoff -a
+ when:
+ - ansible_swaptotal_mb != 0
+ notify: disable swap
+ - name: upgrade all the packages
+ apt:
+ name: '*'
+ state: latest
+ update_cache: yes
+ tags: ['initial', 'never']
+ - name: install deps
+ apt:
+ name: ['aptitude', 'sudo', 'nfs-common', 'apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common']
+ state: present
+ - name: import docker gpg key
+ apt_key:
+ url: "https://download.docker.com/linux/debian/gpg"
+ state: present
+ - name: add docker repository
+ apt_repository:
+ repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable"
+ state: present
+ - name: install docker
+ apt:
+ update_cache: yes
+ name: ['docker-ce', 'python-pip', 'python-setuptools']
+ state: present
+ - name: enable & start docker
+ systemd:
+ name: docker
+ enabled: yes
+ state: started
+ - name: install wireguard repo
+ apt_repository:
+ repo: "deb http://deb.debian.org/debian/ unstable main"
+ state: present
+ - name: pin unstables
+ blockinfile:
+ path: /etc/apt/preferences.d/limit-unstable
+ create: yes
+ block: |
+ Package: *
+ Pin: release a=unstable
+ Pin-Priority: 90
+ - name: install wireguard
+ apt:
+ update_cache: yes
+ name: wireguard
+ state: present
+ #- name: generate wireguard keys
+ # shell: wg genkey | tee wg-private.key | wg pubkey > wg-public.key
+ # args:
+ # creates: wg-private.key
+ - name: configure wireguard interface
+ template:
+ src: templates/wireguard.cfg
+ dest: /etc/network/interfaces.d/wireguard.cfg
+ notify: restart wireguard
+ - name: configure wireguard connections
+ template:
+ src: templates/wg-k8s.conf
+ dest: /etc/wireguard/wg-k8s.conf
+ notify: restart wireguard
+
+ - name: install k8s apt key
+ apt_key:
+ url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+ state: present
+ - name: add k8s repository
+ apt_repository:
+ repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
+ state: present
+ - name: install k8s
+ apt:
+ update_cache: yes
+ name: ["kubelet", "kubeadm", "kubectl"]
+ state: present
+ #- name: init kubeadm
+ # command: kubeadm init --apiserver-advertise-address 10.42.23.11 --pod-network-cidr=10.244.0.0/16 > kubeadm.log
+ # args:
+ # creates: kubeadm.log
+ #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
+ #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
+ - name: restart system
+ command: reboot
+ tags: ['initial', 'never']
+
+ handlers:
+ - name: disable swap
+ lineinfile:
+ path: /etc/fstab
+ regexp: '.*swap.*'
+ state: absent
+ - name: restart wireguard
+ shell: ifdown wg-k8s; ifup wg-k8s
+
+- hosts: master
+ tasks:
+ - name: install haproxy
+ apt:
+ name: haproxy
+ state: present
+ notify: restart haproxy
+ - name: copy haproxy template
+ template:
+ src: templates/haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+ notify: restart haproxy
+ - name: enable haproxy service
+ service:
+ name: haproxy
+ enabled: true
+ notify: restart haproxy
+ handlers:
+ - name: restart haproxy
+ service:
+ name: haproxy
+ state: restarted
diff --git a/setup/templates/haproxy.cfg b/setup/templates/haproxy.cfg
new file mode 100644
index 0000000..86e1208
--- /dev/null
+++ b/setup/templates/haproxy.cfg
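Review bot: The "configure wireguard connections" task renders the WireGuard private key (`PrivateKey = {{ wg_secret_key }}` in templates/wg-k8s.conf) into /etc/wireguard/wg-k8s.conf without setting `mode`, so the file takes the umask-derived default, which is normally world-readable, and any local user or container escape on the node can read the tunnel key. Add `owner: root`, `group: root` and `mode: '0600'` to that template task so the key is only readable by root, and consider the same for the interfaces.d file even though it carries no secret. The "restart wireguard" handler's `ifdown wg-k8s; ifup wg-k8s` discards the ifdown result with `;`; that is probably intended for the first run where the interface is not up yet, but a comment saying so would stop a later reader from "fixing" it to `&&`.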
@@ -0,0 +1,29 @@
+global
+ daemon
+ maxconn 256
+
+defaults
+ mode http
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+
+listen http-in
+ bind *:80
+ {% for host in groups['worker'] %}
+ server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32
+ {% endfor %}
+
+listen https-in
+ bind *:443
+ mode tcp
+ option tcplog
+ timeout client 1m
+ option log-health-checks
+ option redispatch
+ log global
+ timeout connect 10s
+ timeout server 1m
+ {% for host in groups['worker'] %}
+ server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30143 check
+ {% endfor %}
diff --git a/setup/templates/wg-k8s.conf b/setup/templates/wg-k8s.conf
new file mode 100644
index 0000000..2e1432e
--- /dev/null
+++ b/setup/templates/wg-k8s.conf
@@ -0,0 +1,24 @@
+[Interface]
+PrivateKey = {{ wg_secret_key }}
+ListenPort = 51820
+
+[Peer]
+Endpoint = {{ hostvars['cluster-master'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-master'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-master'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker01'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker01'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker01'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker02'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker02'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker02'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker03'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker03'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker03'].wg_ip }}/32
+
diff --git a/setup/templates/wireguard.cfg b/setup/templates/wireguard.cfg
new file mode 100644
index 0000000..9f2c804
--- /dev/null
+++ b/setup/templates/wireguard.cfg
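Review bot: The `http-in` listener's server lines carry no `check`, so a worker whose NodePort 30080 stops answering stays in rotation and keeps receiving connections, while `https-in` a few lines below does health-check its backends; make the two consistent with `server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32 check`. `log global` and `option log-health-checks` in `https-in` refer to a global log target, but the `global` section at the top defines none, so health-check state changes are not actually logged anywhere; add a `log` line to `global` (syslog or `/dev/log`) if that output is wanted for monitoring.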
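Review bot: The first `[Peer]` block reads `hostvars['cluster-master']`, but inventory.yaml in this commit names that host `cluster-master01`, so the template fails with an undefined-variable error on every node before any tunnel comes up. The peer list is also hard-coded per hostname, which means each node's own entry is emitted as a `[Peer]` with its own public key (WireGuard ignores such a self-peer as far as I recall, but it is noise) and every inventory change has to be mirrored here; iterate over the inventory instead and skip `inventory_hostname`. The `wg_secret_key`, `wg_public_key` and `wg_ip` host vars, and the `generate-keys.sh` the README refers to, are not part of this commit, so the rendered file cannot be checked here.
```jinja
ListenPort = 51820
{% for host in groups['all'] if host != inventory_hostname %}

[Peer]
Endpoint = {{ hostvars[host].ansible_ssh_host }}:51820
PublicKey = {{ hostvars[host].wg_public_key }}
AllowedIPs = {{ hostvars[host].wg_ip }}/32
{% endfor %}
```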
@@ -0,0 +1,7 @@
+auto wg-k8s
+iface wg-k8s inet static
+ address {{ wg_ip }}
+ netmask 255.255.255.0
+ pre-up ip link add $IFACE type wireguard
+ pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+ post-down ip link del $IFACE
diff --git a/setup/trust-hosts.sh b/setup/trust-hosts.sh
new file mode 100755
index 0000000..472ec8b
--- /dev/null
+++ b/setup/trust-hosts.sh
@@ -0,0 +1,4 @@
+for i in $(cat inventory.yaml | grep ssh | cut -d= -f2)
+ do
+ ssh-keyscan $i >> ~/.ssh/known_hosts
+ done
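Review bot: `pre-up ip link add $IFACE type wireguard` is not idempotent: if an earlier `ifup` created the link and then failed in the following `wg setconf` step (a bad or unreadable /etc/wireguard/$IFACE.conf, for instance), the interface is never marked up, `ifdown` skips the `post-down` cleanup, and every later `ifup` aborts with "File exists" until someone deletes the link by hand. Guard the creation so a re-run can recover: `pre-up ip link show $IFACE >/dev/null 2>&1 || ip link add $IFACE type wireguard`. A one-line comment above the block saying that the peer configuration lives in /etc/wireguard/$IFACE.conf and is applied by the second `pre-up` would also help whoever next edits this file.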
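Review bot: trust-hosts.sh is created executable (mode 100755) but has no shebang, so it runs under whatever the caller's shell happens to be, and `$i` is unquoted in the `ssh-keyscan $i` line; add `#!/bin/sh` and `set -eu` at the top and write `ssh-keyscan "$i" >> ~/.ssh/known_hosts`. More importantly, the script appends whatever key answers on the first scan and never verifies it, so it turns "trust on first use" into a silent step: the collected fingerprints (`ssh-keygen -lf ~/.ssh/known_hosts`) should be compared against the ones shown by the hosting provider's console before the play is run as root against these hosts, and a comment in the script should say that this check is expected. Re-running the script appends duplicate entries each time; `ssh-keygen -F` before scanning, or `ssh-keygen -R` followed by the scan, keeps known_hosts clean. `cat inventory.yaml | grep ssh` can be `grep ssh inventory.yaml`, and it also matches the commented-out hosts, which only works because their empty values vanish in word splitting.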