init
parent
1b788dbe37
commit
f4d635c335
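--- /dev/null
+++ b/<readme-path-not-shown>
@@ -0,0 +1,10 @@
+* adapt IPs in inventory.yaml
+
+* add host keys `./trust-hosts.sh`
+
+* change wg encryption keys in host\_vars: `./generate-keys.sh`
+* requires wireguard-tools, yq
+
+* run play for the first time `ansible-playbook -i inventory.yaml -u root -t initial setup.yaml` - this will upgrade all packages and reboot the system
+
+* run play again, without the tag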
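--- /dev/null
+++ b/inventory.yaml
@@ -0,0 +1,12 @@
+[master]
+cluster-master01 ansible_ssh_host=212.47.246.128
+#cluster-master02 ansible_ssh_host=
+#cluster-master03 ansible_ssh_host=
+
+[worker]
+cluster-worker01 ansible_ssh_host=51.15.238.164
+cluster-worker02 ansible_ssh_host=51.158.115.24
+cluster-worker03 ansible_ssh_host=51.158.108.159
+#cluster-worker04 ansible_ssh_host=
+#cluster-worker05 ansible_ssh_host=
+#cluster-worker06 ansible_ssh_host=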
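Review bot: `ansible_ssh_host` is the pre-2.0 spelling of `ansible_host`; it still works as an alias, but the templates in this commit (`hostvars[host].ansible_ssh_host`) are then tied to the legacy name, so `ansible_host` throughout would be the current form. The file is referred to as inventory.yaml in the README and in the playbook invocation but is INI-format inventory; Ansible accepts that, though with a `.yaml` extension the yaml inventory plugin will likely try (and warn) before the ini plugin parses it, so `inventory.ini` or `hosts` would match the content. The commented placeholder entries are harmless here, but note that they contain the substring `ssh` and are picked up by trust-hosts.sh.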
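--- /dev/null
+++ b/setup.yaml
@@ -0,0 +1,122 @@
+---
+- hosts: all
+  tasks:
+    - name: deactivate swap
+      command: swapoff -a
+      when:
+        - ansible_swaptotal_mb != 0
+      notify: disable swap
+    - name: upgrade all the packages
+      apt:
+        name: '*'
+        state: latest
+        update_cache: yes
+      tags: ['initial', 'never']
+    - name: install deps
+      apt:
+        name: ['aptitude', 'sudo', 'nfs-common', 'apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common']
+        state: present
+    - name: import docker gpg key
+      apt_key:
+        url: "https://download.docker.com/linux/debian/gpg"
+        state: present
+    - name: add docker repository
+      apt_repository:
+        repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable"
+        state: present
+    - name: install docker
+      apt:
+        update_cache: yes
+        name: ['docker-ce', 'python-pip', 'python-setuptools']
+        state: present
+    - name: enable & start docker
+      systemd:
+        name: docker
+        enabled: yes
+        state: started
+    - name: install wireguard repo
+      apt_repository:
+        repo: "deb http://deb.debian.org/debian/ unstable main"
+        state: present
+    - name: pin unstables
+      blockinfile:
+        path: /etc/apt/preferences.d/limit-unstable
+        create: yes
+        block: |
+          Package: *
+          Pin: release a=unstable
+          Pin-Priority: 90
+    - name: install wireguard
+      apt:
+        update_cache: yes
+        name: wireguard
+        state: present
+    #- name: generate wireguard keys
+    # shell: wg genkey | tee wg-private.key | wg pubkey > wg-public.key
+    # args:
+    # creates: wg-private.key
+    - name: configure wireguard interface
+      template:
+        src: templates/wireguard.cfg
+        dest: /etc/network/interfaces.d/wireguard.cfg
+      notify: restart wireguard
+    - name: configure wireguard connections
+      template:
+        src: templates/wg-k8s.conf
+        dest: /etc/wireguard/wg-k8s.conf
+      notify: restart wireguard
+
+    - name: install k8s apt key
+      apt_key:
+        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+        state: present
+    - name: add k8s repository
+      apt_repository:
+        repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
+        state: present
+    - name: install k8s
+      apt:
+        update_cache: yes
+        name: ["kubelet", "kubeadm", "kubectl"]
+        state: present
+    #- name: init kubeadm
+    # command: kubeadm init --apiserver-advertise-address 10.42.23.11 --pod-network-cidr=10.244.0.0/16 > kubeadm.log
+    # args:
+    # creates: kubeadm.log
+    #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
+    #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
+    - name: restart system
+      command: reboot
+      tags: ['initial', 'never']
+
+  handlers:
+    - name: disable swap
+      lineinfile:
+        path: /etc/fstab
+        regexp: '.*swap.*'
+        state: absent
+    - name: restart wireguard
+      shell: ifdown wg-k8s; ifup wg-k8s
+
+- hosts: master
+  tasks:
+    - name: install haproxy
+      apt:
+        name: haproxy
+        state: present
+      notify: restart haproxy
+    - name: copy haproxy template
+      template:
+        src: templates/haproxy.cfg
+        dest: /etc/haproxy/haproxy.cfg
+      notify: restart haproxy
+    - name: enable haproxy service
+      service:
+        name: haproxy
+        enabled: true
+      notify: restart haproxy
+  handlers:
+    - name: restart haproxy
+      service:
+        name: haproxy
+        state: restarted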
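Review bot: The `configure wireguard connections` task renders `{{ wg_secret_key }}` into /etc/wireguard/wg-k8s.conf without `mode` or `owner`, so the template module creates the file with its default, umask-derived permissions (typically world-readable) and any local account on the node can read the WireGuard private key; add `mode: '0600'`, `owner: root` and `group: root` to that `template:` block. `{{ansible_lsb.codename}}` in the docker repository line depends on the lsb-release package, which this play never installs, so on a bare Debian host the fact is likely unset and the task fails on an undefined variable — `{{ ansible_distribution_release }}` is populated without it. The `yes` values on `update_cache`, `enabled` and `create` are YAML 1.1 booleans; `true` is the spelling that parses the same everywhere. Since the README places the keys in host_vars, if that directory is committed the secret keys should be stored via ansible-vault or pulled from an external secret store rather than in clear text.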
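--- /dev/null
+++ b/templates/haproxy.cfg
@@ -0,0 +1,29 @@
+global
+daemon
+maxconn 256
+
+defaults
+mode http
+timeout connect 5000ms
+timeout client 50000ms
+timeout server 50000ms
+
+listen http-in
+bind *:80
+{% for host in groups['worker'] %}
+server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32
+{% endfor %}
+
+listen https-in
+bind *:443
+mode tcp
+option tcplog
+timeout client 1m
+option log-health-checks
+option redispatch
+log global
+timeout connect 10s
+timeout server 1m
+{% for host in groups['worker'] %}
+server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30143 check
+{% endfor %}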
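Review bot: The `server` lines in `http-in` have no `check` while those in `https-in` do, so a worker that goes down keeps receiving port-80 traffic until haproxy is reloaded; append it as in `server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32 check`. `log global` and `option log-health-checks` in `https-in` inherit nothing, because the `global` section defines no `log` target, so health-check state changes are not recorded anywhere; add `log /dev/log local0` (or whatever syslog endpoint these hosts use) under `global`. Both listeners bind `*`, which also covers the WireGuard address; if only the public interface is meant to be exposed, `bind {{ ansible_default_ipv4.address }}:80` (and `:443`) narrows that.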
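--- /dev/null
+++ b/templates/wg-k8s.conf
@@ -0,0 +1,24 @@
+[Interface]
+PrivateKey = {{ wg_secret_key }}
+ListenPort = 51820
+
+[Peer]
+Endpoint = {{ hostvars['cluster-master'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-master'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-master'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker01'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker01'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker01'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker02'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker02'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker02'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker03'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker03'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker03'].wg_ip }}/32
+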
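Review bot: The first peer reads `hostvars['cluster-master']`, but the inventory in this commit names the host `cluster-master01`, so the lookup is undefined and the `configure wireguard connections` task fails (or, with lenient error handling, renders an empty Endpoint and PublicKey). The peer list also hard-codes every host name, including the host the template is rendered on, so each node lists itself as a peer and every added worker means editing this file by hand. Deriving the peers from the inventory removes both problems and keeps the inventory the single source of truth; the `[Interface]` section stays unchanged.
```jinja
{# … unchanged: [Interface] section … #}

{% for host in groups['all'] if host != inventory_hostname %}
[Peer]
Endpoint = {{ hostvars[host].ansible_ssh_host }}:51820
PublicKey = {{ hostvars[host].wg_public_key }}
AllowedIPs = {{ hostvars[host].wg_ip }}/32

{% endfor %}
```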
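--- /dev/null
+++ b/templates/wireguard.cfg
@@ -0,0 +1,7 @@
+auto wg-k8s
+iface wg-k8s inet static
+address {{ wg_ip }}
+netmask 255.255.255.0
+pre-up ip link add $IFACE type wireguard
+pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+post-down ip link del $IFACE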
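--- /dev/null
+++ b/trust-hosts.sh
@@ -0,0 +1,4 @@
+for i in $(cat inventory.yaml | grep ssh | cut -d= -f2)
+do
+ssh-keyscan $i >> ~/.ssh/known_hosts
+done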
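Review bot: `grep ssh` also matches the commented placeholder lines in inventory.yaml (`#cluster-master02 ansible_ssh_host=`), which produce an empty field after `cut`, so `ssh-keyscan` runs with no host on those iterations; and because the loop appends unconditionally, every run adds another copy of each key to known_hosts. The script has no shebang and no `set -e`, and `$i` is unquoted. ssh-keyscan records whatever key answers at the address on first contact, so the collected fingerprints should be compared with the ones the hosting provider publishes before the entries are relied on. A version that skips comments, extracts only the address field and drops the `cat` pipe:
```sh
#!/bin/sh
set -eu
for host in $(grep -v '^#' inventory.yaml | grep -o 'ansible_ssh_host=[^[:space:]]*' | cut -d= -f2); do
    ssh-keyscan "$host" >> ~/.ssh/known_hosts
done
```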