init
parent
1b788dbe37
commit
f4d635c335
7 changed files with 208 additions and 0 deletions
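--- a/setup/README.md
+++ b/setup/README.md
@@ -0,0 +1,10 @@
+* adapt IPs in inventory.yaml
+
+* add host keys `./trust-hosts.sh`
+
+* change wg encryption keys in host\_vars: `./generate-keys.sh`
+* requires wireguard-tools, yq
+
+* run play for the first time `ansible-playbook -i inventory.yaml -u root -t initial setup.yaml` - this will upgrade all packages and reboot the system
+
+* run play again, without the tag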
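--- a/setup/inventory.yaml
+++ b/setup/inventory.yaml
@@ -0,0 +1,12 @@
+[master]
+cluster-master01 ansible_ssh_host=212.47.246.128
+#cluster-master02 ansible_ssh_host=
+#cluster-master03 ansible_ssh_host=
+
+[worker]
+cluster-worker01 ansible_ssh_host=51.15.238.164
+cluster-worker02 ansible_ssh_host=51.158.115.24
+cluster-worker03 ansible_ssh_host=51.158.108.159
+#cluster-worker04 ansible_ssh_host=
+#cluster-worker05 ansible_ssh_host=
+#cluster-worker06 ansible_ssh_host=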
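Review bot: Every host line uses `ansible_ssh_host`, which Ansible keeps only as a deprecated alias of `ansible_host`; renaming it also means updating `trust-hosts.sh`, which greps this file for `ssh` to pull out the addresses. The content is an INI-style host list despite the `.yaml` extension, so Ansible will presumably try the yaml inventory plugin first and warn before falling back to ini — `inventory.ini` would be the honest name, with the README command adjusted to match. The commented-out slots such as `#cluster-master02 ansible_ssh_host=` are harmless to Ansible but are picked up by that same grep.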
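--- a/setup/setup.yml
+++ b/setup/setup.yml
@@ -0,0 +1,122 @@
+---
+- hosts: all
+tasks:
+- name: deactivate swap
+command: swapoff -a
+when:
+- ansible_swaptotal_mb != 0
+notify: disable swap
+- name: upgrade all the packages
+apt:
+name: '*'
+state: latest
+update_cache: yes
+tags: ['initial', 'never']
+- name: install deps
+apt:
+name: ['aptitude', 'sudo', 'nfs-common', 'apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common']
+state: present
+- name: import docker gpg key
+apt_key:
+url: "https://download.docker.com/linux/debian/gpg"
+state: present
+- name: add docker repository
+apt_repository:
+repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable"
+state: present
+- name: install docker
+apt:
+update_cache: yes
+name: ['docker-ce', 'python-pip', 'python-setuptools']
+state: present
+- name: enable & start docker
+systemd:
+name: docker
+enabled: yes
+state: started
+- name: install wireguard repo
+apt_repository:
+repo: "deb http://deb.debian.org/debian/ unstable main"
+state: present
+- name: pin unstables
+blockinfile:
+path: /etc/apt/preferences.d/limit-unstable
+create: yes
+block: |
+Package: *
+Pin: release a=unstable
+Pin-Priority: 90
+- name: install wireguard
+apt:
+update_cache: yes
+name: wireguard
+state: present
+#- name: generate wireguard keys
+# shell: wg genkey | tee wg-private.key | wg pubkey > wg-public.key
+# args:
+# creates: wg-private.key
+- name: configure wireguard interface
+template:
+src: templates/wireguard.cfg
+dest: /etc/network/interfaces.d/wireguard.cfg
+notify: restart wireguard
+- name: configure wireguard connections
+template:
+src: templates/wg-k8s.conf
+dest: /etc/wireguard/wg-k8s.conf
+notify: restart wireguard
+
+- name: install k8s apt key
+apt_key:
+url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+state: present
+- name: add k8s repository
+apt_repository:
+repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
+state: present
+- name: install k8s
+apt:
+update_cache: yes
+name: ["kubelet", "kubeadm", "kubectl"]
+state: present
+#- name: init kubeadm
+# command: kubeadm init --apiserver-advertise-address 10.42.23.11 --pod-network-cidr=10.244.0.0/16 > kubeadm.log
+# args:
+# creates: kubeadm.log
+#kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
+#kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
+- name: restart system
+command: reboot
+tags: ['initial', 'never']
+
+handlers:
+- name: disable swap
+lineinfile:
+path: /etc/fstab
+regexp: '.*swap.*'
+state: absent
+- name: restart wireguard
+shell: ifdown wg-k8s; ifup wg-k8s
+
+- hosts: master
+tasks:
+- name: install haproxy
+apt:
+name: haproxy
+state: present
+notify: restart haproxy
+- name: copy haproxy template
+template:
+src: templates/haproxy.cfg
+dest: /etc/haproxy/haproxy.cfg
+notify: restart haproxy
+- name: enable haproxy service
+service:
+name: haproxy
+enabled: true
+notify: restart haproxy
+handlers:
+- name: restart haproxy
+service:
+name: haproxy
+state: restarted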
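Review bot: The `configure wireguard connections` task renders `wg-k8s.conf`, which carries the node's `PrivateKey`, to `/etc/wireguard/` with no `owner`, `group` or `mode`, so the file takes the default mode for new files (typically 0644) and the private key is readable by every local account; add `owner: root`, `group: root` and `mode: '0600'` to that task. The `restart system` task runs `command: reboot` as the last task of the `hosts: all` play, before handlers are flushed, so on the tagged initial run the `disable swap` fstab edit and `restart wireguard` never execute and the play will likely fail on the dropped connection; put `- meta: flush_handlers` before it, or use the `reboot` module if the Ansible version in use has it. Booleans are written `yes` in the apt/systemd tasks but `true` in the haproxy play; `true`/`false` throughout avoids the YAML 1.1 truthy ambiguity. The README's command invokes `setup.yaml`, while this file is `setup.yml`.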
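--- a/setup/templates/haproxy.cfg
+++ b/setup/templates/haproxy.cfg
@@ -0,0 +1,29 @@
+global
+daemon
+maxconn 256
+
+defaults
+mode http
+timeout connect 5000ms
+timeout client 50000ms
+timeout server 50000ms
+
+listen http-in
+bind *:80
+{% for host in groups['worker'] %}
+server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32
+{% endfor %}
+
+listen https-in
+bind *:443
+mode tcp
+option tcplog
+timeout client 1m
+option log-health-checks
+option redispatch
+log global
+timeout connect 10s
+timeout server 1m
+{% for host in groups['worker'] %}
+server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30143 check
+{% endfor %}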
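Review bot: The worker servers in `listen http-in` carry no `check`, unlike the `https-in` block, so a worker that has gone down keeps receiving port-80 traffic until it times out; the line should read `server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32 check`. `https-in` sets `log global`, `option tcplog` and `option log-health-checks`, but the `global` section declares no `log` target, so none of that output goes anywhere; add a `log` line (for example `log /dev/log local0`) to `global` if those records are wanted. `http-in` proxies in `mode http` without `option forwardfor`, so the backends will only ever see the master's WireGuard address as the client — worth adding if backend logs need the real source.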
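--- a/setup/templates/wg-k8s.conf
+++ b/setup/templates/wg-k8s.conf
@@ -0,0 +1,24 @@
+[Interface]
+PrivateKey = {{ wg_secret_key }}
+ListenPort = 51820
+
+[Peer]
+Endpoint = {{ hostvars['cluster-master'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-master'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-master'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker01'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker01'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker01'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker02'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker02'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker02'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker03'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker03'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker03'].wg_ip }}/32
+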
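Review bot: The first `[Peer]` block reads `hostvars['cluster-master']`, but the inventory defines that host as `cluster-master01`, so rendering this template fails on an undefined variable before any peer is written. The peer list is also spelled out by hand for four hosts, which makes every node list itself as a peer and has to be edited whenever one of the commented inventory slots is enabled; looping over `groups['all']` and skipping `inventory_hostname` covers both cases with the same `Endpoint`/`PublicKey`/`AllowedIPs` lines per peer. The template rewritten that way:
```jinja
[Interface]
PrivateKey = {{ wg_secret_key }}
ListenPort = 51820
{% for host in groups['all'] if host != inventory_hostname %}

[Peer]
Endpoint = {{ hostvars[host].ansible_ssh_host }}:51820
PublicKey = {{ hostvars[host].wg_public_key }}
AllowedIPs = {{ hostvars[host].wg_ip }}/32
{% endfor %}
```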
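--- a/setup/templates/wireguard.cfg
+++ b/setup/templates/wireguard.cfg
@@ -0,0 +1,7 @@
+auto wg-k8s
+iface wg-k8s inet static
+address {{ wg_ip }}
+netmask 255.255.255.0
+pre-up ip link add $IFACE type wireguard
+pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+post-down ip link del $IFACE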
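--- a/setup/trust-hosts.sh
+++ b/setup/trust-hosts.sh
@@ -0,0 +1,4 @@
+for i in $(cat inventory.yaml | grep ssh | cut -d= -f2)
+do
+ssh-keyscan $i >> ~/.ssh/known_hosts
+done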
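Review bot: `ssh-keyscan $i >> ~/.ssh/known_hosts` appends whatever key the address presents at scan time, so the script only moves trust-on-first-use to the moment of the scan; a comment at the top should say that the fingerprints are to be compared against the provider's console before the hosts are relied on, and re-running the script appends duplicate entries each time. There is no shebang and no `set -eu`, `$i` is unquoted, and `grep ssh` also matches the commented-out inventory lines — their empty `cut` output is only skipped because of word splitting. A tightened version:
```sh
#!/bin/sh
set -eu
# Keys are recorded as presented at scan time; compare the fingerprints
# against the provider's console before relying on them.
for ip in $(grep -v '^#' inventory.yaml | grep ansible_ssh_host | cut -d= -f2); do
  ssh-keyscan "$ip" >> ~/.ssh/known_hosts
done
```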