Full k3s server installation done

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>

group_vars/k3s/vars.yml

@@ -1,17 +1,19 @@
 db:
   default_user:
-    password: "{{ vault.k3s.postgres.default_user.password }}"
+    user: "postgres"
   name: "k3s"
   user: "k3s"
   password: "{{ vault.k3s.db.password }}"
+  listen_address: "{{ k3s.db.ip }}"
 
 k3s:
+  net: "192.168.20.0/24"
   server:
     ips:
       - 192.168.20.21
       - 192.168.20.24
   loadbalancer:
-    ips: 192.168.20.22
+    ip: 192.168.20.22
   db:
     ip: 192.168.20.23
     default_port: "5432"

k3s-servers.yml

@@ -8,6 +8,9 @@
     - role: common
       tags:
         - common
+    - role: k3s_server
+      tags:
+        - k3s_server
     - role: node_exporter
       tags:
         - node_exporter

roles/k3s_server/tasks/installation.yml

@@ -1,6 +1,59 @@
 ---
-- name: Install k3s
-  command: "curl -sfL https://get.k3s.io | sh -s - server --node-taint CriticalAddonsOnly=true:NoExecute --tls-san {{ k3s.loadbalancer.ip }}"
+# - name: Download K3s install script to /tmp/
+#   ansible.builtin.get_url:
+#     url: https://get.k3s.io
+#     dest: /tmp/k3s_install.sh
+#     mode: "0755"
+#
+# - name: Install K3s server with node taint and TLS SAN
+#   when: host.ip == k3s.server.ips[0]
+#   command: |
+#     /tmp/k3s_install.sh server \
+#     --node-taint CriticalAddonsOnly=true:NoExecute \
+#     --tls-san {{ k3s.loadbalancer.ip }}
+#   environment:
+#     K3S_DATASTORE_ENDPOINT: "{{ k3s_db_connection_string }}"
+#   become: true
+#   async: 300
+#   poll: 0
+#   register: k3s_primary_install
+#
+# - name: Wait for K3s to be installed
+#   when: host.ip == k3s.server.ips[0]
+#   async_status:
+#     jid: "{{ k3s_primary_install.ansible_job_id }}"
+#   register: k3s_primary_install_status
+#   until: k3s_primary_install_status.finished
+#   retries: 60
+#   delay: 5
+#   become: true
+
+- name: Get K3s token from the first server
+  when: host.ip == k3s.server.ips[0]
+  slurp:
+    src: /var/lib/rancher/k3s/server/node-token
+  register: k3s_token
+  become: true
+
+- name: Set fact on k3s.server.ips[0]
+  when: host.ip == k3s.server.ips[0]
+  set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}"
+
+- name: showdata
+  when: host.ip != k3s.server.ips[0]
+  debug:
+    msg: "{{a}} {{k3s_datastore_endpoint}}"
+  vars:
+    k3s_datastore_endpoint: "{{ k3s_db_connection_string }}"
+    a: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s.server.ips[0] ) | select() | first | items2dict).host.hostname].k3s_token }}"
+
+- name: Install K3s on the secondary servers
+  when: host.ip != k3s.server.ips[0]
+  command: |
+    /tmp/k3s_install.sh server \
+    --node-taint CriticalAddonsOnly=true:NoExecute \
+    --tls-san {{ k3s.loadbalancer.ip }}
   environment:
     K3S_DATASTORE_ENDPOINT: "{{ k3s_db_connection_string }}"
+    K3S_TOKEN: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s.server.ips[0] ) | select() | first | items2dict).host.hostname].k3s_token }}"
   become: true

roles/postgres/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Restart postgres
   systemd:
-    name: postgres
+    name: postgresql
     state: restarted
   become: true

roles/postgres/tasks/configuration.yml

@@ -21,13 +21,24 @@
   vars:
     ansible_remote_temp: "/tmp/"
 
-- name: "Grant {{ db.user }} user access to db {{ db.name }}"
-  postgresql_privs:
+- name: "Grant all privileges on database {{ db.name }} to {{ db.user }};"
+  community.postgresql.postgresql_privs:
+    db: "{{ db.name }}"
+    privs: ALL
     type: database
-    database: "{{ db.name }}"
     roles: "{{ db.user }}"
-    grant_option: no
-    privs: all
+  become: yes
+  become_user: postgres
+  vars:
+    ansible_remote_temp: "/tmp/"
+
+- name: "Grant all privileges on schema public to {{ db.user }};"
+  community.postgresql.postgresql_privs:
+    db: "{{ db.name }}"
+    privs: ALL
+    type: schema
+    obj: "public"
+    roles: "{{ db.user }}"
   become: yes
   become_user: postgres
   vars:
@@ -35,15 +46,23 @@
 
 - name: "Allow md5 connection for the {{ db.user }} user"
   postgresql_pg_hba:
-    dest: "~/15/main/pg_hba.conf"
+    dest: "/etc/postgresql/15/main/pg_hba.conf"
     contype: host
     databases: all
     method: md5
+    address: "{{ k3s.net }}"
     users: "{{ db.user }}"
-    create: true
+    create: false
   become: yes
-  become_user: postgres
   notify:
     - Restart postgres
-  vars:
-    ansible_remote_temp: "/tmp/"
+
+- name: "Set public listen address"
+  become: true
+  lineinfile:
+    dest: "/etc/postgresql/15/main/conf.d/listen.conf"
+    regexp: "^#?listen_addresses="
+    line: "listen_addresses='{{ db.listen_address | default('localhost') }}'"
+    state: present
+    create: yes
+  notify: "Restart postgres"

roles/postgres/tasks/installation.yml

@@ -4,11 +4,11 @@
     name: "{{ postgres_packages }}"
     state: present
   become: true
-  register: postgres_install
 
 - name: Start and enable the service
   systemd:
     name: postgresql
     state: started
+    daemon_reload: true
     enabled: true
   become: true

roles/postgres/vars/main.yml

@@ -1,15 +1,3 @@
-############################################
-############### CHANGE THESE ###############
-############################################
-db:
-  default_user:
-    user: "postgres"
-  name: "database"
-  user: "user"
-  password: "password"
-
-############################################
-# Don't change these (probably)
 ansible_dependencies:
   - python3-pip
   - python3-psycopg

test.yml

@@ -1,5 +1,6 @@
 ---
 - hosts: db
+  gather_facts: yes
   vars_files:
     - secrets.yml
   tasks: