Compare commits

...

2 Commits

Author SHA1 Message Date
Tuan-Dat Tran 2ae0f4863e update vault skeleton
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
2024-10-08 04:14:01 +02:00
Tuan-Dat Tran 7d58de98d9 Added storage nodes for k3s
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
2024-10-08 04:13:38 +02:00
23 changed files with 182 additions and 157 deletions

View File

@ -3,7 +3,7 @@ db:
user: "postgres" user: "postgres"
name: "k3s" name: "k3s"
user: "k3s" user: "k3s"
password: "{{ vault.k3s.db.password }}" password: "{{ vault.k3s.postgres.db.password }}"
listen_address: "{{ k3s.db.ip }}" listen_address: "{{ k3s.db.ip }}"
k3s: k3s:

View File

@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.25 ansible_host: 192.168.20.25
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.server01.sudo }}" ansible_become_pass: "{{ vault.k3s.agent00.sudo }}"
host: host:
hostname: "k3s-agent00" hostname: "k3s-agent00"

View File

@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.26 ansible_host: 192.168.20.26
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.server01.sudo }}" ansible_become_pass: "{{ vault.k3s.agent01.sudo }}"
host: host:
hostname: "k3s-agent01" hostname: "k3s-agent01"

View File

@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.27 ansible_host: 192.168.20.27
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.server01.sudo }}" ansible_become_pass: "{{ vault.k3s.agent02.sudo }}"
host: host:
hostname: "k3s-agent02" hostname: "k3s-agent02"

View File

@ -0,0 +1,10 @@
---
ansible_user: "{{ user }}"
ansible_host: 192.168.20.32
ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.longhorn00.sudo }}"
host:
hostname: "k3s-longhorn00"
ip: "{{ ansible_host }}"

View File

@ -0,0 +1,10 @@
---
ansible_user: "{{ user }}"
ansible_host: 192.168.20.33
ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.longhorn01.sudo }}"
host:
hostname: "k3s-longhorn01"
ip: "{{ ansible_host }}"

View File

@ -0,0 +1,10 @@
---
ansible_user: "{{ user }}"
ansible_host: 192.168.20.31
ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.longhorn02.sudo }}"
host:
hostname: "k3s-longhorn02"
ip: "{{ ansible_host }}"

View File

@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.30 ansible_host: 192.168.20.30
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.server01.sudo }}" ansible_become_pass: "{{ vault.k3s.server02.sudo }}"
host: host:
hostname: "k3s-server02" hostname: "k3s-server02"

31
k3s-storage.yml Normal file
View File

@ -0,0 +1,31 @@
- name: Set up storage
hosts: k3s_nodes
gather_facts: yes
vars_files:
- secrets.yml
pre_tasks:
- name: Get K3s token from the first server
when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
slurp:
src: /var/lib/rancher/k3s/server/node-token
register: k3s_token
become: true
- name: Set fact on k3s.server.ips[0]
when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}"
roles:
- role: common
when: inventory_hostname in groups["k3s_storage"]
tags:
- common
- role: k3s_storage
when: inventory_hostname in groups["k3s_storage"]
k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s.server.ips[0] ) | select() | first | items2dict).host.hostname].k3s_token }}"
tags:
- k3s_storage
- role: node_exporter
when: inventory_hostname in groups["k3s_storage"]
tags:
- node_exporter

View File

@ -10,6 +10,9 @@ k3s-server02
k3s-agent00 k3s-agent00
k3s-agent01 k3s-agent01
k3s-agent02 k3s-agent02
k3s-longhorn00
k3s-longhorn01
k3s-longhorn02
[k3s_server] [k3s_server]
k3s-server00 k3s-server00
@ -21,6 +24,11 @@ k3s-agent00
k3s-agent01 k3s-agent01
k3s-agent02 k3s-agent02
[k3s_storage]
k3s-longhorn00
k3s-longhorn01
k3s-longhorn02
[vm] [vm]
k3s-agent00 k3s-agent00
k3s-agent01 k3s-agent01
@ -30,6 +38,9 @@ k3s-server01
k3s-server02 k3s-server02
k3s-postgres k3s-postgres
k3s-loadbalancer k3s-loadbalancer
k3s-longhorn00
k3s-longhorn01
k3s-longhorn02
[k3s_nodes] [k3s_nodes]
k3s-server00 k3s-server00
@ -38,6 +49,9 @@ k3s-server02
k3s-agent00 k3s-agent00
k3s-agent01 k3s-agent01
k3s-agent02 k3s-agent02
k3s-longhorn00
k3s-longhorn01
k3s-longhorn02
[db] [db]
k3s-postgres k3s-postgres

View File

@ -31,8 +31,7 @@ case "$TERM" in
xterm* | rxvt*) xterm* | rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;; ;;
*) *) ;;
;;
esac esac
if [ -x /usr/bin/dircolors ]; then if [ -x /usr/bin/dircolors ]; then

View File

@ -1,9 +1,9 @@
--- ---
- name: Copy .bashrc - name: Copy .bashrc
template: ansible.builtin.template:
src: files/bash/bashrc src: files/bash/bashrc
dest: "/home/{{ user }}/.bashrc" dest: "/home/{{ user }}/.bashrc"
owner: "{{ user }}" owner: "{{ user }}"
group: "{{ user }}" group: "{{ user }}"
mode: 0644 mode: "644"
become: yes become: true

View File

@ -5,10 +5,10 @@
become: true become: true
- name: Update /etc/hosts to reflect the new hostname - name: Update /etc/hosts to reflect the new hostname
lineinfile: ansible.builtin.lineinfile:
path: /etc/hosts path: /etc/hosts
regexp: '^127\.0\.1\.1' regexp: '^127\.0\.1\.1'
line: "127.0.1.1 {{ host.hostname }}" line: "127.0.1.1 {{ host.hostname }}"
state: present state: present
backup: yes backup: true
become: true become: true

View File

@ -1,6 +1,11 @@
--- ---
- include_tasks: time.yml - name: Configure Time
- include_tasks: hostname.yml ansible.builtin.include_tasks: time.yml
- include_tasks: packages.yml - name: Configure Hostname
- include_tasks: bash.yml ansible.builtin.include_tasks: hostname.yml
- include_tasks: sshd.yml - name: Configure Packages
ansible.builtin.include_tasks: packages.yml
- name: Configure Bash
ansible.builtin.include_tasks: bash.yml
- name: Configure SSH
ansible.builtin.include_tasks: sshd.yml

View File

@ -1,13 +1,13 @@
--- ---
- name: Update and upgrade packages - name: Update and upgrade packages
apt: ansible.builtin.apt:
update_cache: yes update_cache: true
upgrade: yes upgrade: true
autoremove: yes autoremove: true
become: yes become: true
- name: Install extra packages - name: Install extra packages
apt: ansible.builtin.apt:
name: "{{ common_packages }}" name: "{{ common_packages }}"
state: present state: present
become: yes become: true

View File

@ -1,15 +1,15 @@
--- ---
- name: Copy sshd_config - name: Copy sshd_config
template: ansible.builtin.template:
src: templates/ssh/sshd_config src: templates/ssh/sshd_config
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
mode: 0644 mode: "644"
notify: notify:
- Restart sshd - Restart sshd
become: yes become: true
- name: Copy pubkey - name: Copy pubkey
copy: ansible.builtin.copy:
content: "{{ pubkey }}" content: "{{ pubkey }}"
dest: "/home/{{ user }}/.ssh/authorized_keys" dest: "/home/{{ user }}/.ssh/authorized_keys"
owner: "{{ user }}" owner: "{{ user }}"

View File

@ -1,124 +1,18 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf Include /etc/ssh/sshd_config.d/*.conf
Protocol 2 Protocol 2
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no PermitRootLogin no
#StrictModes yes
MaxAuthTries 3 MaxAuthTries 3
#MaxSessions 10
PubkeyAuthentication yes PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no PasswordAuthentication no
PermitEmptyPasswords no PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes UsePAM yes
AllowAgentForwarding no AllowAgentForwarding no
AllowTcpForwarding no AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no PrintMotd no
#PrintLastLog yes
TCPKeepAlive no TCPKeepAlive no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveCountMax 2 ClientAliveCountMax 2
UseDNS yes UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

View File

@ -1,6 +1,6 @@
--- ---
- name: See if k3s file exists - name: See if k3s file exists
stat: ansible.builtin.stat:
path: /usr/local/bin/k3s path: /usr/local/bin/k3s
register: k3s_status register: k3s_status
@ -13,7 +13,7 @@
- name: Install K3s server with node taint and TLS SAN - name: Install K3s server with node taint and TLS SAN
when: (host.ip == k3s.server.ips[0] and (not k3s_status.stat.exists)) when: (host.ip == k3s.server.ips[0] and (not k3s_status.stat.exists))
command: | ansible.builtin.command: |
/tmp/k3s_install.sh server \ /tmp/k3s_install.sh server \
--node-taint CriticalAddonsOnly=true:NoExecute \ --node-taint CriticalAddonsOnly=true:NoExecute \
--tls-san {{ k3s.loadbalancer.ip }} --tls-san {{ k3s.loadbalancer.ip }}
@ -43,11 +43,11 @@
- name: Set fact on k3s.server.ips[0] - name: Set fact on k3s.server.ips[0]
when: host.ip == k3s.server.ips[0] when: host.ip == k3s.server.ips[0]
set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}" ansible.builtin.set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}"
- name: Install K3s on the secondary servers - name: Install K3s on the secondary servers
when: (host.ip != k3s.server.ips[0] and (not k3s_status.stat.exists)) when: (host.ip != k3s.server.ips[0] and (not k3s_status.stat.exists))
command: | ansible.builtin.command: |
/tmp/k3s_install.sh server \ /tmp/k3s_install.sh server \
--node-taint CriticalAddonsOnly=true:NoExecute \ --node-taint CriticalAddonsOnly=true:NoExecute \
--tls-san {{ k3s.loadbalancer.ip }} --tls-san {{ k3s.loadbalancer.ip }}

View File

@ -0,0 +1,6 @@
---
- name: Restart k3s
service:
name: k3s
state: restarted
become: yes

View File

@ -0,0 +1,22 @@
---
- name: See if k3s file exists
ansible.builtin.stat:
path: /usr/local/bin/k3s
register: k3s_status
- name: Download K3s install script to /tmp/
when: not k3s_status.stat.exists
ansible.builtin.get_url:
url: https://get.k3s.io
dest: /tmp/k3s_install.sh
mode: "0755"
- name: Install K3s on the secondary servers with longhorn affinity
when: not k3s_status.stat.exists
ansible.builtin.command: |
/tmp/k3s_install.sh \
--node-label longhorn=true
environment:
K3S_URL: "https://{{ k3s.loadbalancer.ip }}:{{ k3s.loadbalancer.default_port }}"
K3S_TOKEN: "{{ k3s_token }}"
become: true

View File

@ -0,0 +1,2 @@
---
- include_tasks: installation.yml

View File

@ -1,3 +1,3 @@
#!/bin/bash #!/bin/bash
ansible-vault view secrets.yml | sed "s/: \w\+$/: ......../g" >>secrets.yml.skeleton ansible-vault view secrets.yml | sed "s/: [a-zA-Z0-9!\"]\+/: ......../" >secrets.yml.skeleton

View File

@ -1,4 +1,26 @@
vault: vault:
k3s: k3s:
server: server00:
sudo: ........ sudo: ........
server01:
sudo: ........
server02:
sudo: ........
agent00:
sudo: ........
agent01:
sudo: ........
agent02:
sudo: ........
longhorn00:
sudo: ........
longhorn01:
sudo: ........
longhorn02:
sudo: ........
loadbalancer:
sudo: ........
postgres:
sudo: ........
db:
password: ........