infra-ansible

ansible script to ship alpine/ssh/wireguard


commit 1a658b7c9d35f5aca492d333da1101c35f1fbb0a
parent edfd90ca32e61e1aa44a6b702649a664ffa71e5b
Author: Jul <jul@9o.is>
Date:   Wed, 15 May 2024 04:10:30 +0800

fix and refactor k0s installation

Diffstat:
Mhost/roles/k0s/handlers/main.yml | 15+++++----------
Ahost/roles/k0s/tasks/install.yml | 42++++++++++++++++++++++++++++++++++++++++++
Ahost/roles/k0s/tasks/kubeconfig.yml | 31+++++++++++++++++++++++++++++++
Mhost/roles/k0s/tasks/main.yml | 125++++---------------------------------------------------------------------------
Ahost/roles/k0s/tasks/prepare.yml | 39+++++++++++++++++++++++++++++++++++++++
Mhost/roles/setup/tasks/hostname.yml | 9---------
Mhost/roles/wireguard/templates/nftables.conf.j2 | 3+++
Mhost/site.yml | 9+++------
8 files changed, 129 insertions(+), 144 deletions(-)

diff --git a/host/roles/k0s/handlers/main.yml b/host/roles/k0s/handlers/main.yml @@ -1,11 +1,6 @@ --- -- name: restart k0s - block: - - service: - name: k0scontroller - state: restarted - - wait_for: - host: localhost - port: 6443 - delay: 15 - timeout: 180 +- name: restart kubes + service: + name: k0scontroller + state: restarted + diff --git a/host/roles/k0s/tasks/install.yml b/host/roles/k0s/tasks/install.yml @@ -0,0 +1,42 @@ +--- +- name: Configure k0s + template: + src: k0s.yaml.j2 + dest: '/etc/k0s/k0s.yaml' + owner: root + group: root + mode: '0600' + notify: restart kubes + +- name: Install k0s controller + register: install_cmd + command: k0s install controller --single + args: + creates: /etc/systemd/system/k0scontroller.service + changed_when: install_cmd | length > 0 + +- name: Ensure k0scontroller service dir exists + file: + path: /etc/systemd/system/k0scontroller.service.d + state: directory + +- name: Ensure systemd drop-in unit for custom Env exists + template: + src: env.conf.j2 + dest: /etc/systemd/system/k0scontroller.service.d/env.conf + notify: restart kubes + +- name: Enable and start k0s service + systemd: + name: k0scontroller + daemon_reload: yes + enabled: yes + state: started + +- name: Wait for k8s apiserver + wait_for: + host: localhost + port: 6443 + delay: 15 + timeout: 180 + diff --git a/host/roles/k0s/tasks/kubeconfig.yml b/host/roles/k0s/tasks/kubeconfig.yml 
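Review bot: The `restart kubes` handler drops the `wait_for` on port 6443 that the old `restart k0s` block had, so a restart triggered by a later change to `/etc/k0s/k0s.yaml` or the env drop-in now returns as soon as the service unit is restarted, not when the API is reachable again. With `--single` this is the only controller, so anything that runs after the handlers (a later play, a follow-up `kubectl` from the control node) can land in the window while the apiserver is still coming up. Keep the wait in the handler chain, e.g. a second handler `- name: wait for kubes` with the same `wait_for:` block, notified from `restart kubes` (or attached via `listen`), so the handler still contracts "service is back" rather than "restart was issued". A one-line comment on the handler stating that it intentionally does not wait would also do, if that is the intent.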
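Review bot: `changed_when: install_cmd | length > 0` in "Install k0s controller" can never be false: `install_cmd` is the registered result mapping, which always has keys (`rc`, `stdout`, ...), so the task reports "changed" on every run, including the runs where `creates:` prevents the command from executing, which defeats idempotence reporting. `creates:` already makes the task idempotent; drop the `register`/`changed_when` pair, or, if an explicit condition is wanted, base it on the command output rather than the result dict. Two smaller points in the same file: "Configure k0s" renders `k0s.yaml.j2`, which is not in this commit's diffstat, so it presumably already exists under the role's `templates/` (the old, commented-out task referenced it) — worth confirming since the task was never live before; and the `env.conf` drop-in is written with no `owner`/`group`/`mode`, unlike `k0s.yaml`, so if it carries anything sensitive give it `mode: '0600'` as well. The YAML `yes` values on the `systemd` task are better written as `true`.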
@@ -0,0 +1,31 @@ +--- +- name: Copy config file to home directory + copy: + src: '/var/lib/k0s/pki/admin.conf' + dest: /root/k0s-kubeconfig.yml + remote_src: yes + owner: root + mode: '0644' + +- name: Set controller IP in kubeconfig + replace: + path: /root/k0s-kubeconfig.yml + regexp: 'localhost' + replace: '{{ ansible_host }}' + +- name: Fetch kubeconfig + fetch: + src: /root/k0s-kubeconfig.yml + dest: '{{ k0s_artifacts }}/k0s-kubeconfig.yml' + flat: yes + validate_checksum: no + +- name: Configure fish terminal with KUBECONFIG + delegate_to: localhost + copy: + content: 'set -x KUBECONFIG "{{ k0s_artifacts }}/k0s-kubeconfig.yml"' + dest: ~user/.config/fish/conf.d/k0s.fish + owner: user + group: user + mode: '0644' + diff --git a/host/roles/k0s/tasks/main.yml b/host/roles/k0s/tasks/main.yml 
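Review bot: "Copy config file to home directory" writes a copy of `/var/lib/k0s/pki/admin.conf` — a cluster-admin credential — to `/root/k0s-kubeconfig.yml` with `mode: '0644'`, which makes it readable by every local account on the controller; it should be `mode: '0600'` (the fetched copy on the control node should get the same treatment, `fetch` does not set a mode). "Set controller IP in kubeconfig" replaces every occurrence of `localhost` in the file rather than the server URL; a narrower pattern such as `regexp: 'https://localhost:6443'` / `replace: 'https://{{ ansible_host }}:6443'` avoids touching cluster or context names if they ever contain that word. "Configure fish terminal with KUBECONFIG" runs `copy` on localhost into `~user/.config/fish/conf.d/`, and `copy` does not create parent directories, so this presumably relies on that directory already existing on the control node — worth a `file: state: directory` task in front of it or a comment saying so.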
@@ -1,123 +1,10 @@ --- -- name: create k0s user - user: - name: k0s - password: '*' +- name: Prepare k0s + include_tasks: prepare.yml -- name: Make dir for k0s distro - delegate_to: localhost - become: false - file: - path: '{{ k0s_distros }}' - state: directory +- name: Install k0s + include_tasks: install.yml -- name: Download k0s binary k0s-{{ k0s_version }}-amd64 - delegate_to: localhost - become: false - get_url: - url: https://github.com/k0sproject/k0s/releases/download/{{ k0s_version }}/k0s-{{ k0s_version }}-amd64 - dest: '{{ k0s_distros }}' - when: item == 'x86_64' and not (k0s_distros + '/k0s-' + k0s_version + '-amd64') is exists - with_items: '{{ ansible_facts.architecture }}' +- name: Set k0s kubeconfig + include_tasks: kubeconfig.yml -- name: Upload k0s binary - copy: - src: '{{ k0s_distros }}/k0s-{{ k0s_version }}-amd64' - dest: '/usr/local/bin/k0s' - owner: 'k0s' - group: 'k0s' - mode: '0755' - when: ansible_facts.architecture == 'x86_64' - notify: restart k0s - -- name: Create k0s Directories - file: - path: '{{ item }}' - state: directory - mode: '0755' - owner: 'k0s' - group: 'k0s' - loop: - - '/etc/k0s' - - '/var/lib/k0s' - - '/usr/libexec/k0s' - -# - name: Configure k0s -# template: -# src: k0s.yaml.j2 -# dest: '/etc/k0s/k0s.yaml' -# owner: 'k0s' -# group: 'k0s' -# mode: '0600' -# notify: restart k0s - -- name: Generate default k0s config file - block: - - name: Create default k0s config - register: default_k0s_config - command: k0s default-config > /etc/k0s/k0s.yaml - - name: Store default k0s config - copy: - dest: '/etc/k0s/k0s.yaml' - content: '{{ default_k0s_config.stdout }}' - owner: 'k0s' - group: 'k0s' - mode: '0600' - -- name: Install k0s controller - register: install_initial_controller_cmd - command: k0s install controller --single - args: - creates: /etc/systemd/system/k0scontroller.service - changed_when: install_initial_controller_cmd | length > 0 - -- name: Ensure k0scontroller service dir exists - file: - path: 
/etc/systemd/system/k0scontroller.service.d - state: directory - -- name: Ensure systemd drop-in unit for custom Env exists - template: - src: env.conf.j2 - dest: /etc/systemd/system/k0scontroller.service.d/env.conf - notify: restart k0s - -- name: Enable and start k0s service - systemd: - name: k0scontroller - daemon_reload: yes - enabled: yes - state: started - -- name: Wait for k8s apiserver - wait_for: - host: localhost - port: 6443 - delay: 15 - timeout: 180 - -- name: Copy config file to home directory - copy: - src: '/var/lib/k0s/pki/admin.conf' - dest: ~k0s/k0s-kubeconfig.yml - remote_src: yes - owner: 'k0s' - mode: '0644' - -- name: Set controller IP in kubeconfig - replace: - path: ~k0s/k0s-kubeconfig.yml - regexp: 'localhost' - replace: '{{ ansible_host }}' - -- name: Fetch kubeconfig - become: false - fetch: - src: '~k0s/k0s-kubeconfig.yml' - dest: '{{ k0s_artifacts }}/k0s-kubeconfig.yml' - flat: yes - validate_checksum: no - -- name: Print kubeconfig command - debug: - msg: 'To use Cluster: export KUBECONFIG={{ k0s_artifacts }}/k0s-kubeconfig.yml' diff --git a/host/roles/k0s/tasks/prepare.yml b/host/roles/k0s/tasks/prepare.yml 
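Review bot: `main.yml` now pulls the three task files in with `include_tasks`, and unless I misremember, tags set on the role in `site.yml` (`tags: k0s`) apply only to the include task itself for dynamic includes, not to the tasks inside the included files, so a `--tags k0s` run may execute the includes and then skip their contents; `import_tasks: prepare.yml` (and likewise for the other two) gives the static, tag-inheriting behaviour this layout seems to want. The removed "create k0s user" task also means the binary and `/etc/k0s`, `/var/lib/k0s` are now root-owned and the controller runs as root; that matches the new `owner: root` lines elsewhere but is a silent privilege change — a comment at the top of `main.yml` such as `# k0s runs as root; no dedicated service user (see prepare.yml)` would record it.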
@@ -0,0 +1,39 @@ +--- +- name: Make dir for k0s distro + delegate_to: localhost + become: false + file: + path: '{{ k0s_distros }}' + state: directory + +- name: Download k0s binary k0s-{{ k0s_version }}-amd64 + delegate_to: localhost + become: false + get_url: + url: https://github.com/k0sproject/k0s/releases/download/{{ k0s_version }}/k0s-{{ k0s_version }}-amd64 + dest: '{{ k0s_distros }}' + when: item == 'x86_64' and not (k0s_distros + '/k0s-' + k0s_version + '-amd64') is exists + with_items: '{{ ansible_facts.architecture }}' + +- name: Upload k0s binary + copy: + src: '{{ k0s_distros }}/k0s-{{ k0s_version }}-amd64' + dest: '/usr/local/bin/k0s' + owner: root + group: root + mode: '0755' + when: ansible_facts.architecture == 'x86_64' + notify: restart kubes + +- name: Create k0s Directories + file: + path: '{{ item }}' + state: directory + mode: '0755' + owner: root + group: root + loop: + - '/etc/k0s' + - '/var/lib/k0s' + - '/usr/libexec/k0s' + diff --git a/host/roles/setup/tasks/hostname.yml b/host/roles/setup/tasks/hostname.yml @@ -8,15 +8,6 @@ content: | {{ ansible_host }} -- name: set hostname in /etc/hosts - lineinfile: - path: /etc/hosts - regexp: '^127\.0\.0\.1' - line: 127.0.0.1 localhost {{ ansible_host }} - owner: root - group: root - mode: '0644' - - name: register current hostname shell: hostnamectl hostname register: current_hostname diff --git a/host/roles/wireguard/templates/nftables.conf.j2 b/host/roles/wireguard/templates/nftables.conf.j2 @@ -29,12 +29,14 @@ table ip filter { chain wireguard-wg0 { tcp dport ssh accept + tcp dport 6443 accept } } table ip6 filter { chain input { type filter hook input priority filter; policy drop; + iifname lo accept } chain forward { @@ -43,6 +45,7 @@ table ip6 filter { chain output { type filter hook output priority filter; policy drop; + oifname lo accept } } diff --git a/host/site.yml b/host/site.yml 
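Review bot: "Download k0s binary" fetches the release binary from GitHub with no `checksum:`, so the only integrity check on what later becomes `/usr/local/bin/k0s` (mode 0755, root-owned, run as root) is TLS; `get_url` supports `checksum: 'sha256:<expected digest for k0s_version>'` (a value per pinned version, or a URL to the release's published checksum file), which turns a tampered or truncated download into a task failure instead of an installed binary. Separately, `with_items: '{{ ansible_facts.architecture }}'` loops over a single scalar so that `item` can be compared — `when: ansible_facts.architecture == 'x86_64' and not (k0s_distros + '/k0s-' + k0s_version + '-amd64') is exists` with no loop says the same thing, and the `is exists` test evaluates on the control node, which is the intent here given `delegate_to: localhost`.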
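Review bot: The new `tcp dport 6443 accept` sits in chain `wireguard-wg0`, so the k8s API is only reachable over the tunnel while the kubeconfig from the k0s role points at `{{ ansible_host }}`; that coupling is easy to break later (if `ansible_host` is not the WireGuard-side address, `kubectl` from the control node will simply time out), so put it on the line: `tcp dport 6443 accept  # k8s API; kubeconfig targets ansible_host, only over wg0`. The second hunk adds `iifname lo`/`oifname lo` accepts to the ip6 `input` and `output` chains; the matching accepts in the `ip filter` table are outside this diff, so I cannot tell whether v4 loopback was already open — if it was not, local k0s components talking to 127.0.0.1:6443 would be dropped, which is worth checking on a fresh host.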
@@ -15,12 +15,9 @@ - role: openssh tags: openssh + - role: k0s + tags: k0s + - role: wireguard tags: wireguard -- name: Kubernetes - hosts: servers - tags: kubes - roles: - - k0s -
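Review bot: With the separate "Kubernetes" play gone, the k0s role now runs in the main play before the `wireguard` role, so on a first run the controller is installed, started and its apiserver reached (the `wait_for` in install.yml) before the nftables template from the wireguard role is applied; if that template is what restricts 6443 to `wg0`, there is a window on a fresh host where the API listens with whatever ruleset was active before, presumably the default policy — swapping the two roles, or noting in a comment why k0s must come first, would make that explicit. The old play was tagged `kubes` while the role is tagged `k0s`; anyone running `--tags kubes` now gets nothing, so either keep both tags (`tags: [k0s, kubes]`) or mention the rename.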