This commit is contained in:
parent
5f301ce32a
commit
1663a469c2
@ -2,6 +2,14 @@
|
|||||||
k3s_version: v1.22.3+k3s1
|
k3s_version: v1.22.3+k3s1
|
||||||
ansible_user: root
|
ansible_user: root
|
||||||
systemd_dir: /etc/systemd/system
|
systemd_dir: /etc/systemd/system
|
||||||
|
systemd_network_dir: /etc/systemd/network
|
||||||
master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['ansible_host'] | default(groups['serverctl_master_hosts'][0]) }}"
|
master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['ansible_host'] | default(groups['serverctl_master_hosts'][0]) }}"
|
||||||
extra_server_args: ""
|
extra_server_args: ""
|
||||||
extra_agent_args: ""
|
extra_agent_args: ""
|
||||||
|
|
||||||
|
ansible_become_method: su
|
||||||
|
|
||||||
|
ufw_enabled: true
|
||||||
|
|
||||||
|
wireguard_mask_bits: 24
|
||||||
|
wireguard_port: 51871
|
18
infrastructure/create-resources/ansible/inventory/hosts.cfg
Executable file
18
infrastructure/create-resources/ansible/inventory/hosts.cfg
Executable file
@ -0,0 +1,18 @@
|
|||||||
|
[serverctl_master_hosts]
|
||||||
|
|
||||||
|
[serverctl_node_hosts]
|
||||||
|
|
||||||
|
[serverctl_mesh_nodes]
|
||||||
|
65.21.50.146 ansible_host=65.21.50.146 wireguard_ip=192.168.0.1
|
||||||
|
65.21.251.3 ansible_host=65.21.251.3 wireguard_ip=192.168.0.2
|
||||||
|
65.21.255.102 ansible_host=65.21.255.102 wireguard_ip=192.168.0.3
|
||||||
|
95.216.162.16 ansible_host=95.216.162.16 wireguard_ip=192.168.0.4
|
||||||
|
|
||||||
|
[serverctl_mesh_nodes:vars]
|
||||||
|
pipelining=true
|
||||||
|
ansible_ssh_user=root
|
||||||
|
ansible_ssh_port=22
|
||||||
|
|
||||||
|
[serverctl_cluster:children]
|
||||||
|
serverctl_master_hosts
|
||||||
|
serverctl_node_hosts
|
7
infrastructure/create-resources/ansible/ping.yml
Normal file
7
infrastructure/create-resources/ansible/ping.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
- hosts: serverctl_mesh_nodes
|
||||||
|
gather_facts: yes
|
||||||
|
tasks:
|
||||||
|
- name: ping
|
||||||
|
command: "ping -c3 {{ hostvars[item].wireguard_ip}}"
|
||||||
|
with_items: "{{groups['all']}}"
|
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
- name: systemd network restart
|
||||||
|
service:
|
||||||
|
name: systemd-networkd
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
become: yes
|
@ -0,0 +1,128 @@
|
|||||||
|
---
|
||||||
|
- name: update packages
|
||||||
|
apt:
|
||||||
|
update_cache: yes
|
||||||
|
cache_valid_time: 3600
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
|
||||||
|
- name: install ufw
|
||||||
|
apt:
|
||||||
|
name: ufw
|
||||||
|
state: present
|
||||||
|
become: yes
|
||||||
|
when: ufw_enabled
|
||||||
|
|
||||||
|
- name: Allow SSH in UFW
|
||||||
|
ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{ ansible_ssh_port }}"
|
||||||
|
proto: tcp
|
||||||
|
become: yes
|
||||||
|
when: ufw_enabled
|
||||||
|
|
||||||
|
- name: Set ufw logging
|
||||||
|
ufw:
|
||||||
|
logging: "on"
|
||||||
|
become: yes
|
||||||
|
when: ufw_enabled
|
||||||
|
|
||||||
|
- name: inter-node Wireguard UFW connectivity
|
||||||
|
ufw:
|
||||||
|
rule: allow
|
||||||
|
src: "{{ hostvars[item].wireguard_ip }}"
|
||||||
|
with_items: "{{ groups['all'] }}"
|
||||||
|
become: yes
|
||||||
|
when: ufw_enabled and item != inventory_hostname
|
||||||
|
|
||||||
|
- name: Reject everything and enable UFW
|
||||||
|
ufw:
|
||||||
|
state: enabled
|
||||||
|
policy: reject
|
||||||
|
log: yes
|
||||||
|
become: yes
|
||||||
|
when: ufw_enabled
|
||||||
|
|
||||||
|
- name: enable and persist ip forwarding
|
||||||
|
sysctl:
|
||||||
|
name: net.ipv4.ip_forward
|
||||||
|
value: "1"
|
||||||
|
state: present
|
||||||
|
sysctl_set: yes
|
||||||
|
reload: yes
|
||||||
|
|
||||||
|
- name: install wireguard
|
||||||
|
apt:
|
||||||
|
name: wireguard
|
||||||
|
state: present
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: generate wireguard keypair
|
||||||
|
shell: wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
|
||||||
|
args:
|
||||||
|
creates: /etc/wireguard/privatekey
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: register private key
|
||||||
|
shell: cat /etc/wireguard/privatekey
|
||||||
|
register: wireguard_private_key
|
||||||
|
changed_when: false
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: register public key
|
||||||
|
shell: cat /etc/wireguard/publickey
|
||||||
|
register: wireguard_public_key
|
||||||
|
changed_when: false
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: generate preshared keypair
|
||||||
|
shell: "wg genpsk > /etc/wireguard/psk-{{item}}"
|
||||||
|
args:
|
||||||
|
creates: "/etc/wireguard/psk-{{item}}"
|
||||||
|
when: inventory_hostname < item
|
||||||
|
with_items: "{{groups['serverctl_mesh_nodes']}}"
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: register preshared key
|
||||||
|
shell: "cat /etc/wireguard/psk-{{item}}"
|
||||||
|
register: wireguard_preshared_key
|
||||||
|
changed_when: false
|
||||||
|
when: inventory_hostname < item
|
||||||
|
with_items: "{{groups['serverctl_mesh_nodes']}}"
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: message preshared keys
|
||||||
|
set_fact: "wireguard_preshared_keys={{wireguard_preshared_keys|default({}) | combine({item.item: item.stdout})}}"
|
||||||
|
when: item.skipped is not defined
|
||||||
|
with_items: "{{wireguard_preshared_key.results}}"
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: Setup wgserverctl0 device
|
||||||
|
template:
|
||||||
|
src: 'systemd.netdev'
|
||||||
|
dest: '{{systemd_network_dir}}/99-wg0.netdev'
|
||||||
|
owner: root
|
||||||
|
group: systemd-network
|
||||||
|
mode: 0640
|
||||||
|
become: yes
|
||||||
|
notify: systemd network restart
|
||||||
|
|
||||||
|
- name: Setup wgserverctl0 network
|
||||||
|
template:
|
||||||
|
src: 'systemd.network'
|
||||||
|
dest: "{{systemd_network_dir}}/99-wg0.network"
|
||||||
|
owner: root
|
||||||
|
group: systemd-network
|
||||||
|
mode: 0640
|
||||||
|
become: yes
|
||||||
|
notify: systemd network restart
|
||||||
|
|
||||||
|
#- name: Start and enalbe wireguard on book
|
||||||
|
# systemd:
|
||||||
|
# name: wg-quick@wgserverctl0
|
||||||
|
# enabled: yes
|
||||||
|
# state: started
|
||||||
|
|
||||||
|
#- debug: msg="{{item.1}} - {{ (wireguard_base_ipv4|ipaddr(item.0 + 1)) }}"
|
||||||
|
# with_indexed_items: "{{groups.serverctl_mesh_nodes}}"
|
||||||
|
|
@ -0,0 +1,20 @@
|
|||||||
|
[NetDev]
|
||||||
|
Name=wg0
|
||||||
|
Kind=wireguard
|
||||||
|
Description=WireGuard tunnel wg0
|
||||||
|
|
||||||
|
[WireGuard]
|
||||||
|
ListenPort={{ wireguard_port }}
|
||||||
|
PrivateKey={{ wireguard_private_key.stdout }}
|
||||||
|
|
||||||
|
{% for peer in groups['serverctl_mesh_nodes'] %}
|
||||||
|
{% if peer != inventory_hostname %}
|
||||||
|
|
||||||
|
[WireGuardPeer]
|
||||||
|
PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
|
||||||
|
PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
|
||||||
|
AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
|
||||||
|
Endpoint={{ hostvars[peer].ansible_host }}:{{ wireguard_port }}
|
||||||
|
PersistentKeepalive=25
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
@ -0,0 +1,5 @@
|
|||||||
|
[Match]
|
||||||
|
Name=wg0
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
Address={{ wireguard_ip }}/{{ wireguard_mask_bits }}
|
@ -9,6 +9,13 @@
|
|||||||
become: yes
|
become: yes
|
||||||
roles:
|
roles:
|
||||||
- role: "./k3s/master"
|
- role: "./k3s/master"
|
||||||
|
|
||||||
|
- hosts: serverctl_mesh_nodes
|
||||||
|
become: yes
|
||||||
|
gather_facts: yes
|
||||||
|
roles:
|
||||||
|
- role: './wireguard/mesh'
|
||||||
|
|
||||||
#- hosts: serverctl_node_hosts
|
#- hosts: serverctl_node_hosts
|
||||||
# become: yes
|
# become: yes
|
||||||
# roles:
|
# roles:
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
|
|
||||||
variable "serverctl_master_count" {
|
variable "serverctl_master_count" {
|
||||||
default = 0
|
default = 0
|
||||||
}
|
}
|
||||||
@ -7,6 +6,9 @@ variable "serverctl_node_count" {
|
|||||||
default = 0
|
default = 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "serverctl_mesh_count" {
|
||||||
|
default = 4
|
||||||
|
}
|
||||||
|
|
||||||
resource "hcloud_placement_group" "serverctl_master" {
|
resource "hcloud_placement_group" "serverctl_master" {
|
||||||
name = "serverctl_master_group"
|
name = "serverctl_master_group"
|
||||||
@ -72,11 +74,44 @@ resource "hcloud_server" "serverctl_node" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "hcloud_placement_group" "serverctl_mesh" {
|
||||||
|
name = "serverctl_mesh_group"
|
||||||
|
type = "spread"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "hcloud_server" "serverctl_mesh" {
|
||||||
|
count = var.serverctl_mesh_count
|
||||||
|
name = "serverctl-mesh-${count.index}"
|
||||||
|
image = "debian-11"
|
||||||
|
server_type = "cx11"
|
||||||
|
ssh_keys = [
|
||||||
|
var.hcloud_serverctl_ssh_key_id
|
||||||
|
]
|
||||||
|
placement_group_id = hcloud_placement_group.serverctl_mesh.id
|
||||||
|
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
create_before_destroy = true
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "remote-exec" {
|
||||||
|
inline = ["sudo apt update", "sudo apt install python3 -y", "echo Done!"]
|
||||||
|
|
||||||
|
connection {
|
||||||
|
host = self.ipv4_address
|
||||||
|
type = "ssh"
|
||||||
|
user = "root"
|
||||||
|
private_key = file(var.pvt_key)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "local_file" "hosts_cfg" {
|
resource "local_file" "hosts_cfg" {
|
||||||
content = templatefile("${path.module}/templates/hosts.tpl",
|
content = templatefile("${path.module}/templates/hosts.tftpl",
|
||||||
{
|
{
|
||||||
serverctl_masters = hcloud_server.serverctl_master.*.ipv4_address
|
serverctl_masters = hcloud_server.serverctl_master.*.ipv4_address
|
||||||
serverctl_nodes = hcloud_server.serverctl_node.*.ipv4_address
|
serverctl_nodes = hcloud_server.serverctl_node.*.ipv4_address
|
||||||
|
serverctl_mesh_nodes = hcloud_server.serverctl_mesh.*.ipv4_address
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
filename = "ansible/inventory/hosts.cfg"
|
filename = "ansible/inventory/hosts.cfg"
|
||||||
|
23
infrastructure/create-resources/templates/hosts.tftpl
Normal file
23
infrastructure/create-resources/templates/hosts.tftpl
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
[serverctl_master_hosts]
|
||||||
|
%{ for ip in serverctl_masters ~}
|
||||||
|
${ip}
|
||||||
|
%{ endfor ~}
|
||||||
|
|
||||||
|
[serverctl_node_hosts]
|
||||||
|
%{ for ip in serverctl_nodes ~}
|
||||||
|
${ip}
|
||||||
|
%{ endfor ~}
|
||||||
|
|
||||||
|
[serverctl_mesh_nodes]
|
||||||
|
%{ for ip in serverctl_mesh_nodes ~}
|
||||||
|
${ip} ansible_host=${ip} wireguard_ip=${cidrhost("192.168.0.0/24", index(serverctl_mesh_nodes, ip) + 1)}
|
||||||
|
%{ endfor ~}
|
||||||
|
|
||||||
|
[serverctl_mesh_nodes:vars]
|
||||||
|
pipelining=true
|
||||||
|
ansible_ssh_user=root
|
||||||
|
ansible_ssh_port=22
|
||||||
|
|
||||||
|
[serverctl_cluster:children]
|
||||||
|
serverctl_master_hosts
|
||||||
|
serverctl_node_hosts
|
@ -1,13 +0,0 @@
|
|||||||
[serverctl_master_hosts]
|
|
||||||
%{ for ip in serverctl_masters ~}
|
|
||||||
${ip}
|
|
||||||
%{ endfor ~}
|
|
||||||
|
|
||||||
[serverctl_node_hosts]
|
|
||||||
%{ for ip in serverctl_nodes ~}
|
|
||||||
${ip}
|
|
||||||
%{ endfor ~}
|
|
||||||
|
|
||||||
[serverctl_cluster:children]
|
|
||||||
serverctl_master_hosts
|
|
||||||
serverctl_node_hosts
|
|
Loading…
Reference in New Issue
Block a user