feature/me
...
main
Author | SHA1 | Date | |
---|---|---|---|
2c6c74fe73 | |||
0f995dadbd | |||
862278c419 | |||
4dbb2a1573 | |||
f3bd1f0ee8 | |||
18bde2e1b9 | |||
722793830b | |||
b56c0edd1f | |||
6c0d57b60e | |||
d0ad44a8e8 | |||
754368ffce | |||
3796dcce50 | |||
eb0db5f633 | |||
383f2c76fb | |||
a866be86f1 | |||
1ecfc17231 | |||
a76d9813bd | |||
faf93e7eb5 | |||
f1494b1817 | |||
44ad0306a9 | |||
467993dee3 | |||
e6b3321c2a | |||
140067aa15 | |||
8d4f4c9ab6 | |||
4d8a40fe8e | |||
e48e6f0c3d | |||
1f7b711048 | |||
e014270903 | |||
5c9f96be8e | |||
9eaca5ae11 | |||
1cb55b1fb3 | |||
ecc2e332da | |||
ede5600da5 | |||
b4ee531a81 | |||
1663a469c2 |
56
.drone.yml
56
.drone.yml
@ -1,30 +1,36 @@
|
||||
type: docker
|
||||
kind: pipeline
|
||||
name: Serverctl
|
||||
|
||||
steps:
|
||||
- name: terraform plan
|
||||
image: alpine
|
||||
environment:
|
||||
HCLOUD_TOKEN:
|
||||
from_secret: serverctl_hcloud_token
|
||||
ACCESS_KEY:
|
||||
from_secret: serverctl_access_key
|
||||
SECRET_KEY:
|
||||
from_secret: serverctl_secret_key
|
||||
SSH_ZIP_KEY:
|
||||
from_secret: serverctl_ssh_zip_key
|
||||
HCLOUD_SSH_KEY_ID:
|
||||
from_secret: serverctl_hcloud_ssh_key_id
|
||||
- name: test
|
||||
image: harbor.front.kjuulh.io/docker-proxy/library/bash:latest
|
||||
commands:
|
||||
- apk --update add curl zip ansible python3
|
||||
- cd infrastructure && ./unzip-ssh-keys.sh "$SSH_ZIP_KEY" && cd ..
|
||||
- curl --silent --output terraform.zip "https://releases.hashicorp.com/terraform/1.1.6/terraform_1.1.6_linux_amd64.zip"
|
||||
- unzip terraform.zip ; rm -f terraform.zip; chmod +x terraform
|
||||
- mkdir -p ${HOME}/bin ; export PATH=${PATH}:${HOME}/bin; mv terraform ${HOME}/bin/
|
||||
- terraform -v
|
||||
- cd infrastructure/create-resources
|
||||
- terraform init -backend-config="access_key=$ACCESS_KEY" -backend-config="secret_key=$SECRET_KEY"
|
||||
- terraform validate
|
||||
- terraform apply -auto-approve -var "hcloud_token=$HCLOUD_TOKEN" -var "pvt_key=../ssh_keys/id_ed25519" -var "pub_key=../ssh_keys/id_ed25519.pub" -var "hcloud_serverctl_ssh_key_id=$HCLOUD_SSH_KEY_ID"
|
||||
- cd ansible
|
||||
- ANSIBLE_HOST_KEY_CHECKING=False /usr/bin/ansible-playbook -u root --key-file '../../ssh_keys/id_ed25519' -e 'pub_key=../../ssh_keys/id_ed25519.pub' site.yml
|
||||
- echo 'Run tests'
|
||||
#
|
||||
# - name: terraform plan
|
||||
# image: alpine
|
||||
# environment:
|
||||
# HCLOUD_TOKEN:
|
||||
# from_secret: serverctl_hcloud_token
|
||||
# ACCESS_KEY:
|
||||
# from_secret: serverctl_access_key
|
||||
# SECRET_KEY:
|
||||
# from_secret: serverctl_secret_key
|
||||
# SSH_ZIP_KEY:
|
||||
# from_secret: serverctl_ssh_zip_key
|
||||
# HCLOUD_SSH_KEY_ID:
|
||||
# from_secret: serverctl_hcloud_ssh_key_id
|
||||
# commands:
|
||||
# - apk --update add curl zip ansible python3
|
||||
# - cd infrastructure && ./unzip-ssh-keys.sh "$SSH_ZIP_KEY" && cd ..
|
||||
# - curl --silent --output terraform.zip "https://releases.hashicorp.com/terraform/1.1.6/terraform_1.1.6_linux_amd64.zip"
|
||||
# - unzip terraform.zip ; rm -f terraform.zip; chmod +x terraform
|
||||
# - mkdir -p ${HOME}/bin ; export PATH=${PATH}:${HOME}/bin; mv terraform ${HOME}/bin/
|
||||
# - terraform -v
|
||||
# - cd infrastructure/create-resources
|
||||
# - terraform init -backend-config="access_key=$ACCESS_KEY" -backend-config="secret_key=$SECRET_KEY"
|
||||
# - terraform validate
|
||||
# - terraform apply -auto-approve -var "hcloud_token=$HCLOUD_TOKEN" -var "pvt_key=../ssh_keys/id_ed25519" -var "pub_key=../ssh_keys/id_ed25519.pub" -var "hcloud_serverctl_ssh_key_id=$HCLOUD_SSH_KEY_ID"
|
||||
# - cd ansible
|
||||
# - ANSIBLE_HOST_KEY_CHECKING=False /usr/bin/ansible-playbook -u root --key-file '../../ssh_keys/id_ed25519' -e 'pub_key=../../ssh_keys/id_ed25519.pub' site.yml
|
||||
|
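Review bot: The Terraform binary fetched by the curl/unzip lines of the test step is executed with no integrity check, so a substituted or tampered release zip would run with the Hetzner token and state-backend credentials in its environment; save the zip under its upstream name, fetch the `terraform_1.1.6_SHA256SUMS` file HashiCorp publishes next to it, and gate the unzip on `grep linux_amd64 terraform_1.1.6_SHA256SUMS | sha256sum -c -` (adding `--fail` to curl so a failed download never reaches unzip). The `hcloud_token` is also passed as a `-var` on the command line, where it shows up in the step log and in `ps`; exporting it as `TF_VAR_hcloud_token` keeps it out of argv. `ANSIBLE_HOST_KEY_CHECKING=False` on the playbook line removes the only protection against a man-in-the-middle on first SSH contact with the freshly created hosts; the host keys could instead be captured from the Hetzner console or cloud-init output into a known_hosts file passed via `--ssh-common-args`. Which of these lines are new and which are carried over cannot be told from this rendering, but all of them sit on the new side of the step.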
@ -55,7 +55,7 @@ services:
|
||||
|
||||
# Logging
|
||||
loki:
|
||||
image: grafana/loki:2.4.2
|
||||
image: grafana/loki:2.7.0
|
||||
ports:
|
||||
- 3100
|
||||
networks:
|
||||
@ -66,7 +66,7 @@ services:
|
||||
logging: *loki-logging
|
||||
|
||||
promtail:
|
||||
image: grafana/promtail:2.4.2
|
||||
image: grafana/promtail:2.7.0
|
||||
volumes:
|
||||
- ./services/logs/promtail/config.yaml:/mnt/config/promtail-config.yaml
|
||||
- /var/lib/docker/containers:/host/containers
|
||||
|
@ -2,6 +2,14 @@
|
||||
k3s_version: v1.22.3+k3s1
|
||||
ansible_user: root
|
||||
systemd_dir: /etc/systemd/system
|
||||
master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['ansible_host'] | default(groups['serverctl_master_hosts'][0]) }}"
|
||||
extra_server_args: ""
|
||||
extra_agent_args: ""
|
||||
systemd_network_dir: /etc/systemd/network
|
||||
master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['wireguard_ip'] | default(groups['serverctl_master_hosts'][0]) }}"
|
||||
extra_server_args: "--flannel-iface=serverctl-wg0"
|
||||
extra_agent_args: "--flannel-iface=serverctl-wg0"
|
||||
|
||||
ansible_become_method: su
|
||||
|
||||
ufw_enabled: true
|
||||
|
||||
wireguard_mask_bits: 24
|
||||
wireguard_port: 51871
|
32
infrastructure/create-resources/ansible/inventory/hosts.cfg
Executable file
32
infrastructure/create-resources/ansible/inventory/hosts.cfg
Executable file
@ -0,0 +1,32 @@
|
||||
[serverctl_master_hosts]
|
||||
95.217.155.228 ansible_host=95.217.155.228 wireguard_ip=10.1.1.1
|
||||
|
||||
[serverctl_node_hosts]
|
||||
65.21.50.146 ansible_host=65.21.50.146 wireguard_ip=10.1.1.10
|
||||
95.216.162.16 ansible_host=95.216.162.16 wireguard_ip=10.1.1.11
|
||||
|
||||
[serverctl_home_servers]
|
||||
192.168.1.150 ansible_host=192.168.1.150 wireguard_ip=10.1.1.8
|
||||
#192.168.1.233 ansible_host=192.168.1.233 wireguard_ip=10.1.1.9
|
||||
|
||||
[serverctl_cluster:children]
|
||||
serverctl_master_hosts
|
||||
serverctl_node_hosts
|
||||
|
||||
[serverctl_super_cluster:children]
|
||||
serverctl_cluster
|
||||
serverctl_home_servers
|
||||
|
||||
[serverctl_home_servers:vars]
|
||||
client_server=True
|
||||
|
||||
[serverctl_super_cluster:vars]
|
||||
pipelining=true
|
||||
ansible_ssh_user=root
|
||||
ansible_ssh_port=22
|
||||
|
||||
[serverctl_cluster:vars]
|
||||
client_server=False
|
||||
pipelining=true
|
||||
ansible_ssh_user=root
|
||||
ansible_ssh_port=22
|
8
infrastructure/create-resources/ansible/kubeconfig.yml
Normal file
8
infrastructure/create-resources/ansible/kubeconfig.yml
Normal file
@ -0,0 +1,8 @@
|
||||
- hosts: serverctl_master_hosts[0]
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Fetch kubeconfig
|
||||
ansible.builtin.fetch:
|
||||
src: ~/.kube/config
|
||||
dest: temp/.kube/config
|
||||
|
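Review bot: `ansible.builtin.fetch` without `flat: true` appends the inventory hostname and the full remote path to `dest`, so this task writes `temp/.kube/config/<host>/root/.kube/config` rather than the `temp/.kube/config` the task name suggests; add `flat: true` under `dest` to get the literal destination. The fetched file is a cluster-admin credential, so `temp/` should be ignored by git and the local copy tightened with a follow-up `ansible.builtin.file` task (`mode: "0600"`, `delegate_to: localhost`), since fetch has no mode parameter. With `become: yes` the `~` in `src` resolves to root's home on the master; whether the k3s role actually writes `~/.kube/config` there is not visible in this change, so confirm before relying on it.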
7
infrastructure/create-resources/ansible/ping.yml
Normal file
7
infrastructure/create-resources/ansible/ping.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
- hosts: serverctl_super_cluster
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- name: ping
|
||||
command: "ping -c3 {{ hostvars[item].wireguard_ip}}"
|
||||
with_items: "{{groups['all']}}"
|
@ -0,0 +1,67 @@
|
||||
---
|
||||
- name: update packages
|
||||
apt:
|
||||
update_cache: yes
|
||||
cache_valid_time: 3600
|
||||
become: yes
|
||||
|
||||
- name: install ufw
|
||||
apt:
|
||||
name: ufw
|
||||
state: present
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow SSH in UFW
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ ansible_ssh_port }}"
|
||||
proto: tcp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow wireguard port in UFW
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ wireguard_port }}"
|
||||
proto: udp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Set ufw logging
|
||||
ufw:
|
||||
logging: "on"
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: inter-node Wireguard UFW connectivity
|
||||
ufw:
|
||||
rule: allow
|
||||
src: "{{ hostvars[item].wireguard_ip }}"
|
||||
with_items: "{{ groups['all'] }}"
|
||||
become: yes
|
||||
when: ufw_enabled and item != inventory_hostname
|
||||
|
||||
- name: Reject everything and enable UFW
|
||||
ufw:
|
||||
state: enabled
|
||||
policy: reject
|
||||
log: yes
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow 6443 in UFW /tcp
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "6443"
|
||||
proto: tcp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow 6443 in UFW udp
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "6443"
|
||||
proto: udp
|
||||
become: yes
|
||||
when: ufw_enabled
|
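Review bot: The last two tasks open 6443/tcp and 6443/udp from any source, which exposes the k3s API server on the public interface even though group_vars now advertises it on the WireGuard address and agents reach it through the tunnel; the preceding "inter-node Wireguard UFW connectivity" rule already admits all traffic from each peer's `wireguard_ip`, so the world-open rules can be dropped unless kubectl access from outside the mesh is intended (then restrict them with `from_ip`), and the udp rule looks unused since the apiserver is TCP-only. That inter-node rule matches on source address alone, so a packet arriving on the public interface with a spoofed `10.1.1.x` source also matches; bind it to the tunnel with `direction: in` and `interface: serverctl-wg0`. Enabling ufw with `policy: reject` before the 6443 tasks only works because ufw applies rules additively; moving the enable task last makes that intent explicit.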
@ -1,4 +1,5 @@
|
||||
---
|
||||
|
||||
- name: Copy K3s service file
|
||||
register: k3s_service
|
||||
template:
|
||||
|
@ -7,7 +7,7 @@ After=network-online.target
|
||||
Type=notify
|
||||
ExecStartPre=-/sbin/modprobe br_netfilter
|
||||
ExecStartPre=-/sbin/modprobe overlay
|
||||
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args | default("") }}
|
||||
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args | default("") }} --advertise-address {{master_ip}}
|
||||
KillMode=process
|
||||
Delegate=yes
|
||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||
|
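Review bot: The master gets `--advertise-address {{master_ip}}` but, unlike the agent unit in this same change, no `--node-ip`, so its node InternalIP stays whatever k3s picks from the default route (presumably the public address on these Hetzner hosts) and master-bound kubelet/metrics traffic from agents would bypass the tunnel the firewall role now expects; add `--node-ip {{ master_ip }}` next to `--advertise-address` for symmetry. `--advertise-address` only changes what the API server advertises — it still listens on all interfaces — so if the API is meant to be tunnel-only, either `--bind-address {{ master_ip }}` or the firewall has to enforce that. The unit's `[Service]` section continues outside the hunk.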
@ -7,7 +7,7 @@ After=network-online.target
|
||||
Type=notify
|
||||
ExecStartPre=-/sbin/modprobe br_netfilter
|
||||
ExecStartPre=-/sbin/modprobe overlay
|
||||
ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['serverctl_master_hosts'][0]]['token'] }} {{ extra_agent_args | default("") }}
|
||||
ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['serverctl_master_hosts'][0]]['token'] }} {{ extra_agent_args | default("") }} --node-ip {{inventory_hostname}}
|
||||
KillMode=process
|
||||
Delegate=yes
|
||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||
|
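Review bot: `--node-ip {{inventory_hostname}}` sets the agent's node IP to the inventory hostname, which in `hosts.cfg` is the host's public IPv4 (`65.21.50.146 ansible_host=65.21.50.146 wireguard_ip=10.1.1.10`), not the WireGuard address — so while flannel is pinned to `serverctl-wg0` and the server URL uses `master_ip` over the tunnel, the master will reach this node's kubelet on its public interface, where the new ufw policy (as far as the firewall role shows) rejects everything except SSH, WireGuard and 6443. This line almost certainly wants `--node-ip {{ wireguard_ip }}`. The rest of the unit is outside the hunk.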
@ -0,0 +1,7 @@
|
||||
---
|
||||
- name: systemd network restart
|
||||
service:
|
||||
name: systemd-networkd
|
||||
state: restarted
|
||||
enabled: yes
|
||||
become: yes
|
@ -0,0 +1,89 @@
|
||||
---
|
||||
- name: install wireguard
|
||||
apt:
|
||||
name: wireguard
|
||||
state: present
|
||||
become: yes
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == "Ubuntu"
|
||||
|
||||
- name: install wireguard
|
||||
pacman:
|
||||
name: wireguard-tools
|
||||
state: present
|
||||
become: yes
|
||||
when: ansible_distribution == "Archlinux"
|
||||
|
||||
- name: generate wireguard keypair
|
||||
shell: wg genkey | tee /etc/wireguard/serverctl-privatekey | wg pubkey | tee /etc/wireguard/serverctl-publickey
|
||||
args:
|
||||
creates: /etc/wireguard/serverctl-privatekey
|
||||
become: yes
|
||||
|
||||
- name: register private key
|
||||
shell: cat /etc/wireguard/serverctl-privatekey
|
||||
register: wireguard_private_key
|
||||
changed_when: false
|
||||
become: yes
|
||||
|
||||
- name: register public key
|
||||
shell: cat /etc/wireguard/serverctl-publickey
|
||||
register: wireguard_public_key
|
||||
changed_when: false
|
||||
become: yes
|
||||
|
||||
- name: generate preshared keypair
|
||||
shell: "wg genpsk > /etc/wireguard/serverctl-psk-{{item}}"
|
||||
args:
|
||||
creates: "/etc/wireguard/serverctl-psk-{{item}}"
|
||||
when: inventory_hostname < item
|
||||
with_items: "{{groups['serverctl_super_cluster']}}"
|
||||
become: yes
|
||||
|
||||
- name: register preshared key
|
||||
shell: "cat /etc/wireguard/serverctl-psk-{{item}}"
|
||||
register: wireguard_preshared_key
|
||||
changed_when: false
|
||||
when: inventory_hostname < item
|
||||
with_items: "{{groups['serverctl_super_cluster']}}"
|
||||
become: yes
|
||||
|
||||
- name: message preshared keys
|
||||
set_fact: "wireguard_preshared_keys={{wireguard_preshared_keys|default({}) | combine({item.item: item.stdout})}}"
|
||||
when: item.skipped is not defined
|
||||
with_items: "{{wireguard_preshared_key.results}}"
|
||||
become: yes
|
||||
|
||||
#- name: print hostvars
|
||||
# ansible.builtin.debug:
|
||||
# msg: "{{hostvars[item]}}"
|
||||
# with_items: "{{groups['serverctl_super_cluster']}}"
|
||||
|
||||
- name: Setup wg0 device
|
||||
template:
|
||||
src: 'systemd.netdev'
|
||||
dest: '{{systemd_network_dir}}/99-serverctl-wg0.netdev'
|
||||
owner: root
|
||||
group: systemd-network
|
||||
mode: 0640
|
||||
become: yes
|
||||
notify: systemd network restart
|
||||
|
||||
- name: Setup wg0 network
|
||||
template:
|
||||
src: 'systemd.network'
|
||||
dest: "{{systemd_network_dir}}/99-serverctl-wg0.network"
|
||||
owner: root
|
||||
group: systemd-network
|
||||
mode: 0640
|
||||
become: yes
|
||||
notify: systemd network restart
|
||||
|
||||
#- name: Start and enalbe wireguard on book
|
||||
# systemd:
|
||||
# name: wg-quick@wgserverctl0
|
||||
# enabled: yes
|
||||
# state: started
|
||||
|
||||
#- debug: msg="{{item.1}} - {{ (wireguard_base_ipv4|ipaddr(item.0 + 1)) }}"
|
||||
# with_indexed_items: "{{groups.serverctl_mesh_nodes}}"
|
||||
|
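Review bot: The `generate wireguard keypair` task writes the private key, and `generate preshared keypair` writes the PSKs, through `tee`/shell redirection under the default umask, so on a host where `/etc/wireguard` is not already `0700` the private key ends up world-readable; prefix both commands with `umask 077` (`shell: umask 077; wg genkey | tee /etc/wireguard/serverctl-privatekey | wg pubkey | tee /etc/wireguard/serverctl-publickey`). The `register private key`, `register preshared key` and `message preshared keys` tasks put key material into registered facts that any `-v` run and most callback plugins print, so they need `no_log: true`. Both keys then travel through the controller's memory into other hosts' templates; that is inherent to this design but deserves a comment at the top of the file so nobody later adds `cacheable: true` or enables a fact cache.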
@ -0,0 +1,22 @@
|
||||
[NetDev]
|
||||
Name=serverctl-wg0
|
||||
Kind=wireguard
|
||||
Description=WireGuard tunnel serverctl-wg0
|
||||
|
||||
[WireGuard]
|
||||
ListenPort={{ wireguard_port }}
|
||||
PrivateKey={{ wireguard_private_key.stdout }}
|
||||
|
||||
{% for peer in groups['serverctl_super_cluster'] %}
|
||||
{% if peer != inventory_hostname %}
|
||||
|
||||
[WireGuardPeer]
|
||||
PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
|
||||
PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
|
||||
AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
|
||||
{% if not hostvars[peer].client_server %}
|
||||
Endpoint={{ hostvars[peer].ansible_host }}:{{ wireguard_port }}
|
||||
PersistentKeepalive=25
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
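Review bot: Every `[WireGuardPeer]` stanza dereferences `hostvars[peer].wireguard_public_key.stdout` and `wireguard_preshared_keys[...]`, facts that only exist if the `register ...` tasks ran on that peer in the same play run; with `--limit` or an unreachable peer the template fails with an undefined-variable error, which is the right fail-closed behaviour but not obvious. A short comment at the top, e.g. `{# needs the key-registration tasks to have run on every host in serverctl_super_cluster this run; do not use --limit #}`, would save the next person a confusing debug session. Hoisting the preshared-key expression into a `{% set psk = ... %}` above the stanza would also make the asymmetric `inventory_hostname < peer` lookup easier to read.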
@ -0,0 +1,5 @@
|
||||
[Match]
|
||||
Name=serverctl-wg0
|
||||
|
||||
[Network]
|
||||
Address={{ wireguard_ip }}/{{ wireguard_mask_bits }}
|
@ -5,12 +5,21 @@
|
||||
roles:
|
||||
- role: prereq
|
||||
- role: download
|
||||
- role: firewall
|
||||
|
||||
- hosts: serverctl_super_cluster
|
||||
gather_facts: yes
|
||||
become: yes
|
||||
roles:
|
||||
- role: wireguard/mesh
|
||||
|
||||
- hosts: serverctl_master_hosts
|
||||
become: yes
|
||||
roles:
|
||||
- role: "./k3s/master"
|
||||
#- hosts: serverctl_node_hosts
|
||||
# become: yes
|
||||
# roles:
|
||||
# - role: "./k3s/node"
|
||||
#
|
||||
|
||||
- hosts: serverctl_node_hosts
|
||||
become: yes
|
||||
roles:
|
||||
- role: "./k3s/node"
|
||||
|
||||
|
@ -1,4 +1,3 @@
|
||||
|
||||
variable "serverctl_master_count" {
|
||||
default = 0
|
||||
}
|
||||
@ -7,7 +6,6 @@ variable "serverctl_node_count" {
|
||||
default = 0
|
||||
}
|
||||
|
||||
|
||||
resource "hcloud_placement_group" "serverctl_master" {
|
||||
name = "serverctl_master_group"
|
||||
type = "spread"
|
||||
@ -73,7 +71,7 @@ resource "hcloud_server" "serverctl_node" {
|
||||
}
|
||||
|
||||
resource "local_file" "hosts_cfg" {
|
||||
content = templatefile("${path.module}/templates/hosts.tpl",
|
||||
content = templatefile("${path.module}/templates/hosts.tftpl",
|
||||
{
|
||||
serverctl_masters = hcloud_server.serverctl_master.*.ipv4_address
|
||||
serverctl_nodes = hcloud_server.serverctl_node.*.ipv4_address
|
||||
|
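Review bot: `local_file.hosts_cfg` is created without `file_permission`, and the provider's default is `0777`, which matches the generated inventory appearing in this change as an executable file; add `file_permission = "0644"` (and `directory_permission = "0755"`) to the resource. The resource block continues past the end of the hunk, so if the attribute is already set further down, ignore this.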
@ -2,7 +2,7 @@ terraform {
|
||||
required_providers {
|
||||
hcloud = {
|
||||
source = "hetznercloud/hcloud"
|
||||
version = "1.32.2"
|
||||
version = "1.48.0"
|
||||
}
|
||||
}
|
||||
|
||||
|
35
infrastructure/create-resources/templates/hosts.tftpl
Normal file
35
infrastructure/create-resources/templates/hosts.tftpl
Normal file
@ -0,0 +1,35 @@
|
||||
[serverctl_master_hosts]
|
||||
%{ for ip in serverctl_masters ~}
|
||||
${ip} ansible_host=${ip} wireguard_ip=${cidrhost("10.1.1.0/24", index(serverctl_masters, ip) + 1)}
|
||||
%{ endfor ~}
|
||||
|
||||
[serverctl_node_hosts]
|
||||
%{ for ip in serverctl_nodes ~}
|
||||
${ip} ansible_host=${ip} wireguard_ip=${cidrhost("10.1.1.0/24", index(serverctl_nodes, ip) + 10)}
|
||||
%{ endfor ~}
|
||||
|
||||
[serverctl_home_servers]
|
||||
192.168.1.150 ansible_host=192.168.1.150 wireguard_ip=10.1.1.8
|
||||
#192.168.1.233 ansible_host=192.168.1.233 wireguard_ip=10.1.1.9
|
||||
|
||||
[serverctl_cluster:children]
|
||||
serverctl_master_hosts
|
||||
serverctl_node_hosts
|
||||
|
||||
[serverctl_super_cluster:children]
|
||||
serverctl_cluster
|
||||
serverctl_home_servers
|
||||
|
||||
[serverctl_home_servers:vars]
|
||||
client_server=True
|
||||
|
||||
[serverctl_super_cluster:vars]
|
||||
pipelining=true
|
||||
ansible_ssh_user=root
|
||||
ansible_ssh_port=22
|
||||
|
||||
[serverctl_cluster:vars]
|
||||
client_server=False
|
||||
pipelining=true
|
||||
ansible_ssh_user=root
|
||||
ansible_ssh_port=22
|
@ -1,13 +0,0 @@
|
||||
[serverctl_master_hosts]
|
||||
%{ for ip in serverctl_masters ~}
|
||||
${ip}
|
||||
%{ endfor ~}
|
||||
|
||||
[serverctl_node_hosts]
|
||||
%{ for ip in serverctl_nodes ~}
|
||||
${ip}
|
||||
%{ endfor ~}
|
||||
|
||||
[serverctl_cluster:children]
|
||||
serverctl_master_hosts
|
||||
serverctl_node_hosts
|
3
renovate.json
Normal file
3
renovate.json
Normal file
@ -0,0 +1,3 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
FROM golang:1.17-bullseye
|
||||
FROM golang:1.23-bullseye
|
||||
|
||||
RUN go install github.com/jackc/tern@latest
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
FROM golang:1.17-bullseye
|
||||
FROM golang:1.23-bullseye
|
||||
|
||||
RUN go install github.com/cosmtrek/air@latest
|
||||
# Development don't need this
|
||||
|
@ -1,6 +1,6 @@
|
||||
module serverctl
|
||||
|
||||
go 1.17
|
||||
go 1.19
|
||||
|
||||
require (
|
||||
github.com/Microsoft/go-winio v0.4.17 // indirect
|
||||
|