Use packer to create a base preconfigured base image

roles/docker/defaults/main.yml

@@ -4,4 +4,4 @@ docker_apt_repository: https://download.docker.com/linux/ubuntu
 docker_apt_channel: stable
 # Docker daemon config file
 docker_daemon_config: /etc/docker/daemon.json
-docker_version: 17.03.*
+docker_version: 18.06.*

roles/kubernetes/defaults/main.yml

@@ -3,7 +3,6 @@
 kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg
 kubernetes_apt_channel: main
 kubernetes_release: xenial
-# versions can be found here
 kubernetes_version: 1.11.3
 kubernetes_version_apt: "{{kubernetes_version}}-00"
 kubernetes_port: 6443

roles/kubernetes/tasks/main.yml

@@ -8,15 +8,6 @@
   - "'k8s_masters' in group_names"
   - groups.k8s_masters | length > 1
 
-- name: Install iputils-ping
-  apt:
-    name: iputils-ping
-    state: latest
-    cache_valid_time: 3600
-  register: result
-  retries: 3
-  until: result is success
-
 - name: Check all hosts can ping API floating IP
   shell: "ping {{ api_floating_ip }} -c 1"
   register: result

roles/proxy/tasks/main.yml

@@ -5,34 +5,11 @@
   changed_when: False
   check_mode: False
 
-- name: Check for internet access
-  shell: |-
-    false \{% for url in proxy_test_urls %}
-      || curl -IsSL -m{{ proxy_test_timeout }} {{ url }} \
-    {% endfor %}
-      || false
-  args:
-    warn: False
-  register: curl_result_initial
-  ignore_errors: True
-  changed_when: False
-  check_mode: False
-
 - name: Set host interface facts
   set_fact:
     proxy_interface: "{{ interface_result.stdout | trim }}"
-    proxy_inet: "{{ curl_result_initial.rc == 0 }}"
 
-- name: Assert at least one node has internet connectivity
-  assert:
-    that: hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', True) | list | length != 0
-  run_once: true
-
-- name: Set router hostname fact
-  set_fact:
-    proxy_router_hostname: "{{ hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', True) | map(attribute='inventory_hostname') | first }}"
-
-- name: Allow ip forwarding (kernel)
+- name: Allow ip forwarding
   sysctl:
     name: net.ipv4.ip_forward
     value: 1
@@ -40,17 +17,32 @@
     reload: True
   when: inventory_hostname == tinc_primary_router
 
-- name: Allow ip forwarding (iptables)
+- name: Activate masquerade
   iptables:
     table: nat
     chain: POSTROUTING
     out_interface: "{{ proxy_interface }}"
     jump: MASQUERADE
-  register: iptables_result
+  when: inventory_hostname == tinc_primary_router
 
-- name: Set up SSH tunnels
-  include: ssh-up.yml
-  when: hostvars.values() |  selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', False) | list | length != 0
+- name: Allow packet forwarding from WAN to LAN
+  iptables:
+    chain: FORWARD
+    in_interface: tun0
+    out_interface: "{{ proxy_interface }}"
+    jump: ACCEPT
+  when: inventory_hostname == tinc_primary_router
+
+- name: Check if incoming packets comme from an active connexion
+  iptables:
+    chain: FORWARD
+    in_interface: "{{ proxy_interface }}"
+    out_interface: tun0
+    ctstate: 
+      - ESTABLISHED
+      - RELATED
+    jump: ACCEPT
+  when: inventory_hostname == tinc_primary_router
 
 - name: Set up tinc
   include_role:
@@ -59,9 +51,6 @@
 - name: Set up keepalived
   include: keepalived.yml
 
-- name: Tear down SSH tunnels
-  include: ssh-down.yml
-
 - name: Check for internet access
   shell: |-
     false \{% for url in proxy_test_urls %}
@@ -70,6 +59,5 @@
       || false
   args:
     warn: False
-  register: curl_result
-  changed_when: curl_result_initial.rc != curl_result.rc
   check_mode: False
+  changed_when: no

roles/tinc/tasks/main.yml

@@ -1,9 +1,4 @@
 ---
-- name: Install tinc
-  apt:
-    name: tinc
-    state: latest
-
 - name: Ensure tinc netname directory exists
   file:
     path: /etc/tinc/{{ netname }}/hosts
@@ -126,7 +121,7 @@
 
 - name: Start tinc on boot
   systemd:
-    name: tinc
+    name: tinc@{{ netname }}
     enabled: yes
     state: started