phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use packer to create a base preconfigured base image

Browse source
This commit is contained in:
Paul-Henri Froidmont 2018-10-18 22:45:01 +02:00
parent 3090cc6818
commit 3731d10987
12 changed files with 153 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -2,3 +2,6 @@
.vagrant .vagrant
.virtualenv .virtualenv
*.retry *.retry
.terraform*
terraform.tfstate
terraform.tfstate.backup

18
group_vars/all/vars
View file

@ -1,18 +1,16 @@
--- ---
ansible_python_interpreter: /usr/bin/python3
initial_master: master1 initial_master: master1
tinc_primary_router: proxy1 tinc_primary_router: proxy1
vpn_interface: tun0 vpn_interface: tun0
k8s_release: "1.10.6" # Kubernetes
k8s_apiserver_secure_port: "6443" kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg
k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}" kubernetes_apt_channel: main
k8s_config_directory: "{{ '~/k8s/configs' | expanduser }}" kubernetes_release: xenial
k8s_ca_certificate_owner: "{{ harden_linux_deploy_user }}" kubernetes_version: 1.11.3
k8s_ca_certificate_group: "root" kubernetes_version_apt: "{{kubernetes_version}}-00"
k8s_config_cluster_name: banditlair.com kubernetes_port: 6443
k8s_encryption_config_directory: "{{k8s_config_directory}}"
k8s_interface: "{{peervpn_conf_interface}}"
k8s_conf_dir: /etc/kubernetes
etcd_version: "3.2.24" etcd_version: "3.2.24"

56
packer/common.yml Normal file
View file

@ -0,0 +1,56 @@
---
- hosts: localhost
tasks:
- name: Install tinc and ping
apt:
name: [ 'tinc', 'iputils-ping' ]
state: latest
- name: Adding Kubernetes official gpg key
apt_key:
url: "{{ kubernetes_apt_key }}"
state: present
- name: Adding Kubernetes repository
apt_repository:
repo: "deb http://apt.kubernetes.io/ kubernetes-{{ kubernetes_release }} {{ kubernetes_apt_channel }}"
state: present
filename: 'kubernetes'
- name: Installing kubernetes core components (kubectl, kubelet ...)
apt:
name: ['kubelet={{kubernetes_version_apt}}', 'kubeadm={{kubernetes_version_apt}}', 'kubectl={{kubernetes_version_apt}}']
register: result
retries: 3
until: result is success
- name: Get the kernel revision
shell: "uname -r"
register: kernel
changed_when: False
check_mode: False
- name: Try install linux-image
apt:
state: present
name: "{{ 'linux-image-' + kernel.stdout }}"
register: result
failed_when: False
- name: modprobe
modprobe:
name: "{{ item }}"
state: present
with_items:
- ip_vs
- nf_conntrack_ipv4
- name: /etc/modules
lineinfile:
path: /etc/modules
line: "{{ item }}"
with_items:
- ip_vs
- nf_conntrack_ipv4
roles:
- role: docker

58
packer/packer.json Normal file
View file

@ -0,0 +1,58 @@
{
"variables": {
"api_access_key": "{{ env `SCALEWAY_ORGANIZATION` }}",
"api_token": "{{ env `SCALEWAY_TOKEN` }}",
"vault_pass_file": ""
},
"builders": [
{
"type": "scaleway",
"api_access_key": "{{ user `api_access_key` }}",
"api_token": "{{ user `api_token` }}",
"server_name": "k8s-template",
"image_name": "ubuntu-bionic-k8s",
"snapshot_name": "ubuntu-bionic-k8s-snapshot",
"image": "d4067cdc-dc9d-4810-8a26-0dae51d7df42",
"region": "par1",
"commercial_type": "START1-S",
"ssh_username": "root"
}
],
"provisioners": [
{
"type": "shell",
"inline": [
"sleep 30",
"apt -y update",
"DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
"apt -y install software-properties-common",
"apt-add-repository ppa:ansible/ansible",
"apt -y update",
"apt -y install ansible"
]
},
{
"type": "file",
"source": "{{ user `vault_pass_file` }}",
"destination": "/tmp/vault-pass"
},
{
"type": "ansible-local",
"role_paths": "../roles/docker",
"group_vars": "../group_vars",
"clean_staging_directory": true,
"playbook_file": "common.yml",
"extra_arguments": "--vault-password-file=/tmp/vault-pass"
},
{
"type": "shell",
"inline": [
"rm -f /tmp/vault-pass",
"apt -y remove --purge ansible",
"apt-add-repository --remove ppa:ansible/ansible",
"apt autoremove -y",
"apt update"
]
}
]
}

2
roles/docker/defaults/main.yml
View file

@ -4,4 +4,4 @@ docker_apt_repository: https://download.docker.com/linux/ubuntu
docker_apt_channel: stable docker_apt_channel: stable
# Docker daemon config file # Docker daemon config file
docker_daemon_config: /etc/docker/daemon.json docker_daemon_config: /etc/docker/daemon.json
docker_version: 17.03.* docker_version: 18.06.*

1
roles/kubernetes/defaults/main.yml
View file

@ -3,7 +3,6 @@
kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg
kubernetes_apt_channel: main kubernetes_apt_channel: main
kubernetes_release: xenial kubernetes_release: xenial
# versions can be found here
kubernetes_version: 1.11.3 kubernetes_version: 1.11.3
kubernetes_version_apt: "{{kubernetes_version}}-00" kubernetes_version_apt: "{{kubernetes_version}}-00"
kubernetes_port: 6443 kubernetes_port: 6443

9
roles/kubernetes/tasks/main.yml
View file

@ -8,15 +8,6 @@
- "'k8s_masters' in group_names" - "'k8s_masters' in group_names"
- groups.k8s_masters | length > 1 - groups.k8s_masters | length > 1
- name: Install iputils-ping
apt:
name: iputils-ping
state: latest
cache_valid_time: 3600
register: result
retries: 3
until: result is success
- name: Check all hosts can ping API floating IP - name: Check all hosts can ping API floating IP
shell: "ping {{ api_floating_ip }} -c 1" shell: "ping {{ api_floating_ip }} -c 1"
register: result register: result

56
roles/proxy/tasks/main.yml
View file

@ -5,34 +5,11 @@
changed_when: False changed_when: False
check_mode: False check_mode: False
- name: Check for internet access
shell: |-
false \{% for url in proxy_test_urls %}
|| curl -IsSL -m{{ proxy_test_timeout }} {{ url }} \
{% endfor %}
|| false
args:
warn: False
register: curl_result_initial
ignore_errors: True
changed_when: False
check_mode: False
- name: Set host interface facts - name: Set host interface facts
set_fact: set_fact:
proxy_interface: "{{ interface_result.stdout | trim }}" proxy_interface: "{{ interface_result.stdout | trim }}"
proxy_inet: "{{ curl_result_initial.rc == 0 }}"
- name: Assert at least one node has internet connectivity - name: Allow ip forwarding
assert:
that: hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', True) | list | length != 0
run_once: true
- name: Set router hostname fact
set_fact:
proxy_router_hostname: "{{ hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', True) | map(attribute='inventory_hostname') | first }}"
- name: Allow ip forwarding (kernel)
sysctl: sysctl:
name: net.ipv4.ip_forward name: net.ipv4.ip_forward
value: 1 value: 1
@ -40,17 +17,32 @@
reload: True reload: True
when: inventory_hostname == tinc_primary_router when: inventory_hostname == tinc_primary_router
- name: Allow ip forwarding (iptables) - name: Activate masquerade
iptables: iptables:
table: nat table: nat
chain: POSTROUTING chain: POSTROUTING
out_interface: "{{ proxy_interface }}" out_interface: "{{ proxy_interface }}"
jump: MASQUERADE jump: MASQUERADE
register: iptables_result when: inventory_hostname == tinc_primary_router
- name: Set up SSH tunnels - name: Allow packet forwarding from WAN to LAN
include: ssh-up.yml iptables:
when: hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', False) | list | length != 0 chain: FORWARD
in_interface: tun0
out_interface: "{{ proxy_interface }}"
jump: ACCEPT
when: inventory_hostname == tinc_primary_router
- name: Check if incoming packets comme from an active connexion
iptables:
chain: FORWARD
in_interface: "{{ proxy_interface }}"
out_interface: tun0
ctstate:
- ESTABLISHED
- RELATED
jump: ACCEPT
when: inventory_hostname == tinc_primary_router
- name: Set up tinc - name: Set up tinc
include_role: include_role:
@ -59,9 +51,6 @@
- name: Set up keepalived - name: Set up keepalived
include: keepalived.yml include: keepalived.yml
- name: Tear down SSH tunnels
include: ssh-down.yml
- name: Check for internet access - name: Check for internet access
shell: |- shell: |-
false \{% for url in proxy_test_urls %} false \{% for url in proxy_test_urls %}
@ -70,6 +59,5 @@
|| false || false
args: args:
warn: False warn: False
register: curl_result
changed_when: curl_result_initial.rc != curl_result.rc
check_mode: False check_mode: False
changed_when: no

7
roles/tinc/tasks/main.yml
View file

@ -1,9 +1,4 @@
--- ---
- name: Install tinc
apt:
name: tinc
state: latest
- name: Ensure tinc netname directory exists - name: Ensure tinc netname directory exists
file: file:
path: /etc/tinc/{{ netname }}/hosts path: /etc/tinc/{{ netname }}/hosts
@ -126,7 +121,7 @@
- name: Start tinc on boot - name: Start tinc on boot
systemd: systemd:
name: tinc name: tinc@{{ netname }}
enabled: yes enabled: yes
state: started state: started

3
terraform/.gitignore vendored
View file

@ -1,3 +0,0 @@
.terraform*
terraform.tfstate
terraform.tfstate.backup

4
terraform/sl.tf
View file

@ -42,7 +42,7 @@ resource "scaleway_server" "master" {
resource "scaleway_server" "proxy1" { resource "scaleway_server" "proxy1" {
count = 1 count = 1
name = "proxy1" name = "proxy1"
image = "${data.scaleway_image.ubuntu_mini.id}" image = "${data.scaleway_image.ubuntu.id}"
type = "${var.proxy_instance_type}" type = "${var.proxy_instance_type}"
public_ip = "51.158.77.6" public_ip = "51.158.77.6"
state = "running" state = "running"
@ -52,7 +52,7 @@ resource "scaleway_server" "proxy1" {
resource "scaleway_server" "proxy2" { resource "scaleway_server" "proxy2" {
count = 1 count = 1
name = "proxy2" name = "proxy2"
image = "${data.scaleway_image.ubuntu_mini.id}" image = "${data.scaleway_image.ubuntu.id}"
type = "${var.proxy_instance_type}" type = "${var.proxy_instance_type}"
state = "running" state = "running"
tags = ["k8s","k8s_proxy","secondary"] tags = ["k8s","k8s_proxy","secondary"]

4
terraform/variables.tf
View file

@ -7,7 +7,7 @@ variable "architecture" {
} }
variable "image" { variable "image" {
default = "Ubuntu Xenial" default = "ubuntu-bionic-k8s"
} }
variable "mini_image" { variable "mini_image" {
@ -23,7 +23,7 @@ variable "master_instance_count" {
} }
variable "proxy_instance_type" { variable "proxy_instance_type" {
default = "START1-XS" default = "START1-S"
} }
variable "worker_instance_type" { variable "worker_instance_type" {