

6 Commits

54ebc8f329 Add k8s configuration scripts
WEW SOURCE CONTROL
2021-02-28 23:33:31 -06:00
3498092ae9 Add openshift to desktops, define some Pi vars 2021-02-28 21:40:17 -06:00
759e8609dc Add Grafana DB and stuff 2021-02-28 21:18:00 -06:00
4e6e287b19 Set up REALLY INSECURE NFS
Oh god I need to pare this down
But I mean it's NFS so you have to assume really high trust anyway
But still
2021-02-28 20:37:33 -06:00
51a1f63504 Set up mass storage Pi, run it before k8s inits 2021-02-28 19:50:49 -06:00
a771ddd16b Split Pi playbooks again 2021-02-28 19:48:42 -06:00
35 changed files with 599 additions and 79 deletions


@ -0,0 +1,6 @@
# vim:ft=ansible:
all:
hosts:
localhost:
ansible_connection: local
ansible_become: no
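Review bot: `ansible_become: no` uses a YAML 1.1 truthy word that yamllint's `truthy` rule flags and that a YAML 1.2 parser reads as the string "no"; Ansible accepts it, but the vendored nfs role in this same change writes `true`/`false` (e.g. `nfs_rpcbind_enabled: true`), so `ansible_become: false` keeps the repository consistent. This inventory appears to be the `inventory-localhost` that `k8s.sh` passes with `-i`; since it holds only `localhost` with `ansible_connection: local`, a header comment such as `# Control-node-only inventory; k8s.sh uses it to run the API-side tasks of playbooks/pik8s.yml` would tell a reader why it exists next to the main inventory.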


@ -0,0 +1,11 @@
# vim:ft=ansible:
# DB secrets
secret_grafana_local_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
32326333383035393665316566363266623130313435353165613463336663393634353261623738
3466636437303938363332633635363666633965386534630a646132666239623666306133313034
63343030613033653964303330643063326636346263363264333061663964373036386536313333
6432613734616361380a346138396335366638323266613963623731633437653964326465373538
63613762633635613232303565383032313164393935303531356666303965663463366335376137
6135376566336662313734333235633362386132333064303534

7
k8s.sh Executable file

@ -0,0 +1,7 @@
#! /bin/sh
ansible-playbook playbooks/pik8s.yml \
-i inventory-localhost \
-l localhost \
--tags k8s
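Review bot: The script resolves `playbooks/pik8s.yml` and `inventory-localhost` relative to the caller's working directory, so it only works when invoked from the repository root; add `cd "$(dirname "$0")" || exit 1` before the `ansible-playbook` line. It also drops any extra arguments, so `--check`, `--diff` or `--vault-id` cannot be passed to a run that mutates a live cluster's PersistentVolumes; append `"$@"` after `--tags k8s`. Both constructs are POSIX, so the `#! /bin/sh` shebang can stay.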


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1 @@
/home/salt/.kube/client.crt


@ -0,0 +1 @@
/home/salt/.kube/client.key
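Review bot: This entry is a symlink to `/home/salt/.kube/client.key`, a Kubernetes client private key in one user's home directory, committed as an absolute path (the neighbouring `client.crt` and `config` entries do the same). The key bytes are not in the repository, which is right, but anything that dereferences symlinks when copying or archiving the checkout (`cp -L`, `rsync -L`, some CI and backup tools) would capture them, and the playbook only works on the machine where `/home/salt` exists. Judging by `k8s_path` in `playbooks/pik8s.yml`, these sit under `files/k8s/desu.local/`; that playbook's `module_defaults` could instead point `kubeconfig`, `client_cert` and `client_key` at `{{ lookup('env', 'HOME') }}/.kube/...` so only the public `ca.crt` needs to live in the repo and the symlinks can be removed.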


@ -0,0 +1 @@
/home/salt/.kube/config

52
playbooks/pik8s.yml Executable file

@ -0,0 +1,52 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
# k8s
- hosts: pik8s
gather_facts: no
roles:
- role: k8s
tags: [ k8s, skip-pull ]
- role: motd
vars:
motd_watch_services_extra:
- docker
- kubelet
tags: [ k8s, motd ]
- hosts: pik8s_masters
gather_facts: no
tasks:
- name: install openshift
pip: name=openshift state=latest
tags: [ k8s, packages, pip ]
- hosts: localhost
gather_facts: no
vars:
k8s_path: "{{ playbook_dir }}/files/k8s/desu.local"
module_defaults:
group/k8s:
api_version: v1
host: "https://192.168.102.1:6443"
ca_cert: "{{ k8s_path }}/ca.crt"
kubeconfig: "{{ k8s_path }}/kubeconfig"
client_cert: "{{ k8s_path }}/client.crt"
client_key: "{{ k8s_path }}/client.key"
tasks:
- name: assure nfs pv
k8s:
definition:
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs
spec:
capacity:
storage: 1.5Ti
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
nfs:
path: /srv/nfs/k8s
server: pi-storage-1.desu.ltd
readOnly: false
tags: [ k8s, manifest, no-pull ]
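Review bot: The `pv-nfs` PersistentVolume in the last task sets neither `storageClassName` nor `claimRef`, so any PVC in any namespace that requests ReadWriteMany storage with an empty class (or no class, where the cluster has no default StorageClass) can bind the entire 1.5Ti export; since pimp.yml exports `/srv/nfs/k8s` with `no_root_squash`, a pod that mounts it and runs as root (the default) writes as root on the storage Pi. Add a non-empty `storageClassName:` and request the same name from the intended PVC, or pin the volume with `claimRef: { namespace: ..., name: ... }`. `pip: name=openshift state=latest` on the masters installs whatever PyPI serves at run time into the system interpreter; pin it (`name=openshift==<version>`) so the API client does not change under the playbook, and the same applies to the `openshift` entry added to `desktop_pip3_packages`. Finally the tags disagree: the k8s role keeps `skip-pull` while the new PV task uses `no-pull`, so `--skip-tags skip-pull` will not skip this task.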

110
playbooks/pimp.yml Executable file

@ -0,0 +1,110 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
# Mass storage Pis
- hosts: pi-storage-1.desu.ltd
tasks:
- name: assure mount directory
file: path=/data state=directory
tags: [ pis, storage ]
- name: assure mount
mount: path=/data src=LABEL=mass state=mounted fstype=ext4
tags: [ pis, storage ]
- name: assure directories in mount
file: path=/data/{{ item }} state=directory
with_items:
- nfs
- postgresql
tags: [ pis, storage ]
- name: assure symlinks to directories in mount
file: path={{ item.path }} src=/data/{{ item.src }} state=link
with_items:
- { path: /var/lib/postgresql, src: postgresql }
- { path: /srv/nfs, src: nfs }
tags: [ pis, storage ]
roles:
- role: postgresql
vars:
postgresql_hba_entries:
- { type: local, database: all, user: postgres, auth_method: peer }
- { type: local, database: all, user: all, auth_method: md5 }
- { type: host, database: all, user: all, address: '127.0.0.0/8', auth_method: md5 }
- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
# Used for internal access from other nodes
- { type: host, database: all, user: all, address: '192.168.0.0/16', auth_method: md5 }
postgresql_users:
- name: grafana
password: "{{ secret_grafana_local_db_pass }}"
postgresql_databases:
- name: grafana
owner: grafana
tags: [ pis, storage, psql ]
- role: nfs
vars:
nfs_exports:
- "/srv/nfs/bulk 192.168.0.0/16(rw,no_root_squash,sync) 172.23.0.0/16(rw,no_root_squash,sync)"
- "/srv/nfs/k8s 192.168.103.0/24(rw,no_root_squash,sync)"
tags: [ pis, storage, nfs ]
# Multipurpose Pis running unbound
- hosts: pi-mp-1.desu.ltd,pi-mp-2.desu.ltd
vars:
container_default_behavior: no_defaults
tasks:
- name: docker deploy unbound
docker_container:
name: unbound
image: rehashedsalt/unbound-desu-local:latest
restart_policy: unless-stopped
pull: yes
ports:
- "{{ ansible_facts.eth0.ipv4.address }}:53:5053/tcp"
- "{{ ansible_facts.eth0.ipv4.address }}:53:5053/udp"
tags: [ pis, mp, unbound ]
roles:
- role: motd
vars:
motd_watch_services_extra:
- docker
- isc-dhcp-server
tags: [ pis, mp, motd ]
# And also serving DHCP
- hosts: pi-mp-1.desu.ltd
vars_files:
- vars/desulocal-dhcp.yml
roles:
- role: netplan-static-ip
tags: [ pis, mp, dhcp, static-ip ]
- role: dhcp
vars:
dhcp_global_failover_peer: failover-group
dhcp_global_failover:
role: primary
address: 192.168.103.100
port: 647
peer_address: 192.168.103.101
peer_port: 647
max_response_delay: 15
max_unacked_updates: 10
load_balance_max_seconds: 5
split: 255
mclt: 3600
tags: [ pis, mp, dhcp ]
- hosts: pi-mp-2.desu.ltd
vars_files:
- vars/desulocal-dhcp.yml
roles:
- role: netplan-static-ip
tags: [ pis, mp, dhcp, static-ip ]
- role: dhcp
vars:
dhcp_global_failover_peer: failover-group
dhcp_global_failover:
role: secondary
address: 192.168.103.101
port: 647
peer_address: 192.168.103.100
peer_port: 647
max_response_delay: 15
max_unacked_updates: 10
load_balance_max_seconds: 5
tags: [ pis, mp, dhcp ]
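Review bot: In the `pi-storage-1.desu.ltd` play the mount and symlink steps sit under `tasks:`, but Ansible always runs a play's `roles:` before its `tasks:`, so on a fresh host the postgresql and nfs roles run first: the nfs role's "Ensure directories to export exist" creates `/srv/nfs/bulk` and `/srv/nfs/k8s` as real directories and the PostgreSQL package initialises its cluster under `/var/lib/postgresql` on the root filesystem, and only then does `file ... state=link` try to replace those directories, which the `file` module refuses without `force`. Renaming that play's `tasks:` to `pre_tasks:` restores the intended order. The exports grant `rw,no_root_squash` to two whole /16 networks, as the commit message admits; root squashing (the default) should stay on for the bulk export and `no_root_squash` be kept, if it is really needed, only on the /24 k8s export, with `no_subtree_check` added so exportfs stops warning and the client lists narrowed to the hosts that actually mount them. The `pg_hba` line for `192.168.0.0/16` admits any database and any user over plain `host` with `md5`; restrict it to `database: grafana, user: grafana`, and use `hostssl` with `scram-sha-256` if the role and PostgreSQL version in use support it. The unbound resolver is pulled from the mutable `:latest` tag with `pull: yes`, so the LAN's DNS changes whenever the tag moves; pin a versioned tag or a digest.
```yaml
- hosts: pi-storage-1.desu.ltd
  pre_tasks:  # was `tasks:`; these must run before the roles below, which Ansible otherwise executes first
    # … unchanged: assure mount directory / assure mount / directories / symlinks …
  roles:
    - role: postgresql
      vars:
        postgresql_hba_entries:
          # … unchanged: local and loopback entries …
          # Only the Grafana user from the LAN; switch to hostssl + scram-sha-256 once TLS is enabled on the server
          - { type: host, database: grafana, user: grafana, address: '192.168.0.0/16', auth_method: md5 }
        # … unchanged: postgresql_users, postgresql_databases …
    - role: nfs
      vars:
        nfs_exports:
          # root_squash (the default) on bulk storage; no_root_squash only where k8s really needs it
          - "/srv/nfs/bulk 192.168.0.0/16(rw,sync,no_subtree_check) 172.23.0.0/16(rw,sync,no_subtree_check)"
          - "/srv/nfs/k8s 192.168.103.0/24(rw,no_root_squash,sync,no_subtree_check)"
```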


@ -15,82 +15,3 @@
- python3-docker
- libraspberrypi-bin
tags: [ pis, packages ]
# k8s
- hosts: pik8s
roles:
- role: k8s
tags: [ k8s, skip-pull ]
- role: motd
vars:
motd_watch_services_extra:
- docker
- kubelet
tags: [ k8s, motd ]
- hosts: pik8s_masters
tasks:
- name: install openshift
pip: name=openshift state=latest
tags: [ k8s, packages, pip ]
# Multipurpose Pis running unbound
- hosts: pi-mp-1.desu.ltd,pi-mp-2.desu.ltd
vars:
container_default_behavior: no_defaults
tasks:
- name: docker deploy unbound
docker_container:
name: unbound
image: rehashedsalt/unbound-desu-local:latest
restart_policy: unless-stopped
pull: yes
ports:
- "{{ ansible_facts.eth0.ipv4.address }}:53:5053/tcp"
- "{{ ansible_facts.eth0.ipv4.address }}:53:5053/udp"
tags: [ pis, mp, unbound ]
roles:
- role: motd
vars:
motd_watch_services_extra:
- docker
- isc-dhcp-server
tags: [ pis, mp, motd ]
# And also serving DHCP
- hosts: pi-mp-1.desu.ltd
vars_files:
- vars/desulocal-dhcp.yml
roles:
- role: netplan-static-ip
tags: [ pis, mp, dhcp, static-ip ]
- role: dhcp
vars:
dhcp_global_failover_peer: failover-group
dhcp_global_failover:
role: primary
address: 192.168.103.100
port: 647
peer_address: 192.168.103.101
peer_port: 647
max_response_delay: 15
max_unacked_updates: 10
load_balance_max_seconds: 5
split: 255
mclt: 3600
tags: [ pis, mp, dhcp ]
- hosts: pi-mp-2.desu.ltd
vars_files:
- vars/desulocal-dhcp.yml
roles:
- role: netplan-static-ip
tags: [ pis, mp, dhcp, static-ip ]
- role: dhcp
vars:
dhcp_global_failover_peer: failover-group
dhcp_global_failover:
role: secondary
address: 192.168.103.101
port: 647
peer_address: 192.168.103.100
peer_port: 647
max_response_delay: 15
max_unacked_updates: 10
load_balance_max_seconds: 5
tags: [ pis, mp, dhcp ]


@ -2,6 +2,7 @@
## PIP3 CONFIGURATION
desktop_pip3_packages:
- openshift
- pmbootstrap
- protontricks
- randovania

2
roles/nfs/.ansible-lint Normal file

@ -0,0 +1,2 @@
skip_list:
- '106'

4
roles/nfs/.github/FUNDING.yml vendored Normal file

@ -0,0 +1,4 @@
# These are supported funding model platforms
---
github: geerlingguy
patreon: geerlingguy

56
roles/nfs/.github/stale.yml vendored Normal file

@ -0,0 +1,56 @@
# Configuration for probot-stale - https://github.com/probot/stale
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 90
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 30
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
onlyLabels: []
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
- pinned
- security
- planned
# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false
# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false
# Label to use when marking as stale
staleLabel: stale
# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30
pulls:
markComment: |-
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
unmarkComment: >-
This pull request is no longer marked for closure.
closeComment: >-
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
issues:
markComment: |-
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
unmarkComment: >-
This issue is no longer marked for closure.
closeComment: >-
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

68
roles/nfs/.github/workflows/ci.yml vendored Normal file

@ -0,0 +1,68 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "30 1 * * 3"
defaults:
run:
working-directory: 'geerlingguy.nfs'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.nfs'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint ansible-lint
- name: Lint code.
run: |
yamllint .
ansible-lint
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- centos8
- centos7
- ubuntu2004
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.nfs'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule[docker] docker
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}

38
roles/nfs/.github/workflows/release.yml vendored Normal file

@ -0,0 +1,38 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.nfs'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.nfs'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-base
- name: Trigger a new import on Galaxy.
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

3
roles/nfs/.gitignore vendored Normal file

@ -0,0 +1,3 @@
*.retry
*/__pycache__
*.pyc

10
roles/nfs/.yamllint Normal file

@ -0,0 +1,10 @@
---
extends: default
rules:
line-length:
max: 120
level: warning
ignore: |
.github/stale.yml

20
roles/nfs/LICENSE Normal file

@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

40
roles/nfs/README.md Normal file

@ -0,0 +1,40 @@
# Ansible Role: NFS
[![CI](https://github.com/geerlingguy/ansible-role-nfs/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-nfs/actions?query=workflow%3ACI)
Installs NFS utilities on RedHat/CentOS or Debian/Ubuntu.
## Requirements
None.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
nfs_exports: []
A list of exports which will be placed in the `/etc/exports` file. See Ubuntu's simple [Network File System (NFS)](https://ubuntu.com/server/docs/service-nfs) guide for more info and examples. (Simple example: `nfs_exports: [ "/home/public *(rw,sync,no_root_squash)" ]`).
nfs_rpcbind_state: started
nfs_rpcbind_enabled: true
(RedHat/CentOS/Fedora only) The state of the `rpcbind` service, and whether it should be enabled at system boot.
## Dependencies
None.
## Example Playbook
- hosts: db-servers
roles:
- { role: geerlingguy.nfs }
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).


@ -0,0 +1,5 @@
---
nfs_exports: []
nfs_rpcbind_state: started
nfs_rpcbind_enabled: true


@ -0,0 +1,3 @@
---
- name: reload nfs
command: 'exportfs -ra'


@ -0,0 +1,2 @@
install_date: Mon Mar 1 02:12:55 2021
version: 2.0.0

30
roles/nfs/meta/main.yml Normal file

@ -0,0 +1,30 @@
---
dependencies: []
galaxy_info:
role_name: nfs
author: geerlingguy
description: NFS installation for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- all
- name: Fedora
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- system
- nfs
- filesystem
- share
- nfsv4
- efs


@ -0,0 +1,13 @@
---
- name: Converge
hosts: all
become: true
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
roles:
- role: geerlingguy.nfs


@ -0,0 +1,17 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}

36
roles/nfs/tasks/main.yml Normal file

@ -0,0 +1,36 @@
---
# Include variables and define needed variables.
- name: Include OS-specific variables.
include_vars: "{{ ansible_os_family }}.yml"
- name: Include overrides specific to Fedora.
include_vars: Fedora.yml
when:
- ansible_os_family == 'RedHat'
- ansible_distribution == "Fedora"
# Setup/install tasks.
- include_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: setup-Debian.yml
when: ansible_os_family == 'Debian'
- name: Ensure directories to export exist
file: # noqa 208
path: "{{ item.strip().split()[0] }}"
state: directory
with_items: "{{ nfs_exports }}"
- name: Copy exports file.
template:
src: exports.j2
dest: /etc/exports
owner: root
group: root
mode: 0644
notify: reload nfs
- name: Ensure nfs is running.
service: "name={{ nfs_server_daemon }} state=started enabled=yes"
when: nfs_exports|length


@ -0,0 +1,7 @@
---
- name: Ensure NFS utilities are installed.
apt:
name:
- nfs-common
- nfs-kernel-server
state: present


@ -0,0 +1,9 @@
---
- name: Ensure NFS utilities are installed.
package: name=nfs-utils state=present
- name: Ensure rpcbind is running as configured.
service:
name: rpcbind
state: "{{ nfs_rpcbind_state }}"
enabled: "{{ nfs_rpcbind_enabled }}"


@ -0,0 +1,13 @@
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
{% for export in nfs_exports %}
{{ export }}
{% endfor %}


@ -0,0 +1,2 @@
---
nfs_server_daemon: nfs-kernel-server


@ -0,0 +1,2 @@
---
nfs_server_daemon: nfs-server


@ -0,0 +1,2 @@
---
nfs_server_daemon: nfs-server


@ -5,11 +5,18 @@
# MAD PROPS to geerlingguy; if for some reason you end up reading this, hit me
# up and I'll buy you a beer or a pizza or something.
# DHCP
# Upstream: https://github.com/bertvv/ansible-role-dhcp
- src: bertvv.dhcp
version: master
name: dhcp
# NFS
# Upstream: https://github.com/geerlingguy/ansible-role-nfs
- src: geerlingguy.nfs
version: 2.0.0
name: nfs
# Orchestration
# Upstream: https://github.com/geerlingguy/ansible-role-docker
- src: geerlingguy.docker
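Review bot: `bertvv.dhcp` is fetched at `version: master`, a moving branch, while the new `geerlingguy.nfs` entry is pinned to `2.0.0` (matching the vendored role's `.galaxy_install_info`); if the DHCP entry is part of this change, pin it to a tagged release as well so a later `ansible-galaxy install --force` cannot silently change the code that configures the DHCP servers. Whether the DHCP lines are new or context cannot be recovered from the rendered hunk, so this may already be known.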


@ -21,4 +21,6 @@
- import_playbook: playbooks/web.yml
- import_playbook: playbooks/game.yml
- import_playbook: playbooks/pis.yml
- import_playbook: playbooks/pimp.yml
- import_playbook: playbooks/pik8s.yml
- import_playbook: playbooks/desktop.yml