Merge pull request #4 from dbrennand/k3s

Merge progress to dev

.github/workflows/ansible-lint.yml

@@ -8,7 +8,7 @@ jobs:
     name: Ansible Lint
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/ansible/creator-ee:v0.20.0
+      image: ghcr.io/ansible/creator-ee:v0.21.0
     steps:
       - uses: actions/checkout@v3
         with:

Taskfile.yml

@@ -21,12 +21,12 @@ tasks:
   ansible:adhoc:
     desc: |
       Run Ansible adhoc command.
-      Example: task ansible:adhoc -- -m ping
+      Example: task ansible:adhoc -- proxmox -m ping
     dir: "{{.USER_WORKING_DIR}}"
     cmds:
       - task: op:vault
       - task: venv:source
-      - ansible all {{.CLI_ARGS}}
+      - ansible {{.CLI_ARGS}}
     <<: *ansible-preconditions
 
   ansible:play:
@@ -61,7 +61,7 @@ tasks:
     dir: "{{.USER_WORKING_DIR}}"
     cmds:
       - task: venv:source
-      - ansible-galaxy install --force -r requirements.yml
+      - ansible-galaxy install {{ .CLI_ARGS }} -r requirements.yml
     preconditions:
       - sh: command -v ansible-galaxy
         msg: ansible-galaxy is not installed. Have you ran `task venv`?

ansible/README.md

@@ -7,5 +7,7 @@ The Ansible playbooks in this repository are used to configure my homelab server
 - [minecraft-playbook.yml](playbooks/minecraft-playbook.yml): Deploy Minecraft server.
 - [proxmox-create-vm-template.yml](playbooks/proxmox-create-vm-template.yml): Create VM templates.
 - [proxmox-download-iso-playbook.yml](playbooks/proxmox-download-iso-playbook.yml): Download ISOs to Proxmox.
+- [proxmox-storage-playbook.yml](playbooks/proxmox-storage-playbook.yml): Provision Proxmox LVM Storage.
+- [proxmox-external-vote.yml](playbooks/proxmox-external-vote.yml): Cluster External Vote Support.
 - [pihole-playbook.yml](playbooks/pihole-playbook.yml): Deploy Pi-hole on Raspberry Pi 3.
 - [tailscale-playbook.yml](playbooks/tailscale-playbook.yml): Install or update Tailscale.

ansible/files/proxmox_tailscale_cert.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Used on Proxmox node(s) to generate a certificate for the node's Tailscale FQDN
+# This allows for the Proxmox Web GUI to be accessed via the Tailscale FQDN
+# Requires jq and tailscale to be installed
+# Checks every 60 days if the certificate needs to be renewed
+
+# File where the last run date is stored
+LAST_RUN_FILE="${HOME}/proxmox_tailscale_cert.last_run"
+
+# Read the last run date from the file
+if [[ -f "${LAST_RUN_FILE}" ]]; then
+    last_run=$(cat "${LAST_RUN_FILE}")
+else
+    last_run=$(date -d "60 days ago" +%F)
+fi
+
+# Calculate the next run date (60 days after the last run)
+next_run=$(date -d "${last_run} + 60 days" +%F)
+today=$(date +%F)
+
+# Run the task if today is the next run date
+if [[ "${today}" == "${next_run}" ]]; then
+    # Snippet below taken from: https://tailscale.com/kb/1133/proxmox#enable-https-access-to-the-proxmox-web-ui
+    NAME="$(tailscale status --json | jq '.Self.DNSName | .[:-1]' -r)"
+    tailscale cert "${NAME}"
+    pvenode cert set "${NAME}.crt" "${NAME}.key" --force --restart
+    # Update the last run date
+    echo "${today}" > "${LAST_RUN_FILE}"
+fi

ansible/group_vars/control.yml

@@ -0,0 +1,22 @@
+---
+# control group_vars
+k3s_control_node: true
+k3s_server:
+  node-ip: "{{ ansible_host }}"
+  tls-san:
+    - "{{ kube_vip_address }}"
+  disable-cloud-controller: true
+  write-kubeconfig-mode: "644"
+  disable:
+    - traefik
+    - servicelb
+k3s_server_manifests_urls:
+  # kube-vip rbac - https://kube-vip.io/docs/usage/k3s/#step-2-upload-kube-vip-rbac-manifest
+  - url: https://raw.githubusercontent.com/kube-vip/kube-vip/main/docs/manifests/rbac.yaml
+    filename: kube-vip-rbac.yaml
+  # kube-vip cloud controller - https://kube-vip.io/docs/usage/cloud-provider/
+  - url: https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/main/manifest/kube-vip-cloud-controller.yaml
+    filename: kube-vip-cloud-controller.yaml
+k3s_server_manifests_templates:
+  - kube-vip-daemonset.yml.j2
+  - kubevip-configmap.yml.j2

ansible/group_vars/all.yml → ansible/group_vars/docker.yml

@@ -1,5 +1,5 @@
 ---
-# all group_vars
+# docker group_vars
 # geerlingguy.pip vars
 # https://github.com/geerlingguy/ansible-role-pip#role-variables
 pip_install_packages:

ansible/group_vars/workers.yml

@@ -0,0 +1,6 @@
+---
+# workers group_vars
+k3s_control_node: false
+k3s_agent:
+  node-ip: "{{ ansible_host }}"
+longhorn_disk: /dev/sdb

ansible/inventory.yml

@@ -8,12 +8,37 @@ all:
         - pihole
     proxmox01.net.dbren.uk:
       ansible_user: root
+    proxmox02.net.dbren.uk:
+      ansible_user: root
     minecraft.net.dbren.uk:
+    control01.net.dbren.uk:
+    worker01.net.dbren.uk:
+    worker02.net.dbren.uk:
+    worker03.net.dbren.uk:
   children:
+    docker:
+      hosts:
+        pihole.net.dbren.uk:
+        minecraft.net.dbren.uk:
     tailscale:
       hosts:
         pihole.net.dbren.uk:
+          # Overrides group_vars/tailscale.yml
+          tailscale_args: --accept-dns=false --ssh
         minecraft.net.dbren.uk:
+        proxmox01.net.dbren.uk:
+        proxmox02.net.dbren.uk:
     proxmox:
       hosts:
         proxmox01.net.dbren.uk:
+        proxmox02.net.dbren.uk:
+    k3s:
+      children:
+        control:
+          hosts:
+            control01.net.dbren.uk:
+        workers:
+          hosts:
+            worker01.net.dbren.uk:
+            worker02.net.dbren.uk:
+            worker03.net.dbren.uk:

ansible/playbooks/k3s-playbook.yml

@@ -0,0 +1,83 @@
+---
+- name: Build K3s cluster
+  hosts: k3s
+  vars_files:
+    - ../vars/k3s.yml
+  pre_tasks:
+    - name: Longhorn tasks
+      when: not k3s_control_node
+      tags:
+        - longhorn
+      block:
+        - name: Install open-iscsi and nfs-common for Longhorn
+          ansible.builtin.apt:
+            name:
+              - open-iscsi
+              - nfs-common
+            state: present
+          become: true
+
+        - name: Create /mnt/longhorn directory
+          ansible.builtin.file:
+            path: /mnt/longhorn
+            state: directory
+            mode: u=rwx,g=rx,o=rx
+          become: true
+
+        - name: "Ensure disk partition exists on {{ longhorn_disk }}"
+          community.general.parted:
+            device: "{{ longhorn_disk }}"
+            number: 1
+            label: gpt
+            part_start: 0%
+            part_end: 100%
+            part_type: primary
+            fs_type: ext4
+            state: present
+          become: true
+
+        - name: "Ensure ext4 filesystem exists on {{ longhorn_disk }}1" # noqa name[template]
+          community.general.filesystem:
+            fstype: ext4
+            dev: "{{ longhorn_disk }}1"
+          become: true
+
+        - name: "Get UUID for {{ longhorn_disk }}1" # noqa name[template]
+          ansible.builtin.command:
+            cmd: "blkid {{ longhorn_disk }}1 -s UUID -o value"
+          register: longhorn_block_device_part_uuid
+          changed_when: false
+          become: true
+
+        - name: "Mount /mnt/longhorn on {{ longhorn_block_device_part_uuid.stdout }}"
+          ansible.posix.mount:
+            path: /mnt/longhorn
+            src: "UUID={{ longhorn_block_device_part_uuid.stdout }}"
+            fstype: ext4
+            state: mounted
+          become: true
+  roles:
+    - role: xanmanning.k3s
+  post_tasks:
+    - name: Copy kubeconfig to local machine
+      when: k3s_control_node
+      block:
+        - name: Ensure ~/.kube directory exists
+          ansible.builtin.file:
+            path: ~/.kube
+            state: directory
+            mode: u=rwx,g=,o=
+          delegate_to: localhost
+
+        - name: Copy kubeconfig from control node to local machine
+          ansible.builtin.fetch:
+            src: /etc/rancher/k3s/k3s.yaml
+            dest: ~/.kube/config
+            flat: true
+
+        - name: Replace localhost with control node IP
+          ansible.builtin.replace:
+            path: ~/.kube/config
+            regexp: '127.0.0.1'
+            replace: "{{ kube_vip_address }}"
+          delegate_to: localhost

ansible/playbooks/proxmox-create-vm-template.yml

@@ -1,6 +1,6 @@
 ---
 - name: Create Proxmox VM Templates
-  hosts: proxmox
+  hosts: proxmox01.net.dbren.uk
   become: true
   gather_facts: false
   vars:
@@ -109,7 +109,7 @@
 
     - name: Attach disk to Proxmox VM
       ansible.builtin.command:
-        cmd: "qm set {{ (proxmox_next_vm_id | int) + index }} --scsihw virtio-scsi-pci --scsi0 {{ proxmox_storage_name }}:vm-{{ (proxmox_next_vm_id | int) + index }}-disk-0,discard=on"
+        cmd: "qm set {{ (proxmox_next_vm_id | int) + index }} --scsihw virtio-scsi-single --scsi0 {{ proxmox_storage_name }}:vm-{{ (proxmox_next_vm_id | int) + index }}-disk-0,discard=on,iothread=1"
       loop: "{{ images }}"
       loop_control:
         index_var: index

ansible/playbooks/proxmox-download-iso-playbook.yml

@@ -1,6 +1,6 @@
 ---
 - name: Download ISOs to Proxmox
-  hosts: proxmox
+  hosts: proxmox01.net.dbren.uk
   become: true
   gather_facts: false
   vars:

ansible/playbooks/proxmox-external-vote.yml

@@ -0,0 +1,28 @@
+---
+# https://pve.proxmox.com/wiki/Cluster_Manager#_corosync_external_vote_support
+# https://www.apalrd.net/posts/2022/cluster_qdevice/
+- name: Proxmox Nodes - Cluster External Vote Support
+  hosts: proxmox
+  become: true
+  tasks:
+    - name: Install corosync-qdevice
+      ansible.builtin.apt:
+        name:
+          - corosync-qdevice
+        state: present
+
+- name: Raspberry Pi - Cluster External Vote Support
+  hosts: pihole.net.dbren.uk
+  become: true
+  tasks:
+    - name: Install corosync-qnetd
+      ansible.builtin.apt:
+        name:
+          - corosync-qnetd
+        state: present
+
+    - name: Next steps
+      ansible.builtin.debug:
+        msg: |
+          Run the following command on the Proxmox primary node:
+          pvecm qdevice setup <QDEVICE-IP>

ansible/playbooks/proxmox-storage-playbook.yml

@@ -0,0 +1,60 @@
+---
+- name: Provision Proxmox LVM Storage
+  hosts: proxmox
+  become: true
+  vars:
+    ssds:
+      # Crucial SSD
+      - device: /dev/sdb
+        partition_name: pv-ssd-crucial
+        vg_name: vg-ssd-crucial
+        lv_name: lv-ssd-crucial
+      # Samsung SSD
+      - device: /dev/sdc
+        partition_name: pv-ssd-samsung
+        vg_name: vg-ssd-samsung
+        lv_name: lv-ssd-samsung
+  tasks:
+    - name: Create | LVM Physical Volume Partition
+      loop: "{{ ssds }}"
+      community.general.parted:
+        device: "{{ item.device }}"
+        name: "{{ item.partition_name }}"
+        label: gpt
+        number: 1
+        part_start: 0%
+        part_end: 100%
+        flags:
+          - lvm
+        state: present
+
+    - name: Create | LVM Volume Group
+      loop: "{{ ssds }}"
+      community.general.lvg:
+        vg: "{{ item.vg_name }}"
+        pvs: "{{ item.device }}1"
+        state: present
+
+    - name: Create | LVM Logical Volume
+      loop: "{{ ssds }}"
+      when: item.lv_name not in ansible_lvm.lvs
+      community.general.lvol:
+        vg: "{{ item.vg_name }}"
+        thinpool: "{{ item.lv_name }}"
+        size: 100%FREE
+        state: present
+
+    - name: Proxmox | Configure LVM Logical Volumes
+      loop: "{{ ssds }}"
+      loop_control:
+        index_var: index
+      ansible.builtin.blockinfile:
+        path: /etc/pve/storage.cfg
+        backup: true
+        marker: "\n# {mark} ANSIBLE MANAGED BLOCK {{ index }}"
+        block: |
+          lvmthin: {{ item.lv_name }}
+                  thinpool {{ item.lv_name }}
+                  vgname {{ item.vg_name }}
+                  content rootdir,images
+        state: present

ansible/playbooks/tailscale-playbook.yml

@@ -3,3 +3,30 @@
   hosts: tailscale
   roles:
     - role: artis3n.tailscale
+  post_tasks:
+    # https://tailscale.com/kb/1133/proxmox
+    - name: Proxmox | Enable HTTPS Access for Proxmox Web UI
+      when: inventory_hostname in groups['proxmox']
+      tags:
+        - proxmox
+      block:
+        - name: Proxmox | Install jq
+          ansible.builtin.apt:
+            name: jq
+            state: present
+
+        - name: Proxmox | Copy Tailscale script to Proxmox node
+          ansible.builtin.copy:
+            src: ../files/proxmox_tailscale_cert.sh
+            dest: /usr/local/bin/proxmox_tailscale_cert.sh
+            owner: root
+            group: root
+            mode: "0755"
+
+        - name: Proxmox | Create cronjob to generate HTTPS certificate for Proxmox Tailscale FQDN
+          ansible.builtin.cron:
+            name: "Generate HTTPS Certificate for Proxmox Tailscale FQDN"
+            minute: "0"
+            hour: "0"
+            job: /usr/local/bin/proxmox_tailscale_cert.sh
+            state: present

ansible/requirements.yml

@@ -2,6 +2,8 @@
 collections:
   - name: community.docker
     version: 3.4.8
+  - name: community.general
+    version: 8.1.0
 roles:
   - name: dbrennand.caddy_docker
     version: 3.0.2
@@ -14,3 +16,5 @@ roles:
   - name: geerlingguy.security
     src: https://github.com/dbrennand/ansible-role-security
     version: refactor/ssh-regexp
+  - name: xanmanning.k3s
+    version: v3.4.3