Merge pull request 'Configure Renovate' (#1) from renovate/configure into main

Reviewed-on: https://git.front.kjuulh.io/kjuulh/serverctl/pulls/1

infrastructure/create-resources/ansible/inventory/group_vars/all.yml

@@ -2,6 +2,14 @@
 k3s_version: v1.22.3+k3s1
 ansible_user: root
 systemd_dir: /etc/systemd/system
-master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['ansible_host'] | default(groups['serverctl_master_hosts'][0]) }}"
-extra_server_args: ""
-extra_agent_args: ""
+systemd_network_dir: /etc/systemd/network
+master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['wireguard_ip'] | default(groups['serverctl_master_hosts'][0]) }}"
+extra_server_args: "--flannel-iface=serverctl-wg0"
+extra_agent_args: "--flannel-iface=serverctl-wg0"
+
+ansible_become_method: su
+
+ufw_enabled: true
+
+wireguard_mask_bits: 24
+wireguard_port: 51871

infrastructure/create-resources/ansible/inventory/hosts.cfg

@@ -0,0 +1,32 @@
+[serverctl_master_hosts]
+95.217.155.228 ansible_host=95.217.155.228 wireguard_ip=10.1.1.1
+
+[serverctl_node_hosts]
+65.21.50.146 ansible_host=65.21.50.146 wireguard_ip=10.1.1.10
+95.216.162.16 ansible_host=95.216.162.16 wireguard_ip=10.1.1.11
+
+[serverctl_home_servers]
+192.168.1.150 ansible_host=192.168.1.150 wireguard_ip=10.1.1.8
+#192.168.1.233 ansible_host=192.168.1.233 wireguard_ip=10.1.1.9
+
+[serverctl_cluster:children]
+serverctl_master_hosts
+serverctl_node_hosts
+
+[serverctl_super_cluster:children]
+serverctl_cluster
+serverctl_home_servers
+
+[serverctl_home_servers:vars]
+client_server=True
+
+[serverctl_super_cluster:vars]
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22
+
+[serverctl_cluster:vars]
+client_server=False
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22

infrastructure/create-resources/ansible/kubeconfig.yml

@@ -0,0 +1,8 @@
+- hosts: serverctl_master_hosts[0]
+  become: yes
+  tasks:
+    - name: Fetch kubeconfig
+      ansible.builtin.fetch:
+        src: ~/.kube/config
+        dest: temp/.kube/config
+

infrastructure/create-resources/ansible/ping.yml

@@ -0,0 +1,7 @@
+---
+- hosts: serverctl_super_cluster
+  gather_facts: yes
+  tasks:
+    - name: ping
+      command: "ping -c3 {{ hostvars[item].wireguard_ip}}"
+      with_items: "{{groups['all']}}"

infrastructure/create-resources/ansible/roles/firewall/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+- name: update packages
+  apt:
+    update_cache: yes
+    cache_valid_time: 3600
+  become: yes
+
+- name: install ufw
+  apt:
+    name: ufw
+    state: present
+  become: yes
+  when: ufw_enabled
+
+- name: Allow SSH in UFW
+  ufw:
+    rule: allow
+    port: "{{ ansible_ssh_port }}"
+    proto: tcp
+  become: yes
+  when: ufw_enabled
+
+- name: Allow wireguard port in UFW
+  ufw:
+    rule: allow
+    port: "{{ wireguard_port }}"
+    proto: udp
+  become: yes
+  when: ufw_enabled
+
+- name: Set ufw logging
+  ufw:
+    logging: "on"
+  become: yes
+  when: ufw_enabled
+
+- name: inter-node Wireguard UFW connectivity
+  ufw:
+    rule: allow
+    src: "{{ hostvars[item].wireguard_ip }}"
+  with_items: "{{ groups['all'] }}"
+  become: yes
+  when: ufw_enabled and item != inventory_hostname
+
+- name: Reject everything and enable UFW
+  ufw:
+    state: enabled
+    policy: reject
+    log: yes
+  become: yes
+  when: ufw_enabled
+
+- name: Allow 6443 in UFW /tcp
+  ufw:
+    rule: allow
+    port: "6443"
+    proto: tcp
+  become: yes
+  when: ufw_enabled
+
+- name: Allow 6443 in UFW udp
+  ufw:
+    rule: allow
+    port: "6443"
+    proto: udp
+  become: yes
+  when: ufw_enabled

infrastructure/create-resources/ansible/roles/k3s/master/tasks/main.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: Copy K3s service file
   register: k3s_service
   template:

infrastructure/create-resources/ansible/roles/k3s/master/templates/k3s.service.j2

@@ -7,7 +7,7 @@ After=network-online.target
 Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args | default("") }}
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args | default("") }} --advertise-address {{master_ip}}
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead

infrastructure/create-resources/ansible/roles/k3s/node/templates/k3s.service.j2

@@ -7,7 +7,7 @@ After=network-online.target
 Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['serverctl_master_hosts'][0]]['token'] }} {{ extra_agent_args | default("") }}
+ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['serverctl_master_hosts'][0]]['token'] }} {{ extra_agent_args | default("") }} --node-ip {{inventory_hostname}}
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead

infrastructure/create-resources/ansible/roles/wireguard/mesh/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: systemd network restart
+  service:
+    name: systemd-networkd
+    state: restarted
+    enabled: yes
+  become: yes

infrastructure/create-resources/ansible/roles/wireguard/mesh/tasks/main.yml

@@ -0,0 +1,89 @@
+---
+- name: install wireguard
+  apt:
+    name: wireguard
+    state: present
+  become: yes
+  when: ansible_distribution == 'Debian' or ansible_distribution == "Ubuntu"
+
+- name: install wireguard
+  pacman:
+    name: wireguard-tools
+    state: present
+  become: yes
+  when: ansible_distribution == "Archlinux"
+
+- name: generate wireguard keypair
+  shell: wg genkey | tee /etc/wireguard/serverctl-privatekey | wg pubkey | tee /etc/wireguard/serverctl-publickey
+  args:
+    creates: /etc/wireguard/serverctl-privatekey
+  become: yes
+
+- name: register private key
+  shell: cat /etc/wireguard/serverctl-privatekey
+  register: wireguard_private_key
+  changed_when: false
+  become: yes
+
+- name: register public key
+  shell: cat /etc/wireguard/serverctl-publickey
+  register: wireguard_public_key
+  changed_when: false
+  become: yes
+
+- name: generate preshared keypair
+  shell: "wg genpsk > /etc/wireguard/serverctl-psk-{{item}}"
+  args:
+    creates: "/etc/wireguard/serverctl-psk-{{item}}"
+  when: inventory_hostname < item
+  with_items: "{{groups['serverctl_super_cluster']}}"
+  become: yes
+
+- name: register preshared key
+  shell: "cat /etc/wireguard/serverctl-psk-{{item}}"
+  register: wireguard_preshared_key
+  changed_when: false
+  when: inventory_hostname < item
+  with_items: "{{groups['serverctl_super_cluster']}}"
+  become: yes
+
+- name: message preshared keys
+  set_fact: "wireguard_preshared_keys={{wireguard_preshared_keys|default({}) | combine({item.item: item.stdout})}}"
+  when: item.skipped is not defined
+  with_items: "{{wireguard_preshared_key.results}}"
+  become: yes
+
+#- name: print hostvars
+#  ansible.builtin.debug:
+#    msg: "{{hostvars[item]}}"
+#  with_items: "{{groups['serverctl_super_cluster']}}"
+
+- name: Setup wg0 device
+  template:
+    src: 'systemd.netdev'
+    dest: '{{systemd_network_dir}}/99-serverctl-wg0.netdev'
+    owner: root
+    group: systemd-network
+    mode: 0640
+  become: yes
+  notify: systemd network restart
+
+- name: Setup wg0 network
+  template:
+    src: 'systemd.network'
+    dest: "{{systemd_network_dir}}/99-serverctl-wg0.network"
+    owner: root
+    group: systemd-network
+    mode: 0640
+  become: yes
+  notify: systemd network restart
+
+#- name: Start and enalbe wireguard on book
+#  systemd:
+#    name: wg-quick@wgserverctl0
+#    enabled: yes
+#    state: started
+
+#- debug: msg="{{item.1}} - {{ (wireguard_base_ipv4|ipaddr(item.0 + 1)) }}"
+#  with_indexed_items: "{{groups.serverctl_mesh_nodes}}"
+

infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.netdev

@@ -0,0 +1,22 @@
+[NetDev]
+Name=serverctl-wg0
+Kind=wireguard
+Description=WireGuard tunnel serverctl-wg0
+
+[WireGuard]
+ListenPort={{ wireguard_port }}
+PrivateKey={{ wireguard_private_key.stdout }}
+
+{% for peer in groups['serverctl_super_cluster'] %}
+{% if peer != inventory_hostname %}
+
+[WireGuardPeer]
+PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
+PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
+AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
+{% if not hostvars[peer].client_server %}
+Endpoint={{ hostvars[peer].ansible_host }}:{{ wireguard_port }}
+PersistentKeepalive=25
+{% endif %}
+{% endif %}
+{% endfor %}

infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.network

@@ -0,0 +1,5 @@
+[Match]
+Name=serverctl-wg0
+
+[Network]
+Address={{ wireguard_ip }}/{{ wireguard_mask_bits }}

infrastructure/create-resources/ansible/site.yml

@@ -5,12 +5,21 @@
   roles:
     - role: prereq
     - role: download
+    - role: firewall
+
+- hosts: serverctl_super_cluster
+  gather_facts: yes
+  become: yes
+  roles:
+    - role: wireguard/mesh
+
 - hosts: serverctl_master_hosts
   become: yes
   roles:
     - role: "./k3s/master"
-#- hosts: serverctl_node_hosts
-#  become: yes
-#  roles:
-#    - role: "./k3s/node"
-#
+
+- hosts: serverctl_node_hosts
+  become: yes
+  roles:
+    - role: "./k3s/node"
+

infrastructure/create-resources/hcloud.tf

@@ -1,4 +1,3 @@
-
 variable "serverctl_master_count" {
   default = 0
 }
@@ -7,7 +6,6 @@ variable "serverctl_node_count" {
   default = 0
 }
 
-
 resource "hcloud_placement_group" "serverctl_master" {
   name = "serverctl_master_group"
   type = "spread"
@@ -18,7 +16,7 @@ resource "hcloud_server" "serverctl_master" {
   name        = "serverctl-master-${count.index}"
   image       = "debian-11"
   server_type = "cx11"
-  ssh_keys = [
+  ssh_keys    = [
     var.hcloud_serverctl_ssh_key_id
   ]
   placement_group_id = hcloud_placement_group.serverctl_master.id
@@ -50,7 +48,7 @@ resource "hcloud_server" "serverctl_node" {
   name        = "serverctl-node-${count.index}"
   image       = "debian-11"
   server_type = "cx11"
-  ssh_keys = [
+  ssh_keys    = [
     var.hcloud_serverctl_ssh_key_id
   ]
   placement_group_id = hcloud_placement_group.serverctl_node.id
@@ -73,10 +71,10 @@ resource "hcloud_server" "serverctl_node" {
 }
 
 resource "local_file" "hosts_cfg" {
-  content = templatefile("${path.module}/templates/hosts.tpl",
+  content = templatefile("${path.module}/templates/hosts.tftpl",
     {
-      serverctl_masters = hcloud_server.serverctl_master.*.ipv4_address
-      serverctl_nodes   = hcloud_server.serverctl_node.*.ipv4_address
+      serverctl_masters    = hcloud_server.serverctl_master.*.ipv4_address
+      serverctl_nodes      = hcloud_server.serverctl_node.*.ipv4_address
     }
   )
   filename = "ansible/inventory/hosts.cfg"

infrastructure/create-resources/templates/hosts.tftpl

@@ -0,0 +1,35 @@
+[serverctl_master_hosts]
+%{ for ip in serverctl_masters ~}
+${ip} ansible_host=${ip} wireguard_ip=${cidrhost("10.1.1.0/24", index(serverctl_masters, ip) + 1)}
+%{ endfor ~}
+
+[serverctl_node_hosts]
+%{ for ip in serverctl_nodes ~}
+${ip} ansible_host=${ip} wireguard_ip=${cidrhost("10.1.1.0/24", index(serverctl_nodes, ip) + 10)}
+%{ endfor ~}
+
+[serverctl_home_servers]
+192.168.1.150 ansible_host=192.168.1.150 wireguard_ip=10.1.1.8
+#192.168.1.233 ansible_host=192.168.1.233 wireguard_ip=10.1.1.9
+
+[serverctl_cluster:children]
+serverctl_master_hosts
+serverctl_node_hosts
+
+[serverctl_super_cluster:children]
+serverctl_cluster
+serverctl_home_servers
+
+[serverctl_home_servers:vars]
+client_server=True
+
+[serverctl_super_cluster:vars]
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22
+
+[serverctl_cluster:vars]
+client_server=False
+pipelining=true
+ansible_ssh_user=root
+ansible_ssh_port=22

infrastructure/create-resources/templates/hosts.tpl

@@ -1,13 +0,0 @@
-[serverctl_master_hosts]
-%{ for ip in serverctl_masters ~}
-${ip}
-%{ endfor ~}
-
-[serverctl_node_hosts]
-%{ for ip in serverctl_nodes ~}
-${ip}
-%{ endfor ~}
-
-[serverctl_cluster:children]
-serverctl_master_hosts
-serverctl_node_hosts

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}