diff --git a/docker-compose/routeros-config-export/docker-compose.yml b/docker-compose/routeros-config-export/docker-compose.yml
index aec73dad..2fa96368 100644
--- a/docker-compose/routeros-config-export/docker-compose.yml
+++ b/docker-compose/routeros-config-export/docker-compose.yml
@@ -15,7 +15,7 @@ services:
 hex.grote.lan,routeros-config-backup,/key_hex
 crs305.grote.lan,routeros-config-backup,/key_crs305
 GIT_REPO_BRANCH: "master"
- GIT_REPO_URL: "ssh://gitea@git.mgrote.net:2222/mg/routeros-configs.git"
+ GIT_REPO_URL: "ssh://gitea@gitea.grote.lan:2222/mg/routeros-configs.git"
 GIT_REPO_DEPLOY_KEY: "/deploy_token"
 GIT_USERNAME: oxidized-selfmade
 GIT_USER_MAIL: michael.grote@posteo.de
diff --git a/docker-compose/traefik/file-provider.yml b/docker-compose/traefik/file-provider.yml
index 8ed9ca33..760f4525 100644
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@@ -1,20 +1,4 @@
 # TCP da SSH keine Hostnamen kennt
-# alle Anfragen an diesen Port werden an Gitea weitergeleitet
-tcp:
-###### router #####
- routers:
- router-ssh:
- entryPoints:
- - entry_ssh
- rule: HostSNI(`*`)
- service: service_gitea_ssh
-###### services #####
- services:
- service_gitea_ssh:
- loadBalancer:
- servers:
- - address: gitea.grote.lan:2222
-
 http:
 ###### router #####
 routers:
diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml
index f9df980b..f064274f 100644
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@@ -40,7 +40,7 @@
 from_ip: 192.168.2.144/24
 ### l3d.gitea
 # config liegt in /etc/gitea/gitea.ini
- gitea_version: "1.20.0"
+ gitea_version: "1.20.3"
 gitea_app_name: "Gitea"
 gitea_user: "gitea"
 gitea_home: "/var/lib/gitea"
@@ -76,7 +76,7 @@
 gitea_db_path: "{{ gitea_home }}/data/gitea.db" # for sqlite3
 gitea_ssh_listen: 0.0.0.0
- gitea_ssh_domain: git.mgrote.net
+ gitea_ssh_domain: gitea.grote.lan
 gitea_ssh_port: 2222
 gitea_start_ssh: true
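Review bot: The clone endpoint in `GIT_REPO_URL` moves to `gitea.grote.lan`, but nothing in this hunk refreshes the SSH host-key trust for the new name; if the known_hosts the container uses is still keyed on `git.mgrote.net`, the first pull with `GIT_REPO_DEPLOY_KEY` either fails host-key verification or, where strict checking has been switched off, accepts whatever key answers on port 2222. The new host's key should be added to that known_hosts in the same change, and a comment next to the URL such as `# host key of gitea.grote.lan:2222 must be present in the container's known_hosts` makes the dependency visible. The `services:` mapping this environment block belongs to starts before the hunk.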
diff --git a/group_vars/k3s.yml b/group_vars/k3s.yml
new file mode 100644
index 00000000..882ee7d6
--- /dev/null
+++ b/group_vars/k3s.yml
@@ -0,0 +1,81 @@
+---
+ ### Allgemein
+ kubeconfig: /etc/rancher/k3s/k3s.yaml
+
+ ### mgrote.restic
+ restic_folders_to_backup: "/ /var" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
+
+ ### pandemonium1986.ansible-role-k9s
+ k9s_version: "v0.27.3"
+
+ ### mrlesmithjr.ansible-manage-lvm
+ #lvm_groups:
+ # - vgname: vg_gitea_data
+ # disks:
+ # - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
+ # create: true
+ # lvnames:
+ # - lvname: lv_gitea_data
+ # size: +100%FREE
+ # create: true
+ # filesystem: xfs
+ # mount: true
+ # mntp: /var/lib/gitea
+ #manage_lvm: true
+ #pvresize_to_max: true
+
+ ### oefenweb.ufw
+ ufw_rules:
+ - rule: allow
+ comment: 'k3s - alles offen'
+ from_ip: 0.0.0.0/0
+
+ ### pyratlabs.k3s
+ k3s_state: installed
+ k3s_release_version: v1.25.11+k3s1
+ k3s_airgap: false
+ k3s_config_file: /etc/rancher/k3s/config.yaml
+ k3s_build_cluster: true
+ k3s_install_dir: /usr/local/bin
+ k3s_etcd_datastore: true
+ k3s_become: true
+ k3s_use_experimental: true
+ k3s_debug: false
+ k3s_server:
+ # siehe https://docs.k3s.io/reference/server-config
+ # cli parameter OHNE -- am anfang
+ write-kubeconfig-mode: '644'
+ cluster-cidr: "10.42.0.0/16"
+ service-cidr: "10.43.0.0/16"
+ disable:
+ - traefik
+ - local-storage # disables local-path-provisioner
+ - disable-helm-controller # https://fluxcd.io/flux/cheatsheets/troubleshooting/
+
+ ### mgrote.fluxcd
+ flux_repo_host: gitea.grote.lan
+ flux_repo_host_port: 2222
+ flux_repo_branch: master
+ flux_repo_url_complete: "ssh://gitea@{{ flux_repo_host }}:{{ flux_repo_host_port }}/mg/manifests.git"
+ flux_install_host: k3s4.grote.lan
+ flux_homedir: /home/flux
+ flux_path_ssh_dir: /home/flux/.ssh
+ flux_user_group: flux
+ flux_user: flux
+ flux_download_url: https://github.com/fluxcd/flux2/releases/download/v2.0.1/flux_2.0.1_linux_amd64.tar.gz # updaten
+ flux_path_bin: /usr/local/sbin
+ flux_path_ssh_id_file: id_rsa
+ flux_ssh_key_format: ed25519
+ flux_sync_interval: 1m
+
+ ### mgrote.apt_manage_packages
+ apt_packages_extra:
+ - nfs-common # für nfs-subdir-external-provisioner
+
+ ### mgrote.sealed-secrets
+ sealed_secrets_homedir: /home/sealed_secrets
+ sealed_secrets_user_group: sealed_secrets
+ sealed_secrets_user: sealed_secrets
+ kubeseal_download_url: "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.1/kubeseal-0.19.1-linux-amd64.tar.gz" #updaten
+ kubeseal_path_bin: /usr/local/sbin
+ sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}"
diff --git a/host_vars/k3s4.grote.lan.yml b/host_vars/k3s4.grote.lan.yml
new file mode 100644
index 00000000..b056ad12
--- /dev/null
+++ b/host_vars/k3s4.grote.lan.yml
@@ -0,0 +1,3 @@
+---
+ ### pyratlabs.k3s
+ k3s_control_node: true
diff --git a/host_vars/pve5.grote.lan.yml b/host_vars/pve5.grote.lan.yml
index 88043986..0ae4b8f8 100644
--- a/host_vars/pve5.grote.lan.yml
+++ b/host_vars/pve5.grote.lan.yml
@@ -169,7 +169,7 @@
 ### mgrote.cv4pve-autosnap
 cv4pve_api_user: root@pam!cv4pve-autosnap
 cv4pve_api_token: "{{ lookup('keepass', 'cv4pve_api_token', 'password') }}"
- cv4pve_vmid: all,-106,-115
+ cv4pve_vmid: all,-106,-112,-115
 cv4pve_keep_snapshots: 5
 cv4pve_dl_link: "https://github.com/Corsinvest/cv4pve-autosnap/releases/download/v1.14.7/cv4pve-autosnap-linux-x64.zip"
diff --git a/inventory b/inventory
index 54b1c07d..cf960186 100644
--- a/inventory
+++ b/inventory
@@ -15,6 +15,9 @@ all:
 docker:
 hosts:
 docker10.grote.lan:
+ k3s:
+ hosts:
+ k3s4.grote.lan:
 vmtest:
 hosts:
 vm-test-2204.grote.lan:
@@ -45,6 +48,7 @@ all:
 gitea.grote.lan:
 docker10.grote.lan:
 pbs.grote.lan:
+ k3s4.grote.lan:
 test:
 hosts:
 vm-test-2204.grote.lan:
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index 7ca24703..7bfc995e 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ
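Review bot: `write-kubeconfig-mode: '644'` under `k3s_server` in group_vars/k3s.yml makes `/etc/rancher/k3s/k3s.yaml` world-readable, and that file carries the cluster-admin client credentials, so every local account on the node becomes cluster-admin; `write-kubeconfig-mode: '600'` (or `'640'` with a dedicated group that the k9s/flux/sealed-secrets users are added to) keeps it to the accounts that are meant to have it. The `ufw_rules` entry in the same file opens every port to `from_ip: 0.0.0.0/0`, which with `k3s_etcd_datastore: true` exposes the API server, etcd and kubelet listeners to anything that can route to the host; limiting `from_ip` to the LAN range (gitea.yml on this page uses `192.168.2.144/24`) and ideally to the ports k3s needs would keep the host firewall meaningful. Separately, `disable-helm-controller` is not a packaged-component name, so listing it under `disable:` most likely has no effect; as far as I know the server option is a boolean, so the fluxcd note linked in the comment is implemented by `disable-helm-controller: true` as its own key under `k3s_server`.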
diff --git a/playbooks/3_service/k3s.yml b/playbooks/3_service/k3s.yml
new file mode 100644
index 00000000..80cd7795
--- /dev/null
+++ b/playbooks/3_service/k3s.yml
@@ -0,0 +1,10 @@
+---
+- hosts: k3s
+ roles:
+ - { role: PyratLabs.k3s, tags: "k3s" }
+ - { role: mgrote.k8s_autocompletion, tags: "autocomp" }
+ - { role: pandemonium1986.ansible-role-k9s, tags: "k9s", become: true }
+ - { role: mgrote.fluxcd, tags: "flux", become: true }
+ - { role: mgrote.k8s_misc, tags: "misc", become: true }
+ - { role: mgrote.sealed-secrets, tags: "sealed-secrets", become: true }
+ - { role: geerlingguy.helm, tags: "helm", become: true }
diff --git a/playbooks/3_service/nfs.yml b/playbooks/3_service/nfs.yml
new file mode 100644
index 00000000..e4839948
--- /dev/null
+++ b/playbooks/3_service/nfs.yml
@@ -0,0 +1,4 @@
+---
+- hosts: nfs
+ roles:
+ - { role: geerlingguy.nfs_server, tags: "nfs", become: true }
diff --git a/roles/mgrote.fluxcd/defaults/main.yml b/roles/mgrote.fluxcd/defaults/main.yml
index c08e2bca..98110d90 100644
--- a/roles/mgrote.fluxcd/defaults/main.yml
+++ b/roles/mgrote.fluxcd/defaults/main.yml
@@ -1,8 +1,8 @@
 ---
- flux_repo_host: git.mgrote.net
+ flux_repo_host: gitea.grote.lan
 flux_repo_host_port: 2222
 flux_repo_branch: master
- flux_repo_url_complete: ssh://gitea@git.mgrote.net:2222/mg/k3s-fluxcd.git
+ flux_repo_url_complete: "ssh://gitea@{{ flux_repo_host }}:{{ flux_repo_host_port }}/mg/manifests.git"
 flux_install_host: k3s1.grote.lan
 flux_homedir: /home/flux
 flux_path_ssh_dir: /home/flux/.ssh
diff --git a/roles/mgrote.sealed-secrets/README.md b/roles/mgrote.sealed-secrets/README.md
index 6fb8db2b..70ee57fc 100644
--- a/roles/mgrote.sealed-secrets/README.md
+++ b/roles/mgrote.sealed-secrets/README.md
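Review bot: The role list in the new playbooks/3_service/k3s.yml is written as flow mappings (`- { role: PyratLabs.k3s, tags: "k3s" }`), which buries the one difference that matters for review — `PyratLabs.k3s` and `mgrote.k8s_autocompletion` run without `become: true` while the other five have it — and each entry will only get longer once `when:` or `vars:` are added. Block style, `- role: PyratLabs.k3s` followed by `  tags: k3s` on its own line, diffs per field and makes the privilege split visible; a `- name: Provision k3s nodes` above `hosts: k3s` would also label the play in run output. The same applies to nfs.yml in the next hunk on this line.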
@@ -2,42 +2,6 @@ Diese Rolle installiert das kubeseal-Binary und hinterlegt den Private-Key im Cluster. -Der Key ist im Keepass im Eintrag unter "Notes" abgelegt. Sollten die Secrets neu verschlüsselt werden ist hier wieder der aktuelle Private-Key abzulegen. - -Siehe: https://github.com/bitnami-labs/sealed-secrets#how-can-i-do-a-backup-of-my-sealedsecrets - -## Backup - -`kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key` - -## Restore - -``` -kubectl apply -f main.key -kubectl delete pod -n kube-system -l name=sealed-secrets-controller -``` - - -## Erstellen eines verschlüsselten Secrets - -- Wichtig ist "stringData", wird nur "data" verwendet ist der Inhalt base64 zu enkodieren. - -1. lege Secret mit Klartext VALUE als Datei() an - ``` - kind: Secret - apiVersion: v1 - metadata: - name: NAME_DES_SECRETS - namespace: drone - stringData: - ICH_BIN_DER VARIABLEN_NAME: ICH_BIN_DAS_PASSWORT - ``` - 2. diese Datei mit kubeseal verschlüsseln - ``` - cat | kubeseal --controller-namespace kube-system --format yaml > sealed-secret.yaml - ``` - 3. den Inhalt dann als Secret im Repo ablegen ablegen - ## Verwenden des Secrets ``` @@ -47,9 +11,3 @@ kubectl delete pod -n kube-system -l name=sealed-secrets-controller name: NAME_DES_SECRETS key: ICH_BIN_DER VARIABLEN_NAME ``` - -## Auslesen eines Klartext-Secrets aus dem Cluster - -``` -kubectl get secret -n -o jsonpath="{.data.}" | base64 --decode ; echo"" -``` diff --git a/roles/mgrote.sealed-secrets/defaults/main.yml b/roles/mgrote.sealed-secrets/defaults/main.yml index 4bcdbed4..744d7859 100644 --- a/roles/mgrote.sealed-secrets/defaults/main.yml +++ b/roles/mgrote.sealed-secrets/defaults/main.yml 
@@ -5,4 +5,4 @@
 kubeseal_download_url: "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.1/kubeseal-0.19.1-linux-amd64.tar.gz"
 kubeseal_path_bin: /usr/local/sbin
 kubeconfig: /etc/rancher/k3s/k3s.yaml
- sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}"
+ sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}" # mit kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key holen
diff --git a/roles/mgrote.sealed-secrets/tasks/import.yml b/roles/mgrote.sealed-secrets/tasks/import.yml
index e24aeb8c..b4bffc93 100644
--- a/roles/mgrote.sealed-secrets/tasks/import.yml
+++ b/roles/mgrote.sealed-secrets/tasks/import.yml
@@ -1,6 +1,6 @@
 ---
 - name: check if private key exists
- ansible.builtin.command: kubectl get secrets sealed-secrets-key9mpfq -n kube-system
+ ansible.builtin.command: kubectl get secrets sealed-secrets-keytsq4k -n kube-system
 register: key
 ignore_errors: yes
 changed_when: false
@@ -13,7 +13,7 @@
 group: root
 mode: '0400'
 when: key.rc not in [ 0 ]
- no_log: True
+ #no_log: True
 - name: apply private key
 ansible.builtin.command: kubectl apply -f /root/private.key
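Review bot: The existence check in tasks/import.yml still hard-codes the controller-generated secret name, only swapped from `sealed-secrets-key9mpfq` to `sealed-secrets-keytsq4k`; that suffix is minted per cluster, so on any other bootstrap the probe fails, `ignore_errors: yes` hides that, and the copy task guarded by `when: key.rc not in [ 0 ]` in the next hunk writes and applies the key on every run. The comment added to defaults/main.yml in the previous hunk already shows the stable selector, so the probe can use it: `ansible.builtin.command: kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o name` with `changed_when: false` and `failed_when: false`, and the import condition becomes `when: key.stdout | length == 0`. `ignore_errors: yes` should in any case be spelled `true` to avoid the YAML 1.1 truthy ambiguity.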
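Review bot: Commenting out `no_log: True` on the task that writes `/root/private.key` (its head is above the hunk; `mode: '0400'` and the following `kubectl apply -f /root/private.key` identify it) means the sealed-secrets private key fetched via the keepass lookup now lands in verbose output, `--diff` output, callback plugins and any CI log that captures the play. If this was turned off to debug the `when:` condition, restore `no_log: true` before merge and inspect `key.rc` with a separate `ansible.builtin.debug` task instead; if it must remain switchable, `no_log: "{{ not (sealed_secrets_debug | default(false)) }}"` (variable name constructed here) keeps the default safe. The enclosing task starts before the hunk.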