Skip to content

hufhend/Little-IaC

Repository files navigation

Little-IaC Ansible scripts

These scripts were originally created as Ansible exercises. Later, they focused on automating Linux setup before installing a Kubernetes cluster.

Warning
The intended use is on a new bare metal installation of Linux, deployment on already running machines could be problematic.

Quick Start

  • First we clone the repository

    git clone https://github.com/hufhend/ansible.git

  • All playbooks and roles are relative is the root directory ansible, we enter it.

    cd ansible

  • Copy the sample variables, modify them as needed

    cp -rfp sample/* .

  • And simply run the first playbook

    ansible-playbook -i inventory.yaml -l node06 setup.yaml

Tip
I recommend to try the functions in a non-production environment, for example via Vagrant.

First launch

Before the first launch, we need to assign a new computer and user to run Ansible. A special playbook and roles are used for this.

Playbook host_init

After a clean Linux installation, we usually have one regular user with sudo privileges. This is usually enough for us to manage the system from the command line, but for Ansible we need additional settings. The host_init role sets the default user to run Ansible, uploads the ssh keys, adds it to sudoers, and sets the hostname.

Usage

ansible-playbook -i inventory.yaml -l host07 host-init.yaml -kK

Features of playbooks

Desktop

The goal of this playbook is to turn a regular Ubuntu for desktop or laptop into a much better tuned system. At the same time connected to IAC automation and more manageable remotely.

The playbook is simple and easy to read.

Usage:

ansible-playbook -i inventory.yaml -l notebook desktop.yaml

Kubernetes node

The goal of the playbook is to make a regular Ubuntu installation into a Kubernetes-ready system. For laptops, it disables all sleep sensors. It will install and set up keepalived for HA under the cluster for bare metal installation. Adds crontabs for updating. Optionally sets up a firewall.

This playbook can be combined with the desktop playbook.

Usage:

ansible-playbook -i inventory.yaml -l notebook K8s_cluster.yaml

Detailed description

Table 1. Common parameters
Name Description Default value

docker_user

user for the docker role

ansible_user

role

node role in the cluster: master or worker

computer

firewall

decides whether to turn on the firewall

false

desktop

determines if the computer is used by a human

false

cron

enables crontab setting at K8s value

choose

orange

enabling roles for ARM single board computers

false

The default setting of the comuter role causes tasks from the cluster_node to not be executed. The required value should be set in host_vars.

Table 2. Docker app parameters
Name Description Default value

docker_home

directory for Docker applications

docker

gitea

deploy the app gitea

false

pihole

deploy the app pi-hole

false

prometheus

deploy the app prometheus

false

Firewall role

Firewall rules were originally designed very simply and disabled by default. Later it started to evolve and add more functionality. Currently it can generate rules for a Kubernetes cluster node depending on its usage.

I followed the documentation, first by enabling known ports and then by analyzing the logs and resolving the residual blocked traffic - that’s where I used ChatGPT.

The major breakthrough was enabling East-West traffic, which I leave in Calico’s management.

Table 3. Firewall variables
Name Description Default value

safe_network

internal protected network

192.168.88.0/24

kube_network

Kubernetes internal network

10.10.0.0/16

port

destination port

proto

TCP/IP protocol

tcp

from, src

source IP address

any

route

apply the rule to routed/forwarded packets

false

comment

add a comment to the rule

Firewall is not a separately executable role, it’s just an engine. You can find the rules setup in the cluster node role.

Newly added features

1 Oct 2024

  • The last planned part of the project is nearing completion and that is the automation of Raspberry Pi and Orange Pi. They are single board computers with minimal power consumption that will do a lot of work in home IT for almost free. They actually act as infrastructure, at the moment the DNS, Monitoring, VPN and Git parts are finished.

  • This is the most complex part of the whole project, so it came last on the agenda.

  • I will finish the documentation when I have time.

23 Jul 2024

  • Since nothing much has been changed to the Kubernetes firewall for a long time and it seems to be working, I consider this part basically done.

  • I’ve moved on to the most complicated part and that’s the Raspberry/OrangePi. Gradually, I want to add small but very useful things to the infrastructure that these single board computers can handle, making a strong backend for the home network and Kubernetes cluster.

  • The monitoring and DNS is done.

21 Jun 2024

  • Fully completed DNS role on Raspberry including end-to-end pass testing

  • Selected configurations out, there will be further improvements

18 Jun 2024

  • Added a key feature for Docker applications, the ability to upload custom configuration files, see commit 43a46ab.

  • Many bugs have been fixed, especially in the desktop installer and repositories.

  • Keep an eye on the commit history, I’ve started adding comments to the major ones.

28 May 2024

  • Firewall rules for Kubernetes nodes seem to be finalized.

9 May 2024

  • Major redesign of firewall rules, added cluster rules and special guest rules. See examples.

  • Today is 3 months since I started learning Ansible. The first playbook was created in the neighboring repo ubuntu-postinstall.

7 May 2024

  • Added role for laptops or desktop computers with GUI on Ubuntu Linux. It is simple but functional.

5 May 2024

  • Added functionality to insert crontabs into K8s nodes, basic disk health check and update underlying systems including restart for maintenance.

  • Added example host_vars.

  • Add additional tasks for the crontab, they will only run if they are defined. See the example for details.

To be continued