feat: Align configuration and Makefile

This contains a lot of changes, including better system configuration for some issues discovered during testing, and minor tweaking for better user experience when doing maintenance
2025-03-22 19:26:04 +01:00 · 2025-03-22 19:26:04 +01:00 · f983f9f2ed
commit f983f9f2ed
parent 54ca928b10
13 changed files with 212 additions and 36 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
 vault
 .vault_pass
+inventory/prod
+inventory/dev
--- a/43
+++ b/43
@ -1,20 +1,49 @@
+ENV ?= none
+ANSIBLE_USER ?= atmen
+ANSIBLE_SSH_KEY ?= ~/.ssh/atmen
+CLUSTER_NAME ?= halis
+
+ifeq ($(ENV), prod)
+	INVENTORY:=$(shell ls -p inventory/prod | grep -v / | sed 's/^/-i inventory\/prod\//g' | sed -z 's/\n/ /g' | head -c -1)
+	NODE_IP:=$(shell grep -s server inventory/prod/* | head -1 | cut -d ':' -f 1 | xargs cat | grep ansible_host | head -1 | cut -d ':' -f 2 | cut -c2-)
+ifeq ($(ENV), dev)
+	INVENTORY:=$(shell ls -p inventory/dev | grep -v / | sed 's/^/-i inventory\/dev\//g' | sed -z 's/\n/ /g' | head -c -1)
+	NODE_IP:=$(shell grep -s server inventory/dev/* | head -1 | cut -d ':' -f 1 | xargs cat | grep ansible_host | head -1 | cut -d ':' -f 2 | cut -c2-)
+else
+	INVENTORY = -i inventory/templates/hosts.yml
+	NODE_IP:=$(shell grep -s server inventory/templates/* | head -1 | cut -d ':' -f 1 | xargs cat | grep ansible_host | head -1 | cut -d ':' -f 2 | cut -c2-)
+endif
+
 init:
-	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml"
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "init.yml"

 install:
-	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_setup=true enable_wireguard=true enable_k3s=true"
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "bootstrap.yml" --extra-vars "enable_setup=true enable_wireguard=true enable_k3s=true"
+
+upgrade:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "k3s-upgrade.yml"
+
+conf:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) node-configuration

 wg:
-	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=true enable_k3s=false"
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "bootstrap.yml" --extra-vars "enable_setup=false enable_wireguard=true enable_k3s=false"

 k3s:
-	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=false enable_k3s=true"
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "bootstrap.yml" --extra-vars "enable_wireguard=false enable_k3s=true enable_setup=false"

-uninstall:
-	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "k3s-ansible/reset.yml"
+k3s-uninstall:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "k3s-uninstall.yml"

 ping:
-	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/hosts.yml --extra-vars "@inventory/vars/main.yaml" -m ping
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all $(INVENTORY) -m ping

 ping-unprovisioned:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/unprovisioned.yml -m ping
+
+get_k3s_credentials:
+	@echo "Retrieving k3s credentials locally..."
+	ssh $(ANSIBLE_USER)@$(NODE_IP) -i $(ANSIBLE_SSH_KEY) -p 7929 "cat /home/$(ANSIBLE_USER)/.kube/config" > ~/.kube/config-$(CLUSTER_NAME)
+	@sed -i 's/127.0.*:/$(NODE_IP):/g' ~/.kube/config-$(CLUSTER_NAME)
+	@curl https://git.halis.io/therbron/dotfiles/raw/branch/master/.bin/kube-merge | bash
+	@kubectl get nodes --context $(CLUSTER_NAME)
--- a/README.md
+++ b/README.md
@ -40,25 +40,3 @@ The ssh port can be configured in 2 steps:
 - Create FS
 - Enable NFS
 - `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options
-
-# Vault
-Sensitive data is stored under two files in the `vault` directory:
- `user_provisioning.yml` contains the vault password
- `vault.yml` contains the sensitive data
-
-## user_provisioning.yml
-Configure users for provisioning and manual maintenance
-```yaml
-vault_atmen_password: <atmen_password>
-vault_maintainer_user: <your_user>
-vault_maintainer_password: <maintainer_password>
-```
-
-## vault.yml
-Configure k3s secrets
-```yaml
-ansible_become_password: <atmen_password>
-token: <k3s_token>
-```
-
-To avoid pasting your vault password everytime, you can create a `.vault_pass` file in the root directory with the vault password.
--- a/bootstrap.yml
+++ b/bootstrap.yml
@ -18,10 +18,6 @@
      include_role:
        name: node-configuration
      when: enable_setup | bool
-    - name: Configure headscale
-      include_role:
-        name: headscale
-      when: enable_headscale | bool
 - name: Configure wireguard
  ansible.builtin.import_playbook: wireguard/wireguard.yml
  when: enable_wireguard|bool
--- a/init.yml
+++ b/init.yml
@ -4,7 +4,7 @@
  tasks:
    - name: Add unprovisioned vars
      include_vars: 
-        file: inventory/vars/unprovisioned.yaml
+        file: inventory/vars/unprovisioned.yml
    - name: Wait for hosts
      ansible.builtin.wait_for_connection:
        timeout: 60
--- a/k3s-uninstall.yml
+++ b/k3s-uninstall.yml
@ -0,0 +1,19 @@
+- hosts: all
+  gather_facts: no
+  vars_prompt:
+    - name: user_check
+      prompt: "You are about to destroy your cluster and uninstall k3s, this action is irreversible. Do you want to continue? (yes/no)"
+      private: no
+  tasks:
+    - name: Include vault vars
+      include_vars: 
+        file: "{{ playbook_dir ~ '/vault/secrets' }}"
+    - name: Include vars
+      include_vars: 
+        file: inventory/vars/main.yml
+    - name: Wait for hosts
+      ansible.builtin.wait_for_connection:
+        timeout: 60
+    - name: Uninstall k3s
+      ansible.builtin.import_playbook: k3s-ansible/reset.yml
+      when: user_check == "yes"
--- a/k3s-upgrade.yml
+++ b/k3s-upgrade.yml
@ -0,0 +1,15 @@
+- hosts: all
+  gather_facts: no
+  tasks:
+    - name: Include vault vars
+      include_vars: 
+        file: "{{ playbook_dir ~ '/vault/secrets' }}"
+    - name: Include vars
+      include_vars: 
+        file: inventory/vars/main.yml
+    - name: Wait for hosts
+      ansible.builtin.wait_for_connection:
+        timeout: 60
+- name: Upgrade k3s
+  ansible.builtin.import_playbook: k3s-ansible/upgrade.yml
+  throttle: 1
--- a/node-configuration/tasks/firmware_control.yml
+++ b/node-configuration/tasks/firmware_control.yml
@ -0,0 +1,82 @@
+# TBD
+# Add fan control config for rasp 4
+---
+
+- name: Check if Raspi5
+  lineinfile:
+    path: /proc/cpuinfo
+    regexp: "Raspberry Pi 5"
+    state: absent
+  register: is_raspi5
+  check_mode: yes
+  changed_when: false
+
+- name: Check if Raspi4
+  lineinfile:
+    path: /proc/cpuinfo
+    regexp: "Raspberry Pi 4"
+    state: absent
+  register: is_raspi4
+  check_mode: yes
+  changed_when: false
+
+- name: Check if PAGESIZE has been set
+  lineinfile:
+    path: /boot/firmware/config.txt
+    regexp: "kernel=kernel8.img"
+    state: absent
+  register: has_pagesize
+  check_mode: yes
+  changed_when: false
+
+- name: Set PAGESIZE to 4k
+  blockinfile:
+    dest: /boot/firmware/config.txt
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - PAGESIZE"
+    content: |
+      # Change PAGESIZE to 4k
+      kernel=kernel8.img
+  when: is_raspi5.found and not has_pagesize.found
+  register: pagesize
+
+- name: Check if manual fan control is enabled
+  lineinfile:
+    path: /boot/firmware/config.txt
+    regexp: "dtparam=pwm_fan_temp0=255"
+    state: absent
+  register: has_manual_fan_control5
+  check_mode: yes
+  changed_when: false
+
+- name: Enable manual fan control
+  blockinfile:
+    dest: /boot/firmware/config.txt
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - PWM FAN CONTROL"
+    content: |
+      # Enable manual fan control
+      dtparam=pwm_fan_temp0=255
+  when: is_raspi5.found and not has_manual_fan_control5.found
+  register: fan_control
+
+- name: Check if fan control is enabled
+  lineinfile:
+    path: /boot/firmware/config.txt
+    regexp: "dtoverlay=pwm,pin=18,func=2"
+    state: absent
+  register: has_manual_fan_control4
+  check_mode: yes
+  changed_when: false
+
+- name: Enable fan control
+  blockinfile:
+    dest: /boot/firmware/config.txt
+    content: |
+      # Enable fan control
+      dtoverlay=pwm,pin=18,func=2
+  when: is_raspi4.found and not has_manual_fan_control4.found
+  register: fan_control
+
+- name: Reboot to apply changes
+  ansible.builtin.reboot:
+  when: fan_control.changed or (pagesize and pagesize.changed)
+
--- a/node-configuration/tasks/journalctl.yml
+++ b/node-configuration/tasks/journalctl.yml
@ -0,0 +1,20 @@
+---
+- name: Ensures journalctl dir exists
+  file: 
+    path: /etc/systemd 
+    state: directory
+
+- name: Configure journalctl
+  copy:
+    src: ../templates/journald.conf
+    dest: /etc/systemd/journald.conf
+    backup: yes
+  register: journalctl_conf
+
+- name: Restart journalctl service
+  ansible.builtin.systemd:
+    name: systemd-journald
+    state: restarted
+    daemon_reload: true
+    enabled: true
+  when: journalctl_conf.changed
--- a/node-configuration/tasks/main.yml
+++ b/node-configuration/tasks/main.yml
@ -3,10 +3,18 @@
  import_tasks: ./ssh.yml
  become: yes

+- name: Configure journalctl
+  import_tasks: ./journalctl.yml
+  become: yes
+
 - name: Miscellaneous operations
  import_tasks: ./misc.yml
  become: yes

+- name: Firmware modifications
+  import_tasks: ./firmware_control.yml
+  become: yes
+
 - name: Install OpenMediaVault
  import_tasks: ./omv.yaml
  become: yes
--- a/node-configuration/tasks/misc.yml
+++ b/node-configuration/tasks/misc.yml
@ -21,9 +21,9 @@
    name: "{{ hostname }}"
  when: hostname is defined

- name: Install open-iscsi
+- name: Install curl
  ansible.builtin.package:
-      name: open-iscsi
+      name: curl
      state: present

 - name: Install nfs-common
@ -35,3 +35,20 @@
  ansible.builtin.package:
      name: libnfs-utils
      state: present
+
+- name: Install open-iscsi
+  ansible.builtin.package:
+      name: open-iscsi
+      state: present
+
+- name: Install sysstat
+  ansible.builtin.package:
+      name: sysstat
+      state: present
+
+- name: Enable sysstat service
+  ansible.builtin.systemd:
+    name: sysstat
+    enabled: true
+    state: started
+    daemon_reload: true
--- a/node-configuration/templates/journald.conf
+++ b/node-configuration/templates/journald.conf
@ -0,0 +1,4 @@
+[Journal]
+SystemMaxUse=256M
+RuntimeMaxUse=128M
+MaxFileSec=1month
--- a/user-provision/tasks/main.yml
+++ b/user-provision/tasks/main.yml
@ -49,6 +49,12 @@
      line: "PasswordAuthentication no"
    notify: restart sshd

+  - name: Remove SSH message
+    ansible.builtin.file:
+      path: /etc/ssh/sshd_config.d/rename_user.conf
+      state: absent
+    ignore_errors: yes
+
  - name: Change SSH port
    lineinfile:
      dest: "/etc/ssh/sshd_config"