mirror of
https://github.com/k3s-io/k3s-ansible.git
synced 2024-11-15 10:25:12 +01:00
e01a8a2a8a
* Allow additional manifests to be deployed Signed-off-by: Derek Nola <derek.nola@suse.com>
190 lines
5.2 KiB
YAML
190 lines
5.2 KiB
YAML
---
|
|
- name: Install Dependent Ubuntu Packages
|
|
when: ansible_distribution in ['Ubuntu']
|
|
ansible.builtin.apt:
|
|
name: policycoreutils # Used by install script to restore SELinux context
|
|
update_cache: yes
|
|
|
|
- name: Enable IPv4 forwarding
|
|
ansible.posix.sysctl:
|
|
name: net.ipv4.ip_forward
|
|
value: "1"
|
|
state: present
|
|
reload: true
|
|
|
|
- name: Enable IPv6 forwarding
|
|
ansible.posix.sysctl:
|
|
name: net.ipv6.conf.all.forwarding
|
|
value: "1"
|
|
state: present
|
|
reload: true
|
|
when: ansible_all_ipv6_addresses
|
|
|
|
- name: Populate service facts
|
|
ansible.builtin.service_facts:
|
|
|
|
- name: Allow UFW Exceptions
|
|
when:
|
|
- ansible_facts.services['ufw'] is defined
|
|
- ansible_facts.services['ufw'].state == 'running'
|
|
block:
|
|
- name: Get ufw status
|
|
ansible.builtin.command:
|
|
cmd: ufw status
|
|
changed_when: false
|
|
register: ufw_status
|
|
|
|
- name: If ufw enabled, open api port
|
|
when:
|
|
- ufw_status['stdout'] == "Status':' active"
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ api_port }}"
|
|
proto: tcp
|
|
|
|
- name: If ufw enabled, open etcd ports
|
|
when:
|
|
- ufw_status['stdout'] == "Status':' active"
|
|
- groups['server'] | length > 1
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "2379:2381"
|
|
proto: tcp
|
|
|
|
- name: If ufw enabled, allow default CIDRs
|
|
when:
|
|
- ufw_status['stdout'] == "Status':' active"
|
|
community.general.ufw:
|
|
rule: allow
|
|
src: '{{ item }}'
|
|
loop:
|
|
- 10.42.0.0/16 # Pods
|
|
- 10.43.0.0/16 # Services
|
|
|
|
- name: Allow Firewalld Exceptions
|
|
when:
|
|
- ansible_facts.services['firewalld.service'] is defined
|
|
- ansible_facts.services['firewalld.service'].state == 'running'
|
|
block:
|
|
- name: If firewalld enabled, open api port
|
|
ansible.posix.firewalld:
|
|
port: "{{ api_port }}/tcp"
|
|
zone: trusted
|
|
state: enabled
|
|
permanent: true
|
|
immediate: true
|
|
|
|
- name: If firewalld enabled, open etcd ports
|
|
when: groups['server'] | length > 1
|
|
ansible.posix.firewalld:
|
|
port: "2379-2381/tcp"
|
|
zone: trusted
|
|
state: enabled
|
|
permanent: true
|
|
immediate: true
|
|
|
|
- name: If firewalld enabled, allow default CIDRs
|
|
ansible.posix.firewalld:
|
|
source: "{{ item }}"
|
|
zone: trusted
|
|
state: enabled
|
|
permanent: true
|
|
immediate: true
|
|
loop:
|
|
- 10.42.0.0/16 # Pods
|
|
- 10.43.0.0/16 # Services
|
|
|
|
- name: Add br_netfilter to /etc/modules-load.d/
|
|
ansible.builtin.copy:
|
|
content: "br_netfilter"
|
|
dest: /etc/modules-load.d/br_netfilter.conf
|
|
mode: "u=rw,g=,o="
|
|
when: (ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux')
|
|
|
|
- name: Load br_netfilter
|
|
community.general.modprobe:
|
|
name: br_netfilter
|
|
state: present
|
|
when: (ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux')
|
|
|
|
- name: Set bridge-nf-call-iptables (just to be sure)
|
|
ansible.posix.sysctl:
|
|
name: "{{ item }}"
|
|
value: "1"
|
|
state: present
|
|
reload: true
|
|
when: (ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux')
|
|
loop:
|
|
- net.bridge.bridge-nf-call-iptables
|
|
- net.bridge.bridge-nf-call-ip6tables
|
|
|
|
- name: Check for Apparmor existence
|
|
ansible.builtin.stat:
|
|
path: /sys/module/apparmor/parameters/enabled
|
|
register: apparmor_enabled
|
|
|
|
- name: Check if Apparmor is enabled
|
|
when: apparmor_enabled.stat.exists
|
|
ansible.builtin.command: cat /sys/module/apparmor/parameters/enabled
|
|
register: apparmor_status
|
|
changed_when: false
|
|
|
|
- name: Install Apparmor Parser [Suse]
|
|
when:
|
|
- apparmor_status.stdout == "Y"
|
|
- ansible_os_family == 'Suse'
|
|
ansible.builtin.package:
|
|
name: apparmor-parser
|
|
state: present
|
|
|
|
- name: Install Apparmor Parser [Debian]
|
|
when:
|
|
- apparmor_status.stdout == "Y"
|
|
- ansible_distribution == 'Debian'
|
|
- ansible_facts['distribution_major_version'] == "11"
|
|
ansible.builtin.package:
|
|
name: apparmor
|
|
state: present
|
|
|
|
- name: Add /usr/local/bin to sudo secure_path
|
|
ansible.builtin.lineinfile:
|
|
line: 'Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'
|
|
regexp: "Defaults(\\s)*secure_path(\\s)*="
|
|
state: present
|
|
insertafter: EOF
|
|
path: /etc/sudoers
|
|
validate: 'visudo -cf %s'
|
|
when: ansible_os_family == 'RedHat'
|
|
|
|
- name: Setup alternative K3s directory
|
|
when:
|
|
- k3s_server_location is defined
|
|
- k3s_server_location != "/var/lib/rancher/k3s"
|
|
block:
|
|
- name: Make rancher directory
|
|
ansible.builtin.file:
|
|
path: "/var/lib/rancher"
|
|
mode: 0755
|
|
state: directory
|
|
- name: Create symlink
|
|
ansible.builtin.file:
|
|
dest: /var/lib/rancher/k3s
|
|
src: "{{ k3s_server_location }}"
|
|
force: true
|
|
state: link
|
|
|
|
- name: Setup extra manifests
|
|
when: extra_manifests is defined
|
|
block:
|
|
- name: Make manifests directory
|
|
ansible.builtin.file:
|
|
path: "/var/lib/rancher/k3s/server/manifests"
|
|
mode: 0700
|
|
state: directory
|
|
- name: Copy manifests
|
|
ansible.builtin.copy:
|
|
src: "{{ item }}"
|
|
dest: "/var/lib/rancher/k3s/server/manifests"
|
|
mode: 0600
|
|
loop: "{{ extra_manifests }}"
|