Recently, I was intrigued by the idea that it is possible to use Ansible to manage real computers similar to the services in Kubernetes. That is, to achieve such a degree of automation that we can replace a burnt computer with another one and give it the same settings relatively quickly via Ansible.
This small project builds on these principles and strongly integrates DevOps approaches of infrastructure as code.
Warning
|
The intended use is on a new bare metal installation of Linux, deployment on already running machines could be problematic. |
-
First we clone the repository
git clone https://github.com/hufhend/ansible.git
-
All playbooks and roles are relative is the root directory ansible, we enter it.
cd ansible
-
Copy the sample variables, modify them as needed
cp -rfp sample/* .
-
And simply run the first playbook
ansible-playbook -i inventory.yaml -l node06 setup.yaml
Tip
|
I recommend to try the functions in a non-production environment, for example via Vagrant. |
Before the first launch, we need to assign a new computer and user to run Ansible. A special playbook and roles are used for this.
After a clean Linux installation, we usually have one regular user with sudo privileges. This is usually enough for us to manage the system from the command line, but for Ansible we need additional settings. The host_init role sets the default user to run Ansible, uploads the ssh keys, adds it to sudoers, and sets the hostname.
The goal of this playbook is to turn a regular Ubuntu for desktop or laptop into a much better tuned system. At the same time connected to IAC automation and more manageable remotely.
The playbook is simple and easy to read.
Usage:
ansible-playbook -i inventory.yaml -l notebook desktop.yaml
The goal of the playbook is to make a regular Ubuntu installation into a Kubernetes-ready system. For laptops, it disables all sleep sensors. It will install and set up keepalived for HA under the cluster for bare metal installation. Adds crontabs for updating. Optionally sets up a firewall.
This playbook can be combined with the desktop playbook.
Usage:
ansible-playbook -i inventory.yaml -l notebook K8s_cluster.yaml
Name | Description | Default value |
---|---|---|
|
user for the docker role |
|
|
node role in the cluster: master or worker |
|
|
decides whether to turn on the firewall |
|
|
determines if the computer is used by a human |
|
|
enables crontab setting at K8s value |
|
|
enabling roles for ARM single board computers |
|
The default setting of the comuter role causes tasks from the cluster_node to not be executed. The required value should be set in host_vars.
Name | Description | Default value |
---|---|---|
|
directory for Docker applications |
|
|
deploy the app gitea |
|
|
deploy the app pi-hole |
|
|
deploy the app prometheus |
|
Firewall rules were originally designed very simply and disabled by default. Later it started to evolve and add more functionality. Currently it can generate rules for a Kubernetes cluster node depending on its usage.
I followed the documentation, first by enabling known ports and then by analyzing the logs and resolving the residual blocked traffic - that’s where I used ChatGPT.
The major breakthrough was enabling East-West traffic, which I leave in Calico’s management.
Name | Description | Default value |
---|---|---|
|
internal protected network |
|
|
Kubernetes internal network |
|
|
destination port |
|
|
TCP/IP protocol |
|
|
source IP address |
|
|
apply the rule to routed/forwarded packets |
|
|
add a comment to the rule |
Firewall is not a separately executable role, it’s just an engine. You can find the rules setup in the cluster node role.
22 Dec 2024
-
New Home Assistant service added, both for Kubernetes and for OrangePi in remote locations
9 Dec 2024
-
Exposing a separate role for crontab
1 Oct 2024
-
The last planned part of the project is nearing completion and that is the automation of Raspberry Pi and Orange Pi. They are single board computers with minimal power consumption that will do a lot of work in home IT for almost free. They actually act as infrastructure, at the moment the DNS, Monitoring, VPN and Git parts are finished.
-
This is the most complex part of the whole project, so it came last on the agenda.
-
I will finish the documentation when I have time.
23 Jul 2024
-
Since nothing much has been changed to the Kubernetes firewall for a long time and it seems to be working, I consider this part basically done.
-
I’ve moved on to the most complicated part and that’s the Raspberry/OrangePi. Gradually, I want to add small but very useful things to the infrastructure that these single board computers can handle, making a strong backend for the home network and Kubernetes cluster.
-
The monitoring and DNS is done.
21 Jun 2024
-
Fully completed DNS role on Raspberry including end-to-end pass testing
-
Selected configurations out, there will be further improvements
18 Jun 2024
-
Added a key feature for Docker applications, the ability to upload custom configuration files, see commit 43a46ab.
-
Many bugs have been fixed, especially in the desktop installer and repositories.
-
Keep an eye on the commit history, I’ve started adding comments to the major ones.
28 May 2024
-
Firewall rules for Kubernetes nodes seem to be finalized.
9 May 2024
-
Major redesign of firewall rules, added cluster rules and special guest rules. See examples.
-
Today is 3 months since I started learning Ansible. The first playbook was created in the neighboring repo ubuntu-postinstall.
7 May 2024
-
Added role for laptops or desktop computers with GUI on Ubuntu Linux. It is simple but functional.
5 May 2024
-
Added functionality to insert crontabs into K8s nodes, basic disk health check and update underlying systems including restart for maintenance.
-
Added example host_vars.
-
Add additional tasks for the crontab, they will only run if they are defined. See the example for details.
To be continued