better fedora setup

plays/fedora-k3s-setup.yml

@@ -1,19 +0,0 @@
-- name: Customization and hardening of fresh fedora install running on a VM
-  hosts: fedora_server
-  become: yes
-  # reuse password for sudo
-  become_method: sudo
-
-  user: ansible
-  
-  vars_prompt:
-    - name: k3s_token
-      prompt: "Enter a (single use) k3s token"
-      private: yes
-  
-  vars:
-    - master_ip: "{{ hostvars['fedora-node-1']['ansible_default_ipv4']['address'] }}"
-  roles:
-    - role: ssh-key-copy
-    - role: fail2ban
-    - role: k3s-ha

plays/k3s-fedora-lxc.yml

@@ -0,0 +1,58 @@
+- name: Setup of fedora LXC containers
+  hosts: proxmox
+  become: yes
+  user: root
+  
+  vars:
+    - proxmox_user: root@pam
+      proxmox_token: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31376165343635623536393936353032333638636564646665646464386635383761623632373036
+          3433306233633465313737303039346635353363326562320a336532666632613663303730643136
+          36353430353638616239313766666233396339643431636161373965383664663230616664336162
+          3730353264643434390a386132383238613165653037623466383732323835356365326439656565
+          38666466343932356137393333623964333463303564623666656533626331646535306531343836
+          3136313232333265303336613235336334323963316439383230
+      proxmox_node: proxmox
+      proxmox_token_id: ansible
+
+
+
+  tasks:
+    - name: Create 3 fedora LXC containers
+      include_role:
+        name: proxmox-lxc-fedora
+      vars:
+        lxc_id: "{{ 150 + item.index }}"
+        lxc_ip: "192.168.1.{{ 200 + item.index }}"
+        lxc_gateway: "192.168.1.1"
+        name: "{{ item.name }}"
+
+      loop:
+        - name: k3s-1
+          index: 1
+        - name: k3s-2
+          index: 2
+        - name: k3s-3
+          index: 3
+      loop_control:
+        index_var: loop_index
+
+
+- name: Setup of k3s cluster
+  hosts: lxc_fedora
+  become: yes
+  user: root
+
+
+  vars_prompt:
+    - name: k3s_token
+      prompt: "Enter a (single use) k3s token"
+      private: yes
+
+
+  roles:
+    - role: k3s-ha
+
+
+# CAUTION - THIS IS BROKEN

plays/k3s-fedora-vm.yml

@@ -16,8 +16,34 @@
       proxmox_node: proxmox
       proxmox_token_id: ansible
 
+  tasks:
+    - name: Create 2 fedora vms
+      include_role:
+        name: proxmox-fedora-vm
+      vars:
+        name: "{{ item.name }}"
+        vm_id: "{{ 200 + item.index }}"
+        vm_ip: "192.168.1.{{ 200 + item.index }}"
+      loop:
+        - name: k3s-1
+          index: 1
+        - name: k3s-2
+          index: 2
+      loop_control:
+        index_var: loop_index
+
+
+- name: Setup of k3s cluster
+  hosts: kvm_fedora # this group is created by the previous task
+  become: yes
+  user: root
+
+
+  vars_prompt:
+    - name: k3s_token
+      prompt: "Enter a (single use) k3s token"
+      private: yes
+
+
   roles:
-    - role: proxmox-fedora-vm
+    - role: k3s-ha
-      vms:
-        - name: fedora-node-1
-        - name: fedora-node-2

plays/k3s-full-deployment.yaml

@@ -1,5 +0,0 @@
-- name: Full k3s deployment
-  hosts: localhost
-
-  roles: 
-    - role: role-k3s-deployments

plays/proxmox-lxc-wireguard.yaml

@@ -0,0 +1,16 @@
+- name: WG-easy setup on a fresh Proxmox lxc container
+  hosts: ubuntu-wireguard
+  user: ubuntu
+
+  vars_prompt:
+    - name: vpn_admin_password
+      prompt: "Enter the http password for the vpn admin interface"
+      private: yes
+
+  roles:
+    - role: ssh-key-copy
+    - role: docker-install
+    - role: wireguard-easy-docker
+      vars:
+        - vpn_hostname: vpn.kluster.moll.re
+        # - vpn_admin_password

plays/proxmox-setup.yml

@@ -2,7 +2,6 @@
   hosts: proxmox
   user: root
 
-
   roles:
     - role: proxmox-basic-setup
 

roles/docker-install/main.yml

@@ -0,0 +1,22 @@
+- name: Install docker
+  package:
+    name: docker-ce
+    state: present
+    update_cache: yes
+  become: true
+
+- name: Add user to docker group
+  user:
+    name: "{{ ansible_user }}"
+    groups: docker
+    append: yes
+  become: true
+
+- name: Start docker service
+  service:
+    name: docker
+    state: started
+    enabled: yes
+  become: true
+
+  

roles/k3s-ha/tasks/main.yml

@@ -9,13 +9,20 @@
     mode: 0755
 
 
+- name: Create k3s config directory
+  file:
+    path: "/var/config/k3s"
+    state: directory
+    mode: 0755
+
+
 - name: Create k3s config file
   template:
     src: ../templates/config.yml.j2
-    dest: "/home/{{ ansible_user }}/k3s_config.yml"
+    dest: "/var/config/k3s/config.yml"
 
 
-- name: Only run uninstall script if it exists
+- name: Only run uninstall script if it exists (clean install)
   become: true
   shell: /usr/local/bin/k3s-uninstall.sh
   args:
@@ -23,7 +30,7 @@
   
 
 - name: Execute k3s install script providing a config.yml
-  shell: "/tmp/install-k3s.sh --config /home/{{ ansible_user }}/k3s_config.yml server"
+  shell: "/tmp/install-k3s.sh --config /var/config/k3s/config.yml server"
 
 
 - name: Copy kube config file back to local machine

roles/k3s-ha/tasks/prerequisites.yml

@@ -1,3 +1,19 @@
+- name: Install required packages
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - firewalld
+    - curl
+
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    state: started
+    enabled: yes
+
+
 - name: Set firewalld rule for required ports
   firewalld:
     port: "{{ item }}"
@@ -5,6 +21,8 @@
     state: enabled
     immediate: yes
   loop:
+    - 22/tcp # ssh
+    # k3s ports
     - 2379-2380/tcp
     - 6443/tcp
     - 8472/udp
@@ -13,7 +31,8 @@
     - 7946/udp
     - 7946/tcp
 
-- name: Set firewalld rule for rquired zones
+
+- name: Set firewalld rule for required zones
   firewalld:
     zone: trusted
     source: "{{ item }}"
@@ -23,13 +42,3 @@
   loop:
     - 10.42.0.0/16 # pods
     - 10.43.0.0/16 # services
-
-- name: Update hostname to be unique
-  ansible.builtin.replace:
-    path: /etc/hosts
-    regexp: '(\s+)localhost(\s+.*)?$'
-    replace: '\{{ inventory_hostname }}\2'
-
-- name: Set hostname
-  ansible.builtin.hostname:
-    name: "{{ inventory_hostname }}"

roles/k3s-ha/templates/config.yml.j2

@@ -4,9 +4,8 @@ disable:
     - traefik
     - servicelb
 
-{% if ansible_host == master_ip %}
+{% if inventory_hostname == ansible_play_hosts[0] %}
 cluster-init: true
 {% else %}
-server: https://{{ master_ip }}:6443
+server: https://{{ hostvars['k3s-1'].ansible_default_ipv4.address }}:6443
 {% endif %}
-

roles/proxmox-fedora-vm/tasks/main.yml

@@ -1,32 +1,75 @@
-- name: Proxmox VM provisioning
+# - name: Download fedora qcow2 template
-  community.general.proxmox_kvm:
+#   get_url:
-    api_host: "{{ ansible_host }}"
+#     url: "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Cloud/x86_64/images/Fedora-Cloud-Base-39-1.5.x86_64.qcow2"
-    api_user: "{{ proxmox_user }}"
+#     dest: "/var/lib/vz/template/fedora-cloud-39-template.qcow2"
-    api_token_id: "{{ proxmox_token_id }}"
+#     mode: 0644
-    api_token_secret: "{{ proxmox_token }}"
-    node: "{{ proxmox_node }}"
 
-    # source:
+#   # export the path:
-    clone: fedora-server-template
+#   register: fedora_dowload
-    # created manually already installed
+#   run_once: true
-    vmid: 100
-    # newid: "{{ 110 + loop_index }}"
-    name: "{{ item.name }}"
-    storage: VM_storage
-    agent: true
-    timeout: 60
-
-  loop: "{{ vms }}"
 
 
-- name: Ensure VMs are booted
+# - name: Provision a new VM (empty for now)
-  community.general.proxmox_kvm:
+#   community.general.proxmox_kvm:
-    api_host: "{{ ansible_host }}"
+#     api_host: "{{ ansible_host }}"
-    api_user: "{{ proxmox_user }}"
+#     api_user: "{{ proxmox_user }}"
-    api_token_id: "{{ proxmox_token_id }}"
+#     api_token_id: "{{ proxmox_token_id }}"
-    api_token_secret: "{{ proxmox_token }}"
+#     api_token_secret: "{{ proxmox_token }}"
-    node: "{{ proxmox_node }}"
+#     node: "{{ proxmox_node }}"
-    # set manually:
+
-    name: "{{ item.name }}"
+#     storage: VM_storage
-    state: started
+#     ostype: l26
-  loop: "{{ vms }}"
+#     cores: 4
+#     memory: 500
+#     net:
+#       net0: 'virtio,bridge=vmbr0'
+#     vmid: "{{ vm_id }}"
+#     name: "{{ name }}"
+#     onboot: true
+#     agent: true
+
+#     # graphics
+#     vga: serial0
+#     serial:
+#       serial0: socket
+
+#     # required for cloud-init
+#     scsihw: virtio-scsi-pci
+#     bootdisk: scsi0
+#     boot: "order=scsi0"
+
+#     # cloud init config
+#     ide:
+#       ide2: VM_storage:cloudinit
+#     sshkeys: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
+#     ipconfig:
+#       ipconfig0: 'ip={{ vm_ip }}/24,gw=192.168.1.1'
+#     ciuser: ansible
+
+#     timeout: 60
+
+
+# - name: Import fedora qcow2 template
+#   shell: |
+#     qm disk import "{{ vm_id }}" "{{ fedora_dowload.dest }}" VM_storage --format qcow2
+#     qm set "{{ vm_id }}" --scsi0 VM_storage:vm-{{ vm_id }}-disk-0,discard=on
+#     qm resize "{{ vm_id }}" scsi0 50G
+
+
+# - name: Boot VM
+#   community.general.proxmox_kvm:
+#     api_host: "{{ ansible_host }}"
+#     api_user: "{{ proxmox_user }}"
+#     api_token_id: "{{ proxmox_token_id }}"
+#     api_token_secret: "{{ proxmox_token }}"
+#     node: "{{ proxmox_node }}"
+#     vmid: "{{ vm_id }}"
+#     state: started
+
+
+- name: Add host to group 'kvm_fedora' with variable
+  ansible.builtin.add_host:
+    groups: kvm_fedora
+    name: "{{ name }}"
+    ansible_host: "{{ vm_ip }}"
+    ansible_user: ansible

roles/proxmox-lxc-fedora/tasks/main.yml

@@ -0,0 +1,72 @@
+- name: Add fedora LXC container
+  proxmox:
+    vmid: "{{ lxc_id }}"
+    hostname: "{{ name }}"
+    state: present
+    node: "{{ proxmox_node }}"
+    ostemplate: local:vztmpl/fedora-39-default_20231118_amd64.tar.xz
+    ostype: fedora
+    memory: 9216 # 9GB
+    swap: 0
+    cores: 5
+    netif: '{"net0":"name=eth0,gw={{ lxc_gateway }},ip={{ lxc_ip }}/24,bridge=vmbr0"}'
+    onboot: 1
+    pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
+    unprivileged: false
+    disk: local-lvm:20
+
+    api_user: "{{ proxmox_user }}"
+    api_host: "{{ proxmox_node }}"
+    api_token_secret: "{{ proxmox_token }}"
+    api_token_id: "{{ proxmox_token_id }}"
+    timeout: 30
+
+
+- name: Add k3s specific config to LXC config file
+  lineinfile:
+    state: present
+    path: "/etc/pve/lxc/{{ lxc_id }}.conf"
+    line: |
+      lxc.apparmor.profile: unconfined
+      lxc.cgroup.devices.allow: a
+      lxc.cap.drop:
+      lxc.mount.auto: proc:rw sys:rw
+      lxc.autodev: 1
+      lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
+      lxc.mount.entry: /lib/modules /lib/modules none bind,optional,create=dir
+
+      
+- name: Add host to group 'lxc_fedora' with variable
+  ansible.builtin.add_host:
+    groups: lxc_fedora
+    name: "{{ name }}"
+    ansible_host: "{{ lxc_ip }}"
+    ansible_user: root
+
+
+- name: Start LXC container
+  proxmox:
+    vmid: "{{ lxc_id }}"
+    state: started
+    node: "{{ proxmox_node }}"
+    api_user: "{{ proxmox_user }}"
+    api_host: "{{ proxmox_node }}"
+    api_token_secret: "{{ proxmox_token }}"
+    api_token_id: "{{ proxmox_token_id }}"
+    timeout: 30
+
+
+# Note: at this point the LXC container is running but cannot be accessed via ssh
+- name: Use lxc to install openssh-server
+  ansible.builtin.command: |
+    lxc-attach -n {{ lxc_id }} -- dnf install -y openssh-server
+
+
+- name: Push boot config to LXC container
+  ansible.builtin.command: |
+    pct push {{ lxc_id }} /boot/config-{{ ansible_kernel }} /boot/config-{{ ansible_kernel }}
+
+
+- name: Use lxc to enable openssh-server
+  ansible.builtin.command: |
+    lxc-attach -n {{ lxc_id }} -- systemctl enable --now sshd

roles/proxmox-win10-vm/tasks/main.yml

@@ -1,10 +0,0 @@
-- name: Blacklist GPU drivers
-  ansible.builtin.lineinfile:
-    path: /etc/modprobe.d/blacklist.conf
-    line: blacklist amdgpu
-
-- name: Add Windows 10 VM
-  template:
-    src: ../templates/vm.conf.j2
-    dest: /etc/pve/qm/106.conf
-

roles/proxmox-win10-vm/templates/blacklist.conf

@@ -1 +0,0 @@
-blacklist amdgpu

roles/proxmox-win10-vm/templates/vm.conf.j2

@@ -1,5 +0,0 @@
-bios: ovmf
-scsihw: virtio-scsi-pci
-bootdisk: scsi0
-scsi0: .....
-hostpci0: 34:00:00,x-vga=on