diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0178e91
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*~
+k3s-host/secrets.sh
+k3s-host/variables.sh
diff --git a/README.md b/README.md
index b9ee6e5..62d98a6 100644
--- a/README.md
+++ b/README.md
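Review bot: `k3s-host/variables.sh` is ignored here, but `k3s-host/subst.sh` in this same commit sources it unconditionally, so a fresh clone fails at that `source` line with no hint of what the file should contain. Committing a `k3s-host/variables.sh.example` (or a README paragraph listing the variables the scripts read, such as node_k8s_etcd, node_nfs_server and failover_ipv4) would document the expected layout without exposing the real values. The same applies to `k3s-host/secrets.sh`, which setup_k8s tells the operator to edit.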
@@ -790,33 +790,19 @@ stream { https://hetzner05.forgejo.org & https://hetzner06.forgejo.org run on [EX44](https://www.hetzner.com/dedicated-rootserver/ex44) Hetzner hardware. -#### LXC +#### Imaging -```sh -lxc-helpers.sh lxc_install_lxc_inside 10.47.3 fc11 -``` +Using installimage from the rescue instance. -#### NFS +- `wipefs -fa /dev/nvme*n1` +- `installimage -r no -n hetzner0?` +- Debian bookworm +- `PART / ext4 100G` +- `PART /srv ext4 all` +- ESC 0 + yes +- reboot -[server](https://wiki.archlinux.org/title/NFS). - -```sh -sudo apt install nfs-kernel-server nfs-common -cat < clusterissuer.yml < metallb.yaml < traefik.yml <&/dev/null; then + sudo apt-get -q install -qq -y $dependencies +fi + +function setup_ufw() { + sudo apt-get -q install -qq -y ufw + + sudo ufw --force reset + + sudo ufw default allow incoming + sudo ufw default allow outgoing + sudo ufw default allow routed + + for from in $nodes; do + for to in $nodes; do + if test $from != $to; then + for v in ipv4 ipv6; do + eval from_ip=\${node_$v[$from]} + eval to_ip=\${node_$v[$to]} + sudo ufw allow in on $interface from $from_ip to $to_ip + done + fi + done + done + + for host_ip in ${node_ipv4[$self_node]} ${node_ipv6[$self_node]}; do + sudo ufw allow in on $interface to $host_ip port 22 proto tcp + sudo ufw deny in on $interface log-all to $host_ip + done + + for public_ip in $failover_ipv4 $failover_ipv6; do + sudo ufw allow in on $interface to $public_ip port 22,80,443,2000:3000 proto tcp + sudo ufw deny in on $interface log-all to $public_ip + done + + sudo ufw enable + sudo systemctl start ufw + sudo systemctl enable ufw + sudo ufw status verbose +} + +function setup_drbd() { + if ! test -f /etc/network/interfaces.d/drbd; then + cat <&/dev/null; then + sudo drbdadm create-md $node_drbd_resource + sudo systemctl enable drbd + sudo systemctl start drbd + fi + if ! 
grep --quiet '^/dev/drbd0 /precious' /etc/fstab; then
+ echo /dev/drbd0 /precious ext4 noauto,noatime,defaults 0 0 | sudo tee -a /etc/fstab
+ sudo mkdir -p /precious
+ fi
+}
+
+function setup_nfs() {
+ sudo apt-get install -y nfs-kernel-server nfs-common
+
+ if ! test -f /etc/network/interfaces.d/nfs; then
+ cat <>~/.bashrc
+ fi
+ if ! sudo systemctl --quiet is-active k3s; then
+ args=""
+ if test "$existing"; then
+ if ! test "$node_k8s_token"; then
+ echo "obtain the token from node $existing with sudo cat /var/lib/rancher/k3s/server/token and set node_k8s_token= in secrets.sh"
+ exit 1
+ fi
+ args="$args --token $node_k8s_token --server https://$node_k8s_ipv4_prefix.$existing:6443"
+ fi
+ if test "$self_node" = $node_k8s_etcd; then
+ args="$args --disable-apiserver --disable-controller-manager --disable-scheduler"
+ fi
+ curl -fL https://get.k3s.io | sh -s - server $args --cluster-init --disable=servicelb --write-kubeconfig-mode=644 --node-ip=$node_k8s_ipv4_prefix.$self_node,$node_k8s_ipv6_prefix::$self_node $node_k8s_cidr --flannel-ipv6-masq
+ if test "$self_node" = $node_k8s_etcd; then
+ retry --times 20 -- kubectl taint nodes $(hostname) key1=value1:NoSchedule
+ fi
+ if test "$self_node" != $node_k8s_etcd; then
+ curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash -
+ fi
+ fi
+}
+
+function setup_k8s_apply() {
+ retry --delay 30 --times 10 -- bash -c "$SELF_DIR/subst.sh $1 | kubectl apply --server-side=true -f -"
+}
+
+function setup_k8s_traefik() {
+ setup_k8s_apply traefik.yml
+}
+
+function setup_k8s_nfs() {
+ setup_k8s_apply nfs.yml
+}
+
+function setup_k8s_metallb() {
+ helm repo add metallb https://metallb.github.io/metallb
+ helm upgrade --install metallb --set installCRDs=true metallb/metallb
+ setup_k8s_apply metallb.yml
+}
+
+function setup_k8s_certmanager() {
+ helm upgrade --install mycertmanager --set installCRDs=true oci://registry-1.docker.io/bitnamicharts/cert-manager
+ setup_k8s_apply certmanager.yml
+}
+
+function setup_k8s_pvc() {
+ export pvc_name=$1
+ export pvc_capacity=$2
+ export pvc_owner=$3
+
+ sudo mount -o nfsvers=4.2 $node_nfs_server:/k8s /opt
+ sudo mkdir -p /opt/$pvc_name
+ sudo chown $pvc_owner:$pvc_owner /opt/$pvc_name
+ sudo umount /opt
+
+ setup_k8s_apply pvc.yml
+}
+
+"$@"
diff --git a/k3s-host/subst.sh b/k3s-host/subst.sh
new file mode 100755
index 0000000..c5afc89
--- /dev/null
+++ b/k3s-host/subst.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+SELF_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source $SELF_DIR/variables.sh
+
+eval "cat <
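Review bot: `--write-kubeconfig-mode=644` on the k3s install line in setup_k8s leaves /etc/rancher/k3s/k3s.yaml, which carries cluster-admin credentials, readable by every local account on the node; dropping the flag keeps the installer's restrictive default, or use `--write-kubeconfig-mode=600` and hand the file to specific users as needed. The same command places the join token on argv through `args="$args --token $node_k8s_token --server ..."`, where it is visible in `ps` output and in any `set -x` trace; the installer accepts it from the environment instead, e.g. `curl -fL https://get.k3s.io | K3S_TOKEN=$node_k8s_token sh -s - server $args ...` with the `--token` part removed from args (the prefix must sit on the `sh` stage, not on curl). In setup_ufw the two `eval from_ip=\${node_$v[$from]}` lines can avoid eval with a nameref, `local -n addrs=node_$v; from_ip=${addrs[$from]}`, and `$pvc_owner`/`/opt/$pvc_name` in setup_k8s_pvc should be double-quoted like the rest of the arguments. The start of this file's hunk, including its diff header, is not intact in this chunk, so this note covers only the visible tail.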