amirmoghi3
/
ops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ALL

master
Amir Hossein Moghiseh 2021-12-30 14:43:02 +03:30
parent 968c50f089
commit 5fe18449c0
32 changed files with 788 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.DS_Store vendored 100644
View File

Binary file not shown.

56
luncher.sh 100644
View File

@ -0,0 +1,56 @@
#!/bin/sh
echo "87.107.132.77 master1" >> /etc/hosts;
echo "31.7.74.79 master2" >> /etc/hosts;
echo "87.107.132.78 worker1" >> /etc/hosts;
echo "31.7.74.118 worker2" >> /etc/hosts;
echo "31.7.74.96 worker3" >> /etc/hosts;
sudo apt update -y;
sudo apt install apt-transport-https ca-certificates curl software-properties-common -y;
sudo apt install -y docker.io;
sudo systemctl start docker;
sudo systemctl enable docker;
# installing docker swarm
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -;
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable";
sudo apt update -y;
sudo apt install docker-ce -y;
# create user dockerman
sudo useradd -m dockerman;
sudo usermod -aG docker dockerman;
# add to sudoers
sudo echo "dockerman ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers;
# Get active primary interface name
interface=$(ip route | awk '/^default/ { print $5 }');
# Get IP address of active primary interface
ip=$(ip addr show $interface | awk '/inet / { sub("/.*", "", $2); print $2 }');
export HOST_IP=$ip;
export INT_name=$interface;
# remove ufw
sudo ufw disable;
# purge ufw
sudo apt-get purge ufw -y;
# disable swap
sudo swapoff -a;
sudo sed -i '/ swap / s/^/#/' /etc/fstab;
# set initial iptables rules
# open docker swarm ports in iptables

8
playbooks/apt/autoremove.yml 100644
View File

@ -0,0 +1,8 @@
---
- hosts: all
become: true
become_user: root
tasks:
- name: autoremove
apt:
autoremove: yes

9
playbooks/apt/update-and-reboot.yml 100644
View File

@ -0,0 +1,9 @@
---
- hosts: all
become: true
become_user: root
tasks:
- name: Update apt repo and cache on all Debian/Ubuntu boxes
apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
- name: reboot
reboot:

7
playbooks/apt/update.yml 100644
View File

@ -0,0 +1,7 @@
---
- hosts: all
become: true
become_user: root
tasks:
- name: Update apt repo and cache on all Debian/Ubuntu boxes
apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

10
playbooks/dns/begzar.yml 100644
View File

@ -0,0 +1,10 @@
- hosts: all
become: yes
tasks:
- name: set bgzar dns
copy:
src: resolv.begzar.conf
dest: /etc/resolv.conf
owner: root
group: root
mode: u=rwx,g=rwx,o=rwx

5
playbooks/dns/clearcache.yml 100644
View File

@ -0,0 +1,5 @@
---
- hosts: all
become: yes
tasks:
- shell: sudo systemd-resolve --flush-caches

4
playbooks/dns/resolv.begzar.conf 100644
View File

@ -0,0 +1,4 @@
nameserver 185.55.226.26
nameserver 185.55.225.25
nameserver 127.0.0.53
options edns0 trust-ad

4
playbooks/dns/resolv.conf 100644
View File

@ -0,0 +1,4 @@
nameserver 178.22.122.100
nameserver 185.51.200.2
nameserver 127.0.0.53
options edns0 trust-ad

10
playbooks/dns/shecan.yml 100644
View File

@ -0,0 +1,10 @@
- hosts: all
become: yes
tasks:
- name: set shecan dns
copy:
src: resolv.conf
dest: /etc/resolv.conf
owner: root
group: root
mode: u=rwx,g=rwx,o=rwx

55
playbooks/docker/install-docker.yml 100644
View File

@ -0,0 +1,55 @@
---
- hosts: all
become: true
tasks:
- name: installa dipendenze
apt:
name: "{{item}}"
state: present
update_cache: yes
loop:
- apt-transport-https
- ca-certificates
- curl
- gnupg-agent
- software-properties-common
- name: aggiungi chiave GPG
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: aggiungi repository docker
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu bionic stable
state: present
- name: installa docker
apt:
name: "{{item}}"
state: latest
update_cache: yes
loop:
- docker-ce
- docker-ce-cli
- containerd.io
- name: assicurati che docker sia attivo
service:
name: docker
state: started
enabled: yes
- name: Create "docker" group
group:
name: docker
state: present
- name: Add remote "ubuntu" user to "docker" group
user:
name: ubuntu
groups: docker
append: yes
handlers:
- name: restart docker
service:
name: docker
state: restarted

23
playbooks/docker/purge-install.yml 100644
View File

@ -0,0 +1,23 @@
---
- hosts: all
become: yes
tasks:
- shell: |
sudo apt update -y
sudo apt purge docker docker-engine docker.io containerd runc -y
sudo apt autoremove -y
- shell: |
sudo apt install docker.io -y
- service:
name: docker
state: start
- service:
name: docker
enable: yes
- name: print version of docker
command: docker --version
register: dockerversion
- debug:
msg: "{{ dockerversion.stdout }}"

9
playbooks/firewall/disable.yml 100644
View File

@ -0,0 +1,9 @@
---
- name: ufw
become: yes
hosts: all
tasks:
- name: disable ufw service
apt:
name: ufw
state: absent

12
playbooks/host/hosts 100644
View File

@ -0,0 +1,12 @@
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
31.7.74.79 master1
31.7.74.96 worker1
31.7.74.118 worker2

12
playbooks/host/setHosts.yml 100644
View File

@ -0,0 +1,12 @@
---
- name: set ip and hosts to hosts file
hosts: all
become: yes
tasks:
- name: ensure ip and hosts setted
copy:
src: hosts
dest: /etc/hosts
owner: root
group: root
mode: u=rw,g=r,o=r

178
playbooks/initialServer/build.yml 100644
View File

@ -0,0 +1,178 @@
---
- name: server initial command
hosts: 'all'
become: yes
become_method: sudo
become_user: root
vars_files:
- var/registry.yml
tasks:
- name: set hosts file
copy:
src: hosts
dest: /etc/hosts
mode: '0644'
- name: disable ufw
shell: ufw disable
- name: disable swap
shell: swapoff -a
### sudo ufw allow 2376/tcp && sudo ufw allow 7946/udp && sudo ufw allow 7946/tcp && sudo ufw allow 80/tcp && sudo ufw allow 2377/tcp && sudo ufw allow 4789/udp
- name: flush iptables
shell: |
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
- name: iptables for masters
when: inventory_hostname in groups['masters']
shell: |
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --dport 2376 -j ACCEPT
iptables -I INPUT -p tcp --dport 7946 -j ACCEPT
iptables -I INPUT -p udp --dport 7946 -j ACCEPT
iptables -I INPUT -p tcp --dport 2377 -j ACCEPT
iptables -I INPUT -p udp --dport 4789 -j ACCEPT
iptables -I INPUT -p tcp --dport 25196 -j ACCEPT
iptables-save >> /etc/iptables.rules.v4
- name: iptables for workers
when: inventory_hostname in groups['workers']
shell: |
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 25196 -j ACCEPT
iptables-save >> /etc/iptables.rules.v4
- name: sid swap off in fstab
shell: sed -i '/swap/d' /etc/fstab
- name: set timezone
shell: timedatectl set-timezone Asia/Tehran
- name: apt-get update
apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
- name: installing docker dependencies
apt:
name: "{{item}}"
state: present
update_cache: yes
with_items:
- ca-certificates
- curl
- gnupg
- lsb-release
- name: add docker key and add docker repo
shell: |
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
- name: installing docker-ce and docker-ce-cli and
apt:
name: "{{item}}"
state: present
update_cache: yes
with_items:
- docker-ce
- docker-ce-cli
- containerd.io
- name: start and enable docker and containerd
service:
name: "{{item}}"
state: started
enabled: yes
with_items:
- docker
- containerd
- name: create the docker user account
user: name=dockerman append=yes state=present createhome=yes shell=/bin/bash
- name: allow 'dockerman' to use sudo without needing a password
lineinfile:
dest: /etc/sudoers
line: 'dockerman ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
- name: add user to docker group
user:
name: dockerman
groups: docker
state: present
- name: reset and enable docker
shell: |
systemctl daemon-reload
systemctl restart docker
systemctl enable docker
- name: Get active primary interface name
shell: ip route | awk '/default/ { print $5 }'
register: interface
- name: Get active primary interface IP
shell: ip -o -4 addr show dev {{ interface.stdout_lines[0] }} | awk '{print $4}' | cut -d/ -f1
register: ip_address
# add docker home to enviroment variable
- name: add docker home to enviroment variable
shell: echo "export HOST_IP={{ ip_address.stdout_lines[0] }}" >> /home/dockerman/.bashrc
- name: add docker home to enviroment variable
shell: echo "export INT_NAME={{ interface.stdout_lines[0] }}" >> /home/dockerman/.bashrc
- name: nfs common
when: inventory_hostname in groups['workers']
apt:
name: nfs-common
state: present
update_cache: yes
- name: login docker
become: dockerman
shell: docker login -u {{ registry_user }} -p {{ registry_password }} {{ registry_url }}
- name: reboot
shell: reboot
ignore_errors: yes

19
playbooks/initialServer/hosts 100644
View File

@ -0,0 +1,19 @@
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
87.107.132.77 masterold
87.107.132.78 workerold
192.168.1.6 master1local
192.168.1.73 worker1local
192.168.1.254 worker2local
31.7.74.79 master1
31.7.74.118 worker1
31.7.74.96 worker2

15
playbooks/initialServer/letsencrypt.yml 100644
View File

@ -0,0 +1,15 @@
---
- name: installing lets encrypt for masters
hosts: masters
become: yes
tasks:
- name: installing lets encrypt
apt:
name: "{{item}}"
state: latest
update_cache: yes
with_items:
- letsencrypt
- python3-certbot-nginx

11
playbooks/initialServer/masters.yml 100644
View File

@ -0,0 +1,11 @@
---
- name: configure master for docker swarm
become: yes
become_user: dockerman
hosts: masters
# add var file
vars_files:
- "var/swarm.yml"
tasks:
- name: join master in swarm as manager
shell: docker swarm join --token {{ manager_token }} {{ master_ip }}:2377

6
playbooks/initialServer/reboot.yml 100644
View File

@ -0,0 +1,6 @@
---
- name: reboot all servers
hosts: all
become: yes
tasks:
- shell: reboot

68
playbooks/initialServer/supermaster.yml 100644
View File

@ -0,0 +1,68 @@
---
- name: configure supermaster for docker swarm
become: yes
hosts: supermaster
vars_files:
- "var/hosts.yml"
tasks:
- name: installing lets encrypt
apt:
name: "{{item}}"
state: latest
update_cache: yes
with_items:
- letsencrypt
- python3-certbot-nginx
- name: init swarm
become: dockerman
shell: docker swarm init --advertise-addr {{ item.local }}:2377
with_items:
- "{{ supermaster }}"
register: swarm_init
ignore_errors: yes
- name: install nfs server
apt: name=nfs-kernel-server state=present update_cache=yes
- name: create nfs directory
file: path=/volume state=directory mode=0777 owner=root group=root
- name: create multiple directories
shell: |
mkdir -p /volume/mongo
mkdir -p /volume/pg
mkdir -p /volume/rabbit
mkdir -p /volume/redis
mkdir -p /volume/ig/ls/wwwroot
mkdir -p /volume/ig/api/storage
mkdir -p /volume/dns
mkdir -p /volume/nginx
mkdir -p /volume/portainer
- name: create nfs export
shell: |
echo "/volume {{item.local}}/32(rw,sync,no_subtree_check,no_root_squash)" >> /etc/exports
with_items:
- "{{ clients }}"
- name: exportfs
shell: exportfs -a
- name: set iptables for clients ip for nfs
shell: |
iptables -A INPUT -s "{{ item.local }}"/32 -p tcp -m tcp --dport 2049 -j ACCEPT
with_items:
- "{{ clients }}"
- name: create overlay network
shell: |
docker network create --driver=overlay --attachable mother
ignore_errors: yes

13
playbooks/initialServer/sync-stacks.yml 100644
View File

@ -0,0 +1,13 @@
---
- name: sync stacks with master
become: yes
become_user: dockerman
hosts: supermaster
tasks:
- name: copy stack files
copy:
src: ../../stacks
dest: /home/dockerman/
owner: dockerman
group: dockerman
mode: '0700'

19
playbooks/initialServer/var/hosts.yml 100644
View File

@ -0,0 +1,19 @@
---
clients:
- name: "worker-1"
local: 192.168.1.73
global: 31.7.74.96
- name: "worker-2"
local: 192.168.1.254
global: 31.7.74.118
masters:
- name: "master-1"
local: 192.168.1.6
master: 31.7.74.79
supermaster:
- name: "master-1"
local: 192.168.1.6
master: 31.7.74.79

4
playbooks/initialServer/var/registry.yml 100644
View File

@ -0,0 +1,4 @@
---
registry_user: Runner
registry_password: 22102210aA
registry_url: registry.vnfco.ir

3
playbooks/initialServer/var/swarm.yml 100644
View File

@ -0,0 +1,3 @@
---
manager_token: SWMTKN-1-2qwry99zn95r9ehs30mnyu6b526ccdwlk21ciwri15zjrwbmoj-8z1x15gas5ujyk860zvdbmdnk
worker_token: SWMTKN-1-2qwry99zn95r9ehs30mnyu6b526ccdwlk21ciwri15zjrwbmoj-b0sesv6f6kntbfekxq0vf44os

29
playbooks/initialServer/workers.yml 100644
View File

@ -0,0 +1,29 @@
---
- name: configure worker for docker swarm
become: yes
hosts: workers
# add var file
vars_files:
- "var/swarm.yml"
- "var/hosts.yml"
tasks:
- name: join node in swarm as worker
shell: docker swarm join --token {{ worker_token }} {{ item.local }}:2377
with_items:
- "{{ supermaster }}"
ignore_errors: yes
- name: create /volume
shell: mkdir -p /volume
- name: mount nfs
shell: mount {{ item.local }}:/volume /volume
with_items:
- "{{ masters }}"
- name: mount nfs /etc/fstab
shell: echo "{{ item.local }}:/volume /volume nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0" >> /etc/fstab
with_items:
- "{{ masters }}"

10
playbooks/k8s/install-k8s-only.yml 100644
View File

@ -0,0 +1,10 @@
---
- hosts: all
become: true
gather_facts: yes
tasks:
- name: install kubernetes
shell: |
sudo apt-get update
sudo apt-get install -y kubelet=1.20.14 kubeadm=1.20.14 kubectl=1.20.14
sudo apt-mark hold kubelet kubeadm kubectl

77
playbooks/k8s/install-k8s.yml 100644
View File

@ -0,0 +1,77 @@
---
- hosts: "masters, workers"
remote_user: ubuntu
become: yes
become_method: sudo
become_user: root
gather_facts: yes
connection: ssh
tasks:
- name: Create containerd config file
file:
path: "/etc/modules-load.d/containerd.conf"
state: "touch"
- name: Add conf for containerd
blockinfile:
path: "/etc/modules-load.d/containerd.conf"
block: |
overlay
br_netfilter
- name: modprobe
shell: |
sudo modprobe overlay
sudo modprobe br_netfilter
- name: Set system configurations for Kubernetes networking
file:
path: "/etc/sysctl.d/99-kubernetes-cri.conf"
state: "touch"
- name: Add conf for containerd
blockinfile:
path: "/etc/sysctl.d/99-kubernetes-cri.conf"
block: |
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
- name: Apply new settings
command: sudo sysctl --system
- name: install containerd
shell: |
sudo apt-get update && sudo apt-get install -y containerd
sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml
sudo systemctl restart containerd
- name: disable swap
shell: |
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
- name: install and configure dependencies
shell: |
sudo apt-get update && sudo apt-get install -y apt-transport-https curl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
- name: Create kubernetes repo file
file:
path: "/etc/apt/sources.list.d/kubernetes.list"
state: "touch"
- name: Add K8s Source
blockinfile:
path: "/etc/apt/sources.list.d/kubernetes.list"
block: |
deb https://apt.kubernetes.io/ kubernetes-xenial main
- name: install kubernetes
shell: |
sudo apt-get update
sudo apt-get install -y kubelet=1.20.1-00 kubeadm=1.20.1-00 kubectl=1.20.1-00
sudo apt-mark hold kubelet kubeadm kubectl

43
playbooks/k8s/master.yml 100644
View File

@ -0,0 +1,43 @@
- hosts: masters
become: yes
tasks:
- name: initialize the cluster
shell: kubeadm init --pod-network-cidr=10.244.0.0/16
args:
chdir: $HOME
creates: cluster_initialized.txt
- name: create .kube directory
become: yes
become_user: kube
file:
path: $HOME/.kube
state: directory
mode: 0755
- name: copies admin.conf to user's kube config
copy:
src: /etc/kubernetes/admin.conf
dest: /home/kube/.kube/config
remote_src: yes
owner: kube
- name: install Pod network
become: yes
become_user: kube
shell: kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
args:
chdir: $HOME
- name: Get the token for joining the worker nodes
become: yes
become_user: kube
shell: kubeadm token create --print-join-command
register: kubernetes_join_command
- debug:
msg: "{{ kubernetes_join_command.stdout }}"
- name: Copy join command to local file.
become: yes
local_action: copy content="{{ kubernetes_join_command.stdout_lines[0] }}" dest="/tmp/kubernetes_join_command" mode=0777

16
playbooks/k8s/purge-k8s.yml 100644
View File

@ -0,0 +1,16 @@
---
- hosts: all
become: yes
tasks:
- shell: |
kubeadm reset -f
sudo apt-mark unhold kube*
sudo apt-get purge kubeadm kubectl kubelet kubernetes-cni kube* -y
sudo apt-get autoremove -y
sudo rm -rf ~/.kube
- shell: systemctl daemon-reload
changed_when: False
- name: restart docker
service:
name: docker
state: restarted

18
playbooks/k8s/users.yml 100644
View File

@ -0,0 +1,18 @@
---
- hosts: 'workers, masters'
become: yes
tasks:
- name: create the kube user account
user: name=kube append=yes state=present createhome=yes shell=/bin/bash
- name: allow 'kube' to use sudo without needing a password
lineinfile:
dest: /etc/sudoers
line: 'kube ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
- name: set up authorized keys for the kube user
authorized_key: user=kube key="{{item}}"
with_file:
- ~/.ssh/id_rsa.pub

35
stacks/lvl0/stack.yml 100644
View File

@ -0,0 +1,35 @@
version: '3.2'
services:
agent:
image: registry.vnfco.ir/library/portainer/agent:2.11.0
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- portainer_agent
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: registry.vnfco.ir/library/portainer/portainer-ce:2.11.0
command: -H tcp://tasks.agent:9001 --tlsskipverify
ports:
- "9443:9443"
- "9000:9000"
- "8000:8000"
volumes:
- /volume/portainer:/data
networks:
- portainer_agent
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
networks:
portainer_agent:
external: true