diff --git a/ansible/playbooks/k8s.yaml b/ansible/playbooks/k8s.yaml index a9bb78c..580e913 100644 --- a/ansible/playbooks/k8s.yaml +++ b/ansible/playbooks/k8s.yaml @@ -1,16 +1,26 @@ --- +- name: create the vms + hosts: hv00 + gather_facts: true + become: true + roles: + - k8s_vms + - name: python bootstrap hosts: k8s gather_facts: false become: true roles: - python-install -- name: ssh hardening + +- name: vm hardening hosts: k8s gather_facts: true become: true roles: - sshd + - firewall + - name: configure control plane hosts: k8s_control gather_facts: true diff --git a/ansible/roles/k8s_vms/defaults/main.yml b/ansible/roles/k8s_vms/defaults/main.yml new file mode 100644 index 0000000..f6bddbe --- /dev/null +++ b/ansible/roles/k8s_vms/defaults/main.yml @@ -0,0 +1,19 @@ +--- +vm_name_prefix: "kube" +vm_name_suffixes: ["01","02","03"] +vhd_template: "kube_template_vda.qcow2" +root_vhd_pool_dir: "/vhds" # No trailing / +data_vhd_pool_dir: +fw_vars_pool_dir: "/var/lib/libvirt/qemu/nvram" # No trailing / +vm_memory: "16" +vm_cpu: "4" +vm_cpu_cores: "2" +vm_cpu_threads: "2" +vm_bridge: "br1" +vm_mac_prefix: "52:54:00:e3:af:" +vm_subnet_prefix: "192.168.199.1" # vm suffix will be appended to this +vm_subnet_suffix: "/24" +vm_gateway: "192.168.199.254" +vm_domain: "balsillie.net" +vm_machine_type: "pc-q35-7.1" +vm_machine_arch: "x86_64" \ No newline at end of file diff --git a/ansible/roles/k8s_vms/tasks/main.yml b/ansible/roles/k8s_vms/tasks/main.yml new file mode 100644 index 0000000..6418d8d --- /dev/null +++ b/ansible/roles/k8s_vms/tasks/main.yml 
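Review bot: The new `create the vms` play hands over directly to `python bootstrap` against `k8s`, but nothing in this hunk waits for the freshly defined guests to be reachable, and the `k8s_vms` role's own task list (further down in this diff) ends at `start vm` without a wait either, so the first SSH attempt after a cold boot will likely fail. Add a readiness gate before the `k8s` plays, for example a `pre_tasks` step in `python bootstrap` such as `ansible.builtin.wait_for: {host: "{{ ansible_host }}", port: 22, delay: 10}` with `delegate_to: localhost`. `wait_for_connection` is presumably not usable at that point because it exercises the `ping` module, which needs Python on the guest — the very thing this play installs — so verify before choosing it instead.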
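Review bot: `data_vhd_pool_dir:` with no value parses as null rather than an empty string, so any path built from it would render as `None/...`; give it an explicit value — `data_vhd_pool_dir: ""  # unset until the data disk task is enabled` — or drop the key while the `create data storage vhd` task stays commented out. This file and `tasks/main.yml` both end without a trailing newline (`\ No newline at end of file`), which yamllint flags and which turns the next append into a noisy two-line diff. The quoting of the number-looking values (`"16"`, `"01"`, `"pc-q35-7.1"`) is correct and worth keeping consistent as the role grows.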
@@ -0,0 +1,69 @@ +--- +- name: create k8s vms + with_items: "{{ vm_name_suffixes }}" + loop_control: + loop_var: vm_number + block: + + - name: create root vhd from template + ansible.builtin.shell: + cmd: | + qemu-img create \ + -b {{ root_vhd_pool_dir }}/{{ vhd_template }} \ + -F qcow2 \ + -f qcow2 \ + {{ root_vhd_pool_dir }}/{{ vm_name_prefix }}{{ vm_number }}_vda.qcow2 + creates: "{{ root_vhd_pool_dir }}/{{ vm_name_prefix }}{{ vm_number }}_vda.qcow2" + register: root_vhd_created + +# TODO check this template copy + - name: copy network files in + when: root_vhd_created is changed + ansible.builtin.template: + src: eno1.network.j2 + dest: /tmp/eno1_{{ vm_number }}.network + + - name: customize root vhd + when: root_vhd_created is changed + ansible.builtin.shell: +# TODO check virt customize command +# TODO select host vars for vm_number for password and ssh string + cmd: | + virt-customize -a {{ root_vhd_pool_dir }}/{{ vm_name_prefix }}{{ vm_number }}_vda.qcow2 \ + --format qcow2 \ + --hostname {{ vm_name_prefix }}{{ vm_number }}.{{ vm_domain }} \ + --copy-in /tmp/eno1_{{ vm_number }}.network:/etc/systemd/network/eno1.network \ + --append-line "/etc/hosts:127.0.1.1 {{ vm_name_prefix }}{{ vm_number }}.{{ vm_domain }} {{ vm_name_prefix }}{{ vm_number }}" + --password ladmin:password:{{ }} \ + --password-crypto sha512 \ + --ssh-inject 'ladmin:string:{{ }}' + + - name: create container storage vhd + ansible.builtin.shell: + cmd: | + qemu-img create -f qcow2 {{ root_vhd_pool_dir }}/{{ vm_name_prefix }}{{ vm_number }}_vdb.qcow2 64G + creates: "{{ root_vhd_pool_dir }}/{{ vm_name_prefix }}{{ vm_number }}_vdb.qcow2" + + # - name: create data storage vhd + # ansible.builtin.shell: + # cmd: | + # qemu-img create -f qcow2 {{ data_vhd_pool_dir }}/kube{{ vm_number }}_vdc.qcow2 4096G + # creates: "{{ data_vhd_pool_dir }}/kube{{ vm_number }}_vdc.qcow2" + + - name: list vms + community.libvirt.virt: + command: list + register: vm_list + + - name: define vm + 
community.libvirt.virt: + command: define + autostart: true + name: "{{ vm_name_prefix }}{{ vm_number }}" + xml: "{{ lookup('template', 'vm_template.xml.j2') }}" + when: not (vm_list contains {{ vm_name_prefix }}{{ vm_number }}) + + - name: start vm + community.libvirt.virt: + command: start + name: "{{ vm_name_prefix }}{{ vm_number }}" \ No newline at end of file diff --git a/ansible/roles/k8s_vms/templates/eno1.network.j2 b/ansible/roles/k8s_vms/templates/eno1.network.j2 new file mode 100644 index 0000000..7eaf4e3 --- /dev/null +++ b/ansible/roles/k8s_vms/templates/eno1.network.j2 @@ -0,0 +1,13 @@ +[Match] +MACAddress={{ vm_mac_prefix }}{{ vm_number }} + +[Address] +{{ vm_subnet_prefix }}{{ vm_number }}{{ vm_subnet_suffix }} + +[Route] +Gateway={{ vm_gateway }} + +[Network] +DHCP=no +DNS={{ vm_gateway }} +Domains={{ vm_domain }} diff --git a/ansible/roles/k8s_vms/templates/vm_template.xml.j2 b/ansible/roles/k8s_vms/templates/vm_template.xml.j2 new file mode 100644 index 0000000..9d2e6b9 --- /dev/null +++ b/ansible/roles/k8s_vms/templates/vm_template.xml.j2 @@ -0,0 +1,88 @@ + + {{ vm_name_prefix }}{{ vm_number }} + + + + + + {{ vm_memory }} + {{ vm_memory }} + {{ vm_cpu }} + + /machine + + + hvm + /usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd + {{ fw_vars_pool_dir }}/{{ vm_name_prefix }}{{ vm_number }}_VARS.fd + + + + + + + + + + + + + + + + + destroy + restart + destroy + + + + + + /usr/bin/qemu-system-x86_64 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
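Review bot: `with_items` and `loop_control` on the `block` at the top of `create k8s vms` will not run — Ansible does not allow loops on blocks — so every `vm_number` reference below it is unreachable; loop an `include_tasks` instead and move the per-VM tasks into their own file (sketch below; the tasks themselves move unchanged). Inside `customize root vhd` the `--append-line` line has no trailing `\`, so `--password ...` onwards is executed as a second command, and the empty `{{ }}` placeholders on the `--password` and `--ssh-inject` lines are Jinja syntax errors rather than undefined variables. When those placeholders are filled from host vars, mark the task `no_log: true` and prefer `--password ladmin:file:...` over placing the secret on the hypervisor's command line, where it is visible in the process table. The `when: not (vm_list contains {{ ... }})` on `define vm` is also broken: `when` is already a template, `contains` is not a Jinja test, and `command: list` does not appear to be a documented `community.libvirt.virt` command — `command: list_vms` with `when: (vm_name_prefix ~ vm_number) not in vm_list.list_vms` (verify the return key against the module docs) looks like the intent.
```yaml
- name: create k8s vms
  ansible.builtin.include_tasks: create_vm.yml
  loop: "{{ vm_name_suffixes }}"
  loop_control:
    loop_var: vm_number
# … unchanged: the tasks formerly inside the block, now in tasks/create_vm.yml …
```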
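Review bot: The `[Address]` section renders a bare `192.168.199.<nn>/24` line with no `Address=` key, which systemd-networkd will not accept as a setting; it should read `Address={{ vm_subnet_prefix }}{{ vm_number }}{{ vm_subnet_suffix }}`. The `MACAddress` match only works if it agrees with the MAC the libvirt domain template assigns from `vm_mac_prefix`, which this diff does not let me confirm because the domain XML hunk is garbled in this view.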
+ + +
+ + + + + + + + /dev/urandom + + +