feat(ansible): ansible 初步稳定

2026-02-10 10:25:28 +08:00
@@ -1,4 +1,4 @@
 ---
 - name: Apply sysctl
  ansible.builtin.command: sysctl --system
-
+  changed_when: true
@@ -19,28 +19,43 @@
    content: |
      net.ipv4.ip_forward = 1
      net.ipv6.conf.all.forwarding = 1
-    mode: '0644'
+    mode: "0644"
  notify: Apply sysctl

 - name: Install dependencies
  ansible.builtin.apt:
-    name: [curl, wget, ca-certificates]
+    name:
+      - curl
+      - wget
+      - ca-certificates
    state: present
-    update_cache: yes
+    update_cache: true

 - name: Check if Tailscale is installed
  ansible.builtin.command: which tailscale
-  register: tailscale_check
-  ignore_errors: yes
+  register: common_tailscale_check
+  failed_when: false
  changed_when: false

+- name: Download Tailscale install script
+  ansible.builtin.get_url:
+    url: https://tailscale.com/install.sh
+    dest: /tmp/tailscale-install.sh
+    mode: "0755"
+  when: common_tailscale_check.rc != 0
+
 - name: Install Tailscale
-  ansible.builtin.shell: curl -fsSL https://tailscale.com/install.sh | sh
-  when: tailscale_check.rc != 0
+  ansible.builtin.command: /tmp/tailscale-install.sh
+  when: common_tailscale_check.rc != 0
+  changed_when: true
+
+- name: Remove Tailscale install script
+  ansible.builtin.file:
+    path: /tmp/tailscale-install.sh
+    state: absent

 - name: Enable Tailscale service
  ansible.builtin.systemd:
    name: tailscaled
-    enabled: yes
+    enabled: true
    state: started
-
@@ -3,69 +3,84 @@
 - name: Validate TAILSCALE_AUTH_KEY
  ansible.builtin.fail:
    msg: "请设置环境变量: export TAILSCALE_AUTH_KEY='tskey-auth-xxx'"
-  when: tailscale_auth_key | length == 0
-
- name: Validate K3S_TOKEN for join nodes
-  ansible.builtin.fail:
-    msg: "请设置环境变量: export K3S_TOKEN='xxx'"
-  when:
-    - not (cluster_init | default(false))
-    - k3s_token | length == 0
+  when: (tailscale_auth_key | default('')) | length == 0

 - name: Create K3s config directory
  ansible.builtin.file:
    path: /etc/rancher/k3s
    state: directory
-    mode: '0755'
+    mode: "0755"

-# Server 节点配置
+# 部署配置文件
 - name: Deploy K3s server config
  ansible.builtin.template:
    src: k3s-server.yaml.j2
    dest: /etc/rancher/k3s/config.yaml
-    mode: '0600'
+    mode: "0600"
  when: "'masters' in group_names"

-# Agent 节点配置
 - name: Deploy K3s agent config
  ansible.builtin.template:
    src: k3s-agent.yaml.j2
    dest: /etc/rancher/k3s/config.yaml
-    mode: '0600'
+    mode: "0600"
  when: "'agents' in group_names"

-# 镜像加速配置
 - name: Deploy registries.yaml
  ansible.builtin.template:
    src: registries.yaml.j2
    dest: /etc/rancher/k3s/registries.yaml
-    mode: '0644'
+    mode: "0644"
  when: use_mirror | default(false)

-# 安装 K3s
- name: Set install URL
+# 设置安装变量
+- name: Set K3s install variables
  ansible.builtin.set_fact:
    k3s_install_url: "{{ mirror_k3s_install_url if (use_mirror | default(false)) else global_k3s_install_url }}"
    k3s_install_mirror: "{{ 'INSTALL_K3S_MIRROR=cn' if (use_mirror | default(false)) else '' }}"

+# 检查安装状态
 - name: Check if K3s is installed
  ansible.builtin.stat:
    path: /usr/local/bin/k3s
  register: k3s_binary

+# 下载安装脚本
+- name: Download K3s install script
+  ansible.builtin.get_url:
+    url: "{{ k3s_install_url }}"
+    dest: /tmp/k3s-install.sh
+    mode: "0755"
+  when: not k3s_binary.stat.exists
+
+# 安装 K3s
 - name: Install K3s server
-  ansible.builtin.shell: |
-    curl -sfL {{ k3s_install_url }} | {{ k3s_install_mirror }} INSTALL_K3S_VERSION={{ k3s_version }} sh -s - server
+  ansible.builtin.command:
+    cmd: /tmp/k3s-install.sh server
+  environment:
+    INSTALL_K3S_VERSION: "{{ k3s_version }}"
+    INSTALL_K3S_MIRROR: "{{ 'cn' if (use_mirror | default(false)) else '' }}"
  when:
    - "'masters' in group_names"
    - not k3s_binary.stat.exists
+  changed_when: true

 - name: Install K3s agent
-  ansible.builtin.shell: |
-    curl -sfL {{ k3s_install_url }} | {{ k3s_install_mirror }} INSTALL_K3S_VERSION={{ k3s_version }} sh -s - agent
+  ansible.builtin.command:
+    cmd: /tmp/k3s-install.sh agent
+  environment:
+    INSTALL_K3S_VERSION: "{{ k3s_version }}"
+    INSTALL_K3S_MIRROR: "{{ 'cn' if (use_mirror | default(false)) else '' }}"
  when:
    - "'agents' in group_names"
    - not k3s_binary.stat.exists
+  changed_when: true
+
+# 清理安装脚本
+- name: Remove install script
+  ansible.builtin.file:
+    path: /tmp/k3s-install.sh
+    state: absent

 # 等待 K3s 就绪 (仅 Server)
 - name: Wait for K3s server ready
@@ -74,30 +89,19 @@
    timeout: 120
  when: "'masters' in group_names"

-# 输出 Token (仅 cluster-init)
- name: Get node token
-  ansible.builtin.slurp:
-    src: /var/lib/rancher/k3s/server/node-token
-  register: node_token
-  when: cluster_init | default(false)
-
- name: Display node token
-  ansible.builtin.debug:
-    msg: |
-      ══════════════════════════════════════════════════════════════
-      K3S_TOKEN (用于添加新节点):
-      {{ node_token.content | b64decode | trim }}
-      
-      K3S_SERVER_URL:
-      https://{{ ansible_host }}:6443
-      ══════════════════════════════════════════════════════════════
-  when: cluster_init | default(false)
-
 # 保存 kubeconfig (仅 cluster-init)
 - name: Fetch kubeconfig
  ansible.builtin.fetch:
    src: /etc/rancher/k3s/k3s.yaml
    dest: "{{ playbook_dir }}/../kubeconfig.yaml"
-    flat: yes
+    flat: true
  when: cluster_init | default(false)

+- name: Update kubeconfig server address
+  ansible.builtin.replace:
+    path: "{{ playbook_dir }}/../kubeconfig.yaml"
+    regexp: 'server: https://127\.0\.0\.1:6443'
+    replace: "server: {{ ha_server_url if (ha_server_url | default('') | length > 0) else 'https://' + ansible_host + ':6443' }}"
+  delegate_to: localhost
+  become: false
+  when: cluster_init | default(false)
@@ -9,8 +9,14 @@ server: "{{ k3s_server_url }}"
 token: "{{ k3s_token }}"
 {% endif %}

+# TLS SAN: 包含 HA 地址 + 所有 master 节点地址
 tls-san:
-  - "{{ k3s_tls_san }}"
+{% if ha_server_url | default('') | length > 0 %}
+  - "{{ ha_server_url | regex_replace('^https?://([^:]+)(:[0-9]+)?$', '\\1') }}"
+{% endif %}
+{% for host in groups['masters'] %}
+  - "{{ hostvars[host].ansible_host }}"
+{% endfor %}

 # ETCD 快照配置
 etcd-snapshot-retention: {{ etcd_snapshot_retention }}
@@ -0,0 +1,21 @@
+---
+- name: Restart sshd
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted
+  listen: Restart sshd
+
+- name: Update ansible port
+  ansible.builtin.set_fact:
+    ansible_port: "{{ ssh_new_port }}"
+  listen: Update ansible port
+
+- name: Wait for new SSH port
+  ansible.builtin.wait_for:
+    port: "{{ ssh_new_port }}"
+    host: "{{ ansible_host }}"
+    delay: 5
+    timeout: 60
+  delegate_to: localhost
+  become: false
+  listen: Wait for new SSH port
@@ -5,7 +5,7 @@
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
-    mode: '0700'
+    mode: "0700"

 - name: Add SSH public key
  ansible.builtin.authorized_key:
@@ -17,35 +17,17 @@
  ansible.builtin.copy:
    src: /etc/ssh/sshd_config
    dest: /etc/ssh/sshd_config.bak
-    remote_src: yes
-    force: no
+    remote_src: true
+    force: false
+    mode: "0600"

 - name: Deploy secure sshd_config
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
-    mode: '0600'
-    validate: '/usr/sbin/sshd -t -f %s'
-  register: sshd_config
-
- name: Restart sshd service
-  ansible.builtin.systemd:
-    name: sshd
-    state: restarted
-  when: sshd_config.changed
-
- name: Update ansible_port to new SSH port
-  ansible.builtin.set_fact:
-    ansible_port: "{{ ssh_new_port }}"
-  when: sshd_config.changed
-
- name: Wait for SSH on new port
-  ansible.builtin.wait_for:
-    port: "{{ ssh_new_port }}"
-    host: "{{ ansible_host }}"
-    delay: 5
-    timeout: 60
-  delegate_to: localhost
-  become: no
-  when: sshd_config.changed
-
+    mode: "0600"
+    validate: "/usr/sbin/sshd -t -f %s"
+  notify:
+    - Restart sshd
+    - Update ansible port
+    - Wait for new SSH port