diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
index 8eedc27..92043f7 100644
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@@ -2,10 +2,11 @@
 ---
 all:
   vars:
-    # SSH 配置 (初始连接使用密码)
+    # SSH 配置
     ansible_user: root
-    ansible_port: 2103
-    ansible_password: "{{ lookup('env', 'SSH_PASSWORD') }}"
+    # 默认端口,首次安装时使用22,后续会被动态覆盖
+    ansible_port: 22
+    ansible_password: "{{ lookup('env', 'SSH_PASSWORD') | default(omit, true) }}"
 
     # SSH 安全配置
     ssh_new_port: 2103
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index a3f9c11..a1219b5 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -1,13 +1,20 @@
 # K3s 集群安装 Playbook
 ---
-- name: Validate environment
-  hosts: localhost
+# ============================================
+# 阶段 0: 提前检测 检测环境变量和 SSH 端口
+# ============================================
+- name: Pre-check Environment and SSH Port
+  hosts: k3s_cluster
   gather_facts: false
+  tags: [always]
   tasks:
+    # 环境验证 (run_once 确保只执行一次)
     - name: Check TAILSCALE_AUTH_KEY
       ansible.builtin.fail:
         msg: "请设置: export TAILSCALE_AUTH_KEY='tskey-auth-xxx'"
       when: lookup('env', 'TAILSCALE_AUTH_KEY') | length == 0
+      run_once: true
+      delegate_to: localhost
 
     - name: Check SSH credentials
       ansible.builtin.debug:
@@ -17,6 +24,28 @@
           {% else %}
           ✓ 使用密钥登录
           {% endif %}
+      run_once: true
+      delegate_to: localhost
+
+    # SSH 端口探测
+    - name: Try new SSH port ({{ ssh_new_port }})
+      ansible.builtin.wait_for:
+        host: "{{ ansible_host }}"
+        port: "{{ ssh_new_port }}"
+        timeout: 3
+      delegate_to: localhost
+      become: false
+      register: new_port_check
+      ignore_errors: true
+
+    - name: Set SSH port based on availability
+      ansible.builtin.set_fact:
+        ansible_port: "{{ ssh_new_port if new_port_check is succeeded else 22 }}"
+
+    - name: Display detected SSH port
+      ansible.builtin.debug:
+        msg: "{{ inventory_hostname }}: 使用端口 {{ ansible_port }}"
+      when: ansible_verbosity > 0
 
 # ============================================
 # 阶段 1: SSH 安全加固 (可选,首次安装时使用)
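Review bot: `ansible_password: "{{ lookup('env', 'SSH_PASSWORD') | default(omit, true) }}"` uses `omit` in a connection variable, but `omit` is documented for module arguments; whether the connection plugin drops the placeholder rather than offering it as a literal password should be confirmed with a run that has SSH_PASSWORD unset (`-vvv` shows the authentication path taken). The new default `ansible_port: 22` is only corrected by the probe play in site.yml, so any ad-hoc command or other playbook that uses this inventory will target port 22 on hosts already moved to `ssh_new_port`. The comment above it should say so, e.g. `# default 22; site.yml phase 0 probes ssh_new_port and overrides ansible_port — other playbooks and ad-hoc runs do not`.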
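Review bot: With the play now tagged `tags: [always]`, the `Check TAILSCALE_AUTH_KEY` fail task inherits that tag and aborts every tagged run (for example an SSH-hardening-only run with `--tags`) when the key is unset, although only the Tailscale stage needs it; before this change a tagged run simply skipped the `Validate environment` play. Give that task the tag the Tailscale stage uses (not visible in this hunk), e.g. `tags: [<tailscale-stage-tag>]`, so that `always` effectively applies only to the port probe, or gate the `when` on `ansible_run_tags` as well. The play's task list continues in the next hunk.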
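Review bot: The fallback in `ansible_port: "{{ ssh_new_port if new_port_check is succeeded else 22 }}"` silently moves a host back to port 22 whenever the 3-second TCP probe fails, including a transient timeout against an already-hardened host, and the only trace is `Display detected SSH port`, which is gated by `when: ansible_verbosity > 0`. Since known_hosts entries are per host:port, a switch to 22 is also verified against a different entry than the hardened port, so the chosen port should be visible in the default output: drop that `when`, or keep the task quiet and report only the downgrade with `when: new_port_check is not succeeded`. Consider probing port 22 as well and failing the play when neither port answers, so a firewall or network problem surfaces here rather than later as an unreachable host.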
@@ -51,8 +80,9 @@
       when: cluster_init | default(false)
 
 - name: Fetch K3S_TOKEN & K3S_SERVER_URL from init node
-  hosts: localhost
+  hosts: k3s_cluster
   gather_facts: false
+  run_once: true
   tags: [k3s]
   tasks:
     - name: Find init node
@@ -61,24 +91,40 @@
       loop: "{{ groups['masters'] }}"
       when: hostvars[item].cluster_init | default(false)
 
+    - name: Detect init node SSH port
+      ansible.builtin.wait_for:
+        host: "{{ hostvars[init_node].ansible_host }}"
+        port: "{{ ssh_new_port }}"
+        timeout: 3
+      delegate_to: localhost
+      become: false
+      register: init_node_port_check
+      ignore_errors: true
+
+    - name: Set init node SSH port
+      ansible.builtin.set_fact:
+        init_node_port: "{{ ssh_new_port if init_node_port_check is succeeded else 22 }}"
+
     - name: Read K3S_TOKEN from init node
       ansible.builtin.slurp:
         src: /var/lib/rancher/k3s/server/node-token
       register: k3s_token_content
       delegate_to: "{{ init_node }}"
+      vars:
+        ansible_port: "{{ hostvars[inventory_hostname].init_node_port }}"
 
     - name: Determine K3S_SERVER_URL
       ansible.builtin.set_fact:
         # 优先使用 HA_SERVER_URL 环境变量,否则使用 init 节点地址
         k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else 'https://' + hostvars[init_node].ansible_host + ':6443' }}"
 
-    - name: Set K3S_TOKEN and K3S_SERVER_URL for all hosts
+    - name: Set K3S_TOKEN and K3S_SERVER_URL for target hosts
       ansible.builtin.set_fact:
         k3s_token: "{{ k3s_token_content.content | b64decode | trim }}"
         k3s_server_url: "{{ k3s_server_url }}"
       delegate_to: "{{ item }}"
       delegate_facts: true
-      loop: "{{ groups['k3s_cluster'] }}"
+      loop: "{{ ansible_play_hosts }}"
 
 - name: Install K3s on other masters
   hosts: masters
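Review bot: `run_once: true` at play level is undocumented, and the tasks in the next hunk (the `delegate_to: "{{ init_node }}"` read and the loop that distributes the token) depend on `init_node` being defined on every host, which only holds because Ansible propagates `set_fact` results of a run_once task to all hosts in the play. A comment above it such as `# run_once: tasks execute on the first play host; set_fact results are copied to every host in the play` would make that dependency explicit for the next maintainer. The play's task list continues in the next hunk.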
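Review bot: `Detect init node SSH port` and `Set init node SSH port` repeat the probe that phase 0 (tagged `always`) already ran for the init node, and the override `ansible_port: "{{ hostvars[inventory_hostname].init_node_port }}"` then supplies a value that delegation to `init_node` would presumably take from that host's own `ansible_port` fact; if the duplicate is kept so this play does not depend on phase 0, `ansible_port: "{{ hostvars[init_node].ansible_port | default(22) }}"` is simpler than a second wait_for. Separately, the node token read by the slurp and decoded in `Set K3S_TOKEN and K3S_SERVER_URL for target hosts` is the cluster join secret: the registered slurp result and the set_fact result (including the decoded value, now once per item of `loop: "{{ ansible_play_hosts }}"`) are printed at `-v`, so both tasks should carry `no_log: true`.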