k3s/ansible/playbooks/site.yml

# K3s 集群安装 Playbook
---
# ============================================
# 阶段 0: 提前检测 检测环境变量和 SSH 端口
# ============================================
- name: Pre-check Environment and SSH Port
  hosts: k3s_cluster
  gather_facts: false
  tags: [always]
  tasks:
    # 环境验证 (run_once 确保只执行一次)
    - name: Check TAILSCALE_AUTH_KEY
      ansible.builtin.fail:
        msg: "请设置: export TAILSCALE_AUTH_KEY='tskey-auth-xxx'"
      when: lookup('env', 'TAILSCALE_AUTH_KEY') | length == 0
      run_once: true
      delegate_to: localhost

    - name: Check SSH credentials
      ansible.builtin.debug:
        msg: |
          {% if lookup('env', 'SSH_PASSWORD') | length > 0 %}
          ✓ 优先使用密码登录
          {% else %}
          ✓ 使用密钥登录
          {% endif %}
      run_once: true
      delegate_to: localhost

    # SSH 端口探测
    - name: Try new SSH port ({{ ssh_new_port }})
      ansible.builtin.wait_for:
        host: "{{ ansible_host }}"
        port: "{{ ssh_new_port }}"
        timeout: 3
      delegate_to: localhost
      become: false
      register: new_port_check
      ignore_errors: true

    - name: Set SSH port based on availability
      ansible.builtin.set_fact:
        ansible_port: "{{ ssh_new_port if new_port_check is succeeded else 22 }}"

    - name: Display detected SSH port
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: 使用端口 {{ ansible_port }}"
      when: ansible_verbosity > 0

# ============================================
# 阶段 1: SSH 安全加固 (可选，首次安装时使用)
# ============================================
- name: SSH Security Hardening
  hosts: k3s_cluster
  gather_facts: false
  tags: [ssh, never]
  roles:
    - ssh

# ============================================
# 阶段 2: 基础配置
# ============================================
- name: Common Setup
  hosts: k3s_cluster
  gather_facts: true
  tags: [common]
  roles:
    - common

# ============================================
# 阶段 3: 安装 K3s (按顺序: init -> masters -> agents)
# ============================================
- name: Install K3s on init node
  hosts: masters
  gather_facts: true
  serial: 1
  tags: [k3s]
  roles:
    - role: k3s
      when: cluster_init | default(false)

- name: Fetch K3S_TOKEN & K3S_SERVER_URL from init node
  hosts: k3s_cluster
  gather_facts: false
  run_once: true
  tags: [k3s]
  tasks:
    - name: Find init node
      ansible.builtin.set_fact:
        init_node: "{{ item }}"
      loop: "{{ groups['masters'] }}"
      when: hostvars[item].cluster_init | default(false)

    - name: Detect init node SSH port
      ansible.builtin.wait_for:
        host: "{{ hostvars[init_node].ansible_host }}"
        port: "{{ ssh_new_port }}"
        timeout: 3
      delegate_to: localhost
      become: false
      register: init_node_port_check
      ignore_errors: true

    - name: Set init node SSH port
      ansible.builtin.set_fact:
        init_node_port: "{{ ssh_new_port if init_node_port_check is succeeded else 22 }}"

    - name: Read K3S_TOKEN from init node
      ansible.builtin.slurp:
        src: /var/lib/rancher/k3s/server/node-token
      register: k3s_token_content
      delegate_to: "{{ init_node }}"
      vars:
        ansible_port: "{{ hostvars[inventory_hostname].init_node_port }}"

    - name: Determine K3S_SERVER_URL
      ansible.builtin.set_fact:
        # 优先使用 HA_SERVER_URL 环境变量，否则使用 init 节点地址
        k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else 'https://' + hostvars[init_node].ansible_host + ':6443' }}"

    - name: Set K3S_TOKEN and K3S_SERVER_URL for target hosts
      ansible.builtin.set_fact:
        k3s_token: "{{ k3s_token_content.content | b64decode | trim }}"
        k3s_server_url: "{{ k3s_server_url }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      loop: "{{ ansible_play_hosts }}"

- name: Install K3s on other masters
  hosts: masters
  gather_facts: true
  serial: 1
  tags: [k3s]
  roles:
    - role: k3s
      when: not (cluster_init | default(false))

- name: Install K3s on agents
  hosts: agents
  gather_facts: true
  tags: [k3s]
  roles:
    - k3s

# ============================================
# 阶段 4: 显示集群状态
# ============================================
- name: Show cluster status
  hosts: masters
  gather_facts: false
  tags: [status]
  run_once: true
  tasks:
    - name: Get nodes
      ansible.builtin.command: kubectl get nodes -o wide
      environment:
        KUBECONFIG: /etc/rancher/k3s/k3s.yaml
      register: nodes
      changed_when: false
      when: cluster_init | default(false)

    - name: Display nodes
      ansible.builtin.debug:
        msg: |
          ══════════════════════════════════════════════════════════════
          K3s 集群节点:
          {{ nodes.stdout }}
          ══════════════════════════════════════════════════════════════
      when: cluster_init | default(false)