From cd6cb978c537ca04dc91f9bcf90a4eaa4c6d268b Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 29 Nov 2023 09:21:33 +0800
Subject: [PATCH] feat(hercules/kairos): working config w/ WG+nodeIP

---
 .../hercules/kairos/cloud-config.yaml | 45 ++++++++++++++++---
 .../clusters/hercules/kairos/secrets.sops.env | 13 +++---
 2 files changed, 45 insertions(+), 13 deletions(-)

diff --git a/kube/clusters/hercules/kairos/cloud-config.yaml b/kube/clusters/hercules/kairos/cloud-config.yaml
index c81a2d02..df5d47f5 100644
--- a/kube/clusters/hercules/kairos/cloud-config.yaml
+++ b/kube/clusters/hercules/kairos/cloud-config.yaml
@@ -1,4 +1,5 @@
 #cloud-config
+# This config is oriented entirely for use with a single node k3s cluster running on my OVH VPS, which will act as my homelab's ingress point, and to host some off-cluster stuff too.
 hostname: "hercules"
 users:
 - name: "jj"
@@ -39,7 +40,7 @@ kubevip:
 k3s:
 enabled: true
 replace_args: true
- args: ["--disable=flannel,traefik,servicelb,local-storage,metrics-server", "--flannel-backend=none", "--disable-network-policy", "--service-cidr 172.24.0.0/16", "--cluster-cidr 172.23.0.0/16", "--disable-cloud-controller", "--disable-kube-proxy", "--write-kubeconfig-mode 0644"]
+ args: ["--disable=flannel,traefik,servicelb,local-storage,metrics-server", "--flannel-backend=none", "--disable-network-policy", "--service-cidr 172.24.0.0/16", "--cluster-cidr 172.23.0.0/16", "--disable-cloud-controller", "--disable-kube-proxy", "--write-kubeconfig-mode 0644", "--node-ip ${SECRET_HERCULES_WG_ADDRESS_V4}"]
 stages:
 after-install-chroot: &apt
 - name: Install extra packages
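Review bot: The added `"--node-ip ${SECRET_HERCULES_WG_ADDRESS_V4}"` makes k3s depend on wg0 already holding that address when it starts, but nothing in the `k3s:` block orders it after `wg-quick@wg0.service`; the WireGuard unit is only enabled and started in the `boot` stage further down, so the first boot after install can race and the kubelet may come up with an address that does not yet exist. If Kairos starts k3s as a systemd unit, a drop-in for that unit with `After=wg-quick@wg0.service` and `Wants=wg-quick@wg0.service` would pin the order. The variable must also hold a bare address with no prefix length, since the wg0.conf hunk appends `/32` to the same `SECRET_HERCULES_WG_ADDRESS_V4`. Not new in this commit, but now that the host is the homelab's ingress point, the pre-existing `--write-kubeconfig-mode 0644` leaves the cluster-admin kubeconfig world-readable; `0600` with the `$KUBECONFIG` environment set later in this patch would be tighter.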
@@ -48,15 +49,30 @@ stages:
 - apt install -y wireguard-tools
 after-upgrade-chroot: *apt
 boot:
- - name: "1. Load WireGuard kernel module"
+ - name: "Setup sysctls to more aggressively use zram"
+ sysctl:
+ vm.vfs_cache_pressure: "500"
+ vm.swappiness: "180"
+ vm.dirty_background_ratio: "1"
+ vm.dirty_ratio: "50"
+ vm.watermark_scale_factor: "100"
+ vm.page-cluster: "0"
+ - name: "1. Load zram kernel module"
+ modules: ["zram"]
+ - name: "2. Configure zram swap"
+ commands:
+ - zramctl -f -s 2G -a lz4
+ - mkswap /dev/zram0
+ - swapon -d -p 1000 /dev/zram0
+ - name: "3. Load WireGuard kernel module"
 modules: ["wireguard"]
- - name: "2. Create WireGuard config folder"
+ - name: "4. Create WireGuard config folder"
 directories:
 - path: "/etc/wireguard"
 permissions: 0700
 owner: 0
 group: 0
- - name: "3. Install WireGuard config"
+ - name: "5. Install WireGuard config"
 files:
 - path: "/etc/wireguard/wg0.conf"
 permissions: 0700
@@ -65,7 +81,7 @@ stages:
 content: |
 [Interface]
 PrivateKey = ${SECRET_HERCULES_WG_PRIVKEY}
- Address = ${SECRET_HERCULES_WG_ADDRESS}
+ Address = ${SECRET_HERCULES_WG_ADDRESS_V4}/32, ${SECRET_HERCULES_WG_ADDRESS_V6}/128
 DNS = ${SECRET_HERCULES_WG_DNS}
 ListenPort = ${SECRET_HERCULES_WG_LISTEN}
 MTU = 1420
@@ -74,6 +90,21 @@ stages:
 PresharedKey = ${SECRET_HERCULES_WG_PEERPSK}
 AllowedIPs = ${SECRET_HERCULES_WG_ALLOWEDIPS}
 PersistentKeepalive = 15
- - name: "4. Enable wg0.conf"
+ - name: "6. Enable wg0.conf"
 systemctl:
- enable: ["wg-quick@wg0.service"]
+ enable: ["wg-quick@wg0.service"]
+ start: ["wg-quick@wg0.service"]
+ - name: "Setup $KUBECONFIG"
+ environment:
+ KUBECONFIG: "/etc/rancher/k3s/k3s.yaml"
+ - name: "Setup /etc/hosts"
+ files:
+ - path: "/etc/hosts"
+ permissions: 0644
+ owner: 0
+ group: 0
+ content: |
+ 127.0.0.1 localhost hercules
+ ${IP_ROUTER_VLAN_K8S_PREFIX}1 biohazard.mesh.cilium.io
+ ${IP_ROUTER_VLAN_K8S_PREFIX}2 biohazard.mesh.cilium.io
+ ${IP_ROUTER_VLAN_K8S_PREFIX}3 biohazard.mesh.cilium.io
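Review bot: The "2. Configure zram swap" commands hard-code `/dev/zram0` for `mkswap` and `swapon`, while `zramctl -f` allocates the first *free* device, so if any zram device already exists on the image (a distro zram-generator, or the stage running twice) the three commands silently diverge and swap lands on the wrong device or fails. Since `zramctl -f` prints the device it configured, capture it and use it for all three steps in one command, assuming Kairos runs `commands` through a shell: `- dev=$(zramctl -f -s 2G -a lz4) && mkswap "$dev" && swapon -d -p 1000 "$dev"`. The `vm.swappiness: "180"` value is only accepted on kernels that raised the ceiling above 100 (5.8+); on older kernels the sysctl stage will reject it, so worth a comment above that key noting the kernel requirement.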
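Review bot: The new "Setup /etc/hosts" file entry replaces the whole of `/etc/hosts` but only defines the IPv4 loopback, so the `::1 localhost` line and the `ip6-localhost`/`ip6-loopback` aliases that base images ship by default are dropped, right as this commit also gives the host an IPv6 WireGuard address; anything that resolves `localhost` over v6 will then fall back or fail. Add `::1 localhost ip6-localhost ip6-loopback hercules` after the `127.0.0.1 localhost hercules` line. The three `biohazard.mesh.cilium.io` entries on different `${IP_ROUTER_VLAN_K8S_PREFIX}` hosts are presumably intentional for the Cilium cluster mesh, but a comment on the stage (e.g. `# all three nodes answer for the mesh apiserver name; first address is tried first`) would stop the next reader from "fixing" it to a single entry. Also note that because the content is a `|` literal block, any trailing whitespace inside it becomes part of the file.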
diff --git a/kube/clusters/hercules/kairos/secrets.sops.env b/kube/clusters/hercules/kairos/secrets.sops.env
index 1e9c3da6..26e7482c 100644
--- a/kube/clusters/hercules/kairos/secrets.sops.env
+++ b/kube/clusters/hercules/kairos/secrets.sops.env
@@ -1,16 +1,17 @@
 SECRET_HERCULES_WG_PRIVKEY=ENC[AES256_GCM,data:tbeQdf3Dc4JL81tcCfKbQcXNpKgZrE1tsI0Joh3Uyrk0gpRjYZZYv0vgHBM=,iv:435QcjfiB5lkPZmBZf8w7DRAJD0zjmR6DRW/qdG6o8k=,tag:Y/Trzvavo/deU/C7bWhfxg==,type:str]
-SECRET_HERCULES_WG_ADDRESS=ENC[AES256_GCM,data:KVoNRos39x0VmcCFDuAY6+im/AR230U3m4NUZQ==,iv:4SUCWr3mgQJWRE2qKZK1iH58oujlQBew+fUxdHiqw0k=,tag:uWOiITmvn7CSJXTrtLH29w==,type:str]
+SECRET_HERCULES_WG_ADDRESS_V4=ENC[AES256_GCM,data:NA2oiQj7oLTO,iv:OdqpuZFxALVJz15ZgZdi0wavcus6NAxj8W8OkYMV0XM=,tag:GGLZ2YrWDgLXQegCOCEirw==,type:str]
+SECRET_HERCULES_WG_ADDRESS_V6=ENC[AES256_GCM,data:tCoDsG1bZMc7DQ==,iv:R8xnnDJk361ILT7gPZQM/6uSeqVId3sBTTBJdsgQhh0=,tag:YZ7Cctk/m+IdbJxu6SjjyQ==,type:str]
 SECRET_HERCULES_WG_DNS=ENC[AES256_GCM,data:nlHkJepNuPE=,iv:VnPm37xUbCVfN/3SCfEhQWoYznqSgJV5+o1Ijnm2+TY=,tag:nLekwxCtBpx8jICQxCxiBQ==,type:str]
 SECRET_HERCULES_WG_LISTEN=ENC[AES256_GCM,data:4MhwTQI=,iv:bKbdM2cAcymF7Fi6m9IXdYMtKgwQ+r58MHgg4twzlFI=,tag:0Yl6zl0Nsa0ZKJpMKnOCBQ==,type:str]
-SECRET_HERCULES_WG_PEERKEY=ENC[AES256_GCM,data:JxiAINVZ2M1b8dpmOcatXSv6dQFcGQvI0V6ClbQ8aK8Rj0fb2XZOesYSPQ0=,iv:fy/gGO6shUS0pMoF20SkHngd6fJjhf8a7vSiumPbCqM=,tag:WHTUswewN/UkiA9ojTHRdg==,type:str]
+SECRET_HERCULES_WG_PEERKEY=ENC[AES256_GCM,data:XVeT6M/qGuirKG77fz3jHJX8Um7wvRyShBAiaYTw3Z8kIAl6OeJ77ObCbLA=,iv:QMqVgiC4CGM7/LzlhilDjk0jC980dw7kZmrHQqUKJpo=,tag:vIAsC06T5RArSv8E4PWdig==,type:str]
 SECRET_HERCULES_WG_PEERPSK=ENC[AES256_GCM,data:rRSwU47diWgT7xtBJbax/4xKlRjHquz8xWsT87ojdaHPKb/FNLuv016qzJw=,iv:R6+MlqIyqerrEdbT+MM/v1j27mlTDHzEVzcpPLecUOw=,tag:qrI8a/O/rwtrDO0q54oXNw==,type:str]
 SECRET_HERCULES_WG_ALLOWEDIPS=ENC[AES256_GCM,data:wFN+8JfCd6nAf6YfxU8idRIECQi4GxHtXEns4wB7zpdyazvIILlzrLQDnXBN7BrEls+rMLbDkDeBM8Ca7V+HRlLVKMdDManLrKXHkUl+7+SYs+2AU+3phMopolrvjpcQqYRponlVIoW6Vo1MWTwo7t4vFe8v9CgHH2tj7wkQ0tAsTXg=,iv:a3awW73iMNpFmAh+EmQ8uRRMF5TTcvlrLvzw8U68ky0=,tag:tkuFQ1WQNk/9haRqccYHDg==,type:str]
 sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdA/k6vL+0d2JWBQ93Su/a6+M7AknpqOD0esx+eZNjJGyMw\njZPZczHcH+0TNY8aH+CuI/Vvb7Afju9jtsMn/J3w+wsaFvAiZ5ByLjAH7/1qr4AA\n0l4BNhy+mOUBqy/h3VJGXNQ/5Re1zknwiicF42EM6DAgVlMiGuCTeZufV//HO5zH\nzdoOpGucoYLwZDYvu6nYSgk13CA2rZUhjdG0a2qFWtoln5LzNPSlMC4hy7aKuu49\n=RJ7w\n-----END PGP MESSAGE-----\n
+sops_lastmodified=2023-11-25T17:10:54Z
+sops_mac=ENC[AES256_GCM,data:hT+hexuIV55WkSUOW30WQU1Jg8HRZpQTOWCcBPiQxcEwQ3WLZWgtYusTI62ggUpIrfqS+sT4HSz4k3uZb+p9rCv+DJb8a3xr3lkVRz9jZR1IzKY8GlDbfRu9nhuRbys1ORTFZPXKdDO7e6uUoVOzWtYruyfo+UNjV4D9EbDQb3I=,iv:p6D7keIrqfuhoHJ7bbyGn8htdtMKaJ/9BM12CXf2Ydw=,tag:oZXIwSpM9HTmnMwFwCFAJQ==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRnMxRnBsOElOSVRBY0dv\nK1JmTEM5L2FpT2pDRTVyNUo3M2p0V1lkc2pnCmFFb3hPaGdaaFo5alZRc04zVmFE\ndU1LU1pwclQ3YVVrVktwR0JjNGhucE0KLS0tIENiOHZ2ZndldEdzTE9id0hqRW8y\nbUFiSnhROEkxN0NOSWtub0pSRnU4YTgKhV0qtJe4OmmHAdUKggM1DQafXwsRBK7J\nWjb18TNPnxp0cPQaCit/keeOUzbgsj48twei51z+pLXCFPZjDsmn9Q==\n-----END AGE ENCRYPTED FILE-----\n
-sops_lastmodified=2023-10-15T11:08:09Z
-sops_pgp__list_0__map_created_at=2023-10-15T11:00:20Z
-sops_mac=ENC[AES256_GCM,data:dIqwPIc7KEFMUUvAZGMViHJ9qB/KJo2ILnXXr0hJrGlQMWVrW4I1bdJIriCFPgDRe+9GculyDxHqvByceBh+rnlsDwi+cUrZfmPf6pgsiIHVabNZzB5Ai69z5FMVxA/n3xjdU1t1Z95MmqOUI0bytBG24Ww5YBNaxinZrCHUVFU=,iv:4V7GSvnjWocjHaBonGJuJJ9qGKseA4/fawvuELtxe4Q=,tag:mHR9Yom7zb6++7V3nK6Urw==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.7.3
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdA/k6vL+0d2JWBQ93Su/a6+M7AknpqOD0esx+eZNjJGyMw\njZPZczHcH+0TNY8aH+CuI/Vvb7Afju9jtsMn/J3w+wsaFvAiZ5ByLjAH7/1qr4AA\n0l4BNhy+mOUBqy/h3VJGXNQ/5Re1zknwiicF42EM6DAgVlMiGuCTeZufV//HO5zH\nzdoOpGucoYLwZDYvu6nYSgk13CA2rZUhjdG0a2qFWtoln5LzNPSlMC4hy7aKuu49\n=RJ7w\n-----END PGP MESSAGE-----\n
 sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+sops_pgp__list_0__map_created_at=2023-10-15T11:00:20Z