feat(k3s): multi cluster setup (#1111)

Author: raisedadead

ansible/play-k3s--clickhouse.yml

@@ -0,0 +1,161 @@
+---
+# Prepare k3s cluster for ClickHouse deployment
+#
+# Applies:
+#   - sysctl tuning for ClickHouse performance
+#   - Storage symlink from DO Block Storage to /data/clickhouse
+#   - local-path provisioner config for /data/clickhouse
+#
+# Usage:
+#   ansible-playbook -i inventory/digitalocean.yml play-k3s--clickhouse.yml \
+#     -e variable_host=<group>
+#
+# Example:
+#   uv run ansible-playbook -i inventory/digitalocean.yml play-k3s--clickhouse.yml -e variable_host=logs_k3s
+
+
+# Play 1: Apply ClickHouse tuning to all nodes
+- name: ClickHouse - System tuning
+  hosts: '{{ variable_host }}'
+  gather_facts: true
+  become: true
+
+  tasks:
+    - name: Apply sysctl settings
+      ansible.posix.sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.value }}"
+        sysctl_set: true
+        reload: true
+      loop:
+        # Memory settings
+        - { key: vm.max_map_count, value: "262144" }
+        - { key: vm.swappiness, value: "1" }
+        - { key: vm.dirty_background_ratio, value: "5" }
+        - { key: vm.dirty_ratio, value: "10" }
+        # Network settings
+        - { key: net.core.somaxconn, value: "65535" }
+        - { key: net.core.netdev_max_backlog, value: "65535" }
+        - { key: net.ipv4.tcp_max_syn_backlog, value: "65535" }
+        - { key: net.ipv4.tcp_fin_timeout, value: "15" }
+        - { key: net.ipv4.tcp_keepalive_time, value: "300" }
+        - { key: net.ipv4.tcp_keepalive_intvl, value: "30" }
+        - { key: net.ipv4.tcp_keepalive_probes, value: "5" }
+
+    - name: Disable transparent huge pages
+      shell: |
+        echo never > /sys/kernel/mm/transparent_hugepage/enabled
+        echo never > /sys/kernel/mm/transparent_hugepage/defrag
+      changed_when: false
+
+    - name: Detect mounted block storage
+      shell: findmnt -rno TARGET -t ext4 | grep '/mnt' | head -1
+      register: storage_mount
+      changed_when: false
+      failed_when: false
+
+    - name: Fail if no block storage detected
+      fail:
+        msg: "No DO Block Storage found mounted at /mnt/*. Ensure volume is attached and mounted."
+      when: storage_mount.stdout | length == 0
+
+    - name: Verify mount is in fstab (persistent)
+      shell: grep -q "{{ storage_mount.stdout }}" /etc/fstab
+      register: fstab_check
+      changed_when: false
+      failed_when: false
+
+    - name: Warn if mount not in fstab
+      debug:
+        msg: "WARNING: {{ storage_mount.stdout }} not in fstab - mount may not survive reboot"
+      when: fstab_check.rc != 0
+
+    - name: Get block device for mount
+      shell: findmnt -rno SOURCE "{{ storage_mount.stdout }}"
+      register: block_device
+      changed_when: false
+
+    - name: Set I/O scheduler to none
+      shell: |
+        DEV=$(basename {{ block_device.stdout }} | sed 's/[0-9]*$//')
+        echo none > /sys/block/${DEV}/queue/scheduler 2>/dev/null || true
+      changed_when: false
+
+    - name: Make I/O scheduler persistent via udev rule
+      copy:
+        dest: /etc/udev/rules.d/60-clickhouse-scheduler.rules
+        content: |
+          # Set I/O scheduler to none for DO block storage (SSD)
+          ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="none"
+          ACTION=="add|change", KERNEL=="vd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="none"
+        mode: '0644'
+
+    - name: Make THP disable persistent
+      copy:
+        dest: /etc/systemd/system/disable-thp.service
+        content: |
+          [Unit]
+          Description=Disable Transparent Huge Pages
+          DefaultDependencies=no
+          After=sysinit.target local-fs.target
+          Before=basic.target
+
+          [Service]
+          Type=oneshot
+          ExecStart=/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'
+          ExecStart=/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/defrag'
+
+          [Install]
+          WantedBy=basic.target
+        mode: '0644'
+      register: thp_service
+
+    - name: Enable THP disable service
+      systemd:
+        name: disable-thp
+        enabled: true
+        daemon_reload: "{{ thp_service.changed }}"
+
+    - name: Create /data directory
+      file:
+        path: /data
+        state: directory
+        mode: '0755'
+
+    - name: Create storage symlink
+      file:
+        src: "{{ storage_mount.stdout }}"
+        dest: /data/clickhouse
+        state: link
+        force: true
+
+
+# Play 2: Configure local-path provisioner for ClickHouse storage (runs on first server only)
+- name: ClickHouse - Storage provisioner
+  hosts: '{{ variable_host }}[0]'
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: Update local-path provisioner config
+      shell: |
+        k3s kubectl patch configmap local-path-config -n kube-system --type merge \
+          -p '{"data":{"config.json":"{\"nodePathMap\":[{\"node\":\"DEFAULT_PATH_FOR_NON_LISTED_NODES\",\"paths\":[\"/data/clickhouse\"]}]}"}}'
+      register: patch_result
+      changed_when: "'patched' in patch_result.stdout"
+
+    - name: Restart local-path provisioner
+      command: k3s kubectl rollout restart deployment local-path-provisioner -n kube-system
+
+    - name: Wait for rollout
+      command: k3s kubectl rollout status deployment local-path-provisioner -n kube-system --timeout=60s
+      changed_when: false
+
+    - name: Verify config
+      command: k3s kubectl get configmap local-path-config -n kube-system -o jsonpath='{.data.config\.json}'
+      register: config
+      changed_when: false
+
+    - name: Display
+      debug:
+        msg: "local-path provisioner configured: {{ config.stdout }}"

ansible/play-k3s--cluster.yml

@@ -0,0 +1,125 @@
+---
+# Deploy k3s HA cluster with Traefik + Gateway API
+#
+# Prerequisites (manual):
+#   - 3x Ubuntu VMs on DigitalOcean with VPC attached (eth1)
+#   - Tailscale installed and connected on all nodes
+#   - DO Load Balancer: HTTP:80->30080, HTTPS:443->30443 (TLS passthrough)
+#   - DO Firewall configured
+#
+# Usage:
+#   ansible-playbook -i inventory/digitalocean.yml play-k3s--cluster.yml \
+#     -e variable_host=<group>
+#
+# Examples:
+#   ansible-playbook -i inventory/digitalocean.yml play-k3s--cluster.yml \
+#     -e variable_host=tools_k3s
+
+
+# Play 1: Validate and Prepare
+- name: K3s - Validate Prerequisites
+  hosts: '{{ variable_host }}'
+  gather_facts: true
+  become: true
+
+  tasks:
+    - name: Validate VPC interface exists (eth1)
+      assert:
+        that:
+          - ansible_eth1 is defined
+          - ansible_eth1.ipv4 is defined
+          - ansible_eth1.ipv4.address is defined
+        fail_msg: "VPC interface eth1 not found. Ensure VM is attached to DO VPC."
+
+    - name: Validate Tailscale is connected
+      assert:
+        that:
+          - ansible_tailscale0 is defined
+          - ansible_tailscale0.ipv4 is defined
+          - ansible_tailscale0.ipv4.address is defined
+        fail_msg: "Tailscale interface not found. Ensure Tailscale is installed and connected."
+
+    - name: Validate VPC IP is in expected range
+      assert:
+        that:
+          - ansible_eth1.ipv4.address | regex_search('^10\\.')
+        fail_msg: "VPC IP {{ ansible_eth1.ipv4.address }} not in 10.x.x.x range."
+
+    - name: Set network facts
+      set_fact:
+        vpc_ip: "{{ ansible_eth1.ipv4.address }}"
+        tailscale_ip: "{{ ansible_tailscale0.ipv4.address }}"
+
+    - name: Display network configuration
+      debug:
+        msg: "{{ inventory_hostname }}: VPC={{ vpc_ip }}, Tailscale={{ tailscale_ip }}"
+
+    - name: Build k3s_cluster group
+      group_by:
+        key: k3s_cluster
+
+    - name: Build server group
+      group_by:
+        key: server
+
+
+# Play 2: System Prerequisites
+- name: K3s - System Prerequisites
+  hosts: k3s_cluster
+  gather_facts: true
+  become: true
+  roles:
+    - role: k3s.orchestration.prereq
+
+
+# Play 3: Deploy k3s Servers
+- name: K3s - Deploy Cluster
+  hosts: server
+  gather_facts: true
+  become: true
+  vars:
+    k3s_version: v1.32.11+k3s1
+    api_endpoint: "{{ hostvars[groups['server'][0]]['vpc_ip'] }}"
+    extra_server_args: >-
+      --node-ip={{ hostvars[inventory_hostname]['vpc_ip'] }}
+      --advertise-address={{ hostvars[inventory_hostname]['vpc_ip'] }}
+      --flannel-iface=eth1
+      --tls-san={{ hostvars[inventory_hostname]['vpc_ip'] }}
+      --tls-san={{ hostvars[inventory_hostname]['tailscale_ip'] }}
+    server_group: server
+  roles:
+    - role: k3s.orchestration.k3s_server
+
+
+# Play 4: Configure Ingress
+- name: K3s - Configure Traefik and Gateway API
+  hosts: server[0]
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: Apply Traefik HelmChartConfig
+      copy:
+        src: "{{ playbook_dir }}/../k3s/shared/traefik-config.yaml"
+        dest: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
+        mode: '0600'
+
+    - name: Install Gateway API CRDs
+      command: >
+        k3s kubectl apply -f
+        https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+      register: gateway_result
+      changed_when: "'created' in gateway_result.stdout or 'configured' in gateway_result.stdout"
+
+    - name: Wait for all nodes ready
+      command: k3s kubectl wait --for=condition=Ready nodes --all --timeout=300s
+      changed_when: false
+
+    - name: Display cluster status
+      command: k3s kubectl get nodes -o wide
+      register: cluster_status
+      changed_when: false
+
+    - name: Cluster ready
+      debug:
+        msg: "{{ cluster_status.stdout_lines }}"

ansible/play-k3s--longhorn.yml

@@ -0,0 +1,99 @@
+---
+# Install Longhorn distributed storage on k3s cluster
+#
+# For clusters running apps without built-in replication (Appsmith, Outline, etc.)
+# Provides: replicated volumes, snapshots, backups
+#
+# Usage:
+#   ansible-playbook -i inventory/digitalocean.yml play-k3s--longhorn.yml \
+#     -e variable_host=<group>
+#
+# Example:
+#   ansible-playbook -i inventory/digitalocean.yml play-k3s--longhorn.yml \
+#     -e variable_host=k3s_tools
+
+
+# Play 1: Install Longhorn prerequisites on all nodes
+- name: Longhorn - Prerequisites
+  hosts: '{{ variable_host }}'
+  gather_facts: true
+  become: true
+
+  tasks:
+    - name: Install required packages
+      apt:
+        name:
+          - open-iscsi
+          - nfs-common
+        state: present
+        update_cache: true
+
+    - name: Enable and start iscsid
+      systemd:
+        name: iscsid
+        enabled: true
+        state: started
+
+
+# Play 2: Deploy Longhorn via k3s HelmChart (runs on first server only)
+- name: Longhorn - Deploy
+  hosts: '{{ variable_host }}[0]'
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: Deploy Longhorn HelmChart
+      copy:
+        dest: /var/lib/rancher/k3s/server/manifests/longhorn.yaml
+        content: |
+          apiVersion: helm.cattle.io/v1
+          kind: HelmChart
+          metadata:
+            name: longhorn
+            namespace: default
+          spec:
+            chart: longhorn
+            repo: https://charts.longhorn.io
+            version: 1.10.1
+            targetNamespace: longhorn-system
+            createNamespace: true
+            failurePolicy: abort
+            valuesContent: |-
+              persistence:
+                defaultClassReplicaCount: 2
+              defaultSettings:
+                defaultReplicaCount: 2
+                storageMinimalAvailablePercentage: 15
+                storageOverProvisioningPercentage: 100
+        mode: '0600'
+
+    - name: Wait for Longhorn namespace
+      command: k3s kubectl get namespace longhorn-system
+      register: ns_check
+      until: ns_check.rc == 0
+      retries: 30
+      delay: 10
+      changed_when: false
+
+    - name: Wait for Longhorn manager
+      command: >
+        k3s kubectl -n longhorn-system wait --for=condition=Available
+        deployment/longhorn-driver-deployer --timeout=300s
+      changed_when: false
+
+    - name: Verify StorageClass
+      command: k3s kubectl get storageclass longhorn
+      register: sc_check
+      until: sc_check.rc == 0
+      retries: 12
+      delay: 10
+      changed_when: false
+
+    - name: Get Longhorn status
+      command: k3s kubectl -n longhorn-system get pods
+      register: status
+      changed_when: false
+
+    - name: Display
+      debug:
+        msg: "{{ status.stdout_lines }}"