[feature] rke2-node role: the basics

- Install `nfs-common` for the `mount.nfs4` binary
- Disable hardware UDP checksumming, re: flannel-io/flannel#1279
- Make `crictl` work (everywhere), as well as `kubectl` (on control plane nodes only)

roles/rke2-node/defaults/main.yml

@@ -0,0 +1,16 @@
+# The name of the main interface, to disable UDP checksums on. (See
+# ../tasks/no-hardware-udp-checksum.yml)
+rancher_rke2_main_network_interface: ens192
+
+# The RKE2 roles. You will probably want to set these separately for
+# each node (either explicitly as inventory vars, or using a Jinja
+# formula in the `vars:` stanza of the playbook)
+rancher_rke2_is_worker: true
+rancher_rke2_is_controlplane: true
+
+# True iff the Rancher server *doesn't* provide a globally-valid
+# TLS certificate:
+rancher_rke2_insecure: true
+
+# ansible_rancher_url doesn't have a default value and must be set; e.g.
+#ansible_rancher_url: https://rancher-fsd.epfl.ch

roles/rke2-node/tasks/interactive.yml

@@ -0,0 +1,22 @@
+- name: configure crictl for interactive use
+  ansible.builtin.blockinfile:
+    path: /root/.profile
+    marker: '# {mark} ANSIBLE MANAGED BLOCK - crictl'
+    block: |
+      export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
+      export CONTAINERD_ADDRESS=unix:///run/k3s/containerd/containerd.sock
+      export PATH=$PATH:/var/lib/rancher/rke2/bin
+
+# TODO: this assumes recent Ubuntu.
+- name: install kubectl
+  community.general.snap:
+    name: kubectl
+    classic: yes
+    channel: latest/stable
+
+- name: configure kubectl
+  ansible.builtin.blockinfile:
+    path: /root/.profile
+    marker: '# {mark} ANSIBLE MANAGED BLOCK - kubectl'
+    block: |
+      export KUBECONFIG=/etc/rancher/rke2/rke2.yaml

roles/rke2-node/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Interactive use / comfort features
+  tags:
+    - rke2-node
+    - rke2-node.interactive
+  include_tasks:
+    file: interactive.yml
+    apply:
+      tags:
+        - rke2-node
+        - rke2-node.interactive
+
+- name: VM platform-specific bugware
+  tags:
+    - rke2-node
+    - rke2-node.udp
+    - rke2-node.bugware
+  include_tasks:
+    file: no-hardware-udp-checksum.yml
+    apply:
+      tags:
+        - rke2-node
+        - rke2-node.udp
+        - rke2-node.bugware
+
+- name: Support for NFS volumes
+  ansible.builtin.apt:
+    name: nfs-common
+    state:
+      present

roles/rke2-node/tasks/no-hardware-udp-checksum.yml

@@ -0,0 +1,26 @@
+# Disable “hardware”-assisted UDP checksumming on VMware VMs to
+# work around https://github.com/flannel-io/flannel/issues/1279
+
+- name: udp-checksum-offload-disable.service definition
+  ansible.builtin.copy:
+    content: |
+      ; This file is maintained by Ansible
+      [Unit]
+      Description=Disable udp checksum offload
+      Before=rancher-system-agent.service
+      [Install]
+      WantedBy=rancher-system-agent.service
+      [Service]
+      Type=oneshot
+      RemainAfterExit=true
+      ExecStart=ethtool --offload  {{ rancher_rke2_main_network_interface }}  rx off  tx off
+    dest: /etc/systemd/system/udp-checksum-offload-disable.service
+  register: _ethtool_offload_systemd_definition_file
+
+- name: udp-checksum-offload-disable.service activation
+  ansible.builtin.systemd_service:
+    name: udp-checksum-offload-disable.service
+    state: started
+    enabled: true
+    daemon_reload: >
+      {{ _ethtool_offload_systemd_definition_file | default({}) is changed }}