Lots of changes

This commit is contained in:
Eric Meehan 2025-05-10 12:44:08 -04:00
parent 247da412ff
commit 44bc9e4f25
11 changed files with 383 additions and 38 deletions


@ -0,0 +1,36 @@
---
# tasks file for wordpress
- name: Deploy Wordpress
kubernetes.core.helm:
name: bridgegate-kitchen
chart_ref: bitnami/wordpress
release_namespace: bridgegate-kitchen
create_namespace: true
values:
resourcesPreset: small
wordpressUsername: wordpress_admin
wordpressPassword: "{{ wordpress_admin_password }}"
wordpressEmail: wordpress@eom.dev
wordpressFirstName: Administrator
wordpressLastName: Wordpress
wordpressBlogName: Bridgegate Kitchen
wordpressScheme: https
service:
type: ClusterIP
ingress:
enabled: true
ingressClassName: nginx
hostname: bridgegate-kitchen.eom.dev
annotations:
cert-manager.io/cluster-issuer: ca-issuer
tls: true
persistence:
enabled: true
size: 128Gi
mariadb:
enabled: true
auth:
password: "{{ wordpress_admin_password }}"
primary:
persistence:
size: 256Gi
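Review bot: The same `wordpress_admin_password` variable is used both as `wordpressPassword` and as `mariadb.auth.password`, so the WordPress admin login and the database credential are a single secret and a compromise of either exposes the other. Give the database its own variable, e.g. `password: "{{ wordpress_db_password }}"` (variable name constructed). The `kubernetes.core.helm` task also carries no `no_log: true`, so a failed run can echo the rendered values, password included, into the Ansible log; add `no_log: true` at task level next to `name: Deploy Wordpress`.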


@ -17,28 +17,83 @@
release_namespace: coturn
create_namespace: true
values:
service:
type: LoadBalancer
externalTrafficPolicy: Local
certificate:
enabled: true
host: coturn.eom.dev
issuer: ca-issuer
uris:
- turns:coturn.eom.dev?transport=udp
allowGuests: true
issuerName: ca-issuer
sharedSecret: "{{ coturn_shared_secret }}"
service:
type: NodePort
image:
tag: latest
pullPolicy: Always
externalDatabase:
enabled: true
postgresql:
enabled: false
enabled: true
global:
postgresql:
auth:
password: "{{ coturn_admin_password }}"
primary:
initdb:
scripts:
schema.sql: |
CREATE TABLE turnusers_lt (
realm varchar(127) default '',
name varchar(512),
hmackey char(128),
PRIMARY KEY (realm,name)
);
CREATE TABLE turn_secret (
realm varchar(127) default '',
value varchar(256),
primary key (realm,value)
);
CREATE TABLE allowed_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE denied_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE turn_origin_to_realm (
origin varchar(127),
realm varchar(127),
primary key (origin)
);
CREATE TABLE turn_realm_option (
realm varchar(127) default '',
opt varchar(32),
value varchar(128),
primary key (realm,opt)
);
CREATE TABLE oauth_key (
kid varchar(128),
ikm_key varchar(256),
timestamp bigint default 0,
lifetime integer default 0,
as_rs_alg varchar(64) default '',
realm varchar(127),
primary key (kid)
);
CREATE TABLE admin_user (
name varchar(32),
realm varchar(127),
password varchar(127),
primary key (name)
);
persistence:
size: 256Gi
coturn:
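Review bot: `image.tag: latest` together with `pullPolicy: Always` means every pod restart pulls whatever the registry currently serves as `latest`, so the running coturn version is neither pinned nor reviewable from this file; pin a version tag (and ideally a digest), e.g. `tag: "<pinned coturn version>"` (placeholder). The rendered page has dropped indentation, so I cannot tell whether the two `service:` mappings (`type: LoadBalancer` and `type: NodePort`) and the `enabled: false` / `enabled: true` pair under `postgresql:` are siblings; if they are, YAML silently keeps the last value, so the file is worth checking. If `allowGuests: true` permits unauthenticated use of the relay, add a comment stating that this is intended, since a TURN relay open to guests can be used by anyone who can reach it.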


@ -21,7 +21,9 @@
user: "discourse"
password: "{{ discourse_admin_password }}"
image:
debug: true
debug: false
service:
externalTrafficPolicy: Local
discourse:
skipInstall: false
plugins:
@ -30,6 +32,9 @@
- https://github.com/discourse/discourse-activity-pub
- https://github.com/discourse/discourse-openid-connect
- https://github.com/jonmbake/discourse-ldap-auth
- https://github.com/discourse/discourse-post-voting
- https://github.com/discourse/discourse-prometheus
- https://github.com/discourse/discourse-reactions
command:
- /bin/bash
args:


@ -10,6 +10,7 @@
service:
main:
type: LoadBalancer
externalTrafficPolicy: Local
workload:
main:
podSpec:


@ -42,6 +42,22 @@
name: ca-issuer
kind: ClusterIssuer
- name: Create a persistent volume claim for mail
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: config
namespace: mail
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
- name: Create a persistent volume claim for mail
k8s:
state: present
@ -79,7 +95,38 @@
containers:
- name: mail
image: mailserver/docker-mailserver
securityContext:
# `allowPrivilegeEscalation: true` is required to support SGID via the `postdrop`
# executable in `/var/mail-state` for Postfix (maildrop + public dirs):
# https://github.com/docker-mailserver/docker-mailserver/pull/3625
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: false
capabilities:
add:
# file permission capabilities
- CHOWN
- FOWNER
- MKNOD
- SETGID
- SETUID
- DAC_OVERRIDE
# network capabilities
- NET_ADMIN # needed for F2B
- NET_RAW # needed for F2B
- NET_BIND_SERVICE
# miscellaneous capabilities
- SYS_CHROOT
- KILL
drop: [ALL]
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: config
mountPath: /tmp/docker-mailserver
- name: ssl
mountPath: /etc/letsencrypt
- name: mail
@ -145,6 +192,9 @@
- name: ssl
secret:
secretName: mail
- name: config
persistentVolumeClaim:
claimName: config
- name: mail
persistentVolumeClaim:
claimName: mail
@ -172,3 +222,4 @@
- port: 995
name: pop3
type: LoadBalancer
externalTrafficPolicy: Local
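Review bot: The new `securityContext` runs the mail container as uid 0 and adds `DAC_OVERRIDE`, `SYS_CHROOT`, `NET_ADMIN` and `NET_RAW` back after `drop: [ALL]`; the comments say the two network capabilities are only "needed for F2B", but nothing in the hunk shows Fail2Ban being enabled, so they widen the container's kernel surface for no visible benefit. If Fail2Ban is not configured for this deployment, remove those two entries; if it is, reference the enabling setting in the comment, e.g. `# needed for F2B (enabled via ENABLE_FAIL2BAN)` if that is the knob in use. Two tasks are also both named `Create a persistent volume claim for mail`, which makes play output ambiguous; rename the first to `- name: Create a persistent volume claim for mail config`.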


@ -3,4 +3,4 @@
- name: Deploy
include_tasks: "{{ item }}"
loop:
- luanti.yaml
- mail.yaml


@ -36,7 +36,7 @@
enabled: true
host: eom.dev
oidc:
enabled: false
enabled: true
providers:
- idp_id: github
idp_name: Github
@ -155,32 +155,88 @@
cert-manager.io/cluster-issuer: ca-issuer
coturn:
enabled: false
external: true
uris:
- turns:coturn.eom.dev?transport=udp
- turns:coturn.eom.dev?transport=tcp
allowGuests: false
sharedSecret: "{{ coturn_shared_secret }}"
service:
type: LoadBalancer
externalTrafficPolicy: Local
certificate:
enabled: true
host: coturn.eom.dev
issuer: ca-issuer
uris:
- turn:coturn.eom.dev?transport=udp
allowGuests: true
service:
type: NodePort
issuerName: ca-issuer
image:
tag: latest
pullPolicy: IfNotPresent
pullPolicy: Always
externalDatabase:
enabled: true
hostname: matrix-postgresql
username: matrix
password: "{{ matrix_admin_password }}"
database: coturn
postgresql:
enabled: false
nameOverride: matrix-coturn-postgresql
enabled: true
global:
postgresql:
auth:
password: "{{ coturn_admin_password }}"
primary:
initdb:
scripts:
schema.sql: |
CREATE TABLE turnusers_lt (
realm varchar(127) default '',
name varchar(512),
hmackey char(128),
PRIMARY KEY (realm,name)
);
CREATE TABLE turn_secret (
realm varchar(127) default '',
value varchar(256),
primary key (realm,value)
);
CREATE TABLE allowed_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE denied_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE turn_origin_to_realm (
origin varchar(127),
realm varchar(127),
primary key (origin)
);
CREATE TABLE turn_realm_option (
realm varchar(127) default '',
opt varchar(32),
value varchar(128),
primary key (realm,opt)
);
CREATE TABLE oauth_key (
kid varchar(128),
ikm_key varchar(256),
timestamp bigint default 0,
lifetime integer default 0,
as_rs_alg varchar(64) default '',
realm varchar(127),
primary key (kid)
);
CREATE TABLE admin_user (
name varchar(32),
realm varchar(127),
password varchar(127),
primary key (name)
);
persistence:
size: 256Gi
coturn:
@ -243,7 +299,7 @@
secret: SacP5rWpci6GMqb2
email:
from: Matrix Auth Service <matrix-auth-service@eom.dev>
reply_to: No reply <no-reply@eom.dev>
reply_to: Matrix Auth Service <matrix-auth-service@eom.dev>
transport: smtp
mode: tls
hostname: postfix.eom.dev
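Review bot: The coturn block under the matrix values sets `image.tag: latest` with `pullPolicy: Always`, the same unpinned-image pattern as the coturn task file in this commit, so the relay version changes silently on every restart; pin a version tag. The rendering loses indentation and old/new markers, so I cannot tell whether the `uris` entry moved from `turns:` to `turn:` (dropping TLS on the TURN control channel) or the reverse; please confirm the new side keeps the `turns:` form. Separately, the `secret:` value in the context lines of the last hunk, just above the `email:` block, is a literal credential committed to the repository rather than a `{{ ... }}` variable like the neighbouring passwords; move it to a vaulted variable and rotate it, since it is already in history.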


@ -19,7 +19,10 @@
values:
image:
pullPolicy: IfNotPresent
tag: latest
livenessProbe:
initialDelaySeconds: 300
readinessProbe:
initialDelaySeconds: 300
nextcloud:
host: nextcloud.eom.dev
username: nextcloud_admin
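Review bot: `tag: latest` is added next to the existing `pullPolicy: IfNotPresent`, which is the worst combination: the version is unpinned, yet a node that already holds any image tagged `latest` never pulls again, so different nodes can run different Nextcloud builds and upgrades never happen on restart. Pin an explicit version, e.g. `tag: "<pinned nextcloud version>"` (placeholder), and keep `IfNotPresent`. The 300-second `initialDelaySeconds` on both probes also deserves a one-line comment on why such a long grace period is needed, since a hung pod will not be restarted for five minutes after each start and a healthy one is withheld from the Service for as long.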

51
tasks/obs-web.yaml Normal file

@ -0,0 +1,51 @@
---
# tasks file for obs-web
- name: Create namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: obs-web
- name: Create a Deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: obs-web
namespace: obs-web
spec:
replicas: 1
selector:
matchLabels:
app: obs-web
template:
metadata:
labels:
app: obs-web
spec:
containers:
- name: obs-web
image: ghcr.io/niek/obs-web
ports:
- containerPort: 5000
- name: Expose OBS-Web Deployment as a Service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: obs-web
namespace: obs-web
spec:
selector:
app: obs-web
ports:
- port: 80
targetPort: 5000
name: http
type: LoadBalancer
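Review bot: `kind: Deployment` is declared with `apiVersion: v1`, but Deployments live in the `apps/v1` group, so the `k8s` module will fail to resolve the resource; change it to `apiVersion: apps/v1` (the Deployment in `tasks/tes3mp.yaml` in this commit has the same mistake). The image `ghcr.io/niek/obs-web` has no tag or digest, and the container has no `securityContext` (no `runAsNonRoot`, no dropped capabilities), so the pod runs with whatever the image's defaults happen to be; pin the image and add a restrictive `securityContext`. The Service is `type: LoadBalancer`, which publishes the app outside the cluster; if OBS-Web itself performs no authentication, document what fronts it.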


@ -14,6 +14,10 @@
- job_name: apps
static_configs:
- targets:
- targets:
- discourse.eom.dev
labels:
instance: discourse
- gitea.eom.dev
labels:
instance: gitea
@ -21,19 +25,20 @@
- grafana.eom.dev
labels:
instance: grafana
metrics_path: /metrics
- job_name: nextcloud
static_configs:
- targets:
- jupyterhub.eom.dev
labels:
instance: jupyterhub
- targets:
- mastodon.eom.dev
labels:
instance: mastodon
- targets:
- nextcloud-metrics.nextcloud.svc.cluster.local
- nextcloud-metrics.nextcloud.svc.cluster.local:9205
labels:
instance: nextcloud
metrics_path: /metrics
- targets:
- matrix-synapse.matrix.svc.cluster.local:9092
labels:
instance: matrix
metrics_path: /
- job_name: libvirt_exporter
static_configs:
- targets:
@ -41,6 +46,7 @@
labels:
instance: poweredge-t640
metrics_path: /metrics
- job_name: node_exporter
static_configs:
- targets:
@ -60,7 +66,7 @@
labels:
instance: alpha-worker-0
- targets:
- 192.168.1.71:9100
- 192.168.1.70:9100
labels:
instance: alpha-worker-1
- targets:
@ -72,7 +78,7 @@
labels:
instance: alpha-worker-3
- targets:
- 192.168.1.60:9100
- 192.168.1.61:9100
labels:
instance: alpha-worker-4
- targets:
@ -100,7 +106,7 @@
labels:
instance: alpha-worker-10
- targets:
- 192.168.1.68:9100
- 192.168.1.65:9100
labels:
instance: alpha-worker-11
- targets:

81
tasks/tes3mp.yaml Normal file

@ -0,0 +1,81 @@
---
# tasks file for mail
- name: Create tes3mp namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: tes3mp
- name: Create a persistent volume claim
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: config
namespace: tes3mp
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 16Gi
- name: Create a deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: tes3mp
namespace: tes3mp
spec:
replicas: 1
selector:
matchLabels:
app: tes3mp
template:
metadata:
labels:
app: tes3mp
spec:
containers:
- name: tes3mp
image: tes3mp/server
volumeMounts:
- name: data
mountPath: /server/data
ports:
- containerPort: 25565
env:
- name: TES3MP_SERVER_GENERAL_HOSTNAME
value: tes3.eom.dev
- name: TES3MP_SERVER_GENERAL_PASSWORD
value: "{{ tes3mp_password }}"
volumes:
- name: data
persistentVolumeClaim:
claimName: data
- name: Expose deployment as a service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: tes3mp
namespace: tes3mp
spec:
selector:
app: tes3mp
ports:
- port: 25566
targetPort: 25565
name: tes3mp
protocol: UDP
type: LoadBalancer
externalTrafficPolicy: Local
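Review bot: The Deployment's volume is backed by `claimName: data`, but the PVC created in the preceding task is named `config`, so the pod will stay Pending on an unbound claim; either rename the PVC to `name: data` or point the volume at `claimName: config`. The Deployment also uses `apiVersion: v1` where `apiVersion: apps/v1` is required, and the header comment `# tasks file for mail` is a copy-paste leftover that should read `# tasks file for tes3mp`. `TES3MP_SERVER_GENERAL_PASSWORD` is injected as a plain `value:` in the pod spec, so the server password is readable by anyone who can read Deployments in the namespace; keep it in a Secret referenced via `valueFrom.secretKeyRef`, and add `no_log: true` to the task so the rendered value does not land in Ansible output. `containerPort: 25565` declares no `protocol: UDP` while the Service forwards UDP, which is worth aligning.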