diff --git a/tasks/bridgegate_kitchen.yaml b/tasks/bridgegate_kitchen.yaml
new file mode 100644
index 0000000..d504ead
--- /dev/null
+++ b/tasks/bridgegate_kitchen.yaml
@@ -0,0 +1,36 @@
+---
+# tasks file for wordpress
+- name: Deploy Wordpress
+ kubernetes.core.helm:
+ name: bridgegate-kitchen
+ chart_ref: bitnami/wordpress
+ release_namespace: bridgegate-kitchen
+ create_namespace: true
+ values:
+ resourcesPreset: small
+ wordpressUsername: wordpress_admin
+ wordpressPassword: "{{ wordpress_admin_password }}"
+ wordpressEmail: wordpress@eom.dev
+ wordpressFirstName: Administrator
+ wordpressLastName: Wordpress
+ wordpressBlogName: Bridgegate Kitchen
+ wordpressScheme: https
+ service:
+ type: ClusterIP
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ hostname: bridgegate-kitchen.eom.dev
+ annotations:
+ cert-manager.io/cluster-issuer: ca-issuer
+ tls: true
+ persistence:
+ enabled: true
+ size: 128Gi
+ mariadb:
+ enabled: true
+ auth:
+ password: "{{ wordpress_admin_password }}"
+ primary:
+ persistence:
+ size: 256Gi
diff --git a/tasks/coturn.yaml b/tasks/coturn.yaml
index cd06a3a..207b5c5 100644
--- a/tasks/coturn.yaml
+++ b/tasks/coturn.yaml
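Review bot: `mariadb.auth.password` is set to `{{ wordpress_admin_password }}`, the same variable used for `wordpressPassword`, so the WordPress admin login and the database credential are one secret: a leak of either exposes both, and rotating one forces rotating the other. Give the database its own vault variable, e.g. `password: "{{ wordpress_db_password }}"` (constructed name; define it in the vault alongside the existing one), and keep the two secrets independent. The header comment `# tasks file for wordpress` could also name the release, e.g. `# tasks file for the bridgegate-kitchen WordPress release`, since this file is per site.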
@@ -17,28 +17,83 @@
 release_namespace: coturn
 create_namespace: true
 values:
+ service:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
 certificate:
 enabled: true
 host: coturn.eom.dev
- issuer: ca-issuer
- uris:
- - turns:coturn.eom.dev?transport=udp
- allowGuests: true
+ issuerName: ca-issuer
 sharedSecret: "{{ coturn_shared_secret }}"
- service:
- type: NodePort
 image:
 tag: latest
 pullPolicy: Always
 externalDatabase:
 enabled: true
 postgresql:
- enabled: false
+ enabled: true
 global:
 postgresql:
 auth:
 password: "{{ coturn_admin_password }}"
 primary:
+ initdb:
+ scripts:
+ schema.sql: |
+ CREATE TABLE turnusers_lt (
+ realm varchar(127) default '',
+ name varchar(512),
+ hmackey char(128),
+ PRIMARY KEY (realm,name)
+ );
+
+ CREATE TABLE turn_secret (
+ realm varchar(127) default '',
+ value varchar(256),
+ primary key (realm,value)
+ );
+
+ CREATE TABLE allowed_peer_ip (
+ realm varchar(127) default '',
+ ip_range varchar(256),
+ primary key (realm,ip_range)
+ );
+
+ CREATE TABLE denied_peer_ip (
+ realm varchar(127) default '',
+ ip_range varchar(256),
+ primary key (realm,ip_range)
+ );
+
+ CREATE TABLE turn_origin_to_realm (
+ origin varchar(127),
+ realm varchar(127),
+ primary key (origin)
+ );
+
+ CREATE TABLE turn_realm_option (
+ realm varchar(127) default '',
+ opt varchar(32),
+ value varchar(128),
+ primary key (realm,opt)
+ );
+
+ CREATE TABLE oauth_key (
+ kid varchar(128),
+ ikm_key varchar(256),
+ timestamp bigint default 0,
+ lifetime integer default 0,
+ as_rs_alg varchar(64) default '',
+ realm varchar(127),
+ primary key (kid)
+ );
+
+ CREATE TABLE admin_user (
+ name varchar(32),
+ realm varchar(127),
+ password varchar(127),
+ primary key (name)
+ );
 persistence:
 size: 256Gi
 coturn:
diff --git a/tasks/discourse.yaml b/tasks/discourse.yaml
index 008cba5..d712750 100644
--- a/tasks/discourse.yaml
+++ b/tasks/discourse.yaml
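Review bot: The 54-line `schema.sql` block added under `primary.initdb.scripts` is repeated verbatim in tasks/matrix.yaml in this same commit, so the two copies will drift the next time the coturn schema changes; load it once from a file instead, e.g. `schema.sql: "{{ lookup('file', 'coturn-schema.sql') }}"` (file name to be chosen), or keep it in a shared vars file referenced from both tasks. Separately, the hunk switches `postgresql.enabled` to `true` while leaving `externalDatabase.enabled: true` in place; those two settings usually describe mutually exclusive database modes, so one of them is presumably ignored by the chart — confirm which one it honors and remove the other so the intent is explicit.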
@@ -21,7 +21,9 @@
 user: "discourse"
 password: "{{ discourse_admin_password }}"
 image:
- debug: true
+ debug: false
+ service:
+ externalTrafficPolicy: Local
 discourse:
 skipInstall: false
 plugins:
@@ -30,6 +32,9 @@
 - https://github.com/discourse/discourse-activity-pub
 - https://github.com/discourse/discourse-openid-connect
 - https://github.com/jonmbake/discourse-ldap-auth
+ - https://github.com/discourse/discourse-post-voting
+ - https://github.com/discourse/discourse-prometheus
+ - https://github.com/discourse/discourse-reactions
 command:
 - /bin/bash
 args:
diff --git a/tasks/luanti.yaml b/tasks/luanti.yaml
index 73f4803..c3aeec5 100644
--- a/tasks/luanti.yaml
+++ b/tasks/luanti.yaml
@@ -10,6 +10,7 @@
 service:
 main:
 type: LoadBalancer
+ externalTrafficPolicy: Local
 workload:
 main:
 podSpec:
diff --git a/tasks/mail.yaml b/tasks/mail.yaml
index 9823077..006b124 100644
--- a/tasks/mail.yaml
+++ b/tasks/mail.yaml
@@ -42,6 +42,22 @@
 name: ca-issuer
 kind: ClusterIssuer
 
+- name: Create a persistent volume claim for mail
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: config
+ namespace: mail
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+
 - name: Create a persistent volume claim for mail
 k8s:
 state: present
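Review bot: The three entries added to `plugins:` (`discourse-post-voting`, `discourse-prometheus`, `discourse-reactions`) are bare GitHub URLs like the existing ones, so each install clones whatever the default branch holds at that moment, and plugin code runs inside the Discourse process itself. If the chart's plugin loader accepts a ref, pin each URL to a tag or commit; if it does not, record that limitation in a comment above the list, e.g. `# plugins are cloned unpinned from their default branch; the chart offers no ref field`, so the trade-off is visible to the next reader.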
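Review bot: The new task is named `Create a persistent volume claim for mail`, identical to the task that follows it, so play output shows two tasks with the same name and it is not obvious which one created the `config` claim. Rename it to say what it creates, e.g. `- name: Create a persistent volume claim for mail config`.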
@@ -79,7 +95,38 @@
 containers:
 - name: mail
 image: mailserver/docker-mailserver
+ securityContext:
+ # `allowPrivilegeEscalation: true` is required to support SGID via the `postdrop`
+ # executable in `/var/mail-state` for Postfix (maildrop + public dirs):
+ # https://github.com/docker-mailserver/docker-mailserver/pull/3625
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ privileged: false
+ capabilities:
+ add:
+ # file permission capabilities
+ - CHOWN
+ - FOWNER
+ - MKNOD
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+ # network capabilities
+ - NET_ADMIN # needed for F2B
+ - NET_RAW # needed for F2B
+ - NET_BIND_SERVICE
+ # miscellaneous capabilities
+ - SYS_CHROOT
+ - KILL
+ drop: [ALL]
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
+ - name: config
+ mountPath: /tmp/docker-mailserver
 - name: ssl
 mountPath: /etc/letsencrypt
 - name: mail
@@ -145,6 +192,9 @@
 - name: ssl
 secret:
 secretName: mail
+ - name: config
+ persistentVolumeClaim:
+ claimName: config
 - name: mail
 persistentVolumeClaim:
 claimName: mail
@@ -172,3 +222,4 @@
 - port: 995
 name: pop3
 type: LoadBalancer
+ externalTrafficPolicy: Local
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 15dc628..cf30a2e 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -3,4 +3,4 @@
 - name: Deploy
 include_tasks: "{{ item }}"
 loop:
- - luanti.yaml
+ - mail.yaml
diff --git a/tasks/matrix.yaml b/tasks/matrix.yaml
index 9798229..36890c0 100644
--- a/tasks/matrix.yaml
+++ b/tasks/matrix.yaml
@@ -36,7 +36,7 @@
 enabled: true
 host: eom.dev
 oidc:
- enabled: false
+ enabled: true
 providers:
 - idp_id: github
 idp_name: Github
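Review bot: The comment block above `allowPrivilegeEscalation: true` justifies that setting with an upstream reference, but the capability list is only annotated with `# needed for F2B`, and together with `runAsUser: 0` the `NET_ADMIN`/`NET_RAW` pair is the broadest grant in this `securityContext`. Spell the dependency out and make it conditional, e.g. `# NET_ADMIN/NET_RAW are only required when fail2ban (F2B) is enabled in docker-mailserver; drop both if it is not`, assuming F2B does mean fail2ban here. `drop: [ALL]` ahead of the `add:` list and `seccompProfile.type: RuntimeDefault` are the right shape. The container spec continues outside the hunk.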
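Review bot: In tasks/main.yaml the `loop:` now lists only `mail.yaml` in place of `luanti.yaml`, so the three task files this commit adds (`bridgegate_kitchen.yaml`, `obs-web.yaml`, `tes3mp.yaml`) and every other file under tasks/ are not included by the `Deploy` task at all. If the single-entry loop is a deliberate switch for whichever service is being worked on, say so with a comment above `loop:`, e.g. `# only the task file currently being deployed; the others are run on demand`; otherwise list every task file here so a fresh run converges the whole cluster.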
@@ -155,32 +155,88 @@
 cert-manager.io/cluster-issuer: ca-issuer
 coturn:
 enabled: false
+ external: true
+ uris:
+ - turns:coturn.eom.dev?transport=udp
+ - turns:coturn.eom.dev?transport=tcp
+ allowGuests: false
+ sharedSecret: "{{ coturn_shared_secret }}"
+ service:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
 certificate:
 enabled: true
 host: coturn.eom.dev
- issuer: ca-issuer
- uris:
- - turn:coturn.eom.dev?transport=udp
- allowGuests: true
- service:
- type: NodePort
+ issuerName: ca-issuer
 image:
 tag: latest
- pullPolicy: IfNotPresent
+ pullPolicy: Always
 externalDatabase:
 enabled: true
- hostname: matrix-postgresql
- username: matrix
- password: "{{ matrix_admin_password }}"
- database: coturn
 postgresql:
- enabled: false
- nameOverride: matrix-coturn-postgresql
+ enabled: true
 global:
 postgresql:
 auth:
 password: "{{ coturn_admin_password }}"
 primary:
+ initdb:
+ scripts:
+ schema.sql: |
+ CREATE TABLE turnusers_lt (
+ realm varchar(127) default '',
+ name varchar(512),
+ hmackey char(128),
+ PRIMARY KEY (realm,name)
+ );
+
+ CREATE TABLE turn_secret (
+ realm varchar(127) default '',
+ value varchar(256),
+ primary key (realm,value)
+ );
+
+ CREATE TABLE allowed_peer_ip (
+ realm varchar(127) default '',
+ ip_range varchar(256),
+ primary key (realm,ip_range)
+ );
+
+ CREATE TABLE denied_peer_ip (
+ realm varchar(127) default '',
+ ip_range varchar(256),
+ primary key (realm,ip_range)
+ );
+
+ CREATE TABLE turn_origin_to_realm (
+ origin varchar(127),
+ realm varchar(127),
+ primary key (origin)
+ );
+
+ CREATE TABLE turn_realm_option (
+ realm varchar(127) default '',
+ opt varchar(32),
+ value varchar(128),
+ primary key (realm,opt)
+ );
+
+ CREATE TABLE oauth_key (
+ kid varchar(128),
+ ikm_key varchar(256),
+ timestamp bigint default 0,
+ lifetime integer default 0,
+ as_rs_alg varchar(64) default '',
+ realm varchar(127),
+ primary key (kid)
+ );
+
+ CREATE TABLE admin_user (
+ name varchar(32),
+ realm varchar(127),
+ password varchar(127),
+ primary key (name)
+ );
 persistence:
 size: 256Gi
 coturn:
@@ -243,7 +299,7 @@
 secret: SacP5rWpci6GMqb2
 email:
 from: Matrix Auth Service
- reply_to: No reply
+ reply_to: Matrix Auth Service
 transport: smtp
 mode: tls
 hostname: postfix.eom.dev
diff --git a/tasks/nextcloud.yaml b/tasks/nextcloud.yaml
index 187a976..fd8d28d 100644
--- a/tasks/nextcloud.yaml
+++ b/tasks/nextcloud.yaml
@@ -19,7 +19,10 @@
 values:
 image:
 pullPolicy: IfNotPresent
- tag: latest
+ livenessProbe:
+ initialDelaySeconds: 300
+ readinessProbe:
+ initialDelaySeconds: 300
 nextcloud:
 host: nextcloud.eom.dev
 username: nextcloud_admin
diff --git a/tasks/obs-web.yaml b/tasks/obs-web.yaml
new file mode 100644
index 0000000..1f52e0a
--- /dev/null
+++ b/tasks/obs-web.yaml
@@ -0,0 +1,51 @@
+---
+# tasks file for obs-web
+- name: Create namespace
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: obs-web
+
+- name: Create a Deployment
+ k8s:
+ definition:
+ apiVersion: v1
+ kind: Deployment
+ metadata:
+ name: obs-web
+ namespace: obs-web
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: obs-web
+ template:
+ metadata:
+ labels:
+ app: obs-web
+ spec:
+ containers:
+ - name: obs-web
+ image: ghcr.io/niek/obs-web
+ ports:
+ - containerPort: 5000
+
+- name: Expose OBS-Web Deployment as a Service
+ k8s:
+ definition:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: obs-web
+ namespace: obs-web
+ spec:
+ selector:
+ app: obs-web
+ ports:
+ - port: 80
+ targetPort: 5000
+ name: http
+ type: LoadBalancer
diff --git a/tasks/prometheus.yaml b/tasks/prometheus.yaml
index 504c852..b7753f4 100644
--- a/tasks/prometheus.yaml
+++ b/tasks/prometheus.yaml
@@ -14,6 +14,10 @@
 - job_name: apps
 static_configs:
 - targets:
+ - targets:
+ - discourse.eom.dev
+ labels:
+ instance: discourse
 - gitea.eom.dev
 labels:
 instance: gitea
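Review bot: `coturn.enabled` stays `false` and the hunk adds `external: true`, yet the same `coturn:` stanza also gains `postgresql.enabled: true` with a full `initdb` schema, plus `certificate`, `image` and `externalDatabase` settings; if the subchart is disabled these values are presumably never rendered, and they duplicate tasks/coturn.yaml (including the 54-line `schema.sql`), which is where the external TURN server is actually deployed. Keep only the keys the Matrix chart reads to reach the external server (`external`, `uris`, `sharedSecret`, and whichever others its values schema lists) and drop the rest, or add a comment above `coturn:` saying why the subchart values are retained. `allowGuests: false` is the right default for an internet-facing TURN endpoint.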
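Review bot: The `secret:` context line two lines above the changed `reply_to:` holds a literal value in the file, while every other credential in these tasks is templated from a vault variable (`{{ coturn_shared_secret }}`, `{{ discourse_admin_password }}`); a secret committed in clear text should be treated as exposed, so rotate it and reference it as `secret: "{{ matrix_auth_service_secret }}"` (constructed variable name). Also `reply_to: Matrix Auth Service` is a display name rather than an address, as `from:` already is; if the mail transport expects `Name <address>` form (check the auth-service config schema), both lines need the address part.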
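Review bot: A fixed `readinessProbe.initialDelaySeconds: 300` keeps the pod out of the Service for five minutes on every restart even when it is up in thirty seconds, and the matching `livenessProbe` delay only postpones the first check. If the chart exposes a `startupProbe` (not visible here; check its values), that is the idiomatic way to tolerate a slow first boot, e.g. `startupProbe:` with `failureThreshold: 30` and `periodSeconds: 10`, after which liveness and readiness can keep their defaults. Dropping `tag: latest` in favour of the chart default is an improvement on its own.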
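Review bot: The Deployment in tasks/obs-web.yaml is declared with `apiVersion: v1`, but Deployments belong to the `apps` group, so the `k8s` module will fail to resolve the kind; change it to `apiVersion: apps/v1`. The same mistake is in tasks/tes3mp.yaml. Since the workload is exposed through a `LoadBalancer` Service, also consider pinning `image: ghcr.io/niek/obs-web` to a tag or digest and adding a `securityContext` and `resources` block to the container.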
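Review bot: The new side now has two consecutive `- targets:` lines under `static_configs:` before `- discourse.eom.dev`, and the existing `- gitea.eom.dev` line then follows the discourse `labels:` mapping; unless indentation (lost in this view) makes it otherwise, the first `- targets:` is an empty entry and the gitea target is no longer under a `targets:` key, which Prometheus will reject at config load. Drop the duplicate `- targets:` line so the block reads `- targets:` / `- discourse.eom.dev` / `labels:` / `instance: discourse`, followed by a fresh `- targets:` entry for gitea.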
@@ -21,19 +25,20 @@
 - grafana.eom.dev
 labels:
 instance: grafana
+ metrics_path: /metrics
+
+ - job_name: nextcloud
+ static_configs:
 - targets:
- - jupyterhub.eom.dev
- labels:
- instance: jupyterhub
- - targets:
- - mastodon.eom.dev
- labels:
- instance: mastodon
- - targets:
- - nextcloud-metrics.nextcloud.svc.cluster.local
+ - nextcloud-metrics.nextcloud.svc.cluster.local:9205
 labels:
 instance: nextcloud
- metrics_path: /metrics
+ - targets:
+ - matrix-synapse.matrix.svc.cluster.local:9092
+ labels:
+ instance: matrix
+ metrics_path: /
+
 - job_name: libvirt_exporter
 static_configs:
 - targets:
@@ -41,6 +46,7 @@
 labels:
 instance: poweredge-t640
 metrics_path: /metrics
+
 - job_name: node_exporter
 static_configs:
 - targets:
@@ -60,7 +66,7 @@
 labels:
 instance: alpha-worker-0
 - targets:
- - 192.168.1.71:9100
+ - 192.168.1.70:9100
 labels:
 instance: alpha-worker-1
 - targets:
@@ -72,7 +78,7 @@
 labels:
 instance: alpha-worker-3
 - targets:
- - 192.168.1.60:9100
+ - 192.168.1.61:9100
 labels:
 instance: alpha-worker-4
 - targets:
@@ -100,7 +106,7 @@
 labels:
 instance: alpha-worker-10
 - targets:
- - 192.168.1.68:9100
+ - 192.168.1.65:9100
 labels:
 instance: alpha-worker-11
 - targets:
diff --git a/tasks/tes3mp.yaml b/tasks/tes3mp.yaml
new file mode 100644
index 0000000..90aa28c
--- /dev/null
+++ b/tasks/tes3mp.yaml
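Review bot: The new `- job_name: nextcloud` job also carries the `matrix-synapse.matrix.svc.cluster.local:9092` target, and `metrics_path: /` is placed after that target's `labels:` rather than at job level; `metrics_path` is a per-job field of a scrape config, so one job cannot fetch `/metrics` for nextcloud and `/` for synapse, and if the key ends up inside the `static_configs` entry the whole config is rejected for an unknown field. Move synapse into its own `- job_name: matrix` with its own `metrics_path`, and leave the `nextcloud` job with the nextcloud target only. The node_exporter address changes in the later hunks of this file look like plain renumbering and need no comment.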
@@ -0,0 +1,81 @@
+---
+# tasks file for mail
+- name: Create tes3mp namespace
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: tes3mp
+
+- name: Create a persistent volume claim
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: config
+ namespace: tes3mp
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 16Gi
+
+- name: Create a deployment
+ k8s:
+ definition:
+ apiVersion: v1
+ kind: Deployment
+ metadata:
+ name: tes3mp
+ namespace: tes3mp
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tes3mp
+ template:
+ metadata:
+ labels:
+ app: tes3mp
+ spec:
+ containers:
+ - name: tes3mp
+ image: tes3mp/server
+ volumeMounts:
+ - name: data
+ mountPath: /server/data
+ ports:
+ - containerPort: 25565
+ env:
+ - name: TES3MP_SERVER_GENERAL_HOSTNAME
+ value: tes3.eom.dev
+ - name: TES3MP_SERVER_GENERAL_PASSWORD
+ value: "{{ tes3mp_password }}"
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: data
+
+- name: Expose deployment as a service
+ k8s:
+ definition:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: tes3mp
+ namespace: tes3mp
+ spec:
+ selector:
+ app: tes3mp
+ ports:
+ - port: 25566
+ targetPort: 25565
+ name: tes3mp
+ protocol: UDP
+ type: LoadBalancer
+ externalTrafficPolicy: Local
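Review bot: The Deployment's volume references `claimName: data`, but the claim created earlier in this file is `metadata.name: config`, so the pod will sit in Pending with an unbound claim; either change the volume to `claimName: config` or rename the claim to `data` to match. The Deployment also uses `apiVersion: v1` where it must be `apiVersion: apps/v1`, and the header comment `# tasks file for mail` was copied from another file and should read `# tasks file for tes3mp`. The server password is injected as a plain `value:` on `TES3MP_SERVER_GENERAL_PASSWORD`, which leaves it readable in the rendered Deployment object to anyone who can get deployments in the namespace; prefer a Secret referenced through `valueFrom.secretKeyRef`. Since the Service is UDP, the `containerPort: 25565` entry could also state `protocol: UDP` for clarity.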