Lots of changes

This commit is contained in:
Eric Meehan 2025-05-10 12:44:08 -04:00
parent 247da412ff
commit 44bc9e4f25
11 changed files with 383 additions and 38 deletions


@ -0,0 +1,36 @@
---
# tasks file for wordpress
- name: Deploy Wordpress
kubernetes.core.helm:
name: bridgegate-kitchen
chart_ref: bitnami/wordpress
release_namespace: bridgegate-kitchen
create_namespace: true
values:
resourcesPreset: small
wordpressUsername: wordpress_admin
wordpressPassword: "{{ wordpress_admin_password }}"
wordpressEmail: wordpress@eom.dev
wordpressFirstName: Administrator
wordpressLastName: Wordpress
wordpressBlogName: Bridgegate Kitchen
wordpressScheme: https
service:
type: ClusterIP
ingress:
enabled: true
ingressClassName: nginx
hostname: bridgegate-kitchen.eom.dev
annotations:
cert-manager.io/cluster-issuer: ca-issuer
tls: true
persistence:
enabled: true
size: 128Gi
mariadb:
enabled: true
auth:
password: "{{ wordpress_admin_password }}"
primary:
persistence:
size: 256Gi
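Review bot: The same `wordpress_admin_password` variable is used for both the WordPress admin login (`wordpressPassword`) and the database password (`mariadb.auth.password`), so a leak of either credential compromises the other; give the database its own variable, e.g. `password: "{{ wordpress_db_password }}"`. Because these passwords are passed as Helm values, the `kubernetes.core.helm` task will echo them in the play output on failure or at higher verbosity unless the task carries `no_log: true`. The chart is also referenced without a `version`, so re-running the play can silently pull a different chart release than the one that was reviewed.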


@ -17,28 +17,83 @@
release_namespace: coturn release_namespace: coturn
create_namespace: true create_namespace: true
values: values:
service:
type: LoadBalancer
externalTrafficPolicy: Local
certificate: certificate:
enabled: true enabled: true
host: coturn.eom.dev host: coturn.eom.dev
issuer: ca-issuer issuerName: ca-issuer
uris:
- turns:coturn.eom.dev?transport=udp
allowGuests: true
sharedSecret: "{{ coturn_shared_secret }}" sharedSecret: "{{ coturn_shared_secret }}"
service:
type: NodePort
image: image:
tag: latest tag: latest
pullPolicy: Always pullPolicy: Always
externalDatabase: externalDatabase:
enabled: true enabled: true
postgresql: postgresql:
enabled: false enabled: true
global: global:
postgresql: postgresql:
auth: auth:
password: "{{ coturn_admin_password }}" password: "{{ coturn_admin_password }}"
primary: primary:
initdb:
scripts:
schema.sql: |
CREATE TABLE turnusers_lt (
realm varchar(127) default '',
name varchar(512),
hmackey char(128),
PRIMARY KEY (realm,name)
);
CREATE TABLE turn_secret (
realm varchar(127) default '',
value varchar(256),
primary key (realm,value)
);
CREATE TABLE allowed_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE denied_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE turn_origin_to_realm (
origin varchar(127),
realm varchar(127),
primary key (origin)
);
CREATE TABLE turn_realm_option (
realm varchar(127) default '',
opt varchar(32),
value varchar(128),
primary key (realm,opt)
);
CREATE TABLE oauth_key (
kid varchar(128),
ikm_key varchar(256),
timestamp bigint default 0,
lifetime integer default 0,
as_rs_alg varchar(64) default '',
realm varchar(127),
primary key (kid)
);
CREATE TABLE admin_user (
name varchar(32),
realm varchar(127),
password varchar(127),
primary key (name)
);
persistence: persistence:
size: 256Gi size: 256Gi
coturn: coturn:
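Review bot: `allowGuests: true` on a TURN server exposed through a `LoadBalancer` service turns it into an anonymous relay that any internet client can use to proxy UDP/TCP traffic, which is the classic TURN abuse vector; since `sharedSecret` is already configured, set `allowGuests: false` so only clients holding time-limited credentials minted from that secret can allocate relays (the matrix tasks file in this same commit uses `allowGuests: false`). The rendered page does not show which `service` block is the new side, so confirm that `type: NodePort` is the one being removed. `externalDatabase.enabled: true` and `postgresql.enabled: true` now both appear set; if the chart treats these as mutually exclusive, one of them is dead configuration. The chart values continue past the end of the hunk.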


@ -21,7 +21,9 @@
user: "discourse" user: "discourse"
password: "{{ discourse_admin_password }}" password: "{{ discourse_admin_password }}"
image: image:
debug: true debug: false
service:
externalTrafficPolicy: Local
discourse: discourse:
skipInstall: false skipInstall: false
plugins: plugins:
@ -30,6 +32,9 @@
- https://github.com/discourse/discourse-activity-pub - https://github.com/discourse/discourse-activity-pub
- https://github.com/discourse/discourse-openid-connect - https://github.com/discourse/discourse-openid-connect
- https://github.com/jonmbake/discourse-ldap-auth - https://github.com/jonmbake/discourse-ldap-auth
- https://github.com/discourse/discourse-post-voting
- https://github.com/discourse/discourse-prometheus
- https://github.com/discourse/discourse-reactions
command: command:
- /bin/bash - /bin/bash
args: args:
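Review bot: The three plugins added under `plugins` are bare GitHub URLs with no commit or tag pin, so whatever those repositories serve at HEAD when the pod starts is executed inside Discourse with full application privileges; the same applies to the existing entries, including the third-party `jonmbake/discourse-ldap-auth`, which provides an authentication path. If the chart's plugin list accepts a ref, pin each entry to a reviewed commit; otherwise record the exposure with a comment such as `# plugins are cloned at HEAD on every start — review upstream before upgrading`. Turning `image.debug` to `false` is the right move for a public instance.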


@ -10,6 +10,7 @@
service: service:
main: main:
type: LoadBalancer type: LoadBalancer
externalTrafficPolicy: Local
workload: workload:
main: main:
podSpec: podSpec:


@ -42,6 +42,22 @@
name: ca-issuer name: ca-issuer
kind: ClusterIssuer kind: ClusterIssuer
- name: Create a persistent volume claim for mail
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: config
namespace: mail
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
- name: Create a persistent volume claim for mail - name: Create a persistent volume claim for mail
k8s: k8s:
state: present state: present
@ -79,7 +95,38 @@
containers: containers:
- name: mail - name: mail
image: mailserver/docker-mailserver image: mailserver/docker-mailserver
securityContext:
# `allowPrivilegeEscalation: true` is required to support SGID via the `postdrop`
# executable in `/var/mail-state` for Postfix (maildrop + public dirs):
# https://github.com/docker-mailserver/docker-mailserver/pull/3625
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: false
capabilities:
add:
# file permission capabilities
- CHOWN
- FOWNER
- MKNOD
- SETGID
- SETUID
- DAC_OVERRIDE
# network capabilities
- NET_ADMIN # needed for F2B
- NET_RAW # needed for F2B
- NET_BIND_SERVICE
# miscellaneous capabilities
- SYS_CHROOT
- KILL
drop: [ALL]
seccompProfile:
type: RuntimeDefault
volumeMounts: volumeMounts:
- name: config
mountPath: /tmp/docker-mailserver
- name: ssl - name: ssl
mountPath: /etc/letsencrypt mountPath: /etc/letsencrypt
- name: mail - name: mail
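Review bot: The `securityContext` adds `NET_ADMIN` and `NET_RAW`, which the inline comments tie to Fail2Ban (`# needed for F2B`), but nothing in this hunk shows Fail2Ban being enabled; if `ENABLE_FAIL2BAN` is not set in the container environment (defined outside the hunk), both capabilities are unused privilege on a root container and should be removed from the `add` list. The rest of the list matches what docker-mailserver documents for Kubernetes, and `drop: [ALL]` plus `seccompProfile: RuntimeDefault` is a reasonable baseline given the image requires `runAsUser: 0`. The new `config` PVC mounted at `/tmp/docker-mailserver` will hold account credentials and DKIM keys, so backups of that volume need to be treated as secrets. The container definition starts outside the hunk.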
@ -145,6 +192,9 @@
- name: ssl - name: ssl
secret: secret:
secretName: mail secretName: mail
- name: config
persistentVolumeClaim:
claimName: config
- name: mail - name: mail
persistentVolumeClaim: persistentVolumeClaim:
claimName: mail claimName: mail
@ -172,3 +222,4 @@
- port: 995 - port: 995
name: pop3 name: pop3
type: LoadBalancer type: LoadBalancer
externalTrafficPolicy: Local


@ -3,4 +3,4 @@
- name: Deploy - name: Deploy
include_tasks: "{{ item }}" include_tasks: "{{ item }}"
loop: loop:
- luanti.yaml - mail.yaml


@ -36,7 +36,7 @@
enabled: true enabled: true
host: eom.dev host: eom.dev
oidc: oidc:
enabled: false enabled: true
providers: providers:
- idp_id: github - idp_id: github
idp_name: Github idp_name: Github
@ -155,32 +155,88 @@
cert-manager.io/cluster-issuer: ca-issuer cert-manager.io/cluster-issuer: ca-issuer
coturn: coturn:
enabled: false enabled: false
external: true
uris:
- turns:coturn.eom.dev?transport=udp
- turns:coturn.eom.dev?transport=tcp
allowGuests: false
sharedSecret: "{{ coturn_shared_secret }}"
service:
type: LoadBalancer
externalTrafficPolicy: Local
certificate: certificate:
enabled: true enabled: true
host: coturn.eom.dev host: coturn.eom.dev
issuer: ca-issuer issuerName: ca-issuer
uris:
- turn:coturn.eom.dev?transport=udp
allowGuests: true
service:
type: NodePort
image: image:
tag: latest tag: latest
pullPolicy: IfNotPresent pullPolicy: Always
externalDatabase: externalDatabase:
enabled: true enabled: true
hostname: matrix-postgresql
username: matrix
password: "{{ matrix_admin_password }}"
database: coturn
postgresql: postgresql:
enabled: false enabled: true
nameOverride: matrix-coturn-postgresql
global: global:
postgresql: postgresql:
auth: auth:
password: "{{ coturn_admin_password }}" password: "{{ coturn_admin_password }}"
primary: primary:
initdb:
scripts:
schema.sql: |
CREATE TABLE turnusers_lt (
realm varchar(127) default '',
name varchar(512),
hmackey char(128),
PRIMARY KEY (realm,name)
);
CREATE TABLE turn_secret (
realm varchar(127) default '',
value varchar(256),
primary key (realm,value)
);
CREATE TABLE allowed_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE denied_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
CREATE TABLE turn_origin_to_realm (
origin varchar(127),
realm varchar(127),
primary key (origin)
);
CREATE TABLE turn_realm_option (
realm varchar(127) default '',
opt varchar(32),
value varchar(128),
primary key (realm,opt)
);
CREATE TABLE oauth_key (
kid varchar(128),
ikm_key varchar(256),
timestamp bigint default 0,
lifetime integer default 0,
as_rs_alg varchar(64) default '',
realm varchar(127),
primary key (kid)
);
CREATE TABLE admin_user (
name varchar(32),
realm varchar(127),
password varchar(127),
primary key (name)
);
persistence: persistence:
size: 256Gi size: 256Gi
coturn: coturn:
@ -243,7 +299,7 @@
secret: SacP5rWpci6GMqb2 secret: SacP5rWpci6GMqb2
email: email:
from: Matrix Auth Service <matrix-auth-service@eom.dev> from: Matrix Auth Service <matrix-auth-service@eom.dev>
reply_to: No reply <no-reply@eom.dev> reply_to: Matrix Auth Service <matrix-auth-service@eom.dev>
transport: smtp transport: smtp
mode: tls mode: tls
hostname: postfix.eom.dev hostname: postfix.eom.dev
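Review bot: `secret: SacP5rWpci6GMqb2` is a static credential committed in plaintext, unlike every other sensitive value in these files, which are Jinja-templated from (presumably vaulted) variables; replace it with `secret: "{{ matrix_auth_secret }}"` and rotate the value, since the current one is already in git history. The line itself is unchanged by this commit, but the hunk edits the adjacent `email` block, so this is the moment to fix it. Separately, the new coturn `externalDatabase` block earlier in this section reuses `matrix_admin_password` with `username: matrix` against `matrix-postgresql`, handing the internet-facing TURN service the same database credentials as Synapse; a dedicated `coturn` role with its own password would limit the blast radius of a TURN compromise.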


@ -19,7 +19,10 @@
values: values:
image: image:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: latest livenessProbe:
initialDelaySeconds: 300
readinessProbe:
initialDelaySeconds: 300
nextcloud: nextcloud:
host: nextcloud.eom.dev host: nextcloud.eom.dev
username: nextcloud_admin username: nextcloud_admin

51
tasks/obs-web.yaml Normal file

@ -0,0 +1,51 @@
---
# tasks file for obs-web
- name: Create namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: obs-web
- name: Create a Deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: obs-web
namespace: obs-web
spec:
replicas: 1
selector:
matchLabels:
app: obs-web
template:
metadata:
labels:
app: obs-web
spec:
containers:
- name: obs-web
image: ghcr.io/niek/obs-web
ports:
- containerPort: 5000
- name: Expose OBS-Web Deployment as a Service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: obs-web
namespace: obs-web
spec:
selector:
app: obs-web
ports:
- port: 80
targetPort: 5000
name: http
type: LoadBalancer
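Review bot: `kind: Deployment` is declared with `apiVersion: v1`, which the API server rejects because Deployments live in `apps/v1`, so this task fails before anything is created; change it to `apiVersion: apps/v1`. The container image `ghcr.io/niek/obs-web` has no tag or digest and the pod has no `securityContext` or resource limits, in contrast to the hardened `mail` container elsewhere in this commit; pin the image and add at least `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. Exposing it on a plain `LoadBalancer` on port 80 also bypasses the cert-manager/ingress TLS pattern the other web services here use; consider fronting it with the nginx ingress and a certificate instead.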


@ -14,6 +14,10 @@
- job_name: apps - job_name: apps
static_configs: static_configs:
- targets: - targets:
- targets:
- discourse.eom.dev
labels:
instance: discourse
- gitea.eom.dev - gitea.eom.dev
labels: labels:
instance: gitea instance: gitea
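Review bot: The new `discourse.eom.dev` target scrapes the public hostname rather than an in-cluster service, as the nearby `nextcloud-metrics.nextcloud.svc.cluster.local` and `matrix-synapse.matrix.svc.cluster.local` targets do, which means the metrics endpoint has to be reachable, and is likely reachable unauthenticated, from the internet through the ingress. The `discourse-prometheus` plugin added in this same commit normally serves metrics on a separate collector port inside the pod rather than on the site's `/metrics` route, so confirm the path actually returns metrics and prefer the cluster-internal service address so the endpoint is never exposed publicly. The `static_configs` list for this job begins outside the hunk.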
@ -21,19 +25,20 @@
- grafana.eom.dev - grafana.eom.dev
labels: labels:
instance: grafana instance: grafana
metrics_path: /metrics
- job_name: nextcloud
static_configs:
- targets: - targets:
- jupyterhub.eom.dev - nextcloud-metrics.nextcloud.svc.cluster.local:9205
labels:
instance: jupyterhub
- targets:
- mastodon.eom.dev
labels:
instance: mastodon
- targets:
- nextcloud-metrics.nextcloud.svc.cluster.local
labels: labels:
instance: nextcloud instance: nextcloud
metrics_path: /metrics - targets:
- matrix-synapse.matrix.svc.cluster.local:9092
labels:
instance: matrix
metrics_path: /
- job_name: libvirt_exporter - job_name: libvirt_exporter
static_configs: static_configs:
- targets: - targets:
@ -41,6 +46,7 @@
labels: labels:
instance: poweredge-t640 instance: poweredge-t640
metrics_path: /metrics metrics_path: /metrics
- job_name: node_exporter - job_name: node_exporter
static_configs: static_configs:
- targets: - targets:
@ -60,7 +66,7 @@
labels: labels:
instance: alpha-worker-0 instance: alpha-worker-0
- targets: - targets:
- 192.168.1.71:9100 - 192.168.1.70:9100
labels: labels:
instance: alpha-worker-1 instance: alpha-worker-1
- targets: - targets:
@ -72,7 +78,7 @@
labels: labels:
instance: alpha-worker-3 instance: alpha-worker-3
- targets: - targets:
- 192.168.1.60:9100 - 192.168.1.61:9100
labels: labels:
instance: alpha-worker-4 instance: alpha-worker-4
- targets: - targets:
@ -100,7 +106,7 @@
labels: labels:
instance: alpha-worker-10 instance: alpha-worker-10
- targets: - targets:
- 192.168.1.68:9100 - 192.168.1.65:9100
labels: labels:
instance: alpha-worker-11 instance: alpha-worker-11
- targets: - targets:

81
tasks/tes3mp.yaml Normal file

@ -0,0 +1,81 @@
---
# tasks file for mail
- name: Create tes3mp namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: tes3mp
- name: Create a persistent volume claim
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: config
namespace: tes3mp
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 16Gi
- name: Create a deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: tes3mp
namespace: tes3mp
spec:
replicas: 1
selector:
matchLabels:
app: tes3mp
template:
metadata:
labels:
app: tes3mp
spec:
containers:
- name: tes3mp
image: tes3mp/server
volumeMounts:
- name: data
mountPath: /server/data
ports:
- containerPort: 25565
env:
- name: TES3MP_SERVER_GENERAL_HOSTNAME
value: tes3.eom.dev
- name: TES3MP_SERVER_GENERAL_PASSWORD
value: "{{ tes3mp_password }}"
volumes:
- name: data
persistentVolumeClaim:
claimName: data
- name: Expose deployment as a service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: tes3mp
namespace: tes3mp
spec:
selector:
app: tes3mp
ports:
- port: 25566
targetPort: 25565
name: tes3mp
protocol: UDP
type: LoadBalancer
externalTrafficPolicy: Local
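Review bot: The pod cannot start as written: the PVC is created as `name: config` but the volume references `claimName: data`, and `kind: Deployment` is declared with `apiVersion: v1` instead of `apps/v1`, so the `k8s` task is rejected before the claim mismatch is even reached. The server password is injected as a literal `env` `value: "{{ tes3mp_password }}"`, which renders the secret into the Deployment object where anyone with read access to deployments or pods in the namespace can see it; move it to a Secret consumed via `valueFrom.secretKeyRef`, and mark the task that creates the Secret with `no_log: true` so Ansible does not echo it. The header comment `# tasks file for mail` was copied from another file and should read `# tasks file for tes3mp`.

```yaml
# … unchanged: namespace task and `config` PVC task …
- name: Create the tes3mp server password secret
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: tes3mp
        namespace: tes3mp
      stringData:
        password: "{{ tes3mp_password }}"
  no_log: true
- name: Create a deployment
  k8s:
    definition:
      apiVersion: apps/v1
      kind: Deployment
      # … unchanged: metadata, replicas, selector, template labels …
          containers:
            - name: tes3mp
              image: tes3mp/server
              # … unchanged: volumeMounts, ports, hostname env …
                - name: TES3MP_SERVER_GENERAL_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: tes3mp
                      key: password
          volumes:
            - name: data
              persistentVolumeClaim:
                claimName: config
# … unchanged: service task …
```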