diff --git a/files/httpd-dav.conf b/files/httpd-dav.conf
deleted file mode 100644
index b61af02..0000000
--- a/files/httpd-dav.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# Distributed authoring and versioning (WebDAV)
-#
-# Required modules: mod_alias, mod_auth_digest, mod_authn_core, mod_authn_file,
-# mod_authz_core, mod_authz_user, mod_dav, mod_dav_fs,
-# mod_setenvif
-LoadModule dav_module modules/mod_dav.so
-LoadModule dav_fs_module modules/mod_dav_fs.so
-
-# The following example gives DAV write access to a directory called
-# "uploads" under the ServerRoot directory.
-#
-# The User/Group specified in httpd.conf needs to have write permissions
-# on the directory where the DavLockDB is placed and on any directory where
-# "Dav On" is specified.
-
-DavLockDB "/usr/local/apache2/DavLock"
-
-
- Dav On
-
-
-#
-# The following directives disable redirects on non-GET requests for
-# a directory that does not include the trailing slash. This fixes a
-# problem with several clients that do not appropriately handle
-# redirects for folders with DAV methods.
-#
-BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
-BrowserMatch "MS FrontPage" redirect-carefully
-BrowserMatch "^WebDrive" redirect-carefully
-BrowserMatch "^WebDAVFS/1.[01234]" redirect-carefully
-BrowserMatch "^gnome-vfs/1.0" redirect-carefully
-BrowserMatch "^XML Spy" redirect-carefully
-BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
-BrowserMatch " Konqueror/4" redirect-carefully
diff --git a/files/httpd-gitweb.conf b/files/httpd-gitweb.conf
deleted file mode 100644
index 2c4299b..0000000
--- a/files/httpd-gitweb.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-LoadModule rewrite_module modules/mod_rewrite.so
-LoadModule cgi_module modules/mod_cgi.so
-
-SetEnv GIT_PROJECT_ROOT /usr/local/apache2/htdocs
-SetEnv GIT_HTTP_EXPORT_ALL
-
-ScriptAliasMatch \
- "(?x)^/(.*/(HEAD | \
- info/refs | \
- objects/(info/[^/]+ | \
- [0-9a-f]{2}/[0-9a-f]{38} | \
- pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
- git-(upload|receive)-pack))$" \
- /usr/lib/git-core/git-http-backend/$1
-
-ScriptAlias / /usr/lib/cgi-bin/gitweb.cgi/
-
-
- Options +ExecCGI +Indexes
- Order allow,deny
- Allow from all
- Require all granted
-
-
-
- Options +ExecCGI +Indexes
- Order allow,deny
- Allow from all
- Require all granted
-
diff --git a/files/httpd-proxy.conf b/files/httpd-proxy.conf
deleted file mode 100644
index 79d12c0..0000000
--- a/files/httpd-proxy.conf
+++ /dev/null
@@ -1,139 +0,0 @@
-LoadModule proxy_module modules/mod_proxy.so
-LoadModule proxy_http_module modules/mod_proxy_http.so
-LoadModule rewrite_module modules/mod_rewrite.so
-
-
- ServerName api.eom.dev
- ServerAlias *.api.eom.dev
-
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://api/
- ProxyPassReverse / http://api/
-
-
- ServerName api.eom.dev
- ServerAlias *.api.eom.dev
-
- SSLProxyEngine On
- SSLCertificateFile "/usr/local/apache2/conf/server.crt"
- SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://api/
- ProxyPassReverse / http://api/
-
-
-
- ServerName git.eom.dev
- ServerAlias *.git.eom.dev
-
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://git/
- ProxyPassReverse / http://git/
-
-
- ServerName git.eom.dev
- ServerAlias *.git.eom.dev
-
- SSLProxyEngine On
- SSLCertificateFile "/usr/local/apache2/conf/server.crt"
- SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://git/
- ProxyPassReverse / http://git/
-
-
-
- ServerName media.eom.dev
- ServerAlias *.media.eom.dev
-
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://media/
- ProxyPassReverse / http://media/
-
-
- ServerName media.eom.dev
- ServerAlias *.media.eom.dev
-
- SSLProxyEngine On
- SSLCertificateFile "/usr/local/apache2/conf/server.crt"
- SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://media/
- ProxyPassReverse / http://media/
-
-
-
- ServerName www.eom.dev
- ServerAlias *.www.eom.dev
-
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://www/
- ProxyPassReverse / http://www/
-
-
- ServerName www.eom.dev
- ServerAlias *.www.eom.dev
-
- SSLProxyEngine On
- SSLCertificateFile "/usr/local/apache2/conf/server.crt"
- SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
- ProxyRequests Off
- ProxyPreserveHost On
-
-
- Order deny,allow
- Allow from all
-
-
- ProxyPass / http://www/
- ProxyPassReverse / http://www/
-
diff --git a/files/httpd-ssi.conf b/files/httpd-ssi.conf
deleted file mode 100644
index 6ad2a8f..0000000
--- a/files/httpd-ssi.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-LoadModule include_module modules/mod_include.so
-
-AddOutputFilter INCLUDES .shtml
-
-
- Options +Includes
-
-
-
- DirectoryIndex index.shtml
-
diff --git a/files/httpd-ssl.conf b/files/httpd-ssl.conf
deleted file mode 100644
index 585c726..0000000
--- a/files/httpd-ssl.conf
+++ /dev/null
@@ -1,292 +0,0 @@
-#
-# This is the Apache server configuration file providing SSL support.
-# It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailed information about these
-# directives see
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
-#
-# Required modules: mod_log_config, mod_setenvif, mod_ssl,
-# socache_shmcb_module (for default value of SSLSessionCache)
-LoadModule ssl_module modules/mod_ssl.so
-LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-
-#
-# Pseudo Random Number Generator (PRNG):
-# Configure one or more sources to seed the PRNG of the SSL library.
-# The seed data should be of good random quality.
-# WARNING! On some platforms /dev/random blocks if not enough entropy
-# is available. This means you then cannot use the /dev/random device
-# because it would lead to very long connection times (as long as
-# it requires to make more entropy available). But usually those
-# platforms additionally provide a /dev/urandom device which doesn't
-# block. So, if available, use this one instead. Read the mod_ssl User
-# Manual for more details.
-#
-#SSLRandomSeed startup file:/dev/random 512
-#SSLRandomSeed startup file:/dev/urandom 512
-#SSLRandomSeed connect file:/dev/random 512
-#SSLRandomSeed connect file:/dev/urandom 512
-
-
-#
-# When we also provide SSL we have to listen to the
-# standard HTTP port (see above) and to the HTTPS port
-#
-Listen 443
-
-##
-## SSL Global Context
-##
-## All SSL configuration in this context applies both to
-## the main server and all SSL-enabled virtual hosts.
-##
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate,
-# and that httpd will negotiate as the client of a proxied server.
-# See the OpenSSL documentation for a complete list of ciphers, and
-# ensure these follow appropriate best practices for this deployment.
-# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
-# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
-SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
-
-# By the end of 2016, only TLSv1.2 ciphers should remain in use.
-# Older ciphers should be disallowed as soon as possible, while the
-# kRSA ciphers do not offer forward secrecy. These changes inhibit
-# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
-# non-browser tooling) from successfully connecting.
-#
-# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
-# those protocols which do not support forward secrecy, replace
-# the SSLCipherSuite and SSLProxyCipherSuite directives above with
-# the following two directives, as soon as practical.
-# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-
-# User agents such as web browsers are not configured for the user's
-# own preference of either security or performance, therefore this
-# must be the prerogative of the web server administrator who manages
-# cpu load versus confidentiality, so enforce the server's cipher order.
-SSLHonorCipherOrder on
-
-# SSL Protocol support:
-# List the protocol versions which clients are allowed to connect with.
-# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
-# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
-# protocol or later should remain in use.
-SSLProtocol all -SSLv3
-SSLProxyProtocol all -SSLv3
-
-# Pass Phrase Dialog:
-# Configure the pass phrase gathering process.
-# The filtering dialog program (`builtin' is an internal
-# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog builtin
-
-# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
-# to use and second the expiring timeout (in seconds).
-#SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache"
-SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
-SSLSessionCacheTimeout 300
-
-# OCSP Stapling (requires OpenSSL 0.9.8h or later)
-#
-# This feature is disabled by default and requires at least
-# the two directives SSLUseStapling and SSLStaplingCache.
-# Refer to the documentation on OCSP Stapling in the SSL/TLS
-# How-To for more information.
-#
-# Enable stapling for all SSL-enabled servers:
-#SSLUseStapling On
-
-# Define a relatively small cache for OCSP Stapling using
-# the same mechanism that is used for the SSL session cache
-# above. If stapling is used with more than a few certificates,
-# the size may need to be increased. (AH01929 will be logged.)
-#SSLStaplingCache "shmcb:/usr/local/apache2/logs/ssl_stapling(32768)"
-
-# Seconds before valid OCSP responses are expired from the cache
-#SSLStaplingStandardCacheTimeout 3600
-
-# Seconds before invalid OCSP responses are expired from the cache
-#SSLStaplingErrorCacheTimeout 600
-
-##
-## SSL Virtual Host Context
-##
-
-
-
-# General setup for the virtual host
-DocumentRoot "/usr/local/apache2/htdocs"
-ServerName proxy.eom.dev:443
-ServerAdmin admin@mail.eom.dev
-ErrorLog /proc/self/fd/2
-TransferLog /proc/self/fd/1
-
-# SSL Engine Switch:
-# Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-# Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate. If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. Keep
-# in mind that if you have both an RSA and a DSA certificate you
-# can configure both in parallel (to also allow the use of DSA
-# ciphers, etc.)
-# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
-# require an ECC certificate which can also be configured in
-# parallel.
-SSLCertificateFile "/usr/local/apache2/conf/server.crt"
-#SSLCertificateFile "/usr/local/apache2/conf/server-dsa.crt"
-#SSLCertificateFile "/usr/local/apache2/conf/server-ecc.crt"
-
-# Server Private Key:
-# If the key is not combined with the certificate, use this
-# directive to point at the key file. Keep in mind that if
-# you've both a RSA and a DSA private key you can configure
-# both in parallel (to also allow the use of DSA ciphers, etc.)
-# ECC keys, when in use, can also be configured in parallel
-SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
-#SSLCertificateKeyFile "/usr/local/apache2/conf/server-dsa.key"
-#SSLCertificateKeyFile "/usr/local/apache2/conf/server-ecc.key"
-
-# Server Certificate Chain:
-# Point SSLCertificateChainFile at a file containing the
-# concatenation of PEM encoded CA certificates which form the
-# certificate chain for the server certificate. Alternatively
-# the referenced file can be the same as SSLCertificateFile
-# when the CA certificates are directly appended to the server
-# certificate for convenience.
-#SSLCertificateChainFile "/usr/local/apache2/conf/server-ca.crt"
-
-# Certificate Authority (CA):
-# Set the CA certificate verification path where to find CA
-# certificates for client authentication or alternatively one
-# huge file containing all of them (file must be PEM encoded)
-# Note: Inside SSLCACertificatePath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCACertificatePath "/usr/local/apache2/conf/ssl.crt"
-#SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle.crt"
-
-# Certificate Revocation Lists (CRL):
-# Set the CA revocation path where to find CA CRLs for client
-# authentication or alternatively one huge file containing all
-# of them (file must be PEM encoded).
-# The CRL checking mode needs to be configured explicitly
-# through SSLCARevocationCheck (defaults to "none" otherwise).
-# Note: Inside SSLCARevocationPath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCARevocationPath "/usr/local/apache2/conf/ssl.crl"
-#SSLCARevocationFile "/usr/local/apache2/conf/ssl.crl/ca-bundle.crl"
-#SSLCARevocationCheck chain
-
-# Client Authentication (Type):
-# Client certificate verification type and depth. Types are
-# none, optional, require and optional_no_ca. Depth is a
-# number which specifies how deeply to verify the certificate
-# issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth 10
-
-# TLS-SRP mutual authentication:
-# Enable TLS-SRP and set the path to the OpenSSL SRP verifier
-# file (containing login information for SRP user accounts).
-# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
-# detailed instructions on creating this file. Example:
-# "openssl srp -srpvfile /usr/local/apache2/conf/passwd.srpv -add username"
-#SSLSRPVerifierFile "/usr/local/apache2/conf/passwd.srpv"
-
-# Access Control:
-# With SSLRequire you can do per-directory access control based
-# on arbitrary complex boolean expressions containing server
-# variable checks and other lookup directives. The syntax is a
-# mixture between C and Perl. See the mod_ssl documentation
-# for more details.
-#
-#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
-# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#
-
-# SSL Engine Options:
-# Set various options for the SSL engine.
-# o FakeBasicAuth:
-# Translate the client X.509 into a Basic Authorisation. This means that
-# the standard Auth/DBMAuth methods can be used for access control. The
-# user name is the `one line' version of the client's X.509 certificate.
-# Note that no password is obtained from the user. Every entry in the user
-# file needs this password: `xxj31ZMTZzkVA'.
-# o ExportCertData:
-# This exports two additional environment variables: SSL_CLIENT_CERT and
-# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-# server (always existing) and the client (only existing when client
-# authentication is used). This can be used to import the certificates
-# into CGI scripts.
-# o StdEnvVars:
-# This exports the standard SSL/TLS related `SSL_*' environment variables.
-# Per default this exportation is switched off for performance reasons,
-# because the extraction step is an expensive operation and is usually
-# useless for serving static content. So one usually enables the
-# exportation for CGI and SSI requests only.
-# o StrictRequire:
-# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-# under a "Satisfy any" situation, i.e. when it applies access is denied
-# and no other module can change it.
-# o OptRenegotiate:
-# This enables optimized SSL connection renegotiation handling when SSL
-# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-
- SSLOptions +StdEnvVars
-
-
- SSLOptions +StdEnvVars
-
-
-# SSL Protocol Adjustments:
-# The safe and default but still SSL/TLS standard compliant shutdown
-# approach is that mod_ssl sends the close notify alert but doesn't wait for
-# the close notify alert from client. When you need a different shutdown
-# approach you can use one of the following variables:
-# o ssl-unclean-shutdown:
-# This forces an unclean shutdown when the connection is closed, i.e. no
-# SSL close notify alert is sent or allowed to be received. This violates
-# the SSL/TLS standard but is needed for some brain-dead browsers. Use
-# this when you receive I/O errors because of the standard approach where
-# mod_ssl sends the close notify alert.
-# o ssl-accurate-shutdown:
-# This forces an accurate shutdown when the connection is closed, i.e. a
-# SSL close notify alert is send and mod_ssl waits for the close notify
-# alert of the client. This is 100% SSL/TLS standard compliant, but in
-# practice often causes hanging connections with brain-dead browsers. Use
-# this only for browsers where you know that their SSL implementation
-# works correctly.
-# Notice: Most problems of broken clients are also related to the HTTP
-# keep-alive facility, so you usually additionally want to disable
-# keep-alive for those clients, too. Use variable "nokeepalive" for this.
-# Similarly, one has to force some clients to use HTTP/1.0 to workaround
-# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-# "force-response-1.0" for this.
-BrowserMatch "MSIE [2-5]" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
-
-# Per-Server Logging:
-# The home of a custom SSL log file. Use this when you want a
-# compact non-error SSL logfile on a virtual host basis.
-CustomLog /proc/self/fd/1 \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-
diff --git a/files/httpd-wsgi.conf b/files/httpd-wsgi.conf
deleted file mode 100644
index 87b370e..0000000
--- a/files/httpd-wsgi.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-LoadModule wsgi_module modules/mod_wsgi.so
-
-WSGIScriptAlias / /usr/local/apache2/htdocs/wsgi_app.py
diff --git a/files/httpd.conf b/files/httpd.conf
deleted file mode 100644
index 1ccfb02..0000000
--- a/files/httpd.conf
+++ /dev/null
@@ -1,551 +0,0 @@
-#
-# This is the main Apache HTTP server configuration file. It contains the
-# configuration directives that give the server its instructions.
-# See for detailed information.
-# In particular, see
-#
-# for a discussion of each configuration directive.
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
-#
-# Configuration and logfile names: If the filenames you specify for many
-# of the server's control files begin with "/" (or "drive:/" for Win32), the
-# server will use that explicit path. If the filenames do *not* begin
-# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
-# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
-# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
-# will be interpreted as '/logs/access_log'.
-
-#
-# ServerRoot: The top of the directory tree under which the server's
-# configuration, error, and log files are kept.
-#
-# Do not add a slash at the end of the directory path. If you point
-# ServerRoot at a non-local disk, be sure to specify a local disk on the
-# Mutex directive, if file-based mutexes are used. If you wish to share the
-# same ServerRoot for multiple httpd daemons, you will need to change at
-# least PidFile.
-#
-ServerRoot "/usr/local/apache2"
-
-#
-# Mutex: Allows you to set the mutex mechanism and mutex file directory
-# for individual mutexes, or change the global defaults
-#
-# Uncomment and change the directory if mutexes are file-based and the default
-# mutex file directory is not on a local disk or is not appropriate for some
-# other reason.
-#
-# Mutex default:logs
-
-#
-# Listen: Allows you to bind Apache to specific IP addresses and/or
-# ports, instead of the default. See also the
-# directive.
-#
-# Change this to Listen on specific IP addresses as shown below to
-# prevent Apache from glomming onto all bound IP addresses.
-#
-#Listen 12.34.56.78:80
-Listen 80
-
-#
-# Dynamic Shared Object (DSO) Support
-#
-# To be able to use the functionality of a module which was built as a DSO you
-# have to place corresponding `LoadModule' lines at this location so the
-# directives contained in it are actually available _before_ they are used.
-# Statically compiled modules (those listed by `httpd -l') do not need
-# to be loaded here.
-#
-# Example:
-# LoadModule foo_module modules/mod_foo.so
-#
-LoadModule mpm_event_module modules/mod_mpm_event.so
-#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
-#LoadModule mpm_worker_module modules/mod_mpm_worker.so
-LoadModule authn_file_module modules/mod_authn_file.so
-#LoadModule authn_dbm_module modules/mod_authn_dbm.so
-#LoadModule authn_anon_module modules/mod_authn_anon.so
-#LoadModule authn_dbd_module modules/mod_authn_dbd.so
-#LoadModule authn_socache_module modules/mod_authn_socache.so
-LoadModule authn_core_module modules/mod_authn_core.so
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_user_module modules/mod_authz_user.so
-#LoadModule authz_dbm_module modules/mod_authz_dbm.so
-#LoadModule authz_owner_module modules/mod_authz_owner.so
-#LoadModule authz_dbd_module modules/mod_authz_dbd.so
-LoadModule authz_core_module modules/mod_authz_core.so
-#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
-#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
-LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule auth_basic_module modules/mod_auth_basic.so
-#LoadModule auth_form_module modules/mod_auth_form.so
-#LoadModule auth_digest_module modules/mod_auth_digest.so
-#LoadModule allowmethods_module modules/mod_allowmethods.so
-#LoadModule isapi_module modules/mod_isapi.so
-#LoadModule file_cache_module modules/mod_file_cache.so
-#LoadModule cache_module modules/mod_cache.so
-#LoadModule cache_disk_module modules/mod_cache_disk.so
-#LoadModule cache_socache_module modules/mod_cache_socache.so
-#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-#LoadModule socache_dbm_module modules/mod_socache_dbm.so
-#LoadModule socache_memcache_module modules/mod_socache_memcache.so
-#LoadModule socache_redis_module modules/mod_socache_redis.so
-#LoadModule watchdog_module modules/mod_watchdog.so
-#LoadModule macro_module modules/mod_macro.so
-#LoadModule dbd_module modules/mod_dbd.so
-#LoadModule bucketeer_module modules/mod_bucketeer.so
-#LoadModule dumpio_module modules/mod_dumpio.so
-#LoadModule echo_module modules/mod_echo.so
-#LoadModule example_hooks_module modules/mod_example_hooks.so
-#LoadModule case_filter_module modules/mod_case_filter.so
-#LoadModule case_filter_in_module modules/mod_case_filter_in.so
-#LoadModule example_ipc_module modules/mod_example_ipc.so
-#LoadModule buffer_module modules/mod_buffer.so
-#LoadModule data_module modules/mod_data.so
-#LoadModule ratelimit_module modules/mod_ratelimit.so
-LoadModule reqtimeout_module modules/mod_reqtimeout.so
-#LoadModule ext_filter_module modules/mod_ext_filter.so
-#LoadModule request_module modules/mod_request.so
-#LoadModule include_module modules/mod_include.so
-LoadModule filter_module modules/mod_filter.so
-#LoadModule reflector_module modules/mod_reflector.so
-#LoadModule substitute_module modules/mod_substitute.so
-#LoadModule sed_module modules/mod_sed.so
-#LoadModule charset_lite_module modules/mod_charset_lite.so
-#LoadModule deflate_module modules/mod_deflate.so
-#LoadModule xml2enc_module modules/mod_xml2enc.so
-#LoadModule proxy_html_module modules/mod_proxy_html.so
-#LoadModule brotli_module modules/mod_brotli.so
-LoadModule mime_module modules/mod_mime.so
-#LoadModule ldap_module modules/mod_ldap.so
-LoadModule log_config_module modules/mod_log_config.so
-#LoadModule log_debug_module modules/mod_log_debug.so
-#LoadModule log_forensic_module modules/mod_log_forensic.so
-#LoadModule logio_module modules/mod_logio.so
-#LoadModule lua_module modules/mod_lua.so
-LoadModule env_module modules/mod_env.so
-#LoadModule mime_magic_module modules/mod_mime_magic.so
-#LoadModule cern_meta_module modules/mod_cern_meta.so
-#LoadModule expires_module modules/mod_expires.so
-LoadModule headers_module modules/mod_headers.so
-#LoadModule ident_module modules/mod_ident.so
-#LoadModule usertrack_module modules/mod_usertrack.so
-#LoadModule unique_id_module modules/mod_unique_id.so
-LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule version_module modules/mod_version.so
-#LoadModule remoteip_module modules/mod_remoteip.so
-#LoadModule proxy_module modules/mod_proxy.so
-#LoadModule proxy_connect_module modules/mod_proxy_connect.so
-#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
-#LoadModule proxy_http_module modules/mod_proxy_http.so
-#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
-#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
-#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
-#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
-#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
-#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
-#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-#LoadModule proxy_express_module modules/mod_proxy_express.so
-#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
-#LoadModule session_module modules/mod_session.so
-#LoadModule session_cookie_module modules/mod_session_cookie.so
-#LoadModule session_crypto_module modules/mod_session_crypto.so
-#LoadModule session_dbd_module modules/mod_session_dbd.so
-#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
-#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
-#LoadModule ssl_module modules/mod_ssl.so
-#LoadModule optional_hook_export_module modules/mod_optional_hook_export.so
-#LoadModule optional_hook_import_module modules/mod_optional_hook_import.so
-#LoadModule optional_fn_import_module modules/mod_optional_fn_import.so
-#LoadModule optional_fn_export_module modules/mod_optional_fn_export.so
-#LoadModule dialup_module modules/mod_dialup.so
-#LoadModule http2_module modules/mod_http2.so
-#LoadModule proxy_http2_module modules/mod_proxy_http2.so
-#LoadModule md_module modules/mod_md.so
-#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
-#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
-#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
-#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
-LoadModule unixd_module modules/mod_unixd.so
-#LoadModule heartbeat_module modules/mod_heartbeat.so
-#LoadModule heartmonitor_module modules/mod_heartmonitor.so
-#LoadModule dav_module modules/mod_dav.so
-LoadModule status_module modules/mod_status.so
-LoadModule autoindex_module modules/mod_autoindex.so
-#LoadModule asis_module modules/mod_asis.so
-#LoadModule info_module modules/mod_info.so
-#LoadModule suexec_module modules/mod_suexec.so
-
- #LoadModule cgid_module modules/mod_cgid.so
-
-
- #LoadModule cgi_module modules/mod_cgi.so
-
-#LoadModule dav_fs_module modules/mod_dav_fs.so
-#LoadModule dav_lock_module modules/mod_dav_lock.so
-#LoadModule vhost_alias_module modules/mod_vhost_alias.so
-#LoadModule negotiation_module modules/mod_negotiation.so
-LoadModule dir_module modules/mod_dir.so
-#LoadModule imagemap_module modules/mod_imagemap.so
-#LoadModule actions_module modules/mod_actions.so
-#LoadModule speling_module modules/mod_speling.so
-#LoadModule userdir_module modules/mod_userdir.so
-LoadModule alias_module modules/mod_alias.so
-#LoadModule rewrite_module modules/mod_rewrite.so
-
-
-#
-# If you wish httpd to run as a different user or group, you must run
-# httpd as root initially and it will switch.
-#
-# User/Group: The name (or #number) of the user/group to run httpd as.
-# It is usually good practice to create a dedicated user and group for
-# running httpd, as with most system services.
-#
-User www-data
-Group www-data
-
-
-
-# 'Main' server configuration
-#
-# The directives in this section set up the values used by the 'main'
-# server, which responds to any requests that aren't handled by a
-# definition. These values also provide defaults for
-# any containers you may define later in the file.
-#
-# All of these directives may appear inside containers,
-# in which case these default settings will be overridden for the
-# virtual host being defined.
-#
-
-#
-# ServerAdmin: Your address, where problems with the server should be
-# e-mailed. This address appears on some server-generated pages, such
-# as error documents. e.g. admin@your-domain.com
-#
-ServerAdmin you@example.com
-
-#
-# ServerName gives the name and port that the server uses to identify itself.
-# This can often be determined automatically, but we recommend you specify
-# it explicitly to prevent problems during startup.
-#
-# If your host doesn't have a registered DNS name, enter its IP address here.
-#
-#ServerName www.example.com:80
-
-#
-# Deny access to the entirety of your server's filesystem. You must
-# explicitly permit access to web content directories in other
-# blocks below.
-#
-
- AllowOverride none
- Require all denied
-
-
-#
-# Note that from this point forward you must specifically allow
-# particular features to be enabled - so if something's not working as
-# you might expect, make sure that you have specifically enabled it
-# below.
-#
-
-#
-# DocumentRoot: The directory out of which you will serve your
-# documents. By default, all requests are taken from this directory, but
-# symbolic links and aliases may be used to point to other locations.
-#
-DocumentRoot "/usr/local/apache2/htdocs"
-
- #
- # Possible values for the Options directive are "None", "All",
- # or any combination of:
- # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
- #
- # Note that "MultiViews" must be named *explicitly* --- "Options All"
- # doesn't give it to you.
- #
- # The Options directive is both complicated and important. Please see
- # http://httpd.apache.org/docs/2.4/mod/core.html#options
- # for more information.
- #
- Options Indexes FollowSymLinks
-
- #
- # AllowOverride controls what directives may be placed in .htaccess files.
- # It can be "All", "None", or any combination of the keywords:
- # AllowOverride FileInfo AuthConfig Limit
- #
- AllowOverride None
-
- #
- # Controls who can get stuff from this server.
- #
- Require all granted
-
-
-#
-# DirectoryIndex: sets the file that Apache will serve if a directory
-# is requested.
-#
-
- DirectoryIndex index.html
-
-
-#
-# The following lines prevent .htaccess and .htpasswd files from being
-# viewed by Web clients.
-#
-
- Require all denied
-
-
-#
-# ErrorLog: The location of the error log file.
-# If you do not specify an ErrorLog directive within a
-# container, error messages relating to that virtual host will be
-# logged here. If you *do* define an error logfile for a
-# container, that host's errors will be logged there and not here.
-#
-ErrorLog /proc/self/fd/2
-
-#
-# LogLevel: Control the number of messages logged to the error_log.
-# Possible values include: debug, info, notice, warn, error, crit,
-# alert, emerg.
-#
-LogLevel warn
-
-
- #
- # The following directives define some format nicknames for use with
- # a CustomLog directive (see below).
- #
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
- LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
-
- # You need to enable mod_logio.c to use %I and %O
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-
-
- #
- # The location and format of the access logfile (Common Logfile Format).
- # If you do not define any access logfiles within a
- # container, they will be logged here. Contrariwise, if you *do*
- # define per- access logfiles, transactions will be
- # logged therein and *not* in this file.
- #
- CustomLog /proc/self/fd/1 common
-
- #
- # If you prefer a logfile with access, agent, and referer information
- # (Combined Logfile Format) you can use the following directive.
- #
- #CustomLog "logs/access_log" combined
-
-
-
- #
- # Redirect: Allows you to tell clients about documents that used to
- # exist in your server's namespace, but do not anymore. The client
- # will make a new request for the document at its new location.
- # Example:
- # Redirect permanent /foo http://www.example.com/bar
-
- #
- # Alias: Maps web paths into filesystem paths and is used to
- # access content that does not live under the DocumentRoot.
- # Example:
- # Alias /webpath /full/filesystem/path
- #
- # If you include a trailing / on /webpath then the server will
- # require it to be present in the URL. You will also likely
- # need to provide a section to allow access to
- # the filesystem path.
-
- #
- # ScriptAlias: This controls which directories contain server scripts.
- # ScriptAliases are essentially the same as Aliases, except that
- # documents in the target directory are treated as applications and
- # run by the server when requested rather than as documents sent to the
- # client. The same rules about trailing "/" apply to ScriptAlias
- # directives as to Alias.
- #
- ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
-
-
-
-
- #
- # ScriptSock: On threaded servers, designate the path to the UNIX
- # socket used to communicate with the CGI daemon of mod_cgid.
- #
- #Scriptsock cgisock
-
-
-#
-# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
-# CGI directory exists, if you have that configured.
-#
-
- AllowOverride None
- Options None
- Require all granted
-
-
-
- #
- # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
- # backend servers which have lingering "httpoxy" defects.
- # 'Proxy' request header is undefined by the IETF, not listed by IANA
- #
- RequestHeader unset Proxy early
-
-
-
- #
- # TypesConfig points to the file containing the list of mappings from
- # filename extension to MIME-type.
- #
- TypesConfig conf/mime.types
-
- #
- # AddType allows you to add to or override the MIME configuration
- # file specified in TypesConfig for specific file types.
- #
- #AddType application/x-gzip .tgz
- #
- # AddEncoding allows you to have certain browsers uncompress
- # information on the fly. Note: Not all browsers support this.
- #
- #AddEncoding x-compress .Z
- #AddEncoding x-gzip .gz .tgz
- #
- # If the AddEncoding directives above are commented-out, then you
- # probably should define those extensions to indicate media types:
- #
- AddType application/x-compress .Z
- AddType application/x-gzip .gz .tgz
-
- #
- # AddHandler allows you to map certain file extensions to "handlers":
- # actions unrelated to filetype. These can be either built into the server
- # or added with the Action directive (see below)
- #
- # To use CGI scripts outside of ScriptAliased directories:
- # (You will also need to add "ExecCGI" to the "Options" directive.)
- #
- #AddHandler cgi-script .cgi
-
- # For type maps (negotiated resources):
- #AddHandler type-map var
-
- #
- # Filters allow you to process content before it is sent to the client.
- # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - #AddType text/html .shtml - #AddOutputFilter INCLUDES .shtml - - -# -# The mod_mime_magic module allows the server to use various hints from the -# contents of the file itself to determine its type. The MIMEMagicFile -# directive tells the module where the hint definitions are located. -# -#MIMEMagicFile conf/magic - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# MaxRanges: Maximum number of Ranges in a request before -# returning the entire resource, or one of the special -# values 'default', 'none' or 'unlimited'. -# Default setting is to accept 200 Ranges. -#MaxRanges unlimited - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -#EnableSendfile on - -# Supplemental configuration -# -# The configuration files in the conf/extra/ directory can be -# included to add extra features or to modify the default configuration of -# the server, or you may simply copy their contents here and change as -# necessary. 
- -# Server-pool management (MPM specific) -#Include conf/extra/httpd-mpm.conf - -# Multi-language error messages -#Include conf/extra/httpd-multilang-errordoc.conf - -# Fancy directory listings -#Include conf/extra/httpd-autoindex.conf - -# Language settings -#Include conf/extra/httpd-languages.conf - -# User home directories -#Include conf/extra/httpd-userdir.conf - -# Real-time info on requests and configuration -#Include conf/extra/httpd-info.conf - -# Virtual hosts -#Include conf/extra/httpd-vhosts.conf - -# Local access to the Apache HTTP Server Manual -#Include conf/extra/httpd-manual.conf - -# Distributed authoring and versioning (WebDAV) -#Include conf/extra/httpd-dav.conf - -# Various default settings -#Include conf/extra/httpd-default.conf - -# Configure mod_proxy_html to understand HTML4/XHTML1 - -Include conf/extra/proxy-html.conf - - -# Secure (SSL/TLS) connections -#Include conf/extra/httpd-ssl.conf -# -# Note: The following must must be present to support -# starting without SSL on platforms with no /dev/random equivalent -# but a statically compiled-in mod_ssl. -# - -SSLRandomSeed startup builtin -SSLRandomSeed connect builtin - - diff --git a/tasks/api.yaml b/tasks/api.yaml deleted file mode 100644 index 1fc5839..0000000 --- a/tasks/api.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -# tasks file for api -- name: Create a config map for api - vars: - httpd_server_name: "api.eom.dev" - httpd_conf_extra: - - httpd-auth.conf - - httpd-wsgi.conf - k8s: - state: present - api_version: v1 - kind: ConfigMap - name: api - namespace: "eom-{{ target_namespace }}" - definition: - data: - httpd.conf: "{{ lookup('template', 'httpd.conf.j2') }}" - httpd-auth.conf: "{{ lookup('template', 'httpd-auth.conf.j2') }}" - httpd-wsgi.conf: "{{ lookup('file', 'httpd-wsgi.conf') }}" - mime.types: "{{ lookup('file', 'mime.types') }}" - -- name: Create a deployment - k8s: - definition: - apiVersion: v1 - kind: Deployment - metadata: - name: api - namespace: "eom-{{ target_namespace }}" - spec: - replicas: 1 - selector: - matchLabels: - app: api - template: - metadata: - labels: - app: api - spec: - containers: - - name: api - image: ericomeehan/api - volumeMounts: - - name: config - mountPath: /usr/local/apache2/conf - ports: - - containerPort: 80 - volumes: - - name: config - configMap: - name: api - -- name: Expose deployment as a service - k8s: - definition: - apiVersion: v1 - kind: Service - metadata: - name: api - namespace: "eom-{{ target_namespace }}" - spec: - selector: - app: api - ports: - - port: 80 - name: api-80 - type: ClusterIP diff --git a/tasks/elasticsearch.yaml b/tasks/elasticsearch.yaml new file mode 100644 index 0000000..7cd0c5f --- /dev/null +++ b/tasks/elasticsearch.yaml @@ -0,0 +1,21 @@ +--- +# tasks file for elasticsearch +- name: Deploy Elasticsearch + kubernetes.core.helm: + name: elasticsearch + chart_ref: bitnami/elasticsearch + release_namespace: elasticsearch + create_namespace: true + values: + master: + replicaCount: 1 + persistence: + size: 64Gi + coordinating: + replicaCount: 1 + data: + replicaCount: 1 + persistence: + size: 256Gi + ingest: + replicaCount: 1 diff --git a/tasks/full.yaml b/tasks/full.yaml new file mode 100644 index 0000000..69199e5 --- /dev/null +++ b/tasks/full.yaml 
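Review bot: The Elasticsearch release under `chart_ref: bitnami/elasticsearch` sets no `security` values at all, so the chart's default applies; for the Bitnami chart that default is, as far as I recall, authentication and TLS disabled, which would leave port 9200 open to every pod in the cluster. Mastodon in this same change connects to `elasticsearch.elasticsearch.svc.cluster.local:9200` with no credentials, so enabling `security.enabled: true` here also means supplying `externalElasticsearch` user/password there; if the cluster is intentionally anonymous, say so in a comment and fence it with a NetworkPolicy. `chart_ref` also carries no `chart_version`, so every playbook run installs whatever the repository's latest version is; pin it with `chart_version: "<x.y.z>"` so upgrades are deliberate and reviewable.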
@@ -0,0 +1,35 @@
+---
+# Tasks file for full deployment
+- name: Deploy authentication sources
+ include_tasks: "{{ item }}"
+ loop:
+ - openldap.yaml
+ - phpldapadmin.yaml
+
+- name: Populate OpenLDAP database
+ pause:
+ prompt: "Press Enter to continue..."
+
+- name: Deploy databases
+ include_tasks: "{{ item }}"
+ loop:
+ - postgresql.yaml
+ - redis.yaml
+ - elsaticsearch.yaml
+
+- name: Deploy user services
+ include_tasks: "{{ item }}"
+ loop:
+ - postfix.yaml
+ - nextcloud.yaml
+ - mastodon.yaml
+ - jupyterhub.yaml
+ - gitea.yaml
+ - owncast.yaml
+ - mediawiki.yaml
+
+- name: Deploy monitoring
+ include_tasks: "{{ item }}"
+ loop:
+ - prometheus.yaml
+ - grafana.yaml
diff --git a/tasks/git.yaml b/tasks/git.yaml
deleted file mode 100644
index d1ab6fa..0000000
--- a/tasks/git.yaml
+++ /dev/null
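Review bot: `- elsaticsearch.yaml` in the databases loop is misspelled; the file this change adds is `tasks/elasticsearch.yaml`, so `include_tasks` will fail at that item and the database stage aborts after PostgreSQL and Redis. Change it to `- elasticsearch.yaml`. The `pause` task with `prompt: "Press Enter to continue..."` also blocks any unattended run of the full deployment; consider guarding it with `when: interactive | default(true)` so CI or a scripted rebuild can skip it.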
@@ -1,96 +0,0 @@ ---- -# tasks file for gitea -- name: Add gitea repo - kubernetes.core.helm_repository: - name: gitea - repo_url: https://dl.gitea.com/charts/ - -- name: Update Helm repos - command: helm repo update - -- name: Deploy Gitea - kubernetes.core.helm: - name: gitea - chart_ref: gitea/gitea - release_namespace: git - create_namespace: true - values: - service: - ssh: - type: LoadBalancer - ingress: - enabled: true - className: nginx - annotations: - cert-manager.io/cluster-issuer: ca-issuer - hosts: - - host: git.eom.dev - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - git.eom.dev - secretName: gitea-tls - persistence: - size: 128Gi - actions: - enabled: true - provisioning: - enabled: true - gitea: - admin: - username: gitea - password: "{{ gitea_admin_password }}" - email: "gitea@mail.eom.dev" - metrics: - enabled: false - serviceMonitor: - enabled: false - # additionalLabels: - # prometheus-release: prom1 - interval: "" - relabelings: [] - scheme: "" - scrapeTimeout: "" - tlsConfig: {} - ldap: - - name: OpenLDAP - securityProtocol: unencrypted - host: openldap.auth.svc.cluster.local - port: 389 - userSearchBase: ou=People,dc=eom,dc=dev - userFilter: (&(objectClass=inetOrgPerson)(uid=%s)) - adminFilter: (&(cn=Gitea Admin,ou=Gitea,ou=Services,dc=eom,dc=dev)(memberUid=%s)) - emailAttribute: mail - bindDn: cn=readonly,dc=eom,dc=dev - bindPassword: "{{ ldap_readonly_password }}" - usernameAttribute: uid - publicSSHKeyAttribute: publicSSHKey - config: - APP_NAME: "Gitea" - additionalConfigFromEnvs: - - name: GITEA_DISABLE_REGISTRATION - value: "true" - - name: GITEA_DEFAULT_ALLOW_CREATE_ORGANIZATION - value: "false" - redis-cluster: - enabled: false - redis: - enabled: true - global: - redis: - password: "{{ gitea_redis_password }}" - postgresql-ha: - enabled: false - postgresql: - enabled: true - global: - postgresql: - auth: - password: "{{ gitea_postgres_password }}" - database: gitea - username: gitea - primary: - persistence: - size: 
128Gi diff --git a/tasks/gitea.yaml b/tasks/gitea.yaml new file mode 100644 index 0000000..f821600 --- /dev/null +++ b/tasks/gitea.yaml 
@@ -0,0 +1,90 @@ +--- +# tasks file for gitea +- name: Add gitea repo + kubernetes.core.helm_repository: + name: gitea + repo_url: https://dl.gitea.com/charts/ + register: repo_update + +- name: Update Helm repos + command: helm repo update + when: repo_update.changed + +- name: Deploy Gitea + kubernetes.core.helm: + name: gitea + chart_ref: gitea/gitea + release_namespace: gitea + create_namespace: true + values: + service: + ssh: + type: LoadBalancer + ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: ca-issuer + hosts: + - host: gitea.eom.dev + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - gitea.eom.dev + secretName: gitea-tls + persistence: + size: 2Ti + actions: + enabled: true + provisioning: + enabled: true + gitea: + metrics: + enabled: true + admin: + username: gitea + password: "{{ gitea_admin_password }}" + email: gitea@postfix.eom.dev + ldap: + - name: OpenLDAP + securityProtocol: unencrypted + host: openldap.openldap.svc.cluster.local + port: 389 + userSearchBase: dc=eom,dc=dev + userFilter: (&(objectClass=posixAccount)(uid=%s)(memberOf=cn=Gitea Users,ou=Gitea,ou=Services,dc=eom,dc=dev)) + adminFilter: (memberOf=cn=Gitea Administrators,ou=Gitea,ou=Services,dc=eom,dc=dev) + emailAttribute: mail + bindDn: cn=readonly,dc=eom,dc=dev + bindPassword: "{{ openldap_readonly_password }}" + usernameAttribute: uid + publicSSHKeyAttribute: sshPublicKey + config: + APP_NAME: "Gitea" + service: + DISABLE_REGISTRATION: true + DEFAULT_ALLOW_CREATE_ORGANIZATION: false + database: + DB_TYPE: postgres + HOST: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local + NAME: gitea + USER: gitea + PASSWD: "{{ gitea_admin_password }}" + session: + PROVIDER: redis + PROVIDER_CONFIG: "redis+cluster://:{{ redis_auth_password }}@redis-redis-cluster.redis.svc.cluster.local:6379" + cache: + ADAPTER: redis + HOST: "redis+cluster://:{{ redis_auth_password }}@redis-redis-cluster.redis.svc.cluster.local:6379" + queue: + 
TYPE: redis + CONN_STR: "redis+cluster://:{{ redis_auth_password }}@redis-redis-cluster.redis.svc.cluster.local:6379" + redis: + enabled: false + redis-cluster: + enabled: false + postgresql: + enabled: false + postgresql-ha: + enabled: false diff --git a/tasks/grafana.yaml b/tasks/grafana.yaml index 6fdcf17..9fa9dfd 100644 --- a/tasks/grafana.yaml +++ b/tasks/grafana.yaml 
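Review bot: The LDAP source is declared with `securityProtocol: unencrypted` on `port: 389`, so the `cn=readonly` bind password and every user's login password cross the cluster network in clear text; the OpenLDAP Service in this same change publishes 636 (`ldaps`), so `securityProtocol: ldaps` with `port: 636` (or `starttls`) is available, and `skipTlsVerify` should stay unset if the server certificate comes from `ca-issuer`. The `database` block reuses `gitea_admin_password` as the PostgreSQL `PASSWD`, so the web admin login and the shared pgpool account are one secret; introduce a separate `gitea_db_password`. The three `redis+cluster://:{{ redis_auth_password }}@…` URLs land in the rendered `app.ini` inside the Helm release secret, which is acceptable only if read access to that Secret is as restricted as the Redis password itself. Finally `chart_ref: gitea/gitea` has no `chart_version`, so a re-run may upgrade Gitea unreviewed.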
@@ -1,193 +1,69 @@ --- # tasks file for grafana -- name: Create Grafana namespace - k8s: - state: present - definition: - apiVersion: v1 - kind: Namespace - metadata: - name: grafana - -- name: Create PVC for MySQL - k8s: - state: present - definition: - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: mysql - namespace: grafana - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 64Gi - -- name: Create Deployment for MySQL - k8s: - state: present - definition: - apiVersion: v1 - kind: Deployment - metadata: - name: mysql - namespace: grafana - labels: - app: mysql - spec: - replicas: 1 - selector: - matchLabels: - app: mysql - template: - metadata: - labels: - app: mysql - spec: - containers: - - name: mysql - image: mysql - volumeMounts: - - name: data - mountPath: /var/lib/mysql - ports: - - containerPort: 3306 - env: - - name: MYSQL_ROOT_PASSWORD - value: "{{ mysql_root_password }}" - - name: MYSQL_DATABASE - value: grafana - - name: MYSQL_USER - value: grafana - - name: MYSQL_PASSWORD - value: "{{ grafana_mysql_password }}" - volumes: - - name: data - persistentVolumeClaim: - claimName: mysql - -- name: Create Service for MySQL - k8s: - state: present - definition: - apiVersion: v1 - kind: Service - metadata: - name: mysql - namespace: grafana - spec: - selector: - app: mysql - ports: - - port: 3306 - name: mysql - type: ClusterIP - -- name: Create a config map for grafana - k8s: - state: present - api_version: v1 - kind: ConfigMap +- name: Deploy Grafana + kubernetes.core.helm: name: grafana - namespace: grafana - definition: - data: - ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}" - -- name: Create Deployment for Grafana - k8s: - state: present - definition: - apiVersion: v1 - kind: Deployment - metadata: - name: grafana - namespace: grafana - labels: - app: grafana - spec: - replicas: 1 - selector: - matchLabels: - app: grafana - template: - metadata: - labels: - app: grafana - spec: - containers: - - name: 
grafana - image: grafana/grafana - ports: - - containerPort: 3000 - env: - - name: GF_DATABASE_TYPE - value: mysql - - name: GF_DATABASE_HOST - value: mysql - - name: GF_DATABASE_USER - value: grafana - - name: GF_DATABASE_PASSWORD - value: "{{ grafana_mysql_password }}" - - name: GF_AUTH_LDAP_ENABLED - value: "true" - - name: GF_AUTH_LDAP_CONFIG_FILE - value: /etc/grafana/cm/ldap.toml - - name: GF_AUTH_LDAP_ALLOW_SIGN_UP - value: "true" - volumeMounts: - - name: config - mountPath: /etc/grafana/cm - volumes: - - name: config - configMap: - name: grafana - -- name: Create Service for Grafana - k8s: - state: present - definition: - apiVersion: v1 - kind: Service - metadata: - name: grafana - namespace: grafana - spec: - selector: - app: grafana - ports: - - port: 80 - targetPort: 3000 - name: grafana - type: ClusterIP - -- name: Create Ingress - k8s: - state: present - definition: - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: + chart_ref: bitnami/grafana + release_namespace: grafana + create_namespace: true + values: + metrics: + enabled: true + admin: + user: grafana + password: "{{ grafana_admin_password }}" + persistence: + size: 32Gi + grafana: + extraEnvVars: + - name: GF_DATABASE_TYPE + value: postgres + - name: GF_DATABASE_HOST + value: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local + - name: GF_DATABASE_NAME + value: grafana + - name: GF_DATABASE_USER + value: grafana + - name: GF_DATABASE_PASSWORD + value: "{{ grafana_admin_password }}" + - name: GF_DATABASE_URL + value: "postgres://grafana:{{ grafana_admin_password }}@postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local:5432/grafana" + smtp: + enabled: true + user: grafana + password: "{{ grafana_admin_password }}" + host: postfix.eom.dev + fromAddress: grafana@postfix.eom.dev + fromName: Grafana + ldap: + enabled: true + allowSignUp: true + configuration: "{{ lookup('template', 'ldap.toml.j2') }}" + ingress: + enabled: true + pathType: Prefix + hostname: 
grafana.eom.dev annotations: cert-manager.io/cluster-issuer: ca-issuer - name: grafana - namespace: grafana - spec: ingressClassName: nginx - rules: - - host: grafana.eom.dev - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: grafana - port: - number: 80 - tls: - - hosts: - - grafana.eom.dev - secretName: grafana + tls: true + datasources: + secretDefinition: + apiVersion: 1 + datasources: + - name: Prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://prometheus-server.prometheus.svc.cluster.local + version: 1 + editable: true + isDefault: true + - name: Alertmanager + uid: alertmanager + type: alertmanager + access: proxy + orgId: 1 + url: http://prometheus-alertmanager.prometheus.svc.cluster.local:9093 + version: 1 + editable: true diff --git a/tasks/jupyter.yaml b/tasks/jupyterhub.yaml similarity index 78% rename from tasks/jupyter.yaml rename to tasks/jupyterhub.yaml index 21dbc11..a8fe584 100644 --- a/tasks/jupyter.yaml +++ b/tasks/jupyterhub.yaml @@ -4,17 +4,18 @@ kubernetes.core.helm_repository: name: jupyterhub repo_url: https://hub.jupyter.org/helm-chart/ + register: repo - name: Update Helm repos command: helm repo update + when: repo.changed - name: Deploy Jupyter Hub kubernetes.core.helm: - name: jupyter + name: jupyterhub chart_ref: jupyterhub/jupyterhub - release_namespace: jupyter + release_namespace: jupyterhub create_namespace: true - timeout: 2h values: prePuller: hook: 
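Review bot: `GF_DATABASE_PASSWORD` and `GF_DATABASE_URL` are placed in `grafana.extraEnvVars` as literal values, so the database password is stored in the Deployment spec (visible to anyone who can read pods) instead of a Secret; the Bitnami chart provides `extraEnvVarsSecret` (or `valueFrom: secretKeyRef:` entries) for exactly this. `GF_DATABASE_URL` also duplicates the individual `GF_DATABASE_*` settings, so one of the two should go to avoid drift. The same `grafana_admin_password` is reused as the admin login, the PostgreSQL password and the SMTP password, so a leak on any one channel compromises all three; split them into `grafana_db_password` and `grafana_smtp_password`. `ldap.allowSignUp: true` combined with a `ldap.toml.j2` I cannot see means any directory user who can bind gets an account — confirm that template carries a group filter like the `memberOf=…` clauses the other services in this change use.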
@@ -31,20 +32,21 @@ admin_access: true authenticator_class: ldapauthenticator.LDAPAuthenticator LDAPAuthenticator: - server_address: openldap.auth.svc.cluster.local + server_address: openldap.openldap.svc.cluster.local server_port: 389 use_ssl: false tls_strategy: insecure lookup_dn: true lookup_dn_search_user: cn=readonly,dc=eom,dc=dev - lookup_dn_search_password: "{{ ldap_readonly_password }}" - lookup_dn_search_filter: ({login_attr}={login}) + lookup_dn_search_password: "{{ openldap_readonly_password }}" + lookup_dn_search_filter: (&(objectClass=posixAccount)({login_attr}={login})(memberOf=cn=JupyterHub Users,ou=JupyterHub,ou=Services,dc=eom,dc=dev)) lookup_dn_user_dn_attribute: cn - user_search_base: ou=People,dc=eom,dc=dev + user_search_base: dc=eom,dc=dev user_attribute: uid db: - pvc: - storage: 16Gi + type: postgres + url: "postgresql://jupyterhub:{{ jupyterhub_admin_password }}@postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local:5432/jupyterhub" + password: "{{ jupyterhub_admin_password }}" singleuser: extraFiles: jupyter_notebook_config.json: @@ -58,7 +60,7 @@ cull_connected: true cull_busy: false storage: - capacity: 32Gi + capacity: 64Gi image: name: jupyter/minimal-notebook tag: latest @@ -91,10 +93,10 @@ cert-manager.io/cluster-issuer: ca-issuer ingressClassName: nginx hosts: - - jupyter.eom.dev + - jupyterhub.eom.dev pathSuffix: pathType: Prefix tls: - hosts: - - jupyter.eom.dev + - jupyterhub.eom.dev secretName: jupyterhub diff --git a/tasks/main.yaml b/tasks/main.yaml index d821304..eb0c73b 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -1,4 +1,6 @@ --- # tasks file for eom - name: Deploy - include_tasks: git.yaml + include_tasks: "{{ item }}" + loop: + - owncast.yaml diff --git a/tasks/mastodon.yaml b/tasks/mastodon.yaml index f26eb17..b1ede46 100644 --- a/tasks/mastodon.yaml +++ b/tasks/mastodon.yaml 
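Review bot: The LDAP authenticator keeps `use_ssl: false` and `tls_strategy: insecure` on `server_port: 389`, so `openldap_readonly_password` and each user's password are sent unencrypted even though the OpenLDAP Service exposes 636; set `server_port: 636` with `tls_strategy: on_connect` (and a CA bundle from `ca-issuer` rather than disabling verification). The new `db.url` embeds `jupyterhub_admin_password` as the PostgreSQL credential, so the hub admin secret doubles as the database password; use a dedicated `jupyterhub_db_password`. `lookup_dn_user_dn_attribute: cn` with `user_attribute: uid` builds the bind DN from `cn`, which presumably matches `uid` in this directory — worth a comment, since a mismatch fails silently as "invalid login". The `hub` section continues outside this hunk.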
@@ -8,55 +8,64 @@ create_namespace: true timeout: 600s values: - adminUser: "mastodon" - adminEmail: "mastodon@mail.eom.dev" - adminPassword: "{{ mastodon_admin_password }}" - otpSecret: "" - secretKeyBase: "" - vapidPrivateKey: "" - vapidPublicKey: "" - activeRecordEncryptionDeterministicKey: "" - activeRecordEncryptionKeyDerivationSalt: "" - activeRecordEncryptionPrimaryKey: "" - extraConfig: - LDAP_ENABLED: "true" - LDAP_HOST: openldap.auth.svc.cluster.local - LDAP_PORT: "389" - LDAP_METHOD: plain - LDAP_BASE: ou=People,dc=eom,dc=dev - LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev - LDAP_PASSWORD: "{{ ldap_readonly_password }}" - LDAP_UID: uid - LDAP_SEARCH_FILTER: "(&(objectClass=inetOrgPerson)(uid=%{uid}))" - LDAP_MAIL: mail - enableS3: false - localDomain: "mastodon.eom.dev" - smtp: - server: "mail.eom.dev" - port: 587 - from_address: "mastodon@mail.eom.dev" - domain: "mail.eom.dev" - reply_to: "mastodon@mail.eom.dev" - delivery_method: smtp - ca_file: /etc/ssl/certs/ca-certificates.crt - openssl_verify_mode: none - enable_starttls_auto: true - tls: true - auth_method: starttls - login: "mastodon" - password: "{{ mastodon_mail_password }}" - persistence: + metrics: enabled: true - size: 128Gi initJob: precompileAssets: - resourcesPreset: "micro" + resources: + requests: + cpu: 0m + memory: 0Mi + limits: + cpu: 1.5 + memory: 3072Mi + adminUser: mastodon + adminEmail: mastodon@postfix.eom.dev + adminPassword: "{{ mastodon_admin_password }}" + extraConfig: + LDAP_ENABLED: "true" + LDAP_HOST: openldap.openldap.svc.cluster.local + LDAP_PORT: "389" + LDAP_METHOD: plain + LDAP_BASE: dc=eom,dc=dev + LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev + LDAP_PASSWORD: "{{ openldap_readonly_password }}" + LDAP_UID: uid + LDAP_SEARCH_FILTER: (&(objectClass=posixAccount)(|(%{uid}=%{username})(%{mail}=%{email}))(memberOf=cn=Mastodon Users,ou=Mastodon,ou=Services,dc=eom,dc=dev)) + LDAP_MAIL: mail + enableS3: false + localDomain: mastodon.eom.dev + smtp: + server: postfix.eom.dev + port: 587 
+ from_address: mastodon@postfix.eom.dev + domain: postfix.eom.dev + reply_to: mastodon@postfix.eom.dev + delivery_method: smtp + tls: true + auth_method: starttls + login: mastodon + password: "{{ mastodon_admin_password }}" + persistence: + enabled: true + size: 8Ti redis: + enabled: true auth: - password: "{{ mastodon_redis_password }}" + password: "{{ redis_auth_password }}" postgresql: - auth: - password: "{{ mastodon_postgres_password }}" + enabled: false + externalDatabase: + host: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local + user: mastodon + password: "{{ mastodon_admin_password }}" + database: mastodon + port: 5432 + elasticsearch: + enabled: false + externalElasticsearch: + host: elasticsearch.elasticsearch.svc.cluster.local + port: 9200 minio: enabled: false apache: @@ -66,7 +75,7 @@ http: 80 ingress: enabled: true - hostname: "mastodon.eom.dev" + hostname: mastodon.eom.dev annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: ca-issuer diff --git a/tasks/mediawiki.yaml b/tasks/mediawiki.yaml index 0ae9dc7..87d1ca4 100644 --- a/tasks/mediawiki.yaml +++ b/tasks/mediawiki.yaml 
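Review bot: `LDAP_METHOD: plain` with `LDAP_PORT: "389"` sends the `cn=readonly` bind password and every user's login password unencrypted; the OpenLDAP Service in this change serves 636, so `LDAP_METHOD: simple_tls` with `LDAP_PORT: "636"` (and the `ca-issuer` CA trusted by the image, rather than a `LDAP_TLS_NO_VERIFY` override) is the safer choice. The new `LDAP_SEARCH_FILTER` uses a `%{username}` placeholder, while Mastodon's documented substitutions are `%{uid}`, `%{mail}` and `%{email}`; verify that key is supported, because an unknown key would make the filter format fail at login. Removing `openssl_verify_mode: none` is an improvement, but with `tls: true` on `port: 587` the SMTP certificate from the private `ca-issuer` is now verified, so the Mastodon image must trust that CA or mail delivery will fail — add a comment or a CA mount. `mastodon_admin_password` is also reused for SMTP and the external PostgreSQL user; split those.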
@@ -9,37 +9,31 @@ values: mediawikiUser: mediawiki mediawikiPassword: "{{ mediawiki_admin_password }}" - mediawikiEmail: mediawiki@mail.eom.dev + mediawikiEmail: mediawiki@postfix.eom.dev mediawikiName: MediaWiki - mediawikiHost: https://wiki.eom.dev/ - smtpHost: mail.eom.dev + mediawikiHost: https://postfix.eom.dev/ + smtpHost: postfix.eom.dev smtpPort: 587 smtpUser: mediawiki - smtpPassword: "{{ mediawiki_mail_password }}" + smtpPassword: "{{ mediawiki_admin_password }}" persistence: size: 32Gi service: type: ClusterIP + externalDatabase: + host: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local + port: 5432 + database: mediawiki + user: mediawiki + password: "{{ mediawiki_admin_password }}" ingress: enabled: true annotations: cert-manager.io/clusteer-issuer: ca-issuer ingressClassName: nginx pathType: Prefix - hostname: wiki.eom.dev - extraHosts: - - mediawiki.eom.dev + hostname: mediawiki.eom.dev path: / tls: true - extraTls: - - hosts: - - wiki.eom.dev - - mediawiki.eom.dev - secretName: mediawiki mariadb: - auth: - rootPassword: "{{ mariadb_root_password }}" - password: "{{ mediawiki_mariadb_password }}" - primary: - persistence: - size: 128Gi + enabled: false diff --git a/tasks/nextcloud.yaml b/tasks/nextcloud.yaml new file mode 100644 index 0000000..1ad7446 --- /dev/null +++ b/tasks/nextcloud.yaml 
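Review bot: `mediawikiHost: https://postfix.eom.dev/` points the wiki's canonical URL at the mail host while the ingress serves `mediawiki.eom.dev`, so redirects, login forms and session cookies will be issued for the wrong origin; it should read `mediawikiHost: https://mediawiki.eom.dev/`. The new `externalDatabase` block targets pgpool on `5432`, but `chart_ref` is outside this hunk — if this is the Bitnami MediaWiki chart, its `externalDatabase` only supports MariaDB/MySQL and a PostgreSQL host will not work, so confirm. `mediawiki_admin_password` is reused as both `smtpPassword` and the database password; use separate secrets. Unchanged but adjacent: the annotation key `cert-manager.io/clusteer-issuer` is misspelled, so cert-manager will never issue the certificate that `tls: true` expects.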
@@ -0,0 +1,69 @@ +--- +# tasks file for nextcloud +- name: Add NextCloud repo + kubernetes.core.helm_repository: + name: nextcloud + repo_url: https://nextcloud.github.io/helm/ + register: repo + +- name: Update Helm repos + command: helm repo update + when: repo.changed + +- name: Deploy NextCloud + kubernetes.core.helm: + name: nextcloud + chart_ref: nextcloud/nextcloud + release_namespace: nextcloud + create_namespace: true + values: + nextcloud: + host: nextcloud.eom.dev + username: nextcloud + password: "{{ nextcloud_admin_password }}" + configs: + proxy.config.php: |- + array( + 0 => '127.0.0.1', + 1 => '10.0.0.0/8', + ), + 'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'), + ); + mail: + enabled: true + fromAddress: nextcloud + domain: postfix.eom.dev + smtp: + host: postfix.eom.dev + secure: ssl + port: 587 + authtype: LOGIN + name: nextcloud + password: "{{ nextcloud_admin_password }}" + internalDatabase: + enabled: false + externalDatabase: + enabled: true + type: postgresql + host: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local + user: nextcloud + password: "{{ nextcloud_admin_password }}" + database: nextcloud + persistence: + enabled: true + size: 8Ti + metrics: + enabled: true + ingress: + enabled: true + className: nginx + annotations: + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" + cert-manager.io/cluster-issuer: ca-issuer + tls: + - hosts: + - nextcloud.eom.dev + secretName: nextcloud-tls diff --git a/tasks/auth.yaml b/tasks/openldap.yaml similarity index 50% rename from tasks/auth.yaml rename to tasks/openldap.yaml index 791c200..a6ed595 100644 --- a/tasks/auth.yaml +++ b/tasks/openldap.yaml 
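Review bot: `mail.smtp.secure: ssl` together with `port: 587` is inconsistent — 587 is the STARTTLS submission port (`secure: tls`), whereas `ssl` means implicit TLS on 465 — so outbound mail will most likely fail to connect. The `trusted_proxies` entry `10.0.0.0/8` trusts every pod and node address to set `X-Forwarded-For`, which lets any workload in that range spoof the client IP that Nextcloud's brute-force protection and audit log rely on; narrow it to the ingress-nginx pod or Service CIDR. `nginx.ingress.kubernetes.io/enable-cors: "true"` without a `cors-allow-origin` applies the controller's default to a cookie-authenticated app, and `X-Forwarded-For` is not a header a browser sends, so the `cors-allow-headers` line does nothing — drop both unless a specific cross-origin client needs them. `nextcloud_admin_password` is reused for SMTP and the PostgreSQL user; split them.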
@@ -1,13 +1,13 @@ --- -# tasks file for openldap -- name: Create auth namespace +# Tasks file for OpenLDAP +- name: Create OpenLDAP namespace k8s: state: present definition: apiVersion: v1 kind: Namespace metadata: - name: auth + name: openldap - name: Create PVC for OpenLDAP data k8s: @@ -17,13 +17,13 @@ kind: PersistentVolumeClaim metadata: name: data - namespace: auth + namespace: openldap spec: accessModes: - ReadWriteOnce resources: requests: - storage: 2Gi + storage: 16Gi - name: Create PVC for OpenLDAP configuration k8s: @@ -33,13 +33,13 @@ kind: PersistentVolumeClaim metadata: name: config - namespace: auth + namespace: openldap spec: accessModes: - ReadWriteOnce resources: requests: - storage: 2Gi + storage: 16Gi - name: Create Deployment for OpenLDAP k8s: @@ -48,7 +48,7 @@ kind: Deployment metadata: name: openldap - namespace: auth + namespace: openldap spec: replicas: 1 selector: @@ -68,11 +68,11 @@ - name: LDAP_DOMAIN value: "eom.dev" - name: LDAP_ADMIN_PASSWORD - value: "{{ ldap_admin_password }}" + value: "{{ openldap_admin_password }}" - name: LDAP_READONLY_USER value: "true" - name: LDAP_READONLY_USER_PASSWORD - value: "{{ ldap_readonly_password }}" + value: "{{ openldap_readonly_password }}" volumeMounts: - name: config mountPath: /etc/ldap/slapd.d @@ -96,7 +96,7 @@ kind: Service metadata: name: openldap - namespace: auth + namespace: openldap spec: selector: app: openldap 
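Review bot: The renamed `LDAP_ADMIN_PASSWORD` and `LDAP_READONLY_USER_PASSWORD` entries are still plain `value:` strings, so the directory's root credential is stored in the Deployment manifest and exposed to anyone who can read pods or deployments in the namespace; create a Secret from `openldap_admin_password`/`openldap_readonly_password` and reference it with `valueFrom: secretKeyRef:`. The container `image:` line sits outside these hunks, so I cannot tell whether its tag is pinned — worth checking for the same reason.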
@@ -106,81 +106,3 @@ - port: 636 name: ldaps type: ClusterIP - -- name: Create Deployment for phpLDAPadmin - k8s: - definition: - apiVersion: v1 - kind: Deployment - metadata: - name: phpldapadmin - namespace: auth - spec: - replicas: 1 - selector: - matchLabels: - app: phpldapadmin - template: - metadata: - labels: - app: phpldapadmin - spec: - containers: - - name: phpldapadmin - image: osixia/phpldapadmin - env: - - name: PHPLDAPADMIN_LDAP_HOSTS - value: "openldap" - - name: PHPLDAPADMIN_SERVER_ADMIN - value: "eric@mail.eom.dev" - - name: PHPLDAPADMIN_SERVER_PATH - value: "/" - - name: PHPLDAPADMIN_HTTPS - value: "false" - ports: - - containerPort: 80 - -- name: Create Service for phpLDAPadmin - k8s: - definition: - apiVersion: v1 - kind: Service - metadata: - name: phpldapadmin - namespace: auth - spec: - selector: - app: phpldapadmin - ports: - - port: 80 - name: http - type: ClusterIP - -- name: Create Ingress - k8s: - state: present - definition: - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - annotations: - cert-manager.io/cluster-issuer: ca-issuer - name: phpldapadmin - namespace: auth - spec: - ingressClassName: nginx - rules: - - host: auth.eom.dev - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: phpldapadmin - port: - number: 80 - tls: - - hosts: - - auth.eom.dev - secretName: phpldapadmin diff --git a/tasks/stream.yaml b/tasks/owncast.yaml similarity index 92% rename from tasks/stream.yaml rename to tasks/owncast.yaml index db15fa1..e9cefc0 100644 --- a/tasks/stream.yaml +++ b/tasks/owncast.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Namespace metadata: - name: stream + name: owncast - name: Create PVC for OwnCast k8s: @@ -17,7 +17,7 @@ kind: PersistentVolumeClaim metadata: name: owncast - namespace: stream + namespace: owncast spec: accessModes: - ReadWriteOnce @@ -33,7 +33,7 @@ kind: Deployment metadata: name: owncast - namespace: stream + namespace: owncast labels: app: owncast spec: 
@@ -69,7 +69,7 @@ kind: Service metadata: name: owncast - namespace: stream + namespace: owncast spec: selector: app: owncast @@ -90,11 +90,11 @@ annotations: cert-manager.io/cluster-issuer: ca-issuer name: owncast - namespace: stream + namespace: owncast spec: ingressClassName: nginx rules: - - host: stream.eom.dev + - host: owncast.eom.dev http: paths: - pathType: Prefix @@ -106,5 +106,5 @@ number: 8080 tls: - hosts: - - stream.eom.dev + - owncast.eom.dev secretName: owncast diff --git a/tasks/phpldapadmin.yaml b/tasks/phpldapadmin.yaml new file mode 100644 index 0000000..d0cccfe --- /dev/null +++ b/tasks/phpldapadmin.yaml 
@@ -0,0 +1,88 @@ +--- +# tasks file for phpLDAPadmin +- name: Create phpLDAPadmin namespace + k8s: + state: present + definition: + apiVersion: v1 + kind: Namespace + metadata: + name: phpldapadmin + +- name: Create Deployment for phpLDAPadmin + k8s: + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: phpldapadmin + namespace: phpldapadmin + spec: + replicas: 1 + selector: + matchLabels: + app: phpldapadmin + template: + metadata: + labels: + app: phpldapadmin + spec: + containers: + - name: phpldapadmin + image: osixia/phpldapadmin + env: + - name: PHPLDAPADMIN_LDAP_HOSTS + value: "openldap.openldap.svc.cluster.local" + - name: PHPLDAPADMIN_SERVER_ADMIN + value: "phpldapadmin@postfix.eom.dev" + - name: PHPLDAPADMIN_SERVER_PATH + value: "/" + - name: PHPLDAPADMIN_HTTPS + value: "false" + ports: + - containerPort: 80 + +- name: Create Service for phpLDAPadmin + k8s: + definition: + apiVersion: v1 + kind: Service + metadata: + name: phpldapadmin + namespace: phpldapadmin + spec: + selector: + app: phpldapadmin + ports: + - port: 80 + name: http + type: ClusterIP + +- name: Create Ingress + k8s: + state: present + definition: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + annotations: + cert-manager.io/cluster-issuer: ca-issuer + name: phpldapadmin + namespace: phpldapadmin + spec: + ingressClassName: nginx + rules: + - host: phpldapadmin.eom.dev + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: phpldapadmin + port: + number: 80 + tls: + - hosts: + - phpldapadmin.eom.dev + secretName: phpldapadmin diff --git a/tasks/mail.yaml b/tasks/postfix.yaml similarity index 69% rename from tasks/mail.yaml rename to tasks/postfix.yaml index 39179e0..6cd2c8b 100644 --- a/tasks/mail.yaml +++ b/tasks/postfix.yaml 
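Review bot: `apiVersion: v1` with `kind: Deployment` is not a valid pairing — Deployments are in `apps/v1` — so the `k8s` task will fail to resolve the resource type; change it to `apiVersion: apps/v1`. phpLDAPadmin is then exposed on the public ingress at `phpldapadmin.eom.dev` with nothing but the LDAP bind as authentication, and `PHPLDAPADMIN_LDAP_HOSTS` names the server with no TLS option, so the admin DN password typed into the UI crosses the cluster in clear text; configure the host entry for TLS on 636 (the image's host list accepts per-server `tls`/`port` settings) and consider keeping this admin UI off the internet behind an allow-list or auth proxy. `image: osixia/phpldapadmin` is untagged, so every rollout pulls a mutable `latest`; pin a tag or digest.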
@@ -1,25 +1,25 @@ --- -# tasks file for mail -- name: Create Mail namespace +# tasks file for postfix +- name: Create Postfix namespace k8s: state: present definition: apiVersion: v1 kind: Namespace metadata: - name: mail + name: postfix -- name: Request a certificate for mail +- name: Request a certificate for postfix k8s: state: present definition: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: mail - namespace: mail + name: postfix + namespace: postfix spec: - secretName: mail + secretName: postfix privateKey: algorithm: RSA encoding: PKCS1 @@ -33,9 +33,10 @@ subject: organizations: - EOM - commonName: mail.eom.dev + commonName: postfix.eom.dev dnsNames: - - mail.eom.dev + - postfix.eom.dev + - dovecot.eom.dev issuerRef: name: ca-issuer kind: ClusterIssuer @@ -47,14 +48,14 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: mail - namespace: mail + name: postfix + namespace: postfix spec: accessModes: - ReadWriteOnce resources: requests: - storage: 128Gi + storage: 1Ti - name: Create a deployment k8s: @@ -62,25 +63,25 @@ apiVersion: v1 kind: Deployment metadata: - name: mail - namespace: mail + name: postfix + namespace: postfix spec: replicas: 1 selector: matchLabels: - app: mail + app: postfix template: metadata: labels: - app: mail + app: postfix spec: containers: - - name: mail + - name: postfix image: mailserver/docker-mailserver volumeMounts: - name: ssl mountPath: /etc/letsencrypt - - name: mail + - name: postfix mountPath: /var/mail ports: - containerPort: 25 
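Review bot: Renaming the PersistentVolumeClaim to `postfix` in namespace `postfix` while raising `storage` to `1Ti` creates a brand-new empty claim rather than resizing anything; nothing in this file migrates the mailboxes that live on the old `mail/mail` claim or removes the old `mail` namespace, Certificate, Deployment and Service, so after the play both mail servers exist and the old data is stranded. A migration step (copy `/var/mail` from the old claim, then a `state: absent` task for the `mail` namespace) or a comment stating that the old volume is deliberately discarded belongs with this change. The remaining hunks on this line are the corresponding renames plus the added `dovecot.eom.dev` SAN on the Certificate; the "Create a deployment" task continues into the next hunk.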
@@ -89,29 +90,29 @@ - containerPort: 993 env: - name: OVERRIDE_HOSTNAME - value: "mail.eom.dev" + value: "postfix.eom.dev" - name: POSTMASTER_ADDRESS - value: "eric@mail.eom.dev" + value: "postfix@postfix.eom.dev" - name: ACCOUNT_PROVISIONER value: "LDAP" - name: LDAP_SERVER_HOST - value: "ldap://openldap.auth.svc.cluster.local/" + value: "ldap://openldap.openldap.svc.cluster.local/" - name: LDAP_SEARCH_BASE value: "dc=eom,dc=dev" - name: LDAP_BIND_DN value: "cn=readonly,dc=eom,dc=dev" - name: LDAP_BIND_PW - value: "{{ ldap_readonly_password }}" + value: "{{ openldap_readonly_password }}" - name: LDAP_QUERY_FILTER_DOMAIN value: "(mail=*@%s)" - name: LDAP_QUERY_FILTER_USER - value: "(mail=%s)" + value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))" - name: LDAP_QUERY_FILTER_ALIAS - value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))" + value: "(&(objectClass=posixAccount)(mailAlias=%s))" - name: LDAP_QUERY_FILTER_GROUP - value: "(&(objectClass=inetOrgPerson)(mailGroupMember=%s))" + value: "(&(objectClass=posixAccount)(mailGroupMember=%s))" - name: LDAP_QUERY_FILTER_SENDERS - value: "(&(objectClass=inetOrgPerson)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))" + value: "(&(objectClass=posixAccount)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))" - name: SPOOF_PROTECTION value: "1" - name: DOVECOT_AUTH_BIND 
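Review bot: The `memberOf=cn=Postfix Users,…` gate added to LDAP_QUERY_FILTER_USER is absent from the ALIAS, GROUP and SENDERS filters rewritten in the same hunk, so a posixAccount outside that group is still resolved as an alias target and, under the SPOOF_PROTECTION=1 that follows, still allowed to send as its own `mail`/`mailAlias`/`mailGroupMember` addresses; SASLAUTHD_LDAP_FILTER in the next hunk has the same gap, authenticating SMTP on `mail=%U@postfix.eom.dev` alone. If only group members are meant to use mail, put the same term in each filter, e.g. `value: "(&(objectClass=posixAccount)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"`. `memberOf` is only searchable when the directory maintains it (the OpenLDAP memberof overlay, for instance); if it does not, the USER filter matches nothing and every recipient lookup fails, which deserves a comment above the filter. LDAP_SERVER_HOST is still a plain `ldap://` URL, so the readonly bind password and every lookup cross the cluster network unencrypted. The env list continues past both ends of the hunk.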
@@ -119,17 +120,17 @@ - name: DOVECOT_DEFAULT_PASS_SCHEME value: "MD5-CRYPT" - name: DOVECOT_USER_FILTER - value: "(&(objectClass=inetOrgPerson)(uid=%n))" + value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Dovecot Users,ou=Dovecot,ou=Services,dc=eom,dc=dev))" - name: DOVECOT_PASS_ATTRS value: "uid=user,userPassword=password" - name: DOVECOT_USER_ATTRS - value: "=home=/var/mail/%{ldap:uid},=uid=5000,=gid=5000,=mail=maildir:~/Maildir" + value: "=home=/var/mail/%{ldap:uid},=uid=%{ldap:uidNumber},=gid=%{ldap:gidNumber},=mail=maildir:~/Maildir" - name: ENABLE_SASLAUTHD value: "1" - name: SASLAUTHD_MECHANISMS value: "ldap" - name: SASLAUTHD_LDAP_FILTER - value: "(mail=%U@mail.eom.dev)" + value: "(mail=%U@postfix.eom.dev)" - name: SSL_TYPE value: "manual" - name: SSL_CERT_PATH @@ -139,10 +140,10 @@ volumes: - name: ssl secret: - secretName: mail - - name: mail + secretName: postfix + - name: postfix persistentVolumeClaim: - claimName: mail + claimName: postfix - name: Expose deployment as a service k8s: @@ -150,11 +151,11 @@ apiVersion: v1 kind: Service metadata: - name: mail - namespace: mail + name: postfix + namespace: postfix spec: selector: - app: mail + app: postfix ports: - port: 25 name: smtp-a diff --git a/tasks/postgresql.yaml b/tasks/postgresql.yaml new file mode 100644 index 0000000..05fc8d9 --- /dev/null +++ b/tasks/postgresql.yaml 
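Review bot: DOVECOT_USER_ATTRS now derives the mailbox owner from `%{ldap:uidNumber}`/`%{ldap:gidNumber}` where the removed line pinned every user to 5000/5000, so any maildir already present under `/var/mail/<uid>` as 5000:5000 stops being readable by its owner until ownership is migrated, and an entry whose uidNumber is below Dovecot's configured minimum is rejected outright (the default floor is 500, as far as I remember). A `chown` migration step, or a comment stating that the volume starts empty, should accompany this change. The edit also means the directory's uidNumber values now decide which local account each mailbox is read as, which is only safe while those numbers are unique per user. The container spec continues outside the hunk.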
@@ -0,0 +1,38 @@
+---
+# tasks file for postgresql
+- name: Deploy PostgreSQL
+ kubernetes.core.helm:
+ name: postgresql
+ chart_ref: bitnami/postgresql-ha
+ release_namespace: postgresql
+ create_namespace: true
+ values:
+ metrics:
+ enabled: true
+ volumePermissions:
+ enabled: true
+ pgpool:
+ adminPassword: "{{ postgresql_admin_password }}"
+ customUsers:
+ usernames: gitea,grafana,jupyterhub,mastodon,nextcloud
+ passwords: "{{ gitea_admin_password }},{{ grafana_admin_password }},{{ jupyterhub_admin_password }},{{ mastodon_admin_password }},{{ nextcloud_admin_password }}"
+ backup:
+ enabled: true
+ persistence:
+ size: 2Ti
+ postgresql:
+ username: postgres
+ password: "{{ postgresql_admin_password }}"
+ repmgrPassword: "{{ postgresql_repmgr_password }}"
+ initdbScripts:
+ setup.sql: |
+ CREATE USER gitea WITH PASSWORD '{{ gitea_admin_password }}';
+ CREATE DATABASE gitea WITH OWNER gitea;
+ CREATE USER grafana WITH PASSWORD '{{ grafana_admin_password }}';
+ CREATE DATABASE grafana WITH OWNER grafana;
+ CREATE USER jupyterhub WITH PASSWORD '{{ jupyterhub_admin_password }}';
+ CREATE DATABASE jupyterhub WITH OWNER jupyterhub;
+ CREATE USER mastodon WITH PASSWORD '{{ mastodon_admin_password }}';
+ CREATE DATABASE mastodon WITH OWNER mastodon;
+ CREATE USER nextcloud WITH PASSWORD '{{ nextcloud_admin_password }}';
+ CREATE DATABASE nextcloud WITH OWNER nextcloud;
diff --git a/tasks/monitoring.yaml b/tasks/prometheus.yaml
similarity index 59%
rename from tasks/monitoring.yaml
rename to tasks/prometheus.yaml
index 7f9358d..504c852 100644
--- a/tasks/monitoring.yaml
+++ b/tasks/prometheus.yaml
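Review bot: The `setup.sql` statements and the `customUsers.passwords` list interpolate Jinja variables without quoting or escaping, so a password containing `'` breaks its `CREATE USER … WITH PASSWORD '…'` statement and one containing `,` shifts every password after it in the comma-separated list onto the wrong user. Each database user also reuses what the variable names suggest is the application's own admin password (`gitea_admin_password` and so on), so compromise of either surface discloses the other; dedicated `<app>_db_password` variables, written as `'{{ gitea_db_password | replace("'", "''") }}'`, would fix both. As far as I recall the chart renders `initdbScripts` into a ConfigMap and only runs it on first initialisation, so these passwords sit in plaintext in the namespace and re-running the play against an existing cluster does not create new users; its `initdbScriptsSecret` value, if memory serves, keeps the script in a Secret instead. `username: postgres` is the superuser, so `postgresql_admin_password` is the highest-value credential here and `pgpool.adminPassword` reuses it.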
@@ -1,31 +1,46 @@ --- -# tasks file for grafana -- name: Create monitoring namespace - k8s: - state: present - definition: - apiVersion: v1 - kind: Namespace - metadata: - name: monitoring - +# tasks file for prometheus - name: Deploy Prometheus kubernetes.core.helm: name: prometheus chart_ref: bitnami/prometheus - release_namespace: monitoring - timeout: 300s + release_namespace: prometheus + create_namespace: true values: server: persistence: - size: 32Gi + size: 256Gi extraScrapeConfigs: + - job_name: apps + static_configs: + - targets: + - gitea.eom.dev + labels: + instance: gitea + - targets: + - grafana.eom.dev + labels: + instance: grafana + - targets: + - jupyterhub.eom.dev + labels: + instance: jupyterhub + - targets: + - mastodon.eom.dev + labels: + instance: mastodon + - targets: + - nextcloud-metrics.nextcloud.svc.cluster.local + labels: + instance: nextcloud + metrics_path: /metrics - job_name: libvirt_exporter static_configs: - targets: - 192.168.1.48:9177 labels: instance: poweredge-t640 + metrics_path: /metrics - job_name: node_exporter static_configs: - targets: 
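Review bot: The new `apps` job lists `gitea.eom.dev`, `grafana.eom.dev`, `jupyterhub.eom.dev` and `mastodon.eom.dev` without a `scheme`, so Prometheus scrapes `http://host:80/metrics`; the ingresses visible in this change all terminate TLS for their hostnames and these hosts are presumably set up the same way, so expect redirects or refused scrapes, and if `/metrics` is reachable on the public hostname it is reachable by anyone unless the ingress guards that path. Either add `scheme: https` (with a `tls_config` carrying the `ca-issuer` CA if those certificates are private) or scrape in-cluster service names as the `nextcloud-metrics.nextcloud.svc.cluster.local` target does, which also keeps the traffic off the public edge. Changing `release_namespace` from `monitoring` to `prometheus` installs a second release; nothing in this task removes the old one in `monitoring` or its PVC, so the old scraper keeps running alongside. The scrape config continues past the end of the hunk.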
@@ -93,55 +108,3 @@
 labels:
 instance: alpha-worker-12
 metrics_path: /metrics
-
-- name: Deploy Grafana
- kubernetes.core.helm:
- name: grafana
- chart_ref: bitnami/grafana
- release_namespace: monitoring
- timeout: 300s
- values:
- admin:
- user: grafana
- password: "{{ grafana_admin_password }}"
- persistence:
- size: 32Gi
- smtp:
- enabled: true
- user: grafana
- password: "{{ grafana_mail_password }}"
- host: mail.eom.dev
- fromAddress: grafana@mail.eom.dev
- fromName: Grafana
- ldap:
- enabled: true
- allowSignUp: true
- configuration: "{{ lookup('template', 'ldap.toml.j2') }}"
- ingress:
- enabled: true
- pathType: Prefix
- hostname: grafana.eom.dev
- annotations:
- cert-manager.io/cluster-issuer: ca-issuer
- ingressClassName: nginx
- tls: true
- datasources:
- secretDefinition:
- apiVersion: 1
- datasources:
- - name: Prometheus
- type: prometheus
- access: proxy
- orgId: 1
- url: http://prometheus.monitoring.svc.cluster.local
- version: 1
- editable: true
- isDefault: true
- - name: Alertmanager
- uid: alertmanager
- type: alertmanager
- access: proxy
- orgId: 1
- url: http://prometheus-alertmanager.monitoring.svc.cluster.local:9093
- version: 1
- editable: true
diff --git a/tasks/redis.yaml b/tasks/redis.yaml
new file mode 100644
index 0000000..1ba0ce1
--- /dev/null
+++ b/tasks/redis.yaml
@@ -0,0 +1,14 @@
+---
+# tasks file for redis
+- name: Deploy Redis
+ kubernetes.core.helm:
+ name: redis
+ chart_ref: bitnami/redis-cluster
+ release_namespace: redis
+ create_namespace: true
+ values:
+ metrics:
+ enabled: true
+ password: "{{ redis_auth_password }}"
+ persistence:
+ size: 64Gi
diff --git a/templates/eric.ldif.j2 b/templates/eric.ldif.j2
deleted file mode 100644
index b65b857..0000000
--- a/templates/eric.ldif.j2
+++ /dev/null
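Review bot: In the redis.yaml hunk the cluster is deployed with `password` as its only gate and no `tls` block, so clients in other namespaces (each app in this change sits in its own namespace) send AUTH and every command in clear across the cluster network; the bitnami redis-cluster chart has a `tls` section, if I recall correctly, and a NetworkPolicy limiting which namespaces may reach the Redis port would narrow exposure regardless. A one-line comment above `password:` recording which consumers share `redis_auth_password` would also help, since nothing here says who is expected to connect.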
@@ -1,14 +0,0 @@
-dn: uid=eric,dc=eom,dc=dev
-changetype: add
-uid: eric
-cn: Eric O'Neill Meehan
-sn: 3
-objectClass: top
-objectClass: posixAccount
-objectClass: inetOrgPerson
-loginShell: /bin/zsh
-homeDirectory: /home/eric
-uidNumber: 10000
-gidNumber: 10000
-userPassword: {{ eric_user_password }}
-mail: eric@mail.eom.dev
diff --git a/templates/httpd-auth.conf.j2 b/templates/httpd-auth.conf.j2
deleted file mode 100644
index 8137de8..0000000
--- a/templates/httpd-auth.conf.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
-LoadModule ldap_module modules/mod_ldap.so
-
-# Base
-
- AuthType basic
- AuthName OpenLDAP
- AuthBasicProvider ldap
- AuthLDAPBindDN "cn=admin,dc=eom,dc=dev"
- AuthLDAPBindPassword "{{ ldap_admin_password }}"
- AuthLDAPURL "ldap://openldap/dc=eom,dc=dev?uid"
-
- Require method GET OPTIONS
- Require valid-user
-
-
-
-# Users
-
- AuthType basic
- AuthName OpenLDAP
- AuthBasicProvider ldap
- AuthLDAPBindDN "cn=admin,dc=eom,dc=dev"
- AuthLDAPBindPassword "{{ ldap_admin_password }}"
- AuthLDAPURL "ldap://openldap/dc=eom,dc=dev?uid??(uid=eric)"
- Require valid-user
-
-
-# Git
-
- AuthType basic
- AuthName OpenLDAP
- AuthBasicProvider ldap
- AuthLDAPBindDN "cn=admin,dc=eom,dc=dev"
- AuthLDAPBindPassword "{{ ldap_admin_password }}"
- AuthLDAPURL "ldap://openldap/dc=eom,dc=dev?uid"
- Require valid-user
-
diff --git a/templates/httpd.conf.j2 b/templates/httpd.conf.j2
deleted file mode 100644
index 365edaf..0000000
--- a/templates/httpd.conf.j2
+++ /dev/null
@@ -1,555 +0,0 @@ -# -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so "logs/access_log" -# with ServerRoot set to "/usr/local/apache2" will be interpreted by the -# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" -# will be interpreted as '/logs/access_log'. - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/usr/local/apache2" - -# -# Mutex: Allows you to set the mutex mechanism and mutex file directory -# for individual mutexes, or change the global defaults -# -# Uncomment and change the directory if mutexes are file-based and the default -# mutex file directory is not on a local disk or is not appropriate for some -# other reason. -# -# Mutex default:logs - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. 
-# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -LoadModule mpm_event_module modules/mod_mpm_event.so -#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so -#LoadModule mpm_worker_module modules/mod_mpm_worker.so -LoadModule authn_file_module modules/mod_authn_file.so -#LoadModule authn_dbm_module modules/mod_authn_dbm.so -#LoadModule authn_anon_module modules/mod_authn_anon.so -#LoadModule authn_dbd_module modules/mod_authn_dbd.so -#LoadModule authn_socache_module modules/mod_authn_socache.so -LoadModule authn_core_module modules/mod_authn_core.so -LoadModule authz_host_module modules/mod_authz_host.so -LoadModule authz_groupfile_module modules/mod_authz_groupfile.so -LoadModule authz_user_module modules/mod_authz_user.so -#LoadModule authz_dbm_module modules/mod_authz_dbm.so -#LoadModule authz_owner_module modules/mod_authz_owner.so -#LoadModule authz_dbd_module modules/mod_authz_dbd.so -LoadModule authz_core_module modules/mod_authz_core.so -#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so -#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so -LoadModule access_compat_module modules/mod_access_compat.so -LoadModule auth_basic_module modules/mod_auth_basic.so -#LoadModule auth_form_module modules/mod_auth_form.so -#LoadModule auth_digest_module modules/mod_auth_digest.so -#LoadModule allowmethods_module modules/mod_allowmethods.so -#LoadModule isapi_module modules/mod_isapi.so -#LoadModule 
file_cache_module modules/mod_file_cache.so -#LoadModule cache_module modules/mod_cache.so -#LoadModule cache_disk_module modules/mod_cache_disk.so -#LoadModule cache_socache_module modules/mod_cache_socache.so -#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so -#LoadModule socache_dbm_module modules/mod_socache_dbm.so -#LoadModule socache_memcache_module modules/mod_socache_memcache.so -#LoadModule socache_redis_module modules/mod_socache_redis.so -#LoadModule watchdog_module modules/mod_watchdog.so -#LoadModule macro_module modules/mod_macro.so -#LoadModule dbd_module modules/mod_dbd.so -#LoadModule bucketeer_module modules/mod_bucketeer.so -#LoadModule dumpio_module modules/mod_dumpio.so -#LoadModule echo_module modules/mod_echo.so -#LoadModule example_hooks_module modules/mod_example_hooks.so -#LoadModule case_filter_module modules/mod_case_filter.so -#LoadModule case_filter_in_module modules/mod_case_filter_in.so -#LoadModule example_ipc_module modules/mod_example_ipc.so -#LoadModule buffer_module modules/mod_buffer.so -#LoadModule data_module modules/mod_data.so -#LoadModule ratelimit_module modules/mod_ratelimit.so -LoadModule reqtimeout_module modules/mod_reqtimeout.so -#LoadModule ext_filter_module modules/mod_ext_filter.so -#LoadModule request_module modules/mod_request.so -#LoadModule include_module modules/mod_include.so -LoadModule filter_module modules/mod_filter.so -#LoadModule reflector_module modules/mod_reflector.so -#LoadModule substitute_module modules/mod_substitute.so -#LoadModule sed_module modules/mod_sed.so -#LoadModule charset_lite_module modules/mod_charset_lite.so -#LoadModule deflate_module modules/mod_deflate.so -#LoadModule xml2enc_module modules/mod_xml2enc.so -#LoadModule proxy_html_module modules/mod_proxy_html.so -#LoadModule brotli_module modules/mod_brotli.so -LoadModule mime_module modules/mod_mime.so -#LoadModule ldap_module modules/mod_ldap.so -LoadModule log_config_module modules/mod_log_config.so -#LoadModule 
log_debug_module modules/mod_log_debug.so -#LoadModule log_forensic_module modules/mod_log_forensic.so -#LoadModule logio_module modules/mod_logio.so -#LoadModule lua_module modules/mod_lua.so -LoadModule env_module modules/mod_env.so -#LoadModule mime_magic_module modules/mod_mime_magic.so -#LoadModule cern_meta_module modules/mod_cern_meta.so -#LoadModule expires_module modules/mod_expires.so -LoadModule headers_module modules/mod_headers.so -#LoadModule ident_module modules/mod_ident.so -#LoadModule usertrack_module modules/mod_usertrack.so -#LoadModule unique_id_module modules/mod_unique_id.so -LoadModule setenvif_module modules/mod_setenvif.so -LoadModule version_module modules/mod_version.so -#LoadModule remoteip_module modules/mod_remoteip.so -#LoadModule proxy_module modules/mod_proxy.so -#LoadModule proxy_connect_module modules/mod_proxy_connect.so -#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so -#LoadModule proxy_http_module modules/mod_proxy_http.so -#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so -#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so -#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so -#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so -#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so -#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so -#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so -#LoadModule proxy_express_module modules/mod_proxy_express.so -#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so -#LoadModule session_module modules/mod_session.so -#LoadModule session_cookie_module modules/mod_session_cookie.so -#LoadModule session_crypto_module modules/mod_session_crypto.so -#LoadModule session_dbd_module modules/mod_session_dbd.so -#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so -#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so -#LoadModule ssl_module modules/mod_ssl.so -#LoadModule optional_hook_export_module 
modules/mod_optional_hook_export.so -#LoadModule optional_hook_import_module modules/mod_optional_hook_import.so -#LoadModule optional_fn_import_module modules/mod_optional_fn_import.so -#LoadModule optional_fn_export_module modules/mod_optional_fn_export.so -#LoadModule dialup_module modules/mod_dialup.so -#LoadModule http2_module modules/mod_http2.so -#LoadModule proxy_http2_module modules/mod_proxy_http2.so -#LoadModule md_module modules/mod_md.so -#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so -#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so -#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so -#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so -LoadModule unixd_module modules/mod_unixd.so -#LoadModule heartbeat_module modules/mod_heartbeat.so -#LoadModule heartmonitor_module modules/mod_heartmonitor.so -#LoadModule dav_module modules/mod_dav.so -LoadModule status_module modules/mod_status.so -LoadModule autoindex_module modules/mod_autoindex.so -#LoadModule asis_module modules/mod_asis.so -#LoadModule info_module modules/mod_info.so -#LoadModule suexec_module modules/mod_suexec.so - - #LoadModule cgid_module modules/mod_cgid.so - - - #LoadModule cgi_module modules/mod_cgi.so - -#LoadModule dav_fs_module modules/mod_dav_fs.so -#LoadModule dav_lock_module modules/mod_dav_lock.so -#LoadModule vhost_alias_module modules/mod_vhost_alias.so -#LoadModule negotiation_module modules/mod_negotiation.so -LoadModule dir_module modules/mod_dir.so -#LoadModule imagemap_module modules/mod_imagemap.so -#LoadModule actions_module modules/mod_actions.so -#LoadModule speling_module modules/mod_speling.so -#LoadModule userdir_module modules/mod_userdir.so -LoadModule alias_module modules/mod_alias.so -#LoadModule rewrite_module modules/mod_rewrite.so - - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. 
-# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User www-data -Group www-data - - - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin admin@mail.eom.dev - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. -# -ServerName {{ httpd_server_name }}:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. 
-# -DocumentRoot "/usr/local/apache2/htdocs" - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # AllowOverride FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog /proc/self/fd/2 - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). 
- # - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - CustomLog /proc/self/fd/1 common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - #CustomLog "logs/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. - # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. 
- # - ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/" - - - - - # - # ScriptSock: On threaded servers, designate the path to the UNIX - # socket used to communicate with the CGI daemon of mod_cgid. - # - #Scriptsock cgisock - - -# -# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied - # backend servers which have lingering "httpoxy" defects. - # 'Proxy' request header is undefined by the IETF, not listed by IANA - # - RequestHeader unset Proxy early - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig conf/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) - # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. 
- # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - #AddType text/html .shtml - #AddOutputFilter INCLUDES .shtml - - -# -# The mod_mime_magic module allows the server to use various hints from the -# contents of the file itself to determine its type. The MIMEMagicFile -# directive tells the module where the hint definitions are located. -# -#MIMEMagicFile conf/magic - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# MaxRanges: Maximum number of Ranges in a request before -# returning the entire resource, or one of the special -# values 'default', 'none' or 'unlimited'. -# Default setting is to accept 200 Ranges. -#MaxRanges unlimited - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -#EnableSendfile on - -# Supplemental configuration -# -# The configuration files in the conf/extra/ directory can be -# included to add extra features or to modify the default configuration of -# the server, or you may simply copy their contents here and change as -# necessary. 
- -# Server-pool management (MPM specific) -#Include conf/extra/httpd-mpm.conf - -# Multi-language error messages -#Include conf/extra/httpd-multilang-errordoc.conf - -# Fancy directory listings -#Include conf/extra/httpd-autoindex.conf - -# Language settings -#Include conf/extra/httpd-languages.conf - -# User home directories -#Include conf/extra/httpd-userdir.conf - -# Real-time info on requests and configuration -#Include conf/extra/httpd-info.conf - -# Virtual hosts -#Include conf/extra/httpd-vhosts.conf - -# Local access to the Apache HTTP Server Manual -#Include conf/extra/httpd-manual.conf - -# Distributed authoring and versioning (WebDAV) -#Include conf/extra/httpd-dav.conf - -# Various default settings -#Include conf/extra/httpd-default.conf - -{% for config in httpd_conf_extra %} -Include conf/{{ config }} -{% endfor %} - -# Configure mod_proxy_html to understand HTML4/XHTML1 - -Include conf/extra/proxy-html.conf - - -# Secure (SSL/TLS) connections -#Include conf/extra/httpd-ssl.conf -# -# Note: The following must must be present to support -# starting without SSL on platforms with no /dev/random equivalent -# but a statically compiled-in mod_ssl. -# - -SSLRandomSeed startup builtin -SSLRandomSeed connect builtin - - diff --git a/templates/ldap.toml.j2 b/templates/ldap.toml.j2 index 63abf56..2e3321e 100644 --- a/templates/ldap.toml.j2 +++ b/templates/ldap.toml.j2 @@ -1,6 +1,6 @@ [[servers]] # Ldap server host (specify multiple hosts space separated) -host = "openldap.auth.svc.cluster.local" +host = "openldap.openldap.svc.cluster.local" # Default port is 389 or 636 if use_ssl = true port = 389 # Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS) 
@@ -25,7 +25,7 @@ ssl_skip_verify = false bind_dn = "cn=readonly,dc=eom,dc=dev" # Search user bind password # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" -bind_password = "{{ ldap_readonly_password }}" +bind_password = "{{ openldap_readonly_password }}" # We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion # bind_password = '$__env{LDAP_BIND_PASSWORD}' @@ -34,30 +34,31 @@ timeout = 30 # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" # Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))" -search_filter = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%s))" +search_filter = "(&(objectClass=posixAccount)(uid=%s)(memberOf=cn=Grafana Users,ou=Grafana,ou=Services,dc=eom,dc=dev))" # An array of base dns to search through search_base_dns = ["dc=eom,dc=dev"] -group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" -group_search_filter_user_attribute = "uid" -group_search_base_dns = ["dc=eom,dc=dev"] - # Specify names of the LDAP attributes your LDAP uses [servers.attributes] username = "uid" email = "mail" name = "givenName" surname = "sn" +member_of = "memberOf" + +[[servers.group_mappings]] +group_dn = "cn=Grafana Administrators,ou=Grafana,ou=Services,dc=eom,dc=dev" +org_id = 1 +org_role = "Admin" +grafana_admin = true + +[[servers.group_mappings]] +group_dn = "cn=Grafana Users,ou=Grafana,ou=Services,dc=eom,dc=dev" +org_id = 1 +org_role = "Viewer" [[servers.group_mappings]] group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev" org_id = 2 org_role = "Admin" -grafana_admin = true - -[[servers.group_mappings]] -group_dn = "cn=DevOps Members,ou=DevOps,ou=Organizations,dc=eom,dc=dev" -org_id = 2 -org_role = "Viewer" -grafana_admin = true 
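Review bot: The new `search_filter` in the @@ -34 hunk only matches accounts carrying `memberOf=cn=Grafana Users,ou=Grafana,ou=Services,dc=eom,dc=dev`, and in Grafana's LDAP flow the user search has to succeed before any `[[servers.group_mappings]]` entry is evaluated, so an account that is in `Grafana Administrators` or `DevOps Owners` but not also in `Grafana Users` is denied login outright rather than mapped to Admin. If that is not intended, widen the filter to `search_filter = "(&(objectClass=posixAccount)(uid=%s)(|(memberOf=cn=Grafana Users,ou=Grafana,ou=Services,dc=eom,dc=dev)(memberOf=cn=Grafana Administrators,ou=Grafana,ou=Services,dc=eom,dc=dev)))"` and extend it for the DevOps group as well. Both the filter and the new `member_of = "memberOf"` attribute presumably rely on the OpenLDAP server populating `memberOf` (memberof overlay or equivalent); if it does not, every login fails at the search step with no group-mapping error to point at, so a comment above `member_of` naming that dependency would save the next debugging session. The earlier hunk at @@ -25 is only a variable rename.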
diff --git a/templates/psql.sh.j2 b/templates/psql.sh.j2
new file mode 100644
index 0000000..4e74404
--- /dev/null
+++ b/templates/psql.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/bash
+psql -U postgres <<-EOSQL
+ CREATE DATABASE {{ db }};
+ CREATE USER {{ user }} WITH ENCRYPTED PASSWORD '{{ pwd }}';
+ GRANT ALL PRIVILEGES ON {{ db }} TO {{ user }};
+ EOSQL
diff --git a/templates/values.yaml.j2 b/templates/values.yaml.j2
deleted file mode 100644
index db52ca2..0000000
--- a/templates/values.yaml.j2
+++ /dev/null
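Review bot: `GRANT ALL PRIVILEGES ON {{ db }} TO {{ user }};` grants on a table named `{{ db }}`, not on the database created one line earlier, so it fails with a missing-relation error unless the object type is spelled out: `GRANT ALL PRIVILEGES ON DATABASE {{ db }} TO {{ user }};`. Because psql is invoked without `-v ON_ERROR_STOP=1` and the script has no `set -e`, that failure (or a failed CREATE USER) does not change the exit status, so the caller cannot tell that the role was never provisioned. The Jinja values are spliced into SQL verbatim: a `'` inside `{{ pwd }}` breaks or alters the statement, so render it with an escaping step such as `'{{ pwd | replace("'", "''") }}'` and quote the identifiers as `"{{ db }}"` / `"{{ user }}"`. The rendered script also holds the password in plaintext, so the task that writes it should set a restrictive file mode. Note that `<<-` strips only leading tabs; if the body and the `EOSQL` terminator are indented with spaces the heredoc never terminates.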
@@ -1,783 +0,0 @@ -image: - repository: ghcr.io/mastodon/mastodon - # https://github.com/mastodon/mastodon/pkgs/container/mastodon - # - # alternatively, use `latest` for the latest release or `edge` for the image - # built from the most recent commit - # - # tag: latest - tag: null - # use `Always` when using `latest` tag - pullPolicy: IfNotPresent - -mastodon: - # Labels added to every Mastodon-related object - labels: {} - - # -- create an initial administrator user; the password is autogenerated and will - # have to be reset - createAdmin: - # @ignored - enabled: false - # @ignored - username: not_gargron - # @ignored - email: not@example.com - hooks: - dbMigrate: - enabled: true - assetsPrecompile: - enabled: true - # Upload website assets to S3 before deploying using rclone. - # Whenever there is an update to Mastodon, sometimes there are assets files - # that are renamed. As the pods are getting redeployed, and old/new pods are - # present simultaneously, there is a chance that old asset files are - # requested from pods that don't have them anymore, or new asset files are - # requested from old pods. Uploading asset files to S3 in this manner solves - # this potential conflict. - # Note that you will need to CDN/proxy to send all requests to /assets and - # /packs to this bucket. - s3Upload: - enabled: false - endpoint: - bucket: - acl: public-read - secretRef: - name: - keys: - accesKeyId: acces-key-id - secretAccessKey: secret-access-key - rclone: - # Any additional environment variables to pass to rclone. 
- env: {} - # Custom labels to add to kubernetes resources - #labels: - cron: - # -- run `tootctl media remove` every week - removeMedia: - # @ignored - enabled: true - # @ignored - schedule: "0 0 * * 0" - # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 - locale: en - local_domain: mastodon.eom.dev - # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation - # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described - # Example: mastodon.example.com - web_domain: null - # -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize - # itself when users are addressed using those other domains. - alternate_domains: [] - # -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers - # Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip - # trusted_proxy_ip: - # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. - singleUserMode: false - # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch - authorizedFetch: false - # -- Enables "Limited Federation Mode" for more details see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode - limitedFederationMode: false - persistence: - assets: - # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits - # scalability, since it requires the Rails and Sidekiq pods to run on the - # same node. 
- accessMode: ReadWriteOnce - resources: - requests: - storage: 10Gi - # -- name of existing persistent volume claim to use for assets - existingClaim: - system: - accessMode: ReadWriteOnce - resources: - requests: - storage: 100Gi - # -- name of existing persistent volume claim to use for system - existingClaim: - s3: - enabled: false - access_key: "" - access_secret: "" - # -- you can also specify the name of an existing Secret - # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY - existingSecret: "" - bucket: "" - endpoint: "" - hostname: "" - region: "" - permission: "" - # -- If you have a caching proxy, enter its base URL here. - alias_host: "" - # When uploading data to S3, if the number of bytes to send exceedes - # multipart_threshold then a multi part session is automatically started - # and the data is sent up in chunks. Defaults to 16777216 (16MB). - multipart_threshold: "" - # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming - # override_path_style: "true" - deepl: - enabled: false - plan: - apiKeySecretRef: - name: - key: - hcaptcha: - enabled: false - siteId: - secretKeySecretRef: - name: - key: - # these must be set manually; autogenerated keys are rotated on each upgrade - secrets: - secret_key_base: "" - otp_secret: "" - vapid: - private_key: "" - public_key: "" - activeRecordEncryption: - primaryKey: "" - deterministicKey: "" - keyDerivationSalt: "" - # -- you can also specify the name of an existing Secret - # with keys: - # - SECRET_KEY_BASE - # - OTP_SECRET - # - VAPID_PRIVATE_KEY - # - VAPID_PUBLIC_KEY - # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY - # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY - # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT - existingSecret: "" - - # -- The number of old revisions to keep for each Deployment in Kubernetes. 
- # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy - revisionHistoryLimit: 2 - - sidekiq: - # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext - podSecurityContext: {} - # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext - securityContext: {} - # -- Resources for all Sidekiq Deployments unless overwritten - resources: {} - # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity - affinity: {} - # -- Annotations to apply to the deployment object(s) for sidekiq. - # -- These are applied in addition to deploymentAnnotations. - annotations: {} - # -- Labels to apply to the deployment object(s) for sidekiq. - # -- These are applied in addition to mastodon.labels. - labels: {} - # -- Annotations to apply to the sidekiq pods. - # -- These are applied in addition to the global podAnnotations. - podAnnotations: {} - # -- Labels to apply to the sidekiq pods. - # -- These are applied in addition to mastodon.labels. - podLabels: {} - # Rollout strategy to use when updating pods. - # Recreate will help reduce the number of retried jobs when updating when - # the code introduces a new job as the pods are all replaced immediately. - # RollingUpdate can help with larger clusters if job retries aren't an - # issue, as it will reduce strain by replacing pods more slowly. It is - # strongly recommended to enable the readinessProbe when using RollingUpdate. - # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - updateStrategy: - type: Recreate - # Readiness probe configuration - # NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10. 
- readinessProbe: - enabled: false - path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs - initialDelaySeconds: 10 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - # -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints - topologySpreadConstraints: {} - # limits: - # cpu: "1" - # memory: 768Mi - # requests: - # cpu: 250m - # memory: 512Mi - - # Open Telemetry configuration for sidekiq pods. Overrides global settings. - otel: - enabled: - exporterUri: - namePrefix: - nameSeparator: - - workers: - - name: all-queues - # -- Number of threads / parallel sidekiq jobs that are executed per Pod - concurrency: 25 - # -- Number of Pod replicas deployed by the Deployment - replicas: 1 - # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources - resources: {} - # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity - affinity: {} - # -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints - topologySpreadConstraints: {} - # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency - # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument - queues: - - default,8 - - push,6 - - ingress,4 - - mailers,2 - - pull - - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica. 
- image: - repository: - tag: - # allows you to mount a custom database.yml from a configmap - # please note that we do not advise using a read-only replica for sidekiq workers - customDatabaseConfigYml: - configMapRef: - name: - key: - #- name: push-pull - # concurrency: 50 - # resources: {} - # replicas: 2 - # queues: - # - push - # - pull - #- name: mailers - # concurrency: 25 - # replicas: 2 - # queues: - # - mailers - #- name: default - # concurrency: 25 - # replicas: 2 - # queues: - # - default - smtp: - auth_method: plain - ca_file: /etc/ssl/certs/ca-certificates.crt - delivery_method: smtp - domain: mail.eom.dev - enable_starttls: "auto" - from_address: mastodon@mail.eom.dev - return_path: - openssl_verify_mode: peer - port: 587 - reply_to: - server: mail.eom.dev - tls: true - login: mastodon - password: {{ mastodon_mail_password }} - # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and - # password must be located in keys named `login` and `password` respectively. - existingSecret: - streaming: - image: - repository: - tag: - port: 4000 - # -- this should be set manually since os.cpus() returns the number of CPUs on - # the node running the pod, which is unrelated to the resources allocated to - # the pod by k8s - workers: 1 - # -- The base url for streaming can be set if the streaming API is deployed to - # a different domain/subdomain. - base_url: null - # -- Number of Streaming Pods running - replicas: 1 - # -- Affinity for Streaming Pods, overwrites .Values.affinity - affinity: {} - # -- Annotations to apply to the deployment object for streaming. - # -- These are applied in addition to deploymentAnnotations. - annotations: {} - # -- Labels to apply to the deployment object for streaming. - # -- These are applied in addition to mastodon.labels. - labels: {} - # -- Annotations to apply to the streaming pods. - # -- These are applied in addition to the global podAnnotations. 
- podAnnotations: {} - # -- Labels to apply to the streaming pods. - # -- These are applied in addition to mastodon.labels. - podLabels: {} - # Rollout strategy to use when updating pods - # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 10% - maxUnavailable: 25% - # -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints - topologySpreadConstraints: {} - # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext - podSecurityContext: {} - # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext - securityContext: {} - # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources - resources: {} - # limits: - # cpu: "500m" - # memory: 512Mi - # requests: - # cpu: 250m - # memory: 128Mi - # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - pdb: - enable: false - # minAvailable: 1 - # maxUnavailable: 1 - # -- Puma-specific options. Below values are based on default behavior in - # config/puma.rb when no custom values are provided. - # -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database - extraCerts: {} - # -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format - # existingSecret: - # -- Optional volume name for mounting the .crt file, defaults to "extra-certs" - # name: - # -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify" - # sslMode: - - # Specify extra environment variables to be added to streaming pods. - extraEnvVars: {} - - web: - port: 3000 - # -- Number of Web Pods running - replicas: 1 - # -- Affinity for Web Pods, overwrites .Values.affinity - affinity: {} - # -- Annotations to apply to the deployment object for web. 
- # -- These are applied in addition to deploymentAnnotations. - annotations: {} - # -- Labels to apply to the deployment object for web. - # -- These are applied in addition to mastodon.labels. - labels: {} - # -- Annotations to apply to the web pods. - # -- These are applied in addition to the global podAnnotations. - podAnnotations: {} - # -- Labels to apply to the web pods. - # -- These are applied in addition to mastodon.labels. - podLabels: {} - # Rollout strategy to use when updating pods - # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 10% - maxUnavailable: 25% - # -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints - topologySpreadConstraints: {} - # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext - podSecurityContext: {} - # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext - securityContext: {} - # -- (Web Container) Resources for Web Pods, overwrites .Values.resources - resources: {} - # limits: - # cpu: "1" - # memory: 1280Mi - # requests: - # cpu: 250m - # memory: 768Mi - # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - pdb: - enable: false - # minAvailable: 1 - # maxUnavailable: 1 - # -- Puma-specific options. Below values are based on default behavior in - # config/puma.rb when no custom values are provided. - minThreads: "5" - maxThreads: "5" - workers: "2" - persistentTimeout: "20" - image: - repository: - tag: - # allows you to mount a custom database.yml from a configmap - # for example if you want to use a read-only replica - customDatabaseConfigYml: - configMapRef: - name: - key: - - # Open Telemetry configuration for web pods. Overrides global settings. - otel: - enabled: - exporterUri: - namePrefix: - nameSeparator: - - # HTTP cache buster configuration. 
- # See the documentation for more information about this feature: - # https://docs.joinmastodon.org/admin/config/#http-cache-buster - cacheBuster: - enabled: false - httpMethod: "GET" - # If the cache service requires authentication, specify the header name and - # secret/token here. - authHeader: - authToken: - existingSecret: - - metrics: - statsd: - # -- Enable statsd publishing via STATSD_ADDR environment variable - address: "" - # -- Alternatively, you can use this to have a statsd_exporter sidecar container running along all Mastodon containers and exposing metrics in OpenMetric/Prometheus format on each pod - # Please note the exporter will not be enabled if metrics.statsd.address is not empty - exporter: - enabled: false - port: 9102 - - # Open Telemetry configuration for all deployments. Component-specific - # configuration will override these values. - otel: - enabled: false - exporterUri: - namePrefix: mastodon - nameSeparator: "-" - - # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements - preparedStatements: true - - - # Specify extra environment variables to be added to all Mastodon pods. - # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.) - extraEnvVars: {} - - # Alternatively specify extra environment variables stored in a ConfigMap. - # The specified ConfigMap should contain the additional environment variables in key-value format. 
- # extraEnvFrom: - - -ingress: - enabled: true - annotations: - # For choosing an ingress ingressClassName is preferred over annotations - # kubernetes.io/ingress.class: nginx - # - # To automatically request TLS certificates use one of the following - # kubernetes.io/tls-acme: "true" - cert-manager.io/cluster-issuer: ca-issuer - # - # ensure that NGINX's upload size matches Mastodon's - # for the K8s ingress controller: - # nginx.ingress.kubernetes.io/proxy-body-size: 40m - # for the NGINX ingress controller: - nginx.org/client-max-body-size: 40m - # -- you can specify the ingressClassName if it differs from the default - ingressClassName: nginx - hosts: - - host: mastodon.eom.dev - paths: - - path: "/" - tls: - - secretName: mastodon-tls - hosts: - - mastodon.eom.dev - - # This allows you to have a separate ingress for streaming - # When enabled, the main ingress will no longer handle streaming requests. - # You will also need to configure mastodon.streaming.base_url accordingly - streaming: - enabled: false - annotations: - ingressClassName: - hosts: - - host: streaming.mastodon.eom.dev - paths: - - path: "/" - tls: - - secretName: mastodon-tls - hosts: - - streaming.mastodon.eom.dev - -# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters -elasticsearch: - # Elasticsearch is powering full-text search. It is optional. - - # `false` will not install Elasticsearch as part of this chart - # - # if you enable ES after the initial install, you will need to manually run - # RAILS_ENV=production bundle exec rake chewy:sync - # (https://docs.joinmastodon.org/admin/optional/elasticsearch/) - enabled: true - # @ignored - image: - tag: 7 - - # If you are using an external ES cluster, use `enabled: false` and set the hostname, port, - # and whether the cluster uses TLS. 
- # hostname: - # port: 9200 - # tls: true - # preset: single_node_cluster - - # This is optional, use it if you ES cluster requires authentication - # user: - # Name of an existing secret with a password key - # existingSecret: - -# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters -postgresql: - # -- disable if you want to use an existing db; in which case the values below - # must match those of that external postgres instance - enabled: true - # postgresqlHostname: preexisting-postgresql - # postgresqlPort: 5432 - auth: - database: mastodon_production - username: mastodon - # you must set a password; the password generated by the postgresql chart will - # be rotated on each upgrade: - # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade - password: "{{ mastodon_postgres_password }}" - # Set the password for the "postgres" admin user - # set this to the same value as above if you've previously installed - # this chart and you're having problems getting mastodon to connect to the DB - # postgresPassword: "" - # you can also specify the name of an existing Secret - # with a key of password set to the password you want - existingSecret: "" - - # Options for a read-only replica. - # If enabled, mastodon uses existing defaults for postgres for these values as well. 
- # NOTE: This feature is only available on Mastodon v4.2+ - # Documentation for more information on this feature: - # https://docs.joinmastodon.org/admin/scaling/#read-replicas - readReplica: - hostname: - port: - auth: - database: - username: - password: - existingSecret: - -# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters -redis: - # disable if you want to use an existing redis instance; in which case the - # values below must match those of that external redis instance - enabled: true - hostname: "" - port: 6379 - auth: - # -- you must set a password; the password generated by the redis chart will be - # rotated on each upgrade: - password: "{{ mastodon_redis_password }}" - # setting password for an existing redis instance will store it in a new Secret - # you can also specify the name of an existing Secret - # with a key of redis-password set to the password you want - # existingSecret: "" - replica: - replicaCount: 0 - - # Configuration for a separate redis instance only for sidekiq processing. - # If enabled, any values not specified will be copied from the base config. - # If set to false, the main redis instance will be used, and all values will - # be ignored. - sidekiq: - enabled: false - hostname: "" - port: 6379 - auth: - password: "" - # you can also specify the name of an existing Secret - # with a key of redis-password set to the password you want - existingSecret: "" - - # Configuration for a separate redis instance only for cache. - # If enabled, any values not specified will be copied from the base config. - # If set to false, the main redis instance will be used, and all values will - # be ignored. 
- cache: - enabled: false - hostname: "" - port: 6379 - auth: - password: "" - # you can also specify the name of an existing Secret - # with a key of redis-password set to the password you want - existingSecret: "" - -# @ignored -service: - type: ClusterIP - port: 80 - -externalAuth: - oidc: - # -- OpenID Connect support is proposed in PR #16221 and awaiting merge. - enabled: false - # display_name: "example-label" - # issuer: https://login.example.space/auth/realms/example-space - # discovery: true - # scope: "openid,profile" - # uid_field: uid - # client_id: mastodon - # client_secret: SECRETKEY - # redirect_uri: https://example.com/auth/auth/openid_connect/callback - # assume_email_is_verified: true - # client_auth_method: - # response_type: - # response_mode: - # display: - # prompt: - # send_nonce: - # send_scope_to_token_endpoint: - # idp_logout_redirect_uri: - # http_scheme: - # host: - # port: - # jwks_uri: - # auth_endpoint: - # token_endpoint: - # user_info_endpoint: - # end_session_endpoint: - saml: - enabled: false - # acs_url: http://mastodon.example.com/auth/auth/saml/callback - # issuer: mastodon - # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml - # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----' - # idp_cert_fingerprint: - # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - # cert: - # private_key: - # want_assertion_signed: true - # want_assertion_encrypted: true - # assume_email_is_verified: true - # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1" - # attributes_statements: - # uid: "urn:oid:0.9.2342.19200300.100.1.1" - # email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" - # full_name: "urn:oid:2.16.840.1.113730.3.1.241" - # first_name: "urn:oid:2.5.4.42" - # last_name: "urn:oid:2.5.4.4" - # verified: - # verified_email: - oauth_global: - # -- Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on 
Sign-In - omniauth_only: false - cas: - enabled: false - # url: https://sso.myserver.com - # host: sso.myserver.com - # port: 443 - # ssl: true - # validate_url: - # callback_url: - # logout_url: - # login_url: - # uid_field: 'user' - # ca_path: - # disable_ssl_verification: false - # assume_email_is_verified: true - # keys: - # uid: 'user' - # name: 'name' - # email: 'email' - # nickname: 'nickname' - # first_name: 'firstname' - # last_name: 'lastname' - # location: 'location' - # image: 'image' - # phone: 'phone' - pam: - enabled: false - # email_domain: example.com - # default_service: rpam - # controlled_service: rpam - ldap: - enabled: true - host: openldap.auth.svc.cluster.local - port: 389 - method: plain - tls_no_verify: true - base: dc=eom,dc=dev - bind_dn: cn=readonly,dc=eom,dc=dev - password: {{ ldap_readonly_password }} - uid: uid - mail: mail - search_filter: "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%{uid}))" - # uid_conversion: - # enabled: true - # search: "., -" - # replace: _ - -# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 -# -# if you manually change the UID/GID environment variables, ensure these values -# match: -podSecurityContext: - runAsUser: 991 - runAsGroup: 991 - fsGroup: 991 - -# @ignored -securityContext: {} - -serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -# Custom annotations to apply to all created deployment objects. These can be -# used to help mastodon interact with other services in the cluster. -deploymentAnnotations: {} - -# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might -# need to apply different annotations to the two different sets of pods. 
The annotations -# set with podAnnotations will be added to all deployment-managed pods. -podAnnotations: {} - -# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will -# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes. -revisionPodAnnotation: true - -# The annotations set with jobAnnotations will be added to all job pods. -jobAnnotations: {} - -# -- Default resources for all Deployments and jobs unless overwritten -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# @ignored -nodeSelector: {} - -# @ignored -tolerations: [] - -# -- Affinity for all pods unless overwritten -affinity: {} - -# -- Timezone for all pods unless overwritten -timezone: UTC - -# -- Topology Spread Constraints for all pods unless overwritten -# Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you -# want to spread each deployment independently, or override topologySpreadConstraints -# for each deployment -topologySpreadConstraints: {} - -# Default volume mounts for all pods -volumeMounts: [] - -# Default volumes for all pods -volumes: []