DevOps/ansible-role-eom
2
0
Fork 0
Code Issues 17 Pull Requests Actions Packages Projects Releases Wiki Activity

v1.0.9

Browse Source
This commit is contained in:
Eric Meehan
2024-11-29 18:37:03 -05:00
parent b599bbae3d
commit 47e4109e4d
31 changed files with 603 additions and 3087 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
tasks/api.yaml
View File

@@ -1,67 +0,0 @@
---
# tasks file for api
- name: Create a config map for api
vars:
httpd_server_name: "api.eom.dev"
httpd_conf_extra:
- httpd-auth.conf
- httpd-wsgi.conf
k8s:
state: present
api_version: v1
kind: ConfigMap
name: api
namespace: "eom-{{ target_namespace }}"
definition:
data:
httpd.conf: "{{ lookup('template', 'httpd.conf.j2') }}"
httpd-auth.conf: "{{ lookup('template', 'httpd-auth.conf.j2') }}"
httpd-wsgi.conf: "{{ lookup('file', 'httpd-wsgi.conf') }}"
mime.types: "{{ lookup('file', 'mime.types') }}"
- name: Create a deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: api
namespace: "eom-{{ target_namespace }}"
spec:
replicas: 1
selector:
matchLabels:
app: api
template:
metadata:
labels:
app: api
spec:
containers:
- name: api
image: ericomeehan/api
volumeMounts:
- name: config
mountPath: /usr/local/apache2/conf
ports:
- containerPort: 80
volumes:
- name: config
configMap:
name: api
- name: Expose deployment as a service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: api
namespace: "eom-{{ target_namespace }}"
spec:
selector:
app: api
ports:
- port: 80
name: api-80
type: ClusterIP

21
tasks/elasticsearch.yaml Normal file
View File

@@ -0,0 +1,21 @@
---
# tasks file for elasticsearch
- name: Deploy Elasticsearch
kubernetes.core.helm:
name: elasticsearch
chart_ref: bitnami/elasticsearch
release_namespace: elasticsearch
create_namespace: true
values:
master:
replicaCount: 1
persistence:
size: 64Gi
coordinating:
replicaCount: 1
data:
replicaCount: 1
persistence:
size: 256Gi
ingest:
replicaCount: 1

35
tasks/full.yaml Normal file
View File

@@ -0,0 +1,35 @@
---
# Tasks file for full deployment
- name: Deploy authentication sources
include_tasks: "{{ item }}"
loop:
- openldap.yaml
- phpldapadmin.yaml
- name: Populate OpenLDAP database
pause:
prompt: "Press Enter to continue..."
- name: Deploy databases
include_tasks: "{{ item }}"
loop:
- postgresql.yaml
- redis.yaml
- elsaticsearch.yaml
- name: Deploy user services
include_tasks: "{{ item }}"
loop:
- postfix.yaml
- nextcloud.yaml
- mastodon.yaml
- jupyterhub.yaml
- gitea.yaml
- owncast.yaml
- mediawiki.yaml
- name: Deploy monitoring
include_tasks: "{{ item }}"
loop:
- prometheus.yaml
- grafana.yaml

96
tasks/git.yaml
View File

@@ -1,96 +0,0 @@
---
# tasks file for gitea
- name: Add gitea repo
kubernetes.core.helm_repository:
name: gitea
repo_url: https://dl.gitea.com/charts/
- name: Update Helm repos
command: helm repo update
- name: Deploy Gitea
kubernetes.core.helm:
name: gitea
chart_ref: gitea/gitea
release_namespace: git
create_namespace: true
values:
service:
ssh:
type: LoadBalancer
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: ca-issuer
hosts:
- host: git.eom.dev
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- git.eom.dev
secretName: gitea-tls
persistence:
size: 128Gi
actions:
enabled: true
provisioning:
enabled: true
gitea:
admin:
username: gitea
password: "{{ gitea_admin_password }}"
email: "gitea@mail.eom.dev"
metrics:
enabled: false
serviceMonitor:
enabled: false
# additionalLabels:
# prometheus-release: prom1
interval: ""
relabelings: []
scheme: ""
scrapeTimeout: ""
tlsConfig: {}
ldap:
- name: OpenLDAP
securityProtocol: unencrypted
host: openldap.auth.svc.cluster.local
port: 389
userSearchBase: ou=People,dc=eom,dc=dev
userFilter: (&(objectClass=inetOrgPerson)(uid=%s))
adminFilter: (&(cn=Gitea Admin,ou=Gitea,ou=Services,dc=eom,dc=dev)(memberUid=%s))
emailAttribute: mail
bindDn: cn=readonly,dc=eom,dc=dev
bindPassword: "{{ ldap_readonly_password }}"
usernameAttribute: uid
publicSSHKeyAttribute: publicSSHKey
config:
APP_NAME: "Gitea"
additionalConfigFromEnvs:
- name: GITEA_DISABLE_REGISTRATION
value: "true"
- name: GITEA_DEFAULT_ALLOW_CREATE_ORGANIZATION
value: "false"
redis-cluster:
enabled: false
redis:
enabled: true
global:
redis:
password: "{{ gitea_redis_password }}"
postgresql-ha:
enabled: false
postgresql:
enabled: true
global:
postgresql:
auth:
password: "{{ gitea_postgres_password }}"
database: gitea
username: gitea
primary:
persistence:
size: 128Gi

90
tasks/gitea.yaml Normal file
View File

@@ -0,0 +1,90 @@
---
# tasks file for gitea
- name: Add gitea repo
kubernetes.core.helm_repository:
name: gitea
repo_url: https://dl.gitea.com/charts/
register: repo_update
- name: Update Helm repos
command: helm repo update
when: repo_update.changed
- name: Deploy Gitea
kubernetes.core.helm:
name: gitea
chart_ref: gitea/gitea
release_namespace: gitea
create_namespace: true
values:
service:
ssh:
type: LoadBalancer
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: ca-issuer
hosts:
- host: gitea.eom.dev
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- gitea.eom.dev
secretName: gitea-tls
persistence:
size: 2Ti
actions:
enabled: true
provisioning:
enabled: true
gitea:
metrics:
enabled: true
admin:
username: gitea
password: "{{ gitea_admin_password }}"
email: gitea@postfix.eom.dev
ldap:
- name: OpenLDAP
securityProtocol: unencrypted
host: openldap.openldap.svc.cluster.local
port: 389
userSearchBase: dc=eom,dc=dev
userFilter: (&(objectClass=posixAccount)(uid=%s)(memberOf=cn=Gitea Users,ou=Gitea,ou=Services,dc=eom,dc=dev))
adminFilter: (memberOf=cn=Gitea Administrators,ou=Gitea,ou=Services,dc=eom,dc=dev)
emailAttribute: mail
bindDn: cn=readonly,dc=eom,dc=dev
bindPassword: "{{ openldap_readonly_password }}"
usernameAttribute: uid
publicSSHKeyAttribute: sshPublicKey
config:
APP_NAME: "Gitea"
service:
DISABLE_REGISTRATION: true
DEFAULT_ALLOW_CREATE_ORGANIZATION: false
database:
DB_TYPE: postgres
HOST: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local
NAME: gitea
USER: gitea
PASSWD: "{{ gitea_admin_password }}"
session:
PROVIDER: redis
PROVIDER_CONFIG: "redis+cluster://:{{ redis_auth_password }}@redis-redis-cluster.redis.svc.cluster.local:6379"
cache:
ADAPTER: redis
HOST: "redis+cluster://:{{ redis_auth_password }}@redis-redis-cluster.redis.svc.cluster.local:6379"
queue:
TYPE: redis
CONN_STR: "redis+cluster://:{{ redis_auth_password }}@redis-redis-cluster.redis.svc.cluster.local:6379"
redis:
enabled: false
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false

250
tasks/grafana.yaml
View File

@@ -1,193 +1,69 @@
---
# tasks file for grafana
- name: Create Grafana namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: grafana
- name: Create PVC for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mysql
namespace: grafana
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Gi
- name: Create Deployment for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: mysql
namespace: grafana
labels:
app: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
template:
metadata:
labels:
app: mysql
spec:
containers:
- name: mysql
image: mysql
volumeMounts:
- name: data
mountPath: /var/lib/mysql
ports:
- containerPort: 3306
env:
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_DATABASE
value: grafana
- name: MYSQL_USER
value: grafana
- name: MYSQL_PASSWORD
value: "{{ grafana_mysql_password }}"
volumes:
- name: data
persistentVolumeClaim:
claimName: mysql
- name: Create Service for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: mysql
namespace: grafana
spec:
selector:
app: mysql
ports:
- port: 3306
name: mysql
type: ClusterIP
- name: Create a config map for grafana
k8s:
state: present
api_version: v1
kind: ConfigMap
- name: Deploy Grafana
kubernetes.core.helm:
name: grafana
namespace: grafana
definition:
data:
ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}"
- name: Create Deployment for Grafana
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: grafana
namespace: grafana
labels:
app: grafana
spec:
replicas: 1
selector:
matchLabels:
app: grafana
template:
metadata:
labels:
app: grafana
spec:
containers:
- name: grafana
image: grafana/grafana
ports:
- containerPort: 3000
env:
- name: GF_DATABASE_TYPE
value: mysql
- name: GF_DATABASE_HOST
value: mysql
- name: GF_DATABASE_USER
value: grafana
- name: GF_DATABASE_PASSWORD
value: "{{ grafana_mysql_password }}"
- name: GF_AUTH_LDAP_ENABLED
value: "true"
- name: GF_AUTH_LDAP_CONFIG_FILE
value: /etc/grafana/cm/ldap.toml
- name: GF_AUTH_LDAP_ALLOW_SIGN_UP
value: "true"
volumeMounts:
- name: config
mountPath: /etc/grafana/cm
volumes:
- name: config
configMap:
name: grafana
- name: Create Service for Grafana
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: grafana
spec:
selector:
app: grafana
ports:
- port: 80
targetPort: 3000
name: grafana
type: ClusterIP
- name: Create Ingress
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
chart_ref: bitnami/grafana
release_namespace: grafana
create_namespace: true
values:
metrics:
enabled: true
admin:
user: grafana
password: "{{ grafana_admin_password }}"
persistence:
size: 32Gi
grafana:
extraEnvVars:
- name: GF_DATABASE_TYPE
value: postgres
- name: GF_DATABASE_HOST
value: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local
- name: GF_DATABASE_NAME
value: grafana
- name: GF_DATABASE_USER
value: grafana
- name: GF_DATABASE_PASSWORD
value: "{{ grafana_admin_password }}"
- name: GF_DATABASE_URL
value: "postgres://grafana:{{ grafana_admin_password }}@postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local:5432/grafana"
smtp:
enabled: true
user: grafana
password: "{{ grafana_admin_password }}"
host: postfix.eom.dev
fromAddress: grafana@postfix.eom.dev
fromName: Grafana
ldap:
enabled: true
allowSignUp: true
configuration: "{{ lookup('template', 'ldap.toml.j2') }}"
ingress:
enabled: true
pathType: Prefix
hostname: grafana.eom.dev
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: grafana
namespace: grafana
spec:
ingressClassName: nginx
rules:
- host: grafana.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: grafana
port:
number: 80
tls:
- hosts:
- grafana.eom.dev
secretName: grafana
tls: true
datasources:
secretDefinition:
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
access: proxy
orgId: 1
url: http://prometheus-server.prometheus.svc.cluster.local
version: 1
editable: true
isDefault: true
- name: Alertmanager
uid: alertmanager
type: alertmanager
access: proxy
orgId: 1
url: http://prometheus-alertmanager.prometheus.svc.cluster.local:9093
version: 1
editable: true

26
tasks/jupyter.yaml → tasks/jupyterhub.yaml
View File

@@ -4,17 +4,18 @@
kubernetes.core.helm_repository:
name: jupyterhub
repo_url: https://hub.jupyter.org/helm-chart/
register: repo
- name: Update Helm repos
command: helm repo update
when: repo.changed
- name: Deploy Jupyter Hub
kubernetes.core.helm:
name: jupyter
name: jupyterhub
chart_ref: jupyterhub/jupyterhub
release_namespace: jupyter
release_namespace: jupyterhub
create_namespace: true
timeout: 2h
values:
prePuller:
hook:
@@ -31,20 +32,21 @@
admin_access: true
authenticator_class: ldapauthenticator.LDAPAuthenticator
LDAPAuthenticator:
server_address: openldap.auth.svc.cluster.local
server_address: openldap.openldap.svc.cluster.local
server_port: 389
use_ssl: false
tls_strategy: insecure
lookup_dn: true
lookup_dn_search_user: cn=readonly,dc=eom,dc=dev
lookup_dn_search_password: "{{ ldap_readonly_password }}"
lookup_dn_search_filter: ({login_attr}={login})
lookup_dn_search_password: "{{ openldap_readonly_password }}"
lookup_dn_search_filter: (&(objectClass=posixAccount)({login_attr}={login})(memberOf=cn=JupyterHub Users,ou=JupyterHub,ou=Services,dc=eom,dc=dev))
lookup_dn_user_dn_attribute: cn
user_search_base: ou=People,dc=eom,dc=dev
user_search_base: dc=eom,dc=dev
user_attribute: uid
db:
pvc:
storage: 16Gi
type: postgres
url: "postgresql://jupyterhub:{{ jupyterhub_admin_password }}@postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local:5432/jupyterhub"
password: "{{ jupyterhub_admin_password }}"
singleuser:
extraFiles:
jupyter_notebook_config.json:
@@ -58,7 +60,7 @@
cull_connected: true
cull_busy: false
storage:
capacity: 32Gi
capacity: 64Gi
image:
name: jupyter/minimal-notebook
tag: latest
@@ -91,10 +93,10 @@
cert-manager.io/cluster-issuer: ca-issuer
ingressClassName: nginx
hosts:
- jupyter.eom.dev
- jupyterhub.eom.dev
pathSuffix:
pathType: Prefix
tls:
- hosts:
- jupyter.eom.dev
- jupyterhub.eom.dev
secretName: jupyterhub

4
tasks/main.yaml
View File

@@ -1,4 +1,6 @@
---
# tasks file for eom
- name: Deploy
include_tasks: git.yaml
include_tasks: "{{ item }}"
loop:
- owncast.yaml

97
tasks/mastodon.yaml
View File

@@ -8,55 +8,64 @@
create_namespace: true
timeout: 600s
values:
adminUser: "mastodon"
adminEmail: "mastodon@mail.eom.dev"
adminPassword: "{{ mastodon_admin_password }}"
otpSecret: ""
secretKeyBase: ""
vapidPrivateKey: ""
vapidPublicKey: ""
activeRecordEncryptionDeterministicKey: ""
activeRecordEncryptionKeyDerivationSalt: ""
activeRecordEncryptionPrimaryKey: ""
extraConfig:
LDAP_ENABLED: "true"
LDAP_HOST: openldap.auth.svc.cluster.local
LDAP_PORT: "389"
LDAP_METHOD: plain
LDAP_BASE: ou=People,dc=eom,dc=dev
LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev
LDAP_PASSWORD: "{{ ldap_readonly_password }}"
LDAP_UID: uid
LDAP_SEARCH_FILTER: "(&(objectClass=inetOrgPerson)(uid=%{uid}))"
LDAP_MAIL: mail
enableS3: false
localDomain: "mastodon.eom.dev"
smtp:
server: "mail.eom.dev"
port: 587
from_address: "mastodon@mail.eom.dev"
domain: "mail.eom.dev"
reply_to: "mastodon@mail.eom.dev"
delivery_method: smtp
ca_file: /etc/ssl/certs/ca-certificates.crt
openssl_verify_mode: none
enable_starttls_auto: true
tls: true
auth_method: starttls
login: "mastodon"
password: "{{ mastodon_mail_password }}"
persistence:
metrics:
enabled: true
size: 128Gi
initJob:
precompileAssets:
resourcesPreset: "micro"
resources:
requests:
cpu: 0m
memory: 0Mi
limits:
cpu: 1.5
memory: 3072Mi
adminUser: mastodon
adminEmail: mastodon@postfix.eom.dev
adminPassword: "{{ mastodon_admin_password }}"
extraConfig:
LDAP_ENABLED: "true"
LDAP_HOST: openldap.openldap.svc.cluster.local
LDAP_PORT: "389"
LDAP_METHOD: plain
LDAP_BASE: dc=eom,dc=dev
LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev
LDAP_PASSWORD: "{{ openldap_readonly_password }}"
LDAP_UID: uid
LDAP_SEARCH_FILTER: (&(objectClass=posixAccount)(|(%{uid}=%{username})(%{mail}=%{email}))(memberOf=cn=Mastodon Users,ou=Mastodon,ou=Services,dc=eom,dc=dev))
LDAP_MAIL: mail
enableS3: false
localDomain: mastodon.eom.dev
smtp:
server: postfix.eom.dev
port: 587
from_address: mastodon@postfix.eom.dev
domain: postfix.eom.dev
reply_to: mastodon@postfix.eom.dev
delivery_method: smtp
tls: true
auth_method: starttls
login: mastodon
password: "{{ mastodon_admin_password }}"
persistence:
enabled: true
size: 8Ti
redis:
enabled: true
auth:
password: "{{ mastodon_redis_password }}"
password: "{{ redis_auth_password }}"
postgresql:
auth:
password: "{{ mastodon_postgres_password }}"
enabled: false
externalDatabase:
host: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local
user: mastodon
password: "{{ mastodon_admin_password }}"
database: mastodon
port: 5432
elasticsearch:
enabled: false
externalElasticsearch:
host: elasticsearch.elasticsearch.svc.cluster.local
port: 9200
minio:
enabled: false
apache:
@@ -66,7 +75,7 @@
http: 80
ingress:
enabled: true
hostname: "mastodon.eom.dev"
hostname: mastodon.eom.dev
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: ca-issuer

30
tasks/mediawiki.yaml
View File

@@ -9,37 +9,31 @@
values:
mediawikiUser: mediawiki
mediawikiPassword: "{{ mediawiki_admin_password }}"
mediawikiEmail: mediawiki@mail.eom.dev
mediawikiEmail: mediawiki@postfix.eom.dev
mediawikiName: MediaWiki
mediawikiHost: https://wiki.eom.dev/
smtpHost: mail.eom.dev
mediawikiHost: https://postfix.eom.dev/
smtpHost: postfix.eom.dev
smtpPort: 587
smtpUser: mediawiki
smtpPassword: "{{ mediawiki_mail_password }}"
smtpPassword: "{{ mediawiki_admin_password }}"
persistence:
size: 32Gi
service:
type: ClusterIP
externalDatabase:
host: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local
port: 5432
database: mediawiki
user: mediawiki
password: "{{ mediawiki_admin_password }}"
ingress:
enabled: true
annotations:
cert-manager.io/clusteer-issuer: ca-issuer
ingressClassName: nginx
pathType: Prefix
hostname: wiki.eom.dev
extraHosts:
- mediawiki.eom.dev
hostname: mediawiki.eom.dev
path: /
tls: true
extraTls:
- hosts:
- wiki.eom.dev
- mediawiki.eom.dev
secretName: mediawiki
mariadb:
auth:
rootPassword: "{{ mariadb_root_password }}"
password: "{{ mediawiki_mariadb_password }}"
primary:
persistence:
size: 128Gi
enabled: false

69
tasks/nextcloud.yaml Normal file
View File

@@ -0,0 +1,69 @@
---
# tasks file for nextcloud
- name: Add NextCloud repo
kubernetes.core.helm_repository:
name: nextcloud
repo_url: https://nextcloud.github.io/helm/
register: repo
- name: Update Helm repos
command: helm repo update
when: repo.changed
- name: Deploy NextCloud
kubernetes.core.helm:
name: nextcloud
chart_ref: nextcloud/nextcloud
release_namespace: nextcloud
create_namespace: true
values:
nextcloud:
host: nextcloud.eom.dev
username: nextcloud
password: "{{ nextcloud_admin_password }}"
configs:
proxy.config.php: |-
<?php
$CONFIG = array (
'trusted_proxies' => array(
0 => '127.0.0.1',
1 => '10.0.0.0/8',
),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
);
mail:
enabled: true
fromAddress: nextcloud
domain: postfix.eom.dev
smtp:
host: postfix.eom.dev
secure: ssl
port: 587
authtype: LOGIN
name: nextcloud
password: "{{ nextcloud_admin_password }}"
internalDatabase:
enabled: false
externalDatabase:
enabled: true
type: postgresql
host: postgresql-postgresql-ha-pgpool.postgresql.svc.cluster.local
user: nextcloud
password: "{{ nextcloud_admin_password }}"
database: nextcloud
persistence:
enabled: true
size: 8Ti
metrics:
enabled: true
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
cert-manager.io/cluster-issuer: ca-issuer
tls:
- hosts:
- nextcloud.eom.dev
secretName: nextcloud-tls

100
tasks/auth.yaml → tasks/openldap.yaml
View File

@@ -1,13 +1,13 @@
---
# tasks file for openldap
- name: Create auth namespace
# Tasks file for OpenLDAP
- name: Create OpenLDAP namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: auth
name: openldap
- name: Create PVC for OpenLDAP data
k8s:
@@ -17,13 +17,13 @@
kind: PersistentVolumeClaim
metadata:
name: data
namespace: auth
namespace: openldap
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storage: 16Gi
- name: Create PVC for OpenLDAP configuration
k8s:
@@ -33,13 +33,13 @@
kind: PersistentVolumeClaim
metadata:
name: config
namespace: auth
namespace: openldap
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storage: 16Gi
- name: Create Deployment for OpenLDAP
k8s:
@@ -48,7 +48,7 @@
kind: Deployment
metadata:
name: openldap
namespace: auth
namespace: openldap
spec:
replicas: 1
selector:
@@ -68,11 +68,11 @@
- name: LDAP_DOMAIN
value: "eom.dev"
- name: LDAP_ADMIN_PASSWORD
value: "{{ ldap_admin_password }}"
value: "{{ openldap_admin_password }}"
- name: LDAP_READONLY_USER
value: "true"
- name: LDAP_READONLY_USER_PASSWORD
value: "{{ ldap_readonly_password }}"
value: "{{ openldap_readonly_password }}"
volumeMounts:
- name: config
mountPath: /etc/ldap/slapd.d
@@ -96,7 +96,7 @@
kind: Service
metadata:
name: openldap
namespace: auth
namespace: openldap
spec:
selector:
app: openldap
@@ -106,81 +106,3 @@
- port: 636
name: ldaps
type: ClusterIP
- name: Create Deployment for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: phpldapadmin
namespace: auth
spec:
replicas: 1
selector:
matchLabels:
app: phpldapadmin
template:
metadata:
labels:
app: phpldapadmin
spec:
containers:
- name: phpldapadmin
image: osixia/phpldapadmin
env:
- name: PHPLDAPADMIN_LDAP_HOSTS
value: "openldap"
- name: PHPLDAPADMIN_SERVER_ADMIN
value: "eric@mail.eom.dev"
- name: PHPLDAPADMIN_SERVER_PATH
value: "/"
- name: PHPLDAPADMIN_HTTPS
value: "false"
ports:
- containerPort: 80
- name: Create Service for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: phpldapadmin
namespace: auth
spec:
selector:
app: phpldapadmin
ports:
- port: 80
name: http
type: ClusterIP
- name: Create Ingress
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: phpldapadmin
namespace: auth
spec:
ingressClassName: nginx
rules:
- host: auth.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: phpldapadmin
port:
number: 80
tls:
- hosts:
- auth.eom.dev
secretName: phpldapadmin

14
tasks/stream.yaml → tasks/owncast.yaml
View File

@@ -7,7 +7,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: stream
name: owncast
- name: Create PVC for OwnCast
k8s:
@@ -17,7 +17,7 @@
kind: PersistentVolumeClaim
metadata:
name: owncast
namespace: stream
namespace: owncast
spec:
accessModes:
- ReadWriteOnce
@@ -33,7 +33,7 @@
kind: Deployment
metadata:
name: owncast
namespace: stream
namespace: owncast
labels:
app: owncast
spec:
@@ -69,7 +69,7 @@
kind: Service
metadata:
name: owncast
namespace: stream
namespace: owncast
spec:
selector:
app: owncast
@@ -90,11 +90,11 @@
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: owncast
namespace: stream
namespace: owncast
spec:
ingressClassName: nginx
rules:
- host: stream.eom.dev
- host: owncast.eom.dev
http:
paths:
- pathType: Prefix
@@ -106,5 +106,5 @@
number: 8080
tls:
- hosts:
- stream.eom.dev
- owncast.eom.dev
secretName: owncast

88
tasks/phpldapadmin.yaml Normal file
View File

@@ -0,0 +1,88 @@
---
# tasks file for phpLDAPadmin
- name: Create phpLDAPadmin namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: phpldapadmin
- name: Create Deployment for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: phpldapadmin
namespace: phpldapadmin
spec:
replicas: 1
selector:
matchLabels:
app: phpldapadmin
template:
metadata:
labels:
app: phpldapadmin
spec:
containers:
- name: phpldapadmin
image: osixia/phpldapadmin
env:
- name: PHPLDAPADMIN_LDAP_HOSTS
value: "openldap.openldap.svc.cluster.local"
- name: PHPLDAPADMIN_SERVER_ADMIN
value: "phpldapadmin@postfix.eom.dev"
- name: PHPLDAPADMIN_SERVER_PATH
value: "/"
- name: PHPLDAPADMIN_HTTPS
value: "false"
ports:
- containerPort: 80
- name: Create Service for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: phpldapadmin
namespace: phpldapadmin
spec:
selector:
app: phpldapadmin
ports:
- port: 80
name: http
type: ClusterIP
- name: Create Ingress
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: phpldapadmin
namespace: phpldapadmin
spec:
ingressClassName: nginx
rules:
- host: phpldapadmin.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: phpldapadmin
port:
number: 80
tls:
- hosts:
- phpldapadmin.eom.dev
secretName: phpldapadmin

71
tasks/mail.yaml → tasks/postfix.yaml
View File

@@ -1,25 +1,25 @@
---
# tasks file for mail
- name: Create Mail namespace
# tasks file for postfix
- name: Create Postfix namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: mail
name: postfix
- name: Request a certificate for mail
- name: Request a certificate for postfix
k8s:
state: present
definition:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mail
namespace: mail
name: postfix
namespace: postfix
spec:
secretName: mail
secretName: postfix
privateKey:
algorithm: RSA
encoding: PKCS1
@@ -33,9 +33,10 @@
subject:
organizations:
- EOM
commonName: mail.eom.dev
commonName: postfix.eom.dev
dnsNames:
- mail.eom.dev
- postfix.eom.dev
- dovecot.eom.dev
issuerRef:
name: ca-issuer
kind: ClusterIssuer
@@ -47,14 +48,14 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mail
namespace: mail
name: postfix
namespace: postfix
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 128Gi
storage: 1Ti
- name: Create a deployment
k8s:
@@ -62,25 +63,25 @@
apiVersion: v1
kind: Deployment
metadata:
name: mail
namespace: mail
name: postfix
namespace: postfix
spec:
replicas: 1
selector:
matchLabels:
app: mail
app: postfix
template:
metadata:
labels:
app: mail
app: postfix
spec:
containers:
- name: mail
- name: postfix
image: mailserver/docker-mailserver
volumeMounts:
- name: ssl
mountPath: /etc/letsencrypt
- name: mail
- name: postfix
mountPath: /var/mail
ports:
- containerPort: 25
@@ -89,29 +90,29 @@
- containerPort: 993
env:
- name: OVERRIDE_HOSTNAME
value: "mail.eom.dev"
value: "postfix.eom.dev"
- name: POSTMASTER_ADDRESS
value: "eric@mail.eom.dev"
value: "postfix@postfix.eom.dev"
- name: ACCOUNT_PROVISIONER
value: "LDAP"
- name: LDAP_SERVER_HOST
value: "ldap://openldap.auth.svc.cluster.local/"
value: "ldap://openldap.openldap.svc.cluster.local/"
- name: LDAP_SEARCH_BASE
value: "dc=eom,dc=dev"
- name: LDAP_BIND_DN
value: "cn=readonly,dc=eom,dc=dev"
- name: LDAP_BIND_PW
value: "{{ ldap_readonly_password }}"
value: "{{ openldap_readonly_password }}"
- name: LDAP_QUERY_FILTER_DOMAIN
value: "(mail=*@%s)"
- name: LDAP_QUERY_FILTER_USER
value: "(mail=%s)"
value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))"
- name: LDAP_QUERY_FILTER_ALIAS
value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
value: "(&(objectClass=posixAccount)(mailAlias=%s))"
- name: LDAP_QUERY_FILTER_GROUP
value: "(&(objectClass=inetOrgPerson)(mailGroupMember=%s))"
value: "(&(objectClass=posixAccount)(mailGroupMember=%s))"
- name: LDAP_QUERY_FILTER_SENDERS
value: "(&(objectClass=inetOrgPerson)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
value: "(&(objectClass=posixAccount)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
- name: SPOOF_PROTECTION
value: "1"
- name: DOVECOT_AUTH_BIND
@@ -119,17 +120,17 @@
- name: DOVECOT_DEFAULT_PASS_SCHEME
value: "MD5-CRYPT"
- name: DOVECOT_USER_FILTER
value: "(&(objectClass=inetOrgPerson)(uid=%n))"
value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Dovecot Users,ou=Dovecot,ou=Services,dc=eom,dc=dev))"
- name: DOVECOT_PASS_ATTRS
value: "uid=user,userPassword=password"
- name: DOVECOT_USER_ATTRS
value: "=home=/var/mail/%{ldap:uid},=uid=5000,=gid=5000,=mail=maildir:~/Maildir"
value: "=home=/var/mail/%{ldap:uid},=uid=%{ldap:uidNumber},=gid=%{ldap:gidNumber},=mail=maildir:~/Maildir"
- name: ENABLE_SASLAUTHD
value: "1"
- name: SASLAUTHD_MECHANISMS
value: "ldap"
- name: SASLAUTHD_LDAP_FILTER
value: "(mail=%U@mail.eom.dev)"
value: "(mail=%U@postfix.eom.dev)"
- name: SSL_TYPE
value: "manual"
- name: SSL_CERT_PATH
@@ -139,10 +140,10 @@
volumes:
- name: ssl
secret:
secretName: mail
- name: mail
secretName: postfix
- name: postfix
persistentVolumeClaim:
claimName: mail
claimName: postfix
- name: Expose deployment as a service
k8s:
@@ -150,11 +151,11 @@
apiVersion: v1
kind: Service
metadata:
name: mail
namespace: mail
name: postfix
namespace: postfix
spec:
selector:
app: mail
app: postfix
ports:
- port: 25
name: smtp-a

38
tasks/postgresql.yaml Normal file
View File

@@ -0,0 +1,38 @@
---
# tasks file for postgresql
- name: Deploy PostgreSQL
kubernetes.core.helm:
name: postgresql
chart_ref: bitnami/postgresql-ha
release_namespace: postgresql
create_namespace: true
values:
metrics:
enabled: true
volumePermissions:
enabled: true
pgpool:
adminPassword: "{{ postgresql_admin_password }}"
customUsers:
usernames: gitea,grafana,jupyterhub,mastodon,nextcloud
passwords: "{{ gitea_admin_password }},{{ grafana_admin_password }},{{ jupyterhub_admin_password }},{{ mastodon_admin_password }},{{ nextcloud_admin_password }}"
backup:
enabled: true
persistence:
size: 2Ti
postgresql:
username: postgres
password: "{{ postgresql_admin_password }}"
repmgrPassword: "{{ postgresql_repmgr_password }}"
initdbScripts:
setup.sql: |
CREATE USER gitea WITH PASSWORD '{{ gitea_admin_password }}';
CREATE DATABASE gitea WITH OWNER gitea;
CREATE USER grafana WITH PASSWORD '{{ grafana_admin_password }}';
CREATE DATABASE grafana WITH OWNER grafana;
CREATE USER jupyterhub WITH PASSWORD '{{ jupyterhub_admin_password }}';
CREATE DATABASE jupyterhub WITH OWNER jupyterhub;
CREATE USER mastodon WITH PASSWORD '{{ mastodon_admin_password }}';
CREATE DATABASE mastodon WITH OWNER mastodon;
CREATE USER nextcloud WITH PASSWORD '{{ nextcloud_admin_password }}';
CREATE DATABASE nextcloud WITH OWNER nextcloud;

93
tasks/monitoring.yaml → tasks/prometheus.yaml
View File

@@ -1,31 +1,46 @@
---
# tasks file for grafana
- name: Create monitoring namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
# tasks file for prometheus
- name: Deploy Prometheus
kubernetes.core.helm:
name: prometheus
chart_ref: bitnami/prometheus
release_namespace: monitoring
timeout: 300s
release_namespace: prometheus
create_namespace: true
values:
server:
persistence:
size: 32Gi
size: 256Gi
extraScrapeConfigs:
- job_name: apps
static_configs:
- targets:
- gitea.eom.dev
labels:
instance: gitea
- targets:
- grafana.eom.dev
labels:
instance: grafana
- targets:
- jupyterhub.eom.dev
labels:
instance: jupyterhub
- targets:
- mastodon.eom.dev
labels:
instance: mastodon
- targets:
- nextcloud-metrics.nextcloud.svc.cluster.local
labels:
instance: nextcloud
metrics_path: /metrics
- job_name: libvirt_exporter
static_configs:
- targets:
- 192.168.1.48:9177
labels:
instance: poweredge-t640
metrics_path: /metrics
- job_name: node_exporter
static_configs:
- targets:
@@ -93,55 +108,3 @@
labels:
instance: alpha-worker-12
metrics_path: /metrics
- name: Deploy Grafana
kubernetes.core.helm:
name: grafana
chart_ref: bitnami/grafana
release_namespace: monitoring
timeout: 300s
values:
admin:
user: grafana
password: "{{ grafana_admin_password }}"
persistence:
size: 32Gi
smtp:
enabled: true
user: grafana
password: "{{ grafana_mail_password }}"
host: mail.eom.dev
fromAddress: grafana@mail.eom.dev
fromName: Grafana
ldap:
enabled: true
allowSignUp: true
configuration: "{{ lookup('template', 'ldap.toml.j2') }}"
ingress:
enabled: true
pathType: Prefix
hostname: grafana.eom.dev
annotations:
cert-manager.io/cluster-issuer: ca-issuer
ingressClassName: nginx
tls: true
datasources:
secretDefinition:
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
access: proxy
orgId: 1
url: http://prometheus.monitoring.svc.cluster.local
version: 1
editable: true
isDefault: true
- name: Alertmanager
uid: alertmanager
type: alertmanager
access: proxy
orgId: 1
url: http://prometheus-alertmanager.monitoring.svc.cluster.local:9093
version: 1
editable: true

14
tasks/redis.yaml Normal file
View File

@@ -0,0 +1,14 @@
---
# tasks file for redis
- name: Deploy Redis
kubernetes.core.helm:
name: redis
chart_ref: bitnami/redis-cluster
release_namespace: redis
create_namespace: true
values:
metrics:
enabled: true
password: "{{ redis_auth_password }}"
persistence:
size: 64Gi