From 78b4b04bdcb01e7ba44ba49b48b989bfbf8ce07e Mon Sep 17 00:00:00 2001 From: eric o meehan Date: Mon, 9 Dec 2024 21:36:13 -0500 Subject: [PATCH] adding collabora --- tasks/collabora.yaml | 44 ++++++++++ tasks/elasticsearch.yaml | 2 +- tasks/gitea.yaml | 18 ++--- tasks/grafana.yaml | 4 +- tasks/jupyterhub.yaml | 2 +- tasks/main.yaml | 2 +- tasks/mastodon.yaml | 45 ++++++----- tasks/mediawiki.yaml | 170 +++++++++++++++++++++++++++++++-------- tasks/minio.yaml | 58 +++++++++++++ tasks/nextcloud.yaml | 18 ++--- tasks/openldap.yaml | 4 +- tasks/postfix.yaml | 2 +- tasks/postgresql.yaml | 8 +- 13 files changed, 290 insertions(+), 87 deletions(-) create mode 100644 tasks/collabora.yaml create mode 100644 tasks/minio.yaml diff --git a/tasks/collabora.yaml b/tasks/collabora.yaml new file mode 100644 index 0000000..9aa400a --- /dev/null +++ b/tasks/collabora.yaml 
@@ -0,0 +1,44 @@ +--- +# tasks file for collabora +- name: Add Collabora repo + kubernetes.core.helm_repository: + name: collabora + repo_url: https://collaboraonline.github.io/online/ + register: repo + +- name: Update Helm repos + command: helm repo update + when: repo.changed + +- name: Deploy Collabora + kubernetes.core.helm: + name: collabora + chart_ref: collabora/collabora-online + release_namespace: collabora + create_namespace: true + values: + collabora: + server_name: collabora.eom.dev + username: collabora_admin + password: "{{ collabora_admin_password }}" + aliasgroups: + - host: "https://nextcloud.eom.dev:443" + extra_params: --o:ssl.enable=false --o:ssl.termination=true + ingress: + enabled: true + className: "nginx" + annotations: + nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + cert-manager.io/cluster-issuer: ca-issuer + hosts: + - host: collabora.eom.dev + paths: + - path: / + pathType: ImplementationSpecific + tls: + - hosts: + - collabora.eom.dev + secretName: collabora-tls diff --git a/tasks/elasticsearch.yaml b/tasks/elasticsearch.yaml index 7cd0c5f..628c679 100644 --- a/tasks/elasticsearch.yaml +++ b/tasks/elasticsearch.yaml @@ -16,6 +16,6 @@ data: replicaCount: 1 persistence: - size: 256Gi + size: 512Gi ingest: replicaCount: 1 diff --git a/tasks/gitea.yaml b/tasks/gitea.yaml index eae1504..bcde462 100644 --- a/tasks/gitea.yaml +++ b/tasks/gitea.yaml @@ -44,7 +44,7 @@ metrics: enabled: true admin: - username: gitea + username: gitea_admin password: "{{ gitea_admin_password }}" email: gitea@postfix.eom.dev ldap: @@ -70,12 +70,8 @@ global: redis: password: "{{ gitea_admin_password }}" - master: - persistence: - size: 32Gi - replica: - persistence: - size: 32Gi + persistence: + enabled: true redis-cluster: enabled: false postgresql: 
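Review bot: `chart_ref: collabora/collabora-online` carries no `chart_version`, so every run installs whatever the repository currently publishes, and the `helm repo update` forced whenever the repository task reports a change can silently move the release onto a new chart with different defaults; pin the version you validated, e.g. `chart_version: "<validated version>"`, and do the same for `bitnami/minio` and `bitnami/mariadb` added elsewhere in this patch. The `--o:ssl.enable=false --o:ssl.termination=true` pairing depends on the nginx ingress terminating TLS for `collabora.eom.dev`, which the `tls:` block at the end of the hunk does provide, so that part is consistent. A one-line comment on `extra_params` such as `# TLS is terminated at the ingress; Collabora speaks plain HTTP in-cluster` would keep the next reader from assuming the in-cluster hop is encrypted.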
@@ -83,12 +79,12 @@ global: postgresql: auth: + username: gitea password: "{{ gitea_admin_password }}" + database: gitea primary: persistence: - size: 256Gi - readReplicas: - persistence: - size: 256Gi + enabled: true + size: 2Ti postgresql-ha: enabled: false diff --git a/tasks/grafana.yaml b/tasks/grafana.yaml index 64d6ba3..876001f 100644 --- a/tasks/grafana.yaml +++ b/tasks/grafana.yaml @@ -10,7 +10,7 @@ metrics: enabled: true admin: - user: grafana + user: grafana_admin password: "{{ grafana_admin_password }}" persistence: size: 64Gi @@ -56,6 +56,6 @@ type: alertmanager access: proxy orgId: 1 - url: http://prometheus-alertmanager.prometheus.svc.cluster.local:9093 + url: http://prometheus-alertmanager.prometheus.svc.cluster.local version: 1 editable: true diff --git a/tasks/jupyterhub.yaml b/tasks/jupyterhub.yaml index 1df51b6..8d21b59 100644 --- a/tasks/jupyterhub.yaml +++ b/tasks/jupyterhub.yaml @@ -96,4 +96,4 @@ tls: - hosts: - jupyterhub.eom.dev - secretName: jupyterhub + secretName: jupyterhub-tls diff --git a/tasks/main.yaml b/tasks/main.yaml index eb0c73b..a43ff35 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -3,4 +3,4 @@ - name: Deploy include_tasks: "{{ item }}" loop: - - owncast.yaml + - collabora.yaml diff --git a/tasks/mastodon.yaml b/tasks/mastodon.yaml index a1c0bc9..88c1122 100644 --- a/tasks/mastodon.yaml +++ b/tasks/mastodon.yaml 
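Review bot: `postgresql.auth.password` is `{{ gitea_admin_password }}`, the same value this file uses for the Gitea admin account and, in the previous hunk, for `redis.password`, so a compromise of any one of the web admin, the cache or the database yields the other two. Give each backend its own variable, e.g. `password: "{{ gitea_db_password }}"`, and mirror it in tasks/postgresql.yaml, where the shared instance creates the `gitea` role with the same admin value. The `values:` mapping this hunk belongs to begins and ends outside the hunk.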
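Review bot: The alertmanager datasource URL drops its `:9093`, so Grafana now connects on port 80; that is only correct if the `prometheus-alertmanager` Service in the `prometheus` namespace exposes port 80, which nothing in this patch shows. If the change is deliberate, a comment beside `url:` such as `# Service exposes 80 -> 9093` would save the next reader a round trip to the Prometheus release.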
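Review bot: The `loop:` still lists exactly one file, now `collabora.yaml` in place of `owncast.yaml`, so running the role deploys Collabora and nothing else; the new tasks/minio.yaml and the rewritten tasks/mediawiki.yaml and tasks/mastodon.yaml in this patch are never included (the hunk reaches the end of the file, so no further items exist). If this is intentionally a one-service-at-a-time switch, say so with `# deploy one service per run; edit before running`; otherwise list every task file or drive it from a variable, e.g. `loop: "{{ services }}"`.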
@@ -18,10 +18,17 @@ memory: 0Mi limits: cpu: 1.5 - memory: 3072Mi - adminUser: mastodon - adminEmail: mastodon@postfix.eom.dev + memory: 8192Mi + adminUser: mastodon_admin + adminEmail: mastodon_admin@postfix.eom.dev adminPassword: "{{ mastodon_admin_password }}" + otpSecret: "{{ mastodon_otp_secret }}" + secretKeyBase: "{{ mastodon_secret_key_base }}" + vapidPrivateKey: "{{ mastodon_vapid_private_key }}" + vapidPublicKey: "{{ mastodon_vapid_public_key }}" + activeRecordEncryptionDeterministicKey: "{{ mastodon_active_record_encryption_deterministic_key }}" + activeRecordEncryptionKeyDerivationSalt: "{{ mastodon_active_record_encryption_key_derivation_salt }}" + activeRecordEncryptionPrimaryKey: "{{ mastodon_active_record_encryption_primary_key }}" extraConfig: LDAP_ENABLED: "true" LDAP_HOST: openldap.openldap.svc.cluster.local @@ -33,7 +40,6 @@ LDAP_UID: uid LDAP_SEARCH_FILTER: (&(objectClass=posixAccount)(|(%{uid}=%{email})(%{mail}=%{email}))(memberOf=cn=Mastodon Users,ou=Mastodon,ou=Services,dc=eom,dc=dev)) LDAP_MAIL: mail - enableS3: false localDomain: mastodon.eom.dev smtp: server: postfix.eom.dev @@ -48,39 +54,36 @@ password: "{{ mastodon_admin_password }}" persistence: enabled: true - size: 8Ti + size: 64Gi redis: enabled: true auth: password: "{{ mastodon_admin_password }}" - master: - persistence: - size: 32Gi - replica: - persistence: - size: 32Gi postgresql: enabled: true - global: - postgresql: - auth: - password: "{{ mastodon_admin_password }}" + auth: + username: mastodon + password: "{{ mastodon_admin_password }}" + database: mastodon primary: persistence: - size: 256Gi - readReplicas: - persistence: - size: 256Gi + enabled: true + size: 2Ti elasticsearch: enabled: true master: persistence: - size: 32Gi + size: 64Gi data: persistence: - size: 32Gi + size: 512Gi minio: enabled: false + externalS3: + host: minio.api.eom.dev + accessKeyId: mastodon + accessKeySecret: "{{ mastodon_admin_password }}" + bucket: mastodon apache: service: type: ClusterIP 
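Review bot: `externalS3.accessKeySecret` is `{{ mastodon_admin_password }}`, the same value already used here for the admin login, `redis.auth.password`, `postgresql.auth.password` and the elasticsearch password, so a leaked S3 key (the credential most likely to be copied into SDK configs and tooling) also opens the admin UI, the database and the cache; use a dedicated variable, e.g. `accessKeySecret: "{{ mastodon_s3_secret_key }}"`. `host: minio.api.eom.dev` matches no ingress in this patch — tasks/minio.yaml publishes the API at `minio.eom.dev` — and that MinIO release is configured for LDAP identity with `defaultBuckets: default`, so a `mastodon` access key and a `mastodon` bucket exist only if something outside this role creates them; an LDAP user's password is not itself an S3 secret key, so a MinIO access key or service account should be provisioned and its generated secret used here. The earlier hunk removes `enableS3: false` without setting anything to true, so confirm the chart's S3 toggle is really driven by `externalS3` alone.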
diff --git a/tasks/mediawiki.yaml b/tasks/mediawiki.yaml index c094a25..38f9baf 100644 --- a/tasks/mediawiki.yaml +++ b/tasks/mediawiki.yaml 
@@ -1,42 +1,144 @@ --- # tasks file for mediawiki -- name: Deploy MediaWiki +- name: Create MediaWiki namespace + k8s: + state: present + definition: + apiVersion: v1 + kind: Namespace + metadata: + name: mediawiki + +- name: Deploy MariaDB kubernetes.core.helm: - name: mediawiki - chart_ref: bitnami/mediawiki + name: mariadb + chart_ref: bitnami/mariadb release_namespace: mediawiki - create_namespace: true values: - mediawikiUser: mediawiki - mediawikiPassword: "{{ mediawiki_admin_password }}" - mediawikiEmail: mediawiki@postfix.eom.dev - mediawikiName: MediaWiki - mediawikiHost: https://mediawiki.eom.dev/ - smtpHost: postfix.eom.dev - smtpPort: 587 - smtpUser: mediawiki - smtpPassword: "{{ mediawiki_admin_password }}" - persistence: - size: 32Gi - service: + auth: + rootPassword: "{{ mediawiki_admin_password }}" + username: mediawiki + password: "{{ mediawiki_admin_password }}" + database: mediawiki + primary: + persistence: + size: 4Ti + +- name: Create Deployment for MediaWiki + k8s: + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: mediawiki + namespace: mediawiki + spec: + replicas: 1 + selector: + matchLabels: + app: mediawiki + template: + metadata: + labels: + app: mediawiki + spec: + containers: + - name: mediawiki + image: ericomeehan/mediawiki-extended + imagePullPolicy: Always + env: + - name: WIKI_NAME + value: MediaWiki + - name: WIKI_ADMIN + value: mediawiki_admin + - name: WIKI_ADMIN_PASS + value: "{{ mediawiki_admin_password }}" + - name: WIKI_LANG + value: en + - name: WIKI_URL + value: https://mediawiki.eom.dev/ + - name: DB_HOST + value: mariadb + - name: DB_PORT + value: "3306" + - name: DB_NAME + value: mediawiki + - name: DB_USER + value: mediawiki + - name: DB_PASS + value: "{{ mediawiki_admin_password }}" + - name: LDAP_BASE + value: dc=eom,dc=dev + - name: LDAP_SERVER_NAME + value: openldap.openldap.svc.cluster.local + - name: LDAP_SERVER_PORT + value: "389" + - name: LDAP_DOMAINNAME + value: 
openldap.openldap.svc.cluster.local + - name: LDAP_ENCTYPE + value: clear + - name: LDAP_USER_ATTR + value: uid + - name: LDAP_REAL_NAME_ATTR + value: cn + - name: LDAP_MAIL_ATTR + value: mail + - name: LDAP_BIND_USER + value: cn=readonly,dc=eom,dc=dev + - name: LDAP_BIND_PASS + value: "{{ openldap_readonly_password }}" + - name: LDAP_BUREAUCRAT_GROUP + value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev + - name: LDAP_INTERFACE_ADMIN_GROUP + value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev + - name: LDAP_SYSOP_GROUP + value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev + - name: LDAP_SEARCH_FILTER + value: (&(objectClass=posixAccount)(uid=%1$s)(memberOf=cn=Mediawiki Users,ou=MediaWiki,ou=Services,dc=eom,dc=dev)) + ports: + - containerPort: 80 + +- name: Create Service for MediaWiki + k8s: + definition: + apiVersion: v1 + kind: Service + metadata: + name: mediawiki + namespace: mediawiki + spec: + selector: + app: mediawiki + ports: + - port: 80 + name: http type: ClusterIP - ingress: - enabled: true + +- name: Create Ingress + k8s: + state: present + definition: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: annotations: - cert-manager.io/clusteer-issuer: ca-issuer + cert-manager.io/cluster-issuer: ca-issuer + name: mediawiki + namespace: mediawiki + spec: ingressClassName: nginx - pathType: Prefix - hostname: mediawiki.eom.dev - path: / - tls: true - mariadb: - db: - name: mediawiki - user: mediawiki - password: "{{ mediawiki_admin_password }}" - master: - persistence: - size: 256Gi - slave: - persistence: - size: 256Gi + rules: + - host: mediawiki.eom.dev + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: mediawiki + port: + number: 80 + tls: + - hosts: + - mediawiki.eom.dev + secretName: mediawiki diff --git a/tasks/minio.yaml b/tasks/minio.yaml new file mode 100644 index 0000000..d2e73ca --- /dev/null +++ b/tasks/minio.yaml 
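Review bot: The Deployment manifest declares `apiVersion: v1` with `kind: Deployment`; Deployment lives in `apps/v1`, so the k8s task fails before anything else in this hunk is exercised — change it to `apiVersion: apps/v1`. `WIKI_ADMIN_PASS`, `DB_PASS` and `LDAP_BIND_PASS` are rendered as literal `value:` env entries, so anyone able to read Deployments or Pods in the `mediawiki` namespace reads the wiki admin, database and LDAP bind passwords; create a Secret (a preceding `k8s` task with `kind: Secret`, fed from the same variables) and reference it with `valueFrom.secretKeyRef` as below. `LDAP_ENCTYPE: clear` against `openldap.openldap.svc.cluster.local:389` also sends the bind password and every user's login password across the cluster network unencrypted — if the OpenLDAP deployment offers LDAPS or StartTLS, switch to it here and in tasks/minio.yaml. Finally, `image: ericomeehan/mediawiki-extended` has no tag or digest and `imagePullPolicy: Always`, so every restart pulls whatever `latest` is at that moment; pin a tag or an `@sha256:` digest, and note that the container has no volume mount, so anything MediaWiki writes to its filesystem (uploads, if the image stores them there) is lost on restart.
```yaml
          env:
            # … unchanged: WIKI_NAME, WIKI_ADMIN …
            - name: WIKI_ADMIN_PASS
              valueFrom:
                secretKeyRef:
                  name: mediawiki-credentials
                  key: wiki-admin-password
            # … unchanged: WIKI_LANG, WIKI_URL, DB_HOST, DB_PORT, DB_NAME, DB_USER …
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: mediawiki-credentials
                  key: db-password
            # … unchanged: LDAP_BASE … LDAP_BIND_USER …
            - name: LDAP_BIND_PASS
              valueFrom:
                secretKeyRef:
                  name: mediawiki-credentials
                  key: ldap-bind-password
            # … unchanged: LDAP_*_GROUP, LDAP_SEARCH_FILTER …
```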
@@ -0,0 +1,58 @@ +--- +# tasks file for minio +- name: Deploy MinIO + kubernetes.core.helm: + name: minio + chart_ref: bitnami/minio + release_namespace: minio + create_namespace: true + values: + metrics: + enabled: true + disableWebUI: true + auth: + rootUser: minio_admin + rootPassword: "{{ minio_admin_password }}" + defaultBuckets: default + volumePermissions: + enabled: true + mode: standalone + persistence: + size: 8Ti + extraEnvVars: + - name: MINIO_ROOT_USER + value: minio_admin + - name: MINIO_ROOT_PASSWORD + value: "{{ minio_admin_password }}" + - name: MINIO_SERVER_URL + value: https://minio.eom.dev/ + - name: MINIO_IDENTITY_LDAP_SERVER_ADDR + value: openldap.openldap.svc.cluster.local:389 + - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN + value: cn=readonly,dc=eom,dc=dev + - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD + value: "{{ openldap_readonly_password }}" + - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN + value: dc=eom,dc=dev + - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER + value: (&(objectClass=posixAccount)(uid=%s)(memberOf=cn=Minio Users,ou=Minio,ou=Services,dc=eom,dc=dev)) + - name: MINIO_IDENTITY_LDAP_USER_DN_ATTRIBUTES + value: uid,cn,mail,sshPublicKey + - name: MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER + value: (&(objectclass=groupOfUniqueNames)(uniqueMember=%d)) + - name: MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN + value: dc=eom,dc=dev + - name: MINIO_IDENTITY_LDAP_COMMENT + value: OpenLDAP + - name: MINIO_IDENTITY_LDAP_SERVER_INSECURE + value: "on" + apiIngress: + enabled: true + hostname: minio.eom.dev + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: ca-issuer + tls: + - hosts: + - minio.eom.dev + secretName: minio-tls diff --git a/tasks/nextcloud.yaml b/tasks/nextcloud.yaml index 2ff2b3f..bc9c3ca 100644 --- a/tasks/nextcloud.yaml +++ b/tasks/nextcloud.yaml 
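Review bot: `extraEnvVars` repeats `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` as literal `value:` entries even though `auth.rootUser` and `auth.rootPassword` are set a few lines above; the literal copies land in the pod spec in plaintext, so anyone who can read the workload in the `minio` namespace gets the root key regardless of how the chart stores `auth.*` — drop those two entries. `MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD` is exposed the same way and belongs in a Secret consumed via `extraEnvVarsSecret` (or a `valueFrom.secretKeyRef` entry). `MINIO_IDENTITY_LDAP_SERVER_INSECURE: "on"` against `openldap.openldap.svc.cluster.local:389` additionally sends that bind password and every user's LDAP password in cleartext across the cluster; if the OpenLDAP service offers TLS, use it and remove the flag. The `apiIngress` host here is `minio.eom.dev`, while tasks/mastodon.yaml in this same patch points `externalS3.host` at `minio.api.eom.dev`, so one of the two must change.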
@@ -19,7 +19,7 @@ values: nextcloud: host: nextcloud.eom.dev - username: nextcloud + username: nextcloud_admin password: "{{ nextcloud_admin_password }}" configs: proxy.config.php: |- @@ -47,15 +47,17 @@ externalDatabase: enabled: true type: postgresql - host: nextcloud-postgresql + host: postgresql user: nextcloud password: "{{ nextcloud_admin_password }}" database: nextcloud persistence: enabled: true - size: 8Ti + size: 4Ti metrics: enabled: true + cronjob: + enabled: true ingress: enabled: true className: nginx @@ -67,19 +69,15 @@ - hosts: - nextcloud.eom.dev secretName: nextcloud-tls - cronjob: - enabled: true - redis: - enabled: true - auth: - password: "{{ nextcloud_admin_password }}" postgresql: enabled: true global: postgresql: auth: + username: nextcloud password: "{{ nextcloud_admin_password }}" + database: nextcloud primary: persistence: enabled: true - size: 256Gi + size: 2Ti diff --git a/tasks/openldap.yaml b/tasks/openldap.yaml index a6ed595..b6bc434 100644 --- a/tasks/openldap.yaml +++ b/tasks/openldap.yaml @@ -23,7 +23,7 @@ - ReadWriteOnce resources: requests: - storage: 16Gi + storage: 128Gi - name: Create PVC for OpenLDAP configuration k8s: @@ -39,7 +39,7 @@ - ReadWriteOnce resources: requests: - storage: 16Gi + storage: 32Gi - name: Create Deployment for OpenLDAP k8s: diff --git a/tasks/postfix.yaml b/tasks/postfix.yaml index 6cd2c8b..a7cfd30 100644 --- a/tasks/postfix.yaml +++ b/tasks/postfix.yaml @@ -55,7 +55,7 @@ - ReadWriteOnce resources: requests: - storage: 1Ti + storage: 2Ti - name: Create a deployment k8s: diff --git a/tasks/postgresql.yaml b/tasks/postgresql.yaml index 05fc8d9..88d259c 100644 --- a/tasks/postgresql.yaml +++ b/tasks/postgresql.yaml 
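Review bot: `externalDatabase.host` becomes the bare name `postgresql`, which resolves only to a Service literally named `postgresql` in the nextcloud namespace; if the target is the shared cluster from tasks/postgresql.yaml it needs that Service's namespaced DNS name (the removed value, `nextcloud-postgresql`, was the bundled subchart's service). The following hunk still keeps `postgresql.enabled: true` with a 2Ti `primary.persistence`, so a second PostgreSQL holding the same `nextcloud` credentials is deployed beside the external one — set `enabled: false` on the subchart if the external database is the real target, otherwise an unused 2Ti volume and a duplicate copy of the credential remain. The `values:` mapping starts and ends outside this hunk.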
@@ -14,12 +14,12 @@ pgpool: adminPassword: "{{ postgresql_admin_password }}" customUsers: - usernames: gitea,grafana,jupyterhub,mastodon,nextcloud - passwords: "{{ gitea_admin_password }},{{ grafana_admin_password }},{{ jupyterhub_admin_password }},{{ mastodon_admin_password }},{{ nextcloud_admin_password }}" + usernames: gitea,grafana,jupyterhub,mastodon,mediawiki,nextcloud + passwords: "{{ gitea_admin_password }},{{ grafana_admin_password }},{{ jupyterhub_admin_password }},{{ mastodon_admin_password }},{{ mediawiki_admin_password }},{{ nextcloud_admin_password }}" backup: enabled: true persistence: - size: 2Ti + size: 4Ti postgresql: username: postgres password: "{{ postgresql_admin_password }}" @@ -34,5 +34,7 @@ CREATE DATABASE jupyterhub WITH OWNER jupyterhub; CREATE USER mastodon WITH PASSWORD '{{ mastodon_admin_password }}'; CREATE DATABASE mastodon WITH OWNER mastodon; + CREATE USER mediawiki WITH PASSWORD '{{ mediawiki_admin_password }}'; + CREATE DATABASE mediawiki WITH OWNER mediawiki; CREATE USER nextcloud WITH PASSWORD '{{ nextcloud_admin_password }}'; CREATE DATABASE nextcloud WITH OWNER nextcloud;
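Review bot: The initdb script adds `CREATE USER mediawiki WITH PASSWORD ...` and a `mediawiki` database, and the pgpool `customUsers` hunk above adds the same login, yet tasks/mediawiki.yaml in this very patch moves MediaWiki onto its own `bitnami/mariadb` release and never points at PostgreSQL; this is a PostgreSQL role nothing uses, and its password is also the MariaDB root password, so it only widens the blast radius of that one secret. Drop both additions, or document what will consume them with a comment next to the `CREATE USER` line. Separately, the passwords are interpolated into SQL literals by Jinja, so a generated value containing `'` breaks the script; `'{{ mediawiki_admin_password | replace("'", "''") }}'` (and likewise for the other users) is safer.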