diff --git a/files/matterbridge.toml b/files/matterbridge.toml
new file mode 100644
index 0000000..7d5a640
--- /dev/null
+++ b/files/matterbridge.toml
@@ -0,0 +1,130 @@
+#This is configuration for matterbridge.
+#WARNING: as this file contains credentials, be sure to set correct file permissions
+###################################################################
+# NCTalk (Nextcloud Talk)
+###################################################################
+
+[nctalk.bridge]
+
+# Url of your Nextcloud server
+Server = "https://nextcloud.eom.dev"
+
+# Enable to not verify the certificate on your Nextcloud server.
+# e.g. when using selfsigned certificates
+# OPTIONAL (default false)
+SkipTLSVerify=false
+
+# Username of the bot
+Login = "minecraft"
+
+# Password of the bot
+Password = "{{ minecraft_admin_password }}"
+
+# Suffix for Guest Users
+GuestSuffix = " (Guest)"
+
+# Separate display name (Note: needs to be configured from Nextcloud Talk to work)
+SeparateDisplayName=false
+
+###################################################################
+#API
+###################################################################
+[api]
+#You can configure multiple API hooks
+#In this example we use [api.minecraft]
+#REQUIRED
+
+[api.minecraft]
+#Address to listen on for API
+#REQUIRED
+BindAddress="0.0.0.0:4242"
+
+#Amount of messages to keep in memory
+Buffer=1000
+
+#Bearer token used for authentication
+#curl -H "Authorization: Bearer token" http://localhost:4242/api/messages
+#OPTIONAL (no authorization if token is empty)
+Token=""
+
+#extra label that can be used in the RemoteNickFormat
+#optional (default empty)
+Label="minecraft"
+
+#RemoteNickFormat defines how remote users appear on this bridge
+#The string "{NICK}" (case sensitive) will be replaced by the actual nick / username.
+#The string "{BRIDGE}" (case sensitive) will be replaced by the sending bridge
+#The string "{PROTOCOL}" (case sensitive) will be replaced by the protocol used by the bridge
+#OPTIONAL (default empty)
+RemoteNickFormat="{NICK}"
+
+###################################################################
+#General configuration
+###################################################################
+# Settings here are defaults that each protocol can override
+[general]
+#RemoteNickFormat defines how remote users appear on this bridge
+#The string "{NICK}" (case sensitive) will be replaced by the actual nick / username.
+#The string "{BRIDGE}" (case sensitive) will be replaced by the sending bridge
+#The string "{PROTOCOL}" (case sensitive) will be replaced by the protocol used by the bridge
+#OPTIONAL (default empty)
+RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+
+#StripNick only allows alphanumerical nicks. See https://github.com/42wim/matterbridge/issues/285
+#It will strip other characters from the nick
+#OPTIONAL (default false)
+StripNick=false
+
+
+#MediaServerUpload and MediaServerDownload are used for uploading images/files/video to
+#a remote "mediaserver" (a webserver like caddy for example).
+#When configured images/files uploaded on bridges like mattermost,slack, telegram will be downloaded
+#and uploaded again to MediaServerUpload URL
+#The MediaServerDownload will be used so that bridges without native uploading support:
+#gitter, irc and xmpp will be shown links to the files on MediaServerDownload
+#
+#More information https://github.com/42wim/matterbridge/wiki/Mediaserver-setup-%5Badvanced%5D
+#OPTIONAL (default empty)
+#MediaServerUpload="https://user:pass@yourserver.com/upload"
+#OPTIONAL (default empty)
+#MediaServerDownload="https://youserver.com/download"
+
+#MediaDownloadSize is the maximum size of attachments, videos, images
+#matterbridge will download and upload this file to bridges that also support uploading files.
+#eg downloading from slack to upload it to mattermost +# +#It will only download from bridges that don't have public links available, which are for the moment +#slack, telegram, matrix and mattermost +# +#Optional (default 1000000 (1 megabyte)) +MediaDownloadSize=1000000 + +################################################################### +#Gateway configuration +################################################################### + +#You can specify multiple gateways using [[gateway]] +#Each gateway has a [[gateway.in]] and a [[gateway.out]] +#[[gateway.in]] specifies the account and channels we will receive messages from. +#[[gateway.out]] specifies the account and channels we will send the messages +#from [[gateway.in]] to. +# +#Most of the time [[gateway.in]] and [[gateway.out]] are the same if you +#want bidirectional bridging. You can then use [[gateway.inout]] +# + +[[gateway]] +#REQUIRED and UNIQUE +name="minecraft" +#Enable enables this gateway +##OPTIONAL (default false) +enable=true + + # API + [[gateway.inout]] + account="api.minecraft" + channel="api" + + [[gateway.inout]] + account="nctalk.bridge" + token="wgo6vovu" diff --git a/tasks/coturn.yaml b/tasks/coturn.yaml new file mode 100644 index 0000000..cd06a3a --- /dev/null +++ b/tasks/coturn.yaml 
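Review bot: `Token=""` under `[api.minecraft]` combined with `BindAddress="0.0.0.0:4242"` leaves the REST API with no authentication at all (the file's own comment says "no authorization if token is empty"), so anything that can reach port 4242 can read the buffered messages and post into the bridged Nextcloud Talk room under any `{NICK}` it chooses; set `Token="{{ matterbridge_api_token }}"` from a vaulted variable, like the bot password, and send it as the Bearer header from the Minecraft side. The `{{ minecraft_admin_password }}` placeholder only becomes a real password if this file is rendered through Ansible's template engine before it reaches the container; if it is copied verbatim the bot will try to log in with the literal string. The `token="wgo6vovu"` on the nctalk gateway entry appears to be the Talk conversation token from the room URL rather than a credential, so it is reasonable to keep in the file, but a comment saying so would stop the next reader from treating it as a leaked secret.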
@@ -0,0 +1,48 @@ +--- +# tasks file for coturn +- name: Add Small Hack repo + kubernetes.core.helm_repository: + name: small-hack-coturn + repo_url: https://small-hack.github.io/coturn-chart + register: repo + +- name: Update Helm repos + command: helm repo update + when: repo.changed + +- name: Deploy Coturn + kubernetes.core.helm: + name: coturn + chart_ref: small-hack-coturn/coturn + release_namespace: coturn + create_namespace: true + values: + certificate: + enabled: true + host: coturn.eom.dev + issuer: ca-issuer + uris: + - turns:coturn.eom.dev?transport=udp + allowGuests: true + sharedSecret: "{{ coturn_shared_secret }}" + service: + type: NodePort + image: + tag: latest + pullPolicy: Always + externalDatabase: + enabled: true + postgresql: + enabled: false + global: + postgresql: + auth: + password: "{{ coturn_admin_password }}" + primary: + persistence: + size: 256Gi + coturn: + realm: coturn.eom.dev + auth: + username: coturn + password: "{{ coturn_admin_password }}" diff --git a/tasks/gitea.yaml b/tasks/gitea.yaml index 08046d8..91d60e8 100644 --- a/tasks/gitea.yaml +++ b/tasks/gitea.yaml @@ -18,7 +18,7 @@ create_namespace: true values: image: - pullPolicy: Always + pullPolicy: IfNotPresent service: ssh: type: LoadBalancer @@ -65,11 +65,17 @@ config: APP_NAME: "Gitea" service: - DISABLE_REGISTRATION: true + DISABLE_REGISTRATION: false + SHOW_REGISTRATION_BUTTON: false DEFAULT_ALLOW_CREATE_ORGANIZATION: false + ALLOW_ONLY_EXTERNAL_REGISTRATION: true + oauth2_client: + ENABLE_AUTO_REGISTRATION: true + UPDATE_AVATAR: true + ACCOUNT_LINKING: auto mailer: ENABLED: true - SMTP_ADDR: mail.eom.dev + SMTP_ADDR: postfix.eom.dev SMTP_PORT: 587 USER: gitea PASSWD: "{{ gitea_admin_password }}" diff --git a/tasks/grafana-matrix-forwarder.yaml b/tasks/grafana-matrix-forwarder.yaml new file mode 100644 index 0000000..2a9dc2a --- /dev/null +++ b/tasks/grafana-matrix-forwarder.yaml 
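Review bot: `coturn_admin_password` is used both as the PostgreSQL `global.postgresql.auth.password` and as the TURN `coturn.auth.password` for user `coturn`, so a TURN credential leak (these are handed to clients) is also a database credential; give each its own vaulted variable, e.g. `coturn_db_password`. `image.tag: latest` with `pullPolicy: Always` means every pod restart may pull a different, unreviewed coturn build onto a NodePort-exposed service; pin a release tag or `@sha256` digest. With `allowGuests: true` and `sharedSecret`, anyone the Talk/Matrix side hands a time-limited credential to can relay traffic through the node, so if the chart exposes bandwidth or quota settings they are worth setting here.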
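Review bot: `ACCOUNT_LINKING: auto` links an incoming OAuth2 identity to an existing Gitea account that matches by email or username without asking the user to authenticate to that account, so combined with `ENABLE_AUTO_REGISTRATION: true` any configured provider that lets a user claim an arbitrary email can take over a local account; prefer `ACCOUNT_LINKING: login` unless every provider verifies email ownership. Flipping `DISABLE_REGISTRATION` to `false` is contained by `ALLOW_ONLY_EXTERNAL_REGISTRATION: true`, but that is only as strong as the providers added in the admin UI, which this diff does not show, so a comment naming the intended providers would help. The mailer `PASSWD` reuses `gitea_admin_password`, making the SMTP credential equal to the admin credential; a dedicated `gitea_smtp_password` would limit the blast radius of a mail-relay compromise.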
@@ -0,0 +1,51 @@ +--- +# tasks file for grafana-matrix-forwarder +- name: Create a Deployment for Grafana Matrix Forwarder + k8s: + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: matrix-forwarder + namespace: grafana + spec: + replicas: 1 + selector: + matchLabels: + app: matrix-forwarder + template: + metadata: + labels: + app: matrix-forwarder + spec: + containers: + - name: matrix-forwarder + image: registry.gitlab.com/hctrdev/grafana-matrix-forwarder + ports: + - containerPort: 6000 + env: + - name: GMF_MATRIX_USER + value: grafana + - name: GMF_MATRIX_PASSWORD + value: "{{ grafana_admin_password }}" + - name: GMF_MATRIX_HOMESERVER + value: synapse.eom.dev + - name: GMF_RESOLVE_MODE + value: reply + +- name: Expose GMF Deployment as a Service + k8s: + definition: + apiVersion: v1 + kind: Service + metadata: + name: matrix-forwarder + namespace: grafana + spec: + selector: + app: matrix-forwarder + ports: + - port: 80 + targetPort: 6000 + name: http + type: ClusterIP diff --git a/tasks/mail.yaml b/tasks/mail.yaml index 31bf653..9823077 100644 --- a/tasks/mail.yaml +++ b/tasks/mail.yaml @@ -33,10 +33,11 @@ subject: organizations: - EOM - commonName: mail.eom.dev + commonName: eom.dev dnsNames: - - mail.eom.dev - eom.dev + - postfix.eom.dev + - dovecot.eom.dev issuerRef: name: ca-issuer kind: ClusterIssuer @@ -88,11 +89,14 @@ - containerPort: 465 - containerPort: 587 - containerPort: 993 + - containerPort: 995 env: - name: OVERRIDE_HOSTNAME - value: "mail.eom.dev" + value: "postfix.eom.dev" - name: POSTMASTER_ADDRESS - value: "postmaster@eom.dev" + value: "postfix@eom.dev" + - name: ENABLE_POP3 + value: "1" - name: ACCOUNT_PROVISIONER value: "LDAP" - name: LDAP_SERVER_HOST 
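Review bot: `apiVersion: v1` with `kind: Deployment` is not a valid pairing (Deployments are served under `apps/v1`), so the `k8s` task will most likely be rejected by the API server; change it to `apiVersion: apps/v1`. `GMF_MATRIX_PASSWORD` is a plain `value:` that reuses `grafana_admin_password`, which puts the Grafana admin secret into the pod spec where anyone with read access to the `grafana` namespace can see it; use a dedicated bot password delivered via `valueFrom.secretKeyRef`. The image `registry.gitlab.com/hctrdev/grafana-matrix-forwarder` has no tag or digest and therefore resolves to `latest`; pin it so the code that holds a Matrix credential can be audited. `GMF_MATRIX_HOMESERVER: synapse.eom.dev` has no scheme — check whether the forwarder expects a full URL such as `https://synapse.eom.dev`.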
@@ -106,7 +110,7 @@ - name: LDAP_QUERY_FILTER_DOMAIN value: "(mail=*@%s)" - name: LDAP_QUERY_FILTER_USER - value: "(&(mail=%s)(memberOf=cn=Mail Users,ou=Mail,ou=Services,dc=eom,dc=dev))" + value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))" - name: LDAP_QUERY_FILTER_ALIAS value: "(&(objectClass=posixAccount)(mailAlias=%s))" - name: LDAP_QUERY_FILTER_GROUP @@ -120,7 +124,7 @@ - name: DOVECOT_DEFAULT_PASS_SCHEME value: "MD5-CRYPT" - name: DOVECOT_USER_FILTER - value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Mail Users,ou=Mail,ou=Services,dc=eom,dc=dev))" + value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Dovecot Users,ou=Dovecot,ou=Services,dc=eom,dc=dev))" - name: DOVECOT_PASS_ATTRS value: "uid=user,userPassword=password" - name: DOVECOT_USER_ATTRS @@ -165,4 +169,6 @@ name: smtps - port: 993 name: imap + - port: 995 + name: pop3 type: LoadBalancer diff --git a/tasks/main.yaml b/tasks/main.yaml index 92367fb..6b5801e 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -3,4 +3,4 @@ - name: Deploy include_tasks: "{{ item }}" loop: - - nextcloud.yaml + - gitea.yaml diff --git a/tasks/mastodon.yaml b/tasks/mastodon.yaml index 88c1122..81efa6d 100644 --- a/tasks/mastodon.yaml +++ b/tasks/mastodon.yaml @@ -80,7 +80,7 @@ minio: enabled: false externalS3: - host: minio.api.eom.dev + host: minio.eom.dev accessKeyId: mastodon accessKeySecret: "{{ mastodon_admin_password }}" bucket: mastodon diff --git a/tasks/matrix.yaml b/tasks/matrix.yaml new file mode 100644 index 0000000..9798229 --- /dev/null +++ b/tasks/matrix.yaml 
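Review bot: `tasks/main.yaml` now loops over only `gitea.yaml`, dropping `nextcloud.yaml`, and none of the new task files in this change (coturn, matrix, matterbridge, sogo, grafana-matrix-forwarder) are referenced here either, so unless they are included from somewhere outside this diff they are unreachable. If the loop is being used as a manual switch for what to deploy, say so in a comment above it, or drive it from a variable (`loop: "{{ deploy_tasks }}"`) so the full list of services stays visible and a one-off run does not look like a permanent removal.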
@@ -0,0 +1,322 @@ +--- +# tasks file for synapse +- name: Add Small Hack repo + kubernetes.core.helm_repository: + name: small-hack-matrix + repo_url: https://small-hack.github.io/matrix-chart + register: repo + +- name: Update Helm repos + command: helm repo update + when: repo.changed + +- name: Deploy Matrix + kubernetes.core.helm: + name: matrix + chart_ref: small-hack-matrix/matrix + release_namespace: matrix + create_namespace: true + values: + matrix: + serverName: eom.dev + hostname: synapse.eom.dev + adminEmail: synapse@eom.dev + encryptByDefault: all + federation: + enabled: true + ingress: + enabled: true + host: eom.dev + className: nginx + annotations: + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_intercept_errors off; + cert-manager.io/cluster-issuer: ca-issuer + tls: + enabled: true + host: eom.dev + oidc: + enabled: false + providers: + - idp_id: github + idp_name: Github + idp_brand: "github" # optional: styling hint for clients + discover: false + issuer: "https://github.com/" + client_id: "{{ matrix_github_oidc_client_id }}" # TO BE FILLED + client_secret: "{{ matrix_github_oidc_client_secret }}" # TO BE FILLED + authorization_endpoint: "https://github.com/login/oauth/authorize" + token_endpoint: "https://github.com/login/oauth/access_token" + userinfo_endpoint: "https://api.github.com/user" + scopes: ["read:user"] + allow_existing_users: true + enable_registration: false + user_mapping_provider: + config: + subject_claim: "id" + localpart_template: "{{ '{{ user.login }}' | quote }}" + display_name_template: "{{ '{{ user.name }}' | quote }}" + - idp_id: google + idp_name: Google + idp_brand: "google" + issuer: "https://accounts.google.com/" + client_id: "{{ matrix_google_oidc_client_id }}" # TO BE FILLED + client_secret: "{{ matrix_google_oidc_client_secret }}" # TO BE FILLED + scopes: ["openid", "profile", "email"] # email is optional, read below + allow_existing_users: true + enable_registration: false + user_mapping_provider: 
+ config: + localpart_template: "{{ '{{ user.given_name|lower }}' | quote }}" + display_name_template: "{{ '{{ user.name }}' | quote }}" + email_template: "{{ '{{ user.email }}' | quote }}" # needs "email" in scopes above + allow_public_rooms_over_federation: true + allow_public_rooms_without_auth: true + ip_range_blacklist: + - 127.0.0.0/8 + registration: + enabled: false + allowGuests: false + autoJoinRooms: + - #main:eom.dev + - #announcements:eom.dev + - #general:eom.dev + - #help:eom.dev + serve_server_wellknown: true + homeserverExtra: + modules: + - module: "ldap_auth_provider.LdapAuthProviderModule" + config: + enabled: true + uri: "ldap://openldap.openldap.svc.cluster.local:389" + mode: search + start_tls: false + base: "dc=eom,dc=dev" + attributes: + uid: "uid" + mail: "mail" + name: "givenName" + bind_dn: cn=readonly,dc=eom,dc=dev + bind_password: "{{ openldap_readonly_password }}" + filter: "(&(objectClass=posixAccount)(memberOf=cn=Synapse Users,ou=Synapse,ou=Services,dc=eom,dc=dev))" +# experimental_features: +# msc3861: +# enabled: true +# # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration +# issuer: http://localhost:8080/ +# client_id: 0000000000000000000SYNAPSE +# client_auth_method: client_secret_basic +# client_secret: 5ZrwKXmKdiQfus2J +# admin_token: SacP5rWpci6GMqb2 +# account_management_url: "https://matrix-auth-service.eom.dev/" + volumes: + media: + capacity: 2Ti + postgresql: + enabled: true + persistence: + enabled: true + global: + postgresql: + auth: + username: synapse + password: "{{ synapse_admin_password }}" + primary: + persistence: + size: 2Ti + synapse: + ingress: + className: nginx + annotations: + cert-manager.io/cluster-issuer: ca-issuer + nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off; + hosts: + - host: synapse.eom.dev + paths: +# - path: "/_matrix/client/(r0|v3)/(refresh|login|logout).*" +# pathType: ImplementationSpecific +# backend: +# service: +# 
name: mas +# port: +# name: http + - path: / + pathType: Prefix + tls: + - secretName: synapse-tls + hosts: + - synapse.eom.dev + element: + enabled: true + permalinkPrefix: "https://element.eom.dev" + ingress: + host: element.eom.dev + annotations: + cert-manager.io/cluster-issuer: ca-issuer + coturn: + enabled: false + certificate: + enabled: true + host: coturn.eom.dev + issuer: ca-issuer + uris: + - turn:coturn.eom.dev?transport=udp + allowGuests: true + service: + type: NodePort + image: + tag: latest + pullPolicy: IfNotPresent + externalDatabase: + enabled: true + hostname: matrix-postgresql + username: matrix + password: "{{ matrix_admin_password }}" + database: coturn + postgresql: + enabled: false + nameOverride: matrix-coturn-postgresql + global: + postgresql: + auth: + password: "{{ coturn_admin_password }}" + primary: + persistence: + size: 256Gi + coturn: + realm: coturn.eom.dev + auth: + username: coturn + password: "{{ coturn_admin_password }}" + mail: + enabled: true + from: Synapse + elementUrl: https://element.eom.dev + relay: + enabled: false + external: + hostname: postfix.eom.dev + port: "587" + username: synapse + password: "{{ synapse_admin_password }}" + mas: + enabled: false + fullnameOverride: mas + image: + pullPolicy: IfNotPresent + tag: latest + http: + public_base: https://matrix-auth-service.eom.dev/ + ingress: + className: nginx + annotations: + cert-manager.io/cluster-issuer: ca-issuer + hosts: + - host: matrix-auth-service.eom.dev + paths: + - path: / + pathType: ImplementationSpecific + tls: + - secretName: mas-tls + hosts: + - matrix-auth-service.eom.dev + postgresql: + enabled: false + global: + auth: + password: "{{ matrix_auth_service_admin_password }}" + mas: + enabled: false + http: + public_base: https://matrix-auth-service.eom.dev/ + policy: + client_registration: + allow_host_mismatch: true + allow_insecure_uris: false + clients: + - client_id: 0000000000000000000SYNAPSE + client_auth_method: client_secret_basic + 
client_secret: 5ZrwKXmKdiQfus2J + matrix: + homeserver: synapse.eom.dev + endpoint: https://synapse.eom.dev + secret: SacP5rWpci6GMqb2 + email: + from: Matrix Auth Service + reply_to: No reply + transport: smtp + mode: tls + hostname: postfix.eom.dev + port: 587 + username: matrix-auth-service + password: "{{ matrix_auth_service_admin_password }}" + upstream_oauth2: + providers: + - id: 01JG22H4F0G8PYCZ5HVTQVHBC4 + issuer: https://google.com/ + client_id: "{{ matrix_google_oidc_client_id }}" + client_secret: "{{ matrix_google_oidc_client_secret }}" + token_endpoint_auth_method: client_secret_basic + discovery_mode: oidc + claims_imports: + subject: + template: "{{ '{{ user.sub }}' | quote }}" + + # -- The localpart is the local part of the user's Matrix ID. + # For example, on the `example.com` server, if the localpart is `alice`, + # the user's Matrix ID will be `@alice:example.com`. + localpart: + action: require + template: "{{ '{{ user.preferred_username }}' | quote }}" + + # -- The display name is the user's display name. + displayname: + action: suggest + template: "{{ '{{ user.name }}' | quote }}" + + # -- An email address to import. + email: + action: suggest + template: "{{ '{{ user.email }}' | quote }}" + # -- Whether the email address must be marked as verified. + # Possible values are: + # - `import`: mark the email address as verified if the upstream provider + # has marked it as verified, using the `email_verified` claim. + # This is the default. 
+ # - `always`: mark the email address as verified + # - `never`: mark the email address as not verified + set_email_verification: import + - id: 01JG2B7DBS6RQRH1TFVZ4BP7H8 + issuer: https://github.com/ + client_id: "{{ matrix_github_oidc_client_id }}" + client_secret: "{{ matrix_github_oidc_client_secret }}" + token_endpoint_auth_method: client_secret_basic + discovery_mode: oidc + claims_imports: + subject: + template: "{{ '{{ user.sub }}' | quote }}" + + # -- The localpart is the local part of the user's Matrix ID. + # For example, on the `example.com` server, if the localpart is `alice`, + # the user's Matrix ID will be `@alice:example.com`. + localpart: + action: require + template: "{{ '{{ user.preferred_username }}' | quote }}" + + # -- The display name is the user's display name. + displayname: + action: suggest + template: "{{ '{{ user.name }}' | quote }}" + + # -- An email address to import. + email: + action: suggest + template: "{{ '{{ user.email }}' | quote }}" + # -- Whether the email address must be marked as verified. + # Possible values are: + # - `import`: mark the email address as verified if the upstream provider + # has marked it as verified, using the `email_verified` claim. + # This is the default. + # - `always`: mark the email address as verified + # - `never`: mark the email address as not verified + set_email_verification: import diff --git a/tasks/matterbridge.yaml b/tasks/matterbridge.yaml new file mode 100644 index 0000000..a0e80a1 --- /dev/null +++ b/tasks/matterbridge.yaml 
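Review bot: `ip_range_blacklist: [127.0.0.0/8]` under `matrix:` — if the chart passes it through to Synapse's `ip_range_blacklist` — replaces the default block list (which covers RFC1918, link-local and the cloud-metadata range) rather than extending it, so URL previews, outbound federation and identity/push lookups could be pointed at in-cluster services such as the `openldap.openldap.svc.cluster.local` and `matrix-postgresql` endpoints configured in this same file; remove the key to keep the defaults, or list the full set of private ranges. `client_secret: 5ZrwKXmKdiQfus2J` and `secret: SacP5rWpci6GMqb2` under `mas.clients`/`mas.matrix` (and again in the commented `msc3861` block) are literal credentials committed to the repository even though `mas.enabled: false`; treat them as compromised, rotate, and use vaulted variables as every other password here does. The `ldap_auth_provider` module binds `ldap://...:389` with `start_tls: false`, so the readonly bind password and every user's login password cross the cluster network in clear — acceptable only if pod-to-pod traffic is encrypted elsewhere, and worth a comment either way. `allow_host_mismatch: true` under `mas.policy.client_registration` and `allow_public_rooms_without_auth: true` both widen exposure and deserve a one-line justification next to them.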
@@ -0,0 +1,70 @@ +--- +# Tasks file for Matterbridge +- name: Create Matterbridge namespace + k8s: + state: present + definition: + apiVersion: v1 + kind: Namespace + metadata: + name: matterbridge + +- name: Create ConfigMap for Matterbridge + k8s: + definition: + apiVersion: v1 + kind: ConfigMap + metadata: + name: matterbridge + namespace: matterbridge + data: + matterbridge.toml: "{{ lookup('file', 'matterbridge.toml') }}" + +- name: Create Deployment for Matterbridge + k8s: + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: matterbridge + namespace: matterbridge + spec: + replicas: 1 + selector: + matchLabels: + app: matterbridge + template: + metadata: + labels: + app: matterbridge + spec: + containers: + - name: matterbridge + image: 42wim/matterbridge + volumeMounts: + - name: config + mountPath: /etc/matterbridge + ports: + - containerPort: 4242 + volumes: + - name: config + configMap: + name: matterbridge + subPath: matterbridge.toml + +- name: Create Service for Matterbridge + k8s: + definition: + apiVersion: v1 + kind: Service + metadata: + name: matterbridge + namespace: matterbridge + spec: + selector: + app: matterbridge + ports: + - port: 80 + targetPort: 4242 + name: http + type: ClusterIP diff --git a/tasks/mediawiki.yaml b/tasks/mediawiki.yaml index 38f9baf..6815efa 100644 --- a/tasks/mediawiki.yaml +++ b/tasks/mediawiki.yaml @@ -45,7 +45,10 @@ containers: - name: mediawiki image: ericomeehan/mediawiki-extended - imagePullPolicy: Always + imagePullPolicy: IfNotPresent + resources: + requests: + memory: 2Gi env: - name: WIKI_NAME value: MediaWiki 
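Review bot: The ConfigMap is filled with `lookup('file', 'matterbridge.toml')`, which returns the file contents verbatim and is not re-templated by current Ansible, so the `{{ minecraft_admin_password }}` placeholder inside the TOML will be stored literally and the bot login will fail; use `lookup('template', 'matterbridge.toml')`, and since the rendered file then contains the bot password, put it in a `kind: Secret` (`stringData:`) rather than a ConfigMap. `subPath: matterbridge.toml` is placed under `volumes[].configMap`, where no such field exists — it belongs on the container's `volumeMounts` entry (`mountPath: /etc/matterbridge/matterbridge.toml` plus `subPath: matterbridge.toml`) — so depending on the API server's field validation it is either rejected or silently ignored. The Service publishes port 4242 cluster-wide as `http`; unless the TOML sets an API `Token`, every workload in the cluster can post messages through the bridge.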
@@ -88,11 +91,11 @@ - name: LDAP_BIND_PASS value: "{{ openldap_readonly_password }}" - name: LDAP_BUREAUCRAT_GROUP - value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev + value: cn=Mediawiki Bureaucrats,ou=MediaWiki,ou=Services,dc=eom,dc=dev - name: LDAP_INTERFACE_ADMIN_GROUP - value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev + value: cn=Mediawiki Interface Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev - name: LDAP_SYSOP_GROUP - value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev + value: cn=Mediawiki Sysops,ou=MediaWiki,ou=Services,dc=eom,dc=dev - name: LDAP_SEARCH_FILTER value: (&(objectClass=posixAccount)(uid=%1$s)(memberOf=cn=Mediawiki Users,ou=MediaWiki,ou=Services,dc=eom,dc=dev)) ports: diff --git a/tasks/nextcloud.yaml b/tasks/nextcloud.yaml index bd95824..187a976 100644 --- a/tasks/nextcloud.yaml +++ b/tasks/nextcloud.yaml @@ -18,7 +18,7 @@ create_namespace: true values: image: - pullPolicy: Always + pullPolicy: IfNotPresent tag: latest nextcloud: host: nextcloud.eom.dev @@ -46,15 +46,6 @@ authtype: LOGIN name: nextcloud password: "{{ nextcloud_admin_password }}" - internalDatabase: - enabled: false - externalDatabase: - enabled: true - type: postgresql - host: postgresql - user: nextcloud - password: "{{ nextcloud_admin_password }}" - database: nextcloud persistence: enabled: true size: 8Ti 
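Review bot: `pullPolicy: IfNotPresent` together with the unchanged `tag: latest` means each node keeps whatever `latest` it cached first, so image security updates are never picked up and different nodes can run different Nextcloud versions; either pin `tag` to a release (ideally with an `@sha256` digest) or keep `Always` while a floating tag is in use. The gitea and mediawiki hunks in this change make the same `Always` → `IfNotPresent` switch and deserve the same check.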
@@ -70,13 +61,49 @@ enabled: true className: nginx annotations: - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" + #nginx.ingress.kubernetes.io/enable-cors: "true" + #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" + nginx.ingress.kubernetes.io/proxy-body-size: 4G + kubernetes.io/tls-acme: "true" cert-manager.io/cluster-issuer: ca-issuer + # Keep this in sync with the README.md: + nginx.ingress.kubernetes.io/server-snippet: |- + server_tokens off; + proxy_hide_header X-Powered-By; + rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last; + rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last; + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:autotest|occ|issue|indie|db_|console) { + deny all; + } tls: - hosts: - nextcloud.eom.dev secretName: nextcloud-tls + internalDatabase: + enabled: false + externalDatabase: + enabled: true + type: postgresql + host: postgresql + user: nextcloud + password: "{{ nextcloud_admin_password }}" + database: nextcloud postgresql: enabled: true global: diff --git a/tasks/openldap.yaml b/tasks/openldap.yaml index b6bc434..69b9604 100644 --- a/tasks/openldap.yaml +++ b/tasks/openldap.yaml @@ -73,6 +73,8 @@ value: "true" - name: LDAP_READONLY_USER_PASSWORD value: "{{ openldap_readonly_password }}" + - name: LDAP_TLS_VERIFY_CLIENT + value: never volumeMounts: - name: config mountPath: /etc/ldap/slapd.d 
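Review bot: The hardening in `nginx.ingress.kubernetes.io/server-snippet` — the `deny all` blocks for `/config/`, `/data/`, `/occ` and friends — only takes effect if the ingress-nginx controller permits snippet annotations, which recent releases disable by default (`allow-snippet-annotations: false`), in which case the admission webhook rejects the Ingress or the snippet is dropped; verify the controller setting, because these rules are what keep `config/config.php` and the data directory from being served if the app's own guards fail. `kubernetes.io/tls-acme: "true"` is the legacy ingress-shim trigger and is redundant next to `cert-manager.io/cluster-issuer: ca-issuer`; drop it so there is a single issuance path. The commented-out CORS annotations should either be deleted or carry a one-line note on why they were disabled, e.g. `# CORS disabled: X-Forwarded-For is set by the ingress, not the client`.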
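Review bot: `LDAP_TLS_VERIFY_CLIENT: never` turns off client-certificate checking, so every LDAP client now authenticates with a simple bind alone; that is a legitimate choice, but it means the readonly bind password and user passwords are protected only by the transport, and other tasks in this change connect with plain `ldap://...:389` (the Synapse LDAP module even sets `start_tls: false`). Add a comment stating why mTLS is not required and which transport protection is relied on instead, e.g. `# clients authenticate by simple bind; require StartTLS/ldaps on the client side`.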
diff --git a/tasks/sogo.yaml b/tasks/sogo.yaml new file mode 100644 index 0000000..cdd061a --- /dev/null +++ b/tasks/sogo.yaml @@ -0,0 +1,82 @@ +--- +# tasks file for SOGo +- name: Create SOGo namespace + k8s: + state: present + definition: + apiVersion: v1 + kind: Namespace + metadata: + name: sogo + +- name: Create a deployment + k8s: + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: sogo + namespace: sogo + spec: + replicas: 1 + selector: + matchLabels: + app: sogo + template: + metadata: + labels: + app: sogo + spec: + containers: + - name: sogo + image: mailcow/sogo + volumeMounts: + - name: mail + mountPath: /var/mail + ports: + - containerPort: 80 + env: + - name: OVERRIDE_HOSTNAME + value: "postfix.eom.dev" + - name: POSTMASTER_ADDRESS + value: "postfix@eom.dev" + - name: ACCOUNT_PROVISIONER + value: "LDAP" + - name: LDAP_SERVER_HOST + value: "ldap://openldap.openldap.svc.cluster.local/" + - name: LDAP_SEARCH_BASE + value: "dc=eom,dc=dev" + - name: LDAP_BIND_DN + value: "cn=readonly,dc=eom,dc=dev" + - name: LDAP_BIND_PW + value: "{{ openldap_readonly_password }}" + - name: LDAP_QUERY_FILTER_DOMAIN + value: "(mail=*@%s)" + - name: LDAP_QUERY_FILTER_USER + value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))" + - name: LDAP_QUERY_FILTER_ALIAS + value: "(&(objectClass=posixAccount)(mailAlias=%s))" + - name: LDAP_QUERY_FILTER_GROUP + value: "(&(objectClass=posixAccount)(mailGroupMember=%s))" + - name: LDAP_QUERY_FILTER_SENDERS + value: "(&(objectClass=posixAccount)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))" + volumes: + - name: mail + persistentVolumeClaim: + claimName: mail + +- name: Expose deployment as a service + k8s: + definition: + apiVersion: v1 + kind: Service + metadata: + name: sogo + namespace: sogo + spec: + selector: + app: sogo + ports: + - port: 80 + name: http + type: LoadBalancer diff --git a/tasks/wordpress.yaml b/tasks/wordpress.yaml index b9e8af1..6043edc 100644 
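Review bot: The Service is `type: LoadBalancer` on port 80 with no TLS, so the SOGo login form and session cookies would be served in clear text on an externally reachable address; make it `ClusterIP` and front it with the nginx ingress and `cert-manager.io/cluster-issuer: ca-issuer` as the other web apps in this change are. `LDAP_BIND_PW` is a plain env `value:`; deliver it through `valueFrom.secretKeyRef` instead of embedding it in the pod spec. The `OVERRIDE_HOSTNAME`, `ACCOUNT_PROVISIONER` and `LDAP_QUERY_FILTER_*` variables look copied from the docker-mailserver deployment in `tasks/mail.yaml`, and I could not find the `mailcow/sogo` image documenting any of them, so SOGo may start with no LDAP source at all — confirm against the image's entrypoint. `claimName: mail` names a PVC in the `sogo` namespace; PVCs are namespaced, so this will not share the mail deployment's volume unless one is created here.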
--- a/tasks/wordpress.yaml
+++ b/tasks/wordpress.yaml
@@ -1,202 +1,40 @@ --- # tasks file for wordpress -- name: Create WordPress namespace - k8s: - state: present - definition: - apiVersion: v1 - kind: Namespace - metadata: - name: wordpress - -- name: Create PVC for MySQL - k8s: - state: present - definition: - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: mysql - namespace: wordpress - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 64Gi - -- name: Create Deployment for MySQL - k8s: - state: present - definition: - apiVersion: v1 - kind: Deployment - metadata: - name: mysql - namespace: wordpress - labels: - app: mysql - spec: - replicas: 1 - selector: - matchLabels: - app: mysql - template: - metadata: - labels: - app: mysql - spec: - containers: - - name: mysql - image: mysql - volumeMounts: - - name: data - mountPath: /var/lib/mysql - ports: - - containerPort: 3306 - env: - - name: MYSQL_ROOT_PASSWORD - value: "{{ mysql_root_password }}" - - name: MYSQL_DATABASE - value: wordpress - - name: MYSQL_USER - value: wordpress - - name: MYSQL_PASSWORD - value: "{{ wordpress_mysql_password }}" - volumes: - - name: data - persistentVolumeClaim: - claimName: mysql - -- name: Create Service for MySQL - k8s: - state: present - definition: - apiVersion: v1 - kind: Service - metadata: - name: mysql - namespace: wordpress - spec: - selector: - app: mysql - ports: - - port: 3306 - name: mysql +- name: Deploy Wordpress + kubernetes.core.helm: + name: wordpress + chart_ref: bitnami/wordpress + release_namespace: wordpress + create_namespace: true + values: + wordpressUsername: wordpress_admin + wordpressPassword: "{{ wordpress_admin_password }}" + wordpressEmail: wordpress@eom.dev + wordpressFirstName: Administrator + wordpressLastName: Wordpress + wordpressBlogName: Wordpress + wordpressScheme: https + smtpHost: postfix.eom.dev + smtpPort: 587 + smtpUser: wordpress + smtpPassword: "{{ wordpress_admin_password }}" + smtpFromName: Wordpress + service: type: ClusterIP - -- name: Create 
PVC for WordPress - k8s: - state: present - definition: - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: wordpress - namespace: wordpress - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Gi - -- name: Create Deployment for WordPress - k8s: - state: present - definition: - apiVersion: v1 - kind: Deployment - metadata: - name: wordpress - namespace: wordpress - labels: - app: wordpress - spec: - replicas: 1 - selector: - matchLabels: - app: wordpress - template: - metadata: - labels: - app: wordpress - spec: - containers: - - name: wordpress - image: wordpress - volumeMounts: - - name: data - mountPath: /var/wordpress/html - ports: - - containerPort: 3000 - env: - - name: WORDPRESS_DB_HOST - value: mysql - - name: WORDPRESS_DB_NAME - value: wordpress - - name: WORDPRESS_DB_USER - value: wordpress - - name: WORDPRESS_DB_PASSWORD - value: "{{ wordpress_mysql_password }}" - volumes: - - name: data - persistentVolumeClaim: - claimName: wordpress - -- name: Create Service for WordPress - k8s: - state: present - definition: - apiVersion: v1 - kind: Service - metadata: - name: wordpress - namespace: wordpress - spec: - selector: - app: wordpress - ports: - - port: 80 - name: http - type: ClusterIP - -- name: Create Ingress - k8s: - state: present - definition: - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: + ingress: + enabled: true + ingressClassName: nginx + hostname: wordpress.eom.dev annotations: cert-manager.io/cluster-issuer: ca-issuer - name: wordpress - namespace: wordpress - spec: - ingressClassName: nginx - rules: - - host: www.eom.dev - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: wordpress - port: - number: 80 - - host: wordpress.eom.dev - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: wordpress - port: - number: 80 - tls: - - hosts: - - www.eom.dev - - wordpress.eom.dev - secretName: wordpress + tls: true + persistence: + enabled: true + 
size: 2Ti + mariadb: + enabled: true + auth: + password: "{{ wordpress_admin_password }}" + primary: + persistence: + size: 2Ti diff --git a/templates/ldap.toml.j2 b/templates/ldap.toml.j2 index 05cb264..219824e 100644 --- a/templates/ldap.toml.j2 +++ b/templates/ldap.toml.j2 @@ -59,11 +59,11 @@ org_id = 1 org_role = "Viewer" [[servers.group_mappings]] -group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev" +group_dn = "cn=DevOps Owners,ou=Teams,dc=eom,dc=dev" org_id = 2 org_role = "Admin" [[servers.group_mappings]] -group_dn = "cn=Finance Owners,ou=Finance,ou=Organizations,dc=eom,dc=dev" +group_dn = "cn=Finance Owners,ou=Teams,dc=eom,dc=dev" org_id = 3 org_role = "Admin"
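Review bot: `wordpress_admin_password` is reused three times — as `wordpressPassword`, `smtpPassword` and `mariadb.auth.password` — so compromising the SMTP account or the database user hands over the site admin login; give each its own vaulted variable (`wordpress_smtp_password`, `wordpress_db_password`). The removed Ingress served both `www.eom.dev` and `wordpress.eom.dev`, but the chart values only set `hostname: wordpress.eom.dev`, so the `www` host silently disappears unless it is added under `ingress.extraHosts` and `ingress.extraTls`.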