DevOps/ansible-role-eom
1
0
Fork 0
Code Issues 20 Pull Requests Actions Packages Projects Releases Wiki Activity

Commit recent work...

Browse Source
This commit is contained in:
Eric Meehan 2025-01-12 21:58:14 -05:00
parent 811c3b01a0
commit 81b3f78277
15 changed files with 811 additions and 226 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
files/matterbridge.toml Normal file
View File

@ -0,0 +1,130 @@
#This is configuration for matterbridge.
#WARNING: as this file contains credentials, be sure to set correct file permissions
###################################################################
# NCTalk (Nextcloud Talk)
###################################################################
[nctalk.bridge]
# Url of your Nextcloud server
Server = "https://nextcloud.eom.dev"
# Enable to not verify the certificate on your Nextcloud server.
# e.g. when using selfsigned certificates
# OPTIONAL (default false)
SkipTLSVerify=false
# Username of the bot
Login = "minecraft"
# Password of the bot
Password = "{{ minecraft_admin_password }}"
# Suffix for Guest Users
GuestSuffix = " (Guest)"
# Separate display name (Note: needs to be configured from Nextcloud Talk to work)
SeparateDisplayName=false
###################################################################
#API
###################################################################
[api]
#You can configure multiple API hooks
#In this example we use [api.minecraft]
#REQUIRED
[api.minecraft]
#Address to listen on for API
#REQUIRED
BindAddress="0.0.0.0:4242"
#Amount of messages to keep in memory
Buffer=1000
#Bearer token used for authentication
#curl -H "Authorization: Bearer token" http://localhost:4242/api/messages
#OPTIONAL (no authorization if token is empty)
Token=""
#extra label that can be used in the RemoteNickFormat
#optional (default empty)
Label="minecraft"
#RemoteNickFormat defines how remote users appear on this bridge
#The string "{NICK}" (case sensitive) will be replaced by the actual nick / username.
#The string "{BRIDGE}" (case sensitive) will be replaced by the sending bridge
#The string "{PROTOCOL}" (case sensitive) will be replaced by the protocol used by the bridge
#OPTIONAL (default empty)
RemoteNickFormat="{NICK}"
###################################################################
#General configuration
###################################################################
# Settings here are defaults that each protocol can override
[general]
#RemoteNickFormat defines how remote users appear on this bridge
#The string "{NICK}" (case sensitive) will be replaced by the actual nick / username.
#The string "{BRIDGE}" (case sensitive) will be replaced by the sending bridge
#The string "{PROTOCOL}" (case sensitive) will be replaced by the protocol used by the bridge
#OPTIONAL (default empty)
RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
#StripNick only allows alphanumerical nicks. See https://github.com/42wim/matterbridge/issues/285
#It will strip other characters from the nick
#OPTIONAL (default false)
StripNick=false
#MediaServerUpload and MediaServerDownload are used for uploading images/files/video to
#a remote "mediaserver" (a webserver like caddy for example).
#When configured images/files uploaded on bridges like mattermost,slack, telegram will be downloaded
#and uploaded again to MediaServerUpload URL
#The MediaServerDownload will be used so that bridges without native uploading support:
#gitter, irc and xmpp will be shown links to the files on MediaServerDownload
#
#More information https://github.com/42wim/matterbridge/wiki/Mediaserver-setup-%5Badvanced%5D
#OPTIONAL (default empty)
#MediaServerUpload="https://user:pass@yourserver.com/upload"
#OPTIONAL (default empty)
#MediaServerDownload="https://youserver.com/download"
#MediaDownloadSize is the maximum size of attachments, videos, images
#matterbridge will download and upload this file to bridges that also support uploading files.
#eg downloading from slack to upload it to mattermost
#
#It will only download from bridges that don't have public links available, which are for the moment
#slack, telegram, matrix and mattermost
#
#Optional (default 1000000 (1 megabyte))
MediaDownloadSize=1000000
###################################################################
#Gateway configuration
###################################################################
#You can specify multiple gateways using [[gateway]]
#Each gateway has a [[gateway.in]] and a [[gateway.out]]
#[[gateway.in]] specifies the account and channels we will receive messages from.
#[[gateway.out]] specifies the account and channels we will send the messages
#from [[gateway.in]] to.
#
#Most of the time [[gateway.in]] and [[gateway.out]] are the same if you
#want bidirectional bridging. You can then use [[gateway.inout]]
#
[[gateway]]
#REQUIRED and UNIQUE
name="minecraft"
#Enable enables this gateway
##OPTIONAL (default false)
enable=true
# API
[[gateway.inout]]
account="api.minecraft"
channel="api"
[[gateway.inout]]
account="nctalk.bridge"
token="wgo6vovu"

48
tasks/coturn.yaml Normal file
View File

@ -0,0 +1,48 @@
---
# tasks file for coturn
- name: Add Small Hack repo
kubernetes.core.helm_repository:
name: small-hack-coturn
repo_url: https://small-hack.github.io/coturn-chart
register: repo
- name: Update Helm repos
command: helm repo update
when: repo.changed
- name: Deploy Coturn
kubernetes.core.helm:
name: coturn
chart_ref: small-hack-coturn/coturn
release_namespace: coturn
create_namespace: true
values:
certificate:
enabled: true
host: coturn.eom.dev
issuer: ca-issuer
uris:
- turns:coturn.eom.dev?transport=udp
allowGuests: true
sharedSecret: "{{ coturn_shared_secret }}"
service:
type: NodePort
image:
tag: latest
pullPolicy: Always
externalDatabase:
enabled: true
postgresql:
enabled: false
global:
postgresql:
auth:
password: "{{ coturn_admin_password }}"
primary:
persistence:
size: 256Gi
coturn:
realm: coturn.eom.dev
auth:
username: coturn
password: "{{ coturn_admin_password }}"

12
tasks/gitea.yaml
View File

@ -18,7 +18,7 @@
create_namespace: true create_namespace: true
values: values:
image: image:
pullPolicy: Always pullPolicy: IfNotPresent
service: service:
ssh: ssh:
type: LoadBalancer type: LoadBalancer
@ -65,11 +65,17 @@
config: config:
APP_NAME: "Gitea" APP_NAME: "Gitea"
service: service:
DISABLE_REGISTRATION: true DISABLE_REGISTRATION: false
SHOW_REGISTRATION_BUTTON: false
DEFAULT_ALLOW_CREATE_ORGANIZATION: false DEFAULT_ALLOW_CREATE_ORGANIZATION: false
ALLOW_ONLY_EXTERNAL_REGISTRATION: true
oauth2_client:
ENABLE_AUTO_REGISTRATION: true
UPDATE_AVATAR: true
ACCOUNT_LINKING: auto
mailer: mailer:
ENABLED: true ENABLED: true
SMTP_ADDR: mail.eom.dev SMTP_ADDR: postfix.eom.dev
SMTP_PORT: 587 SMTP_PORT: 587
USER: gitea USER: gitea
PASSWD: "{{ gitea_admin_password }}" PASSWD: "{{ gitea_admin_password }}"

51
tasks/grafana-matrix-forwarder.yaml Normal file
View File

@ -0,0 +1,51 @@
---
# tasks file for grafana-matrix-forwarder
- name: Create a Deployment for Grafana Matrix Forwarder
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: matrix-forwarder
namespace: grafana
spec:
replicas: 1
selector:
matchLabels:
app: matrix-forwarder
template:
metadata:
labels:
app: matrix-forwarder
spec:
containers:
- name: matrix-forwarder
image: registry.gitlab.com/hctrdev/grafana-matrix-forwarder
ports:
- containerPort: 6000
env:
- name: GMF_MATRIX_USER
value: grafana
- name: GMF_MATRIX_PASSWORD
value: "{{ grafana_admin_password }}"
- name: GMF_MATRIX_HOMESERVER
value: synapse.eom.dev
- name: GMF_RESOLVE_MODE
value: reply
- name: Expose GMF Deployment as a Service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: matrix-forwarder
namespace: grafana
spec:
selector:
app: matrix-forwarder
ports:
- port: 80
targetPort: 6000
name: http
type: ClusterIP

18
tasks/mail.yaml
View File

@ -33,10 +33,11 @@
subject: subject:
organizations: organizations:
- EOM - EOM
commonName: mail.eom.dev commonName: eom.dev
dnsNames: dnsNames:
- mail.eom.dev
- eom.dev - eom.dev
- postfix.eom.dev
- dovecot.eom.dev
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer kind: ClusterIssuer
@ -88,11 +89,14 @@
- containerPort: 465 - containerPort: 465
- containerPort: 587 - containerPort: 587
- containerPort: 993 - containerPort: 993
- containerPort: 995
env: env:
- name: OVERRIDE_HOSTNAME - name: OVERRIDE_HOSTNAME
value: "mail.eom.dev" value: "postfix.eom.dev"
- name: POSTMASTER_ADDRESS - name: POSTMASTER_ADDRESS
value: "postmaster@eom.dev" value: "postfix@eom.dev"
- name: ENABLE_POP3
value: "1"
- name: ACCOUNT_PROVISIONER - name: ACCOUNT_PROVISIONER
value: "LDAP" value: "LDAP"
- name: LDAP_SERVER_HOST - name: LDAP_SERVER_HOST
@ -106,7 +110,7 @@
- name: LDAP_QUERY_FILTER_DOMAIN - name: LDAP_QUERY_FILTER_DOMAIN
value: "(mail=*@%s)" value: "(mail=*@%s)"
- name: LDAP_QUERY_FILTER_USER - name: LDAP_QUERY_FILTER_USER
value: "(&(mail=%s)(memberOf=cn=Mail Users,ou=Mail,ou=Services,dc=eom,dc=dev))" value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))"
- name: LDAP_QUERY_FILTER_ALIAS - name: LDAP_QUERY_FILTER_ALIAS
value: "(&(objectClass=posixAccount)(mailAlias=%s))" value: "(&(objectClass=posixAccount)(mailAlias=%s))"
- name: LDAP_QUERY_FILTER_GROUP - name: LDAP_QUERY_FILTER_GROUP
@ -120,7 +124,7 @@
- name: DOVECOT_DEFAULT_PASS_SCHEME - name: DOVECOT_DEFAULT_PASS_SCHEME
value: "MD5-CRYPT" value: "MD5-CRYPT"
- name: DOVECOT_USER_FILTER - name: DOVECOT_USER_FILTER
value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Mail Users,ou=Mail,ou=Services,dc=eom,dc=dev))" value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Dovecot Users,ou=Dovecot,ou=Services,dc=eom,dc=dev))"
- name: DOVECOT_PASS_ATTRS - name: DOVECOT_PASS_ATTRS
value: "uid=user,userPassword=password" value: "uid=user,userPassword=password"
- name: DOVECOT_USER_ATTRS - name: DOVECOT_USER_ATTRS
@ -165,4 +169,6 @@
name: smtps name: smtps
- port: 993 - port: 993
name: imap name: imap
- port: 995
name: pop3
type: LoadBalancer type: LoadBalancer

2
tasks/main.yaml
View File

@ -3,4 +3,4 @@
- name: Deploy - name: Deploy
include_tasks: "{{ item }}" include_tasks: "{{ item }}"
loop: loop:
- nextcloud.yaml - gitea.yaml

2
tasks/mastodon.yaml
View File

@ -80,7 +80,7 @@
minio: minio:
enabled: false enabled: false
externalS3: externalS3:
host: minio.api.eom.dev host: minio.eom.dev
accessKeyId: mastodon accessKeyId: mastodon
accessKeySecret: "{{ mastodon_admin_password }}" accessKeySecret: "{{ mastodon_admin_password }}"
bucket: mastodon bucket: mastodon

322
tasks/matrix.yaml Normal file
View File

@ -0,0 +1,322 @@
---
# tasks file for synapse
- name: Add Small Hack repo
kubernetes.core.helm_repository:
name: small-hack-matrix
repo_url: https://small-hack.github.io/matrix-chart
register: repo
- name: Update Helm repos
command: helm repo update
when: repo.changed
- name: Deploy Matrix
kubernetes.core.helm:
name: matrix
chart_ref: small-hack-matrix/matrix
release_namespace: matrix
create_namespace: true
values:
matrix:
serverName: eom.dev
hostname: synapse.eom.dev
adminEmail: synapse@eom.dev
encryptByDefault: all
federation:
enabled: true
ingress:
enabled: true
host: eom.dev
className: nginx
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_intercept_errors off;
cert-manager.io/cluster-issuer: ca-issuer
tls:
enabled: true
host: eom.dev
oidc:
enabled: false
providers:
- idp_id: github
idp_name: Github
idp_brand: "github" # optional: styling hint for clients
discover: false
issuer: "https://github.com/"
client_id: "{{ matrix_github_oidc_client_id }}" # TO BE FILLED
client_secret: "{{ matrix_github_oidc_client_secret }}" # TO BE FILLED
authorization_endpoint: "https://github.com/login/oauth/authorize"
token_endpoint: "https://github.com/login/oauth/access_token"
userinfo_endpoint: "https://api.github.com/user"
scopes: ["read:user"]
allow_existing_users: true
enable_registration: false
user_mapping_provider:
config:
subject_claim: "id"
localpart_template: "{{ '{{ user.login }}' | quote }}"
display_name_template: "{{ '{{ user.name }}' | quote }}"
- idp_id: google
idp_name: Google
idp_brand: "google"
issuer: "https://accounts.google.com/"
client_id: "{{ matrix_google_oidc_client_id }}" # TO BE FILLED
client_secret: "{{ matrix_google_oidc_client_secret }}" # TO BE FILLED
scopes: ["openid", "profile", "email"] # email is optional, read below
allow_existing_users: true
enable_registration: false
user_mapping_provider:
config:
localpart_template: "{{ '{{ user.given_name|lower }}' | quote }}"
display_name_template: "{{ '{{ user.name }}' | quote }}"
email_template: "{{ '{{ user.email }}' | quote }}" # needs "email" in scopes above
allow_public_rooms_over_federation: true
allow_public_rooms_without_auth: true
ip_range_blacklist:
- 127.0.0.0/8
registration:
enabled: false
allowGuests: false
autoJoinRooms:
- #main:eom.dev
- #announcements:eom.dev
- #general:eom.dev
- #help:eom.dev
serve_server_wellknown: true
homeserverExtra:
modules:
- module: "ldap_auth_provider.LdapAuthProviderModule"
config:
enabled: true
uri: "ldap://openldap.openldap.svc.cluster.local:389"
mode: search
start_tls: false
base: "dc=eom,dc=dev"
attributes:
uid: "uid"
mail: "mail"
name: "givenName"
bind_dn: cn=readonly,dc=eom,dc=dev
bind_password: "{{ openldap_readonly_password }}"
filter: "(&(objectClass=posixAccount)(memberOf=cn=Synapse Users,ou=Synapse,ou=Services,dc=eom,dc=dev))"
# experimental_features:
# msc3861:
# enabled: true
# # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
# issuer: http://localhost:8080/
# client_id: 0000000000000000000SYNAPSE
# client_auth_method: client_secret_basic
# client_secret: 5ZrwKXmKdiQfus2J
# admin_token: SacP5rWpci6GMqb2
# account_management_url: "https://matrix-auth-service.eom.dev/"
volumes:
media:
capacity: 2Ti
postgresql:
enabled: true
persistence:
enabled: true
global:
postgresql:
auth:
username: synapse
password: "{{ synapse_admin_password }}"
primary:
persistence:
size: 2Ti
synapse:
ingress:
className: nginx
annotations:
cert-manager.io/cluster-issuer: ca-issuer
nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off;
hosts:
- host: synapse.eom.dev
paths:
# - path: "/_matrix/client/(r0|v3)/(refresh|login|logout).*"
# pathType: ImplementationSpecific
# backend:
# service:
# name: mas
# port:
# name: http
- path: /
pathType: Prefix
tls:
- secretName: synapse-tls
hosts:
- synapse.eom.dev
element:
enabled: true
permalinkPrefix: "https://element.eom.dev"
ingress:
host: element.eom.dev
annotations:
cert-manager.io/cluster-issuer: ca-issuer
coturn:
enabled: false
certificate:
enabled: true
host: coturn.eom.dev
issuer: ca-issuer
uris:
- turn:coturn.eom.dev?transport=udp
allowGuests: true
service:
type: NodePort
image:
tag: latest
pullPolicy: IfNotPresent
externalDatabase:
enabled: true
hostname: matrix-postgresql
username: matrix
password: "{{ matrix_admin_password }}"
database: coturn
postgresql:
enabled: false
nameOverride: matrix-coturn-postgresql
global:
postgresql:
auth:
password: "{{ coturn_admin_password }}"
primary:
persistence:
size: 256Gi
coturn:
realm: coturn.eom.dev
auth:
username: coturn
password: "{{ coturn_admin_password }}"
mail:
enabled: true
from: Synapse <synapse@eom.dev>
elementUrl: https://element.eom.dev
relay:
enabled: false
external:
hostname: postfix.eom.dev
port: "587"
username: synapse
password: "{{ synapse_admin_password }}"
mas:
enabled: false
fullnameOverride: mas
image:
pullPolicy: IfNotPresent
tag: latest
http:
public_base: https://matrix-auth-service.eom.dev/
ingress:
className: nginx
annotations:
cert-manager.io/cluster-issuer: ca-issuer
hosts:
- host: matrix-auth-service.eom.dev
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: mas-tls
hosts:
- matrix-auth-service.eom.dev
postgresql:
enabled: false
global:
auth:
password: "{{ matrix_auth_service_admin_password }}"
mas:
enabled: false
http:
public_base: https://matrix-auth-service.eom.dev/
policy:
client_registration:
allow_host_mismatch: true
allow_insecure_uris: false
clients:
- client_id: 0000000000000000000SYNAPSE
client_auth_method: client_secret_basic
client_secret: 5ZrwKXmKdiQfus2J
matrix:
homeserver: synapse.eom.dev
endpoint: https://synapse.eom.dev
secret: SacP5rWpci6GMqb2
email:
from: Matrix Auth Service <matrix-auth-service@eom.dev>
reply_to: No reply <no-reply@eom.dev>
transport: smtp
mode: tls
hostname: postfix.eom.dev
port: 587
username: matrix-auth-service
password: "{{ matrix_auth_service_admin_password }}"
upstream_oauth2:
providers:
- id: 01JG22H4F0G8PYCZ5HVTQVHBC4
issuer: https://google.com/
client_id: "{{ matrix_google_oidc_client_id }}"
client_secret: "{{ matrix_google_oidc_client_secret }}"
token_endpoint_auth_method: client_secret_basic
discovery_mode: oidc
claims_imports:
subject:
template: "{{ '{{ user.sub }}' | quote }}"
# -- The localpart is the local part of the user's Matrix ID.
# For example, on the `example.com` server, if the localpart is `alice`,
# the user's Matrix ID will be `@alice:example.com`.
localpart:
action: require
template: "{{ '{{ user.preferred_username }}' | quote }}"
# -- The display name is the user's display name.
displayname:
action: suggest
template: "{{ '{{ user.name }}' | quote }}"
# -- An email address to import.
email:
action: suggest
template: "{{ '{{ user.email }}' | quote }}"
# -- Whether the email address must be marked as verified.
# Possible values are:
# - `import`: mark the email address as verified if the upstream provider
# has marked it as verified, using the `email_verified` claim.
# This is the default.
# - `always`: mark the email address as verified
# - `never`: mark the email address as not verified
set_email_verification: import
- id: 01JG2B7DBS6RQRH1TFVZ4BP7H8
issuer: https://github.com/
client_id: "{{ matrix_github_oidc_client_id }}"
client_secret: "{{ matrix_github_oidc_client_secret }}"
token_endpoint_auth_method: client_secret_basic
discovery_mode: oidc
claims_imports:
subject:
template: "{{ '{{ user.sub }}' | quote }}"
# -- The localpart is the local part of the user's Matrix ID.
# For example, on the `example.com` server, if the localpart is `alice`,
# the user's Matrix ID will be `@alice:example.com`.
localpart:
action: require
template: "{{ '{{ user.preferred_username }}' | quote }}"
# -- The display name is the user's display name.
displayname:
action: suggest
template: "{{ '{{ user.name }}' | quote }}"
# -- An email address to import.
email:
action: suggest
template: "{{ '{{ user.email }}' | quote }}"
# -- Whether the email address must be marked as verified.
# Possible values are:
# - `import`: mark the email address as verified if the upstream provider
# has marked it as verified, using the `email_verified` claim.
# This is the default.
# - `always`: mark the email address as verified
# - `never`: mark the email address as not verified
set_email_verification: import

70
tasks/matterbridge.yaml Normal file
View File

@ -0,0 +1,70 @@
---
# Tasks file for Matterbridge
- name: Create Matterbridge namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: matterbridge
- name: Create ConfigMap for Matterbridge
k8s:
definition:
apiVersion: v1
kind: ConfigMap
metadata:
name: matterbridge
namespace: matterbridge
data:
matterbridge.toml: "{{ lookup('file', 'matterbridge.toml') }}"
- name: Create Deployment for Matterbridge
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: matterbridge
namespace: matterbridge
spec:
replicas: 1
selector:
matchLabels:
app: matterbridge
template:
metadata:
labels:
app: matterbridge
spec:
containers:
- name: matterbridge
image: 42wim/matterbridge
volumeMounts:
- name: config
mountPath: /etc/matterbridge
ports:
- containerPort: 4242
volumes:
- name: config
configMap:
name: matterbridge
subPath: matterbridge.toml
- name: Create Service for Matterbridge
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: matterbridge
namespace: matterbridge
spec:
selector:
app: matterbridge
ports:
- port: 80
targetPort: 4242
name: http
type: ClusterIP

11
tasks/mediawiki.yaml
View File

@ -45,7 +45,10 @@
containers: containers:
- name: mediawiki - name: mediawiki
image: ericomeehan/mediawiki-extended image: ericomeehan/mediawiki-extended
imagePullPolicy: Always imagePullPolicy: IfNotPresent
resources:
requests:
memory: 2Gi
env: env:
- name: WIKI_NAME - name: WIKI_NAME
value: MediaWiki value: MediaWiki
@ -88,11 +91,11 @@
- name: LDAP_BIND_PASS - name: LDAP_BIND_PASS
value: "{{ openldap_readonly_password }}" value: "{{ openldap_readonly_password }}"
- name: LDAP_BUREAUCRAT_GROUP - name: LDAP_BUREAUCRAT_GROUP
value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev value: cn=Mediawiki Bureaucrats,ou=MediaWiki,ou=Services,dc=eom,dc=dev
- name: LDAP_INTERFACE_ADMIN_GROUP - name: LDAP_INTERFACE_ADMIN_GROUP
value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev value: cn=Mediawiki Interface Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev
- name: LDAP_SYSOP_GROUP - name: LDAP_SYSOP_GROUP
value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev value: cn=Mediawiki Sysops,ou=MediaWiki,ou=Services,dc=eom,dc=dev
- name: LDAP_SEARCH_FILTER - name: LDAP_SEARCH_FILTER
value: (&(objectClass=posixAccount)(uid=%1$s)(memberOf=cn=Mediawiki Users,ou=MediaWiki,ou=Services,dc=eom,dc=dev)) value: (&(objectClass=posixAccount)(uid=%1$s)(memberOf=cn=Mediawiki Users,ou=MediaWiki,ou=Services,dc=eom,dc=dev))
ports: ports:

51
tasks/nextcloud.yaml
View File

@ -18,7 +18,7 @@
create_namespace: true create_namespace: true
values: values:
image: image:
pullPolicy: Always pullPolicy: IfNotPresent
tag: latest tag: latest
nextcloud: nextcloud:
host: nextcloud.eom.dev host: nextcloud.eom.dev
@ -46,15 +46,6 @@
authtype: LOGIN authtype: LOGIN
name: nextcloud name: nextcloud
password: "{{ nextcloud_admin_password }}" password: "{{ nextcloud_admin_password }}"
internalDatabase:
enabled: false
externalDatabase:
enabled: true
type: postgresql
host: postgresql
user: nextcloud
password: "{{ nextcloud_admin_password }}"
database: nextcloud
persistence: persistence:
enabled: true enabled: true
size: 8Ti size: 8Ti
@ -70,13 +61,49 @@
enabled: true enabled: true
className: nginx className: nginx
annotations: annotations:
nginx.ingress.kubernetes.io/enable-cors: "true" #nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
nginx.ingress.kubernetes.io/proxy-body-size: 4G
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: ca-issuer cert-manager.io/cluster-issuer: ca-issuer
# Keep this in sync with the README.md:
nginx.ingress.kubernetes.io/server-snippet: |-
server_tokens off;
proxy_hide_header X-Powered-By;
rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
deny all;
}
tls: tls:
- hosts: - hosts:
- nextcloud.eom.dev - nextcloud.eom.dev
secretName: nextcloud-tls secretName: nextcloud-tls
internalDatabase:
enabled: false
externalDatabase:
enabled: true
type: postgresql
host: postgresql
user: nextcloud
password: "{{ nextcloud_admin_password }}"
database: nextcloud
postgresql: postgresql:
enabled: true enabled: true
global: global:

2
tasks/openldap.yaml
View File

@ -73,6 +73,8 @@
value: "true" value: "true"
- name: LDAP_READONLY_USER_PASSWORD - name: LDAP_READONLY_USER_PASSWORD
value: "{{ openldap_readonly_password }}" value: "{{ openldap_readonly_password }}"
- name: LDAP_TLS_VERIFY_CLIENT
value: never
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /etc/ldap/slapd.d mountPath: /etc/ldap/slapd.d

82
tasks/sogo.yaml Normal file
View File

@ -0,0 +1,82 @@
---
# tasks file for SOGo
- name: Create SOGo namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: sogo
- name: Create a deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: sogo
namespace: sogo
spec:
replicas: 1
selector:
matchLabels:
app: sogo
template:
metadata:
labels:
app: sogo
spec:
containers:
- name: sogo
image: mailcow/sogo
volumeMounts:
- name: mail
mountPath: /var/mail
ports:
- containerPort: 80
env:
- name: OVERRIDE_HOSTNAME
value: "postfix.eom.dev"
- name: POSTMASTER_ADDRESS
value: "postfix@eom.dev"
- name: ACCOUNT_PROVISIONER
value: "LDAP"
- name: LDAP_SERVER_HOST
value: "ldap://openldap.openldap.svc.cluster.local/"
- name: LDAP_SEARCH_BASE
value: "dc=eom,dc=dev"
- name: LDAP_BIND_DN
value: "cn=readonly,dc=eom,dc=dev"
- name: LDAP_BIND_PW
value: "{{ openldap_readonly_password }}"
- name: LDAP_QUERY_FILTER_DOMAIN
value: "(mail=*@%s)"
- name: LDAP_QUERY_FILTER_USER
value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))"
- name: LDAP_QUERY_FILTER_ALIAS
value: "(&(objectClass=posixAccount)(mailAlias=%s))"
- name: LDAP_QUERY_FILTER_GROUP
value: "(&(objectClass=posixAccount)(mailGroupMember=%s))"
- name: LDAP_QUERY_FILTER_SENDERS
value: "(&(objectClass=posixAccount)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
volumes:
- name: mail
persistentVolumeClaim:
claimName: mail
- name: Expose deployment as a service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: sogo
namespace: sogo
spec:
selector:
app: sogo
ports:
- port: 80
name: http
type: LoadBalancer

232
tasks/wordpress.yaml
View File

@ -1,202 +1,40 @@
--- ---
# tasks file for wordpress # tasks file for wordpress
- name: Create WordPress namespace - name: Deploy Wordpress
k8s: kubernetes.core.helm:
state: present name: wordpress
definition: chart_ref: bitnami/wordpress
apiVersion: v1 release_namespace: wordpress
kind: Namespace create_namespace: true
metadata: values:
name: wordpress wordpressUsername: wordpress_admin
wordpressPassword: "{{ wordpress_admin_password }}"
- name: Create PVC for MySQL wordpressEmail: wordpress@eom.dev
k8s: wordpressFirstName: Administrator
state: present wordpressLastName: Wordpress
definition: wordpressBlogName: Wordpress
apiVersion: v1 wordpressScheme: https
kind: PersistentVolumeClaim smtpHost: postfix.eom.dev
metadata: smtpPort: 587
name: mysql smtpUser: wordpress
namespace: wordpress smtpPassword: "{{ wordpress_admin_password }}"
spec: smtpFromName: Wordpress
accessModes: service:
- ReadWriteOnce
resources:
requests:
storage: 64Gi
- name: Create Deployment for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: mysql
namespace: wordpress
labels:
app: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
template:
metadata:
labels:
app: mysql
spec:
containers:
- name: mysql
image: mysql
volumeMounts:
- name: data
mountPath: /var/lib/mysql
ports:
- containerPort: 3306
env:
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_DATABASE
value: wordpress
- name: MYSQL_USER
value: wordpress
- name: MYSQL_PASSWORD
value: "{{ wordpress_mysql_password }}"
volumes:
- name: data
persistentVolumeClaim:
claimName: mysql
- name: Create Service for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: mysql
namespace: wordpress
spec:
selector:
app: mysql
ports:
- port: 3306
name: mysql
type: ClusterIP type: ClusterIP
ingress:
- name: Create PVC for WordPress enabled: true
k8s: ingressClassName: nginx
state: present hostname: wordpress.eom.dev
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wordpress
namespace: wordpress
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 128Gi
- name: Create Deployment for WordPress
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: wordpress
namespace: wordpress
labels:
app: wordpress
spec:
replicas: 1
selector:
matchLabels:
app: wordpress
template:
metadata:
labels:
app: wordpress
spec:
containers:
- name: wordpress
image: wordpress
volumeMounts:
- name: data
mountPath: /var/wordpress/html
ports:
- containerPort: 3000
env:
- name: WORDPRESS_DB_HOST
value: mysql
- name: WORDPRESS_DB_NAME
value: wordpress
- name: WORDPRESS_DB_USER
value: wordpress
- name: WORDPRESS_DB_PASSWORD
value: "{{ wordpress_mysql_password }}"
volumes:
- name: data
persistentVolumeClaim:
claimName: wordpress
- name: Create Service for WordPress
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: wordpress
namespace: wordpress
spec:
selector:
app: wordpress
ports:
- port: 80
name: http
type: ClusterIP
- name: Create Ingress
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: ca-issuer cert-manager.io/cluster-issuer: ca-issuer
name: wordpress tls: true
namespace: wordpress persistence:
spec: enabled: true
ingressClassName: nginx size: 2Ti
rules: mariadb:
- host: www.eom.dev enabled: true
http: auth:
paths: password: "{{ wordpress_admin_password }}"
- pathType: Prefix primary:
path: / persistence:
backend: size: 2Ti
service:
name: wordpress
port:
number: 80
- host: wordpress.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: wordpress
port:
number: 80
tls:
- hosts:
- www.eom.dev
- wordpress.eom.dev
secretName: wordpress

4
templates/ldap.toml.j2
View File

@ -59,11 +59,11 @@ org_id = 1
org_role = "Viewer" org_role = "Viewer"
[[servers.group_mappings]] [[servers.group_mappings]]
group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev" group_dn = "cn=DevOps Owners,ou=Teams,dc=eom,dc=dev"
org_id = 2 org_id = 2
org_role = "Admin" org_role = "Admin"
[[servers.group_mappings]] [[servers.group_mappings]]
group_dn = "cn=Finance Owners,ou=Finance,ou=Organizations,dc=eom,dc=dev" group_dn = "cn=Finance Owners,ou=Teams,dc=eom,dc=dev"
org_id = 3 org_id = 3
org_role = "Admin" org_role = "Admin"