v0.0.1

tasks/git.yaml

@@ -0,0 +1,108 @@
+---
+# tasks file for git
+- name: Create persistent volume for git
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolume
+      metadata:
+        name: "eom-{{ target_namespace }}-git"
+      spec:
+        capacity:
+          storage: 32Gi
+        accessModes:
+          - ReadWriteMany
+        persistentVolumeReclaimPolicy: Retain
+        storageClassName: standard
+        hostPath:
+          path: "/data/store-0/eom/git"
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: In
+                  values:
+                    - alpha-worker-0
+
+- name: Create a persistent volume claim for git
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: git
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        accessModes:
+          - ReadWriteMany
+        resources:
+          requests:
+            storage: 32Gi
+        storageClassName: standard
+        volumeName: "eom-{{ target_namespace }}-git"
+
+- name: Create a config map for httpd
+  k8s:
+    state: present
+    api_version: v1
+    kind: ConfigMap
+    name: git
+    namespace: "eom-{{ target_namespace }}"
+    definition:
+      data:
+        httpd.conf: "{{ lookup('template', 'git-httpd.conf.j2') }}"
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: git
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: git
+        template:
+          metadata:
+            labels:
+              app: git
+          spec:
+            containers:
+              - name: cgit
+                image: invokr/cgit
+                volumeMounts:
+                  - name: config
+                    mountPath: /etc/httpd/conf
+                  - name: data
+                    mountPath: /var/www/htdocs/cgit
+                ports:
+                  - containerPort: 80
+            volumes:
+              - name: config
+                configMap:
+                  name: git
+              - name: data
+                persistentVolumeClaim:
+                  claimName: git
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: git
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        selector:
+          app: git
+        ports:
+          - port: 80
+            name: git-80
+        type: ClusterIP

tasks/mail.yaml

@@ -0,0 +1,169 @@
+---
+# tasks file for mail
+- name: Create ConfigMap for mail
+  k8s:
+    state: present
+    api_version: v1
+    kind: ConfigMap
+    name: mail
+    namespace: "eom-{{ target_namespace }}"
+    definition:
+      data:
+        server.crt: "{{ proxy_server_crt }}"
+        server.key: "{{ proxy_server_key }}"
+
+- name: Create persistent volume for mail
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolume
+      metadata:
+        name: "eom-{{ target_namespace }}-mail"
+      spec:
+        capacity:
+          storage: 32Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        storageClassName: standard
+        hostPath:
+          path: "/data/store-0/eom/mail"
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: In
+                  values:
+                    - alpha-worker-0
+
+- name: Create a persistent volume claim for mail
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: mail
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 32Gi
+        storageClassName: standard
+        volumeName: "eom-{{ target_namespace }}-mail"
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: mail
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: mail
+        template:
+          metadata:
+            labels:
+              app: mail
+          spec:
+            containers:
+              - name: mail
+                image: mailserver/docker-mailserver
+                volumeMounts:
+                  - name: ssl
+                    mountPath: /etc/letsencrypt
+                  - name: mail
+                    mountPath: /var/mail
+                ports:
+                  - containerPort: 25
+                  - containerPort: 465
+                  - containerPort: 587
+                  - containerPort: 993
+                env:
+                  - name: OVERRIDE_HOSTNAME
+                    value: "mail.eom.dev"
+                  - name: ACCOUNT_PROVISIONER
+                    value: "LDAP"
+                  - name: LDAP_SERVER_HOST
+                    value: "ldap://openldap/"
+                  - name: LDAP_SEARCH_BASE
+                    value: "dc=eom,dc=dev"
+                  - name: LDAP_BIND_DN
+                    value: "cn=admin,dc=eom,dc=dev"
+                  - name: LDAP_BIND_PW
+                    value: "{{ ldap_admin_password }}"
+                  - name: LDAP_QUERY_FILTER_USER
+                    value: "(&(mail=%s))"
+                  - name: LDAP_QUERY_FILTER_GROUP
+                    value: "(&(mailGroupMember=%s)(mailEnabled=TRUE))"
+                  - name: LDAP_QUERY_FILTER_ALIAS
+                    value: "(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))"
+                  - name: LDAP_QUERY_FILTER_DOMAIN
+                    value: "(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))"
+                  - name: DOVECOT_PASS_FILTER
+                    value: "(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"
+                  - name: DOVECOT_USER_FILTER
+                    value: "(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"
+                  - name: ENABLE_SASLAUTHD
+                    value: "1"
+                  - name: SASLAUTHD_MECHANISMS
+                    value: "ldap"
+                  - name: SASLAUTHD_LDAP_SERVER
+                    value: "ldap://openldap/"
+                  - name: SASLAUTHD_LDAP_BIND_DN
+                    value: "cn=admin,dc=eom,dc=dev"
+                  - name: SASLAUTHD_LDAP_PASSWORD
+                    value: "{{ ldap_admin_password }}"
+                  - name: SASLAUTHD_LDAP_SEARCH_BASE
+                    value: "dc=eom,dc=dev"
+                  - name: SASLAUTHD_LDAP_FILTER
+                    value: "(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%U))"
+                  - name: POSTMASTER_ADDRESS
+                    value: "admin@mail.eom.dev"
+                  - name: SSL_TYPE
+                    value: "manual"
+                  - name: SSL_CERT_PATH
+                    value: "/etc/letsencrypt/server.crt"
+                  - name: SSL_KEY_PATH
+                    value: "/etc/letsencrypt/server.key"
+            volumes:
+              - name: ssl
+                configMap:
+                  name: mail
+              - name: mail
+                persistentVolumeClaim:
+                  claimName: mail
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: mail
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        selector:
+          app: mail
+        ports:
+          - port: 25
+            name: mail-25
+            nodePort: 30025
+          - port: 465
+            name: mail-465
+            nodePort: 30465
+          - port: 587
+            name: mail-587
+            nodePort: 30587
+          - port: 993
+            name: mail-993
+            nodePort: 30993
+        type: NodePort

tasks/main.yml

@@ -0,0 +1,51 @@
+---
+# tasks file for eom
+- name: Create eom namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "eom-{{ target_namespace }}"
+
+- name: Deploy eom openldap
+  include_tasks: openldap.yaml
+
+- name: Deploy eom mail
+  include_tasks: mail.yaml
+
+- name: Deploy eom git
+  include_tasks: git.yaml
+
+- name: Deploy eom media
+  include_tasks: media.yaml
+
+- name: Deploy eom www
+  include_tasks: www.yaml
+
+- name: Deploy eom proxy
+  include_tasks: proxy.yaml
+
+- name: Create network policy
+  k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: restrict-external-access
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        podSelector:
+          matchExpressions:
+            - key: app
+              operator: In
+              values:
+                - proxy
+        policyTypes:
+        - Ingress
+        ingress:
+        - from:
+          - ipBlock:
+              cidr: 192.168.1.0/24

tasks/media.yaml

@@ -0,0 +1,110 @@
+---
+# tasks file for media
+- name: Create persistent volume for media
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolume
+      metadata:
+        name: "eom-{{ target_namespace }}-media"
+      spec:
+        capacity:
+          storage: 1024Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        storageClassName: standard
+        hostPath:
+          path: "/data/store-0/eom/media"
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: In
+                  values:
+                    - alpha-worker-0
+
+- name: Create a persistent volume claim for media
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: media
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1024Gi
+        storageClassName: standard
+        volumeName: "eom-{{ target_namespace }}-media"
+
+- name: Create a config map for httpd
+  k8s:
+    state: present
+    api_version: v1
+    kind: ConfigMap
+    name: media
+    namespace: "eom-{{ target_namespace }}"
+    definition:
+      data:
+        httpd.conf: "{{ lookup('file', 'media-httpd.conf') }}"
+        httpd-dav.conf: "{{ lookup('template', 'httpd-dav.conf.j2') }}"
+        mime.types: "{{ lookup('file', 'mime.types') }}"
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: media
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: media
+        template:
+          metadata:
+            labels:
+              app: media
+          spec:
+            containers:
+              - name: httpd
+                image: httpd
+                volumeMounts:
+                  - name: config
+                    mountPath: /usr/local/apache2/conf
+                  - name: media
+                    mountPath: /usr/local/apache2/htdocs/
+                ports:
+                  - containerPort: 80
+            volumes:
+              - name: config
+                configMap:
+                  name: media
+              - name: media
+                persistentVolumeClaim:
+                  claimName: media
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: media
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        selector:
+          app: media
+        ports:
+          - port: 80
+            name: media-80
+        type: ClusterIP

tasks/mongodb.yaml

@@ -0,0 +1,97 @@
+---
+# tasks file for mongodb
+- name: Create persistent volume for mongodb
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolume
+      metadata:
+        name: "eom-{{ target_namespace }}-mongodb"
+      spec:
+        capacity:
+          storage: 32Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        storageClassName: standard
+        hostPath:
+          path: "/data/store-0/eom/mongodb"
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: In
+                  values:
+                    - alpha-worker-0
+
+- name: Create a persistent volume claim for mongodb
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: mongodb
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 32Gi
+        storageClassName: standard
+        volumeName: "eom-{{ target_namespace }}-mongodb"
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: mongodb
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: mongodb
+        template:
+          metadata:
+            labels:
+              app: mongodb
+          spec:
+            containers:
+              - name: mongo
+                image: mongo
+                volumeMounts:
+                  - name: mongodb
+                    mountPath: /data/db
+                ports:
+                  - containerPort: 8081
+                env:
+                  - name: MONGO_INITDB_ROOT_USERNAME
+                    value: "root"
+                  - name: MONGO_INITDB_ROOT_PASSWORD
+                    value: "{{ mongodb_root_password }}"
+            volumes:
+              - name: mongodb
+                persistentVolumeClaim:
+                  claimName: mongodb
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: mongodb
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        selector:
+          app: mongodb
+        ports:
+          - port: 8081
+            name: mongodb-8081
+        type: ClusterIP

tasks/openldap.yaml

@@ -0,0 +1,153 @@
+---
+# tasks file for openldap
+- name: Create persistent volume for openldap-config
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolume
+      metadata:
+        name: "eom-{{ target_namespace }}-openldap-config"
+      spec:
+        capacity:
+          storage: 1024Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        storageClassName: standard
+        hostPath:
+          path: "/data/store-0/eom/openldap-config"
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: In
+                  values:
+                    - alpha-worker-0
+
+- name: Create a persistent volume claim for openldap-config
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: openldap-config
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1024Gi
+        storageClassName: standard
+        volumeName: "eom-{{ target_namespace }}-openldap-config"
+
+- name: Create persistent volume for openldap-data
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolume
+      metadata:
+        name: "eom-{{ target_namespace }}-openldap-data"
+      spec:
+        capacity:
+          storage: 1024Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        storageClassName: standard
+        hostPath:
+          path: "/data/store-0/eom/openldap-data"
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: In
+                  values:
+                    - alpha-worker-0
+
+- name: Create a persistent volume claim for openldap-data
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: openldap-data
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1024Gi
+        storageClassName: standard
+        volumeName: "eom-{{ target_namespace }}-openldap-data"
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: openldap
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: openldap
+        template:
+          metadata:
+            labels:
+              app: openldap
+          spec:
+            containers:
+              - name: openldap
+                image: osixia/openldap
+                env:
+                  - name: LDAP_ORGANISATION
+                    value: "EOM"
+                  - name: LDAP_DOMAIN
+                    value: "eom.dev"
+                  - name: LDAP_ADMIN_PASSWORD
+                    value: "{{ ldap_admin_password }}"
+                  - name: LDAP_READONLY_USER
+                    value: "true"
+                  - name: LDAP_READONLY_USER_PASSWORD
+                    value: "{{ ldap_readonly_password }}"
+                volumeMounts:
+                  - name: config
+                    mountPath: /etc/ldap/slapd.d
+                  - name: data
+                    mountPath: /var/lib/ldap
+                ports:
+                  - containerPort: 389
+                  - containerPort: 636
+            volumes:
+              - name: config
+                persistentVolumeClaim:
+                  claimName: openldap-config
+              - name: data
+                persistentVolumeClaim:
+                  claimName: openldap-data
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: openldap
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        selector:
+          app: openldap
+        ports:
+          - port: 389
+            name: openldap-389
+        type: ClusterIP

tasks/proxy.yaml

@@ -0,0 +1,71 @@
+---
+# tasks file for deploy-reverse-proxy.yml
+- name: Create ConfigMap for httpd
+  k8s:
+    state: present
+    api_version: v1
+    kind: ConfigMap
+    name: proxy
+    namespace: "eom-{{ target_namespace }}"
+    definition:
+      data:
+        httpd.conf: "{{ lookup('file', 'proxy-httpd.conf') }}"
+        httpd-proxy.conf: "{{ lookup('file', 'httpd-proxy.conf') }}"
+        httpd-ssl.conf: "{{ lookup('file', 'httpd-ssl.conf') }}"
+        mime.types: "{{ lookup('file', 'mime.types') }}"
+        server.crt: "{{ proxy_server_crt }}"
+        server.key: "{{ proxy_server_key }}"
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: proxy
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: proxy
+        template:
+          metadata:
+            labels:
+              app: proxy
+          spec:
+            containers:
+              - name: proxy
+                image: httpd
+                volumeMounts:
+                  - name: config
+                    mountPath: /usr/local/apache2/conf
+                ports:
+                  - containerPort: 80
+                  - containerPort: 443 
+            volumes:
+              - name: config
+                configMap:
+                  name: proxy
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: proxy
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        selector:
+          app: proxy
+        ports:
+          - port: 80
+            protocol: TCP
+            nodePort: 30080
+            name: proxy-80
+          - port: 443
+            protocol: TCP
+            nodePort: 30443
+            name: proxy-443
+        type: NodePort

tasks/www.yaml

@@ -0,0 +1,60 @@
+---
+# tasks file for www
+- name: Create a config map for www
+  k8s:
+    state: present
+    api_version: v1
+    kind: ConfigMap
+    name: www
+    namespace: "eom-{{ target_namespace }}"
+    definition:
+      data:
+        httpd.conf: "{{ lookup('template', 'www-httpd.conf.j2') }}"
+        mime.types: "{{ lookup('file', 'mime.types') }}"
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: www
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: www
+        template:
+          metadata:
+            labels:
+              app: www
+          spec:
+            containers:
+              - name: httpd
+                image: httpd
+                volumeMounts:
+                  - name: config
+                    mountPath: /usr/local/apache2/conf
+                ports:
+                  - containerPort: 80
+            volumes:
+              - name: config
+                configMap:
+                  name: www
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: www
+        namespace: "eom-{{ target_namespace }}"
+      spec:
+        selector:
+          app: www
+        ports:
+          - port: 80
+            name: www-80
+        type: ClusterIP