This commit is contained in:
Eric Meehan 2024-11-14 10:26:22 -05:00
parent be231a9031
commit a30ac9c55f
6 changed files with 352 additions and 76 deletions


@ -106,3 +106,81 @@
- port: 636
name: ldaps
type: ClusterIP
- name: Create Deployment for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: phpldapadmin
namespace: auth
spec:
replicas: 1
selector:
matchLabels:
app: phpldapadmin
template:
metadata:
labels:
app: phpldapadmin
spec:
containers:
- name: phpldapadmin
image: osixia/phpldapadmin
env:
- name: PHPLDAPADMIN_LDAP_HOSTS
value: "openldap"
- name: PHPLDAPADMIN_SERVER_ADMIN
value: "eric@mail.eom.dev"
- name: PHPLDAPADMIN_SERVER_PATH
value: "/"
- name: PHPLDAPADMIN_HTTPS
value: "false"
ports:
- containerPort: 80
- name: Create Service for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: phpldapadmin
namespace: auth
spec:
selector:
app: phpldapadmin
ports:
- port: 80
name: http
type: ClusterIP
- name: Create Ingress
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: phpldapadmin
namespace: auth
spec:
ingressClassName: nginx
rules:
- host: auth.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: phpldapadmin
port:
number: 80
tls:
- hosts:
- auth.eom.dev
secretName: phpldapadmin
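Review bot: The phpLDAPadmin Deployment is declared with `apiVersion: v1` directly under `definition:`, but Deployments are served from the `apps/v1` group; the core group has no Deployment kind, so the `k8s` task will fail to resolve the resource and the Service and Ingress that follow will select nothing. Change it to `apiVersion: apps/v1`. The image is also unpinned (`image: osixia/phpldapadmin`), so every rollout pulls whatever `latest` resolves to; pin a tag or digest for an admin UI that handles directory credentials. `PHPLDAPADMIN_HTTPS: "false"` behind the TLS-terminating Ingress is consistent, but the hop from phpLDAPadmin to `openldap` defaults to plain 389 even though an `ldaps` port on 636 is defined in the context lines just above — consider switching that hop to TLS as well (check the image's `PHPLDAPADMIN_LDAP_HOSTS` host-option syntax for how to request it).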


@ -1,5 +1,5 @@
---
# tasks file for gitea
# tasks file for gitlab
- name: Create git namespace
k8s:
state: present
@ -9,14 +9,14 @@
metadata:
name: git
- name: Create PVC for MySQL
- name: Create PVC for PostgreSQL
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mysql
name: postgres
namespace: git
spec:
accessModes:
@ -25,74 +25,74 @@
requests:
storage: 64Gi
- name: Create Deployment for MySQL
- name: Create Deployment for PostgreSQL
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: mysql
name: postgres
namespace: git
labels:
app: mysql
app: postgres
spec:
replicas: 1
selector:
matchLabels:
app: mysql
app: postgres
template:
metadata:
labels:
app: mysql
app: postgres
spec:
containers:
- name: mysql
image: mysql
- name: postgres
image: postgres
volumeMounts:
- name: data
mountPath: /var/lib/mysql
mountPath: /var/lib/postgresql/data
ports:
- containerPort: 3306
- containerPort: 5432
env:
- name: MYSQL_DATABASE
value: gitea
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_USER
value: gitea
- name: MYSQL_PASSWORD
value: "{{ gitea_mysql_password }}"
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
- name: POSTGRES_DB
value: gitlabhq_production
- name: POSTGRES_USER
value: gitlab
- name: POSTGRES_PASSWORD
value: "{{ gitlab_postgres_password }}"
volumes:
- name: data
persistentVolumeClaim:
claimName: mysql
claimName: postgres
- name: Create Service for MySQL
- name: Create Service for PostgreSQL
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: mysql
name: postgres
namespace: git
spec:
selector:
app: mysql
app: postgres
ports:
- port: 3306
name: mysql
- port: 5432
name: postgres
type: ClusterIP
- name: Create PVC for Gitea
- name: Create PVC for GitLab
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea
name: gitlab
namespace: git
spec:
accessModes:
@ -101,71 +101,84 @@
requests:
storage: 128Gi
- name: Create Deployment for Gitea
- name: Create Deployment for GitLab
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: gitea
name: gitlab
namespace: git
labels:
app: gitea
app: gitlab
spec:
replicas: 1
selector:
matchLabels:
app: gitea
app: gitlab
template:
metadata:
labels:
app: gitea
app: gitlab
spec:
containers:
- name: gitea
image: gitea/gitea
- name: gitlab
image: gitlab/gitlab-ce
volumeMounts:
- name: data
mountPath: /data
mountPath: /var/opt/gitlab
ports:
- containerPort: 3000
- containerPort: 80
- containerPort: 22
env:
- name: GITEA__database__DB_TYPE
value: mysql
- name: GITEA__database__HOST
value: mysql
- name: GITEA__database__NAME
value: gitea
- name: GITEA__database__USER
value: gitea
- name: GITEA__database__DB_PASSWD
value: "{{ gitea_mysql_password }}"
- name: GITLAB_OMNIBUS_CONFIG
value: >
external_url 'https://git.eom.dev/';
postgresql['enable'] = false;
gitlab_rails['lfs_enabled'] = true;
gitlab_rails['db_adapter'] = 'postgresql';
gitlab_rails['db_host'] = 'postgres';
gitlab_rails['db_password'] = '{{ gitlab_postgres_password }}';
nginx['listen_port'] = 80;
nginx['listen_https'] = false;
gitlab_rails['ldap_enabled'] = true;
gitlab_rails['ldap_servers'] = {
'main' => {
'label' => 'OpenLDAP',
'host' => 'openldap.auth.svc.cluster.local',
'port' => 389,
'encryption' => 'plain',
'uid' => 'uid',
'bind_dn' => 'cn=readonly,dc=eom,dc=dev',
'password' => '{{ ldap_readonly_password }}',
'base' => 'dc=eom,dc=dev',
'user_filter' => '(|(objectclass=inetOrgPerson))'
}
}
volumes:
- name: data
persistentVolumeClaim:
claimName: gitea
claimName: gitlab
- name: Create Service for Gitea
- name: Create Service for GitLab
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: gitea
name: gitlab
namespace: git
spec:
selector:
app: gitea
app: gitlab
ports:
- port: 22
name: ssh
- port: 80
targetPort: 3000
name: http
type: ClusterIP
type: LoadBalancer
- name: Create Ingress
k8s:
@ -176,7 +189,7 @@
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: gitea
name: gitlab
namespace: git
spec:
ingressClassName: nginx
@ -188,10 +201,10 @@
path: /
backend:
service:
name: gitea
name: gitlab
port:
number: 80
tls:
- hosts:
- git.eom.dev
secretName: gitea
secretName: gitlab
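Review bot: In `GITLAB_OMNIBUS_CONFIG` the LDAP server is configured with `'port' => 389,` and `'encryption' => 'plain',`, so the `cn=readonly` bind password and every user's login password cross the cluster network in cleartext; the auth role already exposes an `ldaps` port on 636, so use `'port' => 636,` and `'encryption' => 'simple_tls',` against that endpoint and hand GitLab the internal CA (`'ca_file'` / `'verify_certificates'` in the same hash) since `ca-issuer` is not publicly trusted. The same env value also inlines `{{ gitlab_postgres_password }}` and `{{ ldap_readonly_password }}` into the pod spec, where anyone with `get deployments` in `git` can read them; move them into a Secret and reference it with `valueFrom.secretKeyRef`, or mount the omnibus config from a Secret. Changing the Service to `type: LoadBalancer` also publishes port 80 as plain HTTP beside the TLS Ingress while `external_url` is `https://`; if the LoadBalancer exists for SSH, expose 22 alone there and keep 80 cluster-internal. The unchanged context line still declares the Deployment as `apiVersion: v1`; Deployments are `apps/v1`.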

167
tasks/mail.yaml Normal file

@ -0,0 +1,167 @@
---
# tasks file for mail
- name: Create Mail namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: mail
- name: Request a certificate for mail
k8s:
state: present
definition:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mail
namespace: mail
spec:
secretName: mail
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
duration: 2160h # 90d
renewBefore: 360h # 15d
isCA: false
usages:
- server auth
- client auth
subject:
organizations:
- EOM
commonName: mail.eom.dev
dnsNames:
- mail.eom.dev
issuerRef:
name: ca-issuer
kind: ClusterIssuer
- name: Create a persistent volume claim for mail
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mail
namespace: mail
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 128Gi
- name: Create a deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: mail
namespace: mail
spec:
replicas: 1
selector:
matchLabels:
app: mail
template:
metadata:
labels:
app: mail
spec:
containers:
- name: mail
image: mailserver/docker-mailserver
volumeMounts:
- name: ssl
mountPath: /etc/letsencrypt
- name: mail
mountPath: /var/mail
ports:
- containerPort: 25
- containerPort: 465
- containerPort: 587
- containerPort: 993
env:
- name: OVERRIDE_HOSTNAME
value: "mail.eom.dev"
- name: POSTMASTER_ADDRESS
value: "eric@mail.eom.dev"
- name: ACCOUNT_PROVISIONER
value: "LDAP"
- name: LDAP_SERVER_HOST
value: "ldap://openldap.auth.svc.cluster.local/"
- name: LDAP_SEARCH_BASE
value: "dc=eom,dc=dev"
- name: LDAP_BIND_DN
value: "cn=readonly,dc=eom,dc=dev"
- name: LDAP_BIND_PW
value: "{{ ldap_readonly_password }}"
- name: LDAP_QUERY_FILTER_DOMAIN
value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))"
- name: LDAP_QUERY_FILTER_USER
value: "(|(objectClass=inetOrgPerson))"
- name: LDAP_QUERY_FILTER_ALIAS
value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
- name: LDAP_QUERY_FILTER_GROUP
value: "(&(objectClass=inetOrgPerson)(mailGroupMember=%s))"
- name: LDAP_QUERY_FILTER_SENDERS
value: "(&(objectClass=inetOrgPerson)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
- name: SPOOF_PROTECTION
value: "1"
- name: DOVECOT_AUTH_BIND
value: "yes"
- name: DOVECOT_DEFAULT_PASS_SCHEME
value: "MD5-CRYPT"
- name: DOVECOT_USER_FILTER
value: "(|(objectClass=inetOrgPerson))"
- name: DOVECOT_PASS_ATTRS
value: "=user=%{ldap:uid},=password=%{ldap:userPassword}"
- name: DOVECOT_USER_ATTRS
value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
- name: ENABLE_SASLAUTHD
value: "1"
- name: SASLAUTHD_MECHANISMS
value: "ldap"
- name: SASLAUTHD_LDAP_FILTER
value: "(|(objectClass=inetOrgPerson))"
- name: SSL_TYPE
value: "manual"
- name: SSL_CERT_PATH
value: "/etc/letsencrypt/tls.crt"
- name: SSL_KEY_PATH
value: "/etc/letsencrypt/tls.key"
volumes:
- name: ssl
secret:
secretName: mail
- name: mail
persistentVolumeClaim:
claimName: mail
- name: Expose deployment as a service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: mail
namespace: mail
spec:
selector:
app: mail
ports:
- port: 25
name: smtp-a
- port: 465
name: smtp-b
- port: 587
name: smtps
- port: 993
name: imap
type: LoadBalancer
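Review bot: `LDAP_SERVER_HOST` is `ldap://openldap.auth.svc.cluster.local/`, and with `DOVECOT_AUTH_BIND: "yes"` Dovecot authenticates by binding as the user, so both the `cn=readonly` bind password and each mailbox user's password travel unencrypted across the cluster network; the auth role exposes an `ldaps` port on 636, so use `ldaps://openldap.auth.svc.cluster.local/` and give the container the internal CA (see docker-mailserver's LDAP docs) so the certificate is actually verified. `DOVECOT_DEFAULT_PASS_SCHEME: "MD5-CRYPT"` only applies to `userPassword` values without a `{SCHEME}` prefix, but if it does apply, store the hashes with a modern scheme such as `SHA512-CRYPT` or `ARGON2ID` instead. The Deployment is declared `apiVersion: v1`; Deployments live in `apps/v1`, so the API server will reject this resource. Minor: the Service port names are swapped — 465 is implicit-TLS `smtps` and 587 is plain-then-STARTTLS submission, so `name: smtps` belongs on 465 and 587 should be e.g. `name: submission`.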


@ -1,16 +1,4 @@
---
# tasks file for eom
- name: Deploy Auth
include_tasks: auth.yaml
- name: Deploy Cloud
include_tasks: cloud.yaml
- name: Deploy Git
- name: Deploy
include_tasks: git.yaml
- name: Deploy Wiki
include_tasks: wiki.yaml
- name: Deploy Redmine
include_tasks: org.yaml
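Review bot: The rewritten main.yaml now includes only `git.yaml`, yet the GitLab tasks it pulls in authenticate against `openldap.auth.svc.cluster.local` (created by `auth.yaml`) and the new `tasks/mail.yaml` added in this commit is not included anywhere visible here, so a fresh run of this role deploys GitLab with a dangling LDAP dependency and never deploys the directory or mail. If dropping the other services is intentional, keep at least `- name: Deploy Auth` / `include_tasks: auth.yaml` ahead of git and add `- name: Deploy Mail` / `include_tasks: mail.yaml`, or document why they are applied separately. The task name also lost its subject; `- name: Deploy Git` says what the include does.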


@ -55,6 +55,8 @@
ports:
- containerPort: 3306
env:
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_DATABASE
value: grafana
- name: MYSQL_USER
@ -174,7 +176,7 @@
spec:
containers:
- name: grafana
image: grafana
image: grafana/grafana
ports:
- containerPort: 3000
env:
@ -200,11 +202,9 @@
selector:
app: grafana
ports:
- port: 22
name: ssh
- port: 80
targetPort: 3000
name: http
name: grafana
type: ClusterIP
- name: Create Ingress
@ -221,7 +221,7 @@
spec:
ingressClassName: nginx
rules:
- host: git.eom.dev
- host: monitor.eom.dev
http:
paths:
- pathType: Prefix
@ -231,7 +231,35 @@
name: grafana
port:
number: 80
- pathType: Prefix
path: /influxdb
backend:
service:
name: influxdb
port:
number: 80
tls:
- hosts:
- git.eom.dev
secretName: grafana
- monitor.eom.dev
secretName: monitor
- name: Create Network Policy
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
namespace: monitor
spec:
podSelector:
matchLabels:
app: monitor
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 192.168.1.0/24
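Review bot: The new NetworkPolicy selects `app: monitor`, but no pod in this file carries that label (the Grafana Service selects `app: grafana`, and the MySQL Deployment earlier in the file presumably follows the same per-component labelling), so the policy matches nothing and restricts nothing. If it did match, `ipBlock: 192.168.1.0/24` would also cut off the nginx ingress controller, which reaches Grafana from pod-network addresses, and the Ingress defined just above would stop working; select the real labels and allow the ingress controller through a `namespaceSelector`/`podSelector` peer, keeping in mind that NetworkPolicy is only enforced when the CNI supports it. `MYSQL_ROOT_PASSWORD` is injected as a literal env value from `{{ mysql_root_password }}`; prefer a Secret referenced with `valueFrom.secretKeyRef` so the credential is not readable in the Deployment spec or the Ansible output.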


@ -55,6 +55,8 @@
ports:
- containerPort: 3306
env:
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_DATABASE
value: wordpress
- name: MYSQL_USER
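Review bot: The added `MYSQL_ROOT_PASSWORD` reuses `{{ mysql_root_password }}`, the same variable the monitor MySQL in this commit uses, so two databases in different namespaces share one root credential and a leak from either grants root on both; give each instance its own variable (e.g. `wordpress_mysql_root_password`). The value is also a literal env entry in the pod spec, readable by anyone who can view the Deployment; prefer a Secret referenced via `valueFrom.secretKeyRef`, or `MYSQL_RANDOM_ROOT_PASSWORD: "yes"` if nothing needs the root account, since WordPress connects as `MYSQL_USER`.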