From a30ac9c55fb5f0287bf8c59c598132c3997cf625 Mon Sep 17 00:00:00 2001 From: eric o meehan Date: Thu, 14 Nov 2024 10:26:22 -0500 Subject: [PATCH] v1.0.1 --- tasks/auth.yaml | 78 +++++++++++++++++++++ tasks/git.yaml | 125 ++++++++++++++++++--------------- tasks/mail.yaml | 167 +++++++++++++++++++++++++++++++++++++++++++++ tasks/main.yaml | 14 +--- tasks/monitor.yaml | 42 ++++++++++-- tasks/www.yaml | 2 + 6 files changed, 352 insertions(+), 76 deletions(-) create mode 100644 tasks/mail.yaml diff --git a/tasks/auth.yaml b/tasks/auth.yaml index 4df269a..791c200 100644 --- a/tasks/auth.yaml +++ b/tasks/auth.yaml @@ -106,3 +106,81 @@ - port: 636 name: ldaps type: ClusterIP + +- name: Create Deployment for phpLDAPadmin + k8s: + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: phpldapadmin + namespace: auth + spec: + replicas: 1 + selector: + matchLabels: + app: phpldapadmin + template: + metadata: + labels: + app: phpldapadmin + spec: + containers: + - name: phpldapadmin + image: osixia/phpldapadmin + env: + - name: PHPLDAPADMIN_LDAP_HOSTS + value: "openldap" + - name: PHPLDAPADMIN_SERVER_ADMIN + value: "eric@mail.eom.dev" + - name: PHPLDAPADMIN_SERVER_PATH + value: "/" + - name: PHPLDAPADMIN_HTTPS + value: "false" + ports: + - containerPort: 80 + +- name: Create Service for phpLDAPadmin + k8s: + definition: + apiVersion: v1 + kind: Service + metadata: + name: phpldapadmin + namespace: auth + spec: + selector: + app: phpldapadmin + ports: + - port: 80 + name: http + type: ClusterIP + +- name: Create Ingress + k8s: + state: present + definition: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + annotations: + cert-manager.io/cluster-issuer: ca-issuer + name: phpldapadmin + namespace: auth + spec: + ingressClassName: nginx + rules: + - host: auth.eom.dev + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: phpldapadmin + port: + number: 80 + tls: + - hosts: + - auth.eom.dev + secretName: phpldapadmin 
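Review bot: The phpLDAPadmin Deployment is declared with `apiVersion: v1`, but `kind: Deployment` is served by the `apps/v1` group, so unless the cluster registers a custom v1 Deployment the k8s module will fail to resolve the resource; the new Deployment in tasks/mail.yaml carries the same header, as do the pre-existing ones in tasks/git.yaml. Change the line to `apiVersion: apps/v1`. The Ingress publishes a directory administration UI on auth.eom.dev with no access restriction visible in the hunk; since this directory is the identity backend for git and mail, consider limiting who can reach it (an ingress allowlist annotation or a NetworkPolicy). `image: osixia/phpldapadmin` has no tag, so each rollout pulls whatever the image's default tag points at that day; pin a tag or digest.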
diff --git a/tasks/git.yaml b/tasks/git.yaml index 2ba4d0b..f8fd6cd 100644 --- a/tasks/git.yaml +++ b/tasks/git.yaml @@ -1,5 +1,5 @@ --- -# tasks file for gitea +# tasks file for gitlab - name: Create git namespace k8s: state: present @@ -9,14 +9,14 @@ metadata: name: git -- name: Create PVC for MySQL +- name: Create PVC for PostgreSQL k8s: state: present definition: apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: mysql + name: postgres namespace: git spec: accessModes: 
@@ -25,74 +25,74 @@ requests: storage: 64Gi -- name: Create Deployment for MySQL +- name: Create Deployment for PostgreSQL k8s: state: present definition: apiVersion: v1 kind: Deployment metadata: - name: mysql + name: postgres namespace: git labels: - app: mysql + app: postgres spec: replicas: 1 selector: matchLabels: - app: mysql + app: postgres template: metadata: labels: - app: mysql + app: postgres spec: containers: - - name: mysql - image: mysql + - name: postgres + image: postgres volumeMounts: - name: data - mountPath: /var/lib/mysql + mountPath: /var/lib/postgresql/data ports: - - containerPort: 3306 + - containerPort: 5432 env: - - name: MYSQL_DATABASE - value: gitea - - name: MYSQL_ROOT_PASSWORD - value: "{{ mysql_root_password }}" - - name: MYSQL_USER - value: gitea - - name: MYSQL_PASSWORD - value: "{{ gitea_mysql_password }}" + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + - name: POSTGRES_DB + value: gitlabhq_production + - name: POSTGRES_USER + value: gitlab + - name: POSTGRES_PASSWORD + value: "{{ gitlab_postgres_password }}" volumes: - name: data persistentVolumeClaim: - claimName: mysql + claimName: postgres -- name: Create Service for MySQL +- name: Create Service for PostgreSQL k8s: state: present definition: apiVersion: v1 kind: Service metadata: - name: mysql + name: postgres namespace: git spec: selector: - app: mysql + app: postgres ports: - - port: 3306 - name: mysql + - port: 5432 + name: postgres type: ClusterIP -- name: Create PVC for Gitea +- name: Create PVC for GitLab k8s: state: present definition: apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: gitea + name: gitlab namespace: git spec: accessModes: 
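Review bot: `image: postgres` carries no tag while the data directory is persisted on the `postgres` PVC; the first pull after a new PostgreSQL major release yields a server that refuses to start on the older cluster files, so pin a major version, e.g. `image: postgres:<MAJOR_VERSION>` (placeholder, choose the version the data is initialised with). `POSTGRES_PASSWORD` is set as a plain `value` from `gitlab_postgres_password`, which leaves the secret readable in the Deployment object and in the pod environment; prefer a Secret with `valueFrom: secretKeyRef`. The same inline-secret pattern appears in `GITLAB_OMNIBUS_CONFIG` in the next hunk, in `LDAP_BIND_PW` in tasks/mail.yaml, and in the `MYSQL_ROOT_PASSWORD` lines added to tasks/monitor.yaml and tasks/www.yaml.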
@@ -101,71 +101,84 @@ requests: storage: 128Gi -- name: Create Deployment for Gitea +- name: Create Deployment for GitLab k8s: state: present definition: apiVersion: v1 kind: Deployment metadata: - name: gitea + name: gitlab namespace: git labels: - app: gitea + app: gitlab spec: replicas: 1 selector: matchLabels: - app: gitea + app: gitlab template: metadata: labels: - app: gitea + app: gitlab spec: containers: - - name: gitea - image: gitea/gitea + - name: gitlab + image: gitlab/gitlab-ce volumeMounts: - name: data - mountPath: /data + mountPath: /var/opt/gitlab ports: - - containerPort: 3000 + - containerPort: 80 - containerPort: 22 env: - - name: GITEA__database__DB_TYPE - value: mysql - - name: GITEA__database__HOST - value: mysql - - name: GITEA__database__NAME - value: gitea - - name: GITEA__database__USER - value: gitea - - name: GITEA__database__DB_PASSWD - value: "{{ gitea_mysql_password }}" + - name: GITLAB_OMNIBUS_CONFIG + value: > + external_url 'https://git.eom.dev/'; + postgresql['enable'] = false; + gitlab_rails['lfs_enabled'] = true; + gitlab_rails['db_adapter'] = 'postgresql'; + gitlab_rails['db_host'] = 'postgres'; + gitlab_rails['db_password'] = '{{ gitlab_postgres_password }}'; + nginx['listen_port'] = 80; + nginx['listen_https'] = false; + gitlab_rails['ldap_enabled'] = true; + gitlab_rails['ldap_servers'] = { + 'main' => { + 'label' => 'OpenLDAP', + 'host' => 'openldap.auth.svc.cluster.local', + 'port' => 389, + 'encryption' => 'plain', + 'uid' => 'uid', + 'bind_dn' => 'cn=readonly,dc=eom,dc=dev', + 'password' => '{{ ldap_readonly_password }}', + 'base' => 'dc=eom,dc=dev', + 'user_filter' => '(|(objectclass=inetOrgPerson))' + } + } volumes: - name: data persistentVolumeClaim: - claimName: gitea + claimName: gitlab -- name: Create Service for Gitea +- name: Create Service for GitLab k8s: state: present definition: apiVersion: v1 kind: Service metadata: - name: gitea + name: gitlab namespace: git spec: selector: - app: gitea + app: gitlab 
ports: - port: 22 name: ssh - port: 80 - targetPort: 3000 name: http - type: ClusterIP + type: LoadBalancer - name: Create Ingress k8s: @@ -176,7 +189,7 @@ metadata: annotations: cert-manager.io/cluster-issuer: ca-issuer - name: gitea + name: gitlab namespace: git spec: ingressClassName: nginx @@ -188,10 +201,10 @@ path: / backend: service: - name: gitea + name: gitlab port: number: 80 tls: - hosts: - git.eom.dev - secretName: gitea + secretName: gitlab diff --git a/tasks/mail.yaml b/tasks/mail.yaml new file mode 100644 index 0000000..8bb4719 --- /dev/null +++ b/tasks/mail.yaml 
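Review bot: The LDAP block added to `GITLAB_OMNIBUS_CONFIG` binds with `'encryption' => 'plain'` on port 389, so the readonly bind password and every user's login credentials cross the cluster network in cleartext, even though the openldap Service in tasks/auth.yaml already exposes ldaps on 636. Change the two lines to `'port' => 636,` and `'encryption' => 'simple_tls',`, and add the TLS options needed to trust the cluster CA that issued the LDAP certificate (confirm the exact keys for this GitLab version). Switching the Service to `type: LoadBalancer` also publishes port 80 in cleartext directly, bypassing the TLS-terminating Ingress; if only SSH needs a direct address, keep this Service ClusterIP and expose port 22 alone on a LoadBalancer. The Service definition continues past the end of this hunk.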
@@ -0,0 +1,167 @@ +--- +# tasks file for mail +- name: Create Mail namespace + k8s: + state: present + definition: + apiVersion: v1 + kind: Namespace + metadata: + name: mail + +- name: Request a certificate for mail + k8s: + state: present + definition: + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: mail + namespace: mail + spec: + secretName: mail + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + duration: 2160h # 90d + renewBefore: 360h # 15d + isCA: false + usages: + - server auth + - client auth + subject: + organizations: + - EOM + commonName: mail.eom.dev + dnsNames: + - mail.eom.dev + issuerRef: + name: ca-issuer + kind: ClusterIssuer + +- name: Create a persistent volume claim for mail + k8s: + state: present + definition: + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: mail + namespace: mail + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 128Gi + +- name: Create a deployment + k8s: + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: mail + namespace: mail + spec: + replicas: 1 + selector: + matchLabels: + app: mail + template: + metadata: + labels: + app: mail + spec: + containers: + - name: mail + image: mailserver/docker-mailserver + volumeMounts: + - name: ssl + mountPath: /etc/letsencrypt + - name: mail + mountPath: /var/mail + ports: + - containerPort: 25 + - containerPort: 465 + - containerPort: 587 + - containerPort: 993 + env: + - name: OVERRIDE_HOSTNAME + value: "mail.eom.dev" + - name: POSTMASTER_ADDRESS + value: "eric@mail.eom.dev" + - name: ACCOUNT_PROVISIONER + value: "LDAP" + - name: LDAP_SERVER_HOST + value: "ldap://openldap.auth.svc.cluster.local/" + - name: LDAP_SEARCH_BASE + value: "dc=eom,dc=dev" + - name: LDAP_BIND_DN + value: "cn=readonly,dc=eom,dc=dev" + - name: LDAP_BIND_PW + value: "{{ ldap_readonly_password }}" + - name: LDAP_QUERY_FILTER_DOMAIN + value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))" + - name: 
LDAP_QUERY_FILTER_USER + value: "(|(objectClass=inetOrgPerson))" + - name: LDAP_QUERY_FILTER_ALIAS + value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))" + - name: LDAP_QUERY_FILTER_GROUP + value: "(&(objectClass=inetOrgPerson)(mailGroupMember=%s))" + - name: LDAP_QUERY_FILTER_SENDERS + value: "(&(objectClass=inetOrgPerson)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))" + - name: SPOOF_PROTECTION + value: "1" + - name: DOVECOT_AUTH_BIND + value: "yes" + - name: DOVECOT_DEFAULT_PASS_SCHEME + value: "MD5-CRYPT" + - name: DOVECOT_USER_FILTER + value: "(|(objectClass=inetOrgPerson))" + - name: DOVECOT_PASS_ATTRS + value: "=user=%{ldap:uid},=password=%{ldap:userPassword}" + - name: DOVECOT_USER_ATTRS + value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid" + - name: ENABLE_SASLAUTHD + value: "1" + - name: SASLAUTHD_MECHANISMS + value: "ldap" + - name: SASLAUTHD_LDAP_FILTER + value: "(|(objectClass=inetOrgPerson))" + - name: SSL_TYPE + value: "manual" + - name: SSL_CERT_PATH + value: "/etc/letsencrypt/tls.crt" + - name: SSL_KEY_PATH + value: "/etc/letsencrypt/tls.key" + volumes: + - name: ssl + secret: + secretName: mail + - name: mail + persistentVolumeClaim: + claimName: mail + +- name: Expose deployment as a service + k8s: + definition: + apiVersion: v1 + kind: Service + metadata: + name: mail + namespace: mail + spec: + selector: + app: mail + ports: + - port: 25 + name: smtp-a + - port: 465 + name: smtp-b + - port: 587 + name: smtps + - port: 993 + name: imap + type: LoadBalancer diff --git a/tasks/main.yaml b/tasks/main.yaml index f77ded2..d821304 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -1,16 +1,4 @@ --- # tasks file for eom -- name: Deploy Auth - include_tasks: auth.yaml - -- name: Deploy Cloud - include_tasks: cloud.yaml - -- name: Deploy Git +- name: Deploy include_tasks: git.yaml - -- name: Deploy Wiki - include_tasks: wiki.yaml - -- name: Deploy Redmine - include_tasks: org.yaml 
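Review bot: `LDAP_SERVER_HOST` is `ldap://openldap.auth.svc.cluster.local/`, so `LDAP_BIND_PW` and every Dovecot and SASL authentication bind travel in cleartext, while the openldap Service in tasks/auth.yaml already serves ldaps on 636; `value: "ldaps://openldap.auth.svc.cluster.local/"` is the usual fix, provided the container trusts the CA that issued the LDAP certificate — confirm for this image. The Service port names do not match the protocols: 465 is implicit-TLS SMTP and 587 is submission, so `name: smtps` for 465, `name: submission` for 587 and `name: imaps` for 993 would read correctly. `DOVECOT_DEFAULT_PASS_SCHEME` is `MD5-CRYPT`, which only governs how hashes without a scheme prefix are interpreted; if the directory stores stronger hashes this is harmless, but it is worth a comment stating what the directory actually holds.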
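Review bot: After this change tasks/main.yaml includes only git.yaml, so auth.yaml, the new mail.yaml, monitor.yaml and www.yaml are no longer reachable from the role entry point — including the openldap deployment that git.yaml's LDAP block (`openldap.auth.svc.cluster.local`) depends on. If this is deliberate staging, a comment saying so would help; otherwise keep the includes, at minimum `- name: Deploy Auth` / `include_tasks: auth.yaml` ahead of the git include. The renamed task `Deploy` is also too generic for play output; `Deploy Git` was clearer.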
diff --git a/tasks/monitor.yaml b/tasks/monitor.yaml index c5cae6f..abe2965 100644 --- a/tasks/monitor.yaml +++ b/tasks/monitor.yaml @@ -55,6 +55,8 @@ ports: - containerPort: 3306 env: + - name: MYSQL_ROOT_PASSWORD + value: "{{ mysql_root_password }}" - name: MYSQL_DATABASE value: grafana - name: MYSQL_USER @@ -174,7 +176,7 @@ spec: containers: - name: grafana - image: grafana + image: grafana/grafana ports: - containerPort: 3000 env: @@ -200,11 +202,9 @@ selector: app: grafana ports: - - port: 22 - name: ssh - port: 80 targetPort: 3000 - name: http + name: grafana type: ClusterIP - name: Create Ingress @@ -221,7 +221,7 @@ spec: ingressClassName: nginx rules: - - host: git.eom.dev + - host: monitor.eom.dev http: paths: - pathType: Prefix @@ -231,7 +231,35 @@ name: grafana port: number: 80 + - pathType: Prefix + path: /influxdb + backend: + service: + name: influxdb + port: + number: 80 tls: - hosts: - - git.eom.dev - secretName: grafana + - monitor.eom.dev + secretName: monitor + +- name: Create Network Policy + k8s: + state: present + definition: + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: networkpolicy + namespace: monitor + spec: + podSelector: + matchLabels: + app: monitor + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 192.168.1.0/24 + diff --git a/tasks/www.yaml b/tasks/www.yaml index 24b0292..8c6d931 100644 --- a/tasks/www.yaml +++ b/tasks/www.yaml @@ -55,6 +55,8 @@ ports: - containerPort: 3306 env: + - name: MYSQL_ROOT_PASSWORD + value: "{{ mysql_root_password }}" - name: MYSQL_DATABASE value: wordpress - name: MYSQL_USER
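Review bot: The new NetworkPolicy selects `app: monitor`, but the pods in this namespace are labelled `app: grafana` (the Service selector earlier in this file) and presumably influxdb, so the policy matches no pods and restricts nothing. Either select the pods by their real labels or use `podSelector: {}` for the whole namespace; with the latter, the ingress-nginx controller's pods must also be allowed as a source, since Grafana is reached through the Ingress rather than directly from 192.168.1.0/24, or the Ingress path stops working. Enforcement also depends on the cluster CNI implementing NetworkPolicy — confirm that before relying on it. The hunk also leaves trailing blank lines at the end of the file.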