This commit is contained in:
Eric Meehan 2024-11-14 10:26:22 -05:00
parent be231a9031
commit a30ac9c55f
6 changed files with 352 additions and 76 deletions


@ -106,3 +106,81 @@
- port: 636 - port: 636
name: ldaps name: ldaps
type: ClusterIP type: ClusterIP
- name: Create Deployment for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: phpldapadmin
namespace: auth
spec:
replicas: 1
selector:
matchLabels:
app: phpldapadmin
template:
metadata:
labels:
app: phpldapadmin
spec:
containers:
- name: phpldapadmin
image: osixia/phpldapadmin
env:
- name: PHPLDAPADMIN_LDAP_HOSTS
value: "openldap"
- name: PHPLDAPADMIN_SERVER_ADMIN
value: "eric@mail.eom.dev"
- name: PHPLDAPADMIN_SERVER_PATH
value: "/"
- name: PHPLDAPADMIN_HTTPS
value: "false"
ports:
- containerPort: 80
- name: Create Service for phpLDAPadmin
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: phpldapadmin
namespace: auth
spec:
selector:
app: phpldapadmin
ports:
- port: 80
name: http
type: ClusterIP
- name: Create Ingress
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: phpldapadmin
namespace: auth
spec:
ingressClassName: nginx
rules:
- host: auth.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: phpldapadmin
port:
number: 80
tls:
- hosts:
- auth.eom.dev
secretName: phpldapadmin
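Review bot: `apiVersion: v1` paired with `kind: Deployment` at the top of the phpLDAPadmin Deployment definition does not name a resource the API server serves — Deployment lives in the apps group — so I would expect the k8s module to fail to resolve it; the line should read `apiVersion: apps/v1`. The same pair appears in the new Deployment task in tasks/mail.yaml. The Deployment and Service tasks here also omit `state: present` while the Ingress task sets it; the module defaults to present, but writing it out keeps the three tasks consistent with the rest of the role.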


@ -1,5 +1,5 @@
--- ---
# tasks file for gitea # tasks file for gitlab
- name: Create git namespace - name: Create git namespace
k8s: k8s:
state: present state: present
@ -9,14 +9,14 @@
metadata: metadata:
name: git name: git
- name: Create PVC for MySQL - name: Create PVC for PostgreSQL
k8s: k8s:
state: present state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: mysql name: postgres
namespace: git namespace: git
spec: spec:
accessModes: accessModes:
@ -25,74 +25,74 @@
requests: requests:
storage: 64Gi storage: 64Gi
- name: Create Deployment for MySQL - name: Create Deployment for PostgreSQL
k8s: k8s:
state: present state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: Deployment kind: Deployment
metadata: metadata:
name: mysql name: postgres
namespace: git namespace: git
labels: labels:
app: mysql app: postgres
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: mysql app: postgres
template: template:
metadata: metadata:
labels: labels:
app: mysql app: postgres
spec: spec:
containers: containers:
- name: mysql - name: postgres
image: mysql image: postgres
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /var/lib/mysql mountPath: /var/lib/postgresql/data
ports: ports:
- containerPort: 3306 - containerPort: 5432
env: env:
- name: MYSQL_DATABASE - name: PGDATA
value: gitea value: /var/lib/postgresql/data/pgdata
- name: MYSQL_ROOT_PASSWORD - name: POSTGRES_DB
value: "{{ mysql_root_password }}" value: gitlabhq_production
- name: MYSQL_USER - name: POSTGRES_USER
value: gitea value: gitlab
- name: MYSQL_PASSWORD - name: POSTGRES_PASSWORD
value: "{{ gitea_mysql_password }}" value: "{{ gitlab_postgres_password }}"
volumes: volumes:
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: mysql claimName: postgres
- name: Create Service for MySQL - name: Create Service for PostgreSQL
k8s: k8s:
state: present state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: mysql name: postgres
namespace: git namespace: git
spec: spec:
selector: selector:
app: mysql app: postgres
ports: ports:
- port: 3306 - port: 5432
name: mysql name: postgres
type: ClusterIP type: ClusterIP
- name: Create PVC for Gitea - name: Create PVC for GitLab
k8s: k8s:
state: present state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: gitea name: gitlab
namespace: git namespace: git
spec: spec:
accessModes: accessModes:
@ -101,71 +101,84 @@
requests: requests:
storage: 128Gi storage: 128Gi
- name: Create Deployment for Gitea - name: Create Deployment for GitLab
k8s: k8s:
state: present state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: Deployment kind: Deployment
metadata: metadata:
name: gitea name: gitlab
namespace: git namespace: git
labels: labels:
app: gitea app: gitlab
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: gitea app: gitlab
template: template:
metadata: metadata:
labels: labels:
app: gitea app: gitlab
spec: spec:
containers: containers:
- name: gitea - name: gitlab
image: gitea/gitea image: gitlab/gitlab-ce
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /data mountPath: /var/opt/gitlab
ports: ports:
- containerPort: 3000 - containerPort: 80
- containerPort: 22 - containerPort: 22
env: env:
- name: GITEA__database__DB_TYPE - name: GITLAB_OMNIBUS_CONFIG
value: mysql value: >
- name: GITEA__database__HOST external_url 'https://git.eom.dev/';
value: mysql postgresql['enable'] = false;
- name: GITEA__database__NAME gitlab_rails['lfs_enabled'] = true;
value: gitea gitlab_rails['db_adapter'] = 'postgresql';
- name: GITEA__database__USER gitlab_rails['db_host'] = 'postgres';
value: gitea gitlab_rails['db_password'] = '{{ gitlab_postgres_password }}';
- name: GITEA__database__DB_PASSWD nginx['listen_port'] = 80;
value: "{{ gitea_mysql_password }}" nginx['listen_https'] = false;
gitlab_rails['ldap_enabled'] = true;
gitlab_rails['ldap_servers'] = {
'main' => {
'label' => 'OpenLDAP',
'host' => 'openldap.auth.svc.cluster.local',
'port' => 389,
'encryption' => 'plain',
'uid' => 'uid',
'bind_dn' => 'cn=readonly,dc=eom,dc=dev',
'password' => '{{ ldap_readonly_password }}',
'base' => 'dc=eom,dc=dev',
'user_filter' => '(|(objectclass=inetOrgPerson))'
}
}
volumes: volumes:
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: gitea claimName: gitlab
- name: Create Service for Gitea - name: Create Service for GitLab
k8s: k8s:
state: present state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: gitea name: gitlab
namespace: git namespace: git
spec: spec:
selector: selector:
app: gitea app: gitlab
ports: ports:
- port: 22 - port: 22
name: ssh name: ssh
- port: 80 - port: 80
targetPort: 3000
name: http name: http
type: ClusterIP type: LoadBalancer
- name: Create Ingress - name: Create Ingress
k8s: k8s:
@ -176,7 +189,7 @@
metadata: metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: ca-issuer cert-manager.io/cluster-issuer: ca-issuer
name: gitea name: gitlab
namespace: git namespace: git
spec: spec:
ingressClassName: nginx ingressClassName: nginx
@ -188,10 +201,10 @@
path: / path: /
backend: backend:
service: service:
name: gitea name: gitlab
port: port:
number: 80 number: 80
tls: tls:
- hosts: - hosts:
- git.eom.dev - git.eom.dev
secretName: gitea secretName: gitlab
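Review bot: The new GITLAB_OMNIBUS_CONFIG value inlines `gitlab_rails['db_password'] = '{{ gitlab_postgres_password }}'` and `'password' => '{{ ldap_readonly_password }}'` as a plain env value, so both secrets are rendered into the Deployment object and are readable by anyone who can get deployments or pods in the git namespace; the same pattern is used for POSTGRES_PASSWORD in the PostgreSQL Deployment hunk above, LDAP_BIND_PW in tasks/mail.yaml, and MYSQL_ROOT_PASSWORD in the monitor and last file hunks. Creating a Kubernetes Secret from the Ansible variables and referencing it with `valueFrom: secretKeyRef` (or, for the Omnibus blob, mounting the rendered config from a Secret) keeps them out of the pod spec. Separately, `'encryption' => 'plain'` on port 389 sends the bind password and every user login in cleartext, although the openldap Service shown in the first file exposes `ldaps` on 636; `'encryption' => 'simple_tls'` with `'port' => 636` would use it. Switching the GitLab Service to `type: LoadBalancer` also publishes port 80 directly, bypassing the TLS-terminating Ingress defined just below; if only SSH needs the load balancer, a separate Service for port 22 would avoid that.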

167
tasks/mail.yaml Normal file

@ -0,0 +1,167 @@
---
# tasks file for mail
- name: Create Mail namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: mail
- name: Request a certificate for mail
k8s:
state: present
definition:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mail
namespace: mail
spec:
secretName: mail
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
duration: 2160h # 90d
renewBefore: 360h # 15d
isCA: false
usages:
- server auth
- client auth
subject:
organizations:
- EOM
commonName: mail.eom.dev
dnsNames:
- mail.eom.dev
issuerRef:
name: ca-issuer
kind: ClusterIssuer
- name: Create a persistent volume claim for mail
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mail
namespace: mail
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 128Gi
- name: Create a deployment
k8s:
definition:
apiVersion: v1
kind: Deployment
metadata:
name: mail
namespace: mail
spec:
replicas: 1
selector:
matchLabels:
app: mail
template:
metadata:
labels:
app: mail
spec:
containers:
- name: mail
image: mailserver/docker-mailserver
volumeMounts:
- name: ssl
mountPath: /etc/letsencrypt
- name: mail
mountPath: /var/mail
ports:
- containerPort: 25
- containerPort: 465
- containerPort: 587
- containerPort: 993
env:
- name: OVERRIDE_HOSTNAME
value: "mail.eom.dev"
- name: POSTMASTER_ADDRESS
value: "eric@mail.eom.dev"
- name: ACCOUNT_PROVISIONER
value: "LDAP"
- name: LDAP_SERVER_HOST
value: "ldap://openldap.auth.svc.cluster.local/"
- name: LDAP_SEARCH_BASE
value: "dc=eom,dc=dev"
- name: LDAP_BIND_DN
value: "cn=readonly,dc=eom,dc=dev"
- name: LDAP_BIND_PW
value: "{{ ldap_readonly_password }}"
- name: LDAP_QUERY_FILTER_DOMAIN
value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))"
- name: LDAP_QUERY_FILTER_USER
value: "(|(objectClass=inetOrgPerson))"
- name: LDAP_QUERY_FILTER_ALIAS
value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
- name: LDAP_QUERY_FILTER_GROUP
value: "(&(objectClass=inetOrgPerson)(mailGroupMember=%s))"
- name: LDAP_QUERY_FILTER_SENDERS
value: "(&(objectClass=inetOrgPerson)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
- name: SPOOF_PROTECTION
value: "1"
- name: DOVECOT_AUTH_BIND
value: "yes"
- name: DOVECOT_DEFAULT_PASS_SCHEME
value: "MD5-CRYPT"
- name: DOVECOT_USER_FILTER
value: "(|(objectClass=inetOrgPerson))"
- name: DOVECOT_PASS_ATTRS
value: "=user=%{ldap:uid},=password=%{ldap:userPassword}"
- name: DOVECOT_USER_ATTRS
value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
- name: ENABLE_SASLAUTHD
value: "1"
- name: SASLAUTHD_MECHANISMS
value: "ldap"
- name: SASLAUTHD_LDAP_FILTER
value: "(|(objectClass=inetOrgPerson))"
- name: SSL_TYPE
value: "manual"
- name: SSL_CERT_PATH
value: "/etc/letsencrypt/tls.crt"
- name: SSL_KEY_PATH
value: "/etc/letsencrypt/tls.key"
volumes:
- name: ssl
secret:
secretName: mail
- name: mail
persistentVolumeClaim:
claimName: mail
- name: Expose deployment as a service
k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: mail
namespace: mail
spec:
selector:
app: mail
ports:
- port: 25
name: smtp-a
- port: 465
name: smtp-b
- port: 587
name: smtps
- port: 993
name: imap
type: LoadBalancer
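Review bot: The Service port names in the last task are swapped relative to convention: 465 is implicit-TLS SMTPS and 587 is the submission port, but here 465 is `smtp-b` and 587 is `smtps`; names only matter for readability and port-name lookups, but `name: smtps` on 465 and `name: submission` on 587 would avoid confusion. The LDAP_SERVER_HOST value `ldap://openldap.auth.svc.cluster.local/` carries the readonly bind password and, with DOVECOT_AUTH_BIND set, user passwords over plaintext LDAP; the openldap Service in the first file also exposes ldaps on 636, so `ldaps://openldap.auth.svc.cluster.local/` would keep those in-cluster binds encrypted, provided the container trusts the ca-issuer CA. The DOVECOT_PASS_ATTRS value also reads `userPassword` from the directory even though bind authentication is enabled; if bind auth is the intended path, a comment explaining why the hash attribute is still fetched would help the next reader.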


@ -1,16 +1,4 @@
--- ---
# tasks file for eom # tasks file for eom
- name: Deploy Auth - name: Deploy
include_tasks: auth.yaml
- name: Deploy Cloud
include_tasks: cloud.yaml
- name: Deploy Git
include_tasks: git.yaml include_tasks: git.yaml
- name: Deploy Wiki
include_tasks: wiki.yaml
- name: Deploy Redmine
include_tasks: org.yaml
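Review bot: After this change main.yaml includes only git.yaml, yet the same commit extends auth.yaml with the phpLDAPadmin tasks and adds tasks/mail.yaml, and neither is included from any file visible here, so those tasks would not run through the role. If trimming the role to git is deliberate, a short comment would make that clear (`# only git is deployed from this role for now; other task files are run separately`); otherwise add `- name: Deploy Mail` / `include_tasks: mail.yaml` alongside the remaining include.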


@ -55,6 +55,8 @@
ports: ports:
- containerPort: 3306 - containerPort: 3306
env: env:
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_DATABASE - name: MYSQL_DATABASE
value: grafana value: grafana
- name: MYSQL_USER - name: MYSQL_USER
@ -174,7 +176,7 @@
spec: spec:
containers: containers:
- name: grafana - name: grafana
image: grafana image: grafana/grafana
ports: ports:
- containerPort: 3000 - containerPort: 3000
env: env:
@ -200,11 +202,9 @@
selector: selector:
app: grafana app: grafana
ports: ports:
- port: 22
name: ssh
- port: 80 - port: 80
targetPort: 3000 targetPort: 3000
name: http name: grafana
type: ClusterIP type: ClusterIP
- name: Create Ingress - name: Create Ingress
@ -221,7 +221,7 @@
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: git.eom.dev - host: monitor.eom.dev
http: http:
paths: paths:
- pathType: Prefix - pathType: Prefix
@ -231,7 +231,35 @@
name: grafana name: grafana
port: port:
number: 80 number: 80
- pathType: Prefix
path: /influxdb
backend:
service:
name: influxdb
port:
number: 80
tls: tls:
- hosts: - hosts:
- git.eom.dev - monitor.eom.dev
secretName: grafana secretName: monitor
- name: Create Network Policy
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
namespace: monitor
spec:
podSelector:
matchLabels:
app: monitor
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 192.168.1.0/24
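Review bot: The NetworkPolicy's `podSelector` matches `app: monitor`, but no pod in the visible hunks carries that label (the Grafana Service selects `app: grafana`), so the policy selects nothing and the 192.168.1.0/24 restriction is not enforced on any pod. If it is meant to guard Grafana, use `app: grafana`, and note that the Ingress defined just above would then need the ingress controller's pods allowed as well (a `namespaceSelector`/`podSelector` entry for ingress-nginx), since an `ipBlock`-only rule will block it. The new `/influxdb` path points at a Service named `influxdb` that I cannot see defined in this commit; confirm it exists in the monitor namespace, otherwise that path will return a backend error.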


@ -55,6 +55,8 @@
ports: ports:
- containerPort: 3306 - containerPort: 3306
env: env:
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_DATABASE - name: MYSQL_DATABASE
value: wordpress value: wordpress
- name: MYSQL_USER - name: MYSQL_USER