2024-11-23 17:23:12 -05:00
parent 81b3f9b324
commit e004e99884
10 changed files with 485 additions and 151 deletions

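--- a/tasks/grafana.yaml
+++ b/tasks/grafana.yaml
@@ -0,0 +1,193 @@
+---
+# tasks file for grafana
+- name: Create Grafana namespace
+k8s:
+state: present
+definition:
+apiVersion: v1
+kind: Namespace
+metadata:
+name: grafana
+- name: Create PVC for MySQL
+k8s:
+state: present
+definition:
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: mysql
+namespace: grafana
+spec:
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 64Gi
+- name: Create Deployment for MySQL
+k8s:
+state: present
+definition:
+apiVersion: v1
+kind: Deployment
+metadata:
+name: mysql
+namespace: grafana
+labels:
+app: mysql
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: mysql
+template:
+metadata:
+labels:
+app: mysql
+spec:
+containers:
+- name: mysql
+image: mysql
+volumeMounts:
+- name: data
+mountPath: /var/lib/mysql
+ports:
+- containerPort: 3306
+env:
+- name: MYSQL_ROOT_PASSWORD
+value: "{{ mysql_root_password }}"
+- name: MYSQL_DATABASE
+value: grafana
+- name: MYSQL_USER
+value: grafana
+- name: MYSQL_PASSWORD
+value: "{{ grafana_mysql_password }}"
+volumes:
+- name: data
+persistentVolumeClaim:
+claimName: mysql
+- name: Create Service for MySQL
+k8s:
+state: present
+definition:
+apiVersion: v1
+kind: Service
+metadata:
+name: mysql
+namespace: grafana
+spec:
+selector:
+app: mysql
+ports:
+- port: 3306
+name: mysql
+type: ClusterIP
+- name: Create a config map for grafana
+k8s:
+state: present
+api_version: v1
+kind: ConfigMap
+name: grafana
+namespace: grafana
+definition:
+data:
+ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}"
+- name: Create Deployment for Grafana
+k8s:
+state: present
+definition:
+apiVersion: v1
+kind: Deployment
+metadata:
+name: grafana
+namespace: grafana
+labels:
+app: grafana
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: grafana
+template:
+metadata:
+labels:
+app: grafana
+spec:
+containers:
+- name: grafana
+image: grafana/grafana
+ports:
+- containerPort: 3000
+env:
+- name: GF_DATABASE_TYPE
+value: mysql
+- name: GF_DATABASE_HOST
+value: mysql
+- name: GF_DATABASE_USER
+value: grafana
+- name: GF_DATABASE_PASSWORD
+value: "{{ grafana_mysql_password }}"
+- name: GF_AUTH_LDAP_ENABLED
+value: "true"
+- name: GF_AUTH_LDAP_CONFIG_FILE
+value: /etc/grafana/cm/ldap.toml
+- name: GF_AUTH_LDAP_ALLOW_SIGN_UP
+value: "true"
+volumeMounts:
+- name: config
+mountPath: /etc/grafana/cm
+volumes:
+- name: config
+configMap:
+name: grafana
+- name: Create Service for Grafana
+k8s:
+state: present
+definition:
+apiVersion: v1
+kind: Service
+metadata:
+name: grafana
+namespace: grafana
+spec:
+selector:
+app: grafana
+ports:
+- port: 80
+targetPort: 3000
+name: grafana
+type: ClusterIP
+- name: Create Ingress
+k8s:
+state: present
+definition:
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+annotations:
+cert-manager.io/cluster-issuer: ca-issuer
+name: grafana
+namespace: grafana
+spec:
+ingressClassName: nginx
+rules:
+- host: grafana.eom.dev
+http:
+paths:
+- pathType: Prefix
+path: /
+backend:
+service:
+name: grafana
+port:
+number: 80
+tls:
+- hosts:
+- grafana.eom.dev
+secretName: grafana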
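Review bot: The MySQL root password and the grafana database password are injected as literal `value:` entries in both Deployment env blocks, so they are readable by anyone who can `get deploy` or `describe pod` in the namespace and show up in Ansible's diff output; move them into a Secret and reference it with `valueFrom.secretKeyRef` as sketched below (they are then still visible to Secret readers in the namespace, but no longer in the workload spec). Both `image: mysql` and `image: grafana/grafana` are untagged, so each pod restart may pull a different major version (a MySQL major bump, or a Grafana release with changed auth defaults) — pin to a tag or digest. `GF_AUTH_LDAP_ALLOW_SIGN_UP: "true"` creates a Grafana account for every LDAP user who can bind, which is only acceptable if the group-to-role mapping in `ldap.toml.j2` (not shown here) restricts who gets which role. `kind: Deployment` is also paired with `apiVersion: v1` rather than `apps/v1`; if the k8s module resolves it by version alone this works, but it is worth correcting.
```yaml
- name: Create Secret for Grafana database credentials
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: grafana-db
        namespace: grafana
      type: Opaque
      stringData:
        mysql-root-password: "{{ mysql_root_password }}"
        grafana-mysql-password: "{{ grafana_mysql_password }}"
# … unchanged: PVC and the MySQL Deployment up to its env block …
            env:
              - name: MYSQL_ROOT_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: grafana-db
                    key: mysql-root-password
# … unchanged: MYSQL_PASSWORD and GF_DATABASE_PASSWORD get the same valueFrom treatment …
```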


@@ -1,32 +1,15 @@
---
# tasks file for influxdb
- name: Create persistent volume for influxdb
# tasks file for grafana
- name: Create InfluxDB namespace
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolume
kind: Namespace
metadata:
name: "eom-{{ target_namespace }}-influxdb"
spec:
capacity:
storage: 32Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: standard
hostPath:
path: "/data/store-0/eom-{{ target_namespace }}/influxdb"
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- alpha-worker-0
name: influxdb
- name: Create a persistent volume claim for influxdb
- name: Create PVC for InfluxDB
k8s:
state: present
definition:
@@ -34,24 +17,25 @@
kind: PersistentVolumeClaim
metadata:
name: influxdb
namespace: "eom-{{ target_namespace }}"
namespace: influxdb
spec:
accessModes:
- ReadWriteMany
- ReadWriteOnce
resources:
requests:
storage: 32Gi
storageClassName: standard
volumeName: "eom-{{ target_namespace }}-influxdb"
storage: 128Gi
- name: Create a deployment
- name: Create Deployment for InfluxDB
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: influxdb
namespace: "eom-{{ target_namespace }}"
namespace: influxdb
labels:
app: influxdb
spec:
replicas: 1
selector:
@@ -64,32 +48,75 @@
spec:
containers:
- name: influxdb
image: bitnami/influxdb
image: influxdb
env:
- name: DOCKER_INFLUXDB_INIT_MODE
value: setup
- name: DOCKER_INFLUXDB_INIT_USERNAME
value: influxdb
- name: DOCKER_INFLUXDB_INIT_PASSWORD
value: "{{ influxdb_admin_password }}"
- name: DOCKER_INFLUXDB_INIT_ORG
value: DevOps
- name: DOCKER_INFLUXDB_INIT_BUCKET
value: default
- name: DOCKER_INFLUXDB_INIT_RETENTION
value: 1w
- name: DOCKER_INFLUXDB_INIT_ADMIN_TOKEN
value: "{{ influxdb_admin_token }}"
volumeMounts:
- name: data
mountPath: /var/lib/mysql
mountPath: /var/lib/influxdb
ports:
- containerPort: 3306
env:
key: INFLUXDB_ADMIN_USER_PASSWORD
value: "{{ influxdb_root_password }}"
- containerPort: 8086
volumes:
- name: data
persistentVolumeClaim:
claimName: influxdb
- name: Expose deployment as a service
- name: Create Service for InfluxDB
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: influxdb
namespace: "eom-{{ target_namespace }}"
namespace: influxdb
spec:
selector:
app: influxdb
ports:
- port: 3306
name: influxdb-3306
- port: 80
targetPort: 8086
name: influxdb
type: ClusterIP
- name: Create Ingress for InfluxDB
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: influxdb
namespace: influxdb
spec:
ingressClassName: nginx
rules:
- host: influxdb.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: influxdb
port:
number: 80
tls:
- hosts:
- influxdb.eom.dev
secretName: influxdb
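Review bot: The new InfluxDB Deployment mounts the PVC at `/var/lib/influxdb`, but the `DOCKER_INFLUXDB_INIT_*` variables are the 2.x entrypoint's setup hooks and the 2.x image (which an untagged `influxdb` pull currently resolves to) keeps its bolt and engine data under `/var/lib/influxdb2`, so the persisted volume stays empty and the bucket, the `influxdb` user and the admin token are re-created on every pod restart; change it to `mountPath: /var/lib/influxdb2`, or pin a 1.x tag if that is what was intended (in which case the INIT variables are ignored). `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` and `DOCKER_INFLUXDB_INIT_PASSWORD` are literal `value:` entries in the pod spec and therefore readable with `get deploy`; put them in a Secret and use `valueFrom.secretKeyRef`. The Ingress publishes the full InfluxDB API at `influxdb.eom.dev` with nothing but Influx's own token check in front of it and the commit adds no NetworkPolicy for the new namespace, so confirm that exposure is intended. The previous revision pinned `storageClassName: standard`; the new PVC relies on the cluster default, which is fine only if one is set.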


@@ -103,9 +103,9 @@
- name: LDAP_BIND_PW
value: "{{ ldap_readonly_password }}"
- name: LDAP_QUERY_FILTER_DOMAIN
value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))"
value: "(mail=*@%s)"
- name: LDAP_QUERY_FILTER_USER
value: "(|(objectClass=inetOrgPerson))"
value: "(mail=%s)"
- name: LDAP_QUERY_FILTER_ALIAS
value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
- name: LDAP_QUERY_FILTER_GROUP
@@ -119,17 +119,17 @@
- name: DOVECOT_DEFAULT_PASS_SCHEME
value: "MD5-CRYPT"
- name: DOVECOT_USER_FILTER
value: "(|(objectClass=inetOrgPerson))"
value: "(&(objectClass=inetOrgPerson)(uid=%n))"
- name: DOVECOT_PASS_ATTRS
value: "=user=%{ldap:uid},=password=%{ldap:userPassword}"
value: "uid=user,userPassword=password"
- name: DOVECOT_USER_ATTRS
value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
value: "=home=/var/mail/%{ldap:uid},=uid=5000,=gid=5000,=mail=maildir:~/Maildir"
- name: ENABLE_SASLAUTHD
value: "1"
- name: SASLAUTHD_MECHANISMS
value: "ldap"
- name: SASLAUTHD_LDAP_FILTER
value: "(|(objectClass=inetOrgPerson))"
value: "(mail=%U@mail.eom.dev)"
- name: SSL_TYPE
value: "manual"
- name: SSL_CERT_PATH
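Review bot: `LDAP_QUERY_FILTER_USER` is narrowed to `(mail=%s)` while `LDAP_QUERY_FILTER_ALIAS` two lines below keeps its `objectClass=inetOrgPerson` guard, so any directory entry that carries a matching `mail` attribute (a group, a service account, a contact) would now be resolved as a deliverable mailbox; use `value: "(&(objectClass=inetOrgPerson)(mail=%s))"` for consistency with the alias filter. The three login paths also appear to key on different identities: Dovecot matches `uid=%n`, saslauthd matches `mail=%U@mail.eom.dev`, and Postfix matches `mail=%s`, so a user whose `uid` differs from the local part of `mail` can log in over IMAP but not authenticate for SMTP submission (or the reverse) — the filters should agree on one attribute. The domain filter drops the `mailAlias`/`mailGroupMember` terms, which means a domain that exists only as an alias target will no longer be accepted for delivery; confirm that narrowing is intended. The container's env list begins and ends outside this hunk.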


@@ -1,4 +1,4 @@
---
# tasks file for eom
- name: Deploy
include_tasks: git.yaml
include_tasks: mastodon.yaml

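--- a/tasks/mastodon.yaml
+++ b/tasks/mastodon.yaml
@@ -0,0 +1,80 @@
+---
+# tasks file for mastodon
+- name: Add bitnami repository
+kubernetes.core.helm_repository:
+name: bitnami
+repo_url: https://charts.bitnami.com/bitnami
+- name: Update Helm repos
+command: helm repo update
+- name: Deploy Mastodon
+kubernetes.core.helm:
+name: mastodon
+chart_ref: bitnami/mastodon
+release_namespace: mastodon
+create_namespace: true
+timeout: 300s
+values:
+adminUser: "mastodon"
+adminEmail: "mastodon@mail.eom.dev"
+adminPassword: "{{ mastodon_admin_password }}"
+otpSecret: ""
+secretKeyBase: ""
+vapidPrivateKey: ""
+vapidPublicKey: ""
+activeRecordEncryptionDeterministicKey: ""
+activeRecordEncryptionKeyDerivationSalt: ""
+activeRecordEncryptionPrimaryKey: ""
+extraConfig:
+LDAP_ENABLED: "true"
+LDAP_HOST: openldap.auth.svc.cluster.local
+LDAP_PORT: "387"
+LDAP_METHOD: plain
+LDAP_BASE: dc=eom,dc=dev
+LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev
+LDAP_PASSWORD: "{{ ldap_readonly_password }}"
+LDAP_UID: uid
+LDAP_SEARCH_FILTER: "(&(objectClass=posixAccount)(uid=%{uid}))"
+LDAP_MAIL: mail
+enableS3: false
+localDomain: "mastodon.eom.dev"
+smtp:
+server: "mail.eom.dev"
+port: 587
+from_address: "mastodon@mail.eom.dev"
+domain: "mail.eom.dev"
+reply_to: "mastodon@mail.eom.dev"
+delivery_method: smtp
+ca_file: /etc/ssl/certs/ca-certificates.crt
+openssl_verify_mode: none
+enable_starttls_auto: true
+tls: true
+auth_method: starttls
+login: "mastodon"
+password: "{{ mastodon_mail_password }}"
+persistence:
+enabled: true
+size: 64Gi
+redis:
+auth:
+password: "{{ mastodon_redis_password }}"
+postgresql:
+auth:
+password: "{{ mastodon_postgres_password }}"
+minio:
+enabled: false
+apache:
+service:
+type: ClusterIP
+ports:
+http: 80
+ingress:
+enabled: true
+hostname: "mastodon.eom.dev"
+annotations:
+cert-manager.io/cluster-issuer: ca-issuer
+tls:
+- hosts:
+- mastodon.eom.dev
+secretName: mastodon-tls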
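Review bot: `LDAP_PORT: "387"` is not the LDAP port — the deleted social task bound the same `openldap.auth.svc.cluster.local` service on 389 — so LDAP login will fail to connect; change it to `LDAP_PORT: "389"`. `LDAP_SEARCH_FILTER: "(&(objectClass=posixAccount)(uid=%{uid}))"` also looks wrong: in Mastodon's filter template `%{uid}` expands to the attribute name taken from `LDAP_UID` and the typed login is `%{email}`, so this renders as `(uid=uid)` and matches nobody — the intended form is `(&(objectClass=posixAccount)(%{uid}=%{email}))` (and note the mail task searches `inetOrgPerson`, so check which class the directory actually uses). `LDAP_METHOD: plain` sends the bind password and every user's password unencrypted across the cluster network, and `openssl_verify_mode: none` disables certificate checking for SMTP even though `ca_file` is set — use `LDAP_METHOD: start_tls` (or `simple_tls`) and `openssl_verify_mode: peer`. The empty-string values for `otpSecret`, `secretKeyBase`, the VAPID keys and the three `activeRecordEncryption*` keys leave generation to the chart; if they are ever regenerated on a re-install, sessions, 2FA enrolments and encrypted columns become unreadable, so it is safer to supply them from the vault like the other passwords.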


@@ -125,6 +125,19 @@
containers:
- name: influxdb
image: influxdb
env:
- name: DOCKER_INFLUXDB_INIT_MODE
value: setup
- name: DOCKER_INFLUXDB_INIT_USERNAME
value: grafana
- name: DOCKER_INFLUXDB_INIT_PASSWORD
value: "{{ grafana_influxdb_password }}"
- name: DOCKER_INFLUXDB_INIT_ORG
value: grafana
- name: DOCKER_INFLUXDB_INIT_BUCKET
value: default
- name: DOCKER_INFLUXDB_INIT_RETENTION
value: 1w
volumeMounts:
- name: data
mountPath: /var/lib/influxdb
@@ -148,10 +161,20 @@
selector:
app: influxdb
ports:
- port: 80
targetPort: 8086
- port: 8086
name: influxdb
type: ClusterIP
type: LoadBalancer
- name: Create a config map for grafana
k8s:
state: present
api_version: v1
kind: ConfigMap
name: grafana
namespace: monitor
definition:
data:
ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}"
- name: Create Deployment for Grafana
k8s:
@@ -188,6 +211,19 @@
value: grafana
- name: GF_DATABASE_PASSWORD
value: "{{ grafana_mysql_password }}"
- name: GF_AUTH_LDAP_ENABLED
value: "true"
- name: GF_AUTH_LDAP_CONFIG_FILE
value: /etc/grafana/cm/ldap.toml
- name: GF_AUTH_LDAP_ALLOW_SIGN_UP
value: "true"
volumeMounts:
- name: config
mountPath: /etc/grafana/cm
volumes:
- name: config
configMap:
name: grafana
- name: Create Service for Grafana
k8s:
@@ -221,7 +257,7 @@
spec:
ingressClassName: nginx
rules:
- host: monitor.eom.dev
- host: grafana.eom.dev
http:
paths:
- pathType: Prefix
@@ -231,35 +267,7 @@
name: grafana
port:
number: 80
- pathType: Prefix
path: /influxdb
backend:
service:
name: influxdb
port:
number: 80
tls:
- hosts:
- monitor.eom.dev
secretName: monitor
- name: Create Network Policy
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
namespace: monitor
spec:
podSelector:
matchLabels:
app: monitor
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 192.168.1.0/24
- grafana.eom.dev
secretName: grafana
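Review bot: The InfluxDB Service is switched from `ClusterIP` to `type: LoadBalancer` on port 8086, which publishes the plaintext InfluxDB HTTP API outside the cluster on a second path that bypasses the TLS-terminating Ingress, and the same commit deletes the NetworkPolicy that limited ingress to `192.168.1.0/24`. That policy selected `app: monitor`, a label none of these pods carry, so it was never actually enforcing anything — but the net effect of this hunk is that there is now neither a network-level restriction nor TLS in front of the database. If external access is required, keep `type: ClusterIP` and route through the Ingress, or restrict the LoadBalancer with `loadBalancerSourceRanges` and add a NetworkPolicy whose `podSelector` matches `app: influxdb`. `DOCKER_INFLUXDB_INIT_PASSWORD` in the earlier hunk is again a literal `value:` in the pod spec rather than a Secret reference.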


@@ -1,47 +0,0 @@
---
# tasks file for social
- name: Deploy Mastodon
kubernetes.core.helm:
name: mastodon
chart_ref: oci://registry-1.docker.io/bitnamicharts/mastodon
release_namespace: mastodon
create_namespace: true
values:
localDomain: mastodon.eom.dev
global:
defaultStorageClass: default
web:
extraEnvVars:
- name: LDAP_ENABLED
value: "yes"
- name: LDAP_HOST
value: openldap.auth.svc.cluster.local
- name: LDAP_PORT
value: 389
- name: LDAP_METHOD
value: plain
- name: LDAP_BASE
value: dc=eom,dc=dev
- name: LDAP_BIND_DN
value: cn=readonly,dc=eom,dc=dev
- name: LDAP_PASSWORD
value: "{{ ldap_readonly_password }}"
- name: LDAP_UID
value: uid
- name: LDAP_MAIL
value: mail
- name: LDAP_SEARCH_FILTER
value: (|(objectClass=inetOrgPerson))
apache:
ingress:
enabled: true
hostname: mastodon.eom.dev
annotations:
cert-manager.io/cluster-issuer: ca-issuer
tls:
- hosts:
- mastodon.eom.dev
secretName: mastodon-tls
postgresql:
auth:
password: "{{ mastodon_postgres_password }}"


@@ -7,7 +7,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: www
name: wordpress
- name: Create PVC for MySQL
k8s:
@@ -17,7 +17,7 @@
kind: PersistentVolumeClaim
metadata:
name: mysql
namespace: www
namespace: wordpress
spec:
accessModes:
- ReadWriteOnce
@@ -33,7 +33,7 @@
kind: Deployment
metadata:
name: mysql
namespace: www
namespace: wordpress
labels:
app: mysql
spec:
@@ -76,7 +76,7 @@
kind: Service
metadata:
name: mysql
namespace: www
namespace: wordpress
spec:
selector:
app: mysql
@@ -93,7 +93,7 @@
kind: PersistentVolumeClaim
metadata:
name: wordpress
namespace: www
namespace: wordpress
spec:
accessModes:
- ReadWriteOnce
@@ -109,7 +109,7 @@
kind: Deployment
metadata:
name: wordpress
namespace: www
namespace: wordpress
labels:
app: wordpress
spec:
@@ -127,7 +127,7 @@
image: wordpress
volumeMounts:
- name: data
mountPath: /var/www/html
mountPath: /var/wordpress/html
ports:
- containerPort: 3000
env:
@@ -152,7 +152,7 @@
kind: Service
metadata:
name: wordpress
namespace: www
namespace: wordpress
spec:
selector:
app: wordpress
@@ -171,7 +171,7 @@
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: wordpress
namespace: www
namespace: wordpress
spec:
ingressClassName: nginx
rules:
@@ -185,7 +185,18 @@
name: wordpress
port:
number: 80
- host: wordpress.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: wordpress
port:
number: 80
tls:
- hosts:
- www.eom.dev
- wordpress.eom.dev
secretName: wordpress
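Review bot: The volume mount is changed from `/var/www/html` to `/var/wordpress/html`, which looks like the `www` → `wordpress` search-and-replace going one step too far: the official `wordpress` image serves from `/var/www/html`, so after this change the PVC no longer backs the document root and uploads, themes and plugin installs land on the container's ephemeral filesystem and vanish on every restart; restore `mountPath: /var/www/html`. The namespace rename leaves the old `www` namespace and its `mysql`/`wordpress` PVCs in place rather than migrating them, so confirm the data is copied before the old namespace is removed. The Deployment's container spec begins outside this hunk.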