

5 Commits

259c4aa83f Closes #44 2026-01-25 11:30:35 -05:00
69b989a112 Gitea, MinIO, and Prometheus changes 2026-01-06 19:06:46 -05:00
92a024d744 Misc. changes 2025-11-06 11:35:51 -05:00
055c92f3f7 Closes #15 2025-11-06 11:33:41 -05:00
71d0491236 Closes #33 2025-11-03 22:59:41 -05:00
10 changed files with 156 additions and 21 deletions


@@ -17,6 +17,9 @@
release_namespace: coturn release_namespace: coturn
create_namespace: true create_namespace: true
values: values:
global:
security:
allowInsecureImages: true
service: service:
type: LoadBalancer type: LoadBalancer
externalTrafficPolicy: Local externalTrafficPolicy: Local
@@ -30,8 +33,14 @@
pullPolicy: Always pullPolicy: Always
externalDatabase: externalDatabase:
enabled: true enabled: true
username: coturn
password: "{{ coturn_admin_password }}"
database: coturn
postgresql: postgresql:
enabled: true enabled: true
image:
repository: bitnamilegacy/postgresql
tag: 17.6.0-debian-12-r0
global: global:
postgresql: postgresql:
auth: auth:
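Review bot: `repository: bitnamilegacy/postgresql` with `tag: 17.6.0-debian-12-r0` pins the database to an image from Bitnami's legacy archive, which is no longer rebuilt, and `allowInsecureImages: true` in the preceding hunk switches off the chart check that would otherwise refuse it. A comment recording why the legacy image is needed and that it carries no further security rebuilds would keep that decision visible, e.g. `# bitnamilegacy is a frozen archive (no CVE rebuilds); revisit before next upgrade`. Separately, this hunk now enables both `externalDatabase` and the bundled `postgresql` subchart; if the chart only honours one of the two, the other credentials block is dead configuration — confirm against the chart's values and drop the unused one.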
@@ -101,3 +110,6 @@
auth: auth:
username: coturn username: coturn
password: "{{ coturn_admin_password }}" password: "{{ coturn_admin_password }}"
extraTurnserverConfiguration: |
use-auth-secret
static-auth-secret={{ coturn_shared_secret }}


@@ -32,10 +32,6 @@
volumeName: "data" volumeName: "data"
size: 256Gi size: 256Gi
- name: Deploy Dex - name: Deploy Dex
kubernetes.core.helm: kubernetes.core.helm:
name: dex name: dex
@@ -45,6 +41,12 @@
values: values:
config: config:
issuer: https://dex.eom.dev/ issuer: https://dex.eom.dev/
staticClients:
- id: "{{ matrix_dex_oidc_client_id }}"
name: Matrix Auth Service
secret: "{{ matrix_dex_oidc_client_secret }}"
redirectURIs:
- "https://mas.eom.dev/upstream/callback/01K96AQEZKKABW34PY3R6BVNJ4"
storage: storage:
type: postgres type: postgres
config: config:
@@ -62,10 +64,10 @@
config: config:
host: openldap.openldap.svc.cluster.local host: openldap.openldap.svc.cluster.local
insecureNoSSL: true insecureNoSSL: true
bindDN: cn=readonly,dc=example,dc=com bindDN: cn=readonly,dc=eom,dc=dev
bindPW: "{{ openldap_readonly_password }}" bindPW: "{{ openldap_readonly_password }}"
userSearch: userSearch:
baseDN: dc=example,dc=com baseDN: dc=eom,dc=dev
filter: "(&(objectClass=posixAccount)(memberOf=cn=Dex Users,ou=Dex,ou=Services,dc=eom,dc=dev))" filter: "(&(objectClass=posixAccount)(memberOf=cn=Dex Users,ou=Dex,ou=Services,dc=eom,dc=dev))"
username: uid username: uid
idAttr: uid idAttr: uid
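Review bot: `insecureNoSSL: true` still leaves this connector sending `bindPW` and user credentials over plaintext LDAP to `openldap.openldap.svc.cluster.local`, while the same compare issues a cert-manager certificate for the OpenLDAP deployment; that certificate's `dnsNames` covers only `openldap.eom.dev`, so moving this connector to TLS would also need the in-cluster service name added there, or `host` pointed at the certified name. The `bindDN`/`baseDN` change to `dc=eom,dc=dev` lines up with the `filter` value, which already used that suffix. Worth a follow-up marker here, e.g. `# TODO: drop insecureNoSSL once the openldap certificate covers the svc hostname`.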
@@ -81,12 +83,14 @@
nameAttr: cn nameAttr: cn
ingress: ingress:
enabled: true enabled: true
className: nginx
annotations: annotations:
cert-manager.io/cluster-issuer: ca-issuer cert-manager.io/cluster-issuer: ca-issuer
hosts: hosts:
- host: dex.eom.dev - host: dex.eom.dev
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific
tls: tls:
- hosts: - hosts:
- dex.eom.dev - dex.eom.dev


@@ -79,9 +79,9 @@
APP_NAME: "Gitea" APP_NAME: "Gitea"
service: service:
DISABLE_REGISTRATION: false DISABLE_REGISTRATION: false
SHOW_REGISTRATION_BUTTON: false SHOW_REGISTRATION_BUTTON: true
DEFAULT_ALLOW_CREATE_ORGANIZATION: false DEFAULT_ALLOW_CREATE_ORGANIZATION: false
ALLOW_ONLY_EXTERNAL_REGISTRATION: true ALLOW_ONLY_EXTERNAL_REGISTRATION: false
oauth2_client: oauth2_client:
ENABLE_AUTO_REGISTRATION: true ENABLE_AUTO_REGISTRATION: true
UPDATE_AVATAR: true UPDATE_AVATAR: true
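Review bot: Setting `ALLOW_ONLY_EXTERNAL_REGISTRATION: false` while `DISABLE_REGISTRATION` stays `false` (and `SHOW_REGISTRATION_BUTTON` is now `true`) re-enables local password self-registration for anyone who can reach the instance, not only users arriving through the OAuth2 provider. If the intent was only to have SSO users provisioned automatically, `oauth2_client.ENABLE_AUTO_REGISTRATION: true` already covers that and the previous `true` value can stay. If open local sign-up is wanted, consider pairing it with `ENABLE_CAPTCHA: true` or an `EMAIL_DOMAIN_ALLOWLIST` under `service`, and record the decision in a comment next to these two keys.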


@@ -1,5 +1,14 @@
--- ---
# tasks file for grafana-matrix-forwarder # tasks file for grafana-matrix-forwarder
- name: Create Grafana Matrix Forwarder namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: grafana-matrix-forwarder
- name: Create a Deployment for Grafana Matrix Forwarder - name: Create a Deployment for Grafana Matrix Forwarder
k8s: k8s:
definition: definition:
@@ -7,7 +16,7 @@
kind: Deployment kind: Deployment
metadata: metadata:
name: matrix-forwarder name: matrix-forwarder
namespace: grafana namespace: grafana-matrix-forwarder
spec: spec:
replicas: 1 replicas: 1
selector: selector:
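Review bot: Changing the Deployment's `namespace:` from `grafana` to `grafana-matrix-forwarder` (and the Service's in the next hunk) does not remove the objects previously applied in `grafana`; `k8s` with its default state leaves the old Deployment running, so two forwarders would hold the Matrix credentials and both could act on alerts until the old one is deleted. If nothing else in the playbook cleans it up, add a task with `state: absent` for the old `matrix-forwarder` Deployment and Service in namespace `grafana`, or delete them by hand when this is rolled out. A comment such as `# moved from namespace grafana; the old Deployment/Service there must be removed` would record it for the next reader.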
@@ -29,7 +38,7 @@
- name: GMF_MATRIX_PASSWORD - name: GMF_MATRIX_PASSWORD
value: "{{ grafana_admin_password }}" value: "{{ grafana_admin_password }}"
- name: GMF_MATRIX_HOMESERVER - name: GMF_MATRIX_HOMESERVER
value: eom.dev value: synapse.eom.dev
- name: GMF_RESOLVE_MODE - name: GMF_RESOLVE_MODE
value: reply value: reply
@@ -40,7 +49,7 @@
kind: Service kind: Service
metadata: metadata:
name: matrix-forwarder name: matrix-forwarder
namespace: grafana namespace: grafana-matrix-forwarder
spec: spec:
selector: selector:
app: matrix-forwarder app: matrix-forwarder


@@ -90,6 +90,38 @@
requests: requests:
storage: 2Ti storage: 2Ti
- name: Create a ConfigMap for encryption
k8s:
state: present
definition:
apiVersion: v1
kind: ConfigMap
metadata:
name: certs
namespace: mail
data:
privkey.pem: "{{ mail_encryption_privkey }}"
pubkey.pem: "{{ mail_encryption_pubkey }}"
- name: Create a ConfigMap for Dovecot
k8s:
state: present
definition:
apiVersion: v1
kind: ConfigMap
metadata:
name: dovecot
namespace: mail
data:
10-encryption.conf: |
# Enables mail_crypt for all services (pop3, pop3, etc)
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_global_private_key = </certs/privkey.pem
mail_crypt_global_public_key = </certs/pubkey.pem
mail_crypt_save_version = 2
}
- name: Create a deployment - name: Create a deployment
k8s: k8s:
definition: definition:
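Review bot: `privkey.pem: "{{ mail_encryption_privkey }}"` stores the mail_crypt private key in a ConfigMap, which Kubernetes does not treat as sensitive — it is readable by any role with configmap access, not covered by Secret encryption at rest, and printed verbatim by `kubectl describe`. Since this key decrypts every stored mailbox it belongs in a Secret: `kind: Secret` with `stringData:` in place of `data:` here, and `secret:` / `secretName: certs` in place of `configMap:` / `name: certs` in the volumes hunk further down. Keeping both PEM files in the one Secret leaves the `/certs` mount paths used by the Dovecot config unchanged.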
@@ -141,8 +173,13 @@
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
volumeMounts: volumeMounts:
- name: certs
mountPath: /certs
- name: config - name: config
mountPath: /tmp/docker-mailserver mountPath: /tmp/docker-mailserver
- name: dovecot
mountPath: /etc/dovecot/conf.d/10-encryption.conf
subPath: 10-encryption.conf
- name: ssl - name: ssl
mountPath: /etc/letsencrypt mountPath: /etc/letsencrypt
- name: mail - name: mail
@@ -207,6 +244,9 @@
- name: SSL_KEY_PATH - name: SSL_KEY_PATH
value: "/etc/letsencrypt/tls.key" value: "/etc/letsencrypt/tls.key"
volumes: volumes:
- name: certs
configMap:
name: certs
- name: ssl - name: ssl
secret: secret:
secretName: mail secretName: mail
@@ -219,6 +259,9 @@
- name: dkim - name: dkim
persistentVolumeClaim: persistentVolumeClaim:
claimName: dkim claimName: dkim
- name: dovecot
configMap:
name: dovecot
- name: Expose deployment as a service - name: Expose deployment as a service
k8s: k8s:


@@ -3,4 +3,4 @@
- name: Deploy - name: Deploy
include_tasks: "{{ item }}" include_tasks: "{{ item }}"
loop: loop:
- localai.yaml - gitea.yaml


@@ -7,15 +7,19 @@
release_namespace: minio release_namespace: minio
create_namespace: true create_namespace: true
values: values:
image:
repository: bitnamilegacy/minio
metrics: metrics:
enabled: true enabled: true
disableWebUI: true console:
enabled: false
auth: auth:
rootUser: minio_admin rootUser: minio_admin
rootPassword: "{{ minio_admin_password }}" rootPassword: "{{ minio_admin_password }}"
defaultBuckets: default defaultBuckets: default
volumePermissions: defaultInitContainers:
enabled: true volumePermissions:
enabled: true
mode: standalone mode: standalone
persistence: persistence:
size: 8Ti size: 8Ti
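Review bot: `repository: bitnamilegacy/minio` is added without a `tag`, so the chart's default tag is resolved against the legacy archive; that repository is frozen, so the default tag may not exist there, and when it does it will never be rebuilt. Pin an explicit `tag:` as the coturn play does for its postgresql image, and check whether this chart also needs `global.security.allowInsecureImages: true` for a non-default repository, since the coturn hunk required it. A comment next to the image block, e.g. `# legacy archive image, pinned; receives no further security rebuilds`, keeps the upgrade debt visible.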
@@ -46,13 +50,10 @@
value: OpenLDAP value: OpenLDAP
- name: MINIO_IDENTITY_LDAP_SERVER_INSECURE - name: MINIO_IDENTITY_LDAP_SERVER_INSECURE
value: "on" value: "on"
apiIngress: ingress:
enabled: true enabled: true
hostname: minio.eom.dev hostname: minio.eom.dev
ingressClassName: nginx ingressClassName: nginx
annotations: annotations:
cert-manager.io/cluster-issuer: ca-issuer cert-manager.io/cluster-issuer: ca-issuer
tls: tls: true
- hosts:
- minio.eom.dev
secretName: minio-tls


@@ -41,6 +41,36 @@
requests: requests:
storage: 32Gi storage: 32Gi
- name: Request a certificate for OpenLDAP
k8s:
state: present
definition:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: openldap
namespace: openldap
spec:
secretName: openldap
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
duration: 2160h # 90d
renewBefore: 360h # 15d
isCA: false
usages:
- server auth
- client auth
subject:
organizations:
- EOM
dnsNames:
- openldap.eom.dev
issuerRef:
name: ca-issuer
kind: ClusterIssuer
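Review bot: the new Certificate lists only `openldap.eom.dev` under `dnsNames`, but the in-cluster consumers in this compare (Dex at `openldap.openldap.svc.cluster.local`, and presumably MinIO's LDAP identity settings) reach the server through the Service name, so this SAN set fails hostname verification for them and they would have to remain on plaintext or insecure settings. Add `- openldap.openldap.svc.cluster.local` and `- openldap.openldap.svc` to `dnsNames`. The `LDAP_TLS_CRT_FILENAME`/`LDAP_TLS_KEY_FILENAME` values in the next hunk, `tls.crt`/`tls.key`, match the keys cert-manager writes into the `openldap` secret, but the volume that mounts that secret into the container is not visible in these hunks — confirm it exists.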
- name: Create Deployment for OpenLDAP - name: Create Deployment for OpenLDAP
k8s: k8s:
definition: definition:
@@ -75,6 +105,10 @@
value: "{{ openldap_readonly_password }}" value: "{{ openldap_readonly_password }}"
- name: LDAP_TLS_VERIFY_CLIENT - name: LDAP_TLS_VERIFY_CLIENT
value: never value: never
- name: LDAP_TLS_CRT_FILENAME
value: tls.crt
- name: LDAP_TLS_KEY_FILENAME
value: tls.key
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /etc/ldap/slapd.d mountPath: /etc/ldap/slapd.d


@@ -81,6 +81,7 @@
name: rtmp name: rtmp
- port: 8080 - port: 8080
name: http name: http
externalTrafficPolicy: Local
type: LoadBalancer type: LoadBalancer
- name: Create Ingress - name: Create Ingress


@@ -27,7 +27,18 @@
instance: grafana instance: grafana
metrics_path: /metrics metrics_path: /metrics
- job_name: nextcloud - job_name: owncast
scrape_interval: 1m
metrics_path: /api/admin/prometheus
scheme: https
basic_auth:
username: admin
password: "{{ owncast_admin_password }}"
static_config:
- targets:
- owncast.eom.dev
- job_name: local
static_configs: static_configs:
- targets: - targets:
- nextcloud-metrics.nextcloud.svc.cluster.local:9205 - nextcloud-metrics.nextcloud.svc.cluster.local:9205
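Review bot: `static_config:` in the new owncast job is not a valid scrape_config key — the rest of this file uses `static_configs:` (see the job directly below), and Prometheus rejects unknown fields on load, so this change would stop the configuration from (re)loading; change it to `static_configs:`. Renaming the existing job from `nextcloud` to `local` while it keeps the `nextcloud-metrics` target changes the `job` label on those series and breaks any dashboards or alerts keyed on `job="nextcloud"`; if the rename is intended it deserves a comment, otherwise restore `- job_name: nextcloud`. The Owncast admin password is now embedded as `basic_auth.password`, which is how Prometheus takes credentials, but `password_file` is available if the rendered config ends up somewhere broadly readable.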
@@ -113,4 +124,24 @@
- 192.168.1.72:9100 - 192.168.1.72:9100
labels: labels:
instance: alpha-worker-12 instance: alpha-worker-12
- targets:
- 192.168.1.95:9100
labels:
instance: alpha-worker-13
- targets:
- 192.168.1.70:9100
labels:
instance: alpha-worker-14
- targets:
- 192.168.1.46:9100
labels:
instance: alpha-worker-15
- targets:
- 192.168.1.74:9100
labels:
instance: alpha-worker-16
- targets:
- 192.168.1.88:9100
labels:
instance: alpha-worker-17
metrics_path: /metrics metrics_path: /metrics