Closes #44

This change was made to recover from an update made while attempting to address DevOps/ansible-role-eom#37, which was not solved here.

Reviewed-on: #38

files/matterbridge.toml

@@ -0,0 +1,130 @@
+#This is configuration for matterbridge.
+#WARNING: as this file contains credentials, be sure to set correct file permissions
+###################################################################
+# NCTalk (Nextcloud Talk)
+###################################################################
+
+[nctalk.bridge]
+
+# Url of your Nextcloud server
+Server = "https://nextcloud.eom.dev"
+
+# Enable to not verify the certificate on your Nextcloud server.
+# e.g. when using selfsigned certificates
+# OPTIONAL (default false)
+SkipTLSVerify=false
+
+# Username of the bot
+Login = "minecraft"
+
+# Password of the bot
+Password = "{{ minecraft_admin_password }}"
+
+# Suffix for Guest Users
+GuestSuffix = " (Guest)"
+
+# Separate display name (Note: needs to be configured from Nextcloud Talk to work)
+SeparateDisplayName=false
+
+###################################################################
+#API
+###################################################################
+[api]
+#You can configure multiple API hooks
+#In this example we use [api.minecraft]
+#REQUIRED
+
+[api.minecraft]
+#Address to listen on for API
+#REQUIRED
+BindAddress="0.0.0.0:4242"
+
+#Amount of messages to keep in memory
+Buffer=1000
+
+#Bearer token used for authentication
+#curl -H "Authorization: Bearer token" http://localhost:4242/api/messages
+#OPTIONAL (no authorization if token is empty)
+Token=""
+
+#extra label that can be used in the RemoteNickFormat
+#optional (default empty)
+Label="minecraft"
+
+#RemoteNickFormat defines how remote users appear on this bridge
+#The string "{NICK}" (case sensitive) will be replaced by the actual nick / username.
+#The string "{BRIDGE}" (case sensitive) will be replaced by the sending bridge
+#The string "{PROTOCOL}" (case sensitive) will be replaced by the protocol used by the bridge
+#OPTIONAL (default empty)
+RemoteNickFormat="{NICK}"
+
+###################################################################
+#General configuration
+###################################################################
+# Settings here are defaults that each protocol can override
+[general]
+#RemoteNickFormat defines how remote users appear on this bridge
+#The string "{NICK}" (case sensitive) will be replaced by the actual nick / username.
+#The string "{BRIDGE}" (case sensitive) will be replaced by the sending bridge
+#The string "{PROTOCOL}" (case sensitive) will be replaced by the protocol used by the bridge
+#OPTIONAL (default empty)
+RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+
+#StripNick only allows alphanumerical nicks. See https://github.com/42wim/matterbridge/issues/285
+#It will strip other characters from the nick
+#OPTIONAL (default false)
+StripNick=false
+
+
+#MediaServerUpload and MediaServerDownload are used for uploading images/files/video to
+#a remote "mediaserver" (a webserver like caddy for example).
+#When configured images/files uploaded on bridges like mattermost,slack, telegram will be downloaded
+#and uploaded again to MediaServerUpload URL
+#The MediaServerDownload will be used so that bridges without native uploading support:
+#gitter, irc and xmpp will be shown links to the files on MediaServerDownload
+#
+#More information https://github.com/42wim/matterbridge/wiki/Mediaserver-setup-%5Badvanced%5D
+#OPTIONAL (default empty)
+#MediaServerUpload="https://user:pass@yourserver.com/upload"
+#OPTIONAL (default empty)
+#MediaServerDownload="https://youserver.com/download"
+
+#MediaDownloadSize is the maximum size of attachments, videos, images
+#matterbridge will download and upload this file to bridges that also support uploading files.
+#eg downloading from slack to upload it to mattermost
+#
+#It will only download from bridges that don't have public links available, which are for the moment
+#slack, telegram, matrix and mattermost
+#
+#Optional (default 1000000 (1 megabyte))
+MediaDownloadSize=1000000
+
+###################################################################
+#Gateway configuration
+###################################################################
+
+#You can specify multiple gateways using [[gateway]]
+#Each gateway has a [[gateway.in]] and a [[gateway.out]]
+#[[gateway.in]] specifies the account and channels we will receive messages from.
+#[[gateway.out]] specifies the account and channels we will send the messages
+#from [[gateway.in]] to.
+#
+#Most of the time [[gateway.in]] and [[gateway.out]] are the same if you
+#want bidirectional bridging. You can then use [[gateway.inout]]
+#
+
+[[gateway]]
+#REQUIRED and UNIQUE
+name="minecraft"
+#Enable enables this gateway
+##OPTIONAL (default false)
+enable=true
+
+    # API
+    [[gateway.inout]]
+    account="api.minecraft"
+    channel="api"
+
+    [[gateway.inout]]
+    account="nctalk.bridge"
+    token="wgo6vovu"

files/nextcloud-talk-gitea-webhook.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+message="$(echo $1| sed 's/.*"message":"\(.*\).."}/\1/')"
+
+curl -X POST \
+	-H "Content-Type: application/json" \
+	-H "OCS-APIRequest: true" \
+	https://nextcloud.eom.dev/ocs/v2.php/apps/spreed/api/v1/chat/x3wy62mb \
+	-u Gitea:$GITEA_ADMIN_PASSWORD \
+	-d "{\"token\": \"x3wy62mb\", \"message\": \"$message\"}"

files/nextcloud-talk-grafana-webhook.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+message="$(echo $1| sed 's/.*"message":"\(.*\).."}/\1/')"
+
+curl -X POST \
+	-H "Content-Type: application/json" \
+	-H "OCS-APIRequest: true" \
+	https://nextcloud.eom.dev/ocs/v2.php/apps/spreed/api/v1/chat/x3wy62mb \
+	-u Grafana:$GRAFANA_ADMIN_PASSWORD \
+	-d "{\"token\": \"x3wy62mb\", \"message\": \"$message\"}"

tasks/bridgegate_kitchen.yaml

@@ -0,0 +1,36 @@
+---
+# tasks file for wordpress
+- name: Deploy Wordpress
+  kubernetes.core.helm:
+    name: bridgegate-kitchen
+    chart_ref: bitnami/wordpress
+    release_namespace: bridgegate-kitchen
+    create_namespace: true
+    values:
+      resourcesPreset: small
+      wordpressUsername: wordpress_admin
+      wordpressPassword: "{{ wordpress_admin_password }}"
+      wordpressEmail: wordpress@eom.dev
+      wordpressFirstName: Administrator
+      wordpressLastName: Wordpress
+      wordpressBlogName: Bridgegate Kitchen
+      wordpressScheme: https
+      service:
+        type: ClusterIP
+      ingress:
+        enabled: true
+        ingressClassName: nginx
+        hostname: bridgegate-kitchen.eom.dev
+        annotations:
+          cert-manager.io/cluster-issuer: ca-issuer
+        tls: true
+      persistence:
+        enabled: true
+        size: 128Gi
+      mariadb:
+        enabled: true
+        auth:
+          password: "{{ wordpress_admin_password }}"
+        primary:
+          persistence:
+            size: 256Gi

tasks/cloud.yaml

@@ -1,191 +0,0 @@
----
-# tasks file for nextcloud
-- name: Create NextCloud namespace
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Namespace
-      metadata:
-        name: cloud
-
-- name: Create PVC for MySQL
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
-        name: mysql
-        namespace: cloud
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 64Gi
-
-- name: Create Deployment for MySQL
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Deployment
-      metadata:
-        name: mysql
-        namespace: cloud
-        labels:
-          app: mysql
-      spec:
-        replicas: 1
-        selector:
-          matchLabels:
-            app: mysql
-        template:
-          metadata:
-            labels:
-              app: mysql
-          spec:
-            containers:
-              - name: mysql
-                image: mysql
-                volumeMounts:
-                  - name: data
-                    mountPath: /var/lib/mysql
-                ports:
-                  - containerPort: 3306
-                env:
-                  - name: MYSQL_ROOT_PASSWORD
-                    value: "{{ mysql_root_password }}"
-                  - name: MYSQL_DATABASE
-                    value: nextcloud
-                  - name: MYSQL_USER
-                    value: nextcloud
-                  - name: MYSQL_PASSWORD
-                    value: "{{ nextcloud_mysql_password }}"
-            volumes:
-              - name: data
-                persistentVolumeClaim:
-                  claimName: mysql
-
-- name: Create Service for MySQL
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Service
-      metadata:
-        name: mysql
-        namespace: cloud
-      spec:
-        selector:
-          app: mysql
-        ports:
-          - port: 3306
-            name: mysql
-        type: ClusterIP
-
-- name: Create PVC for NextCloud
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
-        name: nextcloud
-        namespace: cloud
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 128Gi
-
-- name: Create Deployment for NextCloud
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Deployment
-      metadata:
-        name: nextcloud
-        namespace: cloud
-        labels:
-          app: nextcloud
-      spec:
-        replicas: 1
-        selector:
-          matchLabels:
-            app: nextcloud
-        template:
-          metadata:
-            labels:
-              app: nextcloud
-          spec:
-            containers:
-              - name: nextcloud
-                image: nextcloud
-                volumeMounts:
-                  - name: data
-                    mountPath: /var/www/html
-                ports:
-                  - containerPort: 3000
-                env:
-                  - name: MYSQL_HOST
-                    value: mysql
-                  - name: MYSQL_DATABASE
-                    value: nextcloud
-                  - name: MYSQL_USER
-                    value: nextcloud
-                  - name: MYSQL_PASSWORD
-                    value: "{{ nextcloud_mysql_password }}"
-            volumes:
-              - name: data
-                persistentVolumeClaim:
-                  claimName: nextcloud
-
-- name: Create Service for NextCloud
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Service
-      metadata:
-        name: nextcloud
-        namespace: cloud
-      spec:
-        selector:
-          app: nextcloud
-        ports:
-          - port: 80
-            name: http
-        type: ClusterIP
-
-- name: Create Ingress
-  k8s:
-    state: present
-    definition:
-      apiVersion: networking.k8s.io/v1
-      kind: Ingress
-      metadata:
-        annotations:
-          cert-manager.io/cluster-issuer: ca-issuer
-        name: nextcloud
-        namespace: cloud
-      spec:
-        ingressClassName: nginx
-        rules:
-          - host: cloud.eom.dev
-            http:
-              paths:
-                - pathType: Prefix
-                  path: /
-                  backend:
-                    service:
-                      name: nextcloud
-                      port:
-                        number: 80
-        tls:
-          - hosts:
-            - cloud.eom.dev
-            secretName: nextcloud

tasks/coturn.yaml

@@ -0,0 +1,115 @@
+---
+# tasks file for coturn
+- name: Add Small Hack repo
+  kubernetes.core.helm_repository:
+    name: small-hack-coturn
+    repo_url: https://small-hack.github.io/coturn-chart
+  register: repo
+
+- name: Update Helm repos
+  command: helm repo update
+  when: repo.changed
+
+- name: Deploy Coturn
+  kubernetes.core.helm:
+    name: coturn
+    chart_ref: small-hack-coturn/coturn
+    release_namespace: coturn
+    create_namespace: true
+    values:
+        global:
+          security:
+            allowInsecureImages: true
+        service:
+          type: LoadBalancer
+          externalTrafficPolicy: Local
+        certificate:
+          enabled: true
+          host: coturn.eom.dev
+          issuerName: ca-issuer
+        sharedSecret: "{{ coturn_shared_secret }}"
+        image:
+          tag: latest
+          pullPolicy: Always
+        externalDatabase:
+          enabled: true
+          username: coturn
+          password: "{{ coturn_admin_password }}"
+          database: coturn
+        postgresql:
+          enabled: true
+          image:
+            repository: bitnamilegacy/postgresql
+            tag: 17.6.0-debian-12-r0
+          global:
+            postgresql:
+              auth:
+                password: "{{ coturn_admin_password }}"
+          primary:
+            initdb:
+              scripts:
+                schema.sql: |
+                  CREATE TABLE turnusers_lt (
+                      realm varchar(127) default '',
+                      name varchar(512),
+                      hmackey char(128),
+                      PRIMARY KEY (realm,name)
+                  );
+
+                  CREATE TABLE turn_secret (
+                      realm varchar(127) default '',
+                      value varchar(256),
+                      primary key (realm,value)
+                  );
+
+                  CREATE TABLE allowed_peer_ip (
+                      realm varchar(127) default '',
+                      ip_range varchar(256),
+                      primary key (realm,ip_range)
+                  );
+
+                  CREATE TABLE denied_peer_ip (
+                      realm varchar(127) default '',
+                      ip_range varchar(256),
+                      primary key (realm,ip_range)
+                  );
+
+                  CREATE TABLE turn_origin_to_realm (
+                      origin varchar(127),
+                      realm varchar(127),
+                      primary key (origin)
+                  );
+
+                  CREATE TABLE turn_realm_option (
+                      realm varchar(127) default '',
+                      opt varchar(32),
+                      value varchar(128),
+                      primary key (realm,opt)
+                  );
+
+                  CREATE TABLE oauth_key (
+                      kid varchar(128),
+                      ikm_key varchar(256),
+                      timestamp bigint default 0,
+                      lifetime integer default 0,
+                      as_rs_alg varchar(64) default '',
+                      realm varchar(127),
+                      primary key (kid)
+                  );
+
+                  CREATE TABLE admin_user (
+                      name varchar(32),
+                      realm varchar(127),
+                      password varchar(127),
+                      primary key (name)
+                  );
+            persistence:
+              size: 256Gi
+        coturn:
+          realm: coturn.eom.dev
+          auth:
+            username: coturn
+            password: "{{ coturn_admin_password }}"
+          extraTurnserverConfiguration: |
+            use-auth-secret
+            static-auth-secret={{ coturn_shared_secret }}

tasks/dex.yaml

@@ -0,0 +1,97 @@
+---
+# tasks file for dex
+- name: Add Dex repo
+  kubernetes.core.helm_repository:
+    name: dex
+    repo_url: https://charts.dexidp.io
+  register: repo
+
+- name: Update Helm repos
+  command: helm repo update
+  when: repo.changed
+
+- name: Deploy PostgreSQL
+  kubernetes.core.helm:
+    name: postgresql
+    chart_ref: bitnami/postgresql
+    release_namespace: dex
+    create_namespace: true
+    values:
+      auth:
+        enablePostgresUser: true
+        postgresPassword: "{{ postgresql_admin_password }}"
+        username: "dex"
+        password: "{{ dex_admin_password }}"
+        database: "dex"
+      primary:
+        name: primary
+        initdb:
+          scripts: {}
+        persistence:
+          enabled: true
+          volumeName: "data"
+          size: 256Gi
+
+- name: Deploy Dex
+  kubernetes.core.helm:
+    name: dex
+    chart_ref: dex/dex
+    release_namespace: dex
+    create_namespace: true
+    values:
+      config:
+        issuer: https://dex.eom.dev/
+        staticClients:
+          - id: "{{ matrix_dex_oidc_client_id }}"
+            name: Matrix Auth Service
+            secret: "{{ matrix_dex_oidc_client_secret }}"
+            redirectURIs:
+              - "https://mas.eom.dev/upstream/callback/01K96AQEZKKABW34PY3R6BVNJ4"
+        storage:
+          type: postgres
+          config:
+            host: postgresql
+            port: 5432
+            databbase: dex
+            user: dex
+            password: "{{ dex_admin_password }}"
+            ssl:
+              mode: disable
+        connectors:
+          - type: ldap
+            id: ldap
+            name: LDAP
+            config:
+              host: openldap.openldap.svc.cluster.local
+              insecureNoSSL: true
+              bindDN: cn=readonly,dc=eom,dc=dev
+              bindPW: "{{ openldap_readonly_password }}"
+              userSearch:
+                baseDN: dc=eom,dc=dev
+                filter: "(&(objectClass=posixAccount)(memberOf=cn=Dex Users,ou=Dex,ou=Services,dc=eom,dc=dev))"
+                username: uid
+                idAttr: uid
+                emailAttr: mail
+                nameAttr: givenName
+                preferredUsernameAttr: uid
+              groupSearch:
+                baseDN: dc=eom,dc=dev
+                filter: "(objectClass=groupOfUniqueNames)"
+                userMatchers:
+                - userAttr: cn
+                  groupAttr: uniqueMember
+                nameAttr: cn
+      ingress:
+        enabled: true
+        className: nginx
+        annotations:
+          cert-manager.io/cluster-issuer: ca-issuer
+        hosts:
+          - host: dex.eom.dev
+            paths:
+              - path: /
+                pathType: ImplementationSpecific
+        tls:
+          - hosts:
+              - dex.eom.dev
+            secretName: dex

tasks/discourse.yaml

@@ -0,0 +1,78 @@
+---
+# tasks file for discourse
+- name: Deploy Discourse
+  kubernetes.core.helm:
+    name: discourse
+    chart_ref: bitnami/discourse
+    release_namespace: discourse
+    create_namespace: true
+    values:
+      auth:
+        email: discourse@eom.dev
+        username: discourse_admin
+        password: "{{ discourse_admin_password }}"
+      host: "https://discourse.eom.dev"
+      siteName: 'Discourse'
+      smtp:
+        enabled: true
+        host: "postfix.eom.dev"
+        port: "587"
+        protocol: "tls"
+        user: "discourse"
+        password: "{{ discourse_admin_password }}"
+      image:
+        debug: false
+        repository: bitnamilegacy/discourse
+        tag: 3.4.7-debian-12-r0
+      service:
+        externalTrafficPolicy: Local
+      discourse:
+        skipInstall: false
+        plugins:
+          - https://github.com/discourse/discourse-adplugin
+          - https://github.com/discourse/discourse-subscriptions
+          - https://github.com/discourse/discourse-activity-pub
+          - https://github.com/discourse/discourse-openid-connect
+          - https://github.com/jonmbake/discourse-ldap-auth
+          - https://github.com/discourse/discourse-math
+          - https://github.com/discourse/discourse-post-voting
+          - https://github.com/discourse/discourse-prometheus
+          - https://github.com/discourse/discourse-reactions
+        command:
+          - /bin/bash
+        args:
+          - -c
+          - |
+            rm -r /opt/bitnami/discourse/plugins/chat
+            chown -R discourse:root /opt/bitnami/discourse/plugins
+            /opt/bitnami/scripts/discourse/entrypoint.sh /opt/bitnami/scripts/discourse/run.sh
+        persistPlugins: false
+        compatiblePlugins: true
+        resourcesPreset: none
+      persistence:
+        size: 2Ti
+      ingress:
+        enabled: true
+        ingressClassName: "nginx"
+        hostname: discourse.eom.dev
+        annotations: 
+          cert-manager.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/proxy-set-header: "X-Forwarded-Proto $scheme"
+        tls: true
+      postgresql:
+        enabled: true
+        image:
+          repository: bitnamilegacy/postgresql
+        auth:
+          enablePostgresUser: true
+          postgresPassword: "{{ discourse_admin_password }}"
+          password: "{{ discourse_admin_password }}"
+        primary:
+          persistence:
+            size: 2Ti
+      redis:
+        enabled: true
+        image:
+          repository: bitnamilegacy/redis
+        auth:
+          password: "{{ discourse_admin_password }}"

tasks/gitea.yaml

@@ -17,6 +17,8 @@
     release_namespace: gitea
     create_namespace: true
     values:
+      image:
+        pullPolicy: IfNotPresent
       service:
         ssh:
           type: LoadBalancer
@@ -40,6 +42,19 @@
         enabled: true
         provisioning:
           enabled: true
+        statefulset:
+          actRunner:
+            config: |
+              log:                                                                                                                            
+                level: debug                                                                                                                  
+              cache:                                                                                                                          
+                enabled: false                                                                                                                
+              runner:
+                labels:
+                  - "ubuntu-latest:docker://node:16-bullseye"
+                  - "ubuntu-22.04:docker://node:16-bullseye"
+                  - "ubuntu-20.04:docker://node:16-bullseye"
+                  - "ubuntu-18.04:docker://node:16-buster"
       gitea:
         metrics:
           enabled: true
@@ -63,8 +78,22 @@
         config:
           APP_NAME: "Gitea"
           service:
-            DISABLE_REGISTRATION: true
+            DISABLE_REGISTRATION: false
+            SHOW_REGISTRATION_BUTTON: true
             DEFAULT_ALLOW_CREATE_ORGANIZATION: false
+            ALLOW_ONLY_EXTERNAL_REGISTRATION: false
+          oauth2_client:
+            ENABLE_AUTO_REGISTRATION: true
+            UPDATE_AVATAR: true
+            ACCOUNT_LINKING: auto
+          mailer:
+            ENABLED: true
+            SMTP_ADDR: postfix.eom.dev
+            SMTP_PORT: 587
+            USER: gitea
+            PASSWD: "{{ gitea_admin_password }}"
+            FROM: Gitea <gitea@eom.dev>
+            ENVELOPE_FROM: gitea@eom.dev
       redis:
         enabled: true
         global:

tasks/grafana-matrix-forwarder.yaml

@@ -0,0 +1,60 @@
+---
+# tasks file for grafana-matrix-forwarder
+- name: Create Grafana Matrix Forwarder namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: grafana-matrix-forwarder
+
+- name: Create a Deployment for Grafana Matrix Forwarder
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: matrix-forwarder
+        namespace: grafana-matrix-forwarder
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: matrix-forwarder
+        template:
+          metadata:
+            labels:
+              app: matrix-forwarder
+          spec:
+            containers:
+              - name: matrix-forwarder
+                image: registry.gitlab.com/hctrdev/grafana-matrix-forwarder
+                ports:
+                  - containerPort: 6000
+                env:
+                  - name: GMF_MATRIX_USER
+                    value: grafana
+                  - name: GMF_MATRIX_PASSWORD
+                    value: "{{ grafana_admin_password }}"
+                  - name: GMF_MATRIX_HOMESERVER
+                    value: synapse.eom.dev
+                  - name: GMF_RESOLVE_MODE
+                    value: reply
+
+- name: Expose GMF Deployment as a Service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: matrix-forwarder
+        namespace: grafana-matrix-forwarder
+      spec:
+        selector:
+          app: matrix-forwarder
+        ports:
+          - port: 80
+            targetPort: 6000
+            name: http
+        type: ClusterIP

tasks/grafana.yaml

@@ -24,8 +24,8 @@
         enabled: true
         user: grafana
         password: "{{ grafana_admin_password }}"
-        host: postfix.eom.dev
+        host: mail.eom.dev:587
-        fromAddress: grafana@postfix.eom.dev
+        fromAddress: grafana@eom.dev
         fromName: Grafana
       ldap:
         enabled: true

tasks/lemmy.yaml

@@ -0,0 +1,131 @@
+---
+# tasks file for lemmy
+- name: Create lemmy namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: lemmy
+
+- name: Create a persistent volume claim for lemmy
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: config
+        namespace: lemmy
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 2Ti
+
+- name: Create a persistent volume claim for lemmy
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: lemmy
+        namespace: lemmy
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 2Ti
+
+- name: Create a deployment for lemmy
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: lemmy
+        namespace: lemmy
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: lemmy
+        template:
+          metadata:
+            labels:
+              app: lemmy
+          spec:
+            containers:
+              - name: lemmy
+                image: dessalines/lemmy:0.19.11
+                volumeMounts:
+                  - name: config
+                    mountPath: /tmp/docker-lemmyserver
+                  - name: ssl
+                    mountPath: /etc/letsencrypt
+                  - name: lemmy
+                    mountPath: /var/lemmy
+                ports:
+                  - containerPort: 25
+                env:
+                  - name: OVERRIDE_HOSTNAME
+                    value: "postfix.eom.dev"
+            volumes:
+              - name: lemmy
+                persistentVolumeClaim:
+                  claimName: lemmy
+
+- name: Create a deployment for lemmy-ui
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: lemmy-ui
+        namespace: lemmy
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: lemmy-ui
+        template:
+          metadata:
+            labels:
+              app: lemmy-ui
+          spec:
+            containers:
+              - name: lemmy-ui
+                image: dessalines/lemmy-ui:0.19.11
+                volumeMounts:
+                  - name: lemmy
+                    mountPath: /var/lemmy
+                ports:
+                  - containerPort: 25
+                env:
+                  - name: OVERRIDE_HOSTNAME
+                    value: "postfix.eom.dev"
+            volumes:
+              - name: lemmy
+                persistentVolumeClaim:
+                  claimName: lemmy
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: lemmy
+        namespace: lemmy
+      spec:
+        selector:
+          app: lemmy
+        ports:
+          - port: 25
+            name: smtp-a
+        type: LoadBalancer
+        externalTrafficPolicy: Local

tasks/localai.yaml

@@ -0,0 +1,61 @@
+---
+# tasks file for localai
+- name: Add skynet repo
+  kubernetes.core.helm_repository:
+    name: go-skynet
+    repo_url: https://go-skynet.github.io/helm-charts/
+  register: repo_update
+
+- name: Update Helm repos
+  command: helm repo update
+  when: repo_update.changed
+
+- name: Deploy LocalAI
+  kubernetes.core.helm:
+    name: localai
+    chart_ref: go-skynet/local-ai
+    release_namespace: localai
+    create_namespace: true
+    values:
+      deployment:
+        image:
+          tag: latest-gpu-nvidia-cuda-12
+        runtimeClassName: nvidia
+        secretEnv:
+          - name: LOCALAI_DISABLE_WEBUI
+            value: "true"
+          - name: LOCALAI_API_KEY
+            value: "{{ localai_api_keys | join(',') }}"
+          - name: LOCALAI_WATCHDOG_IDLE
+            value: "true"
+          - name: LOCALAI_WATCHDOG_IDLE_TIMEOUT
+            value: "5m"
+          - name: LOCALAI_WATCHDOG_BUSY
+            value: "true"
+      resources:
+        limits:
+          nvidia.com/gpu: 1
+      persistence:
+        models:
+          size: 256Gi
+        output:
+          size: 128Gi
+      tolerations:
+        - key: specialResources
+          operator: Equal
+          value: GPU
+          effect: NoSchedule
+      ingress:
+        enabled: true
+        className: nginx
+        annotations:
+          cert-manager.io/cluster-issuer: ca-issuer
+        hosts:
+          - host: localai.eom.dev
+            paths:
+              - path: /
+                pathType: ImplementationSpecific
+        tls:
+          - secretName: localai-tls
+            hosts:
+              - localai.eom.dev

tasks/luanti.yaml

@@ -0,0 +1,20 @@
+---
+# tasks file for luanti
+- name: Deploy Luanti
+  kubernetes.core.helm:
+    name: luanti
+    chart_ref: oci://tccr.io/truecharts/minetest
+    release_namespace: luanti
+    create_namespace: true
+    values:
+      service:
+        main:
+          type: LoadBalancer
+          externalTrafficPolicy: Local
+      workload:
+        main:
+          podSpec:
+            containers:
+              main:
+                env:
+                  CLI_ARGS: --gameid minetest_game

tasks/mail.yaml

@@ -33,14 +33,47 @@
         subject:
           organizations:
             - EOM
-        commonName: mail.eom.dev
+        commonName: eom.dev
         dnsNames:
-          - mail.eom.dev
           - eom.dev
+          - postfix.eom.dev
+          - dovecot.eom.dev
         issuerRef:
           name: ca-issuer
           kind: ClusterIssuer
 
+- name: Create a persistent volume claim for mail
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: dkim
+        namespace: mail
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 512Mi
+
+- name: Create a persistent volume claim for mail
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: config
+        namespace: mail
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 2Gi
+
 - name: Create a persistent volume claim for mail
   k8s:
     state: present
@@ -57,6 +90,38 @@
           requests:
             storage: 2Ti
 
+- name: Create a ConfigMap for encryption
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: certs
+        namespace: mail
+      data:
+        privkey.pem: "{{ mail_encryption_privkey }}"
+        pubkey.pem: "{{ mail_encryption_pubkey }}"
+
+- name: Create a ConfigMap for Dovecot
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: dovecot
+        namespace: mail
+      data:
+        10-encryption.conf: |
+          # Enables mail_crypt for all services (pop3, pop3, etc)
+          mail_plugins = $mail_plugins mail_crypt
+          plugin {
+            mail_crypt_global_private_key = </certs/privkey.pem
+            mail_crypt_global_public_key = </certs/pubkey.pem
+            mail_crypt_save_version = 2
+          }
+
 - name: Create a deployment
   k8s:
     definition:
@@ -78,21 +143,62 @@
             containers:
               - name: mail
                 image: mailserver/docker-mailserver
+                securityContext:
+                  # `allowPrivilegeEscalation: true` is required to support SGID via the `postdrop`
+                  # executable in `/var/mail-state` for Postfix (maildrop + public dirs):
+                  # https://github.com/docker-mailserver/docker-mailserver/pull/3625
+                  allowPrivilegeEscalation: true
+                  readOnlyRootFilesystem: false
+                  runAsUser: 0
+                  runAsGroup: 0
+                  runAsNonRoot: false
+                  privileged: false
+                  capabilities:
+                    add:
+                      # file permission capabilities
+                      - CHOWN
+                      - FOWNER
+                      - MKNOD
+                      - SETGID
+                      - SETUID
+                      - DAC_OVERRIDE
+                      # network capabilities
+                      - NET_ADMIN  # needed for F2B
+                      - NET_RAW    # needed for F2B
+                      - NET_BIND_SERVICE
+                      # miscellaneous  capabilities
+                      - SYS_CHROOT
+                      - KILL
+                    drop: [ALL]
+                  seccompProfile:
+                    type: RuntimeDefault
                 volumeMounts:
+                  - name: certs
+                    mountPath: /certs
+                  - name: config
+                    mountPath: /tmp/docker-mailserver
+                  - name: dovecot
+                    mountPath: /etc/dovecot/conf.d/10-encryption.conf
+                    subPath: 10-encryption.conf
                   - name: ssl
                     mountPath: /etc/letsencrypt
                   - name: mail
                     mountPath: /var/mail
+                  - name: dkim
+                    mountPath: /tmp/docker-mailserver/opendkim
                 ports:
                   - containerPort: 25
                   - containerPort: 465
                   - containerPort: 587
                   - containerPort: 993
+                  - containerPort: 995
                 env:
                   - name: OVERRIDE_HOSTNAME
-                    value: "mail.eom.dev"
+                    value: "postfix.eom.dev"
                   - name: POSTMASTER_ADDRESS
-                    value: "postmaster@eom.dev"
+                    value: "postfix@eom.dev"
+                  - name: ENABLE_POP3
+                    value: "1"
                   - name: ACCOUNT_PROVISIONER
                     value: "LDAP"
                   - name: LDAP_SERVER_HOST
@@ -106,7 +212,7 @@
                   - name: LDAP_QUERY_FILTER_DOMAIN
                     value: "(mail=*@%s)"
                   - name: LDAP_QUERY_FILTER_USER
-                    value: "(&(mail=%s)(memberOf=cn=Mail Users,ou=Mail,ou=Services,dc=eom,dc=dev))"
+                    value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))"
                   - name: LDAP_QUERY_FILTER_ALIAS
                     value: "(&(objectClass=posixAccount)(mailAlias=%s))"
                   - name: LDAP_QUERY_FILTER_GROUP
@@ -120,7 +226,7 @@
                   - name: DOVECOT_DEFAULT_PASS_SCHEME
                     value: "MD5-CRYPT"
                   - name: DOVECOT_USER_FILTER
-                    value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Mail Users,ou=Mail,ou=Services,dc=eom,dc=dev))"
+                    value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Dovecot Users,ou=Dovecot,ou=Services,dc=eom,dc=dev))"
                   - name: DOVECOT_PASS_ATTRS
                     value: "uid=user,userPassword=password"
                   - name: DOVECOT_USER_ATTRS
@@ -138,12 +244,24 @@
                   - name: SSL_KEY_PATH
                     value: "/etc/letsencrypt/tls.key"
             volumes:
+              - name: certs
+                configMap:
+                  name: certs
               - name: ssl
                 secret:
                   secretName: mail
+              - name: config
+                persistentVolumeClaim:
+                  claimName: config
               - name: mail
                 persistentVolumeClaim:
                   claimName: mail
+              - name: dkim
+                persistentVolumeClaim:
+                  claimName: dkim
+              - name: dovecot
+                configMap:
+                  name: dovecot
 
 - name: Expose deployment as a service
   k8s:
@@ -165,4 +283,7 @@
             name: smtps
           - port: 993
             name: imap
+          - port: 995
+            name: pop3
         type: LoadBalancer
+        externalTrafficPolicy: Local

tasks/main.yaml

@@ -3,4 +3,4 @@
 - name: Deploy
   include_tasks: "{{ item }}"
   loop:
-    - mail.yaml
+    - gitea.yaml

tasks/mastodon.yaml

@@ -40,6 +40,15 @@
         LDAP_UID: uid
         LDAP_SEARCH_FILTER: (&(objectClass=posixAccount)(|(%{uid}=%{email})(%{mail}=%{email}))(memberOf=cn=Mastodon Users,ou=Mastodon,ou=Services,dc=eom,dc=dev))
         LDAP_MAIL: mail
+        OIDC_ENABLED: "true"
+        OIDC_DISPLAY_NAME: Google
+        OIDC_ISSUER: https://accounts.google.com
+        OIDC_DISCOVERY: "true"
+        OIDC_SCOPE: openid,profile,email
+        OIDC_UID_FIELD:
+        OIDC_CLIENT_ID: "{{ mastodon_google_oidc_client_id }}"
+        OIDC_CLIENT_SECRET: "{{ mastodon_google_oidc_client_secret }}"
+        OIDC_REDIRECT_URI: https://mastodon.eom.dev/auth/auth/openid_connect/callback
       localDomain: mastodon.eom.dev
       smtp:
         server: postfix.eom.dev
@@ -54,7 +63,7 @@
         password: "{{ mastodon_admin_password }}"
       persistence:
         enabled: true
-        size: 64Gi
+        size: 2Ti
       redis:
         enabled: true
         auth:
@@ -70,7 +79,7 @@
             enabled: true
             size: 2Ti
       elasticsearch:
-        enabled: true
+        enabled: false
         master:
           persistence:
             size: 64Gi
@@ -79,11 +88,6 @@
             size: 512Gi
       minio:
         enabled: false
-      externalS3:
-        host: minio.api.eom.dev
-        accessKeyId: mastodon
-        accessKeySecret: "{{ mastodon_admin_password }}"
-        bucket: mastodon
       apache:
         service:
           type: ClusterIP 

tasks/matrix-auth-service.yaml

@@ -0,0 +1,141 @@
+---
+# tasks file for synapse
+- name: Add Small Hack repo
+  kubernetes.core.helm_repository:
+    name: small-hack-matrix-auth-service
+    repo_url: https://small-hack.github.io/matrix-authentication-service-chart
+  register: repo
+
+- name: Update Helm repos
+  command: helm repo update
+  when: repo.changed
+
+- name: Deploy Matrix Auth Service
+  kubernetes.core.helm:
+    name: matrix-auth-service
+    chart_ref: small-hack-matrix-auth-service/matrix-authentication-service
+    release_namespace: matrix-auth-service
+    create_namespace: true
+    values:
+      fullnameOverride: mas
+      image:
+        pullPolicy: IfNotPresent
+        tag: latest
+      http:
+        public_base: https://matrix-auth-service.eom.dev/
+      ingress:
+        className: nginx
+        annotations:
+          cert-manager.io/cluster-issuer: ca-issuer
+        hosts:
+          - host: matrix-auth-service.eom.dev
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - secretName: mas-tls
+            hosts:
+              - matrix-auth-service.eom.dev
+      postgresql:
+        enabled: true
+        global:
+          auth:
+            password: "{{ matrix_auth_service_admin_password }}"
+      mas:
+        http:
+          public_base: https://matrix-auth-service.eom.dev/
+        policy:
+          client_registration:
+            allow_host_mismatch: false
+            allow_insecure_uris: false
+        clients:
+          - client_id: 0000000000000000000SYNAPSE
+            client_auth_method: client_secret_basic
+            client_secret: 5ZrwKXmKdiQfus2J
+        matrix:
+          homeserver: synapse.eom.dev
+          endpoint: https://synapse.eom.dev
+          secret: SacP5rWpci6GMqb2
+        email:
+          from: Matrix Auth Service <matrix-auth-service@eom.dev>
+          reply_to: Matrix Auth Service <matrix-auth-service@eom.dev>
+          transport: smtp
+          mode: tls
+          hostname: postfix.eom.dev
+          port: 587
+          username: matrix-auth-service
+          password: "{{ matrix_auth_service_admin_password }}"
+        upstream_oauth2:
+          providers:
+            - id: 01JG22H4F0G8PYCZ5HVTQVHBC4
+              issuer: https://google.com/
+              human_name: Google
+              brand_name: google
+              pkce_method: auto
+              client_id: "{{ matrix_google_oidc_client_id }}"
+              client_secret: "{{ matrix_google_oidc_client_secret }}"
+              token_endpoint_auth_method: client_secret_basic
+              scope: "openid email profile"
+              discovery_mode: oidc
+              claims_imports:
+                subject:
+                  template: "{{ '{{ user.sub }}' | quote }}"
+
+                # -- The localpart is the local part of the user's Matrix ID.
+                # For example, on the `example.com` server, if the localpart is `alice`,
+                #  the user's Matrix ID will be `@alice:example.com`.
+                localpart:
+                  action: require
+                  template: "{{ '{{ user.preferred_username }}' | quote }}"
+
+                # -- The display name is the user's display name.
+                displayname:
+                  action: suggest
+                  template: "{{ '{{ user.name }}' | quote }}"
+
+                # -- An email address to import.
+                email:
+                  action: suggest
+                  template: "{{ '{{ user.email }}' | quote }}"
+                  # -- Whether the email address must be marked as verified.
+                  # Possible values are:
+                  #  - `import`: mark the email address as verified if the upstream provider
+                  #     has marked it as verified, using the `email_verified` claim.
+                  #     This is the default.
+                  #   - `always`: mark the email address as verified
+                  #   - `never`: mark the email address as not verified
+                  set_email_verification: import
+#            - id: 01JG2B7DBS6RQRH1TFVZ4BP7H8
+#              issuer: https://github.com/
+#              client_id: "{{ matrix_github_oidc_client_id }}"
+#              client_secret: "{{ matrix_github_oidc_client_secret }}"
+#              token_endpoint_auth_method: client_secret_basic
+#              discovery_mode: oidc
+#              claims_imports:
+#                subject:
+#                  template: "{{ '{{ user.sub }}' | quote }}"
+#
+#                # -- The localpart is the local part of the user's Matrix ID.
+#                # For example, on the `example.com` server, if the localpart is `alice`,
+#                #  the user's Matrix ID will be `@alice:example.com`.
+#                localpart:
+#                  action: require
+#                  template: "{{ '{{ user.preferred_username }}' | quote }}"
+#
+#                # -- The display name is the user's display name.
+#                displayname:
+#                  action: suggest
+#                  template: "{{ '{{ user.name }}' | quote }}"
+#
+#                # -- An email address to import.
+#                email:
+#                  action: suggest
+#                  template: "{{ '{{ user.email }}' | quote }}"
+#                  # -- Whether the email address must be marked as verified.
+#                  # Possible values are:
+#                  #  - `import`: mark the email address as verified if the upstream provider
+#                  #     has marked it as verified, using the `email_verified` claim.
+#                  #     This is the default.
+#                  #   - `always`: mark the email address as verified
+#                  #   - `never`: mark the email address as not verified
+#                  set_email_verification: import

tasks/matrix.yaml

@@ -0,0 +1,377 @@
+---
+# tasks file for synapse
+- name: Add Small Hack repo
+  kubernetes.core.helm_repository:
+    name: small-hack-matrix
+    repo_url: https://small-hack.github.io/matrix-chart
+  register: repo
+
+- name: Update Helm repos
+  command: helm repo update
+  when: repo.changed
+
+- name: Deploy Matrix
+  kubernetes.core.helm:
+    name: matrix
+    chart_ref: small-hack-matrix/matrix
+    release_namespace: matrix
+    create_namespace: true
+    values:
+      matrix:
+        serverName: eom.dev
+        hostname: synapse.eom.dev
+        adminEmail: synapse@eom.dev
+        encryptByDefault: all
+        federation:
+          enabled: true
+          ingress:
+            enabled: true
+            host: eom.dev
+            className: nginx
+            annotations: 
+              nginx.ingress.kubernetes.io/configuration-snippet: |
+                proxy_intercept_errors off;
+              cert-manager.io/cluster-issuer: ca-issuer
+            tls:
+              enabled: true
+            host: eom.dev
+        oidc:
+          enabled: true
+          providers:
+            - idp_id: github
+              idp_name: Github
+              idp_brand: "github"  # optional: styling hint for clients
+              discover: false
+              issuer: "https://github.com/"
+              client_id: "{{ matrix_github_oidc_client_id }}" # TO BE FILLED
+              client_secret: "{{ matrix_github_oidc_client_secret }}" # TO BE FILLED
+              authorization_endpoint: "https://github.com/login/oauth/authorize"
+              token_endpoint: "https://github.com/login/oauth/access_token"
+              userinfo_endpoint: "https://api.github.com/user"
+              scopes: ["read:user"]
+              allow_existing_users: true
+              enable_registration: false
+              user_mapping_provider:
+                config:
+                  subject_claim: "id"
+                  localpart_template: "{{ '{{ user.login }}' | quote }}"
+                  display_name_template: "{{ '{{ user.name }}' | quote }}"
+            - idp_id: google
+              idp_name: Google
+              idp_brand: "google"
+              issuer: "https://accounts.google.com/"
+              client_id: "{{ matrix_google_oidc_client_id }}" # TO BE FILLED
+              client_secret: "{{ matrix_google_oidc_client_secret }}" # TO BE FILLED
+              scopes: ["openid", "profile", "email"] # email is optional, read below
+              allow_existing_users: true
+              enable_registration: false
+              user_mapping_provider:
+                config:
+                  localpart_template: "{{ '{{ user.given_name|lower }}' | quote }}"
+                  display_name_template: "{{ '{{ user.name }}' | quote }}"
+                  email_template: "{{ '{{ user.email }}' | quote }}" # needs "email" in scopes above
+        allow_public_rooms_over_federation: true
+        allow_public_rooms_without_auth: true
+        ip_range_blacklist:
+          - 127.0.0.0/8
+        registration:
+          enabled: false
+          allowGuests: false
+          autoJoinRooms:
+            - #main:eom.dev
+            - #announcements:eom.dev
+            - #general:eom.dev
+            - #help:eom.dev
+        serve_server_wellknown: true
+        homeserverExtra:
+          modules:
+           - module: "ldap_auth_provider.LdapAuthProviderModule"
+             config:
+               enabled: true
+               uri: "ldap://openldap.openldap.svc.cluster.local:389"
+               mode: search
+               start_tls: false
+               base: "dc=eom,dc=dev"
+               attributes:
+                  uid: "uid"
+                  mail: "mail"
+                  name: "givenName"
+               bind_dn: cn=readonly,dc=eom,dc=dev
+               bind_password: "{{ openldap_readonly_password }}"
+               filter: "(&(objectClass=posixAccount)(memberOf=cn=Synapse Users,ou=Synapse,ou=Services,dc=eom,dc=dev))"
+#        experimental_features:
+#          msc3861:
+#            enabled: true
+#            # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
+#            issuer: https://matrix-auth-service.eom.dev/
+#            client_id: 0000000000000000000SYNAPSE
+#            client_auth_method: client_secret_basic
+#            client_secret: 5ZrwKXmKdiQfus2J
+#            admin_token: SacP5rWpci6GMqb2
+#            account_management_url: "https://matrix-auth-service.eom.dev/account"
+      volumes:
+        media:
+          capacity: 2Ti
+      postgresql:
+        enabled: true
+        persistence:
+          enabled: true
+        global:
+          postgresql:
+            auth:
+              username: synapse
+              password: "{{ synapse_admin_password }}"
+        primary:
+          persistence:
+            size: 2Ti
+      synapse:
+        ingress:
+          className: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: ca-issuer
+            nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off;
+          hosts:
+            - host: synapse.eom.dev
+              paths:
+#                - path: "/_matrix/client/(r0|v3)/(refresh|login|logout).*"
+#                  pathType: ImplementationSpecific
+#                  backend:
+#                    service:
+#                      name: mas
+#                      port:
+#                        name: http
+                - path: /
+                  pathType: Prefix
+          tls:
+            - secretName: synapse-tls
+              hosts:
+                - synapse.eom.dev
+      element:
+        enabled: true
+        permalinkPrefix: "https://element.eom.dev"
+        ingress:
+          host: element.eom.dev
+          annotations:
+            cert-manager.io/cluster-issuer: ca-issuer
+      coturn:
+        enabled: false
+        external: true
+        uris:
+          - turns:coturn.eom.dev?transport=udp
+          - turns:coturn.eom.dev?transport=tcp
+        allowGuests: false
+        sharedSecret: "{{ coturn_shared_secret }}"
+        service:
+          type: LoadBalancer
+          externalTrafficPolicy: Local
+        certificate:
+          enabled: true
+          host: coturn.eom.dev
+          issuerName: ca-issuer
+        image:
+          tag: latest
+          pullPolicy: Always
+        externalDatabase:
+          enabled: true
+        postgresql:
+          enabled: true
+          global:
+            postgresql:
+              auth:
+                password: "{{ coturn_admin_password }}"
+          primary:
+            initdb:
+              scripts:
+                schema.sql: |
+                  CREATE TABLE turnusers_lt (
+                      realm varchar(127) default '',
+                      name varchar(512),
+                      hmackey char(128),
+                      PRIMARY KEY (realm,name)
+                  );
+
+                  CREATE TABLE turn_secret (
+                      realm varchar(127) default '',
+                      value varchar(256),
+                      primary key (realm,value)
+                  );
+
+                  CREATE TABLE allowed_peer_ip (
+                      realm varchar(127) default '',
+                      ip_range varchar(256),
+                      primary key (realm,ip_range)
+                  );
+
+                  CREATE TABLE denied_peer_ip (
+                      realm varchar(127) default '',
+                      ip_range varchar(256),
+                      primary key (realm,ip_range)
+                  );
+
+                  CREATE TABLE turn_origin_to_realm (
+                      origin varchar(127),
+                      realm varchar(127),
+                      primary key (origin)
+                  );
+
+                  CREATE TABLE turn_realm_option (
+                      realm varchar(127) default '',
+                      opt varchar(32),
+                      value varchar(128),
+                      primary key (realm,opt)
+                  );
+
+                  CREATE TABLE oauth_key (
+                      kid varchar(128),
+                      ikm_key varchar(256),
+                      timestamp bigint default 0,
+                      lifetime integer default 0,
+                      as_rs_alg varchar(64) default '',
+                      realm varchar(127),
+                      primary key (kid)
+                  );
+
+                  CREATE TABLE admin_user (
+                      name varchar(32),
+                      realm varchar(127),
+                      password varchar(127),
+                      primary key (name)
+                  );
+            persistence:
+              size: 256Gi
+        coturn:
+          realm: coturn.eom.dev
+          auth:
+            username: coturn
+            password: "{{ coturn_admin_password }}"
+      mail:
+        enabled: true
+        from: Synapse <synapse@eom.dev>
+        elementUrl: https://element.eom.dev
+        relay:
+          enabled: false
+        external:
+          hostname: postfix.eom.dev
+          port: "587"
+          username: synapse
+          password: "{{ synapse_admin_password }}"
+      mas:
+        enabled: false
+        fullnameOverride: mas
+        image:
+          pullPolicy: IfNotPresent
+          tag: latest
+        http:
+          public_base: https://matrix-auth-service.eom.dev/
+        ingress:
+          className: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: ca-issuer
+          hosts:
+            - host: matrix-auth-service.eom.dev
+              paths:
+                - path: /
+                  pathType: Prefix
+          tls:
+            - secretName: mas-tls
+              hosts:
+                - matrix-auth-service.eom.dev
+        postgresql:
+          enabled: true
+          global:
+            auth:
+              password: "{{ matrix_auth_service_admin_password }}"
+        mas:
+          http:
+            public_base: https://matrix-auth-service.eom.dev/
+          policy:
+            client_registration:
+              allow_host_mismatch: false
+              allow_insecure_uris: false
+          clients:
+            - client_id: 0000000000000000000SYNAPSE
+              client_auth_method: client_secret_basic
+              client_secret: 5ZrwKXmKdiQfus2J
+          matrix:
+            homeserver: synapse.eom.dev
+            endpoint: https://synapse.eom.dev
+            secret: SacP5rWpci6GMqb2
+          email:
+            from: Matrix Auth Service <matrix-auth-service@eom.dev>
+            reply_to: Matrix Auth Service <matrix-auth-service@eom.dev>
+            transport: smtp
+            mode: tls
+            hostname: postfix.eom.dev
+            port: 587
+            username: matrix-auth-service
+            password: "{{ matrix_auth_service_admin_password }}"
+          upstream_oauth2:
+            providers:
+              - id: 01JG22H4F0G8PYCZ5HVTQVHBC4
+                issuer: https://google.com/
+                client_id: "{{ matrix_google_oidc_client_id }}"
+                client_secret: "{{ matrix_google_oidc_client_secret }}"
+                token_endpoint_auth_method: client_secret_basic
+                discovery_mode: oidc
+                claims_imports:
+                  subject:
+                    template: "{{ '{{ user.sub }}' | quote }}"
+
+                  # -- The localpart is the local part of the user's Matrix ID.
+                  # For example, on the `example.com` server, if the localpart is `alice`,
+                  #  the user's Matrix ID will be `@alice:example.com`.
+                  localpart:
+                    action: require
+                    template: "{{ '{{ user.preferred_username }}' | quote }}"
+
+                  # -- The display name is the user's display name.
+                  displayname:
+                    action: suggest
+                    template: "{{ '{{ user.name }}' | quote }}"
+
+                  # -- An email address to import.
+                  email:
+                    action: suggest
+                    template: "{{ '{{ user.email }}' | quote }}"
+                    # -- Whether the email address must be marked as verified.
+                    # Possible values are:
+                    #  - `import`: mark the email address as verified if the upstream provider
+                    #     has marked it as verified, using the `email_verified` claim.
+                    #     This is the default.
+                    #   - `always`: mark the email address as verified
+                    #   - `never`: mark the email address as not verified
+                    set_email_verification: import
+              - id: 01JG2B7DBS6RQRH1TFVZ4BP7H8
+                issuer: https://github.com/
+                client_id: "{{ matrix_github_oidc_client_id }}"
+                client_secret: "{{ matrix_github_oidc_client_secret }}"
+                token_endpoint_auth_method: client_secret_basic
+                discovery_mode: oidc
+                claims_imports:
+                  subject:
+                    template: "{{ '{{ user.sub }}' | quote }}"
+
+                  # -- The localpart is the local part of the user's Matrix ID.
+                  # For example, on the `example.com` server, if the localpart is `alice`,
+                  #  the user's Matrix ID will be `@alice:example.com`.
+                  localpart:
+                    action: require
+                    template: "{{ '{{ user.preferred_username }}' | quote }}"
+
+                  # -- The display name is the user's display name.
+                  displayname:
+                    action: suggest
+                    template: "{{ '{{ user.name }}' | quote }}"
+
+                  # -- An email address to import.
+                  email:
+                    action: suggest
+                    template: "{{ '{{ user.email }}' | quote }}"
+                    # -- Whether the email address must be marked as verified.
+                    # Possible values are:
+                    #  - `import`: mark the email address as verified if the upstream provider
+                    #     has marked it as verified, using the `email_verified` claim.
+                    #     This is the default.
+                    #   - `always`: mark the email address as verified
+                    #   - `never`: mark the email address as not verified
+                    set_email_verification: import

tasks/matterbridge.yaml

@@ -0,0 +1,70 @@
+---
+# Tasks file for Matterbridge
+- name: Create Matterbridge namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: matterbridge
+
+- name: Create ConfigMap for Matterbridge
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: matterbridge
+        namespace: matterbridge
+      data:
+        matterbridge.toml: "{{ lookup('file', 'matterbridge.toml') }}"
+
+- name: Create Deployment for Matterbridge
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: matterbridge
+        namespace: matterbridge
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: matterbridge
+        template:
+          metadata:
+            labels:
+              app: matterbridge
+          spec:
+            containers:
+              - name: matterbridge
+                image: 42wim/matterbridge
+                volumeMounts:
+                  - name: config
+                    mountPath: /etc/matterbridge
+                ports:
+                  - containerPort: 4242
+            volumes:
+              - name: config
+                configMap:
+                  name: matterbridge
+                  subPath: matterbridge.toml
+
+- name: Create Service for Matterbridge
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: matterbridge
+        namespace: matterbridge
+      spec:
+        selector:
+          app: matterbridge
+        ports:
+          - port: 80
+            targetPort: 4242
+            name: http
+        type: ClusterIP

tasks/mediawiki.yaml

@@ -45,7 +45,10 @@
             containers:
               - name: mediawiki
                 image: ericomeehan/mediawiki-extended
-                imagePullPolicy: Always
+                imagePullPolicy: IfNotPresent
+                resources:
+                  requests:
+                    memory: 2Gi
                 env:
                   - name: WIKI_NAME
                     value: MediaWiki
@@ -88,11 +91,11 @@
                   - name: LDAP_BIND_PASS
                     value: "{{ openldap_readonly_password }}"
                   - name: LDAP_BUREAUCRAT_GROUP
-                    value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev
+                    value: cn=Mediawiki Bureaucrats,ou=MediaWiki,ou=Services,dc=eom,dc=dev
                   - name: LDAP_INTERFACE_ADMIN_GROUP
-                    value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev
+                    value: cn=Mediawiki Interface Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev
                   - name: LDAP_SYSOP_GROUP
-                    value: cn=Mediawiki Administrators,ou=MediaWiki,ou=Services,dc=eom,dc=dev
+                    value: cn=Mediawiki Sysops,ou=MediaWiki,ou=Services,dc=eom,dc=dev
                   - name: LDAP_SEARCH_FILTER
                     value: (&(objectClass=posixAccount)(uid=%1$s)(memberOf=cn=Mediawiki Users,ou=MediaWiki,ou=Services,dc=eom,dc=dev))
                 ports:

tasks/minio.yaml

@@ -7,13 +7,17 @@
     release_namespace: minio
     create_namespace: true
     values:
+      image:
+        repository: bitnamilegacy/minio
       metrics:
         enabled: true
-      disableWebUI: true
+      console:
+        enabled: false
       auth:
         rootUser: minio_admin
         rootPassword: "{{ minio_admin_password }}"
       defaultBuckets: default
+      defaultInitContainers:
         volumePermissions:
           enabled: true
       mode: standalone
@@ -46,13 +50,10 @@
           value: OpenLDAP
         - name: MINIO_IDENTITY_LDAP_SERVER_INSECURE
           value: "on"
-      apiIngress:
+      ingress:
         enabled: true
         hostname: minio.eom.dev
         ingressClassName: nginx
         annotations:
           cert-manager.io/cluster-issuer: ca-issuer
-        tls:
+        tls: true
-          - hosts:
-            - minio.eom.dev
-            secretName: minio-tls

tasks/misskey.yaml

@@ -0,0 +1,16 @@
+---
+# tasks file for misskey
+- name: Deploy Misskey
+  kubernetes.core.helm:
+    name: misskey
+    chart_ref: oci://tccr.io/truecharts/misskey
+    release_namespace: misskey
+    create_namespace: true
+    values:
+      service:
+        main:
+          ports:
+            main:
+              port: 3003
+      misskey:
+        url: "https://misskey.eom.dev/"

tasks/nextcloud.yaml

@@ -17,6 +17,12 @@
     release_namespace: nextcloud
     create_namespace: true
     values:
+      image:
+        pullPolicy: IfNotPresent
+      livenessProbe:
+        initialDelaySeconds: 300
+      readinessProbe:
+        initialDelaySeconds: 300
       nextcloud:
         host: nextcloud.eom.dev
         username: nextcloud_admin
@@ -25,6 +31,7 @@
           proxy.config.php: |-
             <?php
             $CONFIG = array (
+              'overwriteprotocol' => 'https',
               'trusted_proxies' => array(
                 0 => '127.0.0.1',
                 1 => '10.0.0.0/8',
@@ -42,6 +49,57 @@
           authtype: LOGIN
           name: nextcloud
           password: "{{ nextcloud_admin_password }}"
+      persistence:
+        enabled: true
+        size: 8Ti
+      metrics:
+        enabled: true
+      cronjob:
+        enabled: true
+      redis:
+        #global:
+            #defaultStorageClass: r720-nfs-client
+        enabled: true
+        auth:
+          password: "{{ redis_auth_password }}"
+      ingress:
+        enabled: true
+        className: nginx
+        annotations:
+          #nginx.ingress.kubernetes.io/enable-cors: "true"
+          #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
+          nginx.ingress.kubernetes.io/proxy-body-size: 4G
+          kubernetes.io/tls-acme: "true"
+          cert-manager.io/cluster-issuer: ca-issuer
+          # Keep this in sync with the README.md:
+          nginx.ingress.kubernetes.io/server-snippet: |-
+            server_tokens off;
+            proxy_hide_header X-Powered-By;
+            rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
+            rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
+            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+            location = /.well-known/carddav {
+              return 301 $scheme://$host/remote.php/dav;
+            }
+            location = /.well-known/caldav {
+              return 301 $scheme://$host/remote.php/dav;
+            }
+            location = /robots.txt {
+              allow all;
+              log_not_found off;
+              access_log off;
+            }
+            location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+              deny all;
+            }
+            location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
+              deny all;
+            }
+        tls:
+          - hosts:
+            - nextcloud.eom.dev
+            secretName: nextcloud-tls
       internalDatabase:
         enabled: false
       externalDatabase:
@@ -51,26 +109,10 @@
         user: nextcloud
         password: "{{ nextcloud_admin_password }}"
         database: nextcloud
-      persistence:
-        enabled: true
-        size: 4Ti
-      metrics:
-        enabled: true
-      cronjob:
-        enabled: true
-      ingress:
-        enabled: true
-        className: nginx
-        annotations:
-          nginx.ingress.kubernetes.io/enable-cors: "true"
-          nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
-          cert-manager.io/cluster-issuer: ca-issuer
-        tls:
-          - hosts:
-            - nextcloud.eom.dev
-            secretName: nextcloud-tls
       postgresql:
         enabled: true
+        image:
+          tag: 16.6.0-debian-12-r2
         global:
           postgresql:
             auth:

tasks/obs-web.yaml

@@ -0,0 +1,51 @@
+---
+# tasks file for obs-web
+- name: Create namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: obs-web
+
+- name: Create a Deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: obs-web
+        namespace: obs-web
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: obs-web
+        template:
+          metadata:
+            labels:
+              app: obs-web
+          spec:
+            containers:
+              - name: obs-web
+                image: ghcr.io/niek/obs-web
+                ports:
+                  - containerPort: 5000
+
+- name: Expose OBS-Web Deployment as a Service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: obs-web
+        namespace: obs-web
+      spec:
+        selector:
+          app: obs-web
+        ports:
+          - port: 80
+            targetPort: 5000
+            name: http
+        type: LoadBalancer

tasks/openldap.yaml

@@ -41,6 +41,36 @@
           requests:
             storage: 32Gi
 
+- name: Request a certificate for OpenLDAP
+  k8s:
+    state: present
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: openldap
+        namespace: openldap
+      spec:
+        secretName: openldap
+        privateKey:
+          algorithm: RSA
+          encoding: PKCS1
+          size: 2048
+        duration: 2160h # 90d
+        renewBefore: 360h # 15d
+        isCA: false
+        usages:
+          - server auth
+          - client auth
+        subject:
+          organizations:
+            - EOM
+        dnsNames:
+          - openldap.eom.dev
+        issuerRef:
+          name: ca-issuer
+          kind: ClusterIssuer
+
 - name: Create Deployment for OpenLDAP
   k8s:
     definition:
@@ -73,6 +103,12 @@
                     value: "true"
                   - name: LDAP_READONLY_USER_PASSWORD
                     value: "{{ openldap_readonly_password }}"
+                  - name: LDAP_TLS_VERIFY_CLIENT
+                    value: never
+                  - name: LDAP_TLS_CRT_FILENAME
+                    value: tls.crt
+                  - name: LDAP_TLS_KEY_FILENAME
+                    value: tls.key
                 volumeMounts:
                   - name: config
                     mountPath: /etc/ldap/slapd.d

tasks/owncast.yaml

@@ -48,7 +48,10 @@
           spec:
             containers:
               - name: owncast
-                image: owncast/owncast
+                image: owncast/owncast:0.2.0
+                resources:
+                  requests:
+                    cpu: 1.5
                 volumeMounts:
                   - name: data
                     mountPath: /app/data
@@ -78,6 +81,7 @@
             name: rtmp
           - port: 8080
             name: http
+        externalTrafficPolicy: Local
         type: LoadBalancer
 
 - name: Create Ingress

tasks/pleroma.yaml

@@ -0,0 +1,223 @@
+---
+# tasks file for pleroma
+- name: Create NextCloud namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: pleroma
+
+- name: Create PVC for PostgreSQL
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: postgresql
+        namespace: pleroma
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 2Ti
+
+- name: Create Deployment for PostgreSQL
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: postgresql
+        namespace: pleroma
+        labels:
+          app: postgresql
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: postgresql
+        template:
+          metadata:
+            labels:
+              app: postgresql
+          spec:
+            containers:
+              - name: postgresql
+                image: postgresql
+                volumeMounts:
+                  - name: data
+                    mountPath: /var/lib/postgresql/data
+                ports:
+                  - containerPort: 5432
+                env:
+                  - name: MYSQL_ROOT_PASSWORD
+                    value: "{{ mysql_root_password }}"
+                  - name: MYSQL_DATABASE
+                    value: nextcloud
+                  - name: MYSQL_USER
+                    value: nextcloud
+                  - name: MYSQL_PASSWORD
+                    value: "{{ nextcloud_mysql_password }}"
+            volumes:
+              - name: data
+                persistentVolumeClaim:
+                  claimName: postgresql
+
+- name: Create Service for PostgreSQL
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: postgresql
+        namespace: cloud
+      spec:
+        selector:
+          app: postgresql
+        ports:
+          - port: 3306
+            name: mysql
+        type: ClusterIP
+
+- name: Create PVC for Pleroma
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: pleroma
+        namespace: pleroma
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 128Gi
+
+- name: Create Deployment for Pleroma
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: pleroma
+        namespace: pleroma
+        labels:
+          app: pleroma
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: pleroma
+        template:
+          metadata:
+            labels:
+              app: pleroma
+          spec:
+            containers:
+              - name: pleroma
+                image: pleroma
+                volumeMounts:
+                  - name: data
+                    mountPath: /data/uploads
+                ports:
+                  - containerPort: 4000
+                env:
+                  - name: POSTGRES_PASSWORD
+                    value: "{{ pleroma_admin_password }}"
+                  - name: POSTGRES_USER
+                    value: pleroma
+                  - name: POSTGRES_DB
+                    value: pleroma
+                  - name: ADMIN_EMAIL
+                    value: pleroma@eom.dev
+                  - name: ADMIN_PASSWORD
+                    value: "{{ pleroma_admin_password }}"
+                  - name: DB_HOST
+                    value: postgresql
+                  - name: DB_PORT
+                    value: 5432
+                  - name: DB_USER
+                    value: pleroma
+                  - name: DB_PASS
+                    value: "{{ pleroma_admin_password }}"
+                  - name: DB_NAME
+                    value: pleroma
+                  - name: INSTANCE_NAME
+                    value: Pleroma
+                  - name: DOMAIN
+                    value: pleroma.eom.dev
+                  - name: LDAP_ENABLED
+                    value: true
+                  - name: LDAP_HOST
+                    value: openldap.openldap.svc.cluster.local
+                  - name: LDAP_PORT
+                    value: 389
+                  - name: LDAP_SSL
+                    value: false
+                  - name: LDAP_TLS
+                    value: false
+                  - name: LDAP_BASE
+                    value: dc=eom,dc=dev
+                  - name: LDAP_UID
+                    value: uid
+                  - name: LDAP_MAIL
+                    value: mail
+            volumes:
+              - name: data
+                persistentVolumeClaim:
+                  claimName: pleroma
+
+- name: Create Service for Pleroma
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: pleroma
+        namespace: pleroma
+      spec:
+        selector:
+          app: pleroma
+        ports:
+          - port: 80
+            name: http
+        type: ClusterIP
+
+- name: Create Ingress
+  k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        annotations:
+          cert-manager.io/cluster-issuer: ca-issuer
+        name: pleroma
+        namespace: pleroma
+      spec:
+        ingressClassName: nginx
+        rules:
+          - host: pleroma.eom.dev
+            http:
+              paths:
+                - pathType: Prefix
+                  path: /
+                  backend:
+                    service:
+                      name: pleroma
+                      port:
+                        number: 4000
+        tls:
+          - hosts:
+            - pleroma.eom.dev
+            secretName: pleroma

tasks/prometheus.yaml

@@ -13,6 +13,10 @@
         extraScrapeConfigs:
           - job_name: apps
             static_configs:
+              - targets:
+                - discourse.eom.dev
+                labels:
+                  instance: discourse
               - targets:
                 - gitea.eom.dev
                 labels:
@@ -21,19 +25,31 @@
                 - grafana.eom.dev
                 labels:
                   instance: grafana
+            metrics_path: /metrics
+
+          - job_name: owncast
+            scrape_interval: 1m
+            metrics_path: /api/admin/prometheus
+            scheme: https
+            basic_auth:
+              username: admin
+              password: "{{ owncast_admin_password }}"
+            static_config:
               - targets:
-                - jupyterhub.eom.dev
+                - owncast.eom.dev
-                labels:
+
-                  instance: jupyterhub
+          - job_name: local
+            static_configs:
               - targets:
-                - mastodon.eom.dev
+                - nextcloud-metrics.nextcloud.svc.cluster.local:9205
-                labels:
-                  instance: mastodon
-              - targets:
-                - nextcloud-metrics.nextcloud.svc.cluster.local
                 labels:
                   instance: nextcloud
-            metrics_path: /metrics
+              - targets:
+                - matrix-synapse.matrix.svc.cluster.local:9092
+                labels:
+                  instance: matrix
+            metrics_path: /
+
           - job_name: libvirt_exporter
             static_configs:
               - targets:
@@ -41,6 +57,7 @@
                 labels:
                   instance: poweredge-t640
             metrics_path: /metrics
+
           - job_name: node_exporter
             static_configs:
               - targets:
@@ -60,7 +77,7 @@
                 labels:
                   instance: alpha-worker-0
               - targets:
-                - 192.168.1.71:9100
+                - 192.168.1.70:9100
                 labels:
                   instance: alpha-worker-1
               - targets:
@@ -72,7 +89,7 @@
                 labels:
                   instance: alpha-worker-3
               - targets:
-                - 192.168.1.60:9100
+                - 192.168.1.61:9100
                 labels:
                   instance: alpha-worker-4
               - targets:
@@ -100,11 +117,31 @@
                 labels:
                   instance: alpha-worker-10
               - targets:
-                - 192.168.1.68:9100
+                - 192.168.1.65:9100
                 labels:
                   instance: alpha-worker-11
               - targets:
                 - 192.168.1.72:9100
                 labels:
                   instance: alpha-worker-12
+              - targets:
+                - 192.168.1.95:9100
+                labels:
+                  instance: alpha-worker-13
+              - targets:
+                - 192.168.1.70:9100
+                labels:
+                  instance: alpha-worker-14
+              - targets:
+                - 192.168.1.46:9100
+                labels:
+                  instance: alpha-worker-15
+              - targets:
+                - 192.168.1.74:9100
+                labels:
+                  instance: alpha-worker-16
+              - targets:
+                - 192.168.1.88:9100
+                labels:
+                  instance: alpha-worker-17
             metrics_path: /metrics

tasks/tes3mp.yaml

@@ -0,0 +1,81 @@
+---
+# tasks file for mail
+- name: Create tes3mp namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: tes3mp
+
+- name: Create a persistent volume claim
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: config
+        namespace: tes3mp
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 16Gi
+
+- name: Create a deployment
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: tes3mp
+        namespace: tes3mp
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: tes3mp
+        template:
+          metadata:
+            labels:
+              app: tes3mp
+          spec:
+            containers:
+              - name: tes3mp
+                image: tes3mp/server
+                volumeMounts:
+                  - name: data
+                    mountPath: /server/data
+                ports:
+                  - containerPort: 25565
+                env:
+                  - name: TES3MP_SERVER_GENERAL_HOSTNAME
+                    value: tes3.eom.dev
+                  - name: TES3MP_SERVER_GENERAL_PASSWORD
+                    value: "{{ tes3mp_password }}"
+            volumes:
+              - name: data
+                persistentVolumeClaim:
+                  claimName: data
+
+- name: Expose deployment as a service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: tes3mp
+        namespace: tes3mp
+      spec:
+        selector:
+          app: tes3mp
+        ports:
+          - port: 25566
+            targetPort: 25565
+            name: tes3mp
+            protocol: UDP
+        type: LoadBalancer
+        externalTrafficPolicy: Local

tasks/webhookd.yaml

@@ -0,0 +1,68 @@
+---
+# tasks file for webhookd
+- name: Create ConfigMap for Webhookd scripts
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: scripts
+        namespace: webhookd
+      data:
+        nextcloud-talk-gitea-webhook.sh: "{{ lookup('file', 'nextcloud-talk-gitea-webhook.sh') }}"
+        nextcloud-talk-grafana-webhook.sh: "{{ lookup('file', 'nextcloud-talk-grafana-webhook.sh') }}"
+        nextcloud-talk-minecraft-webhook.sh: "{{ lookup('file', 'nextcloud-talk-minecraft-webhook.sh') }}"
+
+- name: Create a Deployment for Webhookd
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: webhookd
+        namespace: webhookd
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: webhookd
+        template:
+          metadata:
+            labels:
+              app: webhookd
+          spec:
+            containers:
+              - name: webhookd
+                image: ncarlier/webhookd
+                volumeMounts:
+                  - name: scripts
+                    mountPath: /scripts
+                ports:
+                  - containerPort: 8080
+                env:
+                  - name: GITEA_ADMIN_PASSWORD
+                    value: "{{ gitea_admin_password }}"
+                  - name: GRAFANA_ADMIN_PASSWORD
+                    value: "{{ grafana_admin_password }}"
+            volumes:
+              - name: scripts
+                configMap:
+                  name: scripts
+                  defaultMode: 0777
+
+- name: Expose Webhookd Deployment as a Service
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: webhookd
+        namespace: webhookd
+      spec:
+        selector:
+          app: webhookd
+        ports:
+          - port: 80
+            targetPort: 8080
+            name: http
+        type: ClusterIP

tasks/wordpress.yaml

@@ -1,202 +1,40 @@
 ---
 # tasks file for wordpress
-- name: Create WordPress namespace
+- name: Deploy Wordpress
-  k8s:
+  kubernetes.core.helm:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Namespace
-      metadata:
     name: wordpress
-
+    chart_ref: bitnami/wordpress
-- name: Create PVC for MySQL
+    release_namespace: wordpress
-  k8s:
+    create_namespace: true
-    state: present
+    values:
-    definition:
+      wordpressUsername: wordpress_admin
-      apiVersion: v1
+      wordpressPassword: "{{ wordpress_admin_password }}"
-      kind: PersistentVolumeClaim
+      wordpressEmail: wordpress@eom.dev
-      metadata:
+      wordpressFirstName: Administrator
-        name: mysql
+      wordpressLastName: Wordpress
-        namespace: wordpress
+      wordpressBlogName: Wordpress
-      spec:
+      wordpressScheme: https
-        accessModes:
+      smtpHost: postfix.eom.dev
-          - ReadWriteOnce
+      smtpPort: 587
-        resources:
+      smtpUser: wordpress
-          requests:
+      smtpPassword: "{{ wordpress_admin_password }}"
-            storage: 64Gi
+      smtpFromName: Wordpress
-
+      service:
-- name: Create Deployment for MySQL
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Deployment
-      metadata:
-        name: mysql
-        namespace: wordpress
-        labels:
-          app: mysql
-      spec:
-        replicas: 1
-        selector:
-          matchLabels:
-            app: mysql
-        template:
-          metadata:
-            labels:
-              app: mysql
-          spec:
-            containers:
-              - name: mysql
-                image: mysql
-                volumeMounts:
-                  - name: data
-                    mountPath: /var/lib/mysql
-                ports:
-                  - containerPort: 3306
-                env:
-                  - name: MYSQL_ROOT_PASSWORD
-                    value: "{{ mysql_root_password }}"
-                  - name: MYSQL_DATABASE
-                    value: wordpress
-                  - name: MYSQL_USER
-                    value: wordpress
-                  - name: MYSQL_PASSWORD
-                    value: "{{ wordpress_mysql_password }}"
-            volumes:
-              - name: data
-                persistentVolumeClaim:
-                  claimName: mysql
-
-- name: Create Service for MySQL
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Service
-      metadata:
-        name: mysql
-        namespace: wordpress
-      spec:
-        selector:
-          app: mysql
-        ports:
-          - port: 3306
-            name: mysql
         type: ClusterIP
-
+      ingress:
-- name: Create PVC for WordPress
+        enabled: true
-  k8s:
+        ingressClassName: nginx
-    state: present
+        hostname: wordpress.eom.dev
-    definition:
-      apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
-        name: wordpress
-        namespace: wordpress
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 128Gi
-
-- name: Create Deployment for WordPress
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Deployment
-      metadata:
-        name: wordpress
-        namespace: wordpress
-        labels:
-          app: wordpress
-      spec:
-        replicas: 1
-        selector:
-          matchLabels:
-            app: wordpress
-        template:
-          metadata:
-            labels:
-              app: wordpress
-          spec:
-            containers:
-              - name: wordpress
-                image: wordpress
-                volumeMounts:
-                  - name: data
-                    mountPath: /var/wordpress/html
-                ports:
-                  - containerPort: 3000
-                env:
-                  - name: WORDPRESS_DB_HOST
-                    value: mysql
-                  - name: WORDPRESS_DB_NAME
-                    value: wordpress
-                  - name: WORDPRESS_DB_USER
-                    value: wordpress
-                  - name: WORDPRESS_DB_PASSWORD
-                    value: "{{ wordpress_mysql_password }}"
-            volumes:
-              - name: data
-                persistentVolumeClaim:
-                  claimName: wordpress
-
-- name: Create Service for WordPress
-  k8s:
-    state: present
-    definition:
-      apiVersion: v1
-      kind: Service
-      metadata:
-        name: wordpress
-        namespace: wordpress
-      spec:
-        selector:
-          app: wordpress
-        ports:
-          - port: 80
-            name: http
-        type: ClusterIP
-
-- name: Create Ingress
-  k8s:
-    state: present
-    definition:
-      apiVersion: networking.k8s.io/v1
-      kind: Ingress
-      metadata:
         annotations:
           cert-manager.io/cluster-issuer: ca-issuer
-        name: wordpress
+        tls: true
-        namespace: wordpress
+      persistence:
-      spec:
+        enabled: true
-        ingressClassName: nginx
+        size: 2Ti
-        rules:
+      mariadb:
-          - host: www.eom.dev
+        enabled: true
-            http:
+        auth:
-              paths:
+          password: "{{ wordpress_admin_password }}"
-                - pathType: Prefix
+        primary:
-                  path: /
+          persistence:
-                  backend:
+            size: 2Ti
-                    service:
-                      name: wordpress
-                      port:
-                        number: 80
-          - host: wordpress.eom.dev
-            http:
-              paths:
-                - pathType: Prefix
-                  path: /
-                  backend:
-                    service:
-                      name: wordpress
-                      port:
-                        number: 80
-        tls:
-          - hosts:
-            - www.eom.dev
-            - wordpress.eom.dev
-            secretName: wordpress

templates/ldap.toml.j2

@@ -59,11 +59,11 @@ org_id = 1
 org_role = "Viewer"
 
 [[servers.group_mappings]]
-group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev"
+group_dn = "cn=DevOps Owners,ou=Teams,dc=eom,dc=dev"
 org_id = 2
 org_role = "Admin"
 
 [[servers.group_mappings]]
-group_dn = "cn=Finance Owners,ou=Finance,ou=Organizations,dc=eom,dc=dev"
+group_dn = "cn=Finance Owners,ou=Teams,dc=eom,dc=dev"
 org_id = 3
 org_role = "Admin"