Pinned PostgreSQL to v16.6

2025-08-01 13:24:14 -04:00
12 changed files with 23 additions and 191 deletions
--- a/tasks/coturn.yaml
+++ b/tasks/coturn.yaml
@@ -17,9 +17,6 @@
    release_namespace: coturn
    create_namespace: true
    values:
        global:
          security:
            allowInsecureImages: true
        service:
          type: LoadBalancer
          externalTrafficPolicy: Local
@@ -33,14 +30,8 @@
          pullPolicy: Always
        externalDatabase:
          enabled: true
          username: coturn
          password: "{{ coturn_admin_password }}"
          database: coturn
        postgresql:
          enabled: true
          image:
            repository: bitnamilegacy/postgresql
            tag: 17.6.0-debian-12-r0
          global:
            postgresql:
              auth:
@@ -110,6 +101,3 @@
          auth:
            username: coturn
            password: "{{ coturn_admin_password }}"
          extraTurnserverConfiguration: |
            use-auth-secret
            static-auth-secret={{ coturn_shared_secret }}
--- a/tasks/dex.yaml
+++ b/tasks/dex.yaml
@@ -32,6 +32,10 @@
          volumeName: "data"
          size: 256Gi
 - name: Deploy Dex
  kubernetes.core.helm:
    name: dex
@@ -41,12 +45,6 @@
    values:
      config:
        issuer: https://dex.eom.dev/
        staticClients:
          - id: "{{ matrix_dex_oidc_client_id }}"
            name: Matrix Auth Service
            secret: "{{ matrix_dex_oidc_client_secret }}"
            redirectURIs:
              - "https://mas.eom.dev/upstream/callback/01K96AQEZKKABW34PY3R6BVNJ4"
        storage:
          type: postgres
          config:
@@ -64,10 +62,10 @@
            config:
              host: openldap.openldap.svc.cluster.local
              insecureNoSSL: true
-              bindDN: cn=readonly,dc=eom,dc=dev
+              bindDN: cn=readonly,dc=example,dc=com
              bindPW: "{{ openldap_readonly_password }}"
              userSearch:
-                baseDN: dc=eom,dc=dev
+                baseDN: dc=example,dc=com
                filter: "(&(objectClass=posixAccount)(memberOf=cn=Dex Users,ou=Dex,ou=Services,dc=eom,dc=dev))"
                username: uid
                idAttr: uid
@@ -83,14 +81,12 @@
                nameAttr: cn
      ingress:
        enabled: true
        className: nginx
        annotations:
          cert-manager.io/cluster-issuer: ca-issuer
        hosts:
          - host: dex.eom.dev
            paths:
              - path: /
                pathType: ImplementationSpecific
        tls:
          - hosts:
              - dex.eom.dev
--- a/tasks/discourse.yaml
+++ b/tasks/discourse.yaml
@@ -22,8 +22,6 @@
        password: "{{ discourse_admin_password }}"
      image:
        debug: false
        repository: bitnamilegacy/discourse
        tag: 3.4.7-debian-12-r0
      service:
        externalTrafficPolicy: Local
      discourse:
@@ -34,7 +32,6 @@
          - https://github.com/discourse/discourse-activity-pub
          - https://github.com/discourse/discourse-openid-connect
          - https://github.com/jonmbake/discourse-ldap-auth
          - https://github.com/discourse/discourse-math
          - https://github.com/discourse/discourse-post-voting
          - https://github.com/discourse/discourse-prometheus
          - https://github.com/discourse/discourse-reactions
@@ -61,8 +58,6 @@
        tls: true
      postgresql:
        enabled: true
        image:
          repository: bitnamilegacy/postgresql
        auth:
          enablePostgresUser: true
          postgresPassword: "{{ discourse_admin_password }}"
@@ -72,7 +67,5 @@
            size: 2Ti
      redis:
        enabled: true
        image:
          repository: bitnamilegacy/redis
        auth:
          password: "{{ discourse_admin_password }}"
--- a/tasks/gitea.yaml
+++ b/tasks/gitea.yaml
@@ -79,9 +79,9 @@
          APP_NAME: "Gitea"
          service:
            DISABLE_REGISTRATION: false
-            SHOW_REGISTRATION_BUTTON: true
+            SHOW_REGISTRATION_BUTTON: false
            DEFAULT_ALLOW_CREATE_ORGANIZATION: false
-            ALLOW_ONLY_EXTERNAL_REGISTRATION: false
+            ALLOW_ONLY_EXTERNAL_REGISTRATION: true
          oauth2_client:
            ENABLE_AUTO_REGISTRATION: true
            UPDATE_AVATAR: true
--- a/tasks/grafana-matrix-forwarder.yaml
+++ b/tasks/grafana-matrix-forwarder.yaml
@@ -1,14 +1,5 @@
 ---
 # tasks file for grafana-matrix-forwarder
 - name: Create Grafana Matrix Forwarder namespace
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: grafana-matrix-forwarder
 - name: Create a Deployment for Grafana Matrix Forwarder
  k8s:
    definition:
@@ -16,7 +7,7 @@
      kind: Deployment
      metadata:
        name: matrix-forwarder
-        namespace: grafana-matrix-forwarder
+        namespace: grafana
      spec:
        replicas: 1
        selector:
@@ -38,7 +29,7 @@
                  - name: GMF_MATRIX_PASSWORD
                    value: "{{ grafana_admin_password }}"
                  - name: GMF_MATRIX_HOMESERVER
-                    value: synapse.eom.dev
+                    value: eom.dev
                  - name: GMF_RESOLVE_MODE
                    value: reply
@@ -49,7 +40,7 @@
      kind: Service
      metadata:
        name: matrix-forwarder
-        namespace: grafana-matrix-forwarder
+        namespace: grafana
      spec:
        selector:
          app: matrix-forwarder
--- a/tasks/localai.yaml
+++ b/tasks/localai.yaml
@@ -17,21 +17,12 @@
    release_namespace: localai
    create_namespace: true
    values:
      service:
        type: LoadBalancer
      deployment:
        image:
          tag: latest-gpu-nvidia-cuda-12
        runtimeClassName: nvidia
        secretEnv:
          - name: LOCALAI_DISABLE_WEBUI
            value: "true"
          - name: LOCALAI_API_KEY
            value: "{{ localai_api_keys | join(',') }}"
          - name: LOCALAI_WATCHDOG_IDLE
            value: "true"
          - name: LOCALAI_WATCHDOG_IDLE_TIMEOUT
            value: "5m"
          - name: LOCALAI_WATCHDOG_BUSY
            value: "true"
      resources:
        limits:
          nvidia.com/gpu: 1
@@ -45,17 +36,3 @@
          operator: Equal
          value: GPU
          effect: NoSchedule
      ingress:
        enabled: true
        className: nginx
        annotations:
          cert-manager.io/cluster-issuer: ca-issuer
        hosts:
          - host: localai.eom.dev
            paths:
              - path: /
                pathType: ImplementationSpecific
        tls:
          - secretName: localai-tls
            hosts:
              - localai.eom.dev
--- a/tasks/mail.yaml
+++ b/tasks/mail.yaml
@@ -90,38 +90,6 @@
          requests:
            storage: 2Ti
 - name: Create a ConfigMap for encryption
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: certs
        namespace: mail
      data:
        privkey.pem: "{{ mail_encryption_privkey }}"
        pubkey.pem: "{{ mail_encryption_pubkey }}"
 - name: Create a ConfigMap for Dovecot
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: dovecot
        namespace: mail
      data:
        10-encryption.conf: |
          # Enables mail_crypt for all services (pop3, pop3, etc)
          mail_plugins = $mail_plugins mail_crypt
          plugin {
            mail_crypt_global_private_key = </certs/privkey.pem
            mail_crypt_global_public_key = </certs/pubkey.pem
            mail_crypt_save_version = 2
          }
 - name: Create a deployment
  k8s:
    definition:
@@ -173,13 +141,8 @@
                  seccompProfile:
                    type: RuntimeDefault
                volumeMounts:
                  - name: certs
                    mountPath: /certs
                  - name: config
                    mountPath: /tmp/docker-mailserver
                  - name: dovecot
                    mountPath: /etc/dovecot/conf.d/10-encryption.conf
                    subPath: 10-encryption.conf
                  - name: ssl
                    mountPath: /etc/letsencrypt
                  - name: mail
@@ -244,9 +207,6 @@
                  - name: SSL_KEY_PATH
                    value: "/etc/letsencrypt/tls.key"
            volumes:
              - name: certs
                configMap:
                  name: certs
              - name: ssl
                secret:
                  secretName: mail
@@ -259,9 +219,6 @@
              - name: dkim
                persistentVolumeClaim:
                  claimName: dkim
              - name: dovecot
                configMap:
                  name: dovecot
 - name: Expose deployment as a service
  k8s:
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -3,4 +3,4 @@
 - name: Deploy
  include_tasks: "{{ item }}"
  loop:
-    - gitea.yaml
+    - nextcloud.yaml
--- a/tasks/minio.yaml
+++ b/tasks/minio.yaml
@@ -7,17 +7,13 @@
    release_namespace: minio
    create_namespace: true
    values:
      image:
        repository: bitnamilegacy/minio
      metrics:
        enabled: true
-      console:
+      disableWebUI: true
        enabled: false
      auth:
        rootUser: minio_admin
        rootPassword: "{{ minio_admin_password }}"
      defaultBuckets: default
      defaultInitContainers:
      volumePermissions:
        enabled: true
      mode: standalone
@@ -50,10 +46,13 @@
          value: OpenLDAP
        - name: MINIO_IDENTITY_LDAP_SERVER_INSECURE
          value: "on"
-      ingress:
+      apiIngress:
        enabled: true
        hostname: minio.eom.dev
        ingressClassName: nginx
        annotations:
          cert-manager.io/cluster-issuer: ca-issuer
-        tls: true
+        tls:
          - hosts:
            - minio.eom.dev
            secretName: minio-tls
--- a/tasks/openldap.yaml
+++ b/tasks/openldap.yaml
@@ -41,36 +41,6 @@
          requests:
            storage: 32Gi
 - name: Request a certificate for OpenLDAP
  k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: openldap
        namespace: openldap
      spec:
        secretName: openldap
        privateKey:
          algorithm: RSA
          encoding: PKCS1
          size: 2048
        duration: 2160h # 90d
        renewBefore: 360h # 15d
        isCA: false
        usages:
          - server auth
          - client auth
        subject:
          organizations:
            - EOM
        dnsNames:
          - openldap.eom.dev
        issuerRef:
          name: ca-issuer
          kind: ClusterIssuer
 - name: Create Deployment for OpenLDAP
  k8s:
    definition:
@@ -105,10 +75,6 @@
                    value: "{{ openldap_readonly_password }}"
                  - name: LDAP_TLS_VERIFY_CLIENT
                    value: never
                  - name: LDAP_TLS_CRT_FILENAME
                    value: tls.crt
                  - name: LDAP_TLS_KEY_FILENAME
                    value: tls.key
                volumeMounts:
                  - name: config
                    mountPath: /etc/ldap/slapd.d
--- a/tasks/owncast.yaml
+++ b/tasks/owncast.yaml
@@ -49,9 +49,6 @@
            containers:
              - name: owncast
                image: owncast/owncast:0.2.0
                resources:
                  requests:
                    cpu: 1.5
                volumeMounts:
                  - name: data
                    mountPath: /app/data
@@ -81,7 +78,6 @@
            name: rtmp
          - port: 8080
            name: http
        externalTrafficPolicy: Local
        type: LoadBalancer
 - name: Create Ingress
--- a/tasks/prometheus.yaml
+++ b/tasks/prometheus.yaml
@@ -27,18 +27,7 @@
                  instance: grafana
            metrics_path: /metrics
-          - job_name: owncast
+          - job_name: nextcloud
            scrape_interval: 1m
            metrics_path: /api/admin/prometheus
            scheme: https
            basic_auth:
              username: admin
              password: "{{ owncast_admin_password }}"
            static_config:
              - targets:
                - owncast.eom.dev
          - job_name: local
            static_configs:
              - targets:
                - nextcloud-metrics.nextcloud.svc.cluster.local:9205
@@ -124,24 +113,4 @@
                - 192.168.1.72:9100
                labels:
                  instance: alpha-worker-12
              - targets:
                - 192.168.1.95:9100
                labels:
                  instance: alpha-worker-13
              - targets:
                - 192.168.1.70:9100
                labels:
                  instance: alpha-worker-14
              - targets:
                - 192.168.1.46:9100
                labels:
                  instance: alpha-worker-15
              - targets:
                - 192.168.1.74:9100
                labels:
                  instance: alpha-worker-16
              - targets:
                - 192.168.1.88:9100
                labels:
                  instance: alpha-worker-17
            metrics_path: /metrics