GHP publish

inventory/ghp/sample/group_vars/all/all.yaml

@@ -0,0 +1,128 @@
+# Common #
+namespace: ghp
+docker_registry: registry.ghp.0xace.cc
+domain: example.com
+mail_domain: "{{ domain }}"
+local_domain: lan
+dns_ip: YOUR_RFC2136_DNS_IP
+mail_proxy_public_ip: PUBLIC_VPS_IP
+mail_proxy_private_ip: "{{ dns_ip }}"
+web_proxy_internal_ip: INTERNAL_VPS_IP
+
+# Core infrastructure #
+## Nginx Ingress ##
+### Internal ###
+internal_ingress_class: "ghp-internal-nginx"
+internal_loadbalancer_ip: "192.168.250.0"
+### External ###
+internal_ingress_class: "ghp-external-nginx"
+external_loadbalancer_ip: "192.168.250.10"
+### Local ###
+internal_ingress_class: "ghp-local-nginx"
+local_loadbalancer_ip: "192.168.250.20"
+
+## External-dns ##
+dns_namespace: dns
+
+# Shared infrastructure #
+## PostgreSQL ##
+postgres_enable: true
+postgres_db_namespace: "{{ namespace }}"
+
+## OpenLDAP ##
+openldap_enabled: true
+#openldap_size: "10Gi"
+#openldap_storage: "nfs-ssd"
+openldap_loadbalancer_ip: "192.168.250.2"
+openldap_domain: "dc=example,dc=com"
+openldap_custom_users:
+  - { name: myuser1 }
+  - { name: myuser2 }
+openldap_simple_users:
+  - { name: testuser1, sn: 6001, uid: 6001, gid: 6001 }
+  - { name: testuser2, sn: 6002, uid: 6002, gid: 6002 }
+
+## Docker-registry ##
+registry_enabled: true
+#registry_size: "100Gi"
+#registry_storage: "nfs-hdd"
+registry_publish: false
+
+## ChartMuseum ##
+chartmuseum_enabled: true
+#chartmuseum_size: "10Gi"
+#chartmuseum_storage: "nfs-hdd"
+#chartmuseum_publish: false
+#chartmuseum_login: admin
+#chartmuseum_pass:
+
+# End User Applications #
+## Email ##
+mail_enabled: true
+#mailbox_size: "50Gi"
+#mailbox_storage: "nfs-hdd"
+roundcube_enabled: true
+roundcube_publish: false
+postfix_loadbalancer_ip: "192.168.250.3"
+dovecot_loadbalancer_ip: "192.168.250.4"
+
+## Nextcloud ##
+nextcloud_enabled: true
+#nextcloud_size: "20Gi"
+#nextcloud_storage: "nfs-ssd"
+#nextcloud_pass:
+#nextcloud_mail_pass:
+nextcloud_publish: true
+
+## Bitwarden Password Manager ##
+bitwarden_enabled: true
+#bitwarden_size: "8Gi"
+#bitwarden_storage: "nfs-ssd"
+#bitwarden_smtp_pass: 
+bitwarden_publish: false
+
+## Gitea ##
+gitea_enabled: true
+#gitea_size: "20Gi"
+#gitea_storage: "nfs-ssd"
+#gitea_lfs: true
+#gitea_lfs_size: "50Gi"
+#gitea_lfs_storage: "nfs-hdd"
+gitea_publish_web: false
+gitea_publish_ssh: false
+gitea_loadbalancer_ip: "192.168.250.5"
+
+## Drone ##
+drone_enabled: true
+#drone_size: "10Gi"
+#drone_storage: "nfs-ssd"
+#drone_gitea_client_id:
+#drone_gitea_client_secret:
+drone_publish: false
+
+### WikiJS ###
+wikijs_enabled: true 
+wikijs_publish: false
+
+### Playmaker ###
+playmaker_enabled: false
+playmaker_publish: false
+
+### Pypiserver ###
+pypiserver_enabled: false
+pypiserver_publish: false
+
+### PeerTube ###
+peertube_enabled: false
+peertube_publish: false
+#peertube_size: "100Gi"
+#peertube_storage: "nfs-hdd"
+
+### Adguard Home ###
+adguard_enabled: false
+adguard_publish: false
+adguard_loadbalancer_ip: "192.168.250.6"
+#adguard_config_size: "20Mi"
+#adguard_config_storage: "nfs-ssd"
+#adguard_work_size: "10Gi"
+#adguard_work_storage: "nfs-ssd"

inventory/ghp/sample/group_vars/ddclient.yaml

@@ -0,0 +1,36 @@
+ddclient_conf: |
+  daemon=300
+  syslog=yes
+  mail-failure=root
+  pid=/var/run/ddclient/ddclient.pid
+  ssl=yes
+  debug=yes
+  verbose=yes
+  
+  {% for host in ddclient_hosts %}
+  {% if host != 'omitme' %}
+  use=web
+  web=checkip.dyndns.org
+  protocol=nsupdate
+  server={{ external_dns_ip | default(dns_ip) }}
+  login=/usr/bin/nsupdate
+  password=/config/Kvps.key
+  zone={{ domain }}
+  ttl=60
+  {{ host }}
+  
+  {% endif %}
+  {% endfor %}
+
+ddclient_hosts:
+  - "{% if nextcloud_publish | default(false) %}nextcloud.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if drone_publish | default(false) %}drone.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if gitea_publish | default(false) %}gitea.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if bitwarden_publish | default(false) %}bitwarden.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if wikijs_publish | default(false) %}wikijs.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if chartmuseum_publish | default(false) %}charts.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if registry_publish | default(false) %}registry.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if peertube_publish | default(false) %}peertube.{{ domain }}{% else %}omitme{% endif %}"
+  - "{{ registry_readonly_ingress | default('omitme') }}"
+  - "{{ chartmuseum_readonly_ingress | default('omitme') }}"
+  - "{{ wikijs_readonly_ingress | default('omitme') }}"

inventory/ghp/sample/group_vars/k8s/adguard.yaml

@@ -0,0 +1 @@
+adguard_values: {}

inventory/ghp/sample/group_vars/k8s/bitwarden.yaml

@@ -0,0 +1 @@
+bitwarden_values: {}

inventory/ghp/sample/group_vars/k8s/cert-manager.yaml

@@ -0,0 +1 @@
+cert_manager_values: {}

inventory/ghp/sample/group_vars/k8s/chartmuseum.yaml

@@ -0,0 +1 @@
+chartmuseum_values: {}

inventory/ghp/sample/group_vars/k8s/dovecot.yaml

@@ -0,0 +1 @@
+dovecot_values: {}

inventory/ghp/sample/group_vars/k8s/drone.yaml

@@ -0,0 +1,2 @@
+drone_values: {}
+drone_runner_kube_values: {}

inventory/ghp/sample/group_vars/k8s/external-dns.yaml

@@ -0,0 +1 @@
+external_dns_values: {}

inventory/ghp/sample/group_vars/k8s/external-ingress-nginx.yaml

@@ -0,0 +1 @@
+external_ingress_nginx_values: {}

inventory/ghp/sample/group_vars/k8s/gitea.yaml

@@ -0,0 +1,3 @@
+gitea_values: {}
+gitea_ingress_nginx_values: {}
+gitea_dns_values: {}

inventory/ghp/sample/group_vars/k8s/internal-dns.yaml

@@ -0,0 +1 @@
+internal_dns_values: {}

inventory/ghp/sample/group_vars/k8s/internal-ingress-nginx.yaml

@@ -0,0 +1 @@
+internal_ingress_nginx_values: {}

inventory/ghp/sample/group_vars/k8s/local-dns.yaml

@@ -0,0 +1 @@
+local_dns_values: {}

inventory/ghp/sample/group_vars/k8s/local-ingress-nginx.yaml

@@ -0,0 +1 @@
+local_ingress_nginx_values: {}

inventory/ghp/sample/group_vars/k8s/metallb.yaml

@@ -0,0 +1,13 @@
+metallb_values:
+  configInline:
+    peers:
+    - peer-address: 192.168.5.1
+      peer-asn: 64601
+      my-asn: 65500
+    address-pools:
+    - name: default
+      protocol: bgp
+      bgp-advertisements:
+      - aggregation-length: 24
+      addresses:
+      - 192.168.250.0/24

inventory/ghp/sample/group_vars/k8s/metrics-server.yaml

@@ -0,0 +1 @@
+metrics_server_values: {}

inventory/ghp/sample/group_vars/k8s/nextcloud.yaml

@@ -0,0 +1,43 @@
+nextcloud_values:
+  nextcloud:
+    configs:
+      mail.fix.config.php: |-
+        <?php
+        $CONFIG = array (
+          "mail_smtptimeout"  => 60,
+        );
+      fix.config.php: |-
+        <?php
+        $CONFIG = array (
+          'trusted_proxies' => ['{{ web_proxy_internal_ip }}'],
+          'overwriteprotocol' => 'https',
+          'overwrite.cli.url' => 'https://nextcloud.{{ domain }}',
+          'mail_smtpstreamoptions' =>
+          array (
+            'ssl' =>
+            array (
+              'allow_self_signed' => true,
+              'verify_peer' => false,
+              'verify_peer_name' => false,
+            ),
+          ),
+        );
+      rgw.config.php: |-
+        <?php
+        $CONFIG = array (
+          'objectstore_multibucket' => array(
+            'class' => '\\OC\\Files\\ObjectStore\\S3',
+            'arguments' => array(
+                    'bucket' => 'nextcloud',
+                    'autocreate' => true,
+                    'key'    => 'K4PNZLSTLIDQJMZUV27P',
+                    'secret' => 'iPScsni8RS2aT9MFymfQYLPD7W8dVrRqFpafBKDc',
+                    'hostname' => 'sds1-osd1.lan',
+                    'port' => 8080,
+                    'use_ssl' => false,
+                    'num_buckets' => 16,
+                    'region' => 'us-east-1',
+                    'use_path_style' => true
+            ),
+          ),
+        );

inventory/ghp/sample/group_vars/k8s/nfs-client-provisioner.yaml

@@ -0,0 +1,15 @@
+nfs_client_provisioner_hdd_values:
+  replicaCount: 1
+  strategyType: Recreate
+  nfs:
+    server: <nfs server dns or ip>
+    path: <full path from exportfs>
+    defaultClass: false
+
+nfs_client_provisioner_ssd_values:
+  replicaCount: 1
+  strategyType: Recreate
+  nfs:
+    server: <nfs server dns or ip>
+    path: <full path from exportfs>
+    defaultClass: true

inventory/ghp/sample/group_vars/k8s/opendkim.yaml

@@ -0,0 +1 @@
+opendkim_values: {}

inventory/ghp/sample/group_vars/k8s/opendmarc.yaml

@@ -0,0 +1 @@
+opendmarc_values: {}

inventory/ghp/sample/group_vars/k8s/openldap.yaml

@@ -0,0 +1,58 @@
+openldap_values:
+  customLdifFiles:
+    04-custom-users.ldif: |-
+      dn: uid=myuser1,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: myuser1
+      cn: myuser1
+      sn: 5001
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/myuser1
+      uidNumber: 5001
+      gidNumber: 5001
+      userPassword: {{ myuser1_pbkdf2_sha512_hash }}
+      mail: myuser1@{{ domain }}
+      mail: myuser1_second_mail@{{ domain }}
+      gecos: myuser1 description
+
+      dn: uid=myuser2,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: myuser2
+      cn: myuser2
+      sn: 5002
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/myuser2
+      uidNumber: 5002
+      gidNumber: 5002
+      userPassword: {{ myuser2_pbkdf2_sha512_hash }}
+      mail: myuser2@{{ domain }}
+      mail: myuser2_second_mail@{{ domain }}
+      gecos: myuser2 description
+
+
+    05-autogen-simple-users.ldif: |-
+      {% for user in openldap_simple_users %}
+      dn: uid={{ user.name }},ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: {{ user.name }}
+      cn: {{ user.name }}
+      sn: {{ user.sn }}
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/{{ user.name }}
+      uidNumber: {{ user.uid }}
+      gidNumber: {{ user.gid }}
+      userPassword: {{ hostvars[inventory_hostname][user.name + '_pbkdf2_sha512_hash'] | default('nopass') }}
+      mail: {{ user.name }}@{{ domain }}
+      gecos: {{ user.name }} user
+
+      {% endfor %}
+

inventory/ghp/sample/group_vars/k8s/peertube.yaml

@@ -0,0 +1 @@
+peertube_values: {}

inventory/ghp/sample/group_vars/k8s/postfix.yaml

@@ -0,0 +1 @@
+postfix_values: {}

inventory/ghp/sample/group_vars/k8s/postgres.yaml

@@ -0,0 +1,2 @@
+postgres_operator_values: {}
+postgres_operator_ui_values: {}

inventory/ghp/sample/group_vars/k8s/registry.yaml

@@ -0,0 +1 @@
+registry_values: {}

inventory/ghp/sample/group_vars/k8s/roundcube.yaml

@@ -0,0 +1 @@
+roundcube_values: {}

inventory/ghp/sample/group_vars/k8s/rspamd.yaml

@@ -0,0 +1 @@
+rspamd_values: {}

inventory/ghp/sample/group_vars/k8s/service-dns.yaml

@@ -0,0 +1 @@
+service_dns_values: {}

inventory/ghp/sample/group_vars/k8s/wikijs.yaml

@@ -0,0 +1 @@
+wikijs_values: {}

inventory/ghp/sample/group_vars/knot_dns.yaml

@@ -0,0 +1,87 @@
+knot_conf: |
+  # This is a sample of a minimal configuration file for Knot DNS.
+  # See knot.conf(5) or refer to the server documentation.
+  
+  server:
+      rundir: "/run/knot"
+      user: knot:knot
+      listen: [ 0.0.0.0@53, ::@53 ]
+      udp-max-payload: 1232
+  
+  log:
+    - target: syslog
+      any: debug
+  
+  key:
+    - id: k8s
+      algorithm: hmac-sha512
+      secret: {{ k8s_tsig }}
+  
+    - id: vps
+      algorithm: hmac-sha512
+      secret: {{ ddclient_tsig }}
+  
+  remote:
+  #  - id: slave
+  #    address: 192.168.1.1@53
+  #
+  #  - id: master
+  #    address: 192.168.2.1@53
+  remote:
+    - id: dns_server
+      address: 127.0.0.1@53
+  
+  submission:
+    - id: dns_zone_sbm
+      parent: [dns_server]
+  
+  
+  acl:
+    - id: deny_all
+      deny: on # no action specified and deny on implies denial of all actions
+  
+    - id: key_rule
+      key: [vps, k8s]                # Access based just on TSIG key
+      address: 192.168.0.0/16
+      action: [transfer, notify, update]
+  
+  #  - id: acl_slave
+  #    address: 192.168.1.1
+  #    action: transfer
+  
+  #  - id: acl_master
+  #    address: 192.168.2.1
+  #    action: notify
+  
+  template:
+    - id: default
+      storage: "/var/lib/knot"
+      file: "%s.zone"
+  
+  policy:
+    - id: rsa
+      algorithm: RSASHA512
+      ksk-size: 4096
+      zsk-size: 2048
+      nsec3: on
+      ksk-submission: dns_zone_sbm
+  
+  zone:
+    - domain: "{{ domain }}"
+      storage: "/var/lib/knot/zones/"
+      file: "{{ domain }}.zone"
+      acl: [deny_all, key_rule]
+      dnssec-signing: on
+      dnssec-policy: rsa
+      zonefile-load: difference
+  
+  #    # Master zone
+  #  - domain: example.com
+  #    notify: slave
+  #    acl: acl_slave
+  
+  #    # Slave zone
+  #  - domain: example.net
+  #    master: master
+  #    acl: acl_master
+

inventory/ghp/sample/group_vars/mail_proxy.yaml

@@ -0,0 +1,102 @@
+haproxy_config: |
+  global
+    chroot /var/lib/haproxy
+    daemon
+    group haproxy
+    maxconn 200000
+    nbproc {{ ansible_processor_count }}
+    pidfile /var/run/haproxy.pid
+    user haproxy
+    stats socket /var/run/haproxy.stat
+    stats bind-process 1
+    log 127.0.0.1 local0
+  
+  defaults
+    log  global
+    maxconn 200000
+    option redispatch
+    retries 3
+    timeout http-request 10s
+    timeout queue 1m
+    timeout connect 10s
+    timeout client 10m
+    timeout server 10m
+    timeout check 10s
+  
+  frontend ft_smtp
+    bind {{ mail_proxy_public_ip }}:25
+    bind {{ mail_proxy_private_ip }}:25
+    mode tcp
+    timeout client 1m
+    log global
+    option tcplog
+    default_backend bk_smtp
+  
+  backend bk_smtp
+    mode tcp
+    log global
+    option tcplog
+    timeout server 1m
+    timeout connect 7s
+    server postfix {{ postfix_loadbalancer_ip }}:2525 send-proxy
+  
+  frontend ft_submission
+    bind {{ mail_proxy_public_ip }}:587
+    bind {{ mail_proxy_private_ip }}:587
+    mode tcp
+    timeout client 1m
+    log global
+    option tcplog
+    default_backend bk_submission
+  
+  backend bk_submission
+    mode tcp
+    log global
+    option tcplog
+    timeout server 1m
+    timeout connect 7s
+    server postfix {{ postfix_loadbalancer_ip }}:10587 send-proxy
+  
+  frontend ft_submissions
+    bind {{ mail_proxy_public_ip }}:465
+    bind {{ mail_proxy_private_ip }}:465
+    mode tcp
+    timeout client 1m
+    log global
+    option tcplog
+    default_backend bk_submissions
+  
+  backend bk_submissions
+    mode tcp
+    log global
+    option tcplog
+    timeout server 1m
+    timeout connect 7s
+    server postfix {{ postfix_loadbalancer_ip }}:10465 send-proxy
+  
+  frontend ft_imap
+    bind {{ mail_proxy_public_ip }}:143
+    bind {{ mail_proxy_private_ip }}:143
+    mode tcp
+    default_backend bk_imap
+  
+  backend bk_imap
+    mode tcp
+    balance leastconn
+    stick store-request src
+    stick-table type ip size 200k expire 30m
+    server imap1 {{ dovecot_loadbalancer_ip }}:1109 send-proxy-v2
+  
+  frontend ft_imaps
+    bind {{ mail_proxy_public_ip }}:993
+    bind {{ mail_proxy_private_ip }}:993
+    mode tcp
+    default_backend bk_imaps
+  
+  backend bk_imaps
+    mode tcp
+    balance leastconn
+    stick store-request src
+    stick-table type ip size 200k expire 30m
+    server imaps1 {{ dovecot_loadbalancer_ip }}:10993 send-proxy-v2
+

inventory/ghp/sample/group_vars/web_proxy.yaml

@@ -0,0 +1,97 @@
+nginx:
+  nginx.conf: |
+    user  nginx;
+    worker_processes  {{ ansible_processor_count }};
+    error_log  /var/log/nginx/error.log debug;
+    pid        /var/run/nginx.pid;
+
+    events {
+        worker_connections  4096;
+    }
+    
+    http {
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+    
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+    
+        access_log  /var/log/nginx/access.log  main;
+        sendfile        on;
+        #tcp_nopush     on;
+        keepalive_timeout  65;
+        #gzip  on;
+        include /etc/nginx/conf.d/*.conf;
+    }
+    stream {
+        server {
+            listen 443;
+            proxy_pass $upstream;
+            ssl_preread on;
+            proxy_protocol on;
+        }
+        map $ssl_preread_server_name $upstream {
+            include /etc/nginx/stream.d/*.map;
+        }
+
+        include /etc/nginx/stream.d/*.conf;
+    }
+    
+  stream.d:
+    - name: "k8s-ghp-{{ namespace }}.map"
+      data: |
+        {% if gitea_publish_ssh %}
+        default gitea_ssh_{{ namespace }};
+        {% endif %}
+        {% if gitea_publish_web %}
+        gitea.{{ domain }} gitea_web_{{ namespace }};
+        {% endif %}
+        {% if bitwarden_publish %}
+        bitwarden.{{ domain }} https_{{ namespace }};
+        {% endif %}
+        {% if wikijs_publish %}
+        wikijs.{{ domain }} https_{{ namespace }};
+        {% endif %}
+        {% if drone_publish %}
+        drone.{{ domain }} https_{{ namespace }};
+        {% endif %}
+        {% if nextcloud_publish %}
+        nextcloud.{{ domain }} https_{{ namespace }};
+        {% endif %}
+        {% if registry_publish %}
+        registry.{{ domain }} https_{{ namespace }};
+        {% endif %}
+        {% if registry_readonly_ingress %}
+        {{ registry_readonly_ingress }} https_{{ namespace }};
+        {% endif %}
+        {% if chartmuseum_publish %}
+        charts.{{ domain }} https_{{ namespace }};
+        {% endif %}
+        {% if chartmuseum_readonly_ingress %}
+        {{ chartmuseum_readonly_ingress }} https_{{ namespace }};
+        {% endif %}
+        {% if wikijs_readonly_ingress %}
+        {{ wikijs_readonly_ingress }} https_{{ namespace }};
+        {% endif %}
+        {% if peertube_publish %}
+        peertube.{{ domain }} https_{{ namespace }};
+        {% endif %}
+    - name: "k8s-ghp-{{ namespace }}.conf"
+      data: |-
+        {% if gitea_publish_ssh %}
+        upstream gitea_ssh_{{ namespace }} {
+            server {{ gitea_loadbalancer_ip }}:22;
+        }
+        {% endif %}
+  
+        {% if gitea_publish_web %}
+        upstream gitea_web_{{ namespace }} {
+            server {{ gitea_loadbalancer_ip }}:443;
+        }
+        {% endif %}
+  
+        upstream https_{{ namespace }} {
+            server {{ external_loadbalancer_ip }}:443;
+        }
+    

inventory/ghp/sample/hosts

@@ -0,0 +1,16 @@
+[vps:children]
+knot_dns
+web_proxy
+mail_proxy
+ddclient
+
+[ddclient]
+
+[web_proxy]
+
+[mail_proxy]
+
+[knot_dns]
+
+[k8s]
+localhost ansible_python_interpreter="python"