GHP publish

2021-01-09 20:54:42 +03:00
commit b4b740a239
173 changed files with 5392 additions and 0 deletions
--- a/roles/roundcube/defaults/main.yaml
+++ b/roles/roundcube/defaults/main.yaml
@ -0,0 +1,83 @@
+roundcube_enabled: true
+roundcube_publish: false
+roundcube_use_external_db: true
+roundcube_default_values:
+  env: 
+    - name: ROUNDCUBEMAIL_DB_TYPE
+      value: "pgsql"
+    - name: ROUNDCUBEMAIL_DB_HOST
+      value: "{{ postgres_db_team | default(namespace) }}-postgres.{{ postgres_db_namespace | default(namespace) }}.svc.cluster.local"
+    - name: ROUNDCUBEMAIL_DB_USER
+      value: "{{ roundcube_db_username }}"
+    - name: ROUNDCUBEMAIL_DB_PASSWORD
+      value: "{{ roundcube_db_password }}"
+    - name: ROUNDCUBEMAIL_DB_NAME
+      value: roundcube
+    - name: ROUNDCUBEMAIL_DEFAULT_HOST
+      value: "ssl://mail.{{ domain }}"
+    - name: ROUNDCUBEMAIL_DEFAULT_PORT
+      value: "993"
+    - name: ROUNDCUBEMAIL_SMTP_SERVER
+      value: "ssl://mail.{{ domain }}"
+    - name: ROUNDCUBEMAIL_SMTP_PORT
+      value: "465"
+    - name: ROUNDCUBEMAIL_SKIN
+      value: elastic
+    - name: ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE
+      value: "25M"
+    - name: ROUNDCUBEMAIL_PLUGINS
+      value: "archive,zipdownload,managesieve"
+  ingress:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      cert-manager.io/acme-dns01-provider: "rfc2136"
+      cert-manager.io/acme-challenge-type: "dns01"
+      kubernetes.io/ingress.class: "{{ external_ingress_class if roundcube_publish else internal_ingress_class }}" 
+      kubernetes.io/tls-acme: "true"
+    path: /
+    hosts:
+      - webmail.{{ domain }}
+    tls: 
+      - secretName: webmail.{{ domain }}-tls
+        hosts:
+          - webmail.{{ domain }}
+  persistence:
+    enabled: true
+    storageClass: "{{ roundcube_storage | default('nfs-hdd') }}"
+    accessMode: "{{ roundcube_storage_mode | default('ReadWriteMany') }}"
+    size: "{{ roundcube_size | default('8Gi') }}"
+  configs:
+    myconfig.inc.php: |
+      <?php
+        $config['mail_domain'] = '%d';
+        $config['username_domain'] = '%d';
+        $config['managesieve_port'] = '4190';
+        $config['managesieve_host'] = 'ssl://dovecot.{{ namespace }}.svc.cluster.local';
+        $config['managesieve_usetls'] = false;
+        $config['managesieve_debug']  = true;
+        $config['managesieve_conn_options'] = array(
+          'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true)
+        );
+        // Enables separate management interface for vacation responses (out-of-office)
+        // 0 - no separate section (default),
+        // 1 - add Vacation section,
+        // 2 - add Vacation section, but hide Filters section
+        $config['managesieve_vacation'] = 1;
+        $config['imap_conn_options'] = array(
+            'ssl' => array(
+              'verify_peer'       => false,
+              'allow_self_signed' => true,
+              'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
+            ),
+        );
+        // For STARTTLS SMTP
+        $config['smtp_conn_options'] = array(
+            'ssl' => array(
+              'verify_peer'       => false,
+              'allow_self_signed' => true,
+              'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
+            ),
+        );
+      ?>
+
--- a/roles/roundcube/tasks/main.yaml
+++ b/roles/roundcube/tasks/main.yaml
@ -0,0 +1,19 @@
+- name: Import secret.yaml to obtain secrets
+  include_tasks: secrets.yaml
+  when:
+    - roundcube_use_external_db
+    - postgres_enable
+
+- set_fact:
+    roundcube_combined_values: "{{ roundcube_default_values | combine(roundcube_values, recursive=true) }}"
+
+- name: Deploy RoundCube
+  community.kubernetes.helm:
+    create_namespace: true
+    release_namespace: "{{ roundcube_namespace | default(mail_namespace) | default(namespace) }}"
+    release_name: "{{ roundcube_name | default('roundcube') }}"
+    chart_ref: "{{ roundcube_chart | default('ghp/roundcube') }}"
+    chart_version: "{{ roundcube_version | default(omit) }}"
+    release_values: "{{ roundcube_combined_values | from_yaml }}"
+    wait: true
+
--- a/roles/roundcube/tasks/secrets.yaml
+++ b/roles/roundcube/tasks/secrets.yaml
@ -0,0 +1,25 @@
+- block:
+  - name: Set DB namespace for secret lookup
+    set_fact:
+      db_namespace: "{{ roundcube_db_namespace | default(postgres_db_namespace) | default(postgres_namespace) | default(postgres_operator_namespace) | default(namespace) }}"
+
+  - name: Set DB secret name for lookup
+    set_fact:
+      db_secret_name: "roundcube.{{ postgres_db_team | default(namespace) }}-postgres.credentials.postgresql.acid.zalan.do"
+
+  - name: Lookup Roundcube DB secret
+    set_fact:
+      roundcube_db_secret: "{{ lookup('k8s', kind='Secret', namespace=db_namespace, resource_name=db_secret_name) }}"
+
+  - debug:
+      msg: "{{ roundcube_db_secret }}"
+      verbosity: 2
+
+  - name: Set Roundcube DB username
+    set_fact:
+      roundcube_db_username: "{{ roundcube_db_secret.data.username | b64decode }}"
+
+  - name: Set Roundcube DB password
+    set_fact:
+      roundcube_db_password: "{{ roundcube_db_secret.data.password | b64decode }}"
+