Compare commits
52 Commits
4a74d0649e
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
c669ac9e36
|
|||
|
cce620dca0
|
|||
|
8bc72c25d6
|
|||
|
4cd0b9b606
|
|||
|
dd02301ecf
|
|||
|
e380042c04
|
|||
|
55fd39b008
|
|||
|
7ed4837d00
|
|||
|
a85d4b1c04
|
|||
|
160fdef1cf
|
|||
|
ab2040d287
|
|||
|
8a727e5dbf
|
|||
|
f6e52e1f65
|
|||
|
74ae2c4694
|
|||
|
e67b5702d5
|
|||
|
cfbdf9cc99
|
|||
|
ee7630d087
|
|||
|
2b2d7369ed
|
|||
|
d5d7e94c44
|
|||
|
b46b8db671
|
|||
|
a97fca288f
|
|||
|
66e627144f
|
|||
|
b561d64770
|
|||
|
e2201d03f7
|
|||
|
ee0305870a
|
|||
|
d8f13a79d4
|
|||
|
53334d338a
|
|||
|
9efcd2ffa1
|
|||
|
9a390d4637
|
|||
|
d32fd50715
|
|||
|
9309c4de87
|
|||
|
f4646f1a49
|
|||
|
1fd0d78314
|
|||
|
5adaf91a44
|
|||
|
4db7240f5a
|
|||
|
526bc6c2c0
|
|||
|
70a50a5c15
|
|||
|
4c0646972c
|
|||
|
e221d7fa65
|
|||
|
bc214c1763
|
|||
|
21614ffc2e
|
|||
|
2a83565d59
|
|||
|
87d7312099
|
|||
|
7d4b66a777
|
|||
|
e05607693a
|
|||
|
c16ab291dd
|
|||
|
5a980d28ad
|
|||
|
4bdaff7cca
|
|||
|
2991123422
|
|||
|
e9c70618f6
|
|||
|
6b2f7f716d
|
|||
|
d057e60ea4
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
.venv
|
||||
@@ -1,4 +1,5 @@
|
||||
# Common #
|
||||
k8s_cluster_name: mycluster
|
||||
namespace: ghp
|
||||
docker_registry: gitea.geekhome.org/ghp
|
||||
domain: example.com
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# MetalLB balancer
|
||||
metallb_version: 0.14.5
|
||||
metallb_version: 0.14.9
|
||||
|
||||
# NFS provisioners
|
||||
nfs_client_provisioner_hdd_version: 4.0.18
|
||||
@@ -12,7 +12,7 @@ ceph_csi_rbd_version: 3.8.0
|
||||
ceph_csi_cephfs_version: 3.8.0
|
||||
|
||||
# Cert-manager
|
||||
cert_manager_version: 1.14.5
|
||||
cert_manager_version: 1.18.2
|
||||
|
||||
# External-DNS
|
||||
external_dns_version: 6.31.0
|
||||
@@ -21,13 +21,13 @@ internal_dns_version: 6.31.0
|
||||
service_dns_version: 6.31.0
|
||||
|
||||
# Ingress Nginx
|
||||
external_ingress_nginx_version: 4.2.3
|
||||
internal_ingress_nginx_version: 4.2.3
|
||||
local_ingress_nginx_version: 4.2.3
|
||||
external_ingress_nginx_version: 4.12.1
|
||||
internal_ingress_nginx_version: 4.12.1
|
||||
local_ingress_nginx_version: 4.12.1
|
||||
|
||||
# PostgreSQL operator
|
||||
postgres_operator_version: 1.11.0
|
||||
postgres_operator_ui_version: 1.11.0
|
||||
postgres_operator_version: 1.13.0
|
||||
postgres_operator_ui_version: 1.13.0
|
||||
|
||||
# OpenLDAP
|
||||
openldap_version: 1.2.7
|
||||
@@ -36,42 +36,42 @@ openldap_version: 1.2.7
|
||||
minio_version: 5.0.13
|
||||
|
||||
# Adguard Home
|
||||
adguard_version: 2.3.24
|
||||
adguard_version: 2.3.33
|
||||
|
||||
# Bitwarden (aka Vaultwarden)
|
||||
bitwarden_version: 2.0.25
|
||||
bitwarden_version: 2.0.40
|
||||
|
||||
# Gitea
|
||||
gitea_ingress_nginx_version: 4.2.3
|
||||
gitea_ingress_nginx_version: 4.12.1
|
||||
gitea_dns_version: 6.31.0
|
||||
gitea_version: 10.1.4
|
||||
gitea_version: 12.1.2
|
||||
|
||||
# Gitea Act Runner
|
||||
gitea_act_runner_version: 0.1.10
|
||||
gitea_act_runner_version: 0.1.13
|
||||
|
||||
# Docker and Helm chart registries
|
||||
harbor_version: 1.12.4
|
||||
|
||||
# Mastodon
|
||||
mastodon_version: 4.0.1
|
||||
mastodon_version: 6.5.1
|
||||
|
||||
# Nextcloud
|
||||
nextcloud_version: 4.6.4
|
||||
nextcloud_version: 5.0.2
|
||||
|
||||
# Email
|
||||
dovecot_version: 0.1.6
|
||||
postfix_version: 0.1.5
|
||||
roundcube_version: 0.4.1
|
||||
rspamd_version: 0.5.2
|
||||
dovecot_version: 0.1.8
|
||||
postfix_version: 0.1.7
|
||||
roundcube_version: 0.4.6
|
||||
rspamd_version: 0.5.7
|
||||
|
||||
# Pypi server
|
||||
pypiserver_version: 2.5.0
|
||||
|
||||
# WikiJS
|
||||
wikijs_version: 2.3.14
|
||||
wikijs_version: 2.3.19
|
||||
|
||||
# PeerTube
|
||||
peertube_version: 0.3.4
|
||||
peertube_version: 0.4.5
|
||||
|
||||
# Playmaker android APK repository
|
||||
playmaker_version: 0.1.3
|
||||
|
||||
@@ -12,20 +12,14 @@ knot_conf: |
|
||||
any: debug
|
||||
|
||||
key:
|
||||
- id: k8s
|
||||
- id: k8s-{{ k8s_cluster_name }}-{{ namespace }}
|
||||
algorithm: hmac-sha512
|
||||
secret: {{ k8s_tsig }}
|
||||
|
||||
- id: vps
|
||||
- id: ddclient-{{ k8s_cluster_name }}-{{ namespace }}
|
||||
algorithm: hmac-sha512
|
||||
secret: {{ ddclient_tsig }}
|
||||
|
||||
remote:
|
||||
# - id: slave
|
||||
# address: 192.168.1.1@53
|
||||
#
|
||||
# - id: master
|
||||
# address: 192.168.2.1@53
|
||||
remote:
|
||||
- id: dns_server
|
||||
address: 127.0.0.1@53
|
||||
@@ -34,24 +28,15 @@ knot_conf: |
|
||||
- id: dns_zone_sbm
|
||||
parent: [dns_server]
|
||||
|
||||
|
||||
acl:
|
||||
- id: deny_all
|
||||
deny: on # no action specified and deny on implies denial of all actions
|
||||
|
||||
- id: key_rule
|
||||
key: [vps, k8s] # Access based just on TSIG key
|
||||
key: [k8s-{{ k8s_cluster_name }}-{{ namespace }},ddclient-{{ k8s_cluster_name }}-{{ namespace }}] # Access based just on TSIG key
|
||||
address: 192.168.0.0/16
|
||||
action: [transfer, notify, update]
|
||||
|
||||
# - id: acl_slave
|
||||
# address: 192.168.1.1
|
||||
# action: transfer
|
||||
|
||||
# - id: acl_master
|
||||
# address: 192.168.2.1
|
||||
# action: notify
|
||||
|
||||
template:
|
||||
- id: default
|
||||
storage: "/var/lib/knot"
|
||||
@@ -73,14 +58,3 @@ knot_conf: |
|
||||
dnssec-signing: on
|
||||
dnssec-policy: rsa
|
||||
zonefile-load: difference
|
||||
|
||||
# # Master zone
|
||||
# - domain: example.com
|
||||
# notify: slave
|
||||
# acl: acl_slave
|
||||
|
||||
# # Slave zone
|
||||
# - domain: example.net
|
||||
# master: master
|
||||
# acl: acl_master
|
||||
|
||||
|
||||
@@ -1,15 +1,18 @@
|
||||
---
|
||||
- hosts: web_proxy
|
||||
become: true
|
||||
roles:
|
||||
- nginx
|
||||
tags: web-proxy
|
||||
|
||||
- hosts: mail_proxy
|
||||
become: true
|
||||
roles:
|
||||
- haproxy
|
||||
tags: mail-proxy
|
||||
|
||||
- hosts: ddclient
|
||||
become: true
|
||||
roles:
|
||||
- { role: docker, when: ddclient_container_engine == "docker" }
|
||||
- { role: podman, when: ddclient_container_engine == "podman" }
|
||||
|
||||
@@ -1,28 +1,29 @@
|
||||
ansible==7.6.0
|
||||
ansible-core==2.14.7
|
||||
cachetools==5.3.1
|
||||
certifi==2023.5.7
|
||||
cffi==1.15.1
|
||||
charset-normalizer==3.1.0
|
||||
cryptography==41.0.1
|
||||
google-auth==2.21.0
|
||||
idna==3.4
|
||||
Jinja2==3.1.2
|
||||
kubernetes==26.1.0
|
||||
MarkupSafe==2.1.3
|
||||
ansible==9.5.1
|
||||
ansible-core==2.16.6
|
||||
cachetools==5.3.3
|
||||
certifi==2024.2.2
|
||||
cffi==1.16.0
|
||||
charset-normalizer==3.3.2
|
||||
cryptography==42.0.7
|
||||
google-auth==2.29.0
|
||||
idna==3.7
|
||||
Jinja2==3.1.4
|
||||
kubernetes==29.0.0
|
||||
MarkupSafe==2.1.5
|
||||
netaddr==1.2.1
|
||||
oauthlib==3.2.2
|
||||
openshift==0.13.1
|
||||
packaging==23.1
|
||||
pyasn1==0.5.0
|
||||
pyasn1-modules==0.3.0
|
||||
pycparser==2.21
|
||||
python-dateutil==2.8.2
|
||||
openshift==0.13.2
|
||||
packaging==24.0
|
||||
pyasn1==0.6.0
|
||||
pyasn1_modules==0.4.0
|
||||
pycparser==2.22
|
||||
python-dateutil==2.9.0.post0
|
||||
python-string-utils==1.0.0
|
||||
PyYAML==6.0
|
||||
PyYAML==6.0.1
|
||||
requests==2.31.0
|
||||
requests-oauthlib==1.3.1
|
||||
resolvelib==0.8.1
|
||||
requests-oauthlib==2.0.0
|
||||
resolvelib==1.0.1
|
||||
rsa==4.9
|
||||
six==1.16.0
|
||||
urllib3==1.26.16
|
||||
websocket-client==1.6.1
|
||||
urllib3==2.2.1
|
||||
websocket-client==1.8.0
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
group: cert-manager.io
|
||||
|
||||
- set_fact:
|
||||
adguard_combined_values: "{{ adguard_default_values | combine(adguard_values, recursive=true) }}"
|
||||
adguard_combined_values: "{{ adguard_default_values | combine(adguard_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Adguard Home
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
bitwarden_combined_values: "{{ bitwarden_default_values | combine(bitwarden_values, recursive=true) }}"
|
||||
bitwarden_combined_values: "{{ bitwarden_default_values | combine(bitwarden_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Bitwarden
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
ceph_csi_cephfs_combined_values: "{{ ceph_csi_cephfs_default_values | combine(ceph_csi_cephfs_values, recursive=true) }}"
|
||||
ceph_csi_cephfs_combined_values: "{{ ceph_csi_cephfs_default_values | combine(ceph_csi_cephfs_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy CSI CephFS {{ ceph_csi_cephfs_version }}
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
ceph_csi_rbd_combined_values: "{{ ceph_csi_rbd_default_values | combine(ceph_csi_rbd_values, recursive=true) }}"
|
||||
ceph_csi_rbd_combined_values: "{{ ceph_csi_rbd_default_values | combine(ceph_csi_rbd_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy CSI Ceph RBD {{ ceph_csi_rbd_version }}
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -3,4 +3,5 @@ cert_manager_namespace: "cert-manager"
|
||||
cert_manager_lets_encrypt_mailbox: "admin@{{ domain }}"
|
||||
cert_manager_base64_tsig_key: "{{ k8s_tsig | b64encode }}"
|
||||
cert_manager_default_values:
|
||||
installCRDs: true
|
||||
crds:
|
||||
enabled: true
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values, recursive=true) }}"
|
||||
cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Cert-manager {{ cert_manager_version }}
|
||||
kubernetes.core.helm:
|
||||
@@ -50,7 +50,7 @@
|
||||
rfc2136:
|
||||
nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
|
||||
tsigAlgorithm: HMACSHA512
|
||||
tsigKeyName: k8s
|
||||
tsigKeyName: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
tsigSecretSecretRef:
|
||||
key: tsig-secret-key
|
||||
name: tsig-secret
|
||||
@@ -81,7 +81,7 @@
|
||||
rfc2136:
|
||||
nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
|
||||
tsigAlgorithm: HMACSHA512
|
||||
tsigKeyName: k8s
|
||||
tsigKeyName: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
tsigSecretSecretRef:
|
||||
key: tsig-secret-key
|
||||
name: tsig-secret
|
||||
|
||||
@@ -51,14 +51,12 @@ dovecot_default_values:
|
||||
auth-ldap: |
|
||||
passdb {
|
||||
driver = ldap
|
||||
|
||||
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
|
||||
args = /etc/dovecot/ldap.conf
|
||||
}
|
||||
userdb {
|
||||
driver = ldap
|
||||
args = /etc/dovecot/ldap.conf
|
||||
|
||||
}
|
||||
10-auth: |
|
||||
auth_default_realm = {{ domain }}
|
||||
@@ -130,7 +128,7 @@ dovecot_default_values:
|
||||
}
|
||||
|
||||
service auth {
|
||||
inet_listener {
|
||||
inet_listener {
|
||||
port = 12345
|
||||
}
|
||||
unix_listener auth-userdb {
|
||||
@@ -158,7 +156,202 @@ dovecot_default_values:
|
||||
ssl = required
|
||||
#verbose_ssl = yes
|
||||
ssl_prefer_server_ciphers = yes
|
||||
ssl_min_protocol = TLSv1.2
|
||||
ssl_min_protocol = TLSv1.3
|
||||
ssl_cert = </tls/tls.crt
|
||||
ssl_key = </tls/tls.key
|
||||
10-logging: |
|
||||
log_path = /dev/stderr
|
||||
info_log_path = /dev/stdout
|
||||
debug_log_path = /dev/stdout
|
||||
15-lda: |
|
||||
postmaster_address = postmaster@{{ domain }}
|
||||
hostname = {{ domain }}
|
||||
rejection_reason = Your message to was automatically rejected:%n%r
|
||||
protocol lda {
|
||||
mail_plugins = virtual sieve
|
||||
}
|
||||
20-lmtp: |
|
||||
protocol lmtp {
|
||||
mail_plugins = virtual sieve
|
||||
postmaster_address = postmaster@{{ domain }}
|
||||
}
|
||||
20-managesieve: |
|
||||
service managesieve-login {
|
||||
inet_listener sieve {
|
||||
port = 4190
|
||||
ssl = yes
|
||||
}
|
||||
service_count = 1
|
||||
vsz_limit = 64M
|
||||
}
|
||||
|
||||
service managesieve {
|
||||
process_limit = 1024
|
||||
}
|
||||
service:
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: "{{ dovecot_loadbalancer_ip | default(omit) }}"
|
||||
|
||||
# WIP
|
||||
dovecot_oidc: false
|
||||
dovecot_oidc_default_values:
|
||||
replicaCount: 1
|
||||
persistence:
|
||||
enabled: true
|
||||
existingClaim: mailboxes
|
||||
tls:
|
||||
enabled: true
|
||||
existingSecret: "{{ mail_short_name | default('mail') }}.{{ domain }}-secret"
|
||||
dovecot:
|
||||
configmaps:
|
||||
dovecot:
|
||||
dovecot: |
|
||||
protocols = imap lmtp sieve
|
||||
mail_max_userip_connections = 1000
|
||||
mail_plugins = virtual
|
||||
|
||||
auth_debug = yes
|
||||
auth_verbose = yes
|
||||
#haproxy_trusted_networks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
|
||||
#haproxy_timeout = 30s
|
||||
dict {
|
||||
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
|
||||
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
|
||||
}
|
||||
|
||||
# Most of the actual configuration gets included below. The filenames are
|
||||
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
|
||||
# in filenames are intended to make it easier to understand the ordering.
|
||||
!include conf.d/*.conf
|
||||
|
||||
# A config file can also tried to be included without giving an error if
|
||||
# it's not found:
|
||||
!include_try local.conf
|
||||
oauth2: |
|
||||
introspection_mode = post
|
||||
introspection_url = https://{{ dovecot_oidc_username }}:{{ dovecot_oidc_password }}@keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token/introspect
|
||||
grant_url = https://keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token
|
||||
#client_id = dovecot
|
||||
#client_secret = X10dQgQprHLxZj8nsvB2fEpJwuBr0hWq
|
||||
tokeninfo_url = https://keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token
|
||||
#tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||
rawlog_dir = /tmp/oauth2
|
||||
debug = yes
|
||||
#use_grant_password = no
|
||||
#username_attribute = username
|
||||
#pass_attrs = pass=%{oauth2:access_token}
|
||||
ldap: |
|
||||
confd:
|
||||
auth-ldap: |
|
||||
auth-oauth2: |
|
||||
passdb {
|
||||
driver = oauth2
|
||||
mechanisms = xoauth2 oauthbearer
|
||||
args = /etc/dovecot/oauth2.conf
|
||||
}
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/home/vmail/%u
|
||||
}
|
||||
10-auth: |
|
||||
auth_default_realm = {{ domain }}
|
||||
auth_username_format = %Lu
|
||||
auth_mechanisms = plain login xoauth2 oauthbearer
|
||||
10-mail: |
|
||||
mail_location = maildir:%h
|
||||
namespace inbox {
|
||||
inbox = yes
|
||||
}
|
||||
mail_uid = vmail
|
||||
mail_gid = vmail
|
||||
first_valid_uid = 1000
|
||||
last_valid_uid = 1000
|
||||
first_valid_gid = 1000
|
||||
last_valid_gid = 1000
|
||||
protocol !indexer-worker {
|
||||
}
|
||||
mbox_write_locks = fcntl
|
||||
10-master: |
|
||||
protocol imap {
|
||||
mail_plugins = virtual
|
||||
}
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
#port = 143
|
||||
}
|
||||
inet_listener imaps {
|
||||
#port = 993
|
||||
#ssl = yes
|
||||
}
|
||||
inet_listener imap_haproxy {
|
||||
port = 1109
|
||||
#haproxy = yes
|
||||
}
|
||||
inet_listener imaps_haproxy {
|
||||
port = 10993
|
||||
ssl = yes
|
||||
#haproxy = yes
|
||||
}
|
||||
}
|
||||
|
||||
service pop3-login {
|
||||
inet_listener pop3 {
|
||||
#port = 110
|
||||
}
|
||||
inet_listener pop3s {
|
||||
#port = 995
|
||||
#ssl = yes
|
||||
}
|
||||
}
|
||||
|
||||
service lmtp {
|
||||
inet_listener lmtp {
|
||||
port = 24
|
||||
}
|
||||
unix_listener /var/spool/postfix/private/dovecot-lmtp {
|
||||
mode = 0600
|
||||
group = postfix
|
||||
user = postfix
|
||||
}
|
||||
user = vmail
|
||||
}
|
||||
|
||||
service imap {
|
||||
}
|
||||
|
||||
service pop3 {
|
||||
}
|
||||
|
||||
service auth {
|
||||
inet_listener {
|
||||
port = 12345
|
||||
}
|
||||
unix_listener auth-userdb {
|
||||
mode = 0660
|
||||
user = vmail
|
||||
#group =
|
||||
}
|
||||
|
||||
# Postfix smtp-auth
|
||||
unix_listener /var/spool/postfix/private/auth {
|
||||
mode = 0660
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
|
||||
service auth-worker {
|
||||
}
|
||||
|
||||
service dict {
|
||||
unix_listener dict {
|
||||
}
|
||||
}
|
||||
10-ssl: |
|
||||
ssl = required
|
||||
#verbose_ssl = yes
|
||||
ssl_prefer_server_ciphers = yes
|
||||
ssl_min_protocol = TLSv1.3
|
||||
ssl_cert = </tls/tls.crt
|
||||
ssl_key = </tls/tls.key
|
||||
10-logging: |
|
||||
|
||||
@@ -1,5 +1,10 @@
|
||||
- set_fact:
|
||||
dovecot_combined_values: "{{ dovecot_default_values | combine(dovecot_values, recursive=true) }}"
|
||||
dovecot_combined_values: "{{ dovecot_default_values | combine(dovecot_values | default({}), recursive=true) }}"
|
||||
when: not mail_oidc
|
||||
|
||||
- set_fact:
|
||||
dovecot_combined_values: "{{ dovecot_oidc_default_values | combine(dovecot_oidc_values | default({}), recursive=true) }}"
|
||||
when: mail_oidc
|
||||
|
||||
- name: Deploy Dovecot
|
||||
kubernetes.core.helm:
|
||||
@@ -9,5 +14,4 @@
|
||||
chart_ref: "{{ dovecot_chart_ref }}"
|
||||
chart_version: "{{ dovecot_version | default(omit) }}"
|
||||
release_values: "{{ dovecot_combined_values | from_yaml }}"
|
||||
wait: true
|
||||
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
external_dns_chart_ref: "bitnami/external-dns"
|
||||
external_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
external_dns_tsigSecretAlg: "hmac-sha512"
|
||||
external_dns_default_values:
|
||||
fullnameOverride: "{{ external_dns_name | default(namespace + '-external-dns') }}"
|
||||
ingressClassFilters: ["{{ external_ingress_class }}"]
|
||||
@@ -9,8 +11,8 @@ external_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ external_domain | default(domain) }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ external_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ external_dns_tsigKeyname | default('k8s') }}"
|
||||
tsigSecretAlg: "{{ external_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ external_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
external_dns_combined_values: "{{ external_dns_default_values | combine(external_dns_values, recursive=true) }}"
|
||||
external_dns_combined_values: "{{ external_dns_default_values | combine(external_dns_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy external DNS
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
external_ingress_nginx_combined_values: "{{ external_ingress_nginx_default_values | combine(external_ingress_nginx_values, recursive=true) }}"
|
||||
external_ingress_nginx_combined_values: "{{ external_ingress_nginx_default_values | combine(external_ingress_nginx_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy external Nginx Ingress
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
gitea_act_runner_combined_values: "{{ gitea_act_runner_default_values | combine(gitea_act_runner_values, recursive=true) }}"
|
||||
gitea_act_runner_combined_values: "{{ gitea_act_runner_default_values | combine(gitea_act_runner_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Gitea Act Runner
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -32,7 +32,7 @@ gitea_default_values:
|
||||
hosts:
|
||||
- "{{ gitea_short_name }}.{{ domain }}"
|
||||
|
||||
redis-cluster:
|
||||
valkey-cluster:
|
||||
enabled: false
|
||||
|
||||
postgresql-ha:
|
||||
@@ -153,6 +153,8 @@ gitea_ingress_nginx_default_values:
|
||||
|
||||
|
||||
gitea_dns_chart_ref: "bitnami/external-dns"
|
||||
gitea_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
gitea_dns_tsigSecretAlg: "hmac-sha512"
|
||||
gitea_dns_default_values:
|
||||
fullnameOverride: "{{ gitea_dns_name | default(namespace + '-gitea-internal-dns') }}"
|
||||
ingressClassFilters: ["{{ gitea_ingress_class }}"]
|
||||
@@ -163,8 +165,8 @@ gitea_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ domain }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ gitea_dns_tsigKeyname | default('k8s') }}"
|
||||
tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ gitea_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -5,20 +5,20 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
gitea_combined_values: "{{ gitea_default_values | combine(gitea_values, recursive=true) }}"
|
||||
gitea_combined_values: "{{ gitea_default_values | combine(gitea_values | default({}), recursive=true) }}"
|
||||
|
||||
- set_fact:
|
||||
gitea_combined_values: "{{ gitea_combined_values | combine(gitea_external_db_values, recursive=true) }}"
|
||||
gitea_combined_values: "{{ gitea_combined_values | combine(gitea_external_db_values | default({}), recursive=true) }}"
|
||||
when: gitea_use_external_db
|
||||
|
||||
- set_fact:
|
||||
gitea_dns_combined_values: "{{ gitea_dns_default_values | combine(gitea_dns_values, recursive=true) }}"
|
||||
gitea_dns_combined_values: "{{ gitea_dns_default_values | combine(gitea_dns_values | default({}), recursive=true) }}"
|
||||
|
||||
- set_fact:
|
||||
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_default_values | combine(gitea_ingress_nginx_values, recursive=true) }}"
|
||||
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_default_values | combine(gitea_ingress_nginx_values | default({}), recursive=true) }}"
|
||||
|
||||
- set_fact:
|
||||
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_combined_values | combine(gitea_publish_ingress_nginx_values, recursive=true) }}"
|
||||
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_combined_values | combine(gitea_publish_ingress_nginx_values | default({}), recursive=true) }}"
|
||||
when: gitea_publish_web
|
||||
|
||||
- name: Deploy Nginx Ingress for Gitea
|
||||
|
||||
@@ -13,6 +13,13 @@
|
||||
- restart haproxy
|
||||
when: haproxy_config is defined
|
||||
|
||||
- name: set haproxy_connect_any flag on and keep it persistent across reboots
|
||||
ansible.posix.seboolean:
|
||||
name: haproxy_connect_any
|
||||
state: yes
|
||||
persistent: yes
|
||||
when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
|
||||
|
||||
- name: start haproxy service
|
||||
systemd:
|
||||
name: haproxy
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
harbor_combined_values: "{{ harbor_default_values | combine(harbor_values, recursive=true) }}"
|
||||
harbor_combined_values: "{{ harbor_default_values | combine(harbor_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Harbor
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
internal_dns_chart_ref: "bitnami/external-dns"
|
||||
internal_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
internal_dns_tsigSecretAlg: "hmac-sha512"
|
||||
internal_dns_default_values:
|
||||
fullnameOverride: "{{ internal_dns_name | default(namespace + '-internal-dns') }}"
|
||||
ingressClassFilters: ["{{ internal_ingress_class }}"]
|
||||
@@ -9,8 +11,8 @@ internal_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ internal_domain | default(domain) }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ internal_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ internal_dns_tsigKeyname | default(namespace) }}"
|
||||
tsigSecretAlg: "{{ internal_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ internal_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
internal_dns_combined_values: "{{ internal_dns_default_values | combine(internal_dns_values, recursive=true) }}"
|
||||
internal_dns_combined_values: "{{ internal_dns_default_values | combine(internal_dns_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy internal DNS
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
internal_ingress_nginx_combined_values: "{{ internal_ingress_nginx_default_values | combine(internal_ingress_nginx_values, recursive=true) }}"
|
||||
internal_ingress_nginx_combined_values: "{{ internal_ingress_nginx_default_values | combine(internal_ingress_nginx_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy internal Nginx Ingress
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values, recursive=true) }}"
|
||||
keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Keycloak
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
owner: "root"
|
||||
group: "knot"
|
||||
validate: "knotc -c %s conf-check"
|
||||
backup: true
|
||||
notify: Restart knot
|
||||
|
||||
- name: Enable and start knot
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
local_dns_chart_ref: "bitnami/external-dns"
|
||||
local_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
local_dns_tsigSecretAlg: "hmac-sha512"
|
||||
local_dns_default_values:
|
||||
fullnameOverride: "{{ local_dns_name | default(namespace + '-local-dns') }}"
|
||||
ingressClassFilters: ["{{ local_ingress_class }}"]
|
||||
@@ -9,8 +11,8 @@ local_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ local_domain }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ local_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ local_dns_tsigKeyname | default(namespace) }}"
|
||||
tsigSecretAlg: "{{ local_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ local_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
local_dns_combined_values: "{{ local_dns_default_values | combine(local_dns_values, recursive=true) }}"
|
||||
local_dns_combined_values: "{{ local_dns_default_values | combine(local_dns_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy local DNS
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
local_ingress_nginx_combined_values: "{{ local_ingress_nginx_default_values | combine(local_ingress_nginx_values, recursive=true) }}"
|
||||
local_ingress_nginx_combined_values: "{{ local_ingress_nginx_default_values | combine(local_ingress_nginx_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy local Nginx Ingress
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1 +1,4 @@
|
||||
mail_short_name: "mail"
|
||||
|
||||
# WIP
|
||||
mail_oidc: false
|
||||
|
||||
@@ -37,11 +37,15 @@
|
||||
storageClassName: "{{ mailbox_storage | default('nfs-hdd') }}"
|
||||
|
||||
- name: Deploy Postfix
|
||||
vars:
|
||||
postfix_oidc: "{{ mail_oidc }}"
|
||||
import_role:
|
||||
name: postfix
|
||||
tags: postfix
|
||||
|
||||
- name: Deploy Dovecot
|
||||
vars:
|
||||
dovecot_oidc: "{{ mail_oidc }}"
|
||||
import_role:
|
||||
name: dovecot
|
||||
tags: dovecot
|
||||
|
||||
@@ -26,42 +26,25 @@ mastodon_default_values:
|
||||
- "{{ mastodon_short_name }}.{{ domain }}"
|
||||
|
||||
mastodon:
|
||||
# create an initial administrator user; the password is autogenerated and will
|
||||
# have to be reset
|
||||
createAdmin:
|
||||
enabled: true
|
||||
username: "{{ mastodon_admin_user | default(mastodon_admin_username) | default('mastodon') }}"
|
||||
password: "{{ mastodon_admin_pass | default(mastodon_admin_password) }}"
|
||||
email: "{{ mastodon_admin_email }}"
|
||||
|
||||
# available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
|
||||
locale: en
|
||||
local_domain: "{{ mastodon_short_name }}.{{ domain }}"
|
||||
|
||||
cron:
|
||||
# run `tootctl media remove` every week
|
||||
removeMedia:
|
||||
enabled: true
|
||||
schedule: "0 0 * * 0"
|
||||
|
||||
web:
|
||||
port: 3000
|
||||
streaming:
|
||||
port: 4000
|
||||
# this should be set manually since os.cpus() returns the number of CPUs on
|
||||
# the node running the pod, which is unrelated to the resources allocated to
|
||||
# the pod by k8s
|
||||
workers: 2
|
||||
sidekiq:
|
||||
concurrency: 25
|
||||
|
||||
# these must be set manually; autogenerated keys are rotated on each upgrade
|
||||
secrets:
|
||||
secret_key_base: "{{ mastodon_vapid_public_key_base64 | hash('sha256') }}"
|
||||
otp_secret: "{{ mastodon_vapid_public_key_base64 | hash('sha256') | hash('sha256') }}"
|
||||
vapid:
|
||||
private_key: "{{ mastodon_vapid_private_key_base64 | b64decode }}"
|
||||
public_key: "{{ mastodon_vapid_public_key_base64 | b64decode }}"
|
||||
activeRecordEncryption:
|
||||
primaryKey: "{{ mastodon_primary_key_secret }}"
|
||||
deterministicKey: "{{ mastodon_deterministic_key_secret }}"
|
||||
keyDerivationSalt: "{{ mastodon_key_derivation_salt_secret }}"
|
||||
|
||||
smtp:
|
||||
auth_method: login
|
||||
@@ -95,11 +78,6 @@ mastodon_default_values:
|
||||
storage: "{{ mastodon_system_size | default('100Gi') }}"
|
||||
|
||||
elasticsearch:
|
||||
# `false` will disable full-text search
|
||||
#
|
||||
# if you enable ES after the initial install, you will need to manually run
|
||||
# RAILS_ENV=production bundle exec rake chewy:sync
|
||||
# (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
|
||||
enabled: "{{ mastodon_enable_elasticsearch }}"
|
||||
master:
|
||||
name: master
|
||||
@@ -116,20 +94,14 @@ mastodon_default_values:
|
||||
##
|
||||
replicas: 1
|
||||
|
||||
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
|
||||
postgresql:
|
||||
# Disable for external PostgreSQL
|
||||
enabled: false
|
||||
postgresqlHostname: "{{ namespace }}-postgres.{{ postgres_db_namespace | default(namespace) }}.svc.cluster.local"
|
||||
# you must set a password; the password generated by the postgresql chart will
|
||||
# be rotated on each upgrade:
|
||||
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
|
||||
auth:
|
||||
database: mastodon
|
||||
username: "{{ mastodon_db_username }}"
|
||||
password: "{{ mastodon_db_password }}"
|
||||
|
||||
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
|
||||
redis:
|
||||
architecture: standalone
|
||||
enabled: true
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
mastodon_combined_values: "{{ mastodon_default_values | combine(mastodon_values, recursive=true) }}"
|
||||
mastodon_combined_values: "{{ mastodon_default_values | combine(mastodon_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Mastodon
|
||||
kubernetes.core.helm:
|
||||
@@ -15,38 +15,3 @@
|
||||
chart_ref: "{{ mastodon_chart_ref }}"
|
||||
chart_version: "{{ mastodon_version | default(omit) }}"
|
||||
release_values: "{{ mastodon_combined_values | from_yaml }}"
|
||||
|
||||
|
||||
- name: Search for mastodon web pod
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Pod
|
||||
namespace: "{{ mastodon_namespace | default(namespace) }}"
|
||||
label_selectors:
|
||||
- app.kubernetes.io/component=web
|
||||
- app.kubernetes.io/instance=mastodon
|
||||
register: mastodon_web_pod_name
|
||||
|
||||
- name: Remove mastodon web pod for restart
|
||||
kubernetes.core.k8s:
|
||||
state: absent
|
||||
api_version: v1
|
||||
kind: Pod
|
||||
namespace: "{{ mastodon_namespace | default(namespace) }}"
|
||||
name: "{{ mastodon_web_pod_name.resources[0].metadata.name }}"
|
||||
|
||||
- name: Search for mastodon streaming pod
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Pod
|
||||
namespace: "{{ mastodon_namespace | default(namespace) }}"
|
||||
label_selectors:
|
||||
- app.kubernetes.io/component=streaming
|
||||
- app.kubernetes.io/instance=mastodon
|
||||
register: mastodon_streaming_pod_name
|
||||
|
||||
- name: Remove mastodon streaming pod for restart
|
||||
kubernetes.core.k8s:
|
||||
state: absent
|
||||
api_version: v1
|
||||
kind: Pod
|
||||
namespace: "{{ mastodon_namespace | default(namespace) }}"
|
||||
name: "{{ mastodon_streaming_pod_name.resources[0].metadata.name }}"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
metallb_combined_values: "{{ metallb_default_values | combine(metallb_values, recursive=true) }}"
|
||||
metallb_combined_values: "{{ metallb_default_values | combine(metallb_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy MetalLB
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
metrics_server_combined_values: "{{ metrics_server_default_values | combine(metrics_server_values, recursive=true) }}"
|
||||
metrics_server_combined_values: "{{ metrics_server_default_values | combine(metrics_server_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Metrics server
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
minio_combined_values: "{{ minio_default_values | combine(minio_values, recursive=true) }}"
|
||||
minio_combined_values: "{{ minio_default_values | combine(minio_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy MinIO
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
nextcloud_combined_values: "{{ nextcloud_default_values | combine(nextcloud_values, recursive=true) }}"
|
||||
nextcloud_combined_values: "{{ nextcloud_default_values | combine(nextcloud_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Nextcloud
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
nfs_client_provisioner_hdd_combined_values: "{{ nfs_client_provisioner_hdd_default_values | combine(nfs_client_provisioner_hdd_values, recursive=true) }}"
|
||||
nfs_client_provisioner_hdd_combined_values: "{{ nfs_client_provisioner_hdd_default_values | combine(nfs_client_provisioner_hdd_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy NFS client provisioner for HDD storage
|
||||
kubernetes.core.helm:
|
||||
@@ -12,7 +12,7 @@
|
||||
wait: true
|
||||
|
||||
- set_fact:
|
||||
nfs_client_provisioner_ssd_combined_values: "{{ nfs_client_provisioner_ssd_default_values | combine(nfs_client_provisioner_ssd_values, recursive=true) }}"
|
||||
nfs_client_provisioner_ssd_combined_values: "{{ nfs_client_provisioner_ssd_default_values | combine(nfs_client_provisioner_ssd_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy NFS client provisioner for SSD storage
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -10,3 +10,17 @@
|
||||
register: install_nginx_result
|
||||
tags:
|
||||
- nginx-install
|
||||
|
||||
- name: set httpd_can_network_connect flag on and keep it persistent across reboots
|
||||
ansible.posix.seboolean:
|
||||
name: httpd_can_network_connect
|
||||
state: yes
|
||||
persistent: yes
|
||||
when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
|
||||
|
||||
- name: set httpd_can_network_relay flag on and keep it persistent across reboots
|
||||
ansible.posix.seboolean:
|
||||
name: httpd_can_network_relay
|
||||
state: yes
|
||||
persistent: yes
|
||||
when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
group: cert-manager.io
|
||||
|
||||
- set_fact:
|
||||
openldap_combined_values: "{{ openldap_default_values | combine(openldap_values, recursive=true) }}"
|
||||
openldap_combined_values: "{{ openldap_default_values | combine(openldap_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy OpenLDAP
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
peertube_combined_values: "{{ peertube_default_values | combine(peertube_values, recursive=true) }}"
|
||||
peertube_combined_values: "{{ peertube_default_values | combine(peertube_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy PeerTube
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
playmaker_combined_values: "{{ playmaker_default_values | combine(playmaker_values, recursive=true) }}"
|
||||
playmaker_combined_values: "{{ playmaker_default_values | combine(playmaker_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Docker playmaker
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -287,6 +287,290 @@ postfix_default_values:
|
||||
query_filter = mail=%s
|
||||
result_attribute = cn
|
||||
cache = no
|
||||
|
||||
service:
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: "{{ postfix_loadbalancer_ip | default(omit) }}"
|
||||
|
||||
# WIP
|
||||
postfix_oidc: false
|
||||
postfix_oidc_default_values:
|
||||
replicaCount: 1
|
||||
persistence:
|
||||
enabled: true
|
||||
existingClaim: mailboxes
|
||||
tls:
|
||||
enabled: true
|
||||
existingSecret: "{{ mail_short_name | default('mail') }}.{{ domain }}-secret"
|
||||
postfix:
|
||||
configmaps:
|
||||
main: |
|
||||
#smtp_host_lookup = native
|
||||
compatibility_level = 2
|
||||
maillog_file = /dev/stdout
|
||||
# Use ipv4 and listen on all interfaces
|
||||
inet_protocols = ipv4
|
||||
inet_interfaces = all
|
||||
|
||||
queue_directory = /var/spool/postfix
|
||||
command_directory = /usr/sbin
|
||||
daemon_directory = /usr/libexec/postfix
|
||||
data_directory = /var/lib/postfix
|
||||
mail_owner = postfix
|
||||
|
||||
# Postfix full server name for mail send/recieve
|
||||
myhostname = {{ mail_short_name | default('mail') }}.{{ domain }}
|
||||
|
||||
# Set domain name
|
||||
mydomain = {{ domain }}
|
||||
|
||||
# Local name for mail send
|
||||
myorigin = $mydomain
|
||||
|
||||
# Local mail delivery
|
||||
mydestination = $myhostname, localhost.$mydomain, localhost
|
||||
|
||||
# Transport type
|
||||
local_transport = virtual
|
||||
|
||||
# Local users map
|
||||
#local_recipient_maps = $virtual_mailbox_maps
|
||||
|
||||
# Reject code
|
||||
unknown_local_recipient_reject_code = 550
|
||||
|
||||
# Virtual domain list
|
||||
virtual_mailbox_domains = {{ domain }}
|
||||
virtual_mailbox_base = /var/mail/vhosts
|
||||
|
||||
# Allowed users map
|
||||
#virtual_mailbox_maps = ldap:/etc/postfix/ldap-local-recipients.cf
|
||||
|
||||
# Dovecot socket for mail delivery
|
||||
#virtual_transport = lmtp:unix:private/dovecot-lmtp
|
||||
virtual_transport = lmtp:inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:24
|
||||
|
||||
# Certs and TLS options
|
||||
smtpd_tls_cert_file = /tls/tls.crt
|
||||
smtpd_tls_key_file = /tls/tls.key
|
||||
smtpd_use_tls = yes
|
||||
smtpd_tls_auth_only = yes
|
||||
smtpd_tls_security_level = may
|
||||
smtp_tls_loglevel = 1
|
||||
smtpd_tls_loglevel = 1
|
||||
smtpd_tls_received_header = yes
|
||||
smtpd_tls_session_cache_timeout = 3600s
|
||||
smtp_tls_note_starttls_offer = yes
|
||||
tls_random_source = dev:/dev/urandom
|
||||
smtp_tls_security_level = may
|
||||
# DANE-Settings
|
||||
#smtp_dns_support_level=dnssec
|
||||
#smtp_host_lookup=dns
|
||||
#smtp_tls_security_level = dane
|
||||
#smtp_tls_loglevel=1
|
||||
|
||||
# Filters for mail
|
||||
smtpd_helo_required = yes
|
||||
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_unauth_destination
|
||||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination
|
||||
smtpd_discard_ehlo_keywords = ''
|
||||
|
||||
# SASL auth with dovecot options
|
||||
smtpd_sasl_auth_enable = yes
|
||||
smtpd_sasl_security_options = noanonymous
|
||||
broken_sasl_auth_clients = yes
|
||||
smtpd_sasl_type = dovecot
|
||||
smtpd_sasl_path = inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
|
||||
smtpd_sasl_local_domain = $myorigin
|
||||
|
||||
milter_protocol = 6
|
||||
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
||||
smtpd_milters = inet:{{ rspamd_short_name | default('rspamd') }}.{{ namespace }}.svc.cluster.local:11332
|
||||
non_smtpd_milters = $smtpd_milters
|
||||
milter_default_action = accept
|
||||
|
||||
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
|
||||
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
|
||||
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
||||
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
||||
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
||||
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
||||
|
||||
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
|
||||
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
|
||||
|
||||
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
|
||||
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
|
||||
|
||||
smtp_tls_ciphers = high
|
||||
smtpd_tls_ciphers = high
|
||||
|
||||
sendmail_path = /usr/sbin/sendmail
|
||||
html_directory = no
|
||||
setgid_group = postdrop
|
||||
manpage_directory = /usr/share/man
|
||||
newaliases_path = /usr/bin/newaliases
|
||||
mailq_path = /usr/bin/mailq
|
||||
|
||||
master: |
|
||||
#
|
||||
# Postfix master process configuration file. For details on the format
|
||||
# of the file, see the master(5) manual page (command: "man 5 master").
|
||||
#
|
||||
# Do not forget to execute "postfix reload" after editing this file.
|
||||
#
|
||||
# ==========================================================================
|
||||
# service type private unpriv chroot wakeup maxproc command + args
|
||||
# (yes) (yes) (yes) (never) (100)
|
||||
# ==========================================================================
|
||||
smtp inet n - n - - smtpd
|
||||
#smtp inet n - n - 1 postscreen
|
||||
smtpd pass - - n - - smtpd
|
||||
dnsblog unix - - n - 0 dnsblog
|
||||
tlsproxy unix - - n - 0 tlsproxy
|
||||
submission inet n - n - - smtpd
|
||||
# -o syslog_name=postfix/submission
|
||||
# -o smtpd_tls_security_level=encrypt
|
||||
# -o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
|
||||
# -o milter_macro_daemon_name=ORIGINATING
|
||||
smtps inet n - n - - smtpd
|
||||
# -o syslog_name=postfix/smtps
|
||||
-o smtpd_tls_wrappermode=yes
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
|
||||
# -o milter_macro_daemon_name=ORIGINATING
|
||||
#628 inet n - n - - qmqpd
|
||||
pickup unix n - n 60 1 pickup
|
||||
cleanup unix n - n - 0 cleanup
|
||||
qmgr unix n - n 300 1 qmgr
|
||||
#qmgr unix n - n 300 1 oqmgr
|
||||
tlsmgr unix - - n 1000? 1 tlsmgr
|
||||
rewrite unix - - n - - trivial-rewrite
|
||||
bounce unix - - n - 0 bounce
|
||||
defer unix - - n - 0 bounce
|
||||
trace unix - - n - 0 bounce
|
||||
verify unix - - n - 1 verify
|
||||
flush unix n - n 1000? 0 flush
|
||||
proxymap unix - - n - - proxymap
|
||||
proxywrite unix - - n - 1 proxymap
|
||||
smtp unix - - n - - smtp
|
||||
relay unix - - n - - smtp
|
||||
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||
showq unix n - n - - showq
|
||||
error unix - - n - - error
|
||||
retry unix - - n - - error
|
||||
discard unix - - n - - discard
|
||||
local unix - n n - - local
|
||||
virtual unix - n n - - virtual
|
||||
lmtp unix - - n - - lmtp
|
||||
anvil unix - - n - 1 anvil
|
||||
scache unix - - n - 1 scache
|
||||
postlog unix-dgram n - n - 1 postlogd
|
||||
2525 inet n - n - 1 postscreen
|
||||
#-o postscreen_upstream_proxy_protocol=haproxy
|
||||
-o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache
|
||||
-o syslog_name=postfix/2525
|
||||
10587 inet n - n - - smtpd
|
||||
-o syslog_name=postfix/10587
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_tls_wrappermode=no
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_sasl_type=dovecot
|
||||
-o smtpd_sasl_path=inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
|
||||
#-o smtpd_upstream_proxy_protocol=haproxy
|
||||
10465 inet n - n - - smtpd
|
||||
-o syslog_name=postfix/10465
|
||||
-o smtpd_tls_wrappermode=yes
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_sasl_type=dovecot
|
||||
-o smtpd_sasl_path=inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
|
||||
#-o smtpd_upstream_proxy_protocol=haproxy
|
||||
#
|
||||
# ====================================================================
|
||||
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||
# pages of the non-Postfix software to find out what options it wants.
|
||||
#
|
||||
# Many of the following services use the Postfix pipe(8) delivery
|
||||
# agent. See the pipe(8) man page for information about ${recipient}
|
||||
# and other message envelope options.
|
||||
# ====================================================================
|
||||
#
|
||||
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||
#
|
||||
#maildrop unix - n n - - pipe
|
||||
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||
#
|
||||
# Specify in cyrus.conf:
|
||||
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||
#
|
||||
# Specify in main.cf one or more of the following:
|
||||
# mailbox_transport = lmtp:inet:localhost
|
||||
# virtual_transport = lmtp:inet:localhost
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Cyrus 2.1.5 (Amos Gouaux)
|
||||
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||
#
|
||||
#cyrus unix - n n - - pipe
|
||||
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Old example of delivery via Cyrus.
|
||||
#
|
||||
#old-cyrus unix - n n - - pipe
|
||||
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# See the Postfix UUCP_README file for configuration details.
|
||||
#
|
||||
#uucp unix - n n - - pipe
|
||||
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Other external delivery methods.
|
||||
#
|
||||
#ifmail unix - n n - - pipe
|
||||
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||
#
|
||||
#bsmtp unix - n n - - pipe
|
||||
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
|
||||
#
|
||||
#scalemail-backend unix - n n - 2 pipe
|
||||
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
|
||||
# ${nexthop} ${user} ${extension}
|
||||
#
|
||||
#mailman unix - n n - - pipe
|
||||
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||
# ${nexthop} ${user}
|
||||
#dane unix - - n - - smtp
|
||||
# -o smtp_dns_support_level=dnssec
|
||||
# -o smtp_tls_security_level=dane
|
||||
#policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
|
||||
ldap-local-recipients: |
|
||||
|
||||
service:
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: "{{ postfix_loadbalancer_ip | default(omit) }}"
|
||||
|
||||
@@ -1,5 +1,10 @@
|
||||
- set_fact:
|
||||
postfix_combined_values: "{{ postfix_default_values | combine(postfix_values, recursive=true) }}"
|
||||
postfix_combined_values: "{{ postfix_default_values | combine(postfix_values | default({}), recursive=true) }}"
|
||||
when: not mail_oidc
|
||||
|
||||
- set_fact:
|
||||
postfix_combined_values: "{{ postfix_oidc_default_values | combine(postfix_oidc_values | default({}), recursive=true) }}"
|
||||
when: mail_oidc
|
||||
|
||||
- name: Deploy Postfix
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -20,6 +20,7 @@ postgres_operator_ui_default_values:
|
||||
envs:
|
||||
# IMPORTANT: While operator chart and UI chart are idendependent, this is the interface between
|
||||
# UI and operator API. Insert the service name of the operator API here!
|
||||
appUrl: "https://{{ postgres_operator_ui_short_name }}.{{ domain }}"
|
||||
operatorApiUrl: "http://postgres-operator:8080"
|
||||
operatorClusterNameLabel: "cluster-name"
|
||||
resourcesVisible: "False"
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
ALLOW_NOSSL: "true"
|
||||
|
||||
- set_fact:
|
||||
postgres_operator_combined_values: "{{ postgres_operator_default_values | combine(postgres_operator_values, recursive=true) }}"
|
||||
postgres_operator_combined_values: "{{ postgres_operator_default_values | combine(postgres_operator_values | default({}), recursive=true) }}"
|
||||
when: postgres_operator_enabled
|
||||
|
||||
- name: Deploy Postgres Operator
|
||||
@@ -58,7 +58,7 @@
|
||||
when: postgres_operator_enabled
|
||||
|
||||
- set_fact:
|
||||
postgres_operator_ui_combined_values: "{{ postgres_operator_ui_default_values | combine(postgres_operator_ui_values, recursive=true) }}"
|
||||
postgres_operator_ui_combined_values: "{{ postgres_operator_ui_default_values | combine(postgres_operator_ui_values | default({}), recursive=true) }}"
|
||||
when: postgres_operator_ui_enabled
|
||||
|
||||
- name: Deploy Postgres Operator UI
|
||||
|
||||
@@ -20,6 +20,9 @@ default_accounts:
|
||||
secret_keys:
|
||||
- { name: peertube }
|
||||
- { name: harbor }
|
||||
- { name: mastodon_primary_key }
|
||||
- { name: mastodon_deterministic_key }
|
||||
- { name: mastodon_key_derivation_salt }
|
||||
|
||||
htpasswd_accounts:
|
||||
- { name: pypiserver_admin }
|
||||
|
||||
@@ -1,47 +1,36 @@
|
||||
- name: Test if DKIM private key exists
|
||||
shell: grep -c "dkim_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: dkim_private_key_test_grep
|
||||
- name: Generate DKIM keys
|
||||
when: passwords['dkim_public_key_base64'] is not defined or passwords['dkim_private_key_base64'] is not defined
|
||||
block:
|
||||
- name: Create DKIM keys
|
||||
docker_container:
|
||||
name: ddclient
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
|
||||
register: dkim_container_output
|
||||
|
||||
- name: Test if DKIM public key exists
|
||||
shell: grep -c "dkim_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: dkim_public_key_test_grep
|
||||
- name: Set dkim_keys
|
||||
set_fact:
|
||||
dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
|
||||
|
||||
- name: Create DKIM keys
|
||||
docker_container:
|
||||
name: ddclient
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
|
||||
register: dkim_container_output
|
||||
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
|
||||
- name: Show DKIM private key
|
||||
debug:
|
||||
msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Set ddclient_key
|
||||
set_fact:
|
||||
dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
|
||||
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
|
||||
- name: Show DKIM public key
|
||||
debug:
|
||||
msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Show DKIM private key
|
||||
debug:
|
||||
msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: dkim_private_key_test_grep.stdout == '0'
|
||||
- name: Write DKIM private key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
|
||||
|
||||
- name: Show DKIM public key
|
||||
debug:
|
||||
msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: dkim_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write DKIM private key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
|
||||
when: dkim_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write DKIM public key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
|
||||
when: dkim_public_key_test_grep.stdout == '0'
|
||||
- name: Write DKIM public key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
|
||||
|
||||
@@ -1,46 +1,36 @@
|
||||
- name: Test if password exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: password_test_grep
|
||||
- name: Generate htpasswd for {{ item.name }}
|
||||
when: passwords[item.name + '_password'] is not defined or passwords[item.name + '_htpasswd_hash'] is not defined
|
||||
block:
|
||||
- name: Create password for {{ item.name }}
|
||||
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
|
||||
register: password
|
||||
|
||||
- name: Test if password htpasswd hash exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_htpasswd_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: htpasswd_hash_test_grep
|
||||
- name: Show password json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ password }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Create password for {{ item.name }}
|
||||
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
|
||||
register: password
|
||||
when: password_test_grep.stdout == '0'
|
||||
- name: Create bcrypt hash from password for {{ item.name }}
|
||||
docker_container:
|
||||
name: slappasswd
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
|
||||
register: docker_container_output
|
||||
|
||||
- name: Show password json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ password }}"
|
||||
verbosity: 2
|
||||
when: password_test_grep.stdout == '0'
|
||||
- name: Show docker_container_output for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ docker_container_output }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Create bcrypt hash from password for {{ item.name }}
|
||||
docker_container:
|
||||
name: slappasswd
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
|
||||
register: docker_container_output
|
||||
when: htpasswd_hash_test_grep.stdout == '0'
|
||||
- name: Write password for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
|
||||
|
||||
- name: Show docker_container_output for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ docker_container_output }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Write password for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Write htpasswd hash for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
|
||||
when: htpasswd_hash_test_grep.stdout == '0'
|
||||
- name: Write htpasswd hash for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
|
||||
|
||||
@@ -1,7 +1,22 @@
|
||||
- name: Create passwords.yaml file
|
||||
- name: Check that passwords.yaml exists
|
||||
stat:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
register: passwords_file
|
||||
|
||||
- name: Create passwords.yaml file if not exists
|
||||
file:
|
||||
name: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
state: touch
|
||||
when: not passwords_file.stat.exists
|
||||
|
||||
- name: Read passwords.yaml file
|
||||
slurp:
|
||||
src: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
register: passwords_b64
|
||||
|
||||
- name: Set facts about passwords
|
||||
set_fact:
|
||||
passwords: "{{ passwords_b64['content'] | b64decode | from_yaml }}"
|
||||
|
||||
- name: Create files directory for ddclient tsig
|
||||
file:
|
||||
|
||||
@@ -1,49 +1,34 @@
|
||||
- name: Test if password exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: password_test_grep
|
||||
- name: Generate password for {{ item.name }}
|
||||
when: passwords[item.name + '_password'] is not defined
|
||||
block:
|
||||
- name: Create password for {{ item.name }}
|
||||
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
|
||||
register: password
|
||||
|
||||
- name: Test if password pbkdf2-sha512 hash exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_pbkdf2_sha512_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: pbkdf2_sha512_hash_test_grep
|
||||
- name: Show password json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ password }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Create password for {{ item.name }}
|
||||
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
|
||||
register: password
|
||||
when: password_test_grep.stdout == '0'
|
||||
- name: Write password for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
|
||||
|
||||
- name: Show password json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ password }}"
|
||||
verbosity: 2
|
||||
when: password_test_grep.stdout == '0'
|
||||
- name: Generate password for {{ item.name }}
|
||||
when: passwords[item.name + '_pbkdf2_sha512_hash'] is not defined
|
||||
block:
|
||||
- name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
|
||||
docker_container:
|
||||
name: slappasswd
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
|
||||
register: docker_container_output
|
||||
|
||||
- name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
|
||||
docker_container:
|
||||
name: slappasswd
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
|
||||
register: docker_container_output
|
||||
when: pbkdf2_sha512_hash_test_grep.stdout == '0'
|
||||
|
||||
- debug:
|
||||
msg: "{{ docker_container_output }}"
|
||||
|
||||
- name: Show docker_container_output for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ docker_container_output }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Write password for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Write PBKDF2-SHA512 hash for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
|
||||
when: pbkdf2_sha512_hash_test_grep.stdout == '0'
|
||||
- name: Write PBKDF2-SHA512 hash for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
|
||||
|
||||
@@ -1,20 +1,16 @@
|
||||
- name: Test if secret exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: secret_test_grep
|
||||
|
||||
- name: Create secret for {{ item.name }}
|
||||
shell: "openssl rand -hex 32"
|
||||
register: secret
|
||||
when: secret_test_grep.stdout == '0'
|
||||
when: passwords[item.name + '_secret'] is not defined
|
||||
block:
|
||||
- name: Create secret for {{ item.name }}
|
||||
shell: "openssl rand -hex 32"
|
||||
register: secret
|
||||
|
||||
- name: Show secret json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ secret }}"
|
||||
verbosity: 2
|
||||
when: secret_test_grep.stdout == '0'
|
||||
- name: Show secret json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ secret }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Write secret for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
|
||||
when: secret_test_grep.stdout == '0'
|
||||
- name: Write secret for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
|
||||
|
||||
@@ -1,99 +1,78 @@
|
||||
- name: Test if k8s TSIG key exists
|
||||
shell: grep -c "k8s_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: k8s_tsig_test_grep
|
||||
- name: Generate K8s TSIG for Knot DNS
|
||||
when: passwords['k8s_tsig'] is not defined
|
||||
block:
|
||||
- name: Generate k8s TSIG key for Knot DNS
|
||||
docker_container:
|
||||
name: keymgr
|
||||
image: "{{ docker_registry }}/tsig"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "keymgr -t k8s-{{ k8s_cluster_name }}-{{ namespace }} hmac-sha512"
|
||||
register: knot_container_output
|
||||
|
||||
- name: Test if ddclinet TSIG key exists
|
||||
shell: grep -c "ddclient_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: ddclient_tsig_test_grep
|
||||
- name: Set k8s_key
|
||||
set_fact:
|
||||
k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
|
||||
|
||||
- name: Test if ddclinet TSIG key exists
|
||||
shell: grep -c "ddclient_tsig_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: ddclient_tsig_public_key_test_grep
|
||||
- name: Show k8s TSIG key
|
||||
debug:
|
||||
msg: "Knot k8s key for k8s-{{ k8s_cluster_name }}-{{ namespace }}: {{ k8s_key['key'][0]['secret'] }}"
|
||||
|
||||
- name: Test if ddclinet TSIG key exists
|
||||
shell: grep -c "ddclient_tsig_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: ddclient_tsig_private_key_test_grep
|
||||
- name: Write TSIG for Kubernetes
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
|
||||
|
||||
- name: Generate k8s TSIG key for Knot DNS
|
||||
docker_container:
|
||||
name: keymgr
|
||||
image: "{{ docker_registry }}/tsig"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "keymgr -t {{ namespace }} hmac-sha512"
|
||||
register: knot_container_output
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
- name: Generate ddclient private and public TSIG keys for Knot DNS
|
||||
when:
|
||||
- passwords['ddclient_tsig_public_key_base64'] is not defined or passwords['ddclient_tsig_private_key_base64'] is not defined
|
||||
block:
|
||||
- name: Generate TSIG key for ddclient
|
||||
docker_container:
|
||||
name: ddclient
|
||||
image: "{{ docker_registry }}/tsig"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "bash tsig-key.sh ddclient-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
register: ddclient_container_output
|
||||
|
||||
- name: Set k8s_key
|
||||
set_fact:
|
||||
k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
- name: Set ddclient_key
|
||||
set_fact:
|
||||
ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
|
||||
|
||||
- name: Show k8s TSIG key
|
||||
debug:
|
||||
msg: "Knot k8s key: {{ k8s_key['key'][0]['secret'] }}"
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
- name: Show ddclient TSIG public key file
|
||||
debug:
|
||||
msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Write TSIG for Kubernetes
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
- name: Show ddclient TSIG private key file
|
||||
debug:
|
||||
msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Generate TSIG key for ddclient
|
||||
docker_container:
|
||||
name: ddclient
|
||||
image: "{{ docker_registry }}/tsig"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "bash tsig-key.sh {{ namespace }}"
|
||||
register: ddclient_container_output
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
- name: Write ddclient TSIG public key file in base64
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
|
||||
|
||||
- name: Set ddclient_key
|
||||
set_fact:
|
||||
ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
- name: Show ddclient TSIG key
|
||||
debug:
|
||||
msg: "{{ ddclient_tsig_key }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Show ddclient TSIG public key file
|
||||
debug:
|
||||
msg: "ddclient key: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0'
|
||||
- name: Write ddclient TSIG key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
|
||||
|
||||
- name: Show ddclient TSIG private key file
|
||||
debug:
|
||||
msg: "ddclient key: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
- name: Write ddclient TSIG private key file in base64
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
|
||||
|
||||
- name: Write ddclient TSIG public key file in base64
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0'
|
||||
- name: Set ddclient TSIG key
|
||||
set_fact:
|
||||
ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
|
||||
|
||||
- name: Write ddclient TSIG private key file in base64
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
|
||||
when: ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Set ddclient TSIG key
|
||||
set_fact:
|
||||
ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
|
||||
when: ddclient_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Show ddclient TSIG key
|
||||
debug:
|
||||
msg: "{{ ddclient_tsig_key }}"
|
||||
verbosity: 2
|
||||
when: ddclient_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Write ddclient TSIG key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
|
||||
when: ddclient_tsig_test_grep.stdout == '0'
|
||||
|
||||
@@ -1,47 +1,36 @@
|
||||
- name: Test if VAPID private key exists
|
||||
shell: grep -c "^{{ item.name }}_vapid_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: vapid_private_key_test_grep
|
||||
- name: Generate VAPID keys
|
||||
when: passwords[item.name + '_vapid_public_key_base64'] is not defined or passwords[item.name + '_vapid_private_key_base64'] is not defined
|
||||
block:
|
||||
- name: Create VAPID keys
|
||||
docker_container:
|
||||
name: vapid
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "/vapid"
|
||||
register: vapid_container_output
|
||||
|
||||
- name: Test if VAPID public key exists
|
||||
shell: grep -c "^{{ item.name }}_vapid_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: vapid_public_key_test_grep
|
||||
- name: Set VAPID keys fact
|
||||
set_fact:
|
||||
vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
|
||||
|
||||
- name: Create VAPID keys
|
||||
docker_container:
|
||||
name: vapid
|
||||
image: "{{ docker_registry }}/pwgen"
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "/vapid"
|
||||
register: vapid_container_output
|
||||
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
|
||||
- name: Show VAPID private key
|
||||
debug:
|
||||
msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Set VAPID keys fact
|
||||
set_fact:
|
||||
vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
|
||||
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
|
||||
- name: Show VAPID public key
|
||||
debug:
|
||||
msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Show VAPID private key
|
||||
debug:
|
||||
msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
|
||||
verbosity: 2
|
||||
when: vapid_private_key_test_grep.stdout == '0'
|
||||
- name: Write VAPID private key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
|
||||
|
||||
- name: Show VAPID public key
|
||||
debug:
|
||||
msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
|
||||
verbosity: 2
|
||||
when: vapid_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write VAPID private key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
|
||||
when: vapid_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write VAPID public key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
|
||||
when: vapid_public_key_test_grep.stdout == '0'
|
||||
- name: Write VAPID public key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
pypiserver_combined_values: "{{ pypiserver_default_values | combine(pypiserver_values, recursive=true) }}"
|
||||
pypiserver_combined_values: "{{ pypiserver_default_values | combine(pypiserver_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy pypiserver
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
roundcube_combined_values: "{{ roundcube_default_values | combine(roundcube_values, recursive=true) }}"
|
||||
roundcube_combined_values: "{{ roundcube_default_values | combine(roundcube_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy RoundCube
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
rspamd_combined_values: "{{ rspamd_default_values | combine(rspamd_values, recursive=true) }}"
|
||||
rspamd_combined_values: "{{ rspamd_default_values | combine(rspamd_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy Rspamd
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
service_dns_chart_ref: "bitnami/external-dns"
|
||||
service_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
service_dns_tsigSecretAlg: "hmac-sha512"
|
||||
service_dns_default_values:
|
||||
fullnameOverride: "{{ service_dns_name | default(namespace + '-service-dns') }}"
|
||||
domainFilters: ["{{ service_domain | default(domain) }}"]
|
||||
@@ -9,8 +11,8 @@ service_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ service_domain | default(domain) }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ service_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ service_dns_tsigKeyname | default(namespace) }}"
|
||||
tsigSecretAlg: "{{ service_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ service_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- set_fact:
|
||||
service_dns_combined_values: "{{ service_dns_default_values | combine(service_dns_values, recursive=true) }}"
|
||||
service_dns_combined_values: "{{ service_dns_default_values | combine(service_dns_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy service DNS
|
||||
kubernetes.core.helm:
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- postgres_enabled is defined and postgres_enabled
|
||||
|
||||
- set_fact:
|
||||
wikijs_combined_values: "{{ wikijs_default_values | combine(wikijs_values, recursive=true) }}"
|
||||
wikijs_combined_values: "{{ wikijs_default_values | combine(wikijs_values | default({}), recursive=true) }}"
|
||||
|
||||
- name: Deploy WikiJS
|
||||
kubernetes.core.helm:
|
||||
|
||||
Reference in New Issue
Block a user