Compare commits
14 Commits
e67b5702d5
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
c669ac9e36
|
|||
|
cce620dca0
|
|||
|
8bc72c25d6
|
|||
|
4cd0b9b606
|
|||
|
dd02301ecf
|
|||
|
e380042c04
|
|||
|
55fd39b008
|
|||
|
7ed4837d00
|
|||
|
a85d4b1c04
|
|||
|
160fdef1cf
|
|||
|
ab2040d287
|
|||
|
8a727e5dbf
|
|||
|
f6e52e1f65
|
|||
|
74ae2c4694
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
.venv
|
||||
@@ -1,4 +1,5 @@
|
||||
# Common #
|
||||
k8s_cluster_name: mycluster
|
||||
namespace: ghp
|
||||
docker_registry: gitea.geekhome.org/ghp
|
||||
domain: example.com
|
||||
|
||||
@@ -12,7 +12,7 @@ ceph_csi_rbd_version: 3.8.0
|
||||
ceph_csi_cephfs_version: 3.8.0
|
||||
|
||||
# Cert-manager
|
||||
cert_manager_version: 1.17.1
|
||||
cert_manager_version: 1.18.2
|
||||
|
||||
# External-DNS
|
||||
external_dns_version: 6.31.0
|
||||
@@ -36,24 +36,24 @@ openldap_version: 1.2.7
|
||||
minio_version: 5.0.13
|
||||
|
||||
# Adguard Home
|
||||
adguard_version: 2.3.31
|
||||
adguard_version: 2.3.33
|
||||
|
||||
# Bitwarden (aka Vaultwarden)
|
||||
bitwarden_version: 2.0.37
|
||||
bitwarden_version: 2.0.40
|
||||
|
||||
# Gitea
|
||||
gitea_ingress_nginx_version: 4.12.1
|
||||
gitea_dns_version: 6.31.0
|
||||
gitea_version: 11.0.1
|
||||
gitea_version: 12.1.2
|
||||
|
||||
# Gitea Act Runner
|
||||
gitea_act_runner_version: 0.1.12
|
||||
gitea_act_runner_version: 0.1.13
|
||||
|
||||
# Docker and Helm chart registries
|
||||
harbor_version: 1.12.4
|
||||
|
||||
# Mastodon
|
||||
mastodon_version: 5.1.7
|
||||
mastodon_version: 6.5.1
|
||||
|
||||
# Nextcloud
|
||||
nextcloud_version: 5.0.2
|
||||
@@ -61,8 +61,8 @@ nextcloud_version: 5.0.2
|
||||
# Email
|
||||
dovecot_version: 0.1.8
|
||||
postfix_version: 0.1.7
|
||||
roundcube_version: 0.4.5
|
||||
rspamd_version: 0.5.6
|
||||
roundcube_version: 0.4.6
|
||||
rspamd_version: 0.5.7
|
||||
|
||||
# Pypi server
|
||||
pypiserver_version: 2.5.0
|
||||
@@ -71,7 +71,7 @@ pypiserver_version: 2.5.0
|
||||
wikijs_version: 2.3.19
|
||||
|
||||
# PeerTube
|
||||
peertube_version: 0.4.2
|
||||
peertube_version: 0.4.5
|
||||
|
||||
# Playmaker android APK repository
|
||||
playmaker_version: 0.1.3
|
||||
|
||||
@@ -12,20 +12,14 @@ knot_conf: |
|
||||
any: debug
|
||||
|
||||
key:
|
||||
- id: k8s
|
||||
- id: k8s-{{ k8s_cluster_name }}-{{ namespace }}
|
||||
algorithm: hmac-sha512
|
||||
secret: {{ k8s_tsig }}
|
||||
|
||||
- id: vps
|
||||
- id: ddclient-{{ k8s_cluster_name }}-{{ namespace }}
|
||||
algorithm: hmac-sha512
|
||||
secret: {{ ddclient_tsig }}
|
||||
|
||||
remote:
|
||||
# - id: slave
|
||||
# address: 192.168.1.1@53
|
||||
#
|
||||
# - id: master
|
||||
# address: 192.168.2.1@53
|
||||
remote:
|
||||
- id: dns_server
|
||||
address: 127.0.0.1@53
|
||||
@@ -34,24 +28,15 @@ knot_conf: |
|
||||
- id: dns_zone_sbm
|
||||
parent: [dns_server]
|
||||
|
||||
|
||||
acl:
|
||||
- id: deny_all
|
||||
deny: on # no action specified and deny on implies denial of all actions
|
||||
|
||||
- id: key_rule
|
||||
key: [vps, k8s] # Access based just on TSIG key
|
||||
key: [k8s-{{ k8s_cluster_name }}-{{ namespace }},ddclient-{{ k8s_cluster_name }}-{{ namespace }}] # Access based just on TSIG key
|
||||
address: 192.168.0.0/16
|
||||
action: [transfer, notify, update]
|
||||
|
||||
# - id: acl_slave
|
||||
# address: 192.168.1.1
|
||||
# action: transfer
|
||||
|
||||
# - id: acl_master
|
||||
# address: 192.168.2.1
|
||||
# action: notify
|
||||
|
||||
template:
|
||||
- id: default
|
||||
storage: "/var/lib/knot"
|
||||
@@ -73,14 +58,3 @@ knot_conf: |
|
||||
dnssec-signing: on
|
||||
dnssec-policy: rsa
|
||||
zonefile-load: difference
|
||||
|
||||
# # Master zone
|
||||
# - domain: example.com
|
||||
# notify: slave
|
||||
# acl: acl_slave
|
||||
|
||||
# # Slave zone
|
||||
# - domain: example.net
|
||||
# master: master
|
||||
# acl: acl_master
|
||||
|
||||
|
||||
@@ -50,7 +50,7 @@
|
||||
rfc2136:
|
||||
nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
|
||||
tsigAlgorithm: HMACSHA512
|
||||
tsigKeyName: k8s
|
||||
tsigKeyName: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
tsigSecretSecretRef:
|
||||
key: tsig-secret-key
|
||||
name: tsig-secret
|
||||
@@ -81,7 +81,7 @@
|
||||
rfc2136:
|
||||
nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
|
||||
tsigAlgorithm: HMACSHA512
|
||||
tsigKeyName: k8s
|
||||
tsigKeyName: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
tsigSecretSecretRef:
|
||||
key: tsig-secret-key
|
||||
name: tsig-secret
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
external_dns_chart_ref: "bitnami/external-dns"
|
||||
external_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
external_dns_tsigSecretAlg: "hmac-sha512"
|
||||
external_dns_default_values:
|
||||
fullnameOverride: "{{ external_dns_name | default(namespace + '-external-dns') }}"
|
||||
ingressClassFilters: ["{{ external_ingress_class }}"]
|
||||
@@ -9,8 +11,8 @@ external_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ external_domain | default(domain) }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ external_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ external_dns_tsigKeyname | default('k8s') }}"
|
||||
tsigSecretAlg: "{{ external_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ external_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -32,7 +32,7 @@ gitea_default_values:
|
||||
hosts:
|
||||
- "{{ gitea_short_name }}.{{ domain }}"
|
||||
|
||||
redis-cluster:
|
||||
valkey-cluster:
|
||||
enabled: false
|
||||
|
||||
postgresql-ha:
|
||||
@@ -153,6 +153,8 @@ gitea_ingress_nginx_default_values:
|
||||
|
||||
|
||||
gitea_dns_chart_ref: "bitnami/external-dns"
|
||||
gitea_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
gitea_dns_tsigSecretAlg: "hmac-sha512"
|
||||
gitea_dns_default_values:
|
||||
fullnameOverride: "{{ gitea_dns_name | default(namespace + '-gitea-internal-dns') }}"
|
||||
ingressClassFilters: ["{{ gitea_ingress_class }}"]
|
||||
@@ -163,8 +165,8 @@ gitea_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ domain }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ gitea_dns_tsigKeyname | default('k8s') }}"
|
||||
tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ gitea_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
internal_dns_chart_ref: "bitnami/external-dns"
|
||||
internal_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
internal_dns_tsigSecretAlg: "hmac-sha512"
|
||||
internal_dns_default_values:
|
||||
fullnameOverride: "{{ internal_dns_name | default(namespace + '-internal-dns') }}"
|
||||
ingressClassFilters: ["{{ internal_ingress_class }}"]
|
||||
@@ -9,8 +11,8 @@ internal_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ internal_domain | default(domain) }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ internal_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ internal_dns_tsigKeyname | default(namespace) }}"
|
||||
tsigSecretAlg: "{{ internal_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ internal_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
owner: "root"
|
||||
group: "knot"
|
||||
validate: "knotc -c %s conf-check"
|
||||
backup: true
|
||||
notify: Restart knot
|
||||
|
||||
- name: Enable and start knot
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
local_dns_chart_ref: "bitnami/external-dns"
|
||||
local_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
local_dns_tsigSecretAlg: "hmac-sha512"
|
||||
local_dns_default_values:
|
||||
fullnameOverride: "{{ local_dns_name | default(namespace + '-local-dns') }}"
|
||||
ingressClassFilters: ["{{ local_ingress_class }}"]
|
||||
@@ -9,8 +11,8 @@ local_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ local_domain }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ local_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ local_dns_tsigKeyname | default(namespace) }}"
|
||||
tsigSecretAlg: "{{ local_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ local_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
@@ -1,11 +1,6 @@
|
||||
- name: Test if DKIM private key exists
|
||||
shell: grep -c "dkim_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: dkim_private_key_test_grep
|
||||
|
||||
- name: Test if DKIM public key exists
|
||||
shell: grep -c "dkim_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: dkim_public_key_test_grep
|
||||
|
||||
- name: Generate DKIM keys
|
||||
when: passwords['dkim_public_key_base64'] is not defined or passwords['dkim_private_key_base64'] is not defined
|
||||
block:
|
||||
- name: Create DKIM keys
|
||||
docker_container:
|
||||
name: ddclient
|
||||
@@ -15,33 +10,27 @@
|
||||
container_default_behavior: no_defaults
|
||||
command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
|
||||
register: dkim_container_output
|
||||
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Set ddclient_key
|
||||
- name: Set dkim_keys
|
||||
set_fact:
|
||||
dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
|
||||
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Show DKIM private key
|
||||
debug:
|
||||
msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: dkim_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Show DKIM public key
|
||||
debug:
|
||||
msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: dkim_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write DKIM private key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
|
||||
when: dkim_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write DKIM public key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
|
||||
when: dkim_public_key_test_grep.stdout == '0'
|
||||
|
||||
@@ -1,21 +1,14 @@
|
||||
- name: Test if password exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: password_test_grep
|
||||
|
||||
- name: Test if password htpasswd hash exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_htpasswd_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: htpasswd_hash_test_grep
|
||||
|
||||
- name: Generate htpasswd for {{ item.name }}
|
||||
when: passwords[item.name + '_password'] is not defined or passwords[item.name + '_htpasswd_hash'] is not defined
|
||||
block:
|
||||
- name: Create password for {{ item.name }}
|
||||
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
|
||||
register: password
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Show password json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ password }}"
|
||||
verbosity: 2
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Create bcrypt hash from password for {{ item.name }}
|
||||
docker_container:
|
||||
@@ -26,7 +19,6 @@
|
||||
container_default_behavior: no_defaults
|
||||
command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
|
||||
register: docker_container_output
|
||||
when: htpasswd_hash_test_grep.stdout == '0'
|
||||
|
||||
- name: Show docker_container_output for {{ item.name }}
|
||||
debug:
|
||||
@@ -37,10 +29,8 @@
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Write htpasswd hash for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
|
||||
when: htpasswd_hash_test_grep.stdout == '0'
|
||||
|
||||
@@ -1,7 +1,22 @@
|
||||
- name: Create passwords.yaml file
|
||||
- name: Check that passwords.yaml exists
|
||||
stat:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
register: passwords_file
|
||||
|
||||
- name: Create passwords.yaml file if not exists
|
||||
file:
|
||||
name: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
state: touch
|
||||
when: not passwords_file.stat.exists
|
||||
|
||||
- name: Read passwords.yaml file
|
||||
slurp:
|
||||
src: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
register: passwords_b64
|
||||
|
||||
- name: Set facts about passwords
|
||||
set_fact:
|
||||
passwords: "{{ passwords_b64['content'] | b64decode | from_yaml }}"
|
||||
|
||||
- name: Create files directory for ddclient tsig
|
||||
file:
|
||||
|
||||
@@ -1,22 +1,23 @@
|
||||
- name: Test if password exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: password_test_grep
|
||||
|
||||
- name: Test if password pbkdf2-sha512 hash exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_pbkdf2_sha512_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: pbkdf2_sha512_hash_test_grep
|
||||
|
||||
- name: Generate password for {{ item.name }}
|
||||
when: passwords[item.name + '_password'] is not defined
|
||||
block:
|
||||
- name: Create password for {{ item.name }}
|
||||
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
|
||||
register: password
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Show password json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ password }}"
|
||||
verbosity: 2
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Write password for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
|
||||
|
||||
- name: Generate password for {{ item.name }}
|
||||
when: passwords[item.name + '_pbkdf2_sha512_hash'] is not defined
|
||||
block:
|
||||
- name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
|
||||
docker_container:
|
||||
name: slappasswd
|
||||
@@ -26,24 +27,8 @@
|
||||
container_default_behavior: no_defaults
|
||||
command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
|
||||
register: docker_container_output
|
||||
when: pbkdf2_sha512_hash_test_grep.stdout == '0'
|
||||
|
||||
- debug:
|
||||
msg: "{{ docker_container_output }}"
|
||||
|
||||
- name: Show docker_container_output for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ docker_container_output }}"
|
||||
verbosity: 2
|
||||
|
||||
- name: Write password for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
|
||||
when: password_test_grep.stdout == '0'
|
||||
|
||||
- name: Write PBKDF2-SHA512 hash for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
|
||||
when: pbkdf2_sha512_hash_test_grep.stdout == '0'
|
||||
|
||||
@@ -1,20 +1,16 @@
|
||||
- name: Test if secret exists in file for {{ item.name }}
|
||||
shell: grep -c "^{{ item.name }}_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: secret_test_grep
|
||||
|
||||
- name: Create secret for {{ item.name }}
|
||||
when: passwords[item.name + '_secret'] is not defined
|
||||
block:
|
||||
- name: Create secret for {{ item.name }}
|
||||
shell: "openssl rand -hex 32"
|
||||
register: secret
|
||||
when: secret_test_grep.stdout == '0'
|
||||
|
||||
- name: Show secret json for {{ item.name }}
|
||||
debug:
|
||||
msg: "{{ secret }}"
|
||||
verbosity: 2
|
||||
when: secret_test_grep.stdout == '0'
|
||||
|
||||
- name: Write secret for {{ item.name }}
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
|
||||
when: secret_test_grep.stdout == '0'
|
||||
|
||||
@@ -1,19 +1,6 @@
|
||||
- name: Test if k8s TSIG key exists
|
||||
shell: grep -c "k8s_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: k8s_tsig_test_grep
|
||||
|
||||
- name: Test if ddclinet TSIG key exists
|
||||
shell: grep -c "ddclient_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: ddclient_tsig_test_grep
|
||||
|
||||
- name: Test if ddclinet TSIG key exists
|
||||
shell: grep -c "ddclient_tsig_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: ddclient_tsig_public_key_test_grep
|
||||
|
||||
- name: Test if ddclinet TSIG key exists
|
||||
shell: grep -c "ddclient_tsig_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: ddclient_tsig_private_key_test_grep
|
||||
|
||||
- name: Generate K8s TSIG for Knot DNS
|
||||
when: passwords['k8s_tsig'] is not defined
|
||||
block:
|
||||
- name: Generate k8s TSIG key for Knot DNS
|
||||
docker_container:
|
||||
name: keymgr
|
||||
@@ -21,26 +8,26 @@
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "keymgr -t {{ namespace }} hmac-sha512"
|
||||
command: "keymgr -t k8s-{{ k8s_cluster_name }}-{{ namespace }} hmac-sha512"
|
||||
register: knot_container_output
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Set k8s_key
|
||||
set_fact:
|
||||
k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Show k8s TSIG key
|
||||
debug:
|
||||
msg: "Knot k8s key: {{ k8s_key['key'][0]['secret'] }}"
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
msg: "Knot k8s key for k8s-{{ k8s_cluster_name }}-{{ namespace }}: {{ k8s_key['key'][0]['secret'] }}"
|
||||
|
||||
- name: Write TSIG for Kubernetes
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
|
||||
when: k8s_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Generate ddclient private and public TSIG keys for Knot DNS
|
||||
when:
|
||||
- passwords['ddclient_tsig_public_key_base64'] is not defined or passwords['ddclient_tsig_private_key_base64'] is not defined
|
||||
block:
|
||||
- name: Generate TSIG key for ddclient
|
||||
docker_container:
|
||||
name: ddclient
|
||||
@@ -48,52 +35,44 @@
|
||||
cleanup: true
|
||||
detach: false
|
||||
container_default_behavior: no_defaults
|
||||
command: "bash tsig-key.sh {{ namespace }}"
|
||||
command: "bash tsig-key.sh ddclient-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
register: ddclient_container_output
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Set ddclient_key
|
||||
set_fact:
|
||||
ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Show ddclient TSIG public key file
|
||||
debug:
|
||||
msg: "ddclient key: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
|
||||
msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Show ddclient TSIG private key file
|
||||
debug:
|
||||
msg: "ddclient key: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
|
||||
msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
|
||||
verbosity: 2
|
||||
when: ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write ddclient TSIG public key file in base64
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
|
||||
when: ddclient_tsig_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write ddclient TSIG private key file in base64
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
|
||||
when: ddclient_tsig_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Set ddclient TSIG key
|
||||
set_fact:
|
||||
ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
|
||||
when: ddclient_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Show ddclient TSIG key
|
||||
debug:
|
||||
msg: "{{ ddclient_tsig_key }}"
|
||||
verbosity: 2
|
||||
when: ddclient_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Write ddclient TSIG key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
|
||||
when: ddclient_tsig_test_grep.stdout == '0'
|
||||
|
||||
- name: Write ddclient TSIG private key file in base64
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
|
||||
|
||||
- name: Set ddclient TSIG key
|
||||
set_fact:
|
||||
ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
|
||||
|
||||
|
||||
@@ -1,11 +1,6 @@
|
||||
- name: Test if VAPID private key exists
|
||||
shell: grep -c "^{{ item.name }}_vapid_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: vapid_private_key_test_grep
|
||||
|
||||
- name: Test if VAPID public key exists
|
||||
shell: grep -c "^{{ item.name }}_vapid_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
|
||||
register: vapid_public_key_test_grep
|
||||
|
||||
- name: Generate VAPID keys
|
||||
when: passwords[item.name + '_vapid_public_key_base64'] is not defined or passwords[item.name + '_vapid_private_key_base64'] is not defined
|
||||
block:
|
||||
- name: Create VAPID keys
|
||||
docker_container:
|
||||
name: vapid
|
||||
@@ -15,33 +10,27 @@
|
||||
container_default_behavior: no_defaults
|
||||
command: "/vapid"
|
||||
register: vapid_container_output
|
||||
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Set VAPID keys fact
|
||||
set_fact:
|
||||
vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
|
||||
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Show VAPID private key
|
||||
debug:
|
||||
msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
|
||||
verbosity: 2
|
||||
when: vapid_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Show VAPID public key
|
||||
debug:
|
||||
msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
|
||||
verbosity: 2
|
||||
when: vapid_public_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write VAPID private key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
|
||||
when: vapid_private_key_test_grep.stdout == '0'
|
||||
|
||||
- name: Write VAPID public key
|
||||
lineinfile:
|
||||
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
|
||||
line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
|
||||
when: vapid_public_key_test_grep.stdout == '0'
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
service_dns_chart_ref: "bitnami/external-dns"
|
||||
service_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
|
||||
service_dns_tsigSecretAlg: "hmac-sha512"
|
||||
service_dns_default_values:
|
||||
fullnameOverride: "{{ service_dns_name | default(namespace + '-service-dns') }}"
|
||||
domainFilters: ["{{ service_domain | default(domain) }}"]
|
||||
@@ -9,8 +11,8 @@ service_dns_default_values:
|
||||
port: 53
|
||||
zone: "{{ service_domain | default(domain) }}"
|
||||
tsigSecret: "{{ k8s_tsig }}"
|
||||
tsigSecretAlg: "{{ service_dns_tsigSecretAlg | default('hmac-sha512') }}"
|
||||
tsigKeyname: "{{ service_dns_tsigKeyname | default(namespace) }}"
|
||||
tsigSecretAlg: "{{ service_dns_tsigSecretAlg }}"
|
||||
tsigKeyname: "{{ service_dns_tsigKeyname }}"
|
||||
tsigAxfr: true
|
||||
## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
|
||||
minTTL: "30s"
|
||||
|
||||
Reference in New Issue
Block a user