add k8s_cluster_name variable and bump gitea helm chart to 12.0.0

knot: backup config
fix dns integration via external-dns deployment
2025-05-23 13:05:30 +03:00 · 2025-05-23 13:05:14 +03:00 · 2025-05-23 13:05:08 +03:00 · 2025-05-23 13:05:03 +03:00
16 changed files with 273 additions and 344 deletions
--- a/inventory/ghp/sample/group_vars/all/all.yaml
+++ b/inventory/ghp/sample/group_vars/all/all.yaml
@ -1,4 +1,5 @@
 # Common #
 k8s_cluster_name: mycluster
 namespace: ghp
 docker_registry: gitea.geekhome.org/ghp
 domain: example.com
--- a/inventory/ghp/sample/group_vars/all/versions.yaml
+++ b/inventory/ghp/sample/group_vars/all/versions.yaml
@ -44,7 +44,7 @@ bitwarden_version: 2.0.37
 # Gitea
 gitea_ingress_nginx_version: 4.12.1
 gitea_dns_version: 6.31.0
-gitea_version: 11.0.1
+gitea_version: 12.0.0
 # Gitea Act Runner
 gitea_act_runner_version: 0.1.12
--- a/inventory/ghp/sample/group_vars/knot_dns.yaml
+++ b/inventory/ghp/sample/group_vars/knot_dns.yaml
@ -12,20 +12,14 @@ knot_conf: |
      any: debug
  key:
-    - id: k8s
+    - id: k8s-{{ k8s_cluster_name }}-{{ namespace }}
      algorithm: hmac-sha512
      secret: {{ k8s_tsig }}
-    - id: vps
+    - id: ddclient-{{ k8s_cluster_name }}-{{ namespace }}
      algorithm: hmac-sha512
      secret: {{ ddclient_tsig }}
  remote:
  #  - id: slave
  #    address: 192.168.1.1@53
  #
  #  - id: master
  #    address: 192.168.2.1@53
  remote:
    - id: dns_server
      address: 127.0.0.1@53
@ -34,24 +28,15 @@ knot_conf: |
    - id: dns_zone_sbm
      parent: [dns_server]
  acl:
    - id: deny_all
      deny: on # no action specified and deny on implies denial of all actions
    - id: key_rule
-      key: [vps, k8s]                # Access based just on TSIG key
+      key: [k8s-{{ k8s_cluster_name }}-{{ namespace }},ddclient-{{ k8s_cluster_name }}-{{ namespace }}] # Access based just on TSIG key
      address: 192.168.0.0/16
      action: [transfer, notify, update]
  #  - id: acl_slave
  #    address: 192.168.1.1
  #    action: transfer
  #  - id: acl_master
  #    address: 192.168.2.1
  #    action: notify
  template:
    - id: default
      storage: "/var/lib/knot"
@ -73,14 +58,3 @@ knot_conf: |
      dnssec-signing: on
      dnssec-policy: rsa
      zonefile-load: difference
  #    # Master zone
  #  - domain: example.com
  #    notify: slave
  #    acl: acl_slave
  #    # Slave zone
  #  - domain: example.net
  #    master: master
  #    acl: acl_master
--- a/roles/external-dns/defaults/main.yaml
+++ b/roles/external-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 external_dns_chart_ref: "bitnami/external-dns"
 external_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 external_dns_tsigSecretAlg: "hmac-sha512"
 external_dns_default_values:
  fullnameOverride: "{{ external_dns_name | default(namespace + '-external-dns') }}"
  ingressClassFilters: ["{{ external_ingress_class }}"]
@ -9,8 +11,8 @@ external_dns_default_values:
    port: 53
    zone: "{{ external_domain | default(domain) }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ external_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ external_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ external_dns_tsigKeyname | default('k8s') }}"
+    tsigKeyname: "{{ external_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
--- a/roles/gitea/defaults/main.yaml
+++ b/roles/gitea/defaults/main.yaml
@ -32,7 +32,7 @@ gitea_default_values:
        hosts:
          - "{{ gitea_short_name }}.{{ domain }}"
-  redis-cluster:
+  valkey-cluster:
    enabled: false
  postgresql-ha:
@ -153,6 +153,8 @@ gitea_ingress_nginx_default_values:
 gitea_dns_chart_ref: "bitnami/external-dns"
 gitea_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 gitea_dns_tsigSecretAlg: "hmac-sha512"
 gitea_dns_default_values:
  fullnameOverride: "{{ gitea_dns_name | default(namespace + '-gitea-internal-dns') }}"
  ingressClassFilters: ["{{ gitea_ingress_class }}"]
@ -163,8 +165,8 @@ gitea_dns_default_values:
    port: 53
    zone: "{{ domain }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ gitea_dns_tsigKeyname | default('k8s') }}"
+    tsigKeyname: "{{ gitea_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
--- a/roles/internal-dns/defaults/main.yaml
+++ b/roles/internal-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 internal_dns_chart_ref: "bitnami/external-dns"
 internal_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 internal_dns_tsigSecretAlg: "hmac-sha512"
 internal_dns_default_values:
  fullnameOverride: "{{ internal_dns_name | default(namespace + '-internal-dns') }}"
  ingressClassFilters: ["{{ internal_ingress_class }}"]
@ -9,8 +11,8 @@ internal_dns_default_values:
    port: 53
    zone: "{{ internal_domain | default(domain) }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ internal_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ internal_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ internal_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ internal_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
--- a/roles/knot/tasks/main.yaml
+++ b/roles/knot/tasks/main.yaml
@ -29,6 +29,7 @@
    owner: "root"
    group: "knot"
    validate: "knotc -c %s conf-check"
    backup: true
  notify: Restart knot
 - name: Enable and start knot
--- a/roles/local-dns/defaults/main.yaml
+++ b/roles/local-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 local_dns_chart_ref: "bitnami/external-dns"
 local_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 local_dns_tsigSecretAlg: "hmac-sha512"
 local_dns_default_values:
  fullnameOverride: "{{ local_dns_name | default(namespace + '-local-dns') }}"
  ingressClassFilters: ["{{ local_ingress_class }}"]
@ -9,8 +11,8 @@ local_dns_default_values:
    port: 53
    zone: "{{ local_domain }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ local_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ local_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ local_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ local_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
--- a/roles/pwgen/tasks/dkim.yaml
+++ b/roles/pwgen/tasks/dkim.yaml
@ -1,11 +1,6 @@
- name: Test if DKIM private key exists
+- name: Generate DKIM keys
-  shell: grep -c "dkim_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords['dkim_public_key_base64'] is not defined or passwords['dkim_private_key_base64'] is not defined
-  register: dkim_private_key_test_grep
+  block:
 - name: Test if DKIM public key exists
  shell: grep -c "dkim_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
  register: dkim_public_key_test_grep
    - name: Create DKIM keys
      docker_container:
        name: ddclient
@ -15,33 +10,27 @@
        container_default_behavior: no_defaults
        command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
      register: dkim_container_output
  when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
- name: Set ddclient_key
+    - name: Set dkim_keys
      set_fact:
        dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
  when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
    - name: Show DKIM private key
      debug:
        msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
        verbosity: 2
  when: dkim_private_key_test_grep.stdout == '0' 
    - name: Show DKIM public key
      debug:
        msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
        verbosity: 2
  when: dkim_public_key_test_grep.stdout == '0' 
    - name: Write DKIM private key
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
  when: dkim_private_key_test_grep.stdout == '0' 
    - name: Write DKIM public key
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
  when: dkim_public_key_test_grep.stdout == '0' 
--- a/roles/pwgen/tasks/htpasswd.yaml
+++ b/roles/pwgen/tasks/htpasswd.yaml
@ -1,21 +1,14 @@
- name: Test if password exists in file for {{ item.name }}
+- name: Generate htpasswd for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords[item.name + '_password'] is not defined or passwords[item.name + '_htpasswd_hash'] is not defined
-  register: password_test_grep
+  block:
 - name: Test if password htpasswd hash exists in file for {{ item.name }}
  shell: grep -c "^{{ item.name }}_htpasswd_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
  register: htpasswd_hash_test_grep
    - name: Create password for {{ item.name }}
      shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
      register: password
  when: password_test_grep.stdout == '0'
    - name: Show password json for {{ item.name }}
      debug:
        msg: "{{ password }}"
        verbosity: 2
  when: password_test_grep.stdout == '0'
    - name: Create bcrypt hash from password for {{ item.name }}
      docker_container:
@ -26,7 +19,6 @@
        container_default_behavior: no_defaults
        command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
      register: docker_container_output
  when: htpasswd_hash_test_grep.stdout == '0'
    - name: Show docker_container_output for {{ item.name }}
      debug:
@ -37,10 +29,8 @@
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "{{ item.name }}_password: \"{{ password.stdout }}\""
  when: password_test_grep.stdout == '0'
    - name: Write htpasswd hash for {{ item.name }}
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
  when: htpasswd_hash_test_grep.stdout == '0'
--- a/roles/pwgen/tasks/main.yaml
+++ b/roles/pwgen/tasks/main.yaml
@ -1,7 +1,22 @@
- name: Create passwords.yaml file
+- name: Check that passwords.yaml exists
  stat:
    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
  register: passwords_file
 - name: Create passwords.yaml file if not exists
  file: 
    name: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
    state: touch
  when: not passwords_file.stat.exists
 - name: Read passwords.yaml file
  slurp:
    src: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
  register: passwords_b64
 - name: Set facts about passwords
  set_fact:
    passwords: "{{ passwords_b64['content'] | b64decode | from_yaml }}"
 - name: Create files directory for ddclient tsig
  file: 
--- a/roles/pwgen/tasks/passwords.yaml
+++ b/roles/pwgen/tasks/passwords.yaml
@ -1,22 +1,23 @@
- name: Test if password exists in file for {{ item.name }}
+- name: Generate password for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords[item.name + '_password'] is not defined
-  register: password_test_grep
+  block:
 - name: Test if password pbkdf2-sha512 hash exists in file for {{ item.name }}
  shell: grep -c "^{{ item.name }}_pbkdf2_sha512_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
  register: pbkdf2_sha512_hash_test_grep
    - name: Create password for {{ item.name }}
      shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
      register: password
  when: password_test_grep.stdout == '0'
    - name: Show password json for {{ item.name }}
      debug:
        msg: "{{ password }}"
        verbosity: 2
  when: password_test_grep.stdout == '0'
    - name: Write password for {{ item.name }}
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "{{ item.name }}_password: \"{{ password.stdout }}\""
 - name: Generate password for {{ item.name }}
  when: passwords[item.name + '_pbkdf2_sha512_hash'] is not defined
  block:
    - name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
      docker_container:
        name: slappasswd
@ -26,24 +27,8 @@
        container_default_behavior: no_defaults
        command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
      register: docker_container_output
  when: pbkdf2_sha512_hash_test_grep.stdout == '0'
 - debug:
    msg: "{{ docker_container_output }}"
 - name: Show docker_container_output for {{ item.name }}
  debug:
    msg: "{{ docker_container_output }}"
    verbosity: 2
 - name: Write password for {{ item.name }}
  lineinfile:
    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
    line: "{{ item.name }}_password: \"{{ password.stdout }}\""
  when: password_test_grep.stdout == '0'
    - name: Write PBKDF2-SHA512 hash for {{ item.name }}
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
  when: pbkdf2_sha512_hash_test_grep.stdout == '0'
--- a/roles/pwgen/tasks/secrets.yaml
+++ b/roles/pwgen/tasks/secrets.yaml
@ -1,20 +1,16 @@
- name: Test if secret exists in file for {{ item.name }}
+- name: Create secret for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords[item.name + '_secret'] is not defined
-  register: secret_test_grep
+  block:
    - name: Create secret for {{ item.name }}
      shell: "openssl rand -hex 32"
      register: secret
  when: secret_test_grep.stdout == '0'
    - name: Show secret json for {{ item.name }}
      debug:
        msg: "{{ secret }}"
        verbosity: 2
  when: secret_test_grep.stdout == '0'
    - name: Write secret for {{ item.name }}
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
  when: secret_test_grep.stdout == '0'
--- a/roles/pwgen/tasks/tsig.yaml
+++ b/roles/pwgen/tasks/tsig.yaml
@ -1,19 +1,6 @@
- name: Test if k8s TSIG key exists
+- name: Generate K8s TSIG for Knot DNS
-  shell: grep -c "k8s_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords['k8s_tsig'] is not defined
-  register: k8s_tsig_test_grep
+  block:
 - name: Test if ddclinet TSIG key exists
  shell: grep -c "ddclient_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
  register: ddclient_tsig_test_grep
 - name: Test if ddclinet TSIG key exists
  shell: grep -c "ddclient_tsig_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
  register: ddclient_tsig_public_key_test_grep
 - name: Test if ddclinet TSIG key exists
  shell: grep -c "ddclient_tsig_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
  register: ddclient_tsig_private_key_test_grep
    - name: Generate k8s TSIG key for Knot DNS
      docker_container:
        name: keymgr
@ -21,26 +8,26 @@
        cleanup: true
        detach: false
        container_default_behavior: no_defaults
-    command: "keymgr -t {{ namespace }} hmac-sha512"
+        command: "keymgr -t k8s-{{ k8s_cluster_name }}-{{ namespace }} hmac-sha512"
      register: knot_container_output
  when: k8s_tsig_test_grep.stdout == '0'
    - name: Set k8s_key
      set_fact:
        k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
  when: k8s_tsig_test_grep.stdout == '0'
    - name: Show k8s TSIG key
      debug:
-    msg: "Knot k8s key: {{ k8s_key['key'][0]['secret'] }}"
+        msg: "Knot k8s key for k8s-{{ k8s_cluster_name }}-{{ namespace }}: {{ k8s_key['key'][0]['secret'] }}"
  when: k8s_tsig_test_grep.stdout == '0'
    - name: Write TSIG for Kubernetes
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
  when: k8s_tsig_test_grep.stdout == '0'
 - name: Generate ddclient private and public TSIG keys for Knot DNS
  when: 
    - passwords['ddclient_tsig_public_key_base64'] is not defined or passwords['ddclient_tsig_private_key_base64'] is not defined
  block:
    - name: Generate TSIG key for ddclient
      docker_container:
        name: ddclient
@ -48,52 +35,44 @@
        cleanup: true
        detach: false
        container_default_behavior: no_defaults
-    command: "bash tsig-key.sh {{ namespace }}"
+        command: "bash tsig-key.sh ddclient-{{ k8s_cluster_name }}-{{ namespace }}"
      register: ddclient_container_output
  when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
    - name: Set ddclient_key
      set_fact:
        ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
  when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
    - name: Show ddclient TSIG public key file
      debug:
-    msg: "ddclient key: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
+        msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
        verbosity: 2
  when: ddclient_tsig_public_key_test_grep.stdout == '0'
    - name: Show ddclient TSIG private key file
      debug:
-    msg: "ddclient key: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
+        msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
        verbosity: 2
  when: ddclient_tsig_private_key_test_grep.stdout == '0'
    - name: Write ddclient TSIG public key file in base64
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
  when: ddclient_tsig_public_key_test_grep.stdout == '0'
 - name: Write ddclient TSIG private key file in base64
  lineinfile:
    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
    line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
  when: ddclient_tsig_private_key_test_grep.stdout == '0'
 - name: Set ddclient TSIG key
  set_fact:
    ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
  when: ddclient_tsig_test_grep.stdout == '0'
    - name: Show ddclient TSIG key
      debug:
        msg: "{{ ddclient_tsig_key }}"
        verbosity: 2
  when: ddclient_tsig_test_grep.stdout == '0'
    - name: Write ddclient TSIG key
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
-  when: ddclient_tsig_test_grep.stdout == '0'
+
    - name: Write ddclient TSIG private key file in base64
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
    - name: Set ddclient TSIG key
      set_fact:
        ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
--- a/roles/pwgen/tasks/vapid.yaml
+++ b/roles/pwgen/tasks/vapid.yaml
@ -1,11 +1,6 @@
- name: Test if VAPID private key exists
+- name: Generate VAPID keys
-  shell: grep -c "^{{ item.name }}_vapid_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords[item.name + '_vapid_public_key_base64'] is not defined or passwords[item.name + '_vapid_private_key_base64'] is not defined
-  register: vapid_private_key_test_grep
+  block:
 - name: Test if VAPID public key exists
  shell: grep -c "^{{ item.name }}_vapid_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
  register: vapid_public_key_test_grep
    - name: Create VAPID keys
      docker_container:
        name: vapid
@ -15,33 +10,27 @@
        container_default_behavior: no_defaults
        command: "/vapid"
      register: vapid_container_output
  when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
    - name: Set VAPID keys fact
      set_fact:
        vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
  when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
    - name: Show VAPID private key
      debug:
        msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
        verbosity: 2
  when: vapid_private_key_test_grep.stdout == '0' 
    - name: Show VAPID public key
      debug:
        msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
        verbosity: 2
  when: vapid_public_key_test_grep.stdout == '0' 
    - name: Write VAPID private key
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
  when: vapid_private_key_test_grep.stdout == '0' 
    - name: Write VAPID public key
      lineinfile:
        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
        line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
  when: vapid_public_key_test_grep.stdout == '0' 
--- a/roles/service-dns/defaults/main.yaml
+++ b/roles/service-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 service_dns_chart_ref: "bitnami/external-dns"
 service_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 service_dns_tsigSecretAlg: "hmac-sha512"
 service_dns_default_values:
  fullnameOverride: "{{ service_dns_name | default(namespace + '-service-dns') }}"
  domainFilters: ["{{ service_domain | default(domain) }}"]
@ -9,8 +11,8 @@ service_dns_default_values:
    port: 53
    zone: "{{ service_domain | default(domain) }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ service_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ service_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ service_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ service_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
Author	SHA1	Message	Date
ace	ab2040d287	add k8s_cluster_name variable and bump gitea helm chart to 12.0.0	2025-05-23 13:05:30 +03:00
ace	8a727e5dbf	knot: backup config	2025-05-23 13:05:14 +03:00
ace	f6e52e1f65	fix dns integration via external-dns deployment	2025-05-23 13:05:08 +03:00
ace	74ae2c4694	pwgen: rewrite checks and passwords generation	2025-05-23 13:05:03 +03:00