sheppy/no-secrets-athq-ansible
1
0
Fork 0
mirror of https://github.com/FAUSheppy/no-secrets-athq-ansible synced 2026-06-19 17:12:38 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: sheppy/no-secrets-athq-ansible:61e28b4caecb932f73e6dbc93774568a6b40ccd3
Branches Tags
sheppy/no-secrets-athq-ansible:master
..
compare: sheppy/no-secrets-athq-ansible:cf9efd55b50b5fd5c9735011abbadf17a0be252a
Branches Tags
sheppy/no-secrets-athq-ansible:master

1 Commits
61e28b4cae .. cf9efd55b5

Author SHA1 Message Date
sheppy cf9efd55b5 initial: no secrets 2024-02-12 17:01:18 +01:00
140 changed files with 508 additions and 3101 deletions
Expand all files Collapse all files
.gitignore
-3
View File
@@ -2,10 +2,7 @@
ansible.log
files/icinga_master_hosts.conf
files/nsca_server.conf
templates/nsca_server.conf
files/async-icinga-config-dynamic.json
files/async-icinga-services-dynamic.conf
hosts.ini
files/atlantis-hub-content/
join-k8s-command
vault.secret
ansible.cfg
-1
View File
@@ -1,4 +1,3 @@
[defaults]
inventory = hosts.ini
log_path = ansible.log
vault_password_file = vault.secret
get-os-version.yaml
-46
View File
@@ -1,46 +0,0 @@
---
- hosts: all
gather_facts: yes
become: false
tasks:
- name: Distribution major version
debug:
msg: "{{ ansible_distribution_major_version }}"
# - name: Upgrade
# block:
#
# - name: Update apt repo and cache on all Debian/Ubuntu boxes
# apt:
# update_cache: yes
# force_apt_get: yes
# cache_valid_time: 0
#
# - name: Prepare. Autoremove old packages
# apt:
# autoremove: true
# autoclean: true
#
# - name: Update sources
# shell:
# cmd: |
# sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
#
# - name: Update apt repo and cache on all Debian/Ubuntu boxes
# apt:
# update_cache: yes
# force_apt_get: yes
# cache_valid_time: 0
#
# - name: Upgrade all packages on servers
# apt:
# upgrade: dist
# force_apt_get: yes
#
# - name: Prepare. Autoremove old packages
# apt:
# autoremove: true
# autoclean: true
#
# when: ansible_distribution_major_version == "11"
group_vars/all.yaml
+61 -225
View File
@@ -1,77 +1,25 @@
---
checks:
extra_sheppy_pubkeys:
nsca_server: 192.168.122.107
ldap_server: 192.168.122.112
nsca_password: HISTORY_PURGED_SECRET
nsca_report_to_rudi_password: HISTORY_PURGED_SECRET
RSYSLOG_SERVER: internal.monitoring.atlantishq.de
influxdb_telegraf_password: HISTORY_PURGED_SECRET
code_server_password: HISTORY_PURGED_SECRET
nsca_server: ""
ldap_server: ""
nsca_password: ""
RSYSLOG_SERVER: ""
influxdb_telegraf_password: ""
nextcloud_ssl_enabled: false
nextcloud_cert_name: nextcloud.atlantishq.de
nextcloud_instance_id: HISTORY_PURGED_SECRET
nextcloud_password_salt: HISTORY_PURGED_SECRET
nextcloud_instance_secret: HISTORY_PURGED_SECRET
nextcloud_master_domain: nextcloud.atlantishq.de
nextcloud_db_password: HISTORY_PURGED_SECRET
tor_bridge_name: HISTORY_PURGED_SECRET
tor_bridge_email: nobody@HISTORY_PURGED_SECRET.com
signal_sender_number: +HISTORY_PURGED_SECRET
atlantis_array_action_pw: jeanswochenendegeschichte
money_balancer_jwt_secret: HISTORY_PURGED_SECRET
hedgedoc_db_password: HISTORY_PURGED_SECRET
paperless_secret_key: HISTORY_PURGED_SECRET
kube_adm_token: HISTORY_PURGED_SECRET
storagebox_u244665_sub2_password: HISTORY_PURGED_SECRET
slapd_backup_submit_token: HISTORY_PURGED_SECRET
tube_archivist_elasticsearch_password: HISTORY_PURGED_SECRET
keep_journal_for_days: 3
michy_email: HISTORY_PURGED_SECRET
sheppy_email: HISTORY_PURGED_SECRET
reactive_resume_postgres_password: HISTORY_PURGED_SECRET
reactive_resume_minio_password: HISTORY_PURGED_SECRET
reactive_resume_refresh_token: HISTORY_PURGED_SECRET
reactive_resume_access_token: HISTORY_PURGED_SECRET
icinga_api_user: "mobile"
icinga_api_pass: "HISTORY_PURGED_SECRET"
icinga_api_url: "https://192.168.122.107:5665"
icinga_api_user: ""
icinga_api_pass: ""
icinga_api_url: "https://XXXXXXXXXXXXXXX:5665"
icinga_web_url: "https://icinga.atlantishq.de/"
backup_vsyncdir_password: HISTORY_PURGED_SECRET
icinga_web_db_password: HISTORY_PURGED_SECRET
icinga_ido_password: HISTORY_PURGED_SECRET
event_dispatcher_host: dispatcher.atlantishq.de
event_dispatcher_proto: https
event_dispatcher_port: 443
event_dispatcher_address: "{{ event_dispatcher_proto }}://{{ event_dispatcher_host }}"
event_dispatcher_user: dispatch
event_dispatcher_pass: HISTORY_PURGED_SECRET
notification_settings_access_token: HISTORY_PURGED_SECRET
event_dispatcher_user: ""
event_dispatcher_pass: ""
ntfy_api_target: https://p.athq.de
ntfy_push_target: https://push.atlantishq.de
ntfy_api_access_token: HISTORY_PURGED_SECRET
ldap_password: flanigan
ldap_root_pw: HISTORY_PURGED_SECRET
ldap_password: ""
ldap_dc: "atlantishq"
ldap_org: "atlantishq de"
ldap_suffix: "dc=atlantishq,dc=de"
@@ -81,77 +29,49 @@ ldap_group_dn: "ou=groups,dc=atlantishq,dc=de"
ldap_connection_url: ldap://192.168.122.112
ldap_connection_url_ext: "ldaps://ldap.atlantishq.de"
nsca_server_password: HISTORY_PURGED_SECRET
immich_pg_password: HISTORY_PURGED_SECRET
event_dispatcher_token: "HISTORY_PURGED_SECRET"
opensearch_logstash_password: "HISTORY_PURGED_SECRET"
opensearch_admin_password: "HISTORY_PURGED_SECRET"
opensearch_seed_hosts:
- ipv4.atlantishq.de:9300
- ipv4.atlantishq.de:9301
opensearch_manager_nodes:
- opensearch-data-1
- opensearch-data-2
event_dispatcher_token: ""
extra_root_keys:
- "# no extra keys"
smtp_user_domain: atlantishq.de
smtp_internal_host: mail.atlantishq.de
smtp_internal_host_port: 8025
smtp_service_user: noreply
smtp_service_pass: HISTORY_PURGED_SECRET
smtp_service_user: ""
smtp_service_pass: ""
pki_domain: pki.atlantishq.de
SOUNDLIB_AWS_ACCESS_KEY_ID: HISTORY_PURGED_SECRET
SOUNDLIB_AWS_SECRET_ACCESS_KEY: HISTORY_PURGED_SECRET
SOUNDLIB_S3_ENDPOINT: HISTORY_PURGED_SECRET
SOUNDLIB_AWS_ACCESS_KEY_ID: ""
SOUNDLIB_AWS_SECRET_ACCESS_KEY: ""
SOUNDLIB_S3_ENDPOINT: ""
# gotify #
gotify_user: admin
gotify_password: HISTORY_PURGED_SECRET
gotify_password: ""
# overwritten in monitoring master group var
monitoring_master: false
async_icinga_static_services:
- { "name" : "ths_auftragsdatenbank", "timeout" : "5h", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "apt_atlantis_laptop", "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "apt_atlantis_pc", "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "backup_atlantis_laptop", "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "backup_ths_storrage_box", "timeout" : "30d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "mail_atlantishq", "timeout" : "1h", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "ths_caldav_backup", "timeout" : "2d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "slapd_backup", "timeout" : "2d", "owner" : "sheppy", "token" : "HISTORY_PURGED_SECRET" }
- { "name" : "service_names", "timeout" : "5h", "owner" : "sheppy", "token" : "" }
keycloak_admin_password: HISTORY_PURGED_SECRET
keycloak_postgres_password: HISTORY_PURGED_SECRET
keycloak_admin_password: ""
keycloak_postgres_password: ""
keycloak_address: keycloak.atlantishq.de
harbor_http_secret: HISTORY_PURGED_SECRET
harbor_core_secret: HISTORY_PURGED_SECRET
harbor_jobservice_secret: HISTORY_PURGED_SECRET
harbor_postgres_pass: HISTORY_PURGED_SECRET
harbor_http_secret: ""
harbor_core_secret: ""
harbor_jobservice_secret: ""
harbor_postgres_pass: ""
harbor_registry_user: harbor
harbor_registry_password: HISTORY_PURGED_SECRET
harbor_admin_password: 20Dino00
ferchau_sftp_user: dkeipp
ferchau_sftp_password: HISTORY_PURGED_SECRET
gitea_postgres_pw: HISTORY_PURGED_SECRET
gitea_runner_registration_token: HISTORY_PURGED_SECRET
harbor_registry_password: ""
harbor_admin_password: ""
keycloak_clients:
python-flask-picture-factory:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : "" # pwgen -s 16
client_id: z_images
client_secret: "HISTORY_PURGED_SECRET"
client_secret: "" # pwgen -s 32
redirect_uris:
- "https://images.atlantishq.de/*"
- "https://images.athq.de/*"
@@ -169,9 +89,9 @@ keycloak_clients:
- "/pictures/"
simple-log-server:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_sls
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://sls.atlantishq.de/*"
description: "Simple Log Server"
@@ -182,9 +102,9 @@ keycloak_clients:
- "/submit"
soundlib-interface:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_soundlib
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://sounds.atlantishq.de/*"
description: "Soundlib interface"
@@ -194,9 +114,9 @@ keycloak_clients:
skips:
pki:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_hashicorp_vault
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://pki.atlantishq.de/*"
description: "PKI Vault"
@@ -206,9 +126,9 @@ keycloak_clients:
skips:
cert-manager:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_cert_manager
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://vpn.atlantishq.de/*"
description: "AtlantisHQ Certificate Manager"
@@ -218,9 +138,9 @@ keycloak_clients:
skips:
tmnf-replay-server:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_trackmania
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://trackmania.atlantishq.de/*"
description: "AtlantisHQ Trackmania Replays"
@@ -231,9 +151,9 @@ keycloak_clients:
- "/open-info"
atlantis-hub:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_atlantishub
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://hub.atlantishq.de/*"
description: "AtlantisHQ Hub"
@@ -243,9 +163,9 @@ keycloak_clients:
skips:
paperless:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_paperless
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://paperless.atlantishq.de/*"
description: "AtlantisHQ Paperless Archiving"
@@ -255,9 +175,9 @@ keycloak_clients:
skips:
icinga:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_icinga
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://icinga.atlantishq.de/*"
description: "Icinga Web"
@@ -267,9 +187,9 @@ keycloak_clients:
skips:
grafana:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_grafana
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://stats.atlantishq.de/*"
description: "Grafana"
@@ -279,9 +199,9 @@ keycloak_clients:
skips:
async-icinga:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_async_icinga
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://async-icinga.atlantishq.de/*"
description: "Icinga Web"
@@ -292,9 +212,9 @@ keycloak_clients:
- "/report"
hedgedoc:
party_secret : "HISTORY_PURGED_SECRET"
party_secret : ""
client_id: z_hedgedoc
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://hedgedoc.atlantishq.de/*"
description: "Hedgedoc"
@@ -303,9 +223,9 @@ keycloak_clients:
master_address: "https://hedgedoc.atlantishq.de"
harbor:
party_secret: "iHISTORY_PURGED_SECRET"
party_secret: ""
client_id: z_harbor
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://harbor-registry.atlantishq.de/*"
description: "Harbor Registry"
@@ -314,9 +234,9 @@ keycloak_clients:
master_address: "https://harbor-registry.atlantishq.de"
atlantis-verify:
party_secret: "3HISTORY_PURGED_SECRET"
party_secret: ""
client_id: z_at_verify
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://verify.atlantishq.de/*"
description: "Atlantis Verification"
@@ -325,9 +245,9 @@ keycloak_clients:
master_address: "https://verify.atlantishq.de"
reactive-resume:
party_secret: "RHISTORY_PURGED_SECRET"
party_secret: ""
client_id: z_reactive_resume
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://resume.atlantishq.de/*"
description: "Reactive Resume"
@@ -338,9 +258,9 @@ keycloak_clients:
- "/logo/light.svg"
money-balancer:
party_secret: "YHISTORY_PURGED_SECRET"
party_secret: ""
client_id: z_money_balancer
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://money-balancer.atlantishq.de/*"
description: "Money Balancer"
@@ -349,96 +269,12 @@ keycloak_clients:
master_address: "https://money-balancer.atlantishq.de"
atlantis-web-check:
party_secret: "CHISTORY_PURGED_SECRET"
party_secret: ""
client_id: z_web_check
client_secret: "HISTORY_PURGED_SECRET"
client_secret: ""
redirect_uris:
- "https://smartchecks.atlantishq.de/*"
description: "SMART Web-Checks"
keycloak_id: "00000000-0000-0000-0000-000000000017"
groups:
master_address: "https://smartchecks.atlantishq.de"
ferchau-wscad:
party_secret: "aHISTORY_PURGED_SECRET"
client_id: z_guenter
client_secret: "HISTORY_PURGED_SECRET"
redirect_uris:
- "https://wscad.atlantishq.de/*"
description: "WSCAD"
keycloak_id: "00000000-0000-0000-0000-000000000018"
groups: "guenter"
master_address: "https://wscad.atlantishq.de"
immich:
party_secret: "0HISTORY_PURGED_SECRET"
client_id: immich
client_secret: "HISTORY_PURGED_SECRET"
redirect_uris:
- "https://immich.atlantishq.de/*"
- "https://i.athq.de/*"
- "app.immich:/"
description: "Immich Pictures"
keycloak_id: "00000000-0000-0000-0000-000000000019"
groups: ""
master_address: "https://i.athq.de"
gitea:
party_secret: "SHISTORY_PURGED_SECRET"
client_id: gitea
client_secret: "HISTORY_PURGED_SECRET"
redirect_uris:
- "https://git.atlantishq.de/*"
- "https://git.athq.de/*"
description: "Gitea"
keycloak_id: "00000000-0000-0000-0000-000000000020"
groups: ""
master_address: "https://git.atlantishq.de"
olive-tin:
party_secret: "QHISTORY_PURGED_SECRET"
client_id: olive-tin
client_secret: "HISTORY_PURGED_SECRET"
redirect_uris:
- "https://olive.atlantishq.de/*"
description: "Olive-Tin"
keycloak_id: "00000000-0000-0000-0000-000000000021"
groups: "pki"
master_address: "https://olive.atlantishq.de"
tube-archivist:
party_secret: "EHISTORY_PURGED_SECRET"
client_id: tube-archivist
client_secret: "HISTORY_PURGED_SECRET"
redirect_uris:
- "https://youtube-proxy.atlantishq.de/*"
description: "Tube Archivist"
keycloak_id: "00000000-0000-0000-0000-000000000022"
groups: ""
master_address: "https://youtube-proxy.atlantishq.de"
atlantis-status:
party_secret: "EHISTORY_PURGED_SECRET"
client_id: atlantis-status
client_secret: "HISTORY_PURGED_SECRET"
redirect_uris:
- "https://actions.atlantishq.de/*"
description: "Atlantis Actions"
keycloak_id: "00000000-0000-0000-0000-000000000023"
groups: ""
master_address: "https://actions.atlantishq.de"
skips:
- "/endpoints"
- "/hook-passive"
opensearch-dashboard:
party_secret: "tHISTORY_PURGED_SECRET"
client_id: opensearch-dashboard
client_secret: "HISTORY_PURGED_SECRET"
redirect_uris:
- "https://opensearch.atlantishq.de/*"
description: "Atlantis Actions"
keycloak_id: "00000000-0000-0000-0000-000000000024"
groups: ""
master_address: "https://opensearch.atlantishq.de"
group_vars/harbor-registry.yaml
+2 -2
View File
@@ -1,4 +1,4 @@
harbor_version: v2.10.0
harbor_file: harbor-online-installer-{{ harbor_version }}.tgz
harbor_admin_password: 20Dino00
harbor_db_password: HISTORY_PURGED_SECRET
harbor_admin_password: ""
harbor_db_password: ""
group_vars/kube2.yaml
-1
View File
@@ -1 +0,0 @@
is_k8s_master: true
group_vars/mail.yaml
-25
View File
@@ -1,28 +1,3 @@
---
checks :
- { user : nobody, name : mail_queue, cmd : "/usr/lib/nagios/plugins/check_mailq -w 10 -c 20"}
mail_virtual_transport:
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET,kat.maurer@fau.de
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
mail_enabled_senders:
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
HISTORY_PURGED_SECRET: HISTORY_PURGED_SECRET
noreply@atlantishq.de: noreply@atlantishq.de
group_vars/nextcloud.yaml
-1
View File
@@ -1 +0,0 @@
nextcloud_nginx_ssl_enabled: true
group_vars/opensearch.yaml
-6
View File
@@ -1,6 +0,0 @@
opensearch_data_nodes:
- opensearch-data-1
- opensearch-data-2
opensearch_dashboards:
- opensearch-dashboard-1
group_vars/ths.yaml
-6
View File
@@ -1,9 +1,3 @@
---
nextcloud_nginx_ssl_enabled: false
nextcloud_instance_id: HISTORY_PURGED_SECRET
nextcloud_password_salt: HISTORY_PURGED_SECRET
nextcloud_instance_secret: HISTORY_PURGED_SECRET
nextcloud_master_domain: ths.atlantishq.de
nextcloud_db_password: HISTORY_PURGED_SECRET
checks :
- { user : sheppy, name : irc, cmd : ""}
group_vars/vpn.yaml
+1 -1
View File
@@ -4,6 +4,6 @@ checks :
- { user : nobody, name : wireguard-darknet-hase, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_hase_darknet -w300,10% -c 1000,20%"}
# - { user : nobody, name : darknet-reachable, cmd : "/usr/lib/nagios/plugins/check_ping -H 10.100.100.100 -w300,10% -c 1000,20%"}
openvpn_management_password: HISTORY_PURGED_SECRET
openvpn_management_password: ""
openvpn_management_passfile: mgnt-pass.txt
openvpn_management_port: 23000
playbook.yaml
+11 -29
View File
@@ -1,6 +1,5 @@
---
- hosts: all
strategy: free
roles:
- { role : monitoring-client, tags : [ "monitoring", "monitoring-client", "client"] }
- { role : sshd-config, tags : [ "sshd" ] }
@@ -10,72 +9,55 @@
- { role : zabbix-agent, tags : [ "zabbix-agent" ] }
- { role : iptables, tags : [ "iptables" ] }
- hosts: opensearch
strategy: free
roles:
- { role : opensearch, tags : [ "opensearch" ] }
- hosts: signal
strategy: free
- hosts: web1
roles:
- { role : signal, tags : [ "signal" ] }
- hosts: all
strategy: free
roles:
- { role : filebeat, tags : [ "filebeat" ] }
- { role : web1, tags : [ "web1" ] }
- { role : media, tags : [ "media" ] }
- hosts: mail
strategy: free
roles:
- { role : mail, tags : [ "mail" ] }
- hosts: backup
strategy: free
roles:
- { role : backup-vm, tags : [ "backup" ] }
- hosts: kube1
strategy: free
roles:
- { role : docker-deployments, tags : [ "docker", "kube1" ] }
- hosts: usermanagement
strategy: free
roles:
- { role : usermanagement, tags : [ "users", "keycloak" ] }
- hosts: monitoring
strategy: free
roles:
- { role : monitoring-master, tags : [ "monitoring-master", "icinga", "grafana" ] }
- hosts: typo3-cms
roles:
- { role : typo3-cms, tags : [ "typo3" ] }
- hosts: paperless
strategy: free
roles:
- { role : paperless, tags : [ "paperless" ] }
- hosts: vault-pki
roles:
- { role : vault-pki, tags : [ "pki_master", "vault" ] }
- hosts: vpn
strategy: free
roles:
- { role : openvpn, tags : [ "openvpn", "vpn", "certificate-manager" ] }
- hosts: timetracking
strategy: free
roles:
- { role : timetracking, tags : [ "timetracking", "kamai" ] }
- hosts: harbor-registry
strategy: free
roles:
- { role : harbor-registry, tags : [ "harbor" ] }
- hosts: nextcloud ths
strategy: free
roles:
- { role: nextcloud, tags: ["nextcloud"] }
#- hosts: kube2
# strategy: free
# roles:
# - { role: kubernetes-base, tags: ["kubernetes"] }
roles/backup-vm/files/backup_priv_key
+38
View File
@@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA2gAT8vYdNPb1EI/oHsL4SDvZA6VAZJFuXRs+h7A8aehS3mdCjjEz
2ckZMDx5AtyXnvL5E5dnxYu8I14ZFkqT3ux/0RXZ+px3+UUrzOGhMIZIw+xNZb3/ZS0VF5
yEnhVxTnQ94aUV6k+clT/TtUt0ZN2/ovRz5XMNbw5hR0uZmfq15sUEshw/LrsghC9UYuSD
s/V8cnGifzB19l2h1lPsYK0Nrr1q74Z4mwd24bX/eBqxyUF0X41HOJxd0ht/d+xZHYreS6
M7gxN/5i6DTej8F89d2dmnApaY4sjmUMaWtvk6cBOYtq1qGcLF7//8s6IR2wN9PqmEsSWE
K2GdV0cjkjxVkqd8MHLo/MjDKjCU9nu+Wclmh7qGLop3ThVuFTEe6RaabLJ523Sx7yRnuT
2TEg8ZcoVLZACuKdZ39pxJ4N1YwgXJ+lFitaaOQ0JnC8JHdHEG1ky8R4x+LALX8qewPI7B
i164Vq2jDjqFNCVZGpma6tgbksmguUu/inbxgoN1AAAFiNBNJKrQTSSqAAAAB3NzaC1yc2
EAAAGBANoAE/L2HTT29RCP6B7C+Eg72QOlQGSRbl0bPoewPGnoUt5nQo4xM9nJGTA8eQLc
l57y+ROXZ8WLvCNeGRZKk97sf9EV2fqcd/lFK8zhoTCGSMPsTWW9/2UtFRechJ4VcU50Pe
GlFepPnJU/07VLdGTdv6L0c+VzDW8OYUdLmZn6tebFBLIcPy67IIQvVGLkg7P1fHJxon8w
dfZdodZT7GCtDa69au+GeJsHduG1/3gasclBdF+NRzicXdIbf3fsWR2K3kujO4MTf+Yug0
3o/BfPXdnZpwKWmOLI5lDGlrb5OnATmLatahnCxe///LOiEdsDfT6phLElhCthnVdHI5I8
VZKnfDBy6PzIwyowlPZ7vlnJZoe6hi6Kd04VbhUxHukWmmyyedt0se8kZ7k9kxIPGXKFS2
QArinWd/acSeDdWMIFyfpRYrWmjkNCZwvCR3RxBtZMvEeMfiwC1/KnsDyOwYteuFatow46
hTQlWRqZmurYG5LJoLlLv4p28YKDdQAAAAMBAAEAAAGAbms5r4eflZM83820SdiBf7zol+
Mc8ZOELh69lmbawt4NE1+EI5eiZr5oRrlqpdtr5PO224iF5FZ5zgQ8esD9kx2BRDtoNHsK
fbTekaD7TyPFOY+4SD9rXCjwlQwPVC8SPCW+rks7BXqbmjFBH4P/iZOUHIrrJR4YgNbsyP
ru60JE3oWOclTCX/4iYzHB8XFDkGRYS3NpVjkKluYoMfJCOVmOI6MHxhj7f7LRMVRI+OG0
iXbg5gEeQPtavjB1aR3JuajYIRaxbJUzKCgE4+yeljvObSdG9THUiuFOTEkXcdtYnPu3uy
d2LcBQzLJ0BY6YvIoI4OFV6lqRRBXMleUSKzHFgkHUuRAKyPtVrE38HV/X5qQeBlg89/7/
XuwZDq+A7fSm95uj85bmrUXBKBog/F31UW+1P3lZ7j/ZxmcPwcJTJvPTFOSweynimeSZB/
lwFJpiDhxJjlfpWF0GxgIHdsjD4CZgSpSKCh/kI954f4HnhWEXbs8quoGwgrjIElTFAAAA
wEbaLe1mPdp8LsvOTbWNiF9eT5pKO2pwkJPINJ20ylxwYaap0Xda79shdskkxKTCwIFvoA
xjdE6B1HKqzsWHu7fiQ29/btdAZav+930tMSxemIwhNe9aHyOgoujNS8UaxaR/sSTnj19V
7DyetxFPGW1H1A/KKnPm+muqgO7KARHoQ+0x3I6pJzM+XHN5DT5FNSdtVm+xWCNsXwL4bk
t5d5vBU/VAspgNZVSge+aN3R2FGqA0dlDww4XX0nywbaO8WgAAAMEA/kwTKHc7W9eqYCzM
yRrPXB1cRhrLYOJNX+ykl/xPPx4YeZmrDmNfzcC8DULC/5HkXEygpsxuzK1SbGM0eeQyMu
LboVYxgslC0QjIfDS3x7CYUMsrK1r1nleGxYFpXRBTqKty6nNR53Unum2QAsGW90xfoD1N
NEeb2d/wgG/QHmTh6BzJ6JYqjc/ATsqfR5aKoNnh1stRHu6TzrIK4Y/6e/HEoXElwOyeYX
DadG5VfnD4jglgQR78sHtaSSIpvCADAAAAwQDbdcgfXQ93mIDnk97aXbrR/tP76+0QmsM2
IImV3/mhnjwsYXHnYTBoci6t+L+zClpW2FIj532XKSBF+fxIOTpnMW4grKICivbWmcrCj+
aA+w+mshv4K1A+TDlzfW4c+UHpp26UopkaFMrG9hvNoDcREyYqERf1YnxZCLTGgNQLpDUa
rveYj+PzCjTzUzH2wgtNttIDWeekFxTJP/7a7sdaRe4DzMMn0B0UDVKGgKY7s5q1xL0IJq
8oXFJvSt894ScAAAASc2hlcHB5QGF0bGFudGlzcGFkAQ==
-----END OPENSSH PRIVATE KEY-----
roles/backup-vm/templates/ths_cal_backup.sh → roles/backup-vm/files/ths_cal_backup.sh
+4 -4
View File
@@ -18,10 +18,10 @@ zip -q -r ~/ths_carddav_telefon_backups/${BACKUP_NAME} ~/ths-carddav-telefon
~/backups/backup-tools/backup_manager.py ~/ths_carddav_telefon_backups/ --debug
# send to storrage box
rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r ths_caldav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/
rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r ths_carddav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav/
rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r ths_carddav_telefon_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav_telefon/
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_caldav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav/
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_telefon_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav_telefon/
curl -H "Content-Type: application/json" \
-X POST https://async-icinga.atlantishq.de/report \
-d '{ "service" : "ths_caldav_backup", "token" : "{{ slapd_backup_submit_token }}", "status" : "OK", "info" : "" }'
-d '{ "service" : "ths_caldav_backup", "token" : "", "status" : "OK", "info" : "" }'
roles/backup-vm/templates/vsyncdir.conf → roles/backup-vm/files/vsyncdir.conf
+3 -3
View File
@@ -11,7 +11,7 @@ type = "caldav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/calendars/backup/ths_shared_by_ths/"
username = "backup"
password = "{{ backup_vsyncdir_password }}"
password = ""
[storage ths_local_caldav]
type = "filesystem"
@@ -28,7 +28,7 @@ type = "carddav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths_shared_by_ths/"
username = "backup"
password = "{{ backup_vsyncdir_password }}"
password = ""
[storage ths_local_carddav]
type = "filesystem"
@@ -46,7 +46,7 @@ type = "carddav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths-telefon-1_shared_by_ths/"
username = "backup"
password = "{{ backup_vsyncdir_password }}"
password = ""
[storage ths_local_carddav_telefon]
type = "filesystem"
roles/backup-vm/tasks/main.yaml
+3 -2
View File
@@ -5,14 +5,14 @@
- vdirsyncer
- name: Copy Backup caldav script
template:
copy:
src: ths_cal_backup.sh
dest: /home/sheppy/ths_cal_backup.sh
owner: sheppy
group: sheppy
- name: Copy vdirsync config
template:
copy:
src: vsyncdir.conf
dest: /home/sheppy/vsyncdir.conf
owner: sheppy
@@ -48,6 +48,7 @@
group: sheppy
mode: 0600
with_items:
- backup_priv_key
- config
- name: template SLAPD backup script
roles/backup-vm/templates/slapd_backup.sh
+2 -15
View File
@@ -3,25 +3,12 @@ set -e
DIR=/home/sheppy/slapd_backup
eval `ssh-agent`
ssh-add ~/.ssh/id_rsa
cd
rsync -r --remove-source-files sheppy@192.168.122.112:$DIR /home/sheppy
~/backups/backup-tools/backup_manager.py --extensions ldif -- $DIR
rsync --delete --rsh="/usr/bin/sshpass -p {{ storagebox_u244665_sub2_password }} ssh -p23" -r slapd_backup/* u244665-sub2@u244665.your-storagebox.de:./slapd_backup/
for file in "$DIR"/*; do
# Check if the file is empty
if [ ! -s "$file" ]; then
echo "Empty file found: $file"
exit 1
fi
done
rsync --delete --rsh="/usr/bin/sshpass -p ebHYlyVHgRnBcdkb ssh -p23" -r slapd_backup/* u244665-sub2@u244665.your-storagebox.de:./slapd_backup/
curl -H "Content-Type: application/json" \
-X POST https://async-icinga.atlantishq.de/report \
-d '{ "service" : "slapd_backup", "token" : "{{ slapd_backup_submit_token }}", "status" : "OK", "info" : "" }'
-d '{ "service" : "slapd_backup", "token" : "WX0yXFxSsb", "status" : "OK", "info" : "" }'
roles/base/tasks/main.yaml
-33
View File
@@ -7,10 +7,6 @@
- tcpdump
- git
- apt-file
- htop
- ncdu
- gpg
- unattended-upgrades
- name: Ensure Opt dir exists and accessible
file:
@@ -51,32 +47,3 @@
path: /root/.ssh/authorized_keys
line: "{{ item }}"
loop: "{{ extra_root_keys }}"
- name: Add journalctl cleanup
ansible.builtin.cron:
name: "check dirs"
minute: "0"
hour: "0"
job: "/usr/bin/journalctl --vacuum-time={{ keep_journal_for_days }}d"
- name: Remove mails in var-mail
ansible.builtin.cron:
name: "Cleanup local mails"
minute: "0"
hour: "0"
job: "/usr/bin/rm -f /var/mail/*"
- name: Template Logrotate configs
template:
src: "{{ item }}"
dest: "/etc/logrotate/logrotate.d/"
with_items:
- daemon.conf
- syslog.conf
- name: Template Unattended Upgrade conf
template:
src: "{{ item }}"
dest: "/etc/apt/apt.conf.d/"
with_items:
- 20auto-upgrades.conf
roles/base/templates/20auto-upgrades.conf
-2
View File
@@ -1,2 +0,0 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
roles/base/templates/daemon.conf
-9
View File
@@ -1,9 +0,0 @@
/var/log/daemon.log {
daily
rotate {{ keep_journal_for_days }}
compress
delaycompress
missingok
notifempty
create
}
roles/base/templates/syslog.conf
-9
View File
@@ -1,9 +0,0 @@
/var/log/syslog.log {
daily
rotate {{ keep_journal_for_days }}
compress
delaycompress
missingok
notifempty
create
}
roles/base/templates/wg-client.conf
-5
View File
@@ -1,5 +0,0 @@
[Peer]
PublicKey = {{ hypervisor_wg_public_key }}
Endpoint= {{ hypervisor_internal_ip }}:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
roles/base/templates/wg-hypervisor.conf
-11
View File
@@ -1,11 +0,0 @@
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
{% for client in clients %}
# {{ client.name }}
[Peer]
PublicKey = <client1_public_key>
AllowedIPs = 10.0.0.{{ loop.index + }}/32
{% endfor %}
roles/docker-base/tasks/main.yaml
-13
View File
@@ -1,13 +0,0 @@
- name: Debian | Add GPG Keys
apt_key:
url: "https://download.docker.com/linux/debian/gpg"
- name: Debian | Add Repo Source
apt_repository:
repo: "deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable"
update_cache: yes
- name: Install docker-ce
apt:
name: docker-ce
state: present
roles/docker-deployments/files/cdn.conf
-16
View File
@@ -1,16 +0,0 @@
server {
autoindex on;
autoindex_localtime on;
listen 5051;
root /var/www/cdn/;
add_header Vary Accept-Encoding;
add_header Access-Control-Allow-Origin $http_origin;
location /videos/{
default_type video/mp4;
limit_rate 2m;
autoindex on;
}
}
roles/docker-deployments/files/htpasswd
-2
View File
@@ -1,2 +0,0 @@
kathi:$y$j9T$HISTORY_PURGED_SECRET
sheppy:$y$HISTORY_PURGED_SECRET
roles/docker-deployments/files/ipcheck.conf
-19
View File
@@ -1,19 +0,0 @@
server {
listen 5053;
access_log off;
gzip off;
default_type text/plain;
if ($remote_addr ~* 172\.16\.1\.(.+)){
return 200 "$remote_addr (This is a local VPN ip, it is NOT your true external ip!)";
}
if ($remote_addr ~* 192\.168\.122\.1){
return 200 $http_x_real_ip;
}
location / {
return 200 $remote_addr;
}
}
roles/docker-deployments/handlers/main.yaml
+1 -1
View File
@@ -5,4 +5,4 @@
- name: restart hub
shell:
cmd: docker restart atlantis-hub_atlantis-hub-1
cmd: docker restart atlantis-hub_atlantis-hub_1
roles/docker-deployments/tasks/main.yaml
+40 -136
View File
@@ -1,10 +1,5 @@
- include_vars: services.yaml
- name: Deploy Docker daemon.json
template:
src: daemon.json
dest: /etc/docker/daemon.json
- name: Create data-dir
file:
name: /data/
@@ -39,16 +34,6 @@
notify:
- reload async icinga settings
- name: Create Event Dispatch Substitutions config dir
file:
name: /data/event-dispatcher/substitutions/
state: directory
- name: Copy Event Dispatcher Substitutions Map
template:
src: event-message-subsitution-map.yaml
dest: /data/event-dispatcher/substitutions/substitutions.yaml
- name: Async Icinga Service (dynamic from backup file)
copy:
src: async-icinga-config-dynamic.json
@@ -65,20 +50,14 @@
- atlantis-hub
- grafana
- event-dispatcher
- reactive-resume
#- reactive-resume
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- ntfy
- code-server
- nginx-media-cdn
- immich
- gitea
- gitea-runner
- atlantis-status
- logstash
- atlantis-web-check
- gotify
- name: Copy AtlantisHub config
copy:
@@ -105,37 +84,6 @@
src: "grafana.ini"
dest: "/data/grafana/grafana.ini"
- name: create_logstash_data_dirs
file:
name: "/data/logstash/{{ item }}"
state: directory
with_items:
- "config"
- "pipeline"
- name: copy_logstash_config
template:
src: "{{ item }}"
dest: "/data/logstash/config/"
with_items:
- "logstash.yml"
- "pipelines.yml"
- name: copy_logstash_pipeline_config
template:
src: "{{ item }}"
dest: "/data/logstash/pipeline/"
with_items:
- "logstash.conf"
- name: copy_atlantis_status_services
template:
src: "{{ item }}.yaml"
dest: "/data/atlantis-status/services/"
with_items:
- "atlantis-array"
- "service-dispatcher-config"
- name: Create compose directories
file:
name: "/opt/{{ item }}"
@@ -150,22 +98,15 @@
- atlantis-hub
- grafana
- event-dispatcher
#- tor
- reactive-resume
- tor
#- reactive-resume
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- ntfy
- code-server
- serienampel
- nginx-media-cdn
- immich
- gitea
- gitea-runner
- atlantis-status
- logstash
- atlantis-web-check
- gotify
- name: Copy compose templates
template:
@@ -181,50 +122,25 @@
- atlantis-hub
- grafana
- event-dispatcher
#- tor
- tor
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- ntfy
- code-server
- serienampel
- nginx-media-cdn
- immich
- gitea
- gitea-runner
- atlantis-status
- logstash
- atlantis-web-check
- gotify
- name: create sites-enabled dir
file:
path: "/opt/nginx-media-cdn/sites-enabled/"
state: directory
- name: Deploy nginx-media-cdn config files
copy:
src: "{{ item }}"
dest: "/opt/nginx-media-cdn/sites-enabled/"
with_items:
- media.conf
- cdn.conf
- ipcheck.conf
- name: Deploy nginx auth
copy:
src: "{{ item }}"
dest: "/opt/nginx-media-cdn/"
owner: 101
group: 101
with_items:
- htpasswd
- name: Log into private registry
docker_login:
registry: registry.atlantishq.de
username: docker
password: ""
- name: Deploy compose templates
community.docker.docker_compose_v2:
remove_orphans: true
community.docker.docker_compose:
project_src: "/opt/{{ item }}/"
pull: "missing"
pull: true
files:
- "{{ item }}.yaml"
with_items:
@@ -237,22 +153,14 @@
- atlantis-hub
- grafana
- event-dispatcher
#- tor
- reactive-resume
- tor
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- money-balancer
- ntfy
- code-server
- serienampel
- nginx-media-cdn
- immich
- gitea
- gitea-runner
- atlantis-status
- logstash
- money-balancer
- atlantis-web-check
- gotify
- name: OAuth2Proxy directories
file:
@@ -269,8 +177,7 @@
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- olive-tin
- atlantis-status
- atlantis-web-check
- name: include services ports
include_vars: services.yaml
@@ -279,24 +186,6 @@
template:
src: oauth-standalone-docker-compose.yaml
dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
#remove_orphans: true
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- reactive-resume
- money-balancer
- olive-tin
- atlantis-status
- name: Deploy OAuth2Proxy
community.docker.docker_compose_v2:
project_src: /opt/oauth2proxy/{{ item }}/
pull: always
with_items:
- tmnf-replay-server
- atlantis-hub
@@ -306,6 +195,21 @@
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
#- money-balancer
- olive-tin
- atlantis-status
- money-balancer
- atlantis-web-check
- name: Deploy OAuth2Proxy
community.docker.docker_compose:
project_src: /opt/oauth2proxy/{{ item }}/
pull: true
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- atlantis-web-check
roles/docker-deployments/templates/async-icinga.yaml
+1 -2
View File
@@ -1,5 +1,4 @@
services:
async-icinga:
async-icinga:
volumes:
- "/data/async-icinga/:/app/config"
- "/data/async-icinga/instance/:/app/instance/"
roles/docker-deployments/templates/athq-landing.yaml
+3 -4
View File
@@ -1,6 +1,5 @@
services:
athqlanding:
athqlanding:
ports:
- 5002:5000
image: harbor-registry.atlantishq.de/atlantishq/athq-landing-page
- 5002:5000
image: registry.atlantishq.de/athq/landing-page
restart: always
roles/docker-deployments/templates/atlantis-array.yaml
-23
View File
@@ -1,23 +0,0 @@
name: Atlantis Array
hook_operations:
- start_service:
passive: true
- unlock_service:
location:
url:
- https://ipv4-vpn-activate.atlantishq.de:10443/activate
- https://ipv6-vpn-activate.atlantishq.de:10443/activate
client_secret: https://ipv4-vpn-activate.atlantishq.de:10443/one-time-token
client_secret_field: "secret"
args:
secret: "{{ atlantis_array_action_pw }}"
status_url: https://vpn-activate.atlantishq.de:10443/am-i-unlocked
client: true
register_endpoints:
- start_service:
token: token_1
groups:
- trackmania
roles/docker-deployments/templates/atlantis-hub.yaml
+2 -3
View File
@@ -1,6 +1,5 @@
services:
atlantis-hub:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-hub:latest
atlantis-hub:
image: registry.atlantishq.de/atlantis-hub:latest
restart: always
ports:
- 6011:5000
roles/docker-deployments/templates/atlantis-status.yaml
-8
View File
@@ -1,8 +0,0 @@
services:
atlantis-status-management:
ports:
- 6026:5000
volumes:
- /data/atlantis-status/services:/app/services
image: harbor-registry.atlantishq.de/atlantishq/atlantis-status:latest
restart: always
roles/docker-deployments/templates/atlantis-verify.yaml
+3 -9
View File
@@ -1,5 +1,4 @@
services:
atlantis-verify:
atlantis-verify:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-verify:latest
restart: always
environment:
@@ -10,8 +9,6 @@ services:
LDAP_BASE_DN: {{ ldap_user_dn }}
DISPATCH_SERVER: {{ event_dispatcher_address }}
DISPATCH_SETTINGS_TOKEN: {{ notification_settings_access_token }}
DISPATCH_ACCESS_TOKEN: {{ event_dispatcher_pass }}
SQLALCHEMY_DATABASE_URI: "instance/database.sqlite"
@@ -22,11 +19,8 @@ services:
MAIN_HOME: https://hub.atlantishq.de
NTFY_ACCESS_TOKEN: {{ ntfy_api_access_token }}
NTFY_API_TARGET: {{ ntfy_api_target }}
NTFY_PUSH_TARGET: {{ ntfy_push_target }}
OIDC_ADMIN_USER: sheppy
DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
ports:
- {{ services[item].port + 1000 }}:5000
roles/docker-deployments/templates/atlantis-web-check.yaml
+1
View File
@@ -1,3 +1,4 @@
version: "3.3"
services:
master:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-master:latest
roles/docker-deployments/templates/code-server.yaml
-12
View File
@@ -1,12 +0,0 @@
services:
code:
image: codercom/code-server
volumes:
- /data/code-server/projects/:/home/coder/project/
- /data/code-server/data:/data
environment:
- PASSWORD={{ code_server_password }}
ports:
- 5020:8080
command: code-server --auth password
restart: always
roles/docker-deployments/templates/daemon.json
-5
View File
@@ -1,5 +0,0 @@
{
"live-restore": true,
"storage-driver": "overlay2",
"log-opts": { "max-size": "10m" }
}
roles/docker-deployments/templates/event-dispatcher.yaml
+14 -44
View File
@@ -1,44 +1,14 @@
services:
event-dispatcher:
ports:
- 5007:5000
image: harbor-registry.atlantishq.de/atlantishq/event-dispatcher
restart: always
volumes:
- "/data/event-dispatcher/instance/:/app/instance/"
- "/data/event-dispatcher/substitutions/:/app/substitutions/"
environment:
LDAP_SERVER : "{{ ldap_connection_url }}"
LDAP_BIND_DN : "{{ ldap_bind_dn }}"
LDAP_BIND_PW : "{{ ldap_password }}"
LDAP_BASE_DN : "{{ ldap_user_dn }}"
DISPATCH_ACCESS_TOKEN: "{{ event_dispatcher_pass }}"
SETTINGS_ACCESS_TOKEN: "{{ notification_settings_access_token }}"
SUBSTITUTION_MAP: /app/substitutions/substitutions.yaml
event-dispatcher-worker:
image: harbor-registry.atlantishq.de/atlantishq/event-dispatcher-worker
restart: always
environment:
DISPATCH_SERVER: "{{ event_dispatcher_proto }}://{{ event_dispatcher_host }}"
DISPATCH_ACCESS_TOKEN: "{{ event_dispatcher_pass }}"
NTFY_PUSH_TARGET: "{{ ntfy_push_target }}"
NTFY_USER: "admin"
NTFY_PASS: "{{ ntfy_api_access_token }}"
NTFY_API_SERVER: "{{ ntfy_api_target }}"
NTFY_API_TOKEN: "{{ ntfy_api_access_token }}"
LDAP_SERVER : "{{ ldap_connection_url }}"
LDAP_BIND_DN : "{{ ldap_bind_dn }}"
LDAP_BIND_PW : "{{ ldap_password }}"
LDAP_BASE_DN : "{{ ldap_user_dn }}"
SMTP_TARGET: "{{ smtp_internal_host }}"
SMTP_PORT: "{{ smtp_internal_host_port }}"
SMTP_USER: "{{ smtp_service_user }}@atlantishq.de"
SMTP_PASS: "{{ smtp_service_pass }}"
event-dispatcher:
ports:
- 5007:5000
image: registry.atlantishq.de/athq/event-dispatcher
restart: always
volumes:
- "/data/event-dispatcher/instance/:/app/instance/"
environment:
SIGNAL_API_PASS: "{{ event_dispatcher_pass }}"
LDAP_SERVER : "{{ ldap_connection_url }}"
LDAP_BIND_DN : "{{ ldap_bind_dn }}"
LDAP_BIND_PW : "{{ ldap_password }}"
LDAP_BASE_DN : "{{ ldap_user_dn }}"
SIGNAL_GATEWAY_PASS: "{{ event_dispatcher_token }}"
roles/docker-deployments/templates/event-message-subsitution-map.yaml
-19
View File
@@ -1,19 +0,0 @@
prometheus: "vnet0:"
paperless: "vnet1:"
usermanagement: "vnet2:"
git: "vnet3:"
harbor-registry: "vnet4:"
irc-new: "vnet5:"
backup: "vnet6:"
ths: "vnet7:"
signal: "vnet8:"
zabbix: "vnet9:"
kathi: "vnet10:"
vpn: "vnet11:"
timetracking: "vnet12:"
monitoring: "vnet13:"
mail: "vnet14:"
nextcloud-athq: "vnet15:"
steam-master: "vnet16:"
kube1: "vnet20:"
nextcloud-s3-oidc: "vnet22:"
roles/docker-deployments/templates/ferchau-wscad.yaml
-25
View File
@@ -1,25 +0,0 @@
services:
ferchau-wscad:
image: harbor-registry.atlantishq.de/guenter/wscad-server
restart: always
ports:
- 6019:5000
volumes:
- data:/app/data/
openssh-server:
image: lscr.io/linuxserver/openssh-server:latest
restart: always
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- SUDO_ACCESS=false
- PASSWORD_ACCESS=true
- USER_NAME={{ ferchau_sftp_user }}
- USER_PASSWORD={{ ferchau_sftp_password }}
volumes:
- data:/config/data
ports:
- 2222:2222
volumes:
data:
roles/docker-deployments/templates/gitea-runner.yaml
-13
View File
@@ -1,13 +0,0 @@
services:
runner:
image: gitea/act_runner:nightly
environment:
CONFIG_FILE: /config.yaml
GITEA_INSTANCE_URL: "https://git.athq.de"
GITEA_RUNNER_REGISTRATION_TOKEN: "{{ gitea_runner_registration_token }}"
GITEA_RUNNER_NAME: "atlantis-runner"
GITEA_RUNNER_LABELS: "ubuntu-latest,atlantis"
volumes:
- /data/gitea-runner/config.yaml:/config.yaml
- /data/gitea-runner/data:/data
- /var/run/docker.sock:/var/run/docker.sock
roles/docker-deployments/templates/gitea.yaml
-40
View File
@@ -1,40 +0,0 @@
version: "3"
networks:
gitea:
external: false
services:
gitea-server:
image: gitea/gitea:latest
environment:
- USER_UID=1000
- USER_GID=1000
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=db:5432
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD={{ gitea_postgres_pw }}
restart: always
networks:
- gitea
volumes:
- /data/gitea/data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "5024:3000"
- "222:22"
depends_on:
- db
db:
image: postgres:14
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD={{ gitea_postgres_pw }}
- POSTGRES_DB=gitea
networks:
- gitea
volumes:
- /data/gitea/pg-data:/var/lib/postgresql/data
roles/docker-deployments/templates/gotify.yaml
+11
View File
@@ -0,0 +1,11 @@
gotify:
image: gotify/server
restart: always
environment:
- TZ="Europe/Berlin"
- GOTIFY_DEFAULTUSER_NAME={{ gotify_user }}
- GOTIFY_DEFAULTUSER_PASS={{ gotify_password }}
ports:
- 4001:80
volumes:
- /data/gotify/data:/app/data
roles/docker-deployments/templates/grafana.ini
+1 -1
View File
@@ -304,7 +304,7 @@
;admin_email = admin@localhost
# used for signing
;secret_key = HISTORY_PURGED_SECRET
;secret_key = SW2YcwTIb9zpOOhoPsMm
# current key provider used for envelope encryption, default to static value specified by secret_key
;encryption_provider = secretKey.v1
roles/docker-deployments/templates/grafana.yaml
+1 -2
View File
@@ -1,5 +1,4 @@
services:
grafana:
grafana:
ports:
- 4000:3000
image: grafana/grafana-oss
roles/docker-deployments/templates/hedgedoc.yaml
+6 -5
View File
@@ -1,18 +1,19 @@
version: '3'
services:
database:
image: postgres:15-alpine
image: postgres:13.4-alpine
environment:
- POSTGRES_USER=hedgedoc
- POSTGRES_PASSWORD={{ hedgedoc_db_password }}
- POSTGRES_PASSWORD=D7OIx5VBUa7nEzdy6f
- POSTGRES_DB=hedgedoc
volumes:
- /data/hedgedoc/pgsql:/var/lib/postgresql/data
restart: always
app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:latest
image: quay.io/hedgedoc/hedgedoc:1.9.9
environment:
- CMD_DB_URL=postgres://hedgedoc:{{ hedgedoc_db_password }}@database:5432/hedgedoc
- CMD_DB_URL=postgres://hedgedoc:D7OIx5VBUa7nEzdy6f@database:5432/hedgedoc
- CMD_DOMAIN=hedgedoc.atlantishq.de
- CMD_PROTOCOL_USESSL=true
- CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']
@@ -22,7 +23,7 @@ services:
- CMD_OAUTH2_TOKEN_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token
- CMD_OAUTH2_AUTHORIZATION_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth
- CMD_OAUTH2_CLIENT_ID=z_hedgedoc
- CMD_OAUTH2_CLIENT_SECRET={{ keycloak_clients['hedgedoc']['client_secret'] }}
- CMD_OAUTH2_CLIENT_SECRET=T4kvtI0ZF1JepEbmTm9bCksCJkuDOicGd
- CMD_OAUTH2_SCOPE=openid email profile
- CMD_OAUTH2_ROLES_CLAIM=roles
- CMD_OAUTH2_PROVIDERNAME=AtlantisHQ Auth
roles/docker-deployments/templates/immich.yaml
-57
View File
@@ -1,57 +0,0 @@
name: immich
services:
immich-server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:release
volumes:
- /data/immich/upload:/usr/src/app/upload
- /etc/localtime:/etc/localtime:ro
environment:
DB_USERNAME: postgres
DB_PASSWORD: HISTORY_PURGED_SECRET
DB_DATABASE_NAME: immich
ports:
- 2283:2283
depends_on:
- redis
- database
restart: always
immich-machine-learning:
container_name: immich_machine_learning
image: ghcr.io/immich-app/immich-machine-learning:release
volumes:
- model-cache:/cache
environment:
DB_USERNAME: postgres
DB_PASSWORD: HISTORY_PURGED_SECRET
DB_DATABASE_NAME: immich
restart: always
redis:
container_name: immich_redis
image: docker.io/redis:6.2-alpine
healthcheck:
test: redis-cli ping || exit 1
restart: always
database:
container_name: immich_postgres
image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0
environment:
POSTGRES_PASSWORD: {{ immich_pg_password }}
POSTGRES_USER: postgres
POSTGRES_DB: immich
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- /data/immich/pgdata:/var/lib/postgresql/data
healthcheck:
test: pg_isready --dbname='immich' --username='postgres' || exit 1; Chksum="$$(psql --dbname='immich' --username='postgres' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
interval: 5m
start_interval: 30s
start_period: 5m
command: ["postgres", "-c" ,"shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
restart: always
volumes:
model-cache:
roles/docker-deployments/templates/logstash.conf
-33
View File
@@ -1,33 +0,0 @@
input {
beats {
port => 5044
}
}
output {
if [fields][container_logs] {
opensearch {
hosts => ["https://atlantishq.de:9200"]
index => "filebeat-containers-dev-%{+YYYY.MM.dd}"
ssl_certificate_verification => false
user => "logstash"
password => "HISTORY_PURGED_SECRET"
}
}else if [fields][syslog] {
opensearch {
hosts => ["https://atlantishq.de:9200"]
index => "filebeat-syslog-dev-%{+YYYY.MM.dd}"
ssl_certificate_verification => false
user => "logstash"
password => "HISTORY_PURGED_SECRET"
}
}else{
opensearch {
hosts => ["https://atlantishq.de:9200"]
index => "filebeat-dev-%{+YYYY.MM.dd}"
ssl_certificate_verification => false
user => "logstash"
password => "HISTORY_PURGED_SECRET"
}
}
}
roles/docker-deployments/templates/logstash.yaml
-13
View File
@@ -1,13 +0,0 @@
version: "3.8"
services:
logstash:
restart: always
image: opensearchproject/logstash-oss-with-opensearch-output-plugin:8.9.0
container_name: logstash
ports:
- "5044:5044"
volumes:
- /data/logstash/config:/usr/share/logstash/config
- /data/logstash/pipeline:/usr/share/logstash/pipeline
environment:
LS_JAVA_OPTS: "-Xmx256m -Xms256m"
roles/docker-deployments/templates/logstash.yml
-2
View File
@@ -1,2 +0,0 @@
http.host: "0.0.0.0"
#xpack.monitoring.enabled: false
roles/docker-deployments/templates/money-balancer.yaml
+2 -1
View File
@@ -1,3 +1,4 @@
version: "3"
services:
money-balancer:
image: ghcr.io/dorianim/money-balancer
@@ -7,7 +8,7 @@ services:
volumes:
- /data/money-balancer:/data
environment:
- MONEYBALANCER_JWT_SECRET={{ money_balancer_jwt_secret }}
- MONEYBALANCER_JWT_SECRET=Opta7EkHqgBWUDZULVypcP8FCxw511
- MONEYBALANCER_AUTH_LOCAL_ENABLED=false
- MONEYBALANCER_AUTH_PROXY_ENABLED=true
- MONEYBALANCER_AUTH_PROXY_HEADERS_USERNAME=x-forwarded-preferred-username
roles/docker-deployments/templates/nginx-media-cdn.yaml
-13
View File
@@ -1,13 +0,0 @@
services:
nginx:
image: nginx:latest
restart: always
ports:
- "5051:5051"
- "5052:5052"
- "5053:5053"
volumes:
- /opt/nginx-media-cdn/sites-enabled:/etc/nginx/conf.d
- /opt/nginx-media-cdn/htpasswd:/etc/nginx/htpasswd_1
- /data/nginx-media-cdn/cdn:/var/www/cdn
- /data/nginx-media-cdn/media:/var/www/media
roles/docker-deployments/templates/ntfy.yaml
-37
View File
@@ -1,37 +0,0 @@
services:
ntfy:
image: binwiederhier/ntfy
container_name: ntfy
command:
- serve
environment:
NTFY_BASE_URL: "https://push.atlantishq.de"
NTFY_BEHIND_PROXY: "true"
NTFY_AUTH_FILE: "/userdb/user.db"
NTFY_AUTH_DEFAULT_ACCESS: "deny-all"
volumes:
- /data/ntfy/cache/ntfy:/var/cache/ntfy
- /data/ntfy/etc/ntfy:/etc/ntfy
- /data/ntfy/userdb/:/userdb/
ports:
- 4001:80
healthcheck: # optional: remember to adapt the host:port to your environment
test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"]
interval: 60s
timeout: 10s
retries: 3
start_period: 40s
restart: unless-stopped
ntfy-api:
image: harbor-registry.atlantishq.de/atlantishq/ntfy-api
ports:
- 4002:5000
depends_on:
- ntfy
environment:
ACCESS_TOKEN: {{ ntfy_api_access_token }}
NTFY_AUTH_FILE: "/userdb/user.db"
volumes:
- /data/ntfy/userdb/:/userdb/
- /data/ntfy/instance/:/app/instance/
restart: unless-stopped
roles/docker-deployments/templates/pipelines.yml
-2
View File
@@ -1,2 +0,0 @@
- pipeline.id: main
path.config: "/usr/share/logstash/pipeline/logstash.conf"
roles/docker-deployments/templates/potaris.yaml
+1 -2
View File
@@ -1,5 +1,4 @@
services:
potaris:
potaris:
ports:
- 5003:5000
- 5004:5000
roles/docker-deployments/templates/python-flask-picture-factory.yaml
+1
View File
@@ -1,3 +1,4 @@
version: '3'
services:
image-factory:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-image-factory:latest
roles/docker-deployments/templates/reactive-resume.yaml
+6 -6
View File
@@ -12,13 +12,13 @@ services:
- resume
environment:
MINIO_ROOT_USER: minioadmin
MINIO_ROOT_PASSWORD: {{ reactive_resume_minio_password }}
MINIO_ROOT_PASSWORD: WGTVrFT73kwv0CbKa0PR
db:
image: postgres:13
environment:
- POSTGRES_USER=reactiveresume
- POSTGRES_PASSWORD={{ reactive_resume_postgres_password }}
- POSTGRES_PASSWORD=pwMOJntCfXdwF9ExnjNi
- POSTGRES_DB=reactiveresume
restart: always
volumes:
@@ -65,11 +65,11 @@ services:
CHROME_URL: ws://chrome:3000
# -- Database (Postgres) --
DATABASE_URL: postgresql://reactiveresume:{{ reactive_resume_postgres_password }}@db:5432/postgres
DATABASE_URL: postgresql://reactiveresume:pwMOJntCfXdwF9ExnjNi@db:5432/postgres
# -- Auth --
ACCESS_TOKEN_SECRET: {{ reactive_resume_access_token }}
REFRESH_TOKEN_SECRET: {{ reactive_resume_refresh_token }}
ACCESS_TOKEN_SECRET: 2EkPnUqJIE2EkPnUqJIE
REFRESH_TOKEN_SECRET: cihib7NzMxcihib7NzMx
# -- Emails --
MAIL_FROM: noreply@atlantishq.de
@@ -80,7 +80,7 @@ services:
STORAGE_PORT: 9000
STORAGE_BUCKET: default
STORAGE_ACCESS_KEY: minioadmin
STORAGE_SECRET_KEY: {{ reactive_resume_minio_password }}
STORAGE_SECRET_KEY: WGTVrFT73kwv0CbKa0PR
# -- Cache (Redis) --
REDIS_URL: redis://default:password@redis:6379
roles/docker-deployments/templates/sector32.yaml
+2 -3
View File
@@ -1,6 +1,5 @@
services:
sector32:
sector32:
ports:
- 5001:5000
image: harbor-registry.atlantishq.de/atlantishq/sector32
image: registry.atlantishq.de/athq/sector32
restart: always
roles/docker-deployments/templates/serienampel.yaml
-6
View File
@@ -1,6 +0,0 @@
services:
serienampel:
image: harbor-registry.atlantishq.de/atlantishq/serienampel:latest
restart: always
ports:
- "5021:5000"
roles/docker-deployments/templates/service-dispatcher-config.yaml
-34
View File
@@ -1,34 +0,0 @@
name: Dispatcher Downtime
hook_operations:
- 5_minutes_downtime:
location:
url:
- https://dispatcher.atlantishq.de/downtime
method: "POST"
args:
token: "{{ notification_settings_access_token }}"
minutes: 5
client: false
- 30_minutes_downtime:
location:
url:
- https://dispatcher.atlantishq.de/downtime
method: "POST"
args:
token: "{{ notification_settings_access_token }}"
minutes: 30
status_url: https://dispatcher.atlantishq.de/downtime
client: false
- 24_hours_downtime:
location:
url:
- https://dispatcher.atlantishq.de/downtime
method: "POST"
args:
token: "{{ notification_settings_access_token }}"
minutes: 720
client: false
groups:
- pki
roles/docker-deployments/templates/soundlib-interface.yaml
+1
View File
@@ -1,3 +1,4 @@
version: '3'
services:
soundlib:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-soundlib:latest
roles/docker-deployments/templates/tmnf-replay-server.yaml
+4 -3
View File
@@ -1,5 +1,4 @@
services:
tmnf-replay-server:
tmnf-replay-server:
image: harbor-registry.atlantishq.de/atlantishq/tmnf-replay-server:latest
restart: always
ports:
@@ -10,4 +9,6 @@ services:
environment:
SQLITE_LOCATION: sqlite:////app/data/sqlite.db
DISPATCH_SERVER: {{ event_dispatcher_address }}
DISPATCH_TOKEN: {{ event_dispatcher_pass }}
DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
roles/docker-deployments/templates/tor.yaml
+2 -2
View File
@@ -7,8 +7,8 @@ services:
environment:
- OR_PORT=20000
- PT_PORT=20001
- EMAIL={{ tor_bridge_email }}
- NICKNAME={{ tor_bridge_name }}
- EMAIL=nobody@nowhere.com
- NICKNAME=nowhere
- OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
- OBFS4V_AddressDisableIPv6=1
# - OBFS4V_PublishServerDescriptor=0
roles/docker-deployments/templates/tube-archivist.yaml
-65
View File
@@ -1,65 +0,0 @@
ersion: '3.5'
services:
tubearchivist:
container_name: tubearchivist
restart: unless-stopped
image: bbilly1/tubearchivist
ports:
- 8000:8000
volumes:
- media:/youtube
- cache:/cache
environment:
- ES_URL=http://archivist-es:9200 # needs protocol e.g. http and port
- REDIS_HOST=archivist-redis # don't add protocol
- HOST_UID=1000
- HOST_GID=1000
- TA_HOST=tubearchivist.local # set your host name
- TA_USERNAME=tubearchivist # your initial TA credentials
- TA_PASSWORD=verysecret # your initial TA credentials
- ELASTIC_PASSWORD={{ tube_archivist_elasticsearch_password }}
- TZ=Europe/Berlin # set your time zone
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
interval: 2m
timeout: 10s
retries: 3
start_period: 30s
depends_on:
- archivist-es
- archivist-redis
archivist-redis:
image: redis/redis-stack-server
container_name: archivist-redis
restart: unless-stopped
expose:
- "6379"
volumes:
- redis:/data
depends_on:
- archivist-es
archivist-es:
image: bbilly1/tubearchivist-es # only for amd64, or use official es 8.14.3
container_name: archivist-es
restart: unless-stopped
environment:
- "ELASTIC_PASSWORD={{ tube_archivist_elasticsearch_password }}"
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- "xpack.security.enabled=true"
- "discovery.type=single-node"
- "path.repo=/usr/share/elasticsearch/data/snapshot"
ulimits:
memlock:
soft: -1
hard: -1
volumes:
- es:/usr/share/elasticsearch/data # check for permission error when using bind mount, see readme
expose:
- "9200"
volumes:
media:
cache:
redis:
es:
roles/filebeat/handlers/main.yml
-4
View File
@@ -1,4 +0,0 @@
- name: restart filebeat
systemd:
name: filebeat
state: restarted
roles/filebeat/tasks/main.yaml
-40
View File
@@ -1,40 +0,0 @@
---
- name: Add Elastic GPG key
ansible.builtin.apt_key:
url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
state: present
- name: Ensure apt-transport-https is installed
ansible.builtin.apt:
name: apt-transport-https
state: present
update_cache: yes
- name: Add Elastic repository (OSS package)
ansible.builtin.copy:
dest: /etc/apt/sources.list.d/elastic-8.x.list
content: "deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main\n"
owner: root
group: root
mode: '0644'
- name: Update apt cache
ansible.builtin.apt:
update_cache: yes
- name: Install Filebeat
ansible.builtin.apt:
name: filebeat
state: present
- name: Enable Filebeat to start on boot
ansible.builtin.systemd:
name: filebeat
enabled: yes
- name: copy filebeat config
template:
src: filebeat.yml
dest: /etc/filebeat/filebeat.yml
notify:
- restart filebeat
roles/filebeat/templates/filebeat.yml
-50
View File
@@ -1,50 +0,0 @@
logging.level: error
filebeat.inputs:
- type: filestream
id: kube1-var-log
enabled: true
paths:
- /var/log/syslog
fields:
syslog: true
processors:
- syslog:
field: message
- type: log
paths:
- "/var/lib/docker/containers/*/*.log"
json.keys_under_root: true
json.add_error_key: true
json.overwrite_keys: true
fields:
container_logs: true
processors:
- dissect:
tokenizer: '{"test": %{json_data}}'
field: message
target_prefix: ""
ignore_failure: true
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
setup.kibana:
output.logstash:
hosts: ["192.168.122.1:5044"]
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
- drop_fields:
fields: ["host.ip", "host.mac"]
- add_docker_metadata:
host: "unix:///var/run/docker.sock"
roles/global-handlers/handlers/main.yml
-15
View File
@@ -30,11 +30,6 @@
name: dovecot
state: restarted
- name: reload nginx
systemd:
name: nginx
state: reloaded
- name: restart nginx
systemd:
name: nginx
@@ -50,21 +45,11 @@
name: opendkim
state: restarted
- name: restart docker
systemd:
name: docker
state: restarted
- name: restart slapd
systemd:
name: slapd-custom
state: restarted
- name: restart php-fpm
systemd:
name: php8.2-fpm
state: restarted
- name: daemon reload
systemd:
daemon-reload: yes
roles/harbor-registry/files/harbor-oidc.json
+1 -1
View File
@@ -5,7 +5,7 @@
"oidc_groups_claim": "groups",
"oidc_admin_group": "pki",
"oidc_client_id": "z_harbor",
"oidc_client_secret": "{{ keycloak_clients['harbor']['client_secret'] }}",
"oidc_client_secret": "TODO MUST BE SET",
"oidc_scope": "openid,email,profile",
"oidc_verify_cert": "true",
"oidc_auto_onboard": "true",
roles/kubernetes-base/files/calico.yaml
-522
View File
@@ -1,522 +0,0 @@
# Calico Version v3.3.7
# https://docs.projectcalico.org/v3.3/releases#v3.3.7
# This manifest includes the following component versions:
# calico/node:v3.3.7
# calico/cni:v3.3.7
# This ConfigMap is used to configure a self-hosted Calico installation.
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-config
namespace: kube-system
data:
# To enable Typha, set this to "calico-typha" *and* set a non-zero value for Typha replicas
# below. We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is
# essential.
typha_service_name: "none"
# Configure the Calico backend to use.
calico_backend: "bird"
# Configure the MTU to use
veth_mtu: "1440"
# The CNI network configuration to install on each node. The special
# values in this config will be automatically populated.
cni_network_config: |-
{
"name": "k8s-pod-network",
"cniVersion": "0.3.0",
"plugins": [
{
"type": "calico",
"log_level": "info",
"datastore_type": "kubernetes",
"nodename": "__KUBERNETES_NODE_NAME__",
"mtu": __CNI_MTU__,
"ipam": {
"type": "host-local",
"subnet": "usePodCidr"
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
},
{
"type": "portmap",
"snat": true,
"capabilities": {"portMappings": true}
}
]
}
---
# This manifest creates a Service, which will be backed by Calico's Typha daemon.
# Typha sits in between Felix and the API server, reducing Calico's load on the API server.
apiVersion: v1
kind: Service
metadata:
name: calico-typha
namespace: kube-system
labels:
k8s-app: calico-typha
spec:
ports:
- port: 5473
protocol: TCP
targetPort: calico-typha
name: calico-typha
selector:
k8s-app: calico-typha
---
# This manifest creates a Deployment of Typha to back the above service.
apiVersion: apps/v1
kind: Deployment
metadata:
name: calico-typha
namespace: kube-system
labels:
k8s-app: calico-typha
spec:
# Number of Typha replicas. To enable Typha, set this to a non-zero value *and* set the
# typha_service_name variable in the calico-config ConfigMap above.
#
# We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is essential
# (when using the Kubernetes datastore). Use one replica for every 100-200 nodes. In
# production, we recommend running at least 3 replicas to reduce the impact of rolling upgrade.
replicas: 0
revisionHistoryLimit: 2
template:
metadata:
labels:
k8s-app: calico-typha
annotations:
# This, along with the CriticalAddonsOnly toleration below, marks the pod as a critical
# add-on, ensuring it gets priority scheduling and that its resources are reserved
# if it ever gets evicted.
scheduler.alpha.kubernetes.io/critical-pod: ''
cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
spec:
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
tolerations:
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
# Since Calico can't network a pod until Typha is up, we need to run Typha itself
# as a host-networked pod.
serviceAccountName: calico-node
containers:
- image: calico/typha:v3.3.7
name: calico-typha
ports:
- containerPort: 5473
name: calico-typha
protocol: TCP
env:
# Enable "info" logging by default. Can be set to "debug" to increase verbosity.
- name: TYPHA_LOGSEVERITYSCREEN
value: "info"
# Disable logging to file and syslog since those don't make sense in Kubernetes.
- name: TYPHA_LOGFILEPATH
value: "none"
- name: TYPHA_LOGSEVERITYSYS
value: "none"
# Monitor the Kubernetes API to find the number of running instances and rebalance
# connections.
- name: TYPHA_CONNECTIONREBALANCINGMODE
value: "kubernetes"
- name: TYPHA_DATASTORETYPE
value: "kubernetes"
- name: TYPHA_HEALTHENABLED
value: "true"
# Uncomment these lines to enable prometheus metrics. Since Typha is host-networked,
# this opens a port on the host, which may need to be secured.
#- name: TYPHA_PROMETHEUSMETRICSENABLED
# value: "true"
#- name: TYPHA_PROMETHEUSMETRICSPORT
# value: "9093"
livenessProbe:
exec:
command:
- calico-typha
- check
- liveness
periodSeconds: 30
initialDelaySeconds: 30
readinessProbe:
exec:
command:
- calico-typha
- check
- readiness
periodSeconds: 10
---
# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: calico-typha
namespace: kube-system
labels:
k8s-app: calico-typha
spec:
maxUnavailable: 1
selector:
matchLabels:
k8s-app: calico-typha
---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1
metadata:
name: calico-node
namespace: kube-system
labels:
k8s-app: calico-node
spec:
selector:
matchLabels:
k8s-app: calico-node
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
k8s-app: calico-node
annotations:
# This, along with the CriticalAddonsOnly toleration below,
# marks the pod as a critical add-on, ensuring it gets
# priority scheduling and that its resources are reserved
# if it ever gets evicted.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
tolerations:
# Make sure calico-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
serviceAccountName: calico-node
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
containers:
# Runs calico/node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
image: calico/node:v3.3.7
env:
# Use Kubernetes API as the backing datastore.
- name: DATASTORE_TYPE
value: "kubernetes"
# Typha support: controlled by the ConfigMap.
- name: FELIX_TYPHAK8SSERVICENAME
valueFrom:
configMapKeyRef:
name: calico-config
key: typha_service_name
# Wait for the datastore.
- name: WAIT_FOR_DATASTORE
value: "true"
# Set based on the k8s node name.
- name: NODENAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Choose the backend to use.
- name: CALICO_NETWORKING_BACKEND
valueFrom:
configMapKeyRef:
name: calico-config
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "k8s,bgp"
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
# Enable IPIP
- name: CALICO_IPV4POOL_IPIP
value: "Always"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
# chosen from this range. Changing this value after installation will have
# no effect. This should fall within `--cluster-cidr`.
- name: CALICO_IPV4POOL_CIDR
value: "10.10.0.0/18"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
# Set Felix logging to "info"
- name: FELIX_LOGSEVERITYSCREEN
value: "info"
- name: FELIX_HEALTHENABLED
value: "true"
securityContext:
privileged: true
resources:
requests:
cpu: 250m
livenessProbe:
httpGet:
path: /liveness
port: 9099
host: localhost
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
readinessProbe:
exec:
command:
- /bin/calico-node
- -bird-ready
- -felix-ready
periodSeconds: 10
volumeMounts:
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: calico/cni:v3.3.7
command: ["/install-cni.sh"]
env:
# Name of the CNI config file to create.
- name: CNI_CONF_NAME
value: "10-calico.conflist"
# Set the hostname based on the k8s node name.
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: calico-config
key: cni_network_config
# CNI MTU Config variable
- name: CNI_MTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
volumes:
# Used by calico/node.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run-calico
hostPath:
path: /var/run/calico
- name: var-lib-calico
hostPath:
path: /var/lib/calico
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-node
namespace: kube-system
---
# Create all the CustomResourceDefinitions needed for
# Calico policy and networking mode.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: felixconfigurations.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: FelixConfiguration
plural: felixconfigurations
singular: felixconfiguration
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: bgppeers.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: BGPPeer
plural: bgppeers
singular: bgppeer
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: bgpconfigurations.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: BGPConfiguration
plural: bgpconfigurations
singular: bgpconfiguration
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: ippools.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: IPPool
plural: ippools
singular: ippool
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: hostendpoints.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: HostEndpoint
plural: hostendpoints
singular: hostendpoint
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterinformations.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: ClusterInformation
plural: clusterinformations
singular: clusterinformation
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: globalnetworkpolicies.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: GlobalNetworkPolicy
plural: globalnetworkpolicies
singular: globalnetworkpolicy
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: globalnetworksets.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: GlobalNetworkSet
plural: globalnetworksets
singular: globalnetworkset
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkpolicies.crd.projectcalico.org
spec:
scope: Namespaced
group: crd.projectcalico.org
version: v1
names:
kind: NetworkPolicy
plural: networkpolicies
singular: networkpolicy
roles/kubernetes-base/files/containerd.toml
-19
View File
@@ -1,19 +0,0 @@
disabled_plugins = []
#root = "/var/lib/containerd"
#state = "/run/containerd"
#subreaper = true
#oom_score = 0
#[grpc]
# address = "/run/containerd/containerd.sock"
# uid = 0
# gid = 0
#[debug]
# address = "/run/containerd/debug.sock"
# uid = 0
# gid = 0
# level = "info"
[plugins."io.containerd.grpc.v1.cri"]
systemd_cgroup = true
roles/kubernetes-base/files/dashboard-adminuser.yaml
-17
View File
@@ -1,17 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
roles/kubernetes-base/files/rbac-kdd.yaml
-92
View File
@@ -1,92 +0,0 @@
# Calico Version v3.3.7
# https://docs.projectcalico.org/v3.3/releases#v3.3.7
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-node
rules:
- apiGroups: [""]
resources:
- namespaces
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- pods/status
verbs:
- patch
- apiGroups: [""]
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- services
verbs:
- get
- apiGroups: [""]
resources:
- endpoints
verbs:
- get
- apiGroups: [""]
resources:
- nodes
verbs:
- get
- list
- update
- watch
- apiGroups: ["extensions"]
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- watch
- list
- apiGroups: ["crd.projectcalico.org"]
resources:
- globalfelixconfigs
- felixconfigurations
- bgppeers
- globalbgpconfigs
- bgpconfigurations
- ippools
- globalnetworkpolicies
- globalnetworksets
- networkpolicies
- clusterinformations
- hostendpoints
verbs:
- create
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-node
subjects:
- kind: ServiceAccount
name: calico-node
namespace: kube-system
roles/kubernetes-base/tasks/cluster_setup.yaml
-155
View File
@@ -1,155 +0,0 @@
- name: include services ports
include_vars: kubernetes.yaml
- name: Configure K8S Master Block
block:
- name: Initialise the Kubernetes cluster using kubeadm
become: true
command: kubeadm init --apiserver-advertise-address={{ ansible_default_ipv4.address }} --pod-network-cidr={{ k8s_pod_network }}
args:
creates: "{{ k8s_admin_config }}"
- name: Wait for apiserver to become ready
wait_for:
port: 6443
sleep: 10
- name: Setup kubeconfig for {{ k8s_user }} user
file:
path: "{{ k8s_user_home }}/.kube"
state: directory
owner: "{{ k8s_user }}"
group: "{{ k8s_user }}"
mode: "0750"
- name: Copy {{ k8s_admin_config }}
become: true
copy:
src: "{{ k8s_admin_config }}"
dest: "{{ k8s_user_home }}/.kube/config"
owner: "{{ k8s_user }}"
group: "{{ k8s_user }}"
mode: "0640"
remote_src: yes
# - name: Copy {{ calico_rbac_config }}
# copy:
# src: "{{ calico_rbac_config }}"
# dest: "{{ k8s_user_home }}/{{ calico_rbac_config }}"
# owner: "{{ k8s_user }}"
# group: "{{ k8s_user }}"
# mode: "0640"
#
# - name: Copy {{ calico_net_url }}
# copy:
# src: "{{ calico_net_config }}"
# dest: "{{ k8s_user_home }}/{{ calico_net_config }}"
# owner: "{{ k8s_user }}"
# group: "{{ k8s_user }}"
# mode: "0640"
#
# - name: Set CALICO_IPV4POOL_CIDR to {{ k8s_pod_network }}
# replace:
# path: "{{ k8s_user_home }}/{{ calico_net_config }}"
# regexp: "192.168.0.0/16"
# replace: "{{ k8s_pod_network }}"
- name: Download Dashboard
get_url:
url: "{{ dashboard_url }}"
dest: "{{ k8s_user_home }}/{{ dashboard_config }}"
owner: "{{ k8s_user }}"
group: "{{ k8s_user }}"
mode: "0640"
# - name: Install calico pod network {{ calico_rbac_config }}
# remote_user: false
# remote_user: "{{ k8s_user }}"
# command: kubectl apply -f "{{ k8s_user_home }}/{{ calico_rbac_config }}"
#
# - name: Install calico pod network {{ calico_net_config }}
# become: false
# remote_user: "{{ k8s_user }}"
# command: kubectl apply -f "{{ k8s_user_home }}/{{ calico_net_config }}"
- name: Install K8S dashboard {{ dashboard_config }}
become: false
remote_user: "{{ k8s_user }}"
command: kubectl apply -f "{{ k8s_user_home }}/{{ dashboard_config }}"
- name: Create service account
become: false
remote_user: "{{ k8s_user }}"
command: kubectl create serviceaccount dashboard -n default
ignore_errors: yes
- name: Create cluster role binding dashboard-admin
remote_user: "{{ k8s_user }}"
become: false
command: kubectl create clusterrolebinding dashboard-admin -n default --clusterrole=cluster-admin --serviceaccount=default:dashboard
ignore_errors: yes
- name: Create {{ k8s_dashboard_adminuser_config }} for service account
copy:
src: "files/{{ k8s_dashboard_adminuser_config }}"
dest: "{{ k8s_user_home }}/{{ k8s_dashboard_adminuser_config }}"
owner: "{{ k8s_user }}"
group: "{{ k8s_user }}"
mode: "0640"
- name: Create service account
become: false
remote_user: "{{ k8s_user }}"
command: kubectl apply -f "{{ k8s_user_home }}/{{ k8s_dashboard_adminuser_config }}"
ignore_errors: yes
- name: Create cluster role binding cluster-system-anonymous
become: false
remote_user: "{{ k8s_user }}"
command: kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
ignore_errors: yes
- name: Test K8S dashboard and wait for HTTP 200
uri:
url: "{{ k8s_dashboard_url }}"
status_code: 200
validate_certs: no
ignore_errors: yes
register: result_k8s_dashboard_page
retries: 10
delay: 6
until: result_k8s_dashboard_page is succeeded
- name: K8S dashboard URL
debug:
var: k8s_dashboard_url
- name: Generate join command
command: kubeadm token create --print-join-command
register: join_command
- name: Copy join command to local file
become: false
remote_user: "{{ k8s_user }}"
copy:
content: "{{ join_command.stdout_lines[0] }}"
dest: "{{ k8s_token_file }}"
delegate_to: localhost
when: is_k8s_master is defined and is_k8s_master
- name: Configure K8S Node Block
block:
- name: Copy {{ k8s_token_file }} to server location
copy:
src: "{{ k8s_token_file }}"
dest: "{{ k8s_user_home }}/{{ k8s_token_file }}.sh"
owner: "{{ k8s_user }}"
group: "{{ k8s_user }}"
mode: "0750"
- name: Join the node to cluster unless file {{ k8s_kubelet_config }} exists
become: true
command: sh "{{ k8s_user_home }}/{{ k8s_token_file }}.sh"
args:
creates: "{{ k8s_kubelet_config }}"
when: is_k8s_node is defined and is_k8s_node
roles/kubernetes-base/tasks/main.yaml
-37
View File
@@ -1,37 +0,0 @@
- name: Debian | Configure Sysctl
sysctl:
name: "net.ipv4.ip_forward"
value: "1"
state: present
- name: Fix CRI Plugin containerd config
copy:
src: containerd.toml
dest: /etc/containerd/containerd.toml
mode: 0644
notify: restart docker
- name: Debian | Add GPG Key
apt_key:
url: "https://packages.cloud.google.com/apt/doc/apt-key.gpg"
- name: Debian | Add Kubernetes Repository
apt_repository:
repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
update_cache: yes
- name: Debian | Install Dependencies
apt:
pkg:
- kubernetes-cni
- kubelet
state: present
- name: Debian | Install Kubernetes
apt:
pkg:
- kubeadm
- kubectl
state: present
- include: cluster_setup.yaml
roles/mail/files/dovecot_passwd
+1 -9
View File
@@ -1,9 +1 @@
sheppy:{SHA512-CRYPT}$6$Vrwtoe79Xa4jbghz$QFQI7P/j7k1sFeaQg.KBXjqs3F3S6H0u14kkd8GYrVV1mf2eblYC0rAVcAho.j8Axd1CyDpGQxri3HMC54CAr/:106:113::/var/dovecot/sheppy::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
joerg:{SHA512-CRYPT}$6$x0nQ/K7W2KzI$xjidl.uf7a5uI0DStTGGujUP1XZblKctZLxVtvpIuv9NGuuZ5BnTBUeAWDJkBXkUsskbWuxUgt1RJcEoSuIc./:106:113::/var/dovecot/darknet::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
yannik.schmidt:{SHA512-CRYPT}$6$Vrwtoe79Xa4jbghz$QFQI7P/j7k1sFeaQg.KBXjqs3F3S6H0u14kkd8GYrVV1mf2eblYC0rAVcAho.j8Axd1CyDpGQxri3HMC54CAr/:106:113::/var/dovecot/yannik.schmidt::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
kathi:{SHA512-CRYPT}$6$AiHMofDe6i5huwb7$seYE1LIvoq8zJd1GL0lj3EkPf1BeI156ja/scPCExYJvNNz9y9xZqJ6LlY3DQPHINTU7JuUFgyPAzTPHnCmoE1:106:113::/var/dovecot/kathi::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=100M
check:{SHA512-CRYPT}$6$004oR5.gn4nRsfM0$G8D5ZW7s6OueAwMZgj//jPgNAuXp4N0v6sXmvohSwwZPYUJaSegtf1fhg2V5.mPjjmkww0PV4Ny6/aj9tZLVe1:106:113::/var/dovecot/check::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
ths-nas:{SHA512-CRYPT}$6$UAlpqf8tDKL.IBQj$r9j/xurvOrzmvWDJ.Ain8855HH9.pECQGr9mPuHorGYxrHXDMSPO/8t.HaHGXbq84UqV46qebFQi2v0SX6O8C.:106:113::/var/dovecot/check::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
spamsink:{SHA512-CRYPT}$6$GVfeeL.8ObPDcfN3$.E8MTpHZZUivgwUutq4FHqIH8ra4MZ10/lLx74o4ssGuC/Yrgjbx0vl05aOe5iq6fD9hqu.5bYXWhVt3/O5pU1:106:113::/var/dovecot/spamsink::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
noreply:{SHA512-CRYPT}$6$BexmD9kCiVyjyDEf$XVfJZh3mm5ed6e68feWUBiaFEOBlaq1aYGwZ/rs8bkQpaTlFkouNMB7TkeVwMMsipDQz.DpXziuBls6b0e1wE/:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
alexander.schmidt:{SHA512-CRYPT}$y$j9T$/Vsucd.N.8AJJKGsZ/e./0$N5yBhGq3RAGpy5Lih/Vfx7oRU1sfOJkGHDgZM9udeo6:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
noreply:{SHA512-CRYPT}$6$XXXXXXXXXXXXXXXXXXXuse this: $(mkpasswd -msha512crypt)XXXXX:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
roles/mail/templates/dynamicmaps.cf → roles/mail/files/dynamicmaps.cf
View File
roles/mail/files/enabled_senders
+9
View File
@@ -0,0 +1,9 @@
# Sender adress the user may use :)
sheppy@atlantishq.de sheppy@atlantishq.de
ths-nas@atlantishq.de ths-nas@atlantishq.de
joerg@darknet-fashion.de joerg@darknet-fashion.de
yannik.schmidt@potaris.de yannik.schmidt@potaris.de
noreply@atlantishq.de noreply@atlantishq.de
@darknet-fashion.de joerg
@darknet-fashion.com joerg
@atlantishq.de sheppy
roles/mail/templates/header_checks → roles/mail/files/header_checks
View File
roles/mail/templates/main.cf → roles/mail/files/main.cf
+1 -2
View File
@@ -6,7 +6,6 @@ append_dot_mydomain = no
# delay_warning_time = 10h
queue_directory = /var/spool/postfix
maximal_queue_lifetime = 2d
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
@@ -54,7 +53,7 @@ smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,check_sender_access hash:/etc/postfix/sender_access,permit_sasl_authenticated
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
# USER mappings (not reliant on unix users)
roles/mail/templates/master.cf → roles/mail/files/master.cf
View File
roles/mail/files/nginx.conf
+1 -1
View File
@@ -31,7 +31,7 @@ http {
ssl_certificate /etc/letsencrypt/live/atlantishq.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/atlantishq.de/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
roles/mail/files/relocated
+1
View File
@@ -0,0 +1 @@
test@atlantishq.de sheppy@atlantishq.de
roles/mail/files/scripts/spam_check.sh
-2
View File
@@ -1,2 +0,0 @@
cat "${1}" | sudo -H -u debian-spamd spamassassin --test-mode --local --cf="bayes_auto_learn 0" \
--cf='add_header all Spam-Tokens-Spammy _SPAMMYTOKENS(20,compact)_' --cf='add header all Spam-Tokens-Hammy _HAMMYTOKENS(20,compact)_' | less
roles/mail/files/scripts/spam_learn.sh
-12
View File
@@ -1,12 +0,0 @@
set e
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --spam /var/dovecot/spamsink/Maildir/cur/
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.2024
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.freelancermap
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Trash
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Archives.2024
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Trash
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.Ferchau\ -\ G\&APw-nther\ Anlagen/
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.SINC-AfA/
sudo -u spamd sa-compile
systemctl restart spamassassin.service
mv /var/dovecot/spamsink/Maildir/cur/* /var/dovecot/spamsink/Maildir/.Learned/
roles/mail/templates/sender_blacklist → roles/mail/files/sender_blacklist
-4
View File
@@ -7,9 +7,5 @@ zapingers.autos REJECT
cleverep.com REJECT
.ru REJECT
allsip.ru REJECT
clickup.com REJECT
secureserver.net REJECT
pillenstein.de REJECT
ayoryor.com REJECT
sina.buffy@avantgarde-experts.de OK
.avantgarde-experts.de OK
roles/mail/files/spamassasin/local.cf
-76
View File
@@ -1,76 +0,0 @@
include /usr/share/spamassassin/
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 3
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 2
endif # Mail::SpamAssassin::Plugin::AskDNS
score DKIM_INVALID 5
header LOCAL_FROM_TLD_BASE From =~ /@[a-z0-9\-\.]+\.*/i
describe LOCAL_FROM_TLD_BASE Match any Domain
score LOCAL_FROM_TLD_BASE 2
header LOCAL_FROM_TLD From =~ /@[a-z0-9\-\.]+\.(de|com|org)[>\s]*\z/i
describe LOCAL_FROM_TLD Match standard domains
score LOCAL_FROM_TLD -3
header OBFUSCATED_FROM_TLD From =~ /@[a-z0-9\-\.]+\.(de|com|org)\..+/i
describe OBFUSCATED_FROM_TLD Obfuscation attempt in FROM TLD
score OBFUSCATED_FROM_TLD 5
header MAIL_CHIMP_MARKETING Return-Path =~ /@.*bounce-mc.+/i
describe MAIL_CHIMP_MARKETING Mailchimp Marketing Lists
score MAIL_CHIMP_MARKETING 5
header UTF_BASE64_SUBJECT Subject =~ /.*=\?utf-[0-9]+\?.*/i
describe UTF_BASE64_SUBJECT UTF_X base64 encoded subject
score UTF_BASE64_SUBJECT 1
score HTML_MESSAGE 1
score URIBL_ABUSE_SURBL 5
score HTML_IMAGE_ONLY_24 2
score HTML_IMAGE_ONLY_28 2
score HTML_IMAGE_RATIO_02 2
score BAYES_999 0.8
# Bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0
bayes_file_mode 0660
bayes_path /etc/spamassassin/bayes/bayes
bayes_file_mode 0770
bayes_min_ham_num 40
bayes_min_spam_num 40
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
required_hits 3.1
clear_report_template
report Hello!
report This is the atlantis-mailsystem reporting in. This mail is likely spam. Proceed with maximum caution.
report
report Content analysis details: (_SCORE_ points, _REQD_ required)
report
report " pts rule name description"
report ---- ---------------------- --------------------------------------------------
report _SUMMARY_
roles/mail/templates/tls_policy → roles/mail/files/tls_policy
View File
roles/mail/templates/transport → roles/mail/files/transport
View File
roles/mail/files/virtual
+38
View File
@@ -0,0 +1,38 @@
# you can also so this: test-second-account@atlantishq.de test@atlantishq.de
# which will give all incoming mails of test-second-account to test (sorta obvious)
# IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
# user@atlantishq.de user@esports-erlangen.de
# every user will get emails from both domains
# If a user also wants to _SEND_ mails, he also have to have an
# entry in the /etc/postfix/enabled-senders
# CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
# postmap FILENAME
# CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
# sheppy
insurgency@atlantishq.de sheppy@atlantishq.de
yannik@atlantishq.de sheppy@atlantishq.de
tac@atlantishq.de sheppy@atlantishq.de
uplay@atlantishq.de sheppy@atlantishq.de
#yannik.schmidt@potaris.de sheppy@atlantishq.de
acc@atlantishq.de sheppy@atlantishq.de
mail@potaris.de yannik.schmidt@potaris.de
sector32@potaris.de yannik.schmidt@potaris.de
root@atlantishq.de sheppy@atlantishq.de
trackmania-2@atlantishq.de sheppy@atlantishq.de
maria@atlantishq.de mondauge@icloud.com
steam-potaris-1@atlantishq.de sheppy@atlantishq.de
steam-potaris-2@atlantishq.de sheppy@atlantishq.de
steam-potaris-3@atlantishq.de sheppy@atlantishq.de
# michy
ipatix@atlantishq.de michael.panzlaff@fau.de
# catchall
#@atlantishq.de root@atlantishq.de
#@esports-erlangen.de root@atlantishq.de
@darknet-fashion.com joerg@darknet-fashion.de
@darknet-fashion.de joerg@darknet-fashion.de
roles/mail/handlers/main.yml
-11
View File
@@ -1,11 +0,0 @@
- name: postmap all
shell:
cmd: "/usr/sbin/postmap {{ item }}"
chdir: "/etc/postfix/"
with_items:
- sender_access
- enabled_senders
- sender_blacklist
- tls_policy
- transport
- virtual
roles/mail/tasks/main.yaml
+3 -17
View File
@@ -12,7 +12,7 @@
state: present
- name: Deploy Postfix config
template:
copy:
src: "{{ item }}"
dest: "/etc/postfix/{{ item }}"
with_items:
@@ -20,15 +20,13 @@
- enabled_senders
- main.cf
- master.cf
- relocated
- sender_blacklist
- tls_policy
- transport
- virtual
- header_checks
- sender_access
notify:
- postmap all
- restart postfix
notify: restart postfix
- name: Deploy dmark/opendkim config (main)
copy:
@@ -88,15 +86,3 @@
owner: dovecot
group: dovecot
notify: restart dovecot
- name: Deploy spam learning script
template:
src: spam.sh
dest: /root/spam.sh
- name: Add cronjob for reloading certs and config every night
cron:
minute: "0"
hour: "1"
name: reload_postfix_dovecot
job: /usr/bin/systemctl reload postfix.service dovecot.service
roles/mail/templates/enabled_senders
-6
View File
@@ -1,6 +0,0 @@
# Sender adress the user may use :)
{% for key, value in mail_enabled_senders.items() %}
{{ key }} {{ value }}
{% endfor %}
@atlantishq.de sheppy
roles/mail/templates/relocated
-1
View File
@@ -1 +0,0 @@
test@atlantishq.de HISTORY_PURGED_SECRET
roles/mail/templates/sender_access
-1
View File
@@ -1 +0,0 @@
rejected-send@atlantishq.de REJECT
roles/mail/templates/spam.sh
-16
View File
@@ -1,16 +0,0 @@
#!/bin/bash
set e
sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --spam /var/dovecot/spamsink/Maildir/cur/
#sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.2024
#sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Archives.freelancermap
#sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.Trash
#sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Archives.2024
#sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/sheppy/Maildir/.Trash
#sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.Ferchau\ -\ G\&APw-nther\ Anlagen/
#sa-learn --progress -p /etc/spamassassin/local.cf --no-sync --ham /var/dovecot/yannik.schmidt/Maildir/.INBOX.Job2024.SINC-AfA/
chmod a+r -R /etc/spamassassin/bayes/bayes_journal
sudo -u spamd sa-compile
chmod a+r -R /etc/spamassassin/bayes/bayes_journal
systemctl restart spamd.service
mv /var/dovecot/spamsink/Maildir/cur/* /var/dovecot/spamsink/Maildir/.Learned/
roles/mail/templates/virtual
-17
View File
@@ -1,17 +0,0 @@
# you can also so this: test-second-account@atlantishq.de test@atlantishq.de
# which will give all incoming mails of test-second-account to test (sorta obvious)
# IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
# user@atlantishq.de user@esports-erlangen.de
# every user will get emails from both domains
# If a user also wants to _SEND_ mails, he also have to have an
# entry in the /etc/postfix/enabled-senders
# CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
# postmap FILENAME
# CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
{% for ingress_mail, target in mail_virtual_transport.items() %}
{{ ingress_mail }} {{ target }}
{% endfor %}
roles/media/files/htpasswd
+2
View File
@@ -0,0 +1,2 @@
kathi:$y$j9T$llGL4Qoz3NYzphDi4UcK41$O2DR8i5YMS6iiKohETw58Wt5m55F/H/MIHgH3qxAdz9
sheppy:$y$j9T$nh0aLCxl0aZ9hczSkAUxP1$zEA6PI7Kwv.lfcfJJn91hQ4A4wCjQrGyZ0w47IeyYg8
roles/docker-deployments/files/media.conf → roles/media/files/nginx_media.conf
+2 -2
View File
@@ -9,7 +9,7 @@ server {
autoindex on;
autoindex_localtime on;
listen 5052;
listen 8000;
root /var/www/media;
add_header Vary Accept-Encoding;
@@ -23,6 +23,6 @@ server {
location /auth/{
auth_basic $basic_auth_val;
auth_basic_user_file /etc/nginx/htpasswd_1;
auth_basic_user_file /etc/nginx/htpasswd;
}
}

Some files were not shown because too many files have changed in this diff Show More