fkf9
/
ungleich-k8s
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Add working knot variant + various other stuff

master
Nico Schottelius 12 months ago
parent
7d93506bd9
commit
f22fb0080c
18 changed files with 782 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      apps/bind9/.helmignore
  2. 24
      apps/bind9/Chart.yaml
  3. 113
      apps/bind9/templates/deployment.yaml
  4. 1
      apps/bind9/values.yaml
  5. 23
      apps/ejabberd/.helmignore
  6. 15
      apps/ejabberd/Chart.yaml
  7. 1
      apps/ejabberd/README.md
  8. 367
      apps/ejabberd/templates/deployment.yaml
  9. 13
      apps/ejabberd/templates/tests/test-connection.yaml
  10. 32
      apps/ejabberd/values.yaml
  11. 24
      apps/knotdns/.helmignore
  12. 24
      apps/knotdns/Chart.yaml
  13. 79
      apps/knotdns/templates/deployment.yaml
  14. 1
      apps/knotdns/values.yaml
  15. 23
      apps/knotdns/zones/place7.ungleich.ch
  16. 15
      apps/matrix/README.md
  17. 1
      apps/matrix/templates/deployment.yaml
  18. 3
      apps/matrix/values.yaml

24
apps/bind9/.helmignore
Unescape View File

@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
.#*

24
apps/bind9/Chart.yaml
Unescape View File

@ -0,0 +1,24 @@
apiVersion: v2
name: bind9
description: bind DNS server
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "9"

113
apps/bind9/templates/deployment.yaml
Unescape View File

@ -0,0 +1,113 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-bind9
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-bind9
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-bind9
use-as-service: {{ .Release.Name }}
spec:
initContainers:
containers:
- name: bind9
image: resystit/bind9:latest
ports:
- containerPort: 53
volumeMounts:
- name: bind9config
mountPath: "/etc/bind"
volumes:
- name: bind9config
persistentVolumeClaim:
claimName: {{ .Release.Name }}-bind9config
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 53
name: dns-tcp
- protocol: UDP
port: 53
name: dns-udp
selector:
use-as-service: {{ .Release.Name }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-bind9config
data:
{{ tpl (.Files.Glob "bind9/*").AsConfig . | indent 2 }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Mi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-data
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Mi
storageClassName: rook-cephfs
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ tpl .Values.identifier . }}-getcert
spec:
template:
metadata:
labels:
app: certbot-letsencrypt-getcert
use-as-service: {{ .Release.Name }}
spec:
restartPolicy: Never
containers:
- name: certbot
image: ungleich/ungleich-certbot
ports:
- containerPort: 80
env:
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
backoffLimit: 3

1
apps/bind9/values.yaml
Unescape View File

@ -0,0 +1 @@
identifier: "{{ .Release.Name }}"

23
apps/ejabberd/.helmignore
Unescape View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

15
apps/ejabberd/Chart.yaml
Unescape View File

@ -0,0 +1,15 @@
apiVersion: v2
name: ungleich-ejabberd
description: ungleich managed xmpp/ejabber
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "any"

1
apps/ejabberd/README.md
Unescape View File

@ -0,0 +1 @@
## Jabber

367
apps/ejabberd/templates/deployment.yaml
Unescape View File

@ -0,0 +1,367 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-jabber
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-jabber
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-jabber
use-as-service: {{ .Release.Name }}
spec:
initContainers:
- name: generate-jabber-signing-key
image: ungleich/ungleich-jabber-synapse:{{ .Values.synapseVersion }}
imagePullPolicy: Always
command:
- "python"
- "-m"
- "synapse.app.homeserver"
- "--config-path"
- "/baseconfig"
- "--keys-directory"
- "/data"
- "--generate-keys"
volumeMounts:
- name: data
mountPath: "/data"
- name: jabber-config
mountPath: "/baseconfig"
containers:
- name: certbot
image: ungleich/ungleich-certbot
imagePullPolicy: Always
ports:
- containerPort: 80
env:
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
# This container will only start *after* the cert has been placed
- name: debug
image: alpine:latest
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: data
mountPath: "/data"
- name: jabber-config
mountPath: "/baseconfig"
- name: postgres-vars
mountPath: "/postgres"
args:
- sleep
- "1000000"
- name: nginx
image: nginx:1.21-alpine
ports:
- containerPort: 443
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: postgres
image: postgres:13
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: {{ tpl .Values.identifier . }}-postgres-config
volumeMounts:
- name: postgres-data
mountPath: "/var/lib/postgresql/data"
# Use subpath to avoid lost+found error
subPath: postgres
- name: jabber
# SYNAPSE_CONFIG_DIR: where additional configs are placed -> postgres-db.yaml
# SYNAPSE_CONFIG_PATH: the initial config
# log.yaml -> same dir as postgres-db.yaml
# /data = persistent storage
image: ungleich/ungleich-jabber-synapse:{{ .Values.synapseVersion }}
imagePullPolicy: Always
ports:
- containerPort: 8008
env:
- name: SYNAPSE_CONFIG_PATH
value: "/baseconfig/homeserver.yaml"
- name: SYNAPSE_CONFIG_DIR
value: "/config"
volumeMounts:
- name: data
mountPath: "/data"
- name: jabber-config
mountPath: "/baseconfig"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
- name: data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-data
- name: postgres-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data
- name: postgres-vars
secret:
secretName: {{ tpl .Values.identifier . }}-postgres-config
- name: nginx-config
configMap:
name: {{ tpl .Values.identifier . }}-nginx-config
- name: jabber-config
configMap:
name: {{ tpl .Values.identifier . }}-jabber-config
items:
- key: homeserver.yaml
path: homeserver.yaml
- key: log.yaml
path: log.yaml
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
# Required for letsencrypt
- port: 80
name: http
- port: 443
name: https
selector:
use-as-service: {{ .Release.Name }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}-web
labels:
app: {{ tpl .Values.identifier . }}-web
spec:
type: ClusterIP
ports:
# Required for letsencrypt
- port: 80
name: http
- port: 443
name: https
selector:
use-as-service: {{ .Release.Name }}-web
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Mi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-data
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-postgres-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Mi
storageClassName: rook-ceph-block
---
# apiVersion: batch/v1
# kind: Job
# metadata:
# name: {{ tpl .Values.identifier . }}-getcert
# spec:
# template:
# metadata:
# labels:
# app: certbot-letsencrypt-getcert
# use-as-service: {{ .Release.Name }}
# spec:
# restartPolicy: Never
# containers:
# - name: certbot
# image: ungleich/ungleich-certbot
# ports:
# - containerPort: 80
# env:
# - name: DOMAIN
# value: "{{ tpl .Values.fqdn . }}"
# - name: EMAIL
# value: "{{ .Values.email }}"
# {{ if eq .Values.letsencryptStaging "no" }}
# - name: STAGING
# value: "no"
# {{ end }}
# volumeMounts:
# - name: etcletsencrypt
# mountPath: "/etc/letsencrypt"
# volumes:
# - name: etcletsencrypt
# persistentVolumeClaim:
# claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
# backoffLimit: 3
#---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-nginx-config
data:
default.conf: |
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ tpl .Values.fqdn . }};
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
client_max_body_size {{ .Values.max_filesize_in_mb }}m;
location ~ /_jabber|/_synapse {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8008;
}
}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ tpl .Values.identifier . }}-postgres-config
annotations:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
stringData:
POSTGRES_USER: "jabber-synapse"
POSTGRES_DB: "jabber-synapse"
POSTGRES_HOST: "localhost"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-jabber-config
data:
homeserver.yaml: |
server_name: "{{ .Values.server_name }}"
web_client_location: "{{ .Values.web_client_location }}"
public_baseurl: "{{ tpl .Values.fqdn . }}"
allow_public_rooms_without_auth: true
allow_public_rooms_over_federation: false
pid_file: "/var/run/jabber/homeserver.pid"
report_stats: false
signing_key_path: "/data/signin.key"
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses:
- '::1'
- '127.0.0.1'
resources:
- names: [federation,client]
compress: false
- port: 9093
bind_addresses:
- '::1'
- '127.0.0.1'
type: http
resources:
- names: [replication]
database:
name: "psycopg2"
args:
database: "jabber-synapse"
host: "localhost"
user: "jabber-synapse"
password: ""
cp_min: 10
cp_min: 5
log_config: "/baseconfig/log.yaml"
enable_media_repo: true
media_store_path: "/data/media"
max_upload_size: "{{ .Values.max_filesize_in_mb }}M"
enable_registration: {{ .Values.enable_registration }}
log.yaml: |
version: 1
formatters:
fmt:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.logging.context.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: fmt
filters: [context]
root:
level: INFO
handlers: [console] # to use file handler instead, switch to [file]
loggers:
synapse:
level: INFO
synapse.storage.SQL:
level: INFO
# example of enabling debugging for a component:
#
# synapse.federation.transport.server:
# level: DEBUG

13
apps/ejabberd/templates/tests/test-connection.yaml
Unescape View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ tpl .Values.identifier . }}-test-connection"
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['https://{{ tpl .Values.fqdn . }}']
restartPolicy: Never

32
apps/ejabberd/values.yaml
Unescape View File

@ -0,0 +1,32 @@
clusterDomain: c2.k8s.ooo
email: technik@ungleich.ch
letsencryptStaging: "yes"
# This is how the service and the data volumes are named - i.e. the
# persistent thing
identifier: "{{ .Release.Name }}"
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
# This needs delegation / configuration on fn.nf
server_name: "fn.nf"
# Full URL -- for later, when external domains are supported
# web_client_location: "https://TBD"
enable_registration: false
# Maximum size of one particular file
max_filesize_in_mb: 100
elementVersion: "1.7.32"
#synapseVersion: "1.38.0"
synapseVersion: "latest"
#synapse_config:
# ---
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: {{ tpl .Values.identifier . }}-matrixconfig
# data:
# {{ tpl (.Files.Glob "matrix/*").AsConfig . | indent 2 }}

24
apps/knotdns/.helmignore
Unescape View File

@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
.#*

24
apps/knotdns/Chart.yaml
Unescape View File

@ -0,0 +1,24 @@
apiVersion: v2
name: knotdns
description: DNS Auth
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "any"

79
apps/knotdns/templates/deployment.yaml
Unescape View File

@ -0,0 +1,79 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-knot
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-knot
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-knot
use-as-service: {{ .Release.Name }}
spec:
initContainers:
containers:
- name: knot
image: cznic/knot:3.0
ports:
- containerPort: 53
volumeMounts:
- name: config
mountPath: "/config"
- name: zones
mountPath: "/zones"
args:
- knotd
volumes:
- name: config
configMap:
name: {{ tpl .Values.identifier . }}-config
- name: zones
configMap:
name: {{ tpl .Values.identifier . }}-zones
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
- port: 53
protocol: TCP
name: tcp-53
- port: 53
protocol: UDP
name: udp-53
selector:
use-as-service: {{ .Release.Name }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-zones
data:
{{ tpl (.Files.Glob "zones/*").AsConfig . | indent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-config
data:
knot.conf: |
server:
listen: 0.0.0.0@53
listen: ::@53
log:
- target: stdout
zone:
- domain: place7.ungleich.ch
file: /zones/place7.ungleich.ch

1
apps/knotdns/values.yaml
Unescape View File

@ -0,0 +1 @@
identifier: "{{ .Release.Name }}"

23
apps/knotdns/zones/place7.ungleich.ch
Unescape View File

@ -0,0 +1,23 @@
$TTL 60
@ IN SOA dns3.ungleich.ch. root.ungleich.ch. (
2021021800 ; serial number of this zone file
1d ; slave refresh (1 day)
2h ; slave retry time in case of a problem (2 hours)
4w ; slave expiration time (4 weeks)
1w ; maximum caching time in case of failed lookups (1 hour)
)
NS dns1.ungleich.ch.
NS dns2.ungleich.ch.
NS dns3.ungleich.ch.
MX 10 smtp.ungleich.ch.
MX 20 mx-backup.ungleich.ch.
; red AAAA 2a0a:e5c1:111:111::42
red AAAA 2a0a:e5c0:13::42
router1 AAAA 2a0a:e5c0:13::42
router2 AAAA 2a0a:e5c0:13:0:20d:b9ff:fe46:3bd4

15
apps/matrix/README.md
Unescape View File

@ -1,6 +1,21 @@
## Missing
- db secret generation (sops?)
- done via mittwald
- SMTP settings / secrets (ungleich mail + sops?)
- Exposing sizes in value.yaml (db, gitea)
- Maybe reducing to 1 PVC?
## TODOs
- Maybe move postgres into own service -> stays running by default
## Reset
What I want:
- Easy access to latest matrix version
- Based on the official container makes sense
- Being able to inject postgres secret
- Postgres not restarting if synapse is getting updated
- 2nd service could nicely solve that

1
apps/matrix/templates/deployment.yaml
Unescape View File

@ -94,6 +94,7 @@ spec:
# log.yaml -> same dir as postgres-db.yaml
# /data = persistent storage
image: ungleich/ungleich-matrix-synapse:{{ .Values.synapseVersion }}
imagePullPolicy: Always
ports:
- containerPort: 8008
env:

3
apps/matrix/values.yaml
Unescape View File

@ -19,7 +19,8 @@ enable_registration: false
max_filesize_in_mb: 100
elementVersion: "1.7.32"
synapseVersion: "1.38.0"
#synapseVersion: "1.38.0"
synapseVersion: "latest"
#synapse_config:
# ---

Write Preview
Loading…
Cancel
Save