Add working knot variant + various other stuff

This commit is contained in:
Nico Schottelius 2021-07-18 00:16:35 +02:00
parent 7d93506bd9
commit f22fb0080c
18 changed files with 782 additions and 1 deletions

24
apps/bind9/.helmignore Normal file
View File

@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
.#*

24
apps/bind9/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
name: bind9
description: bind DNS server
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "9"

View File

@ -0,0 +1,113 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-bind9
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-bind9
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-bind9
use-as-service: {{ .Release.Name }}
spec:
initContainers:
containers:
- name: bind9
image: resystit/bind9:latest
ports:
- containerPort: 53
volumeMounts:
- name: bind9config
mountPath: "/etc/bind"
volumes:
- name: bind9config
persistentVolumeClaim:
claimName: {{ .Release.Name }}-bind9config
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 53
name: dns-tcp
- protocol: UDP
port: 53
name: dns-udp
selector:
use-as-service: {{ .Release.Name }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-bind9config
data:
{{ tpl (.Files.Glob "bind9/*").AsConfig . | indent 2 }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Mi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-data
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Mi
storageClassName: rook-cephfs
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ tpl .Values.identifier . }}-getcert
spec:
template:
metadata:
labels:
app: certbot-letsencrypt-getcert
use-as-service: {{ .Release.Name }}
spec:
restartPolicy: Never
containers:
- name: certbot
image: ungleich/ungleich-certbot
ports:
- containerPort: 80
env:
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
backoffLimit: 3

1
apps/bind9/values.yaml Normal file
View File

@ -0,0 +1 @@
identifier: "{{ .Release.Name }}"

23
apps/ejabberd/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

15
apps/ejabberd/Chart.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v2
name: ungleich-ejabberd
description: ungleich managed xmpp/ejabber
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "any"

1
apps/ejabberd/README.md Normal file
View File

@ -0,0 +1 @@
## Jabber

View File

@ -0,0 +1,367 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-jabber
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-jabber
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-jabber
use-as-service: {{ .Release.Name }}
spec:
initContainers:
- name: generate-jabber-signing-key
image: ungleich/ungleich-jabber-synapse:{{ .Values.synapseVersion }}
imagePullPolicy: Always
command:
- "python"
- "-m"
- "synapse.app.homeserver"
- "--config-path"
- "/baseconfig"
- "--keys-directory"
- "/data"
- "--generate-keys"
volumeMounts:
- name: data
mountPath: "/data"
- name: jabber-config
mountPath: "/baseconfig"
containers:
- name: certbot
image: ungleich/ungleich-certbot
imagePullPolicy: Always
ports:
- containerPort: 80
env:
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
# This container will only start *after* the cert has been placed
- name: debug
image: alpine:latest
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: data
mountPath: "/data"
- name: jabber-config
mountPath: "/baseconfig"
- name: postgres-vars
mountPath: "/postgres"
args:
- sleep
- "1000000"
- name: nginx
image: nginx:1.21-alpine
ports:
- containerPort: 443
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: postgres
image: postgres:13
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: {{ tpl .Values.identifier . }}-postgres-config
volumeMounts:
- name: postgres-data
mountPath: "/var/lib/postgresql/data"
# Use subpath to avoid lost+found error
subPath: postgres
- name: jabber
# SYNAPSE_CONFIG_DIR: where additional configs are placed -> postgres-db.yaml
# SYNAPSE_CONFIG_PATH: the initial config
# log.yaml -> same dir as postgres-db.yaml
# /data = persistent storage
image: ungleich/ungleich-jabber-synapse:{{ .Values.synapseVersion }}
imagePullPolicy: Always
ports:
- containerPort: 8008
env:
- name: SYNAPSE_CONFIG_PATH
value: "/baseconfig/homeserver.yaml"
- name: SYNAPSE_CONFIG_DIR
value: "/config"
volumeMounts:
- name: data
mountPath: "/data"
- name: jabber-config
mountPath: "/baseconfig"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
- name: data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-data
- name: postgres-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data
- name: postgres-vars
secret:
secretName: {{ tpl .Values.identifier . }}-postgres-config
- name: nginx-config
configMap:
name: {{ tpl .Values.identifier . }}-nginx-config
- name: jabber-config
configMap:
name: {{ tpl .Values.identifier . }}-jabber-config
items:
- key: homeserver.yaml
path: homeserver.yaml
- key: log.yaml
path: log.yaml
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
# Required for letsencrypt
- port: 80
name: http
- port: 443
name: https
selector:
use-as-service: {{ .Release.Name }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}-web
labels:
app: {{ tpl .Values.identifier . }}-web
spec:
type: ClusterIP
ports:
# Required for letsencrypt
- port: 80
name: http
- port: 443
name: https
selector:
use-as-service: {{ .Release.Name }}-web
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Mi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-data
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-postgres-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Mi
storageClassName: rook-ceph-block
---
# apiVersion: batch/v1
# kind: Job
# metadata:
# name: {{ tpl .Values.identifier . }}-getcert
# spec:
# template:
# metadata:
# labels:
# app: certbot-letsencrypt-getcert
# use-as-service: {{ .Release.Name }}
# spec:
# restartPolicy: Never
# containers:
# - name: certbot
# image: ungleich/ungleich-certbot
# ports:
# - containerPort: 80
# env:
# - name: DOMAIN
# value: "{{ tpl .Values.fqdn . }}"
# - name: EMAIL
# value: "{{ .Values.email }}"
# {{ if eq .Values.letsencryptStaging "no" }}
# - name: STAGING
# value: "no"
# {{ end }}
# volumeMounts:
# - name: etcletsencrypt
# mountPath: "/etc/letsencrypt"
# volumes:
# - name: etcletsencrypt
# persistentVolumeClaim:
# claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
# backoffLimit: 3
#---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-nginx-config
data:
default.conf: |
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ tpl .Values.fqdn . }};
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
client_max_body_size {{ .Values.max_filesize_in_mb }}m;
location ~ /_jabber|/_synapse {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8008;
}
}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ tpl .Values.identifier . }}-postgres-config
annotations:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
stringData:
POSTGRES_USER: "jabber-synapse"
POSTGRES_DB: "jabber-synapse"
POSTGRES_HOST: "localhost"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-jabber-config
data:
homeserver.yaml: |
server_name: "{{ .Values.server_name }}"
web_client_location: "{{ .Values.web_client_location }}"
public_baseurl: "{{ tpl .Values.fqdn . }}"
allow_public_rooms_without_auth: true
allow_public_rooms_over_federation: false
pid_file: "/var/run/jabber/homeserver.pid"
report_stats: false
signing_key_path: "/data/signin.key"
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses:
- '::1'
- '127.0.0.1'
resources:
- names: [federation,client]
compress: false
- port: 9093
bind_addresses:
- '::1'
- '127.0.0.1'
type: http
resources:
- names: [replication]
database:
name: "psycopg2"
args:
database: "jabber-synapse"
host: "localhost"
user: "jabber-synapse"
password: ""
cp_min: 10
cp_min: 5
log_config: "/baseconfig/log.yaml"
enable_media_repo: true
media_store_path: "/data/media"
max_upload_size: "{{ .Values.max_filesize_in_mb }}M"
enable_registration: {{ .Values.enable_registration }}
log.yaml: |
version: 1
formatters:
fmt:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.logging.context.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: fmt
filters: [context]
root:
level: INFO
handlers: [console] # to use file handler instead, switch to [file]
loggers:
synapse:
level: INFO
synapse.storage.SQL:
level: INFO
# example of enabling debugging for a component:
#
# synapse.federation.transport.server:
# level: DEBUG

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ tpl .Values.identifier . }}-test-connection"
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['https://{{ tpl .Values.fqdn . }}']
restartPolicy: Never

32
apps/ejabberd/values.yaml Normal file
View File

@ -0,0 +1,32 @@
clusterDomain: c2.k8s.ooo
email: technik@ungleich.ch
letsencryptStaging: "yes"
# This is how the service and the data volumes are named - i.e. the
# persistent thing
identifier: "{{ .Release.Name }}"
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
# This needs delegation / configuration on fn.nf
server_name: "fn.nf"
# Full URL -- for later, when external domains are supported
# web_client_location: "https://TBD"
enable_registration: false
# Maximum size of one particular file
max_filesize_in_mb: 100
elementVersion: "1.7.32"
#synapseVersion: "1.38.0"
synapseVersion: "latest"
#synapse_config:
# ---
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: {{ tpl .Values.identifier . }}-matrixconfig
# data:
# {{ tpl (.Files.Glob "matrix/*").AsConfig . | indent 2 }}

24
apps/knotdns/.helmignore Normal file
View File

@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
.#*

24
apps/knotdns/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
name: knotdns
description: DNS Auth
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "any"

View File

@ -0,0 +1,79 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-knot
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-knot
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-knot
use-as-service: {{ .Release.Name }}
spec:
initContainers:
containers:
- name: knot
image: cznic/knot:3.0
ports:
- containerPort: 53
volumeMounts:
- name: config
mountPath: "/config"
- name: zones
mountPath: "/zones"
args:
- knotd
volumes:
- name: config
configMap:
name: {{ tpl .Values.identifier . }}-config
- name: zones
configMap:
name: {{ tpl .Values.identifier . }}-zones
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
- port: 53
protocol: TCP
name: tcp-53
- port: 53
protocol: UDP
name: udp-53
selector:
use-as-service: {{ .Release.Name }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-zones
data:
{{ tpl (.Files.Glob "zones/*").AsConfig . | indent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-config
data:
knot.conf: |
server:
listen: 0.0.0.0@53
listen: ::@53
log:
- target: stdout
zone:
- domain: place7.ungleich.ch
file: /zones/place7.ungleich.ch

1
apps/knotdns/values.yaml Normal file
View File

@ -0,0 +1 @@
identifier: "{{ .Release.Name }}"

View File

@ -0,0 +1,23 @@
$TTL 60
@ IN SOA dns3.ungleich.ch. root.ungleich.ch. (
2021021800 ; serial number of this zone file
1d ; slave refresh (1 day)
2h ; slave retry time in case of a problem (2 hours)
4w ; slave expiration time (4 weeks)
1w ; maximum caching time in case of failed lookups (1 hour)
)
NS dns1.ungleich.ch.
NS dns2.ungleich.ch.
NS dns3.ungleich.ch.
MX 10 smtp.ungleich.ch.
MX 20 mx-backup.ungleich.ch.
; red AAAA 2a0a:e5c1:111:111::42
red AAAA 2a0a:e5c0:13::42
router1 AAAA 2a0a:e5c0:13::42
router2 AAAA 2a0a:e5c0:13:0:20d:b9ff:fe46:3bd4

View File

@ -1,6 +1,21 @@
## Missing
- db secret generation (sops?)
- done via mittwald
- SMTP settings / secrets (ungleich mail + sops?)
- Exposing sizes in value.yaml (db, gitea)
- Maybe reducing to 1 PVC?
## TODOs
- Maybe move postgres into own service -> stays running by default
## Reset
What I want:
- Easy access to latest matrix version
- Based on the official container makes sense
- Being able to inject postgres secret
- Postgres not restarting if synapse is getting updated
- 2nd service could nicely solve that

View File

@ -94,6 +94,7 @@ spec:
# log.yaml -> same dir as postgres-db.yaml
# /data = persistent storage
image: ungleich/ungleich-matrix-synapse:{{ .Values.synapseVersion }}
imagePullPolicy: Always
ports:
- containerPort: 8008
env:

View File

@ -19,7 +19,8 @@ enable_registration: false
max_filesize_in_mb: 100
elementVersion: "1.7.32"
synapseVersion: "1.38.0"
#synapseVersion: "1.38.0"
synapseVersion: "latest"
#synapse_config:
# ---