-rw-r--r--dan/host_vars/sk-cloudio.yml135
-rw-r--r--inventory/host_vars/sk-cloudio/nextcloud.yml12
-rw-r--r--inventory/host_vars/sk-cloudio/onlyoffice.yml19
-rw-r--r--inventory/host_vars/sk-tomnext-nc.yml4
-rw-r--r--roles/apps/onlyoffice/defaults/main.yml30
-rw-r--r--roles/apps/onlyoffice/tasks/main.yml149
-rw-r--r--roles/apps/onlyoffice/templates/pod-spec.yml.j2104
7 files changed, 392 insertions, 61 deletions
diff --git a/dan/host_vars/sk-cloudio.yml b/dan/host_vars/sk-cloudio.yml
index 348a49fb..a3792ba0 100644
--- a/dan/host_vars/sk-cloudio.yml
+++ b/dan/host_vars/sk-cloudio.yml
@@ -1,62 +1,75 @@
$ANSIBLE_VAULT;1.2;AES256;dan
-63663565313965643461303636396364383664663433373739303261633538343536653962663961
-3464303239313633363463313962663861623937393331340a386363643133666237396462663832
-35346165386562363630346136313666656635353734383233343138643630643530653331613764
-3431376232653438300a383862363030393839323935356361383838376137623635386232633035
-66323134653030626232366162633030656134306566633932336139323032383130616336656164
-66383436343361306266396232326463333434393163343335633061363336316661393338323462
-30633138323965623038356436383234303137366534333631613132613266643636393761393330
-64663561363738636331613465333463613735626265313538383732343766383965363239656132
-63366666653364343033663866376634343937303463656131336233653762363261656662613564
-63646236373266353934363737393132356535623066366239636363653665313965353265316262
-65396231646631353637613739626666363339313734373661303261623031306334646461363535
-36333034303166623764316133633139643230633333646663376537653938656531616438313935
-66363633623232373539363236373938396235333764323866623336306230363264363364333539
-65373731396136663233626539613530326539326164393638663663376239646333386330633266
-64636336613237323138363935643464613832306634376530646638666239306633383938303831
-35373565383038343532386338346161613731616333663863383431386365363330383636376433
-37663262346535626666323730653563393965306637363035613261363439633062306130643166
-66653437323764316162333564303031656636373331373135386264356366383464633261313235
-64316266343762323334653861636137656362636532373537396566386435396434633866613266
-61626332633833363636336364653361636632613662373162313362333032633937666163326462
-63326562393937396236636661353465643531653332373063336235613434616230353162633634
-61663436613237396362386330303039386132333932616265383833623636326134663265346431
-36656637353666646235313730326537373133646162313534396136363834613735306166323238
-63323065393566363134353039613862616238363362633232363961323730336634326431613136
-64626465663563303563663564623764633133616338363435336632306664643934343238346630
-65343635646334623330383562656166393136623161373061386663636135366232623133666436
-39613135626362643165316637633332333731356263633861613862346537633933646365313038
-32316662636464343664323331343639346134623333376438633530643535313766666463323439
-34393561323764663639323833656239316133373866633631336439396537663863336232343034
-65336562346432663438346535313736303032613832613232343163643831656238626430346631
-61653565303436313737613064303031353530393366386130633366656366303430383862346266
-62323730383836303165376466386261666262353465316637393534373439666338363862373764
-30643138623866663035306336333232306537393036353261656463386437643665633263663064
-39386563316362616639393130313339316232313464633463363664326231346466363530373135
-32386665346635633965636134346161323737633364353932373738666138363933613035326534
-30383863303938653536633964396161656338643437366661333261353034396430643933366432
-64346233623232346338383433306137663231326337613439633230646534666361313766636263
-61626433393563343436663063636465303362666334363738356431666334616637316535373361
-63633935663235663834343738663139353630653832336333306463393835623361653936313336
-62623132346539346363323065336535333739353439646237303131656364646663396465383063
-62663531666264326638313232626131313138666463313666313830636661343462643565383530
-38316638316234343362396534663636346230316230663930326562326336353365393563653866
-63633336333635376263653531613836636162313064626138306163353934306136633736363463
-66643636376534353035666638623038643061346237353730363166333636316366373836663261
-31366161366162303532623134393434626239313539353436306435383938353132393438323733
-37626533626266373930336566323863373062643964343835366438323464356132316265666135
-64376630366464633938356233396132306432643631356439303862623364326236373834386336
-36343765363735323236353864656635386133396134663037396566343163353537666333356531
-63343136636564363731383937613863626235663063316638656561666263326666353132343363
-64396461343463633631656432656366336164306437393866633535653431393431343030656631
-61336539616436366539613261333532333939343531343666343535633732353661303362383666
-31653462373738333433376562363734623462656330663664663732656262326665613035626230
-38646137346535336538633730623433333030343661386237373939333032373864663838356161
-35316535386431383963636139613539346462386436666334366338333964626639366261633637
-39303836383233623734383165366637633334323338646562653064643130306461303961383964
-62353236393130666538346634353339636561626536633835313563623761313335623630303330
-35626132303935623938663537343033313834393665613639653635373364353030396638363636
-61333038633361616531633334346638636336646336383131313531663862633166653036353932
-66363935333364396438623831643737323030356263643036326639613262313963623630333039
-38343431663932646566373739316136656632336230626531613739313431653561373136373237
-3833
+33356331336333323935386132333263653562353535333436323532666535333730353430623536
+3565346438356365313562333739373534336430356532350a636530303331613761613763613964
+39363731316137356566333166626637613861636335353030393266323466643862343962366462
+6131613839386333390a663961346139383038393732366336613262356433366330616139303762
+32636263383631316432666234363163663863386339383037393262633337646264353137366532
+61383035313766336434343265376333623262643431653165363765306432313933316436373733
+34393262636231316339323931313661353837653462363062386364613133303461326332656636
+30366339636565323936383366373136613038656338303532363066643630303638303430616665
+66393835383438363839313164393630666335356639633134656561643539393933393532633437
+63313563633530623662666538643937353266306336656230363234393830623830626437623234
+64366462313635353536326638373234663362333564363737643631323061663437636538616662
+39626237336232306265373139343831343064303238636234336133653733343162373962373836
+62306438636661383238313766343638306166326332333964376435656465666166383564386130
+31633230343132636265623235363266336136653534666637383232373831616636633237393666
+36353939333031363937663236396530636131363765616565643739613832313966303064353664
+64653137393332306332663235333234623234316363383164306665643861616261356336313763
+39313938393065663136633431313132363134326338336464323763363035383164303936376337
+31643936353764353137626166623164616162393730353365353330313233336163356238623664
+37333665363832643961376432656637363037323064343138393938646461616463613033376535
+37316662616537633537303034313632633634363932336631383936653263663731626637373231
+37396363316264373262363766303631313938353961643131363163633135356262333039646237
+39343662306566343734336365613865633761383238346361663563616432633136336462653930
+37613233356638336531366633646133643738616237643334626266363339323232336466326163
+61666363353366316434393166616238376333373762656330316234386263313866346563343632
+38333330626332323934643561636437616663343239653466383938646433633336353938326163
+61656336616339313836646266623765396662333365393131653034393333653165643863323862
+33386634303363333339313330306336316132636230306364626337363639306239366265373538
+38353934623332323563633939633962663530646437643234326434626531366462396139653332
+30383766636335646464373963623235386337396565373362386633336539636630656361633664
+38346138343431633264326434323863666636346537656565663535303564306133396131343631
+64646538333231326534643830363335366566663761643866663436313763323265356162666233
+38626461633262393862663434396635616366316235656437633765353635346165666539303931
+64383532306365366266383561333230393462653738303466396138323665343132613361656530
+30313534323231336662333461656235333330613138393762393262316562616431326262643465
+65376635363537646562346639316537656639363439353363623034666233366136333263363166
+38336366636536393363353234376636363735643033353366363166303461353831636465626363
+31623133636534653035663937313333333334303065663232353731356461323139346235613763
+63646539363933643865613034396633653534363236306333613762383264336334313336376236
+32393661356562393339613232316137303335363062343933613635313439663762613535656435
+64613263363964386462306139616335663334636238636233303739333031363731313033643262
+30373462386662356632376238323964316234353766363732613134643661373233613239643534
+31343233623065376361373134623265383063616239666336326333663436363837653964393431
+30383630613636383965633334306338643665366633623539336633653564396135353832636537
+30376230306263343739666132396438633261323834346565633965353266613831366264353136
+64386231386266636130333430633735623731313336313032653130643561323336373635323930
+30373235393437306435306136316536623339666136306638376439356661386134383464613939
+65323139316130376239396234616534633332323630623763666131663965363636613535313033
+61663434343865383637633462613931343161623536623263356664373264353839323239376361
+64336631663962343831333466636234363231363263646138323334356464633230613332396539
+66653835653030313036326261333764326632386261343836363566313964643865336661643036
+64623963656434313164646333373337326565663931623966336332633038623561653665393863
+39646266633635356132343536303935616335323762376537343038323535386234316134643036
+38393531626136343766623037653161333331386161643966313236306133316563306439623236
+30626133636534636536393961623238616233393136343166633764336436333161626139616330
+62393132326232303732353135333934373663313534616563353361633337356635353766306537
+64636263373738343638623133663633396137633266353565633035376461346164373665383163
+38663133656565363862336162623435373863393165613838323133336239323337393335633932
+32323636356136633864653630386134376462643064376233383237646133613738633133356433
+31383139663965663864346637336633383531366161333833306539313736623132316530636139
+39653331336264363639323965313966623431306337383537366232313033353466316365666434
+32336563383031306165653361363235346165393761643066613034363663353666666464393131
+35333730656562613837353937393361653938323138633165373435316639356337633864303065
+38393135663536633736613762353939316565633865366539316537363461363039373164626437
+64353436303165353836313737313535646636346562373830666536353136326335383333656231
+39333761653534353964613865323264646531316539666633626632646133393233316261633838
+30353065663865613234396664613336373162656162346162306163343434323935336264333137
+64303934646436346232343564393834613237613663333866646134663730613263666432393035
+32663933353738303964396362326565613731303037633765353662366162306663653535396464
+31393863366238303832373533373736386465353761636561393463343635373565383736613632
+65313534653933613839356336336463333062663738333662333132613536303161306533396430
+30616366663662313434326534653738653366656164373362643662613834306163373033353831
+37393561343535353935306233643830383163386432306265663864303939353932613961353234
+36343765613565623465663436643066633937303763323363316364613430313938653337633234
+3762353332376532666361336135633739636436356532396362
diff --git a/inventory/host_vars/sk-cloudio/nextcloud.yml b/inventory/host_vars/sk-cloudio/nextcloud.yml
index 37682445..2ff79a39 100644
--- a/inventory/host_vars/sk-cloudio/nextcloud.yml
+++ b/inventory/host_vars/sk-cloudio/nextcloud.yml
@@ -54,3 +54,15 @@ nextcloud_instances:
type: mariadb
version: 10.5.9
password: "{{ vault_nextcloud_database_passwords['wae.elevate.at'] }}"
+ wolke.elev8.at:
+ # new: true
+ version: 21.0.1
+ port: 8105
+ hostnames:
+ - wolke.elev8.at
+ zfs_properties:
+ quota: 10G
+ database:
+ type: mariadb
+ version: 10.5.9
+ password: "{{ vault_nextcloud_database_passwords['wolke.elev8.at'] }}"
diff --git a/inventory/host_vars/sk-cloudio/onlyoffice.yml b/inventory/host_vars/sk-cloudio/onlyoffice.yml
new file mode 100644
index 00000000..001c1f74
--- /dev/null
+++ b/inventory/host_vars/sk-cloudio/onlyoffice.yml
@@ -0,0 +1,19 @@
+---
+onlyoffice_zfs:
+ pool: storage
+ name: onlyoffice
+ properties:
+ compression: lz4
+
+onlyoffice_instances:
+ office.elev8.at:
+ version: 6.2.1.24
+ port: 8600
+ hostname: office.elev8.at
+ jwt_secret: "{{ vault_onlyoffice_jwt_secrets['office.elev8.at'] }}"
+ database:
+ version: 9.5.25
+ password: "{{ vault_onlyoffice_database_passwords['office.elev8.at'] }}"
+ amqp:
+ version: 3.8.14
+ password: "{{ vault_onlyoffice_amqp_passwords['office.elev8.at'] }}"
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml
index 272382c1..550e05b5 100644
--- a/inventory/host_vars/sk-tomnext-nc.yml
+++ b/inventory/host_vars/sk-tomnext-nc.yml
@@ -74,6 +74,10 @@ zfs_sanoid_modules:
use_template: production
recursive: yes
process_children_only: yes
+ storage/onlyoffice:
+ use_template: production
+ recursive: yes
+ process_children_only: yes
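Review bot: The new `storage/onlyoffice` sanoid module lands in the sk-tomnext-nc host file, while the dataset this commit defines (`onlyoffice_zfs` with `pool: storage`, `name: onlyoffice`) is declared in `inventory/host_vars/sk-cloudio/onlyoffice.yml`; unless sk-tomnext-nc also carries an onlyoffice dataset, the snapshot policy may be attached to the wrong host and the dataset on sk-cloudio would go unsnapshotted. Worth confirming against the play that applies the onlyoffice role. The `yes` values match the surrounding entries, though `true` would avoid the YAML 1.1 truthy ambiguity if the file is ever normalized. The `zfs_sanoid_modules` mapping starts before the hunk.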
docker_storage:
diff --git a/roles/apps/onlyoffice/defaults/main.yml b/roles/apps/onlyoffice/defaults/main.yml
new file mode 100644
index 00000000..1ea4773a
--- /dev/null
+++ b/roles/apps/onlyoffice/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+# onlyoffice_app_uid: "960"
+# onlyoffice_app_gid: "960"
+
+onlyoffice_db_uid: "961"
+onlyoffice_db_gid: "961"
+
+# onlyoffice_amqp_uid: "962"
+# onlyoffice_amqp_gid: "962"
+
+# onlyoffice_base_path: /srv/onlyoffice
+
+# onlyoffice_zfs:
+# pool: storage
+# name: onlyoffice
+# properties:
+# compression: lz4
+
+# onlyoffice_instances:
+# example:
+# version: 6.2.1.24
+# port: 8600
+# hostname: office.example.com
+# jwt_secret: very-secure-password
+# database:
+# version: 9.5.25
+# password: secret
+# amqp:
+# version: 3.8.14
+# password: secret
diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml
new file mode 100644
index 00000000..da253a77
--- /dev/null
+++ b/roles/apps/onlyoffice/tasks/main.yml
@@ -0,0 +1,149 @@
+---
+- name: create zfs datasets
+ when: onlyoffice_zfs is defined
+ block:
+ - name: create zfs base dataset
+ zfs:
+ name: "{{ onlyoffice_zfs.pool }}/{{ onlyoffice_zfs.name }}"
+ state: present
+ extra_zfs_properties: "{{ onlyoffice_zfs.properties | default(omit) }}"
+
+ - name: create zfs volumes for instances
+ loop: "{{ onlyoffice_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ (item.value.zfs_properties | default({})).items() | map('join', '=') | join(', ') }})"
+ zfs:
+ name: "{{ onlyoffice_zfs.pool }}/{{ onlyoffice_zfs.name }}/{{ item.key }}"
+ state: present
+ extra_zfs_properties: "{{ item.value.zfs_properties | default(omit) }}"
+
+ - name: configure onlyoffice base bath
+ set_fact:
+ onlyoffice_base_path: "{{ (zfs_pools[onlyoffice_zfs.pool].mountpoint, onlyoffice_zfs.name) | path_join }}"
+
+
+- name: create instance subdirectories
+ when: onlyoffice_zfs is not defined
+ loop: "{{ onlyoffice_instances | list }}"
+ file:
+ path: "{{ onlyoffice_base_path }}/{{ item }}"
+ state: directory
+
+
+# TODO: run documentserver components as non-root
+# - name: add group for onlyoffice app
+# group:
+# name: oo-app
+# gid: "{{ onlyoffice_app_gid }}"
+
+# - name: add user for onlyoffice app
+# user:
+# name: oo-app
+# uid: "{{ onlyoffice_app_uid }}"
+# group: oo-app
+# password: "!"
+
+# - name: create onlyoffice app subdirectory
+# loop: "{{ onlyoffice_instances | list }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice"
+# owner: "{{ onlyoffice_app_uid }}"
+# group: "{{ onlyoffice_app_gid }}"
+# state: directory
+
+
+- name: add group for onlyoffice db
+ group:
+ name: oo-db
+ gid: "{{ onlyoffice_db_gid }}"
+
+- name: add user for onlyoffice db
+ user:
+ name: oo-db
+ uid: "{{ onlyoffice_db_uid }}"
+ group: oo-db
+ password: "!"
+
+- name: create onlyoffice database subdirectory
+ loop: "{{ onlyoffice_instances | dict2items}}"
+ loop_control:
+ label: "{{ item.key }}"
+ file:
+ path: "{{ onlyoffice_base_path }}/{{ item.key }}/postgres"
+ owner: "{{ onlyoffice_db_uid }}"
+ group: "{{ onlyoffice_db_gid }}"
+ state: directory
+
+
+# TODO: run documentserver components as non-root
+# - name: add group for onlyoffice aqmp
+# group:
+# name: oo-aqmp
+# gid: "{{ onlyoffice_aqmp_gid }}"
+
+# - name: add user for onlyoffice aqmp
+# user:
+# name: oo-aqmp
+# uid: "{{ onlyoffice_aqmp_uid }}"
+# group: oo-aqmp
+# password: "!"
+
+# - name: create onlyoffice aqmp subdirectory
+# loop: "{{ onlyoffice_instances | list }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice"
+# owner: "{{ onlyoffice_aqmp_uid }}"
+# group: "{{ onlyoffice_aqmp_gid }}"
+# state: directory
+
+# TODO: AQMP config?
+# - name: create onlyoffice rabbitmq subdirectory
+# loop: "{{ onlyoffice_instances | dict2items}}"
+# loop_control:
+# label: "{{ item.key }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
+# state: directory
+
+# - name: install rabbitmq config snipped
+# loop: "{{ onlyoffice_instances | dict2items}}"
+# loop_control:
+# label: "{{ item.key }}"
+# copy:
+# dest: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
+# content: |
+# management.tcp.ip = 127.0.0.1
+
+
+- name: install pod manifest
+ loop: "{{ onlyoffice_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ kubernetes_standalone_pod:
+ name: "onlyoffice-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
+ mode: "0600"
+# TODO: AQMP config?
+# config_hash_items:
+# - path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
+# properties:
+# - checksum
+ include_role:
+ name: kubernetes/standalone/pod
+
+- name: configure nginx vhost
+ loop: "{{ onlyoffice_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "onlyoffice-{{ item.key }}"
+ template: generic-proxy-no-buffering-with-acme
+ acme: true
+ hostnames:
+ - "{{ item.value.hostname }}"
+ client_max_body_size: "0"
+ proxy_pass: "http://127.0.0.1:{{ item.value.port }}"
+ include_role:
+ name: nginx/vhost
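Review bot: The `create instance subdirectories` task (the `when: onlyoffice_zfs is not defined` branch) renders `{{ onlyoffice_base_path }}`, but the only definition of that variable in this commit is the `set_fact` inside the zfs block, and `roles/apps/onlyoffice/defaults/main.yml` leaves `onlyoffice_base_path` commented out, so the non-zfs path fails on an undefined variable unless the inventory sets it. Either uncomment `onlyoffice_base_path: /srv/onlyoffice` in the defaults hunk or fail early with an explicit check such as `- assert: { that: onlyoffice_base_path is defined }` ahead of the directory tasks. The task name `configure onlyoffice base bath` has a typo (`path`), and `dict2items}}` in the database subdirectory loop lacks the closing space used by the other loops. The `mode: "0600"` on the pod manifest is appropriate, since the rendered spec carries the database, AMQP and JWT secrets in clear text.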
diff --git a/roles/apps/onlyoffice/templates/pod-spec.yml.j2 b/roles/apps/onlyoffice/templates/pod-spec.yml.j2
new file mode 100644
index 00000000..74fb1ab6
--- /dev/null
+++ b/roles/apps/onlyoffice/templates/pod-spec.yml.j2
@@ -0,0 +1,104 @@
+{# TODO:
+securityContext:
+ allowPrivilegeEscalation: false
+#}
+terminationGracePeriodSeconds: 120
+containers:
+{# TODO: only listen to localhost #}
+- name: documentserver
+ image: "onlyoffice/documentserver:{{ item.value.version }}"
+ resources:
+ limits:
+ memory: "4Gi"
+{# TODO:
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ onlyoffice_amqp_uid }}
+ runAsGroup: {{ onlyoffice_amqp_gid }}
+#}
+ env:
+ - name: "DB_TYPE"
+ value: "postgres"
+ - name: "DB_HOST"
+ value: "127.0.0.1"
+ - name: "DB_PORT"
+ value: "5432"
+ - name: "DB_NAME"
+ value: "onlyoffice"
+ - name: "DB_USER"
+ value: "onlyoffice"
+ - name: "DB_PWD"
+ value: "{{ item.value.database.password }}"
+ - name: "AMQP_TYPE"
+ value: "rabbitmq"
+ - name: "AMQP_URI"
+ value: "amqp://onlyoffice:{{ item.value.amqp.password }}@127.0.0.1:5672"
+{% if 'jwt_secret' in item.value %}
+ - name: "JWT_ENABLED"
+ value: "true"
+ - name: "JWT_SECRET"
+ value: "{{ item.value.jwt_secret }}"
+{% endif %}
+ ports:
+ - containerPort: 80
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+
+- name: postgresql
+ image: "postgres:{{ item.value.database.version }}"
+ args:
+ - postgres
+ - -c
+ - listen_addresses=127.0.0.1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ onlyoffice_db_uid }}
+ runAsGroup: {{ onlyoffice_db_gid }}
+ env:
+ - name: "POSTGRES_DB"
+ value: "onlyoffice"
+ - name: "POSTGRES_USER"
+ value: "onlyoffice"
+ - name: "POSTGRES_PASSWORD"
+ value: "{{ item.value.database.password }}"
+ volumeMounts:
+ - name: postgres
+ mountPath: /var/lib/postgresql/data
+
+{# TODO: only listen to localhost #}
+- name: rabbitmq
+ image: "rabbitmq:{{ item.value.amqp.version }}"
+{# TODO:
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ onlyoffice_amqp_uid }}
+ runAsGroup: {{ onlyoffice_amqp_gid }}
+#}
+ env:
+ - name: "RABBITMQ_NODENAME"
+ value: "rabbit@localhost"
+ - name: "RABBITMQ_NODE_IP_ADDRESS"
+ value: "127.0.0.1"
+ - name: "RABBITMQ_DEFAULT_USER"
+ value: "onlyoffice"
+ - name: "RABBITMQ_DEFAULT_PASS"
+ value: "{{ item.value.amqp.password }}"
+{# TODO: AQMP config?
+ volumeMounts:
+ - name: rabbitmq
+ mountPath: /etc/rabbitmq/conf.d/k8s.conf
+ subPath: config
+ readOnly: true
+#}
+
+volumes:
+- name: postgres
+ hostPath:
+ path: "{{ onlyoffice_base_path }}/{{ item.key }}/postgres"
+ type: Directory
+{# TODO: AQMP config?
+- name: rabbitmq
+ hostPath:
+ path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
+ type: Directory
+#}
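Review bot: JWT is opt-in for the documentserver container: when an instance omits `jwt_secret`, the `{% if 'jwt_secret' in item.value %}` block emits neither `JWT_ENABLED` nor `JWT_SECRET`, so the image's default decides whether the vhost (exposed publicly through nginx with ACME in the tasks file) accepts unauthenticated requests. Since the one instance defined here already sets a vault-backed `jwt_secret`, consider making it mandatory by dropping the conditional and rendering both variables unconditionally, or at least add an `{% else %}` branch with `- name: "JWT_ENABLED"` / `value: "false"` so the manifest states the intent explicitly. The `RABBITMQ_NODE_IP_ADDRESS` env set to `127.0.0.1` should already narrow the AMQP listener, which may partly cover the `only listen to localhost` TODO above the rabbitmq container; the management plugin is a separate matter, which the commented `management.tcp.ip` snippet in the tasks file appears to target.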