diff options
Diffstat (limited to 'roles/apps/whawty/auth/instance/templates')
4 files changed, 94 insertions, 0 deletions
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 new file mode 100644 index 00000000..45c692e9 --- /dev/null +++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 @@ -0,0 +1,69 @@ +securityContext: + allowPrivilegeEscalation: false +{# runAsUser: {{ whawty_auth_app_uid }} #} +{# runAsGroup: {{ whawty_auth_app_gid }} #} +containers: +- name: app + image: "ghcr.io/whawty/auth/app:v{{ whawty_auth_instances[whawty_auth_instance].version }}" + args: + - "--store" + - "/config/store.yml" + - "run" + - "--web-addr" + - ":{{ whawty_auth_instances[whawty_auth_instance].port }}" +{% if 'tls' in whawty_auth_instances[whawty_auth_instance] %} + - "--web-config" + - "/config/web.yml" +{% endif %} + volumeMounts: + - name: config + mountPath: /config + readOnly: true + - name: store + mountPath: /store + env: +{# TODO: remove debug output #} + - name: WHAWTY_AUTH_DEBUG + value: "1" + ports: + - containerPort: {{ whawty_auth_instances[whawty_auth_instance].port }} + hostPort: {{ whawty_auth_instances[whawty_auth_instance].port }} +{% if 'sync' in whawty_auth_instances[whawty_auth_instance] %} +- name: sync + image: "ghcr.io/whawty/auth/sync:v{{ whawty_auth_instances[whawty_auth_instance].version }}" + command: + - "/gokr-rsyncd" + args: + - "--daemon" + - "--gokr.config=/sync/config.toml" +{# TODO: remove debug output #} + - "-v" + volumeMounts: + - name: sync + mountPath: /sync + readOnly: true + - name: store + mountPath: /store + readOnly: true + env: + - name: XDG_CONFIG_HOME + value: "/sync" + ports: + - containerPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }} + hostPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }} +{% endif %} +volumes: +- name: config + hostPath: + path: "{{ whawty_auth_instance_basepath }}/config" + type: Directory +- name: store + hostPath: + path: "{{ whawty_auth_instance_basepath }}/store" + type: Directory +{% if 'sync' in whawty_auth_instances[whawty_auth_instance] %} +- name: sync + hostPath: + path: "{{ whawty_auth_instance_basepath }}/sync" + type: Directory +{% endif %} diff --git a/roles/apps/whawty/auth/instance/templates/store.yml.j2 b/roles/apps/whawty/auth/instance/templates/store.yml.j2 new file mode 100644 index 00000000..afaea6f4 --- /dev/null +++ b/roles/apps/whawty/auth/instance/templates/store.yml.j2 @@ -0,0 +1,4 @@ +basedir: /store +default: {{ whawty_auth_instances[whawty_auth_instance].store.default }} +params: + {{ whawty_auth_instances[whawty_auth_instance].store.params | to_nice_yaml(indent=2) | indent(2) }} diff --git a/roles/apps/whawty/auth/instance/templates/sync.toml.j2 b/roles/apps/whawty/auth/instance/templates/sync.toml.j2 new file mode 100644 index 00000000..ddea4da5 --- /dev/null +++ b/roles/apps/whawty/auth/instance/templates/sync.toml.j2 @@ -0,0 +1,8 @@ +dont_namespace = true +[[listener]] + [listener.authorized_ssh] + address = ":{{ whawty_auth_instances[whawty_auth_instance].sync.port }}" + authorized_keys = "/sync/authorized_keys" +[[module]] + name = "store" + path = "/store" diff --git a/roles/apps/whawty/auth/instance/templates/web.yml.j2 b/roles/apps/whawty/auth/instance/templates/web.yml.j2 new file mode 100644 index 00000000..705e056d --- /dev/null +++ b/roles/apps/whawty/auth/instance/templates/web.yml.j2 @@ -0,0 +1,13 @@ +--- +tls: + certificate: /config/tls/cert.pem + certificate-key: /config/tls/key.pem + min-protocol-version: "TLSv1.2" + ciphers: + - ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + prefer-server-ciphers: true |