From 62c7f0f3660e24c6a07013f9f34e84c7335a1c04 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 21 Jan 2024 16:34:35 +0100
Subject: ch-apps: add node-red.chaos-at-home.org and passwd.chaos-at-home.org

---
 chaos-at-home/ch-apps.yml | 1 +
 chaos-at-home/host_vars/ch-apps.yml | 27 ++++++++----
 .../chaos-at-home/bind-zones/db.chaos-at-home.org | 3 +-
 inventory/host_vars/ch-apps/node-red.yml | 16 +++++--
 inventory/host_vars/ch-apps/vars.yml | 13 ++++++
 inventory/host_vars/ch-apps/whawty.yml | 50 ++++++++++++++--------
 .../whawty/auth/instance/templates/pod-spec.yml.j2 | 5 ++-
 7 files changed, 81 insertions(+), 34 deletions(-)

diff --git a/chaos-at-home/ch-apps.yml b/chaos-at-home/ch-apps.yml
index cbd39112..45d5a088 100644
--- a/chaos-at-home/ch-apps.yml
+++ b/chaos-at-home/ch-apps.yml
@@ -18,4 +18,5 @@
 - role: monitoring/prometheus/exporter
 - role: kubernetes/base
 - role: kubernetes/standalone/base
+ - role: apps/whawty/auth
 - role: apps/node-red
diff --git a/chaos-at-home/host_vars/ch-apps.yml b/chaos-at-home/host_vars/ch-apps.yml
index 6612b6e6..9714ea90 100644
--- a/chaos-at-home/host_vars/ch-apps.yml
+++ b/chaos-at-home/host_vars/ch-apps.yml
@@ -1,10 +1,19 @@
 $ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-64313462623435636236323762663236393166616439313030353639613936303665383032623862
-6365383936653466313063623332363665643436326231350a366338323064666431653135323838
-37303262343831333130376331653234626131393865643633613963343235613530626533653435
-3365643437663862380a633038343239313235346130613338613334663436326433313730636635
-66616165336261613264353738363336643461643932326538643035656432663033333137616434
-39666666353266346138366462633936323064376139323362613534356535633665393936346439
-39633666336332356266313632656163353639643938353764303031646432346139613266623936
-61373430363064306336613539336335376361363239393235356239633234333961323533363361
-6163
+61393032643235616535363836343637626138393937353634373033386333386161306538643161
+6233336131646139353163366533326161623735623330340a643639353039633930623164336231
+63386230356630363435653031363631653836303537613062303030313865363362623232353666
+3838636163333566640a356461633961393238633762363234623133353832363834656562663939
+38376130303236653636636161616366393538656461346633613030396365313237373964343961
+36383632323764616465353332366165356332616134316537386565346536393362643232326637
+36376563653130396339323034336265393266663433306631363730646365663265626338613736
+66663261363961613835633739643362383261653634613137336663393937366336646632663766
+32633965313963396664623836623132613138646132333765616434316537623130643961643862
+65383262663263636565313165383837323766363461383533626334383033303533373038373765
+61313538346463626566303566363134336439306539313164386364316134336464363738346262
+30343035393566623336323761653266313732396635646263646539386666353266363439353737
+31656663656365333865626334343830346163313735343062616636383337613332626136313165
+37366666383264363863393836656266633031396535343462376261336439613038333932616333
+64656231396533666633303936333565316563613535343130386437343533336562663764666137
+61323836626261323165653738636330613531313765653438663434666432636330636137336562
+65373434353232653539666366643065323961366433366565646466636232636536303865393665
+6366663538373933616636366335313530656261373165633263
diff --git a/files/chaos-at-home/bind-zones/db.chaos-at-home.org b/files/chaos-at-home/bind-zones/db.chaos-at-home.org
index ed9d541f..d4b4aa0d 100644
--- a/files/chaos-at-home/bind-zones/db.chaos-at-home.org
+++ b/files/chaos-at-home/bind-zones/db.chaos-at-home.org
@@ -2,7 +2,7 @@ $origin chaos-at-home.org. $TTL 1h @ SOA ns0 hostmaster ( - 2023122800 + 2024012100 1h 15m 30d
@@ -67,6 +67,7 @@ jump 600 CNAME magenta.jump
 web 600 CNAME magenta.web
 mail 600 CNAME magenta.mail
 passwd 600 CNAME magenta.passwd
+passwd-ng 600 CNAME magenta.passwd
 login 600 CNAME magenta.login
 node-red 600 CNAME magenta.node-red
diff --git a/inventory/host_vars/ch-apps/node-red.yml b/inventory/host_vars/ch-apps/node-red.yml
index ee11a495..f57d9318 100644
--- a/inventory/host_vars/ch-apps/node-red.yml
+++ b/inventory/host_vars/ch-apps/node-red.yml
@@ -1,9 +1,13 @@
 ---
+_node_red_zfs_base_:
+ pool: storage
+ name: node-red
+
 node_red_instances:
- test:
+ node-red.chaos-at-home.org:
 version: 3.1.3
 port: 1880
- credential_secret: "{{ vault_nodered_credential_secrets['test'] }}"
+ credential_secret: "{{ vault_nodered_credential_secrets['node-red.chaos-at-home.org'] }}"
 mqtt_tls:
 certificate_provider: managed-ca
 certificate_config:
@@ -11,12 +15,18 @@ node_red_instances:
 host: ch-iot
 name: mqtt
 cert:
- common_name: test
+ common_name: node-red.chaos-at-home.org
 extended_key_usage:
 - clientAuth
 extended_key_usage_critical: yes
 create_subject_key_identifier: yes
 not_after: +100w
+ storage:
+ type: zfs
+ parent: "{{ _node_red_zfs_base_ }}"
+ name: node-red.chaos-at-home.org
+ properties:
+ quota: 512M
 publish:
 zone: "{{ apps_publish_zone__chaos_at_home }}"
 hostnames:
diff --git a/inventory/host_vars/ch-apps/vars.yml b/inventory/host_vars/ch-apps/vars.yml
index 4bfb2d29..a3a4af5b 100644
--- a/inventory/host_vars/ch-apps/vars.yml
+++ b/inventory/host_vars/ch-apps/vars.yml
@@ -81,6 +81,19 @@ zfs_pools:
 ashift: 12
 autotrim: "on"
 
+zfs_volumes:
+ storage:
+ node-red:
+ properties:
+ compression: lz4
+ xattr: sa
+ whawty:
+ properties:
+ compression: lz4
+ xattr: sa
+ children:
+ auth: {}
+
 zfs_sanoid_modules:
 storage:
 use_template: production
diff --git a/inventory/host_vars/ch-apps/whawty.yml b/inventory/host_vars/ch-apps/whawty.yml
index a909f780..6d6d8aab 100644
--- a/inventory/host_vars/ch-apps/whawty.yml
+++ b/inventory/host_vars/ch-apps/whawty.yml
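Review bot: The `zfs_volumes.storage` datasets `node-red` and `whawty/auth` added here are the parents that `_node_red_zfs_base_` and `_whawty_auth_zfs_base_` in the sibling host_vars files resolve to, but nothing in this file records that coupling. A comment above `zfs_volumes:` such as `# parent datasets for per-instance app storage; referenced by node-red.yml and whawty.yml` would keep the three files in step when one of them is renamed. Neither dataset carries a quota here, so the per-instance `quota` values in those files are the only limits visible in this commit; worth confirming that is intended.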
@@ -1,34 +1,46 @@
 ---
+_whawty_auth_zfs_base_:
+ pool: storage
+ name: whawty/auth
+
 whawty_auth_instances:
- test:
+ passwd.chaos-at-home.org:
 version: 0.2-rc9
 port: 3080
 store:
- default: 1
+ default: 2
 params:
 - id: 1
+ scryptauth:
+ hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['1'] }}"
+ cost: 12
+ - id: 2
+ scryptauth:
+ hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['2'] }}"
+ cost: 12
+ - id: 3
 argon2id:
 time: 1
 memory: 65536
 threads: 4
 length: 32
- hostnames:
- - passwd.example.com
- tls:
- certificate_provider: selfsigned
- cert:
- organization_name: "chaos-at-home"
- organizational_unit_name: "ansible"
- key_usage:
- - digitalSignature
- - keyAgreement
- key_usage_critical: yes
- extended_key_usage:
- - serverAuth
- extended_key_usage_critical: yes
- create_subject_key_identifier: yes
- not_after: +52w
- renew_margin: +42d
 sync:
 port: 3022
 authorized_keys: "{{ users.equinox.ssh }}"
+ storage:
+ type: zfs
+ parent: "{{ _whawty_auth_zfs_base_ }}"
+ name: passwd.chaos-at-home.org
+ properties:
+ quota: 128M
+ publish:
+ zone: "{{ apps_publish_zone__chaos_at_home }}"
+ hostnames:
+ #- passwd.chaos-at-home.org
+ - passwd-ng.chaos-at-home.org
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
index 3677d84b..99c6e733 100644
--- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
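Review bot: `default: 2` makes the scryptauth parameter set with `cost: 12` the one used for newly stored hashes, while the argon2id set (previously `id: 1` and the default, now `id: 3`) is kept only for verification. If `cost` is the log2 scrypt work factor, as in the scryptauth library, 2^12 is at the low end of what is usually recommended; unless ids 1 and 2 exist only to verify hashes imported from the old passwd instance under their respective HMAC keys, `default: 3` would keep new hashes on argon2id and leave the scrypt sets for legacy entries. The `#- passwd.chaos-at-home.org` line under `hostnames` is dead configuration now that the zone hunk CNAMEs `passwd-ng` to `magenta.passwd`; a comment such as `# passwd.chaos-at-home.org moves here once the old instance is retired` would record why it stays commented out, if that is the plan. `http-self-test: false` disables acmetool's local check of the HTTP-01 challenge path, so an ingress misconfiguration will only surface as a CA validation failure; confirm that is intended.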
@@ -6,13 +6,14 @@ containers:
 - name: app
 image: "ghcr.io/whawty/auth/app:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
 args:
- "--store"
- "/config/store.yml"
 - "run"
 - "--web-addr"
 - ":{{ whawty_auth_instances[whawty_auth_instance].port }}"
 - "--web-config"
 - "/config/web.yml"
+ env:
+ - name: "WHAWTY_AUTH_STORE_CONFIG"
+ value: "/config/store.yml"
 volumeMounts:
 - name: config
 mountPath: /config
-- cgit v1.2.3
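Review bot: The store config moves from the `--store` argument to the `WHAWTY_AUTH_STORE_CONFIG` environment variable, but the image tag is still built from `version`, which the whawty.yml hunk leaves at `0.2-rc9`; if that release does not read the variable the container starts without a store config, so confirm the deployed version honours it or bump `version` in the same commit. A comment next to `env:` such as `# store config is passed via env since app <VERSION - fill in>` would make that dependency visible to the next reader. The enclosing pod spec starts and ends outside the hunk.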