From 3060d7fbb5bc636821461daa67b042472ab5617f Mon Sep 17 00:00:00 2001
From: richard
Date: Sun, 21 Sep 2025 08:53:07 -0400
Subject: [PATCH] update TLS config on ingresses
---
ansible-5/playbooks/kube.yaml | 3 +++
ansible-5/roles/prod.k3s/defaults/main.yml | 4 ++--
.../files/cert-manager/certificate.xai-corp.stg.yaml | 3 ++-
ansible-5/roles/prod.k3s/files/funkwhale/values.yaml | 2 ++
ansible-5/roles/prod.k3s/files/gitea/values.yaml | 8 ++++++--
ansible-5/roles/prod.k3s/files/nextcloud/values.yaml | 7 +++++--
ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml | 2 ++
ansible-5/roles/prod.k3s/files/stash/values.yaml | 5 ++++-
.../prod.k3s/tasks/{ => deployments}/cert_manager.yml | 3 ++-
ansible-5/roles/prod.k3s/tasks/main.yml | 2 +-
10 files changed, 29 insertions(+), 10 deletions(-)
rename ansible-5/roles/prod.k3s/tasks/{ => deployments}/cert_manager.yml (91%)
diff --git a/ansible-5/playbooks/kube.yaml b/ansible-5/playbooks/kube.yaml
index fb4d140..02de27a 100644
--- a/ansible-5/playbooks/kube.yaml
+++ b/ansible-5/playbooks/kube.yaml
@@ -6,5 +6,8 @@ roles: - role: k3s become: true + vars: + k3s_upgrade: false + - role: prod.k3s # become: true
diff --git a/ansible-5/roles/prod.k3s/defaults/main.yml b/ansible-5/roles/prod.k3s/defaults/main.yml
index becfb62..2f3f9e2 100644
--- a/ansible-5/roles/prod.k3s/defaults/main.yml
+++ b/ansible-5/roles/prod.k3s/defaults/main.yml
@@ -45,7 +45,7 @@ apps: enabled: true stash: - enabled: true + enabled: false state: present namespace: stashapp
@@ -93,7 +93,7 @@ apps: state: absent funkwhale: - enabled: false + enabled: true namespace: funkwhale state: present
diff --git a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
index 017a3a1..4dfcaa5 100644
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
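Review bot: The stash hunks later in this commit become unreachable: `apps.stash.enabled` turns `false` here while stash/values.yaml switches `ingress.main.enabled` to `true` and stash/proxy-values.yaml adds `tls.hosts`, and tasks/main.yml gates each deployment on `apps.<name>.enabled` (the stash include follows the visible context there, so presumably the same gate applies). This toggle and the funkwhale flip in the next hunk are also unrelated to the commit subject, so if both are intended a why-comment saves the next reader from re-enabling stash by reflex, e.g. `enabled: false  # parked: <reason>`.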
@@ -14,10 +14,11 @@ spec: dnsNames: - xai-corp.net - www.xai-corp.net - - sql.xai-corp.net + acme: config: - http01: ingressClass: traefik domains: - xai-corp.net + - www.xai-corp.net
diff --git a/ansible-5/roles/prod.k3s/files/funkwhale/values.yaml b/ansible-5/roles/prod.k3s/files/funkwhale/values.yaml
index 9468bdc..1b5d291 100644
--- a/ansible-5/roles/prod.k3s/files/funkwhale/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/funkwhale/values.yaml
@@ -14,6 +14,8 @@ ingress: # protocol: https tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames - secretName: xai-corp-production-tls + hosts: + - funkwhale.xai-corp.net replicaCount: 1
diff --git a/ansible-5/roles/prod.k3s/files/gitea/values.yaml b/ansible-5/roles/prod.k3s/files/gitea/values.yaml
index fd583d6..cb1cb57 100644
--- a/ansible-5/roles/prod.k3s/files/gitea/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/gitea/values.yaml
@@ -13,19 +13,23 @@ image: registry: "" repository: gitea/gitea # Overrides the image tag whose default is the chart appVersion. -# tag: "1.22.0" + tag: "1.24" pullPolicy: Always rootless: true # only possible when running 1.14 or later ingress: enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production hosts: - host: git.xai-corp.net paths: - path: / pathType: Prefix tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames - - secretName: xai-corp-production-tls + - secretName: xai-corp-production-tls-funkwhale + hosts: + - git.xai-corp.net persistence: enabled: true
diff --git a/ansible-5/roles/prod.k3s/files/nextcloud/values.yaml b/ansible-5/roles/prod.k3s/files/nextcloud/values.yaml
index 16e4af4..f4cd95a 100644
--- a/ansible-5/roles/prod.k3s/files/nextcloud/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/nextcloud/values.yaml
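Review bot: `acme.config` with an `http01` solver under the Certificate `spec` is the pre-v0.11 cert-manager schema, and this same commit pins the chart to `v1.18.2` (cert_manager.yml hunk), whose v1 `Certificate` type has no `spec.acme` field, so the apply is likely to be rejected or have the block silently pruned; the `apiVersion` line sits outside the hunk, so confirm which API the file declares. In the v1 API the HTTP-01 solver belongs on the `letsencrypt-production` (Cluster)Issuer under `spec.acme.solvers` and the names come from `dnsNames` alone, which would make the duplicated `domains` list unnecessary. Dropping `sql.xai-corp.net` from `dnsNames` also means any ingress still terminating TLS for that name with this certificate's secret will present a certificate without that SAN; check nothing still references it.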
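Review bot: Adding `hosts` under `tls` only steers what ingress-shim requests if the Ingress carries a `cert-manager.io/cluster-issuer` annotation, and none is visible in this hunk (gitea and nextcloud add one in this commit); if the funkwhale chart's annotations (outside the hunk) lack it, the Secret `xai-corp-production-tls` must already exist in the `funkwhale` namespace or Traefik will most likely fall back to its default certificate for this host. The shared name `xai-corp-production-tls` is also what stash/values.yaml and stash/proxy-values.yaml point at with a different host, so one name now means different certificates in different namespaces; a per-app name such as `secretName: xai-corp-production-tls-funkwhale`, the pattern gitea and nextcloud adopt here, avoids that confusion. Since defaults/main.yml enables funkwhale in this same commit, this is the ingress that actually goes live with the change.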
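Review bot: The new secret name `xai-corp-production-tls-funkwhale` on the gitea ingress reads like a copy-paste from the funkwhale values; with the `cert-manager.io/cluster-issuer` annotation added in the same hunk, ingress-shim will issue a certificate for `git.xai-corp.net` into a secret whose name says funkwhale, which will mislead whoever debugs either app later. Suggest `- secretName: xai-corp-production-tls-gitea`. The `letsencrypt-production` ClusterIssuer referenced here (and by nextcloud) is not part of this patch, so confirm it exists before rollout or the Certificate will sit failed while the Ingress points at an empty secret. The hunk also turns the commented-out `# tag: "1.22.0"` into a live `tag: "1.24"`, an image bump to a floating minor tag that is unrelated to the TLS change and deserves a mention in the commit message or a full version pin.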
@@ -3,7 +3,7 @@ image: repository: nextcloud - tag: "29.0.6" #https://hub.docker.com/_/nextcloud/tags?page=1&name=28. + tag: "30.0.15" #https://hub.docker.com/_/nextcloud/tags?page=1&name=28. flavor: apache # pullSecrets: regcred
@@ -14,9 +14,12 @@ ingress: traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/custom-response-headers: "Access-Control-Allow-Origin:*||Access-Control-Allow-Methods:GET,POST,OPTIONS||Access-Control-Allow-Headers:DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range||Access-Control-Expose-Headers:Content-Length,Content-Range" + cert-manager.io/cluster-issuer: letsencrypt-production tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames - - secretName: xai-corp-production-tls + - secretName: xai-corp-production-tls-xaibox + hosts: + - xaibox.xai-corp.net nextcloud: # image: xaicorp/nextcloud
diff --git a/ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml b/ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml
index 52bc847..f21755c 100644
--- a/ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml
+++ b/ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml
@@ -33,6 +33,8 @@ ingress: # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames - secretName: xai-corp-production-tls + hosts: + - stash.xai-corp.net annotations: ingress.kubernetes.io/force-hsts: "true" ingress.kubernetes.io/hsts-max-age: "315360000"
diff --git a/ansible-5/roles/prod.k3s/files/stash/values.yaml b/ansible-5/roles/prod.k3s/files/stash/values.yaml
index 3953542..b273e7b 100644
--- a/ansible-5/roles/prod.k3s/files/stash/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/stash/values.yaml
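Review bot: The old `xai-corp-production-tls` Secret is left behind in the nextcloud namespace once the ingress switches to `xai-corp-production-tls-xaibox`; nothing in this patch removes it, so a valid private key and certificate stay around until someone deletes them by hand, and a cleanup task (or a note that it was done) belongs with this change. Moving to a per-app secret with an explicit `hosts` entry is otherwise the right shape for ingress-shim. In the first hunk of this file the trailing comment on `tag: "30.0.15"` still points at `name=28.`; pointing it at the current major avoids a misleading link.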
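Review bot: Both this hunk and the stash/values.yaml hunk point an Ingress for `stash.xai-corp.net` at the same `secretName: xai-corp-production-tls`; if the two Ingresses share the `stashapp` namespace and both carry a cert-manager issuer annotation (only the HSTS annotations are visible here), ingress-shim would try to manage one Secret from two Ingress objects and the Certificates would conflict or overwrite each other on renewal. Either drop the `tls` block from one of them or give each its own secret name. Both hunks are also inert while `apps.stash.enabled` is set to `false` in defaults/main.yml in this same commit.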
@@ -9,10 +9,13 @@ image: ingress: main: - enabled: false + enabled: true hosts: - host: stash.xai-corp.net paths: - path: / tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames - secretName: xai-corp-production-tls + hosts: + - stash.xai-corp.net +
diff --git a/ansible-5/roles/prod.k3s/tasks/cert_manager.yml b/ansible-5/roles/prod.k3s/tasks/deployments/cert_manager.yml
similarity index 91%
rename from ansible-5/roles/prod.k3s/tasks/cert_manager.yml
rename to ansible-5/roles/prod.k3s/tasks/deployments/cert_manager.yml
index ede90aa..4ecbc5b 100644
--- a/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
+++ b/ansible-5/roles/prod.k3s/tasks/deployments/cert_manager.yml
@@ -5,7 +5,8 @@ kubeconfig_path: "/etc/rancher/k3s/k3s.yaml" atomic: true name: cert-manager - chart_ref: jetstack/cert-manager + chart_ref: oci://quay.io/jetstack/charts/cert-manager + chart_version: "v1.18.2" release_namespace: cert-manager create_namespace: true release_values:
diff --git a/ansible-5/roles/prod.k3s/tasks/main.yml b/ansible-5/roles/prod.k3s/tasks/main.yml
index 322818c..134e6f1 100644
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -12,7 +12,7 @@ when: apps.hello_world.enabled - name: deploy cert_manager - include_tasks: cert_manager.yml + include_tasks: deployments/cert_manager.yml when: apps.cert_manager.enabled - name: deploy stash
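Review bot: The `chart_version: "v1.18.2"` pin alone does not authenticate what Helm pulls from `oci://quay.io/jetstack/charts/cert-manager`; it is a clear improvement over the floating `jetstack/cert-manager` reference, and since cert-manager signs its released charts, verifying the pulled chart against the pinned version (cosign) is a cheap supply-chain check if the control host has the tooling. Switching from a repo alias to an `oci://` reference also requires a Helm with OCI support (3.8 or later) on the target, which nothing in this task appears to check. Whether `release_values` (it continues below the hunk) enables CRD installation for this release is not visible; the legacy `spec.acme` Certificate manifest elsewhere in this commit suggests the v1 API migration has not been done, so confirm CRDs and manifests before the `atomic: true` upgrade runs.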