xai-corp.net/provisioning
1
0
Fork 0
Code Issues 9 Releases Activity

update TLS config on ingresses

Browse Source
This commit is contained in:
richard
2025-09-21 08:53:07 -04:00
parent 373b3fad7d
commit 3060d7fbb5
10 changed files with 29 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ansible-5/playbooks/kube.yaml
View File

@@ -6,5 +6,8 @@
roles: roles:
- role: k3s - role: k3s
become: true become: true
vars:
k3s_upgrade: false
- role: prod.k3s - role: prod.k3s
# become: true # become: true

4
ansible-5/roles/prod.k3s/defaults/main.yml
View File

@@ -45,7 +45,7 @@ apps:
enabled: true enabled: true
stash: stash:
enabled: true enabled: false
state: present state: present
namespace: stashapp namespace: stashapp
@@ -93,7 +93,7 @@ apps:
state: absent state: absent
funkwhale: funkwhale:
enabled: false enabled: true
namespace: funkwhale namespace: funkwhale
state: present state: present

3
ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
View File

@@ -14,10 +14,11 @@ spec:
dnsNames: dnsNames:
- xai-corp.net - xai-corp.net
- www.xai-corp.net - www.xai-corp.net
- sql.xai-corp.net
acme: acme:
config: config:
- http01: - http01:
ingressClass: traefik ingressClass: traefik
domains: domains:
- xai-corp.net - xai-corp.net
- www.xai-corp.net

2
ansible-5/roles/prod.k3s/files/funkwhale/values.yaml
View File

@@ -14,6 +14,8 @@ ingress:
# protocol: https # protocol: https
tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
- secretName: xai-corp-production-tls - secretName: xai-corp-production-tls
hosts:
- funkwhale.xai-corp.net
replicaCount: 1 replicaCount: 1

8
ansible-5/roles/prod.k3s/files/gitea/values.yaml
View File

@@ -13,19 +13,23 @@ image:
registry: "" registry: ""
repository: gitea/gitea repository: gitea/gitea
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
# tag: "1.22.0" tag: "1.24"
pullPolicy: Always pullPolicy: Always
rootless: true # only possible when running 1.14 or later rootless: true # only possible when running 1.14 or later
ingress: ingress:
enabled: true enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
hosts: hosts:
- host: git.xai-corp.net - host: git.xai-corp.net
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
- secretName: xai-corp-production-tls - secretName: xai-corp-production-tls-funkwhale
hosts:
- git.xai-corp.net
persistence: persistence:
enabled: true enabled: true

7
ansible-5/roles/prod.k3s/files/nextcloud/values.yaml
View File

@@ -3,7 +3,7 @@
image: image:
repository: nextcloud repository: nextcloud
tag: "29.0.6" #https://hub.docker.com/_/nextcloud/tags?page=1&name=28. tag: "30.0.15" #https://hub.docker.com/_/nextcloud/tags?page=1&name=28.
flavor: apache flavor: apache
# pullSecrets: regcred # pullSecrets: regcred
@@ -14,9 +14,12 @@ ingress:
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/custom-response-headers: "Access-Control-Allow-Origin:*||Access-Control-Allow-Methods:GET,POST,OPTIONS||Access-Control-Allow-Headers:DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range||Access-Control-Expose-Headers:Content-Length,Content-Range" traefik.ingress.kubernetes.io/custom-response-headers: "Access-Control-Allow-Origin:*||Access-Control-Allow-Methods:GET,POST,OPTIONS||Access-Control-Allow-Headers:DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range||Access-Control-Expose-Headers:Content-Length,Content-Range"
cert-manager.io/cluster-issuer: letsencrypt-production
tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
- secretName: xai-corp-production-tls - secretName: xai-corp-production-tls-xaibox
hosts:
- xaibox.xai-corp.net
nextcloud: nextcloud:
# image: xaicorp/nextcloud # image: xaicorp/nextcloud

2
ansible-5/roles/prod.k3s/files/stash/proxy-values.yaml
View File

@@ -33,6 +33,8 @@ ingress:
# Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
- secretName: xai-corp-production-tls - secretName: xai-corp-production-tls
hosts:
- stash.xai-corp.net
annotations: annotations:
ingress.kubernetes.io/force-hsts: "true" ingress.kubernetes.io/force-hsts: "true"
ingress.kubernetes.io/hsts-max-age: "315360000" ingress.kubernetes.io/hsts-max-age: "315360000"

5
ansible-5/roles/prod.k3s/files/stash/values.yaml
View File

@@ -9,10 +9,13 @@ image:
ingress: ingress:
main: main:
enabled: false enabled: true
hosts: hosts:
- host: stash.xai-corp.net - host: stash.xai-corp.net
paths: paths:
- path: / - path: /
tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
- secretName: xai-corp-production-tls - secretName: xai-corp-production-tls
hosts:
- stash.xai-corp.net

3
ansible-5/roles/prod.k3s/tasks/cert_manager.yml → ansible-5/roles/prod.k3s/tasks/deployments/cert_manager.yml
View File

@@ -5,7 +5,8 @@
kubeconfig_path: "/etc/rancher/k3s/k3s.yaml" kubeconfig_path: "/etc/rancher/k3s/k3s.yaml"
atomic: true atomic: true
name: cert-manager name: cert-manager
chart_ref: jetstack/cert-manager chart_ref: oci://quay.io/jetstack/charts/cert-manager
chart_version: "v1.18.2"
release_namespace: cert-manager release_namespace: cert-manager
create_namespace: true create_namespace: true
release_values: release_values:

2
ansible-5/roles/prod.k3s/tasks/main.yml
View File

@@ -12,7 +12,7 @@
when: apps.hello_world.enabled when: apps.hello_world.enabled
- name: deploy cert_manager - name: deploy cert_manager
include_tasks: cert_manager.yml include_tasks: deployments/cert_manager.yml
when: apps.cert_manager.enabled when: apps.cert_manager.enabled
- name: deploy stash - name: deploy stash