chore: wip on demo-gymburgdorf inventory and architecture notes
This commit is contained in:
Simon Bärlocher
parent
1ddd5d9eb9
commit
82f0db8fe3
15 changed files with 451 additions and 8 deletions
2
inventories/demo-gymburgdorf/group_vars/all/ansible.yml
Normal file
2
inventories/demo-gymburgdorf/group_vars/all/ansible.yml
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
|
|
@ -5,7 +5,7 @@ traefik_cert_mode: "acme"
|
|||
traefik_log_level: DEBUG
|
||||
traefik_network: proxy
|
||||
|
||||
traefik_acme_dns_zone: "gymb._acme.digitalboard.ch"
|
||||
traefik_acme_dns_zone: "demo-gymb._acme.digitalboard.ch"
|
||||
traefik_acme_dns_nameserver: "{{ _acme_tsig.server }}"
|
||||
traefik_acme_tsig_algorithm: "hmac-sha256"
|
||||
traefik_acme_tsig_key: "{{ _acme_tsig.tsig_key }}"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,53 @@
|
|||
---
|
||||
# Bao secret expected at <mount>/data/authentik with keys:
|
||||
# secret_key, postgres_password, admin_password,
|
||||
# ldap_outpost_token,
|
||||
# nextcloud_oidc_secret
|
||||
_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
|
||||
|
||||
authentik_domain: "auth.gymb.souveredu.ch"
|
||||
authentik_secret_key: "{{ _authentik.secret_key }}"
|
||||
authentik_postgres_password: "{{ _authentik.postgres_password }}"
|
||||
|
||||
# LDAP outpost (provider for nextcloud)
|
||||
authentik_ldap_apps:
|
||||
- slug: ldap
|
||||
name: LDAP
|
||||
base_dn: "dc=gymb,dc=souveredu,dc=ch"
|
||||
search_group: admins
|
||||
|
||||
authentik_ldap_outpost:
|
||||
name: "ldap-outpost"
|
||||
token: "{{ _authentik.ldap_outpost_token }}"
|
||||
config:
|
||||
authentik_host: "https://auth.gymb.souveredu.ch/"
|
||||
log_level: "info"
|
||||
|
||||
# OIDC clients
|
||||
authentik_oidc_apps:
|
||||
- slug: nextcloud
|
||||
name: Nextcloud
|
||||
client_id: nextcloud
|
||||
client_secret: "{{ _authentik.nextcloud_oidc_secret }}"
|
||||
redirect_uris:
|
||||
- url: "https://cloud.gymb.souveredu.ch/apps/user_oidc/code"
|
||||
matching_mode: strict
|
||||
signing_key_name: "authentik Self-signed Certificate"
|
||||
flows:
|
||||
authorization_slug: default-provider-authorization-implicit-consent
|
||||
invalidation_slug: default-provider-invalidation-flow
|
||||
scopes: [openid, email, profile, offline_access]
|
||||
|
||||
authentik_groups:
|
||||
- name: admins
|
||||
- name: users
|
||||
|
||||
authentik_local_users:
|
||||
- username: akadmin
|
||||
name: "Authentik Admin"
|
||||
email: "admin@gymb.souveredu.ch"
|
||||
password: "{{ _authentik.admin_password }}"
|
||||
is_active: true
|
||||
groups:
|
||||
- authentik Admins
|
||||
- admins
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# Same token as authentik_ldap_outpost.token above — outpost uses it to
|
||||
# authenticate against the authentik server it talks to.
|
||||
_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
|
||||
|
||||
authentik_outpost_ldap_host: "https://auth.gymb.souveredu.ch"
|
||||
authentik_outpost_ldap_token: "{{ _authentik.ldap_outpost_token }}"
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
collabora_domain: "office.gymb.souveredu.ch"
|
||||
|
||||
collabora_allowed_domains:
|
||||
- "cloud.gymb.souveredu.ch"
|
||||
|
||||
collabora_frame_ancestors:
|
||||
- "cloud.gymb.souveredu.ch"
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
drawio_domain: "draw.gymb.souveredu.ch"
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
# application host runs: authentik, authentik-ldap-outpost,
|
||||
# nextcloud, collabora, drawio
|
||||
|
|
@ -0,0 +1,90 @@
|
|||
---
|
||||
# Bao secret <mount>/data/nextcloud expected to contain:
|
||||
# postgres_password, admin_password
|
||||
_nextcloud: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/nextcloud', url=vault_addr) }}"
|
||||
_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
|
||||
|
||||
nextcloud_domain: "cloud.gymb.souveredu.ch"
|
||||
nextcloud_postgres_password: "{{ _nextcloud.postgres_password }}"
|
||||
nextcloud_admin_user: admin
|
||||
nextcloud_admin_password: "{{ _nextcloud.admin_password }}"
|
||||
|
||||
nextcloud_enable_notify_push: true
|
||||
|
||||
# Collabora integration
|
||||
nextcloud_enable_collabora: true
|
||||
nextcloud_collabora_domain: "office.gymb.souveredu.ch"
|
||||
|
||||
# Draw.io integration
|
||||
nextcloud_enable_drawio: true
|
||||
nextcloud_drawio_url: "https://draw.gymb.souveredu.ch"
|
||||
|
||||
nextcloud_apps_to_install:
|
||||
- groupfolders
|
||||
- richdocuments
|
||||
- spreed
|
||||
- user_ldap
|
||||
- user_oidc
|
||||
- whiteboard
|
||||
- drawio
|
||||
- files_lock
|
||||
- notify_push
|
||||
|
||||
# S3 primary storage via Garage
|
||||
nextcloud_use_s3_storage: true
|
||||
nextcloud_s3_key: "{{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='storage')['key_id'] }}"
|
||||
nextcloud_s3_secret: "{{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='storage')['secret_key'] }}"
|
||||
nextcloud_s3_bucket: "nextcloud"
|
||||
nextcloud_s3_host: "{{ hostvars['storage']['garage_s3_domain'] }}"
|
||||
nextcloud_s3_port: 443
|
||||
nextcloud_s3_ssl: true
|
||||
nextcloud_s3_usepath_style: true
|
||||
|
||||
# Share the LDAP docker network with the authentik LDAP outpost
|
||||
nextcloud_extra_networks:
|
||||
- ldap
|
||||
|
||||
# LDAP backend (Authentik LDAP outpost)
|
||||
nextcloud_ldap_enabled: true
|
||||
nextcloud_ldap_config:
|
||||
ldapHost: "ldap://authentik-outpost-ldap-ldap-1"
|
||||
ldapPort: "3389"
|
||||
ldapAgentName: "cn=akadmin,ou=users,dc=gymb,dc=souveredu,dc=ch"
|
||||
ldapAgentPassword: "{{ _authentik.admin_password }}"
|
||||
ldapBase: "dc=gymb,dc=souveredu,dc=ch"
|
||||
ldapBaseUsers: "ou=users,dc=gymb,dc=souveredu,dc=ch"
|
||||
ldapTLS: "0"
|
||||
turnOffCertCheck: "1"
|
||||
ldapUserFilter: "(&(objectClass=user)(cn=*))"
|
||||
ldapUserFilterObjectclass: "user"
|
||||
ldapLoginFilter: "(&(objectClass=user)(cn=%uid))"
|
||||
ldapLoginFilterUsername: "1"
|
||||
ldapUserDisplayName: "cn"
|
||||
ldapEmailAttribute: "mail"
|
||||
ldapExpertUsernameAttr: "cn"
|
||||
ldapExpertUUIDUserAttr: "uid"
|
||||
ldapExpertUUIDGroupAttr: "uid"
|
||||
ldapBaseGroups: "ou=groups,dc=gymb,dc=souveredu,dc=ch"
|
||||
ldapGroupFilter: "(&(objectClass=group))"
|
||||
ldapGroupFilterObjectclass: "group"
|
||||
ldapGroupDisplayName: "cn"
|
||||
ldapGroupMemberAssocAttr: "member"
|
||||
ldapAdminGroup: "admins"
|
||||
ldapCacheTTL: "600"
|
||||
ldapPagingSize: "500"
|
||||
ldapExperiencedAdmin: "1"
|
||||
ldapConfigurationActive: "1"
|
||||
|
||||
# OIDC providers for login (Authentik)
|
||||
nextcloud_oidc_providers:
|
||||
- identifier: authentik
|
||||
display_name: "Login with Authentik"
|
||||
client_id: nextcloud
|
||||
client_secret: "{{ _authentik.nextcloud_oidc_secret }}"
|
||||
discovery_url: "https://auth.gymb.souveredu.ch/application/o/nextcloud/.well-known/openid-configuration"
|
||||
scope: "openid email profile"
|
||||
unique_uid: true
|
||||
mapping:
|
||||
uid: preferred_username
|
||||
display_name: name
|
||||
email: email
|
||||
|
|
@ -1 +1,28 @@
|
|||
traefik_mode: dmz
|
||||
---
|
||||
traefik_mode: dmz
|
||||
|
||||
traefik_dmz_exposed_services:
|
||||
- name: authentik
|
||||
domain: auth.gymb.souveredu.ch
|
||||
port: 443
|
||||
protocol: https
|
||||
- name: nextcloud
|
||||
domain: cloud.gymb.souveredu.ch
|
||||
port: 443
|
||||
protocol: https
|
||||
- name: collabora
|
||||
domain: office.gymb.souveredu.ch
|
||||
port: 443
|
||||
protocol: https
|
||||
- name: drawio
|
||||
domain: draw.gymb.souveredu.ch
|
||||
port: 443
|
||||
protocol: https
|
||||
- name: garage-webui
|
||||
domain: console.s3.gymb.souveredu.ch
|
||||
port: 443
|
||||
protocol: https
|
||||
- name: garage-s3
|
||||
domain: s3.gymb.souveredu.ch
|
||||
port: 443
|
||||
protocol: https
|
||||
|
|
|
|||
27
inventories/demo-gymburgdorf/host_vars/storage/garage.yml
Normal file
27
inventories/demo-gymburgdorf/host_vars/storage/garage.yml
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
# Bao secret <mount>/data/garage expected to contain:
|
||||
# rpc_secret, admin_token, metrics_token, webui_password
|
||||
_garage: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/garage', url=vault_addr) }}"
|
||||
|
||||
garage_s3_domain: "s3.gymb.souveredu.ch"
|
||||
garage_webui_domain: "console.s3.gymb.souveredu.ch"
|
||||
garage_use_ssl: true
|
||||
garage_webui_enabled: true
|
||||
garage_webui_username: "admin"
|
||||
garage_webui_password: "{{ _garage.webui_password }}"
|
||||
|
||||
garage_rpc_secret: "{{ _garage.rpc_secret }}"
|
||||
garage_admin_token: "{{ _garage.admin_token }}"
|
||||
garage_metrics_token: "{{ _garage.metrics_token }}"
|
||||
|
||||
# Initial cluster bootstrap (single-node)
|
||||
garage_bootstrap_enabled: true
|
||||
garage_bootstrap_zone: "burgdorf1"
|
||||
garage_bootstrap_capacity: "100G"
|
||||
|
||||
# Buckets and keys consumed by nextcloud
|
||||
garage_s3_keys:
|
||||
- name: nextcloud
|
||||
buckets:
|
||||
- name: nextcloud
|
||||
permissions: ["read", "write"]
|
||||
2
inventories/demo-gymburgdorf/host_vars/storage/main.yml
Normal file
2
inventories/demo-gymburgdorf/host_vars/storage/main.yml
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
# storage host runs: garage (S3 + WebUI)
|
||||
|
|
@ -32,10 +32,6 @@ all:
|
|||
hosts:
|
||||
application:
|
||||
|
||||
opencloud_servers:
|
||||
hosts:
|
||||
application:
|
||||
|
||||
collabora_servers:
|
||||
hosts:
|
||||
application:
|
||||
|
|
@ -45,5 +41,9 @@ all:
|
|||
application:
|
||||
|
||||
authentik_servers:
|
||||
hosts:
|
||||
application:
|
||||
|
||||
authentik_outpost_ldap_servers:
|
||||
hosts:
|
||||
application:
|
||||
Loading…
Add table
Add a link
Reference in a new issue