phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Let's encrypt certificates issuer and searx

Browse source
This commit is contained in:
Paul-Henri Froidmont 2019-04-10 02:18:00 +02:00
parent f34742ddea
commit 667cd48c88
12 changed files with 146 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
group_vars/k8s-cluster.yml
View file

@ -2,6 +2,7 @@
ip: "{{vpn_ip}}" ip: "{{vpn_ip}}"
kube_network_plugin: flannel kube_network_plugin: flannel
bin_dir: /usr/local/bin bin_dir: /usr/local/bin
kube_config_dir: "/etc/kubernetes"
kube_api_anonymous_auth: true kube_api_anonymous_auth: true
ingress_nginx_enabled: true ingress_nginx_enabled: true

1
inventories/prod/group_vars/k8s-cluster.yml
View file

@ -1,3 +1,4 @@
--- ---
cluster_name: banditlair cluster_name: banditlair
dns_domain: banditlair.com dns_domain: banditlair.com
default_issuer: letsencrypt-production

1
inventories/test/group_vars/k8s-cluster.yml
View file

@ -1,3 +1,4 @@
--- ---
cluster_name: banditlair-test cluster_name: banditlair-test
dns_domain: test.k8s.banditlair.com dns_domain: test.k8s.banditlair.com
default_issuer: letsencrypt-staging

1
k8s.yml
View file

@ -7,6 +7,7 @@
- name: Include kubespray tasks - name: Include kubespray tasks
import_playbook: kubespray.yml import_playbook: kubespray.yml
# - hosts: k8s_proxy:k8s_masters:k8s_workers # - hosts: k8s_proxy:k8s_masters:k8s_workers
# roles: # roles:
# - role: proxy # - role: proxy

4
manifests.yml Normal file
View file

@ -0,0 +1,4 @@
- hosts: k8s-cluster
roles:
- role: k8s-manifests

3
roles/k8s-manifests/defaults/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
letsencrypt_email: letsencrypt.account@banditlair.com
searx_issuer: "{{default_issuer}}"

37
roles/k8s-manifests/tasks/main.yml Normal file
View file

@ -0,0 +1,37 @@
---
- name: Kubernetes manifests | Lay down letsencrypt templates
template:
src: "{{ item }}.j2"
dest: "{{ kube_config_dir }}/{{ item }}"
loop:
- letsencrypt-production-issuer.yml
- letsencrypt-staging-issuer.yml
register: manifests
when: inventory_hostname == groups['kube-master'][0]
- name: Kubernetes manifests | Start letsencrypt issuers
kube:
kubectl: "{{ bin_dir }}/kubectl"
filename: "{{ kube_config_dir }}/{{ item.item }}"
state: latest
loop: "{{ manifests.results }}"
when: inventory_hostname == groups['kube-master'][0]
- name: Kubernetes manifests | Lay down searx templates
template:
src: "{{ item }}.j2"
dest: "{{ kube_config_dir }}/{{ item }}"
loop:
- searx-deployment.yml
- searx-svc.yml
- searx-ingress.yml
register: manifests
when: inventory_hostname == groups['kube-master'][0]
- name: Kubernetes manifests | Start searx
kube:
kubectl: "{{ bin_dir }}/kubectl"
filename: "{{ kube_config_dir }}/{{ item.item }}"
state: latest
loop: "{{ manifests.results }}"
when: inventory_hostname == groups['kube-master'][0]

18
roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2 Normal file
View file

@ -0,0 +1,18 @@
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
# The ACME production api URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: "{{letsencrypt_email}}"
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-production
# Enable the HTTP-01 challenge provider
http01: {}

18
roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2 Normal file
View file

@ -0,0 +1,18 @@
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: "{{letsencrypt_email}}"
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
# Enable the HTTP-01 challenge provider
http01: {}

29
roles/k8s-manifests/templates/searx-deployment.yml.j2 Normal file
View file

@ -0,0 +1,29 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: searx
spec:
replicas: 2
selector:
matchLabels:
app: searx
template:
metadata:
labels:
app: searx
spec:
containers:
- name: searx
image: wonderfall/searx:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8888
livenessProbe:
httpGet:
path: /
port: 8888
readinessProbe:
httpGet:
path: /
port: 8888

21
roles/k8s-manifests/templates/searx-ingress.yml.j2 Normal file
View file

@ -0,0 +1,21 @@
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: searx-ingress
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
certmanager.k8s.io/cluster-issuer: "{{searx_issuer}}"
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- searx.{{dns_domain}}
secretName: searx-{{searx_issuer}}
rules:
- host: searx.{{dns_domain}}
http:
paths:
- backend:
serviceName: searx
servicePort: 80

12
roles/k8s-manifests/templates/searx-svc.yml.j2 Normal file
View file

@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: searx
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 8888
selector:
app: searx