feat(cert-manager): Add Cloudns issuer and DNS-01 challenge support

- Introduced a new Cloudns issuer configuration for cert-manager.
- Created separate tasks for DNS-01 and HTTP-01 challenge issuers.
- Updated cert-manager tasks to include Cloudns provider and manage secrets.
- Refactored existing LetsEncrypt issuer registration to use new task structure.
- Added necessary Kubernetes resources for Cloudns integration, including RBAC and certificates.
- Updated Terraform configurations to support new DNS records and service changes.
- Adjusted deployment strategies for CoreDNS and Open WebUI applications.
This commit is contained in:
2025-06-07 20:39:38 +02:00
parent 3cda0b5624
commit 01bf71f8d2
25 changed files with 590 additions and 17396 deletions
@@ -0,0 +1,78 @@
hostname: gpu-01.lab.alexpires.me
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
# Users
login_users:
- username: "{{ ansible_user }}"
comment: "Managed by Ansible"
sudoer: true
sudoer_root_only: true
sudoer_no_password: true
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
password_disabled: true
- username: operator
comment: "Managed by Ansible"
sudoer: true
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
password_expiration: false
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "10.5.5.5/32" # Wireguard VPN (Laptop)
- "10.19.4.0/24" # local network
sshd_admin_net: "10.19.4.0/24" # local network
sshd_allow_groups: "{{ ansible_user }} users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
# Due to an issue increase the number of max auth tries
sshd_max_auth_tries: 10
packages_blocklist: []
# Firewall ports
ufw_enable: true
fw_allowed_ports:
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # Wireguard VPN (Laptop)
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # local network
- { rule: "allow", port: "11434", proto: "tcp", from: "10.19.4.0/24" } # Ollama (local network)
- { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.5/32" } # Ollama (Laptop)
- { rule: "allow", port: "8880", proto: "tcp", from: "10.19.4.0/24" } # Kokoro-FastAPI (local network)
ufw_outgoing_traffic:
- 22 # SSH
- 53 # DNS
- 80 # HTTP
- 123 # NTP
- 443 # HTTPS
- 853 # DNS over TLS
ufw_default_forward_policy: "ACCEPT"
ipv4_sysctl_settings:
net.ipv4.ip_forward: 1
disable_ipv6: true
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
custom_hosts_acls: true
# This fixes polkit issues with sudoers file (CIS hardening)
hide_pid: 0
# aide
install_aide: false
# Unattended upgrades
unattended_reboot: true
unattended_reboot_time: "04:30"
# Duo Security
duo_users: ["*", "!provision"]
duo_api_hostname: api-7cda1654.duosecurity.com
# podman services settings
ollama_home: "/mnt/data/ollama"
kokora_home: "/mnt/data/kokoro"