{"id":20126439,"url":"https://github.com/sovereigncloudstack/system-config","last_synced_at":"2026-03-06T02:03:47.021Z","repository":{"id":250114822,"uuid":"830949049","full_name":"SovereignCloudStack/system-config","owner":"SovereignCloudStack","description":"The configuration of our SCS infrastructure","archived":false,"fork":false,"pushed_at":"2024-12-12T17:17:38.000Z","size":142,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-02T21:16:06.352Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://scs.community/contribute/","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SovereignCloudStack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-19T10:23:06.000Z","updated_at":"2024-12-12T17:17:41.000Z","dependencies_parsed_at":"2024-08-06T13:11:57.248Z","dependency_job_id":"cbdbb9a4-bf98-42aa-b0a7-8f274187ad62","html_url":"https://github.com/SovereignCloudStack/system-config","commit_stats":null,"previous_names":["sovereigncloudstack/system-config"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SovereignCloudStack/system-config","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SovereignCloudStack%2Fsystem-config","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SovereignCloudStack%2Fsystem-config/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SovereignCloudStack%2Fsystem-config/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SovereignCloudStack%2Fsystem-config/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SovereignCloudStack","download_url":"https://codeload.github.com/SovereignCloudStack/system-config/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SovereignCloudStack%2Fsystem-config/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30158834,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T22:39:40.138Z","status":"online","status_checked_at":"2026-03-06T02:00:08.268Z","response_time":250,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T20:16:08.654Z","updated_at":"2026-03-06T02:03:47.001Z","avatar_url":"https://github.com/SovereignCloudStack.png","language":"Jinja","readme":"# SCS internal infrastructure provisioning\n\nThis repository holds the public part of the infrastructure provisioning automation.\n\nThe deployment and structure of opendev and OTC are reused: a single\nrepository (`system-config`) contains all the playbooks and the public part of\nthe inventory, a more sensitive counterpart repository holds additional\ninventory values, and Kubernetes applications are deployed with Vault (OpenBAO)\nto rely on infrastructure-based authorization so that Kubernetes apps fetch\ntheir necessary secrets directly from 
Vault. Please see\n[opendev](https://docs.opendev.org/opendev/system-config/latest/) and\n[OTC](https://docs.otc-service.com/system-config/) for the detailed reference.\n\n## Inventory\n\nThe system inventory is kept in the `inventory` folder. It is structured\nlike a standard project inventory:\n\n- `hosts.yaml` describes known hosts\n- `group_vars` holds global variables structured per host group\n- `group_vars/all.yaml` variables applicable to every host\n- `group_vars/ssl_cert.yaml` variables needed for TLS certificate management\n- `host_vars/` host-specific variables\n\nThe sensitive part of the inventory, hosted in the private git repository, follows\nthe same pattern.\n\n## Playbooks\n\nDifferent parts of the managed systems are configured using Ansible playbooks.\n\n### base.yaml\n\nThis playbook performs the basic configuration of every host and applies the\n`base` role to it. Currently the following aspects are configured:\n\n- system package manager repositories established\n- users configured in `inventory/group_vars/all.yaml` are provisioned to\nevery host with the defined public keys.\n- timezone\n- unbound\n- firewall\n- audit\n- ...\n\n### acme-certs.yaml\n\nThis playbook is responsible for managing TLS certificates for every host in\nthe `ssl_certs` group using an ACME directory.\n\nFor every host in the `ssl_certs` group the following host variables should be\ndefined:\n\n- `ssl_certs`: a dictionary of certificate information. A key is a short\ncertificate name (used as a file name and for internal references) and a value\nis a list of FQDNs\n\nCertificates are issued using the Ansible `acme_certificate` module with DNS\nverification. This is done because it is not uncommon that certain certificates\nmust be valid for a variety of domain names (e.g. vault.infra.XXX and\nvault1.infra.XXX). 
The `dns_cloud` variable (typically set on the `ssl_certs` group)\nmust name a cloud configured on the controller host and point to the\nOpenStack cloud hosting the DNS zone. It is important to mention that records\nare placed into the DNS zone named one level higher than the requested record\n(vault.infra.XXX is placed into the infra.XXX zone).\n\nCertain systems (e.g. vault) get notified when the certificate is renewed and\nare automatically restarted.\n\nA further description is present in the header of the playbook itself.\n\n### provision-vault.yaml\n\nProvisions a new host as an OpenStack VM (creates a new VM). For that, the host_vars of\nthe specific host are used: image, flavor, security_groups, ...\n\nThis playbook is intended to be used only once, to create the new VM.\n\nVault policies and auth configurations are considered sensitive\ninformation, therefore they are placed in the supplementary sensitive repository.\n\n### service-vault.yaml\n\nThis playbook configures the Vault (OpenBAO) software on the hosts in the `vault`\ngroup. There are many specific variables influencing how the software is\nconfigured.\n\nThe playbook is not responsible for vault operations (sealing, unsealing) but\nconfigures an HA cluster when enough hosts are provisioned.\n\n\n## Kubernetes applications\n\nCertain systems are deployed into Kubernetes with the help of Kustomize.\nThis allows easier integration with ArgoCD or FluxCD.\n\nTypically, applications can be installed manually:\n\n```\nkubectl kustomize kubernetes/\u003cAPP\u003e/overlays/\u003cOVERLAY_NAME\u003e | kubectl [--kubeconfig \u003cPATH_TO_CONFIG\u003e] apply -f -\n```\n\nTypically the overlay kustomization file is responsible for component versions.\n\n### Zuul\n\nThis Kustomize application installs Zuul into Kubernetes. 
Secrets are\nfetched from Vault directly, therefore no sensitive information is required to\nbe present, which makes it trivial to rely on ArgoCD (or similar).\n\nMore details are present in the application's [Readme file](kubernetes/zuul/README.md)\n\nIt is required that [Certmanager](kubernetes/certmanager-issuer),\n[Cloudnative-pg](kubernetes/cloudnative-pg) and the [Ingress\ncontroller](kubernetes/ingress) are installed in the target Kubernetes\ncluster as well.\n\n\n### Keycloak\n\nThis application installs Keycloak. Unfortunately not everything can be easily\nconfigured in a declarative style in Keycloak, therefore parts of the realm\nconfigs cannot be placed here.\n\nPlease ensure backup procedures (beyond the regular DB backups performed by\ncloudnative-pg) exist.\n\n\n### Dependency-Track\n\nInstalls DependencyTrack with the database. Keycloak integration is also\nprepared, while the Keycloak integration () is out of scope.\n\nOn the DependencyTrack side a `/dependencytrack-admin` group (the leading `/` is crucially\nimportant in the group name) must be present in `Administration/Access\nManagement/OpenID Connect Groups`; all Keycloak members assigned to the group\nwith this name in Keycloak are granted `admin` privileges in\nDependencyTrack (the [integration\ndocumentation](https://docs.dependencytrack.org/getting-started/openidconnect-configuration/#example-setup-with-keycloak)\ncan be used for reference).\n\n### DefectDojo\n\nUnfortunately no working plain Kubernetes manifests exist for\nDefectDojo, therefore the Kustomize stack wraps helm. 
This requires (as of writing)\npassing additionally `--enable-helm` to the `kubectl kustomize` to render\nmanifests.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsovereigncloudstack%2Fsystem-config","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsovereigncloudstack%2Fsystem-config","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsovereigncloudstack%2Fsystem-config/lists"}