From 1831cddffaa80d4444444db35c9cebb37b1a2f2d Mon Sep 17 00:00:00 2001
From: Tobias Reisinger <tobias@msrg.cc>
Date: Sat, 28 Sep 2024 21:26:13 +0200
Subject: [PATCH] Add vikunja opentofu stuff and fix some issues

---
 authentik.tf                    |  5 +++++
 output.tf                       |  8 ++++----
 roles/acme_dns/vars/main.yml    |  6 +++---
 roles/forgejo/vars/main.yml     |  6 +++---
 roles/linkwarden/vars/main.yml  |  6 +++---
 roles/tinytinyrss/vars/main.yml |  6 +++---
 roles/umami/vars/main.yml       |  6 +++---
 roles/vikunja/vars/main.yml     | 14 +++++++-------
 roles/wiki_js/vars/main.yml     |  6 +++---
 services.auto.tfvars            | 20 ++++++++++++++------
 tailscale.tf                    |  2 +-
 11 files changed, 49 insertions(+), 36 deletions(-)

diff --git a/authentik.tf b/authentik.tf
index 4594a99..d98cb7d 100644
--- a/authentik.tf
+++ b/authentik.tf
@@ -2,6 +2,10 @@ data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
 }
 
+data "authentik_certificate_key_pair" "default" {
+  name = "auth.serguzim.me"
+}
+
 data "authentik_property_mapping_provider_scope" "default_scopes" {
   managed_list = [
     "goauthentik.io/providers/oauth2/scope-email",
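Review bot: The lookup on L28-L30 selects the key pair by the TLS hostname `auth.serguzim.me`, which suggests the instance's serving certificate is being reused as the OAuth2 token signing key. Reusing one private key for both TLS and JWT signing is a key-separation problem: the key's exposure surface widens, and a TLS renewal silently rotates the signing key for every provider in one step. If a dedicated signing key pair exists (authentik ships a self-signed one by default), look that up instead, or manage one explicitly with an `authentik_certificate_key_pair` resource. I am inferring the certificate's role from its name; if it is already a dedicated signing key, a comment above the block such as `# dedicated JWT signing key, not the TLS serving cert` would settle it.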
@@ -18,6 +22,7 @@ resource "authentik_provider_oauth2" "service_providers" {
   authorization_flow = data.authentik_flow.default_authorization_flow.id
   redirect_uris      = each.value.auth_redirects
   property_mappings  = data.authentik_property_mapping_provider_scope.default_scopes.ids
+  signing_key        = data.authentik_certificate_key_pair.default.id
 }
 
 resource "authentik_application" "service_applications" {
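Review bot: `signing_key` on L39 is applied to every provider produced by this `for_each` at once, and, as far as I understand authentik, moves token signing from HS256 with the client secret to RS256 with this certificate. Relying parties that read the discovery document and JWKS will follow along, but any client configured with a pinned algorithm or the shared secret will reject ID tokens after the apply. Note it on the line, e.g. `signing_key = data.authentik_certificate_key_pair.default.id # RS256 for all providers; clients must fetch JWKS`, and verify each service in services.auto.tfvars after rollout.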
diff --git a/output.tf b/output.tf
index 4832063..6a7758a 100644
--- a/output.tf
+++ b/output.tf
@@ -16,8 +16,8 @@ output "hosts" {
 
 output "authentik_data" {
   value = {
-    for key, val in local.services_auth : key => {
-      "base_url"      = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
+    for key in keys(authentik_application.service_applications) : key => {
+      "base_url"      = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
       "client_id"     = authentik_provider_oauth2.service_providers[key].client_id
       "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
     }
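Review bot: `client_secret` on L56 (and `pass` / `secret_key` in the two outputs below) is exposed through an output value, so it is printed by `tofu output` and stored in plain text in state unless the output carries `sensitive = true`. That attribute would sit after the `value` block and is outside this hunk, so I cannot tell whether it is set; if it is not, add `sensitive = true` to `authentik_data`, `postgresql_data` and `scaleway_data`. The trailing `/` added to `base_url` on L54 is load-bearing for consumers that append path segments, so a one-line comment marking it as intentional would prevent it being "cleaned up" later.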
@@ -27,7 +27,7 @@ output "authentik_data" {
 
 output "postgresql_data" {
   value = {
-    for key, val in local.services_auth : key => {
+    for key in keys(postgresql_database.service_databases) : key => {
       "user"      = postgresql_role.service_roles[key].name
       "pass"      = postgresql_role.service_roles[key].password
       "database"  = postgresql_database.service_databases[key].name
@@ -45,7 +45,7 @@ output "postgresql" {
 
 output "scaleway_data" {
   value = {
-    for key, val in local.services_s3 : key => {
+    for key in keys(scaleway_iam_application.service_applications) : key => {
       "access_key"   = scaleway_iam_api_key.service_keys[key].access_key
       "secret_key"   = scaleway_iam_api_key.service_keys[key].secret_key
       "name"         = scaleway_object_bucket.service_buckets[key].name
diff --git a/roles/acme_dns/vars/main.yml b/roles/acme_dns/vars/main.yml
index 3c68080..616c1e2 100644
--- a/roles/acme_dns/vars/main.yml
+++ b/roles/acme_dns/vars/main.yml
@@ -10,9 +10,9 @@ acme_dns_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    user: "{{ opentofu.postgresql_service_roles.acme_dns.name }}"
-    pass: "{{ opentofu.postgresql_service_roles.acme_dns.password }}"
-    db: acme_dns
+    user: "{{ opentofu.postgresql_data.acme_dns.user }}"
+    pass: "{{ opentofu.postgresql_data.acme_dns.pass }}"
+    db: "{{ opentofu.postgresql_data.acme_dns.database }}"
 
 acme_dns_compose:
   watchtower: true
diff --git a/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml
index 2d57652..155e06a 100644
--- a/roles/forgejo/vars/main.yml
+++ b/roles/forgejo/vars/main.yml
@@ -14,9 +14,9 @@ forgejo_svc:
 forgejo_env:
   FORGEJO__database__DB_TYPE: postgres
   FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
-  FORGEJO__database__NAME: forgejo
-  FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.name }}"
-  FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.password }}"
+  FORGEJO__database__NAME: "{{ opentofu.postgresql_service_roles.forgejo.database }}"
+  FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.user }}"
+  FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.pass }}"
   FORGEJO__database__SSL_MODE: verify-full
 
   FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
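Review bot: L104-L106 still read from `opentofu.postgresql_service_roles.forgejo`, but the attributes requested (`database`, `user`, `pass`) are the shape of the `postgresql_data` output; the removed lines show the old object exposed `name` and `password`, and every other role in this patch switched to `opentofu.postgresql_data.<service>`. Unless a `postgresql_service_roles` output with these keys still exists, the Forgejo role fails at template time with an undefined-attribute error (or an undefined variable if the old output was dropped). Change the object name: `FORGEJO__database__NAME: "{{ opentofu.postgresql_data.forgejo.database }}"`, `FORGEJO__database__USER: "{{ opentofu.postgresql_data.forgejo.user }}"`, `FORGEJO__database__PASSWD: "{{ opentofu.postgresql_data.forgejo.pass }}"`.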
diff --git a/roles/linkwarden/vars/main.yml b/roles/linkwarden/vars/main.yml
index 79f8f60..fe9ed5e 100644
--- a/roles/linkwarden/vars/main.yml
+++ b/roles/linkwarden/vars/main.yml
@@ -2,9 +2,9 @@
 linkwarden_secret: "{{ vault_linkwarden.secret }}"
 
 linkwarden_db_host_port: "{{ postgres.host }}:{{ postgres.port }}"
-linkwarden_db_user: "{{ opentofu.postgresql_service_roles.linkwarden.name }}"
-linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}"
-linkwarden_db_database: linkwarden
+linkwarden_db_user: "{{ opentofu.postgresql_data.linkwarden.user }}"
+linkwarden_db_pass: "{{ opentofu.postgresql_data.linkwarden.pass }}"
+linkwarden_db_database: "{{ opentofu.postgresql_data.linkwarden.database }}"
 
 linkwarden_s3_accesskey: "{{ opentofu.scaleway_data.linkwarden.access_key }}"
 linkwarden_s3_secretkey: "{{ opentofu.scaleway_data.linkwarden.secret_key }}"
diff --git a/roles/tinytinyrss/vars/main.yml b/roles/tinytinyrss/vars/main.yml
index 1523405..5ef2067 100644
--- a/roles/tinytinyrss/vars/main.yml
+++ b/roles/tinytinyrss/vars/main.yml
@@ -6,9 +6,9 @@ tinytinyrss_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    database: tinytinyrss
-    user: "{{ opentofu.postgresql_service_roles.tinytinyrss.name }}"
-    pass: "{{ opentofu.postgresql_service_roles.tinytinyrss.password }}"
+    database: "{{ opentofu.postgresql_data.tinytinyrss.database }}"
+    user: "{{ opentofu.postgresql_data.tinytinyrss.user }}"
+    pass: "{{ opentofu.postgresql_data.tinytinyrss.pass }}"
 
 tinytinyrss_env:
   TTRSS_DB_TYPE: pgsql
diff --git a/roles/umami/vars/main.yml b/roles/umami/vars/main.yml
index 1ac1949..91f4c1a 100644
--- a/roles/umami/vars/main.yml
+++ b/roles/umami/vars/main.yml
@@ -1,8 +1,8 @@
 ---
 umami_db_host: "{{ postgres.host }}"
-umami_db_user: "{{ opentofu.postgresql_service_roles.umami.name }}"
-umami_db_pass: "{{ opentofu.postgresql_service_roles.umami.password }}"
-umami_db_database: umami
+umami_db_user: "{{ opentofu.postgresql_data.umami.user }}"
+umami_db_pass: "{{ opentofu.postgresql_data.umami.pass }}"
+umami_db_database: "{{ opentofu.postgresql_data.umami.database }}"
 
 umami_hash_salt: "{{ vault_umami.hash_salt }}"
 
diff --git a/roles/vikunja/vars/main.yml b/roles/vikunja/vars/main.yml
index 66c7771..394fa16 100644
--- a/roles/vikunja/vars/main.yml
+++ b/roles/vikunja/vars/main.yml
@@ -6,9 +6,9 @@ vikunja_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    database: vikunja
-    user: "{{ vault_vikunja.db.user }}"
-    pass: "{{ vault_vikunja.db.pass }}"
+    user: "{{ opentofu.postgresql_data.vikunja.user }}"
+    pass: "{{ opentofu.postgresql_data.vikunja.pass }}"
+    database: "{{ opentofu.postgresql_data.vikunja.database }}"
 
 vikunja_yml:
   service:
@@ -40,10 +40,10 @@ vikunja_yml:
       enabled: true
       providers:
         - name: auth.serguzim.me
-          authurl: https://auth.serguzim.me/application/o/todo-serguzim-me/
-          logouturl: https://auth.serguzim.me/application/o/todo-serguzim-me/end-session/
-          clientid: "{{ vault_vikunja.oidc_client.id }}"
-          clientsecret: "{{ vault_vikunja.oidc_client.secret }}"
+          authurl: "{{ opentofu.authentik_data.vikunja.base_url }}"
+          logouturl: "{{ (opentofu.authentik_data.vikunja.base_url, 'end-session') | path_join }}"
+          clientid: "{{ opentofu.authentik_data.vikunja.client_id }}"
+          clientsecret: "{{ opentofu.authentik_data.vikunja.client_secret }}"
 
   metrics:
     enabled: true
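Review bot: `path_join` on L186 is a filesystem path join, not a URL join: it drops the trailing slash that the removed L182 carried (`.../end-session/` becomes `.../end-session`) and depends on `base_url` ending in `/`. Authentik's end-session route is a Django URL with a trailing slash, so depending on its redirect settings logout may 404 or incur an extra redirect; I have not verified which. Plain concatenation is exact and needs no filter: `logouturl: "{{ opentofu.authentik_data.vikunja.base_url }}end-session/"`. The `vault_vikunja.oidc_client.*` and `vault_vikunja.db.*` values this role no longer reads can be removed from the vault, and the old client secret revoked in authentik if it is still registered.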
diff --git a/roles/wiki_js/vars/main.yml b/roles/wiki_js/vars/main.yml
index e424c4c..d0e968d 100644
--- a/roles/wiki_js/vars/main.yml
+++ b/roles/wiki_js/vars/main.yml
@@ -8,9 +8,9 @@ wiki_js_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    user: "{{ opentofu.postgresql_service_roles.wiki_js.name }}"
-    pass: "{{ opentofu.postgresql_service_roles.wiki_js.password }}"
-    name: wiki_js
+    user: "{{ opentofu.postgresql_data.wiki_js.user }}"
+    pass: "{{ opentofu.postgresql_data.wiki_js.pass }}"
+    name: "{{ opentofu.postgresql_data.wiki_js.database }}"
 
 wiki_js_env:
   DB_TYPE: postgres
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 70ab8a3..0215915 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -3,44 +3,52 @@ services = {
     name = "acme_dns"
     subdomain = "acme"
     auth = false
-    s3 = false
     database = true
+    s3 = false
   },
   "forgejo" = {
     name = "forgejo"
     subdomain = "git"
     auth = true
     auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
-    s3 = true
     database = true
+    s3 = true
   },
   "linkwarden" = {
     name = "linkwarden"
     subdomain = "bookmarks"
     auth = true
     auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
-    s3 = true
     database = true
+    s3 = true
   },
   "tinytinyrss" = {
     name = "tinytinyrss"
     subdomain = "rss"
     auth = false
-    s3 = false
     database = true
+    s3 = false
   },
   "umami" = {
     name = "umami"
     subdomain = "analytics"
     auth = false
-    s3 = false
     database = true
+    s3 = false
   },
+  "vikunja" = {
+    name = "vikunja"
+    subdomain = "todo"
+    auth = true
+    auth_redirects = ["https://todo.serguzim.me/auth/openid/authserguzimme"]
+    database = true
+    s3 = false
+  }
   "wiki_js" = {
     name = "wiki_js"
     subdomain = "wiki"
     auth = true
-    s3 = false
     database = true
+    s3 = false
   },
 }
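Review bot: The new `vikunja` entry on L255-L262 ends with `}` and no comma, unlike every sibling entry; HCL accepts a newline as an element separator so this parses, but the inconsistency will bite the first time entries are reflowed onto one line. Change L262 to `},`. The redirect URI on L259 appears to encode vikunja's derived provider key (`authserguzimme`, from the provider `name: auth.serguzim.me` in the role), so a comment such as `# path segment is vikunja's key derived from the OIDC provider name` would make the coupling explicit, since renaming either side silently breaks login.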
diff --git a/tailscale.tf b/tailscale.tf
index 0f0a99e..a9250bd 100644
--- a/tailscale.tf
+++ b/tailscale.tf
@@ -2,7 +2,7 @@ resource "tailscale_tailnet_key" "cloud_init_key" {
   reusable      = true
   ephemeral     = false
   preauthorized = true
-  expiry        = 3600
+  expiry        = 21600 # 6 hours
   description   = "Cloud-init key used by opentofu"
 }