From 1831cddffaa80d4444444db35c9cebb37b1a2f2d Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Sat, 28 Sep 2024 21:26:13 +0200
Subject: [PATCH] Add vikunja opentofu stuff and fix some issues
---
 authentik.tf | 5 +++++
 output.tf | 8 ++++----
 roles/acme_dns/vars/main.yml | 6 +++---
 roles/forgejo/vars/main.yml | 6 +++---
 roles/linkwarden/vars/main.yml | 6 +++---
 roles/tinytinyrss/vars/main.yml | 6 +++---
 roles/umami/vars/main.yml | 6 +++---
 roles/vikunja/vars/main.yml | 14 +++++++-------
 roles/wiki_js/vars/main.yml | 6 +++---
 services.auto.tfvars | 20 ++++++++++++++------
 tailscale.tf | 2 +-
 11 files changed, 49 insertions(+), 36 deletions(-)
diff --git a/authentik.tf b/authentik.tf
index 4594a99..d98cb7d 100644
--- a/authentik.tf
+++ b/authentik.tf
@@ -2,6 +2,10 @@ data "authentik_flow" "default_authorization_flow" {
 slug = "default-provider-authorization-implicit-consent"
 }
+data "authentik_certificate_key_pair" "default" {
+ name = "auth.serguzim.me"
+}
+
 data "authentik_property_mapping_provider_scope" "default_scopes" {
 managed_list = [
 "goauthentik.io/providers/oauth2/scope-email",
@@ -18,6 +22,7 @@ resource "authentik_provider_oauth2" "service_providers" {
 authorization_flow = data.authentik_flow.default_authorization_flow.id
 redirect_uris = each.value.auth_redirects
 property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids
+ signing_key = data.authentik_certificate_key_pair.default.id
 }
 resource "authentik_application" "service_applications" {
diff --git a/output.tf b/output.tf
index 4832063..6a7758a 100644
--- a/output.tf
+++ b/output.tf
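Review bot: `signing_key = data.authentik_certificate_key_pair.default.id` lands on `authentik_provider_oauth2.service_providers`, a `for_each` resource, so it applies to every provider with `auth = true` in `services.auto.tfvars` (forgejo, linkwarden, wiki_js) and not only to the new vikunja entry, and in Authentik attaching a signing key presumably changes how those providers' ID tokens are signed, which the existing consumers are not re-checked for in this commit. A comment above the attribute would make that intent explicit, e.g. `# shared signing key for all OAuth2 providers; consumers verify ID tokens via the provider's JWKS`. In the first hunk, `name = "auth.serguzim.me"` repeats a hostname that `roles/vikunja/vars/main.yml` also spells out literally; deriving it from `var.authentik_url` (already used in `output.tf`) would keep the two from drifting. The `resource "authentik_provider_oauth2"` block starts before the second hunk.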
@@ -16,8 +16,8 @@ output "hosts" {
 output "authentik_data" {
 value = {
- for key, val in local.services_auth : key => {
- "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
+ for key in keys(authentik_application.service_applications) : key => {
+ "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
 "client_id" = authentik_provider_oauth2.service_providers[key].client_id
 "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
 }
@@ -27,7 +27,7 @@ output "authentik_data" {
 output "postgresql_data" {
 value = {
- for key, val in local.services_auth : key => {
+ for key in keys(postgresql_database.service_databases) : key => {
 "user" = postgresql_role.service_roles[key].name
 "pass" = postgresql_role.service_roles[key].password
 "database" = postgresql_database.service_databases[key].name
@@ -45,7 +45,7 @@ output "postgresql" {
 output "scaleway_data" {
 value = {
- for key, val in local.services_s3 : key => {
+ for key in keys(scaleway_iam_application.service_applications) : key => {
 "access_key" = scaleway_iam_api_key.service_keys[key].access_key
 "secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
 "name" = scaleway_object_bucket.service_buckets[key].name
diff --git a/roles/acme_dns/vars/main.yml b/roles/acme_dns/vars/main.yml
index 3c68080..616c1e2 100644
--- a/roles/acme_dns/vars/main.yml
+++ b/roles/acme_dns/vars/main.yml
@@ -10,9 +10,9 @@ acme_dns_svc:
 db:
 host: "{{ postgres.host }}"
 port: "{{ postgres.port }}"
- user: "{{ opentofu.postgresql_service_roles.acme_dns.name }}"
- pass: "{{ opentofu.postgresql_service_roles.acme_dns.password }}"
- db: acme_dns
+ user: "{{ opentofu.postgresql_data.acme_dns.user }}"
+ pass: "{{ opentofu.postgresql_data.acme_dns.pass }}"
+ db: "{{ opentofu.postgresql_data.acme_dns.database }}"
 acme_dns_compose:
 watchtower: true
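Review bot: Each rewritten `for` now iterates `keys()` of one resource but indexes sibling resources with the same key — `postgresql_role.service_roles[key]` in the second hunk, `scaleway_iam_api_key.service_keys[key]` and `scaleway_object_bucket.service_buckets[key]` in the third — so the outputs only evaluate if every sibling uses exactly the same `for_each` key set, and a key present in `postgresql_database.service_databases` but absent from `postgresql_role.service_roles` fails the plan with an invalid index. A comment naming the authoritative map, e.g. `# keys must match the for_each of postgresql_role.service_roles and postgresql_database.service_databases`, or deriving all of them from one local, would make the coupling visible. These outputs also expose `client_secret`, `password` and `secret_key`; the `output` blocks continue past each hunk, so if they do not already set `sensitive = true`, OpenTofu either rejects the plan (when the provider marks the attribute sensitive) or prints the secrets in `tofu output`, which is worth confirming. The trailing `/` added to `base_url` is presumably there because vikunja uses it verbatim as `authurl` and the issuer Authentik publishes ends in a slash; a one-line comment on that line would keep the next reader from removing it.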
diff --git a/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml
index 2d57652..155e06a 100644
--- a/roles/forgejo/vars/main.yml
+++ b/roles/forgejo/vars/main.yml
@@ -14,9 +14,9 @@ forgejo_svc:
 forgejo_env:
 FORGEJO__database__DB_TYPE: postgres
 FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
- FORGEJO__database__NAME: forgejo
- FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.name }}"
- FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.password }}"
+ FORGEJO__database__NAME: "{{ opentofu.postgresql_service_roles.forgejo.database }}"
+ FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.user }}"
+ FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.pass }}"
 FORGEJO__database__SSL_MODE: verify-full
 FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
diff --git a/roles/linkwarden/vars/main.yml b/roles/linkwarden/vars/main.yml
index 79f8f60..fe9ed5e 100644
--- a/roles/linkwarden/vars/main.yml
+++ b/roles/linkwarden/vars/main.yml
@@ -2,9 +2,9 @@ linkwarden_secret: "{{ vault_linkwarden.secret }}"
 linkwarden_db_host_port: "{{ postgres.host }}:{{ postgres.port }}"
-linkwarden_db_user: "{{ opentofu.postgresql_service_roles.linkwarden.name }}"
-linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}"
-linkwarden_db_database: linkwarden
+linkwarden_db_user: "{{ opentofu.postgresql_data.linkwarden.user }}"
+linkwarden_db_pass: "{{ opentofu.postgresql_data.linkwarden.pass }}"
+linkwarden_db_database: "{{ opentofu.postgresql_data.linkwarden.database }}"
 linkwarden_s3_accesskey: "{{ opentofu.scaleway_data.linkwarden.access_key }}"
 linkwarden_s3_secretkey: "{{ opentofu.scaleway_data.linkwarden.secret_key }}"
diff --git a/roles/tinytinyrss/vars/main.yml b/roles/tinytinyrss/vars/main.yml
index 1523405..5ef2067 100644
--- a/roles/tinytinyrss/vars/main.yml
+++ b/roles/tinytinyrss/vars/main.yml
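Review bot: The three new forgejo values read `opentofu.postgresql_service_roles.forgejo.database`, `.user` and `.pass`, but every other role in this commit (acme_dns, linkwarden, tinytinyrss, umami, wiki_js, vikunja) switched to `opentofu.postgresql_data.<svc>.user`/`.pass`/`.database`, which is the output whose keys are literally `user`, `pass` and `database` in `output.tf`; the old `postgresql_service_roles` output was read as `.name`/`.password`, so unless it was reshaped outside this diff these three lookups are undefined and Ansible will fail rendering `forgejo_env` (or, with undefined-variable errors disabled, hand Forgejo empty database credentials). The fix is to point them at the same output as the other roles: `FORGEJO__database__NAME: "{{ opentofu.postgresql_data.forgejo.database }}"`, `FORGEJO__database__USER: "{{ opentofu.postgresql_data.forgejo.user }}"`, `FORGEJO__database__PASSWD: "{{ opentofu.postgresql_data.forgejo.pass }}"`. The `forgejo_env` mapping continues outside the hunk.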
@@ -6,9 +6,9 @@ tinytinyrss_svc:
 db:
 host: "{{ postgres.host }}"
 port: "{{ postgres.port }}"
- database: tinytinyrss
- user: "{{ opentofu.postgresql_service_roles.tinytinyrss.name }}"
- pass: "{{ opentofu.postgresql_service_roles.tinytinyrss.password }}"
+ database: "{{ opentofu.postgresql_data.tinytinyrss.database }}"
+ user: "{{ opentofu.postgresql_data.tinytinyrss.user }}"
+ pass: "{{ opentofu.postgresql_data.tinytinyrss.pass }}"
 tinytinyrss_env:
 TTRSS_DB_TYPE: pgsql
diff --git a/roles/umami/vars/main.yml b/roles/umami/vars/main.yml
index 1ac1949..91f4c1a 100644
--- a/roles/umami/vars/main.yml
+++ b/roles/umami/vars/main.yml
@@ -1,8 +1,8 @@
 ---
 umami_db_host: "{{ postgres.host }}"
-umami_db_user: "{{ opentofu.postgresql_service_roles.umami.name }}"
-umami_db_pass: "{{ opentofu.postgresql_service_roles.umami.password }}"
-umami_db_database: umami
+umami_db_user: "{{ opentofu.postgresql_data.umami.user }}"
+umami_db_pass: "{{ opentofu.postgresql_data.umami.pass }}"
+umami_db_database: "{{ opentofu.postgresql_data.umami.database }}"
 umami_hash_salt: "{{ vault_umami.hash_salt }}"
diff --git a/roles/vikunja/vars/main.yml b/roles/vikunja/vars/main.yml
index 66c7771..394fa16 100644
--- a/roles/vikunja/vars/main.yml
+++ b/roles/vikunja/vars/main.yml
@@ -6,9 +6,9 @@ vikunja_svc:
 db:
 host: "{{ postgres.host }}"
 port: "{{ postgres.port }}"
- database: vikunja
- user: "{{ vault_vikunja.db.user }}"
- pass: "{{ vault_vikunja.db.pass }}"
+ user: "{{ opentofu.postgresql_data.vikunja.user }}"
+ pass: "{{ opentofu.postgresql_data.vikunja.pass }}"
+ database: "{{ opentofu.postgresql_data.vikunja.database }}"
 vikunja_yml:
 service:
@@ -40,10 +40,10 @@ vikunja_yml:
 enabled: true
 providers:
 - name: auth.serguzim.me
- authurl: https://auth.serguzim.me/application/o/todo-serguzim-me/
- logouturl: https://auth.serguzim.me/application/o/todo-serguzim-me/end-session/
- clientid: "{{ vault_vikunja.oidc_client.id }}"
- clientsecret: "{{ vault_vikunja.oidc_client.secret }}"
+ authurl: "{{ opentofu.authentik_data.vikunja.base_url }}"
+ logouturl: "{{ (opentofu.authentik_data.vikunja.base_url, 'end-session') | path_join }}"
+ clientid: "{{ opentofu.authentik_data.vikunja.client_id }}"
+ clientsecret: "{{ opentofu.authentik_data.vikunja.client_secret }}"
 metrics:
 enabled: true
diff --git a/roles/wiki_js/vars/main.yml b/roles/wiki_js/vars/main.yml
index e424c4c..d0e968d 100644
--- a/roles/wiki_js/vars/main.yml
+++ b/roles/wiki_js/vars/main.yml
@@ -8,9 +8,9 @@ wiki_js_svc:
 db:
 host: "{{ postgres.host }}"
 port: "{{ postgres.port }}"
- user: "{{ opentofu.postgresql_service_roles.wiki_js.name }}"
- pass: "{{ opentofu.postgresql_service_roles.wiki_js.password }}"
- name: wiki_js
+ user: "{{ opentofu.postgresql_data.wiki_js.user }}"
+ pass: "{{ opentofu.postgresql_data.wiki_js.pass }}"
+ name: "{{ opentofu.postgresql_data.wiki_js.database }}"
 wiki_js_env:
 DB_TYPE: postgres
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 70ab8a3..0215915 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
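Review bot: `logouturl` loses its trailing slash: the removed line ended in `.../end-session/`, whereas `path_join` is a filesystem-path filter that returns `.../end-session`, so if Authentik's end-session route requires the slash, logout will land on a redirect or a 404 instead of a clean session end. Plain string concatenation is exact and keeps the old form, since `base_url` in `output.tf` now ends in `/`: `logouturl: "{{ opentofu.authentik_data.vikunja.base_url }}end-session/"`. The provider `name: auth.serguzim.me` stays hard-coded here and has to keep matching the callback path `https://todo.serguzim.me/auth/openid/authserguzimme` registered in `services.auto.tfvars`, which Vikunja presumably derives from the provider name; a comment such as `# must match the auth_redirects slug for vikunja in services.auto.tfvars` would prevent a silent mismatch. The `vikunja_yml` mapping continues outside the hunk.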
@@ -3,44 +3,52 @@ services = {
 name = "acme_dns"
 subdomain = "acme"
 auth = false
- s3 = false
 database = true
+ s3 = false
 },
 "forgejo" = {
 name = "forgejo"
 subdomain = "git"
 auth = true
 auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
- s3 = true
 database = true
+ s3 = true
 },
 "linkwarden" = {
 name = "linkwarden"
 subdomain = "bookmarks"
 auth = true
 auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
- s3 = true
 database = true
+ s3 = true
 },
 "tinytinyrss" = {
 name = "tinytinyrss"
 subdomain = "rss"
 auth = false
- s3 = false
 database = true
+ s3 = false
 },
 "umami" = {
 name = "umami"
 subdomain = "analytics"
 auth = false
- s3 = false
 database = true
+ s3 = false
 },
+ "vikunja" = {
+ name = "vikunja"
+ subdomain = "todo"
+ auth = true
+ auth_redirects = ["https://todo.serguzim.me/auth/openid/authserguzimme"]
+ database = true
+ s3 = false
+ }
 "wiki_js" = {
 name = "wiki_js"
 subdomain = "wiki"
 auth = true
- s3 = false
 database = true
+ s3 = false
 },
 }
diff --git a/tailscale.tf b/tailscale.tf
index 0f0a99e..a9250bd 100644
--- a/tailscale.tf
+++ b/tailscale.tf
@@ -2,7 +2,7 @@ resource "tailscale_tailnet_key" "cloud_init_key" {
 reusable = true
 ephemeral = false
 preauthorized = true
- expiry = 3600
+ expiry = 21600 # 6 hours
 description = "Cloud-init key used by opentofu"
 }
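Review bot: The added `"vikunja"` entry closes with a bare `}` where every sibling entry closes with `},`; HCL accepts a newline as the separator between object elements, so the file still parses, but it is the only entry in the map without the trailing comma and `tofu fmt` will not add it. Change the closing line to `},`. The `services` map starts before the hunk.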
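Review bot: `expiry = 21600 # 6 hours` lengthens the validity of a key that is also `reusable = true` and `preauthorized = true`, so for the whole window any holder of the key can enroll a node into the tailnet without approval, and the commit message does not say why one hour was too short. A comment with the reason would stop the next reader from re-raising it, e.g. `# 6 hours: must outlive a full cloud-init run; key is reusable and preauthorized, so keep this as short as the provisioning window allows`. The `tailscale_tailnet_key` resource header is outside the hunk.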