Add vikunja opentofu stuff and fix some issues

This commit is contained in:
Tobias Reisinger 2024-09-28 21:26:13 +02:00
parent 6f77230c15
commit 1831cddffa
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
11 changed files with 49 additions and 36 deletions


@ -2,6 +2,10 @@ data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_certificate_key_pair" "default" {
name = "auth.serguzim.me"
}
data "authentik_property_mapping_provider_scope" "default_scopes" { data "authentik_property_mapping_provider_scope" "default_scopes" {
managed_list = [ managed_list = [
"goauthentik.io/providers/oauth2/scope-email", "goauthentik.io/providers/oauth2/scope-email",
@ -18,6 +22,7 @@ resource "authentik_provider_oauth2" "service_providers" {
authorization_flow = data.authentik_flow.default_authorization_flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
redirect_uris = each.value.auth_redirects redirect_uris = each.value.auth_redirects
property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids
signing_key = data.authentik_certificate_key_pair.default.id
} }
resource "authentik_application" "service_applications" { resource "authentik_application" "service_applications" {
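Review bot: The new `signing_key` on `service_providers` is applied to every provider in the `for_each`, not just the new vikunja one, and as far as I understand Authentik, attaching a certificate switches ID-token signing from HS256 (client secret) to RS256 with that key. Existing relying parties that were validating tokens under the old algorithm should be checked after apply, since the commit message does not mention this side effect. A one-line comment above the attribute would make the intent explicit, e.g. `# Sign tokens with the auth.serguzim.me key pair (RS256) for all providers`. The `service_providers` resource starts and ends outside the hunk.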


@ -16,8 +16,8 @@ output "hosts" {
output "authentik_data" { output "authentik_data" {
value = { value = {
for key, val in local.services_auth : key => { for key in keys(authentik_application.service_applications) : key => {
"base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}" "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
"client_id" = authentik_provider_oauth2.service_providers[key].client_id "client_id" = authentik_provider_oauth2.service_providers[key].client_id
"client_secret" = authentik_provider_oauth2.service_providers[key].client_secret "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
} }
@ -27,7 +27,7 @@ output "authentik_data" {
output "postgresql_data" { output "postgresql_data" {
value = { value = {
for key, val in local.services_auth : key => { for key in keys(postgresql_database.service_databases) : key => {
"user" = postgresql_role.service_roles[key].name "user" = postgresql_role.service_roles[key].name
"pass" = postgresql_role.service_roles[key].password "pass" = postgresql_role.service_roles[key].password
"database" = postgresql_database.service_databases[key].name "database" = postgresql_database.service_databases[key].name
@ -45,7 +45,7 @@ output "postgresql" {
output "scaleway_data" { output "scaleway_data" {
value = { value = {
for key, val in local.services_s3 : key => { for key in keys(scaleway_iam_application.service_applications) : key => {
"access_key" = scaleway_iam_api_key.service_keys[key].access_key "access_key" = scaleway_iam_api_key.service_keys[key].access_key
"secret_key" = scaleway_iam_api_key.service_keys[key].secret_key "secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
"name" = scaleway_object_bucket.service_buckets[key].name "name" = scaleway_object_bucket.service_buckets[key].name
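Review bot: All three rewritten outputs (`authentik_data`, `postgresql_data`, `scaleway_data`) expose secrets — `client_secret`, `password`/`pass`, `secret_key` — so each output block should carry `sensitive = true` to keep these values out of plan/apply output and CI logs; the closing of each block is outside the hunk, so I cannot see whether it is already set. The switch from `local.services_auth` to `keys(<resource>)` also means the output now follows the resource `for_each` exactly, which is the right fix for the key mismatch, but a short comment on each `for` line such as `# keyed by the same for_each set as the resources, so every key resolves` would help the next reader.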


@ -10,9 +10,9 @@ acme_dns_svc:
db: db:
host: "{{ postgres.host }}" host: "{{ postgres.host }}"
port: "{{ postgres.port }}" port: "{{ postgres.port }}"
user: "{{ opentofu.postgresql_service_roles.acme_dns.name }}" user: "{{ opentofu.postgresql_data.acme_dns.user }}"
pass: "{{ opentofu.postgresql_service_roles.acme_dns.password }}" pass: "{{ opentofu.postgresql_data.acme_dns.pass }}"
db: acme_dns db: "{{ opentofu.postgresql_data.acme_dns.database }}"
acme_dns_compose: acme_dns_compose:
watchtower: true watchtower: true


@ -14,9 +14,9 @@ forgejo_svc:
forgejo_env: forgejo_env:
FORGEJO__database__DB_TYPE: postgres FORGEJO__database__DB_TYPE: postgres
FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}" FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
FORGEJO__database__NAME: forgejo FORGEJO__database__NAME: "{{ opentofu.postgresql_service_roles.forgejo.database }}"
FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.name }}" FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.user }}"
FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.password }}" FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.pass }}"
FORGEJO__database__SSL_MODE: verify-full FORGEJO__database__SSL_MODE: verify-full
FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
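Review bot: The forgejo vars still read from `opentofu.postgresql_service_roles` while taking the new attribute names (`database`, `user`, `pass`), whereas every other service file in this commit moved to `opentofu.postgresql_data.<svc>` — the old output only exposed `name` and `password`, so these three lookups most likely resolve to undefined. The lines should be `FORGEJO__database__NAME: "{{ opentofu.postgresql_data.forgejo.database }}"`, `FORGEJO__database__USER: "{{ opentofu.postgresql_data.forgejo.user }}"` and `FORGEJO__database__PASSWD: "{{ opentofu.postgresql_data.forgejo.pass }}"`.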


@ -2,9 +2,9 @@
linkwarden_secret: "{{ vault_linkwarden.secret }}" linkwarden_secret: "{{ vault_linkwarden.secret }}"
linkwarden_db_host_port: "{{ postgres.host }}:{{ postgres.port }}" linkwarden_db_host_port: "{{ postgres.host }}:{{ postgres.port }}"
linkwarden_db_user: "{{ opentofu.postgresql_service_roles.linkwarden.name }}" linkwarden_db_user: "{{ opentofu.postgresql_data.linkwarden.user }}"
linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}" linkwarden_db_pass: "{{ opentofu.postgresql_data.linkwarden.pass }}"
linkwarden_db_database: linkwarden linkwarden_db_database: "{{ opentofu.postgresql_data.linkwarden.database }}"
linkwarden_s3_accesskey: "{{ opentofu.scaleway_data.linkwarden.access_key }}" linkwarden_s3_accesskey: "{{ opentofu.scaleway_data.linkwarden.access_key }}"
linkwarden_s3_secretkey: "{{ opentofu.scaleway_data.linkwarden.secret_key }}" linkwarden_s3_secretkey: "{{ opentofu.scaleway_data.linkwarden.secret_key }}"


@ -6,9 +6,9 @@ tinytinyrss_svc:
db: db:
host: "{{ postgres.host }}" host: "{{ postgres.host }}"
port: "{{ postgres.port }}" port: "{{ postgres.port }}"
database: tinytinyrss database: "{{ opentofu.postgresql_data.tinytinyrss.database }}"
user: "{{ opentofu.postgresql_service_roles.tinytinyrss.name }}" user: "{{ opentofu.postgresql_data.tinytinyrss.user }}"
pass: "{{ opentofu.postgresql_service_roles.tinytinyrss.password }}" pass: "{{ opentofu.postgresql_data.tinytinyrss.pass }}"
tinytinyrss_env: tinytinyrss_env:
TTRSS_DB_TYPE: pgsql TTRSS_DB_TYPE: pgsql


@ -1,8 +1,8 @@
--- ---
umami_db_host: "{{ postgres.host }}" umami_db_host: "{{ postgres.host }}"
umami_db_user: "{{ opentofu.postgresql_service_roles.umami.name }}" umami_db_user: "{{ opentofu.postgresql_data.umami.user }}"
umami_db_pass: "{{ opentofu.postgresql_service_roles.umami.password }}" umami_db_pass: "{{ opentofu.postgresql_data.umami.pass }}"
umami_db_database: umami umami_db_database: "{{ opentofu.postgresql_data.umami.database }}"
umami_hash_salt: "{{ vault_umami.hash_salt }}" umami_hash_salt: "{{ vault_umami.hash_salt }}"


@ -6,9 +6,9 @@ vikunja_svc:
db: db:
host: "{{ postgres.host }}" host: "{{ postgres.host }}"
port: "{{ postgres.port }}" port: "{{ postgres.port }}"
database: vikunja user: "{{ opentofu.postgresql_data.vikunja.user }}"
user: "{{ vault_vikunja.db.user }}" pass: "{{ opentofu.postgresql_data.vikunja.pass }}"
pass: "{{ vault_vikunja.db.pass }}" database: "{{ opentofu.postgresql_data.vikunja.database }}"
vikunja_yml: vikunja_yml:
service: service:
@ -40,10 +40,10 @@ vikunja_yml:
enabled: true enabled: true
providers: providers:
- name: auth.serguzim.me - name: auth.serguzim.me
authurl: https://auth.serguzim.me/application/o/todo-serguzim-me/ authurl: "{{ opentofu.authentik_data.vikunja.base_url }}"
logouturl: https://auth.serguzim.me/application/o/todo-serguzim-me/end-session/ logouturl: "{{ (opentofu.authentik_data.vikunja.base_url, 'end-session') | path_join }}"
clientid: "{{ vault_vikunja.oidc_client.id }}" clientid: "{{ opentofu.authentik_data.vikunja.client_id }}"
clientsecret: "{{ vault_vikunja.oidc_client.secret }}" clientsecret: "{{ opentofu.authentik_data.vikunja.client_secret }}"
metrics: metrics:
enabled: true enabled: true
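Review bot: The rewritten `logouturl` loses the trailing slash the old value had (`.../end-session/`): `path_join` produces `<base_url>end-session` with no terminating `/`, and Authentik's endpoints are slash-terminated, so the logout redirect may hit a redirect or a 404 depending on the server's slash handling. Since `base_url` now ends in `/` (see the outputs change in this commit), plain concatenation is enough: `logouturl: "{{ opentofu.authentik_data.vikunja.base_url }}end-session/"`. The replacement of the vault-stored OIDC client id/secret with the opentofu outputs is otherwise consistent with the other services.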


@ -8,9 +8,9 @@ wiki_js_svc:
db: db:
host: "{{ postgres.host }}" host: "{{ postgres.host }}"
port: "{{ postgres.port }}" port: "{{ postgres.port }}"
user: "{{ opentofu.postgresql_service_roles.wiki_js.name }}" user: "{{ opentofu.postgresql_data.wiki_js.user }}"
pass: "{{ opentofu.postgresql_service_roles.wiki_js.password }}" pass: "{{ opentofu.postgresql_data.wiki_js.pass }}"
name: wiki_js name: "{{ opentofu.postgresql_data.wiki_js.database }}"
wiki_js_env: wiki_js_env:
DB_TYPE: postgres DB_TYPE: postgres


@ -3,44 +3,52 @@ services = {
name = "acme_dns" name = "acme_dns"
subdomain = "acme" subdomain = "acme"
auth = false auth = false
s3 = false
database = true database = true
s3 = false
}, },
"forgejo" = { "forgejo" = {
name = "forgejo" name = "forgejo"
subdomain = "git" subdomain = "git"
auth = true auth = true
auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"] auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
s3 = true
database = true database = true
s3 = true
}, },
"linkwarden" = { "linkwarden" = {
name = "linkwarden" name = "linkwarden"
subdomain = "bookmarks" subdomain = "bookmarks"
auth = true auth = true
auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"] auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
s3 = true
database = true database = true
s3 = true
}, },
"tinytinyrss" = { "tinytinyrss" = {
name = "tinytinyrss" name = "tinytinyrss"
subdomain = "rss" subdomain = "rss"
auth = false auth = false
s3 = false
database = true database = true
s3 = false
}, },
"umami" = { "umami" = {
name = "umami" name = "umami"
subdomain = "analytics" subdomain = "analytics"
auth = false auth = false
s3 = false
database = true database = true
s3 = false
}, },
"vikunja" = {
name = "vikunja"
subdomain = "todo"
auth = true
auth_redirects = ["https://todo.serguzim.me/auth/openid/authserguzimme"]
database = true
s3 = false
}
"wiki_js" = { "wiki_js" = {
name = "wiki_js" name = "wiki_js"
subdomain = "wiki" subdomain = "wiki"
auth = true auth = true
s3 = false
database = true database = true
s3 = false
}, },
} }
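Review bot: Style only: the new `"vikunja"` entry closes with `}` and no trailing comma, while every other entry in `services` ends with `},`; HCL accepts the newline as a separator, so it is not an error, but the line should read `},` for consistency with its neighbours. The `auth`/`database`/`s3` reorder in the other entries is cosmetic and fine.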


@ -2,7 +2,7 @@ resource "tailscale_tailnet_key" "cloud_init_key" {
reusable = true reusable = true
ephemeral = false ephemeral = false
preauthorized = true preauthorized = true
expiry = 3600 expiry = 21600 # 6 hours
description = "Cloud-init key used by opentofu" description = "Cloud-init key used by opentofu"
} }
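Review bot: The magic number plus comment on the `expiry` line would read better as the expression it documents: `expiry = 6 * 60 * 60 # seconds; cloud-init must finish enrolment within this window`. Worth keeping in mind that this key is both `reusable` and `preauthorized` (lines above), so its validity is the time during which anyone who can read the cloud-init user data can join a node to the tailnet; six hours is a sixfold widening of that window, and the commit message does not say why one hour was too short, so a short justification in the comment would help the next reader decide whether it can be tightened again.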