Add vikunja opentofu stuff and fix some issues

authentik.tf

@@ -2,6 +2,10 @@ data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
 }
 
+data "authentik_certificate_key_pair" "default" {
+  name = "auth.serguzim.me"
+}
+
 data "authentik_property_mapping_provider_scope" "default_scopes" {
   managed_list = [
     "goauthentik.io/providers/oauth2/scope-email",
@@ -18,6 +22,7 @@ resource "authentik_provider_oauth2" "service_providers" {
   authorization_flow = data.authentik_flow.default_authorization_flow.id
   redirect_uris      = each.value.auth_redirects
   property_mappings  = data.authentik_property_mapping_provider_scope.default_scopes.ids
+  signing_key        = data.authentik_certificate_key_pair.default.id
 }
 
 resource "authentik_application" "service_applications" {

output.tf

@@ -16,8 +16,8 @@ output "hosts" {
 
 output "authentik_data" {
   value = {
-    for key, val in local.services_auth : key => {
+    for key in keys(authentik_application.service_applications) : key => {
-      "base_url"      = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
+      "base_url"      = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
       "client_id"     = authentik_provider_oauth2.service_providers[key].client_id
       "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
     }
@@ -27,7 +27,7 @@ output "authentik_data" {
 
 output "postgresql_data" {
   value = {
-    for key, val in local.services_auth : key => {
+    for key in keys(postgresql_database.service_databases) : key => {
       "user"      = postgresql_role.service_roles[key].name
       "pass"      = postgresql_role.service_roles[key].password
       "database"  = postgresql_database.service_databases[key].name
@@ -45,7 +45,7 @@ output "postgresql" {
 
 output "scaleway_data" {
   value = {
-    for key, val in local.services_s3 : key => {
+    for key in keys(scaleway_iam_application.service_applications) : key => {
       "access_key"   = scaleway_iam_api_key.service_keys[key].access_key
       "secret_key"   = scaleway_iam_api_key.service_keys[key].secret_key
       "name"         = scaleway_object_bucket.service_buckets[key].name

roles/acme_dns/vars/main.yml

@@ -10,9 +10,9 @@ acme_dns_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    user: "{{ opentofu.postgresql_service_roles.acme_dns.name }}"
+    user: "{{ opentofu.postgresql_data.acme_dns.user }}"
-    pass: "{{ opentofu.postgresql_service_roles.acme_dns.password }}"
+    pass: "{{ opentofu.postgresql_data.acme_dns.pass }}"
-    db: acme_dns
+    db: "{{ opentofu.postgresql_data.acme_dns.database }}"
 
 acme_dns_compose:
   watchtower: true

roles/forgejo/vars/main.yml

@@ -14,9 +14,9 @@ forgejo_svc:
 forgejo_env:
   FORGEJO__database__DB_TYPE: postgres
   FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
-  FORGEJO__database__NAME: forgejo
+  FORGEJO__database__NAME: "{{ opentofu.postgresql_service_roles.forgejo.database }}"
-  FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.name }}"
+  FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.user }}"
-  FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.password }}"
+  FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.pass }}"
   FORGEJO__database__SSL_MODE: verify-full
 
   FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true

roles/linkwarden/vars/main.yml

@@ -2,9 +2,9 @@
 linkwarden_secret: "{{ vault_linkwarden.secret }}"
 
 linkwarden_db_host_port: "{{ postgres.host }}:{{ postgres.port }}"
-linkwarden_db_user: "{{ opentofu.postgresql_service_roles.linkwarden.name }}"
+linkwarden_db_user: "{{ opentofu.postgresql_data.linkwarden.user }}"
-linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}"
+linkwarden_db_pass: "{{ opentofu.postgresql_data.linkwarden.pass }}"
-linkwarden_db_database: linkwarden
+linkwarden_db_database: "{{ opentofu.postgresql_data.linkwarden.database }}"
 
 linkwarden_s3_accesskey: "{{ opentofu.scaleway_data.linkwarden.access_key }}"
 linkwarden_s3_secretkey: "{{ opentofu.scaleway_data.linkwarden.secret_key }}"

roles/tinytinyrss/vars/main.yml

@@ -6,9 +6,9 @@ tinytinyrss_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    database: tinytinyrss
+    database: "{{ opentofu.postgresql_data.tinytinyrss.database }}"
-    user: "{{ opentofu.postgresql_service_roles.tinytinyrss.name }}"
+    user: "{{ opentofu.postgresql_data.tinytinyrss.user }}"
-    pass: "{{ opentofu.postgresql_service_roles.tinytinyrss.password }}"
+    pass: "{{ opentofu.postgresql_data.tinytinyrss.pass }}"
 
 tinytinyrss_env:
   TTRSS_DB_TYPE: pgsql

roles/umami/vars/main.yml

@@ -1,8 +1,8 @@
 ---
 umami_db_host: "{{ postgres.host }}"
-umami_db_user: "{{ opentofu.postgresql_service_roles.umami.name }}"
+umami_db_user: "{{ opentofu.postgresql_data.umami.user }}"
-umami_db_pass: "{{ opentofu.postgresql_service_roles.umami.password }}"
+umami_db_pass: "{{ opentofu.postgresql_data.umami.pass }}"
-umami_db_database: umami
+umami_db_database: "{{ opentofu.postgresql_data.umami.database }}"
 
 umami_hash_salt: "{{ vault_umami.hash_salt }}"
 

roles/vikunja/vars/main.yml

@@ -6,9 +6,9 @@ vikunja_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    database: vikunja
+    user: "{{ opentofu.postgresql_data.vikunja.user }}"
-    user: "{{ vault_vikunja.db.user }}"
+    pass: "{{ opentofu.postgresql_data.vikunja.pass }}"
-    pass: "{{ vault_vikunja.db.pass }}"
+    database: "{{ opentofu.postgresql_data.vikunja.database }}"
 
 vikunja_yml:
   service:
@@ -40,10 +40,10 @@ vikunja_yml:
       enabled: true
       providers:
         - name: auth.serguzim.me
-          authurl: https://auth.serguzim.me/application/o/todo-serguzim-me/
+          authurl: "{{ opentofu.authentik_data.vikunja.base_url }}"
-          logouturl: https://auth.serguzim.me/application/o/todo-serguzim-me/end-session/
+          logouturl: "{{ (opentofu.authentik_data.vikunja.base_url, 'end-session') | path_join }}"
-          clientid: "{{ vault_vikunja.oidc_client.id }}"
+          clientid: "{{ opentofu.authentik_data.vikunja.client_id }}"
-          clientsecret: "{{ vault_vikunja.oidc_client.secret }}"
+          clientsecret: "{{ opentofu.authentik_data.vikunja.client_secret }}"
 
   metrics:
     enabled: true

roles/wiki_js/vars/main.yml

@@ -8,9 +8,9 @@ wiki_js_svc:
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    user: "{{ opentofu.postgresql_service_roles.wiki_js.name }}"
+    user: "{{ opentofu.postgresql_data.wiki_js.user }}"
-    pass: "{{ opentofu.postgresql_service_roles.wiki_js.password }}"
+    pass: "{{ opentofu.postgresql_data.wiki_js.pass }}"
-    name: wiki_js
+    name: "{{ opentofu.postgresql_data.wiki_js.database }}"
 
 wiki_js_env:
   DB_TYPE: postgres

services.auto.tfvars

@@ -3,44 +3,52 @@ services = {
     name = "acme_dns"
     subdomain = "acme"
     auth = false
-    s3 = false
     database = true
+    s3 = false
   },
   "forgejo" = {
     name = "forgejo"
     subdomain = "git"
     auth = true
     auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
-    s3 = true
     database = true
+    s3 = true
   },
   "linkwarden" = {
     name = "linkwarden"
     subdomain = "bookmarks"
     auth = true
     auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
-    s3 = true
     database = true
+    s3 = true
   },
   "tinytinyrss" = {
     name = "tinytinyrss"
     subdomain = "rss"
     auth = false
-    s3 = false
     database = true
+    s3 = false
   },
   "umami" = {
     name = "umami"
     subdomain = "analytics"
     auth = false
-    s3 = false
     database = true
+    s3 = false
   },
+  "vikunja" = {
+    name = "vikunja"
+    subdomain = "todo"
+    auth = true
+    auth_redirects = ["https://todo.serguzim.me/auth/openid/authserguzimme"]
+    database = true
+    s3 = false
+  }
   "wiki_js" = {
     name = "wiki_js"
     subdomain = "wiki"
     auth = true
-    s3 = false
     database = true
+    s3 = false
   },
 }

tailscale.tf

@@ -2,7 +2,7 @@ resource "tailscale_tailnet_key" "cloud_init_key" {
   reusable      = true
   ephemeral     = false
   preauthorized = true
-  expiry        = 3600
+  expiry        = 21600 # 6 hours
   description   = "Cloud-init key used by opentofu"
 }