Add foundryvtt service

modules/infrastructure/scaleway.tf

@@ -65,6 +65,18 @@ resource "scaleway_object_bucket_policy" "service_bucket_policies" {
           "${scaleway_object_bucket.service_buckets[each.key].name}/*",
         ]
       },
+      {
+        Sid = "Public statement"
+        Effect = "Allow"
+        Action = try(var.services[each.value].s3_public, false) ? "s3:GetObject" : "s3:GetBucketLocation"
+        Principal = {
+          SCW = "*"
+        }
+        Resource = [
+          "${scaleway_object_bucket.service_buckets[each.key].name}",
+          "${scaleway_object_bucket.service_buckets[each.key].name}/*",
+        ]
+      },
     ]
   })
 }

modules/infrastructure/variables.tf

@@ -37,6 +37,7 @@ variable "services" {
     auth_redirects = optional(list(string))
     s3 = optional(string)
     s3_buckets = optional(list(string))
+    s3_public = bool
     database = bool
     storage_box = optional(bool, false)
   }))

playbooks/roles/foundryvtt/defaults/main.yml

@@ -0,0 +1,69 @@
+---
+foundryvtt_release_url: "{{ undef() }}"
+foundryvtt_license_key: "{{ undef() }}"
+foundryvtt_admin_key: "{{ undef() }}"
+
+foundryvtt_s3_bucket: "{{ opentofu.scaleway_data.foundryvtt.name }}"
+foundryvtt_s3_region: "{{ opentofu.scaleway_data.foundryvtt.region }}"
+foundryvtt_s3_api_endpoint: "{{ opentofu.scaleway_data.foundryvtt.api_endpoint }}"
+foundryvtt_s3_access_key: "{{ opentofu.scaleway_data.foundryvtt.access_key }}"
+foundryvtt_s3_secret_key: "{{ opentofu.scaleway_data.foundryvtt.secret_key }}"
+
+foundryvtt_aws_config:
+  buckets:
+    - "{{ foundryvtt_s3_bucket }}"
+  endpoint: "{{ foundryvtt_s3_api_endpoint }}"
+  region: "{{ foundryvtt_s3_region }}"
+  s3ForcePathStyle: true
+  s3BucketEndpoint: false
+  credentials:
+    accessKeyId: "{{ foundryvtt_s3_access_key }}"
+    secretAccessKey: "{{ foundryvtt_s3_secret_key }}"
+
+foundryvtt_svc:
+  domain: "{{ all_services | service_get_domain(service_name) }}"
+  port: 30000
+  caddy_extra: |
+    handle_path /s3proxy/* {
+      rewrite * /{{ foundryvtt_aws_config.buckets[0] }}{uri}
+      reverse_proxy {{ foundryvtt_s3_api_endpoint }} {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+      }
+    }
+
+    handle_path /{{ foundryvtt_s3_bucket }}.{{ foundryvtt_s3_api_endpoint | urlsplit('hostname') }}/{{ foundryvtt_s3_bucket }}/* {
+      rewrite * /{{ foundryvtt_aws_config.buckets[0] }}{uri}
+      reverse_proxy {{ foundryvtt_s3_api_endpoint }} {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+      }
+    }
+
+foundryvtt_env:
+  FOUNDRY_RELEASE_URL: "{{ foundryvtt_release_url | mandatory }}"
+  FOUNDRY_LICENSE_KEY: "{{ foundryvtt_license_key | mandatory }}"
+  FOUNDRY_ADMIN_KEY: "{{ foundryvtt_admin_key | mandatory }}"
+
+  FOUNDRY_COMPRESS_WEBSOCKET: true
+  FOUNDRY_MINIFY_STATIC_FILES: true
+
+  FOUNDRY_HOSTNAME: "{{ foundryvtt_svc.domain }}"
+  FOUNDRY_PROXY_SSL: true
+  FOUNDRY_PROXY_PORT: 443
+
+  FOUNDRY_LANGUAGE: de.lang-de
+  FOUNDRY_TELEMETRY: true
+
+  FOUNDRY_AWS_CONFIG: aws.json
+
+  TZ: "{{ timezone }}"
+
+
+foundryvtt_compose:
+  watchtower: update
+  image: ghcr.io/felddy/foundryvtt:14
+  volumes:
+    - data:/data
+    - ./aws.json:/data/Config/aws.json
+  file:
+    volumes:
+      data:

playbooks/roles/foundryvtt/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Restart service foundryvtt
+  ansible.builtin.include_tasks: tasks/restart-service.yml

playbooks/roles/foundryvtt/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ service_name }}
+  vars:
+    svc: "{{ foundryvtt_svc }}"
+    env: "{{ foundryvtt_env }}"
+    compose: "{{ foundryvtt_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Create aws config
+      ansible.builtin.copy:
+        dest: "{{ (service_path, 'aws.json') | path_join }}"
+        content: "{{ foundryvtt_aws_config | to_json }}"
+        owner: 1000
+        group: 1000
+        mode: 0644
+      become: true
+      notify: Restart service {{ service_name }}
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml

scripts/visualize.py

@@ -16,6 +16,7 @@ icon_overrides = {
     "emgauwa": None,
     "extra_services": None,
     "forgejo_runner": "forgejo",
+    "foundryvtt": "foundry-virtual-tabletop",
     "healthcheck": "healthchecks",
     "immich_worker": "immich",
     "jitsi": "jitsi-meet",
@@ -35,6 +36,7 @@ icon_overrides = {
 }
 
 icon_format = {
+    "foundry-virtual-tabletop": "webp",
     "restic": "webp",
     "telegraf": "webp",
     "tiny-tiny-rss": "webp",

services.auto.tfvars

@@ -275,6 +275,17 @@ services = {
     database = false
   },
 
+  "foundryvtt" = {
+    host = "node002"
+    dns = [{
+      domain = "dnd.serguzim.me"
+    }]
+    auth = false
+    database = false
+    s3 = "external"
+    s3_public = true
+  }
+
   "healthcheck" = {
     host = "node001"
     auth = false

variables.tf

@@ -171,6 +171,7 @@ variable "services" {
     auth_redirects = optional(list(string))
     s3 = optional(string)
     s3_buckets = optional(list(string))
+    s3_public = optional(bool, false)
     database = bool
     storage_box = optional(bool, false)
     mail = optional(string)