diff --git a/authentik.tf b/authentik.tf
index 34cfcb3..4594a99 100644
--- a/authentik.tf
+++ b/authentik.tf
@@ -11,7 +11,7 @@ data "authentik_property_mapping_provider_scope" "default_scopes" {
 }
 
 resource "authentik_provider_oauth2" "service_providers" {
- for_each = local.service_auths
+ for_each = local.services_auth
 name = each.value.name
 client_type = "confidential"
 client_id = each.value.name
@@ -21,7 +21,7 @@ resource "authentik_provider_oauth2" "service_providers" {
 }
 
 resource "authentik_application" "service_applications" {
- for_each = local.service_auths
+ for_each = local.services_auth
 name = each.value.name
 slug = "${each.value.subdomain}-serguzim-me"
 protocol_provider = authentik_provider_oauth2.service_providers[each.key].id
diff --git a/main.tf b/main.tf
index 153841c..3b205d7 100644
--- a/main.tf
+++ b/main.tf
@@ -86,6 +86,8 @@ provider "tailscale" {
 }
 
 locals {
- service_auths = {for key, val in var.services : key => val if val.auth}
+ services_auth = {for key, val in var.services : key => val if val.auth}
+ services_database = {for key, val in var.services : key => val if val.database}
+ services_s3 = {for key, val in var.services : key => val if val.s3}
 }
 
diff --git a/output.tf b/output.tf
index e4fd4b8..4832063 100644
--- a/output.tf
+++ b/output.tf
@@ -16,7 +16,7 @@ output "hosts" {
 
 output "authentik_data" {
 value = {
- for key, val in local.service_auths : key => {
+ for key, val in local.services_auth : key => {
 "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
 "client_id" = authentik_provider_oauth2.service_providers[key].client_id
 "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
@@ -25,8 +25,14 @@ output "authentik_data" {
 sensitive = true
 }
 
-output "postgresql_service_roles" {
- value = postgresql_role.service_roles
+output "postgresql_data" {
+ value = {
+ for key, val in local.services_auth : key => {
+ "user" = postgresql_role.service_roles[key].name
+ "pass" = postgresql_role.service_roles[key].password
+ "database" = postgresql_database.service_databases[key].name
+ }
+ }
 sensitive = true
 }
 
@@ -37,13 +43,18 @@ output "postgresql" {
 }
 }
 
-output "scaleway_service_keys" {
- value = scaleway_iam_api_key.service_keys
- sensitive = true
-}
-
-output "scaleway_service_buckets" {
- value = scaleway_object_bucket.service_buckets
+output "scaleway_data" {
+ value = {
+ for key, val in local.services_s3 : key => {
+ "access_key" = scaleway_iam_api_key.service_keys[key].access_key
+ "secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
+ "name" = scaleway_object_bucket.service_buckets[key].name
+ "region" = scaleway_object_bucket.service_buckets[key].region
+ "endpoint" = scaleway_object_bucket.service_buckets[key].endpoint
+ "api_endpoint" = scaleway_object_bucket.service_buckets[key].api_endpoint
+ }
+ }
+ sensitive = true
 }
 
 output "scaleway_registry_endpoint_public" {
diff --git a/postgresql.tf b/postgresql.tf
index d855879..982fecb 100644
--- a/postgresql.tf
+++ b/postgresql.tf
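Review bot: The new `postgresql_data` output iterates `local.services_auth`, but the resources it indexes, `postgresql_role.service_roles` and `postgresql_database.service_databases`, are keyed by `local.services_database` (see the postgresql.tf hunk), so the output is built over the wrong set of services. With the values in services.auto.tfvars this silently drops acme_dns, tinytinyrss and umami (database = true, auth = false), and any future service with auth = true and database = false would fail the plan with an invalid index on `service_roles[key]`. The fix is the for-expression's source collection: `for key, val in local.services_database : key => {`. Since `pass` is the plaintext role password, a short comment on the output, e.g. `# carries plaintext DB passwords; keep sensitive = true and treat consumers (state, Ansible facts) accordingly`, would also help the next maintainer.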
@@ -1,23 +1,18 @@
-locals {
- service_databases = {for key, val in var.services : key => val if val.database}
-}
-
-
 resource "random_password" "postgresql_service_passwords" {
- for_each = local.service_databases
+ for_each = local.services_database
 length = 32
 special = false
 }
 
 resource "postgresql_role" "service_roles" {
- for_each = local.service_databases
+ for_each = local.services_database
 name = each.value.name
 login = true
 password = random_password.postgresql_service_passwords[each.key].result
 }
 
 resource "postgresql_database" "service_databases" {
- for_each = local.service_databases
+ for_each = local.services_database
 name = each.value.name
 owner = postgresql_role.service_roles[each.key].name
 }
diff --git a/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml
index 92e81f8..2d57652 100644
--- a/roles/forgejo/vars/main.yml
+++ b/roles/forgejo/vars/main.yml
@@ -71,11 +71,11 @@ forgejo_env:
 FORGEJO__actions__ENABLED: true
 FORGEJO__storage__STORAGE_TYPE: minio
- FORGEJO__storage__MINIO_ENDPOINT: "{{ opentofu.scaleway_service_buckets.forgejo.api_endpoint | urlsplit('hostname') }}"
- FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ opentofu.scaleway_service_keys.forgejo.access_key }}"
- FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ opentofu.scaleway_service_keys.forgejo.secret_key }}"
- FORGEJO__storage__MINIO_BUCKET: "{{ opentofu.scaleway_service_buckets.forgejo.name }}"
- FORGEJO__storage__MINIO_LOCATION: "{{ opentofu.scaleway_service_buckets.forgejo.region }}"
+ FORGEJO__storage__MINIO_ENDPOINT: "{{ opentofu.scaleway_data.forgejo.api_endpoint | urlsplit('hostname') }}"
+ FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ opentofu.scaleway_data.forgejo.access_key }}"
+ FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ opentofu.scaleway_data.forgejo.secret_key }}"
+ FORGEJO__storage__MINIO_BUCKET: "{{ opentofu.scaleway_data.forgejo.name }}"
+ FORGEJO__storage__MINIO_LOCATION: "{{ opentofu.scaleway_data.forgejo.region }}"
 FORGEJO__storage__MINIO_USE_SSL: true
 FORGEJO__other__SHOW_FOOTER_VERSION: true
diff --git a/roles/linkwarden/vars/main.yml b/roles/linkwarden/vars/main.yml
index 33a9036..79f8f60 100644
--- a/roles/linkwarden/vars/main.yml
+++ b/roles/linkwarden/vars/main.yml
@@ -6,8 +6,8 @@ linkwarden_db_user: "{{ opentofu.postgresql_service_roles.linkwarden.name }}"
 linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}"
 linkwarden_db_database: linkwarden
 
-linkwarden_s3_accesskey: "{{ opentofu.scaleway_service_keys.linkwarden.access_key }}"
-linkwarden_s3_secretkey: "{{ opentofu.scaleway_service_keys.linkwarden.secret_key }}"
+linkwarden_s3_accesskey: "{{ opentofu.scaleway_data.linkwarden.access_key }}"
+linkwarden_s3_secretkey: "{{ opentofu.scaleway_data.linkwarden.secret_key }}"
 
 linkwarden_svc:
 domain: bookmarks.serguzim.me
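Review bot: The context line `linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}"` (and `linkwarden_db_user` shown in the hunk header) still reads the `postgresql_service_roles` output, which this same commit deletes from output.tf, so the linkwarden role will fail to render as soon as it consumes the new outputs. They need to follow the rename the way the S3 lines below them do: `linkwarden_db_user: "{{ opentofu.postgresql_data.linkwarden.user }}"` and `linkwarden_db_pass: "{{ opentofu.postgresql_data.linkwarden.pass }}"`; `linkwarden_db_database` can likewise become `"{{ opentofu.postgresql_data.linkwarden.database }}"` instead of the hard-coded value, keeping the role in step with what the Terraform side provisions. Other roles that read `postgresql_service_roles` (forgejo, wiki_js and the database-only services) are outside this diff and are presumably broken the same way, so a grep for the old output name before merging is worthwhile.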
@@ -21,9 +21,9 @@ linkwarden_env:
 SPACES_KEY: "{{ linkwarden_s3_accesskey }}"
 SPACES_SECRET: "{{ linkwarden_s3_secretkey }}"
- SPACES_ENDPOINT: "{{ opentofu.scaleway_service_buckets.linkwarden.api_endpoint }}"
- SPACES_BUCKET_NAME: "{{ opentofu.scaleway_service_buckets.linkwarden.name }}"
- SPACES_REGION: "{{ opentofu.scaleway_service_buckets.linkwarden.region }}"
+ SPACES_ENDPOINT: "{{ opentofu.scaleway_data.linkwarden.api_endpoint }}"
+ SPACES_BUCKET_NAME: "{{ opentofu.scaleway_data.linkwarden.name }}"
+ SPACES_REGION: "{{ opentofu.scaleway_data.linkwarden.region }}"
 SPACES_FORCE_PATH_STYLE: false
 NEXT_PUBLIC_DISABLE_REGISTRATION: true
diff --git a/scaleway.tf b/scaleway.tf
index 33e32e8..5d70bc6 100644
--- a/scaleway.tf
+++ b/scaleway.tf
@@ -11,17 +11,13 @@ data "scaleway_iam_user" "serguzim" {
 email = "tobias@msrg.cc"
 }
 
-locals {
- service_buckets = {for key, val in var.services : key => val if val.bucket}
-}
-
 resource "scaleway_iam_application" "service_applications" {
- for_each = local.service_buckets
+ for_each = local.services_s3
 name = each.value.name
 }
 
 resource "scaleway_iam_policy" "service_storage_policies" {
- for_each = local.service_buckets
+ for_each = local.services_s3
 name = "${each.key}_storage_policy"
 application_id = scaleway_iam_application.service_applications[each.key].id
 rule {
@@ -31,7 +27,7 @@ resource "scaleway_iam_policy" "service_storage_policies" {
 }
 
 resource "scaleway_object_bucket" "service_buckets" {
- for_each = local.service_buckets
+ for_each = local.services_s3
 name = "${each.value.name}.serguzim.me"
 lifecycle {
 prevent_destroy = true
@@ -39,7 +35,7 @@ resource "scaleway_object_bucket" "service_buckets" {
 }
 
 resource "scaleway_object_bucket_policy" "service_bucket_policies" {
- for_each = local.service_buckets
+ for_each = local.services_s3
 bucket = scaleway_object_bucket.service_buckets[each.key].id
 policy = jsonencode({
 Version = "2023-04-17",
@@ -78,7 +74,7 @@ resource "time_rotating" "rotate_after_a_year" {
 }
 
 resource "scaleway_iam_api_key" "service_keys" {
- for_each = local.service_buckets
+ for_each = local.services_s3
 description = "Service key for ${each.key}"
 application_id = scaleway_iam_application.service_applications[each.key].id
 expires_at = time_rotating.rotate_after_a_year.rotation_rfc3339
diff --git a/services.auto.tfvars b/services.auto.tfvars
index be0f713..70ab8a3 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -3,7 +3,7 @@ services = {
 name = "acme_dns"
 subdomain = "acme"
 auth = false
- bucket = false
+ s3 = false
 database = true
 },
 "forgejo" = {
@@ -11,35 +11,36 @@ services = {
 subdomain = "git"
 auth = true
 auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
- bucket = true
+ s3 = true
 database = true
 },
 "linkwarden" = {
 name = "linkwarden"
 subdomain = "bookmarks"
 auth = true
- bucket = true
+ auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
+ s3 = true
 database = true
 },
 "tinytinyrss" = {
 name = "tinytinyrss"
 subdomain = "rss"
 auth = false
- bucket = false
+ s3 = false
 database = true
 },
 "umami" = {
 name = "umami"
 subdomain = "analytics"
 auth = false
- bucket = false
+ s3 = false
 database = true
 },
 "wiki_js" = {
 name = "wiki_js"
 subdomain = "wiki"
 auth = true
- bucket = false
+ s3 = false
 database = true
 },
 }
diff --git a/variables.tf b/variables.tf
index 2429459..b0a3019 100644
--- a/variables.tf
+++ b/variables.tf
@@ -107,7 +107,7 @@ variable "services" {
 subdomain = string
 auth = bool
 auth_redirects = optional(list(string))
- bucket = bool
+ s3 = bool
 database = bool
 }))
 }