serguzim/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor output

Browse source
This commit is contained in:
Tobias Reisinger 2024-09-28 18:24:07 +02:00
parent 01ee9d4b44
commit 8ad3a4a041
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
9 changed files with 52 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
authentik.tf
View file

@ -11,7 +11,7 @@ data "authentik_property_mapping_provider_scope" "default_scopes" {
} }
resource "authentik_provider_oauth2" "service_providers" { resource "authentik_provider_oauth2" "service_providers" {
for_each = local.service_auths for_each = local.services_auth
name = each.value.name name = each.value.name
client_type = "confidential" client_type = "confidential"
client_id = each.value.name client_id = each.value.name
@ -21,7 +21,7 @@ resource "authentik_provider_oauth2" "service_providers" {
} }
resource "authentik_application" "service_applications" { resource "authentik_application" "service_applications" {
for_each = local.service_auths for_each = local.services_auth
name = each.value.name name = each.value.name
slug = "${each.value.subdomain}-serguzim-me" slug = "${each.value.subdomain}-serguzim-me"
protocol_provider = authentik_provider_oauth2.service_providers[each.key].id protocol_provider = authentik_provider_oauth2.service_providers[each.key].id

4
main.tf
View file

@ -86,6 +86,8 @@ provider "tailscale" {
} }
locals { locals {
service_auths = {for key, val in var.services : key => val if val.auth} services_auth = {for key, val in var.services : key => val if val.auth}
services_database = {for key, val in var.services : key => val if val.database}
services_s3 = {for key, val in var.services : key => val if val.s3}
} }

29
output.tf
View file

@ -16,7 +16,7 @@ output "hosts" {
output "authentik_data" { output "authentik_data" {
value = { value = {
for key, val in local.service_auths : key => { for key, val in local.services_auth : key => {
"base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}" "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
"client_id" = authentik_provider_oauth2.service_providers[key].client_id "client_id" = authentik_provider_oauth2.service_providers[key].client_id
"client_secret" = authentik_provider_oauth2.service_providers[key].client_secret "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
@ -25,8 +25,14 @@ output "authentik_data" {
sensitive = true sensitive = true
} }
output "postgresql_service_roles" { output "postgresql_data" {
value = postgresql_role.service_roles value = {
for key, val in local.services_auth : key => {
"user" = postgresql_role.service_roles[key].name
"pass" = postgresql_role.service_roles[key].password
"database" = postgresql_database.service_databases[key].name
}
}
sensitive = true sensitive = true
} }
@ -37,15 +43,20 @@ output "postgresql" {
} }
} }
output "scaleway_service_keys" { output "scaleway_data" {
value = scaleway_iam_api_key.service_keys value = {
for key, val in local.services_s3 : key => {
"access_key" = scaleway_iam_api_key.service_keys[key].access_key
"secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
"name" = scaleway_object_bucket.service_buckets[key].name
"region" = scaleway_object_bucket.service_buckets[key].region
"endpoint" = scaleway_object_bucket.service_buckets[key].endpoint
"api_endpoint" = scaleway_object_bucket.service_buckets[key].api_endpoint
}
}
sensitive = true sensitive = true
} }
output "scaleway_service_buckets" {
value = scaleway_object_bucket.service_buckets
}
output "scaleway_registry_endpoint_public" { output "scaleway_registry_endpoint_public" {
value = scaleway_registry_namespace.public.endpoint value = scaleway_registry_namespace.public.endpoint
} }

11
postgresql.tf
View file

@ -1,23 +1,18 @@
locals {
service_databases = {for key, val in var.services : key => val if val.database}
}
resource "random_password" "postgresql_service_passwords" { resource "random_password" "postgresql_service_passwords" {
for_each = local.service_databases for_each = local.services_database
length = 32 length = 32
special = false special = false
} }
resource "postgresql_role" "service_roles" { resource "postgresql_role" "service_roles" {
for_each = local.service_databases for_each = local.services_database
name = each.value.name name = each.value.name
login = true login = true
password = random_password.postgresql_service_passwords[each.key].result password = random_password.postgresql_service_passwords[each.key].result
} }
resource "postgresql_database" "service_databases" { resource "postgresql_database" "service_databases" {
for_each = local.service_databases for_each = local.services_database
name = each.value.name name = each.value.name
owner = postgresql_role.service_roles[each.key].name owner = postgresql_role.service_roles[each.key].name
} }

10
roles/forgejo/vars/main.yml
View file

@ -71,11 +71,11 @@ forgejo_env:
FORGEJO__actions__ENABLED: true FORGEJO__actions__ENABLED: true
FORGEJO__storage__STORAGE_TYPE: minio FORGEJO__storage__STORAGE_TYPE: minio
FORGEJO__storage__MINIO_ENDPOINT: "{{ opentofu.scaleway_service_buckets.forgejo.api_endpoint | urlsplit('hostname') }}" FORGEJO__storage__MINIO_ENDPOINT: "{{ opentofu.scaleway_data.forgejo.api_endpoint | urlsplit('hostname') }}"
FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ opentofu.scaleway_service_keys.forgejo.access_key }}" FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ opentofu.scaleway_data.forgejo.access_key }}"
FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ opentofu.scaleway_service_keys.forgejo.secret_key }}" FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ opentofu.scaleway_data.forgejo.secret_key }}"
FORGEJO__storage__MINIO_BUCKET: "{{ opentofu.scaleway_service_buckets.forgejo.name }}" FORGEJO__storage__MINIO_BUCKET: "{{ opentofu.scaleway_data.forgejo.name }}"
FORGEJO__storage__MINIO_LOCATION: "{{ opentofu.scaleway_service_buckets.forgejo.region }}" FORGEJO__storage__MINIO_LOCATION: "{{ opentofu.scaleway_data.forgejo.region }}"
FORGEJO__storage__MINIO_USE_SSL: true FORGEJO__storage__MINIO_USE_SSL: true
FORGEJO__other__SHOW_FOOTER_VERSION: true FORGEJO__other__SHOW_FOOTER_VERSION: true

10
roles/linkwarden/vars/main.yml
View file

@ -6,8 +6,8 @@ linkwarden_db_user: "{{ opentofu.postgresql_service_roles.linkwarden.name }}"
linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}" linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}"
linkwarden_db_database: linkwarden linkwarden_db_database: linkwarden
linkwarden_s3_accesskey: "{{ opentofu.scaleway_service_keys.linkwarden.access_key }}" linkwarden_s3_accesskey: "{{ opentofu.scaleway_data.linkwarden.access_key }}"
linkwarden_s3_secretkey: "{{ opentofu.scaleway_service_keys.linkwarden.secret_key }}" linkwarden_s3_secretkey: "{{ opentofu.scaleway_data.linkwarden.secret_key }}"
linkwarden_svc: linkwarden_svc:
domain: bookmarks.serguzim.me domain: bookmarks.serguzim.me
@ -21,9 +21,9 @@ linkwarden_env:
SPACES_KEY: "{{ linkwarden_s3_accesskey }}" SPACES_KEY: "{{ linkwarden_s3_accesskey }}"
SPACES_SECRET: "{{ linkwarden_s3_secretkey }}" SPACES_SECRET: "{{ linkwarden_s3_secretkey }}"
SPACES_ENDPOINT: "{{ opentofu.scaleway_service_buckets.linkwarden.api_endpoint }}" SPACES_ENDPOINT: "{{ opentofu.scaleway_data.linkwarden.api_endpoint }}"
SPACES_BUCKET_NAME: "{{ opentofu.scaleway_service_buckets.linkwarden.name }}" SPACES_BUCKET_NAME: "{{ opentofu.scaleway_data.linkwarden.name }}"
SPACES_REGION: "{{ opentofu.scaleway_service_buckets.linkwarden.region }}" SPACES_REGION: "{{ opentofu.scaleway_data.linkwarden.region }}"
SPACES_FORCE_PATH_STYLE: false SPACES_FORCE_PATH_STYLE: false
NEXT_PUBLIC_DISABLE_REGISTRATION: true NEXT_PUBLIC_DISABLE_REGISTRATION: true

14
scaleway.tf
View file

@ -11,17 +11,13 @@ data "scaleway_iam_user" "serguzim" {
email = "tobias@msrg.cc" email = "tobias@msrg.cc"
} }
locals {
service_buckets = {for key, val in var.services : key => val if val.bucket}
}
resource "scaleway_iam_application" "service_applications" { resource "scaleway_iam_application" "service_applications" {
for_each = local.service_buckets for_each = local.services_s3
name = each.value.name name = each.value.name
} }
resource "scaleway_iam_policy" "service_storage_policies" { resource "scaleway_iam_policy" "service_storage_policies" {
for_each = local.service_buckets for_each = local.services_s3
name = "${each.key}_storage_policy" name = "${each.key}_storage_policy"
application_id = scaleway_iam_application.service_applications[each.key].id application_id = scaleway_iam_application.service_applications[each.key].id
rule { rule {
@ -31,7 +27,7 @@ resource "scaleway_iam_policy" "service_storage_policies" {
} }
resource "scaleway_object_bucket" "service_buckets" { resource "scaleway_object_bucket" "service_buckets" {
for_each = local.service_buckets for_each = local.services_s3
name = "${each.value.name}.serguzim.me" name = "${each.value.name}.serguzim.me"
lifecycle { lifecycle {
prevent_destroy = true prevent_destroy = true
@ -39,7 +35,7 @@ resource "scaleway_object_bucket" "service_buckets" {
} }
resource "scaleway_object_bucket_policy" "service_bucket_policies" { resource "scaleway_object_bucket_policy" "service_bucket_policies" {
for_each = local.service_buckets for_each = local.services_s3
bucket = scaleway_object_bucket.service_buckets[each.key].id bucket = scaleway_object_bucket.service_buckets[each.key].id
policy = jsonencode({ policy = jsonencode({
Version = "2023-04-17", Version = "2023-04-17",
@ -78,7 +74,7 @@ resource "time_rotating" "rotate_after_a_year" {
} }
resource "scaleway_iam_api_key" "service_keys" { resource "scaleway_iam_api_key" "service_keys" {
for_each = local.service_buckets for_each = local.services_s3
description = "Service key for ${each.key}" description = "Service key for ${each.key}"
application_id = scaleway_iam_application.service_applications[each.key].id application_id = scaleway_iam_application.service_applications[each.key].id
expires_at = time_rotating.rotate_after_a_year.rotation_rfc3339 expires_at = time_rotating.rotate_after_a_year.rotation_rfc3339

13
services.auto.tfvars
View file

@ -3,7 +3,7 @@ services = {
name = "acme_dns" name = "acme_dns"
subdomain = "acme" subdomain = "acme"
auth = false auth = false
bucket = false s3 = false
database = true database = true
}, },
"forgejo" = { "forgejo" = {
@ -11,35 +11,36 @@ services = {
subdomain = "git" subdomain = "git"
auth = true auth = true
auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"] auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
bucket = true s3 = true
database = true database = true
}, },
"linkwarden" = { "linkwarden" = {
name = "linkwarden" name = "linkwarden"
subdomain = "bookmarks" subdomain = "bookmarks"
auth = true auth = true
bucket = true auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
s3 = true
database = true database = true
}, },
"tinytinyrss" = { "tinytinyrss" = {
name = "tinytinyrss" name = "tinytinyrss"
subdomain = "rss" subdomain = "rss"
auth = false auth = false
bucket = false s3 = false
database = true database = true
}, },
"umami" = { "umami" = {
name = "umami" name = "umami"
subdomain = "analytics" subdomain = "analytics"
auth = false auth = false
bucket = false s3 = false
database = true database = true
}, },
"wiki_js" = { "wiki_js" = {
name = "wiki_js" name = "wiki_js"
subdomain = "wiki" subdomain = "wiki"
auth = true auth = true
bucket = false s3 = false
database = true database = true
}, },
} }

2
variables.tf
View file

@ -107,7 +107,7 @@ variable "services" {
subdomain = string subdomain = string
auth = bool auth = bool
auth_redirects = optional(list(string)) auth_redirects = optional(list(string))
bucket = bool s3 = bool
database = bool database = bool
})) }))
} }