From ddeb8fffbc8803c809b13850ff5f623001882183 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Mon, 7 Aug 2023 11:37:19 -0700
Subject: [PATCH] Move services to their own tf files for easier locating

---
 core/authelia.tf | 146 ++++++++++++++++++++++
 core/loki.tf | 18 +++
 core/main.tf | 166 ------------------------
 services/adminer.tf | 17 +++
 services/diun.tf | 33 +++++
 services/lidarr.tf | 47 +++++++
 services/main.tf | 257 --------------------------------------
 services/media-library.tf | 16 +++
 services/minitor.tf | 29 +++++
 services/photoprism.tf | 98 +++++++++++++++
 services/whoami.tf | 10 ++
 11 files changed, 414 insertions(+), 423 deletions(-)
 create mode 100644 core/authelia.tf
 create mode 100644 core/loki.tf
 create mode 100644 services/adminer.tf
 create mode 100644 services/diun.tf
 create mode 100644 services/lidarr.tf
 create mode 100644 services/media-library.tf
 create mode 100644 services/minitor.tf
 create mode 100644 services/photoprism.tf
 create mode 100644 services/whoami.tf

diff --git a/core/authelia.tf b/core/authelia.tf
new file mode 100644
index 0000000..65011c1
--- /dev/null
+++ b/core/authelia.tf
@@ -0,0 +1,146 @@
+module "authelia" {
+ source = "../services/service"
+
+ name = "authelia"
+ instance_count = 2
+ priority = 70
+ image = "authelia/authelia:latest"
+ args = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
+ ingress = true
+ service_port = 9999
+ service_port_static = true
+ # metrics_port = 9959
+
+ env = {
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
+ AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
+ AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
+ AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
+ AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
+ AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
+ AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
+ AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
+ # AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
+ }
+
+ use_mysql = true
+ use_ldap = true
+ use_redis = true
+ mysql_bootstrap = {
+ enabled = true
+ }
+
+ service_tags = [
+ # Configure traefik to add this middleware
+ "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
+ "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
+ "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
+ "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?auth=basic",
+ "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
+ "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
+ ]
+
+ templates = [
+ {
+ data = file("${path.module}/authelia.yml")
+ dest = "authelia.yml"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "ldap_password.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "jwt_secret.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "session_secret.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "storage_encryption_key.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "mysql_password.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "oidc_hmac_secret.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "oidc_issuer_private_key.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "oidc_issuer_certificate_chain.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "smtp_password.txt"
+ mount = false
+ },
+ ]
+}
+
+resource "nomad_acl_auth_method" "nomad_authelia" {
+ name = "authelia"
+ type = "OIDC"
+ token_locality = "global"
+ max_token_ttl = "1h0m0s"
+ default = true
+
+ config {
+ oidc_discovery_url = "https://authelia.thefij.rocks"
+ oidc_client_id = "nomad"
+ oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
+ bound_audiences = ["nomad"]
+ oidc_scopes = [
+ "groups",
+ "openid",
+ ]
+ allowed_redirect_uris = [
+ "https://nomad.thefij.rocks/oidc/callback",
+ "https://nomad.thefij.rocks/ui/settings/tokens",
+ ]
+ list_claim_mappings = {
+ "groups" : "roles"
+ }
+ }
+}
+
+resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
+ description = "engineering rule"
+ auth_method = nomad_acl_auth_method.nomad_authelia.name
+ selector = "\"nomad-deploy\" in list.roles"
+ bind_type = "role"
+ bind_name = "admin" # acls.nomad_acl_role.admin.name
+}
+
+resource "nomad_acl_binding_rule" "nomad_authelia_deploy" {
+ description = "engineering rule"
+ auth_method = nomad_acl_auth_method.nomad_authelia.name
+ selector = "\"nomad-deploy\" in list.roles"
+ bind_type = "role"
+ bind_name = "deploy" # acls.nomad_acl_role.deploy.name
+}
diff --git a/core/loki.tf b/core/loki.tf
new file mode 100644
index 0000000..af4a482
--- /dev/null
+++ b/core/loki.tf
@@ -0,0 +1,18 @@
+module "loki" {
+ source = "../services/service"
+
+ name = "loki"
+ image = "grafana/loki:2.2.1"
+ args = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
+ service_port = 3100
+ ingress = true
+ sticky_disk = true
+ # healthcheck = "/ready"
+ templates = [
+ {
+ data = file("${path.module}/loki-config.yml")
+ dest = "loki-config.yml"
+ mount = false
+ }
+ ]
+}
diff --git a/core/main.tf b/core/main.tf
index d786854..4da4aae 100644
--- a/core/main.tf
+++ b/core/main.tf
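Review bot: The `nomad_authelia_admin` binding rule at the end of this hunk uses exactly the same selector as `nomad_authelia_deploy`, `selector = "\"nomad-deploy\" in list.roles"`, so every identity that carries the deploy group is also bound to the `admin` ACL role and the deploy rule never grants anything narrower. The two rules differ only in `bind_name`, which reads as a copy-paste slip rather than intent; the admin rule should test a distinct group, e.g. `selector = "\"<ADMIN_GROUP>\" in list.roles"` (placeholder, substitute the LLDAP group meant for administrators). Both rules also share `description = "engineering rule"`, so they cannot be told apart in the ACL binding-rule listing; a description naming the role each grants would help. Separately, `oidc_client_secret` is pulled out of `ansible_playbooks/vars/nomad_vars.yml` with `file()`/`yamldecode()`, which lands the client secret in Terraform state, so the state backend needs at least the protection that vars file has.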
@@ -23,25 +23,6 @@ resource "nomad_job" "nomad-client-stalker" {
 jobspec = file("${path.module}/nomad-client-stalker.nomad")
 }
 
-module "loki" {
- source = "../services/service"
-
- name = "loki"
- image = "grafana/loki:2.2.1"
- args = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
- service_port = 3100
- ingress = true
- sticky_disk = true
- # healthcheck = "/ready"
- templates = [
- {
- data = file("${path.module}/loki-config.yml")
- dest = "loki-config.yml"
- mount = false
- }
- ]
-}
-
 resource "nomad_job" "syslog-ng" {
 jobspec = file("${path.module}/syslogng.nomad")
 }
@@ -53,150 +34,3 @@ resource "nomad_job" "ddclient" {
 resource "nomad_job" "lldap" {
 jobspec = file("${path.module}/lldap.nomad")
 }
-
-module "authelia" {
- source = "../services/service"
-
- name = "authelia"
- instance_count = 2
- priority = 70
- image = "authelia/authelia:latest"
- args = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
- ingress = true
- service_port = 9999
- service_port_static = true
- # metrics_port = 9959
-
- env = {
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
- AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
- AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
- # AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
- }
-
- use_mysql = true
- use_ldap = true
- use_redis = true
- mysql_bootstrap = {
- enabled = true
- }
-
- service_tags = [
- # Configure traefik to add this middleware
- "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
- "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
- "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
- "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?auth=basic",
- "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
- "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
- ]
-
- templates = [
- {
- data = file("${path.module}/authelia.yml")
- dest = "authelia.yml"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "ldap_password.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "jwt_secret.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "session_secret.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "storage_encryption_key.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "mysql_password.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "oidc_hmac_secret.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "oidc_issuer_private_key.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "oidc_issuer_certificate_chain.txt"
- mount = false
- },
- {
- data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
- dest_prefix = "$${NOMAD_SECRETS_DIR}"
- dest = "smtp_password.txt"
- mount = false
- },
- ]
-}
-
-resource "nomad_acl_auth_method" "nomad_authelia" {
- name = "authelia"
- type = "OIDC"
- token_locality = "global"
- max_token_ttl = "1h0m0s"
- default = true
-
- config {
- oidc_discovery_url = "https://authelia.thefij.rocks"
- oidc_client_id = "nomad"
- oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
- bound_audiences = ["nomad"]
- oidc_scopes = [
- "groups",
- "openid",
- ]
- allowed_redirect_uris = [
- "https://nomad.thefij.rocks/oidc/callback",
- "https://nomad.thefij.rocks/ui/settings/tokens",
- ]
- list_claim_mappings = {
- "groups" : "roles"
- }
- }
-}
-
-resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
- description = "engineering rule"
- auth_method = nomad_acl_auth_method.nomad_authelia.name
- selector = "\"nomad-deploy\" in list.roles"
- bind_type = "role"
- bind_name = "admin" # acls.nomad_acl_role.admin.name
-}
-
-resource "nomad_acl_binding_rule" "nomad_authelia_deploy" {
- description = "engineering rule"
- auth_method = nomad_acl_auth_method.nomad_authelia.name
- selector = "\"nomad-deploy\" in list.roles"
- bind_type = "role"
- bind_name = "deploy" # acls.nomad_acl_role.deploy.name
-}
diff --git a/services/adminer.tf b/services/adminer.tf
new file mode 100644
index 0000000..6730f82
--- /dev/null
+++ b/services/adminer.tf
@@ -0,0 +1,17 @@
+module "adminer" {
+ source = "./service"
+
+ name = "adminer"
+ image = "adminer"
+
+ ingress = true
+ service_port = 8080
+
+ use_mysql = true
+ use_postgres = true
+
+ resources = {
+ cpu = 50
+ memory = 50
+ }
+}
diff --git a/services/diun.tf b/services/diun.tf
new file mode 100644
index 0000000..c431b6e
--- /dev/null
+++ b/services/diun.tf
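Review bot: The `services/adminer.tf` hunk publishes a database administration UI with `ingress = true`, `use_mysql = true` and `use_postgres = true`, yet nothing in the hunk attaches an authentication middleware to it, unlike the explicit forwardAuth `service_tags` the authelia module carries; whether `./service` applies one by default is not visible from this diff and should be confirmed before this is merged as-is. The image is also referenced as the bare `image = "adminer"`, a floating tag that silently picks up whatever upstream publishes next, in contrast to the pinned `grafana/loki:2.2.1` and `crazymax/diun:4.24` elsewhere in this commit. Pinning it, e.g. `image = "adminer:<VERSION>"` (placeholder), keeps the deployed DB console reproducible and reviewable.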
@@ -0,0 +1,33 @@
+module "diun" {
+ source = "./service"
+
+ name = "diun"
+ image = "crazymax/diun:4.24"
+ args = ["serve", "--log-level=debug"]
+
+ env = {
+ DIUN_DB_PATH = "$${NOMAD_TASK_DIR}/diun.db"
+ DIUN_WATCH_SCHEDULE = "0 */6 * * *"
+ DIUN_PROVIDERS_NOMAD_WATCHBYDEFAULT = true
+
+ # Nomad API
+ # TODO: Use socket in $NOMAD_SECRETS_DIR/api.sock when we can assign workload ACLs with Terraform to
+ # allow read access. Will need to update template to allow passing token by env
+ NOMAD_ADDR = "http://$${attr.unique.network.ip-address}:4646/"
+ DIUN_PROVIDERS_NOMAD = true
+ }
+
+ templates = [
+ {
+ data = <