203 lines
6.7 KiB
HCL
203 lines
6.7 KiB
HCL
module "blocky" {
|
|
source = "./blocky"
|
|
|
|
base_hostname = var.base_hostname
|
|
# Not in this module
|
|
# depends_on = [module.databases]
|
|
}
|
|
|
|
module "traefik" {
|
|
source = "./traefik"
|
|
|
|
base_hostname = var.base_hostname
|
|
}
|
|
|
|
module "metrics" {
|
|
source = "./metrics"
|
|
# Not in this module
|
|
# depends_on = [module.databases]
|
|
}
|
|
|
|
resource "nomad_job" "nomad-client-stalker" {
|
|
# Stalker used to allow using Nomad service registry to identify nomad client hosts
|
|
jobspec = file("${path.module}/nomad-client-stalker.nomad")
|
|
}
|
|
|
|
module "loki" {
|
|
source = "../services/service"
|
|
|
|
name = "loki"
|
|
image = "grafana/loki:2.2.1"
|
|
args = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
|
|
service_port = 3100
|
|
ingress = true
|
|
sticky_disk = true
|
|
# healthcheck = "/ready"
|
|
templates = [
|
|
{
|
|
data = file("${path.module}/loki-config.yml")
|
|
dest = "loki-config.yml"
|
|
mount = false
|
|
}
|
|
]
|
|
}
|
|
|
|
resource "nomad_job" "syslog-ng" {
|
|
jobspec = file("${path.module}/syslogng.nomad")
|
|
}
|
|
|
|
resource "nomad_job" "ddclient" {
|
|
jobspec = file("${path.module}/ddclient.nomad")
|
|
}
|
|
|
|
resource "nomad_job" "lldap" {
|
|
jobspec = file("${path.module}/lldap.nomad")
|
|
}
|
|
|
|
module "authelia" {
|
|
source = "../services/service"
|
|
|
|
name = "authelia"
|
|
instance_count = 2
|
|
priority = 70
|
|
image = "authelia/authelia:latest"
|
|
args = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
|
|
ingress = true
|
|
service_port = 9091
|
|
service_port_static = true
|
|
# metrics_port = 9959
|
|
|
|
env = {
|
|
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
|
|
AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
|
|
AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
|
|
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
|
|
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
|
|
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
|
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
|
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
|
|
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
|
|
}
|
|
|
|
use_mysql = true
|
|
use_ldap = true
|
|
use_redis = true
|
|
mysql_bootstrap = {
|
|
enabled = true
|
|
}
|
|
|
|
service_tags = [
|
|
# Configure traefik to add this middleware
|
|
"traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.nomad:9091/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
|
|
"traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
|
|
"traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
|
|
"traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.nomad:9091/api/verify?auth=basic",
|
|
"traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
|
|
"traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
|
|
]
|
|
|
|
templates = [
|
|
{
|
|
data = file("${path.module}/authelia.yml")
|
|
dest = "authelia.yml"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "ldap_password.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "jwt_secret.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "session_secret.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "storage_encryption_key.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "mysql_password.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "oidc_hmac_secret.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "oidc_issuer_private_key.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "oidc_issuer_certificate_chain.txt"
|
|
mount = false
|
|
},
|
|
{
|
|
data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
|
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
|
dest = "smtp_password.txt"
|
|
mount = false
|
|
},
|
|
]
|
|
}
|
|
|
|
resource "nomad_acl_auth_method" "nomad_authelia" {
|
|
name = "authelia"
|
|
type = "OIDC"
|
|
token_locality = "global"
|
|
max_token_ttl = "1h0m0s"
|
|
default = true
|
|
|
|
config {
|
|
oidc_discovery_url = "https://authelia.thefij.rocks"
|
|
oidc_client_id = "nomad"
|
|
oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
|
|
bound_audiences = ["nomad"]
|
|
oidc_scopes = [
|
|
"groups",
|
|
"openid",
|
|
]
|
|
allowed_redirect_uris = [
|
|
"https://nomad.thefij.rocks/oidc/callback",
|
|
"https://nomad.thefij.rocks/ui/settings/tokens",
|
|
]
|
|
list_claim_mappings = {
|
|
"groups" : "roles"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
|
|
description = "engineering rule"
|
|
auth_method = nomad_acl_auth_method.nomad_authelia.name
|
|
selector = "\"nomad-deploy\" in list.roles"
|
|
bind_type = "role"
|
|
bind_name = "admin" # acls.nomad_acl_role.admin.name
|
|
}
|
|
|
|
resource "nomad_acl_binding_rule" "nomad_authelia_deploy" {
|
|
description = "engineering rule"
|
|
auth_method = nomad_acl_auth_method.nomad_authelia.name
|
|
selector = "\"nomad-deploy\" in list.roles"
|
|
bind_type = "role"
|
|
bind_name = "deploy" # acls.nomad_acl_role.deploy.name
|
|
}
|