From ca1c3d83479a68503e6c2eda3584f1ab96483ef1 Mon Sep 17 00:00:00 2001 
From: Florian Maury Date: Sun, 26 Jan 2025 17:56:16 +0100 Subject: [PATCH] add nextcloud + fmt --- main.tf | 120 +-- modules/acme_server/main.tf | 74 +- modules/acme_server/outputs.tf | 2 +- modules/acme_server/variables.tf | 4 +- modules/caddy_reverse/main.tf | 266 +++--- modules/caddy_reverse/outputs.tf | 2 +- modules/caddy_reverse/variables.tf | 22 +- modules/castopod/main.tf | 820 +++++++++--------- modules/castopod/outputs.tf | 2 +- modules/castopod/variables.tf | 16 +- modules/dns_resolver/main.tf | 208 ++--- modules/dns_resolver/variables.tf | 76 +- modules/netboot_server/caddy.tf | 252 +++--- modules/netboot_server/dhcp.tf | 222 ++--- modules/netboot_server/main.tf | 416 ++++----- modules/netboot_server/sftp.tf | 328 +++---- modules/netboot_server/variables.tf | 80 +- modules/nextcloud/files/Caddyfile.tftpl | 102 +++ modules/nextcloud/files/caddy-backend.network | 6 + .../nextcloud/files/caddy-data.volume.tftpl | 11 + .../nextcloud/files/caddy-frontend.network | 5 + modules/nextcloud/files/caddy.container.tftpl | 23 + .../files/generate-secrets.service.tftpl | 10 + .../nextcloud/files/nextcloud-backend.network | 6 + .../files/nextcloud-data.volume.tftpl | 11 + .../files/nextcloud-internet.network | 5 + .../nextcloud/files/nextcloud.container.tftpl | 31 + modules/nextcloud/files/php-fpm-www.conf | 490 +++++++++++ .../files/postgres-data.volume.tftpl | 11 + .../nextcloud/files/postgres.container.tftpl | 23 + modules/nextcloud/files/postgres.env.tftpl | 3 + .../nextcloud/files/valkey-data.volume.tftpl | 8 + .../nextcloud/files/valkey.container.tftpl | 20 + modules/nextcloud/main.tf | 603 +++++++++++++ modules/nextcloud/outputs.tf | 3 + modules/nextcloud/variables.tf | 30 + modules/poc/main.tf | 214 ++--- modules/poc/variables.tf | 76 +- modules/sshd/main.tf | 232 ++--- modules/sshd/outputs.tf | 18 +- modules/sshd/variables.tf | 220 ++--- outputs.tf | 9 +- settings.auto.tfvars | 25 +- variables.tf | 127 +-- 44 files changed, 3335 insertions(+), 1897 
deletions(-) create mode 100644 modules/nextcloud/files/Caddyfile.tftpl create mode 100644 modules/nextcloud/files/caddy-backend.network create mode 100644 modules/nextcloud/files/caddy-data.volume.tftpl create mode 100644 modules/nextcloud/files/caddy-frontend.network create mode 100644 modules/nextcloud/files/caddy.container.tftpl create mode 100644 modules/nextcloud/files/generate-secrets.service.tftpl create mode 100644 modules/nextcloud/files/nextcloud-backend.network create mode 100644 modules/nextcloud/files/nextcloud-data.volume.tftpl create mode 100644 modules/nextcloud/files/nextcloud-internet.network create mode 100644 modules/nextcloud/files/nextcloud.container.tftpl create mode 100644 modules/nextcloud/files/php-fpm-www.conf create mode 100644 modules/nextcloud/files/postgres-data.volume.tftpl create mode 100644 modules/nextcloud/files/postgres.container.tftpl create mode 100644 modules/nextcloud/files/postgres.env.tftpl create mode 100644 modules/nextcloud/files/valkey-data.volume.tftpl create mode 100644 modules/nextcloud/files/valkey.container.tftpl create mode 100644 modules/nextcloud/main.tf create mode 100644 modules/nextcloud/outputs.tf create mode 100644 modules/nextcloud/variables.tf diff --git a/main.tf b/main.tf index 3b2ae9a..60a802b 100644 --- a/main.tf +++ b/main.tf 
@@ -1,73 +1,73 @@ terraform { required_providers { proxmox = { - source = "bpg/proxmox" - version = "~>0.56.1" + source = "bpg/proxmox" + version = ">= 0.70.0" } } required_version = ">=1.6.2" } provider "proxmox" { - endpoint = var.pve_api_base_url - api_token = var.pve_api_token + endpoint = var.pve_api_base_url + api_token = var.pve_api_token } -module "netboot_server" { - source = "./modules/netboot_server" - hostname = "netboot_server" - prod_network_name = var.admin_network_name - dhcp_iface = "ens18" - dhcp_server_ip_addr = cidrhost(var.admin_network_prefix, 2) - dhcp_gateway = cidrhost(var.admin_network_prefix, 1) - dhcp_range = var.admin_network_prefix - ssh_public_key_opentofu_netboot_server = var.ssh_public_key_opentofu_netboot_server +# module "netboot_server" { +# source = "./modules/netboot_server" +# hostname = "netboot_server" +# prod_network_name = var.admin_network_name +# dhcp_iface = "ens18" +# dhcp_server_ip_addr = cidrhost(var.admin_network_prefix, 2) +# dhcp_gateway = cidrhost(var.admin_network_prefix, 1) +# dhcp_range = var.admin_network_prefix +# ssh_public_key_opentofu_netboot_server = var.ssh_public_key_opentofu_netboot_server - pve_api_base_url = var.pve_api_base_url - pve_api_token = var.pve_api_token - pve_node_name = var.pve_node_name - pve_storage_id = var.pve_storage_id - pve_vm_id = 108 -} +# pve_api_base_url = var.pve_api_base_url +# pve_api_token = var.pve_api_token +# pve_node_name = var.pve_node_name +# pve_storage_id = var.pve_storage_id +# pve_vm_id = 108 +# } -module "poc" { - depends_on = [ module.netboot_server ] - source = "./modules/poc" - pve_vm_id = 110 - pve_storage_id = "local" - pve_node_name = "ns3152888" - pve_ssh_user = var.pve_ssh_user - pve_ssh_host = var.pve_ssh_host - netboot_server_ip_address = cidrhost(var.admin_network_prefix, 2) - - admin_network = { - name = var.admin_network_name - prefix = var.admin_network_prefix - mac_address = "1c:69:7a:ff:ff:01" - } - prod_network = { - name = var.prod_network_name 
- prefix = var.prod_network_prefix - mac_address = "1c:69:7a:ef:ff:01" - } - monitoring_network = { - name = var.monit_network_name - prefix = var.monit_network_prefix - mac_address = "1c:69:7a:df:ff:01" - } - admin_ssh_public_key = var.ssh_public_key_admin_netboot_server -} +# module "poc" { +# depends_on = [module.netboot_server] +# source = "./modules/poc" +# pve_vm_id = 110 +# pve_storage_id = "local" +# pve_node_name = "ns3152888" +# pve_ssh_user = var.pve_ssh_user +# pve_ssh_host = var.pve_ssh_host +# netboot_server_ip_address = cidrhost(var.admin_network_prefix, 2) + +# admin_network = { +# name = var.admin_network_name +# prefix = var.admin_network_prefix +# mac_address = "1c:69:7a:ff:ff:01" +# } +# prod_network = { +# name = var.prod_network_name +# prefix = var.prod_network_prefix +# mac_address = "1c:69:7a:ef:ff:01" +# } +# monitoring_network = { +# name = var.monit_network_name +# prefix = var.monit_network_prefix +# mac_address = "1c:69:7a:df:ff:01" +# } +# admin_ssh_public_key = var.ssh_public_key_admin_netboot_server +# } locals { - castopod_domain = "pod.broken-by-design.fr" + castopod_domain = "pod.broken-by-design.fr" castopod_upstream_port = 8000 } module "castopod_config" { source = "./modules/castopod" - base_url = "https://pod.broken-by-design.fr/" - castopod_domain = local.castopod_domain + base_url = "https://pod.broken-by-design.fr/" + castopod_domain = local.castopod_domain castopod_upstream_port = local.castopod_upstream_port ssh_authorized_keys = [ file("/var/home/fmaury/.ssh/fma_ovh_rise2.pub") 
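Review bot: The new constraint `version = ">= 0.70.0"` on the bpg/proxmox provider has no upper bound, so any future major release of that provider, with whatever breaking or behavioural changes it carries, satisfies `terraform init`; the previous `~>0.56.1` at least pinned a minor series. A bounded form such as `version = "~> 0.70.0"` keeps the intent of requiring 0.70 while excluding unreviewed jumps, and the generated `.terraform.lock.hcl` should be committed alongside it if it is not already (not visible in this patch). Note also that modules/acme_server/main.tf, touched later in this patch only for formatting, still requires `~>0.56.1`; that module is not called from the visible root configuration, but if it ever is, the two constraints cannot intersect and init will fail. The netboot_server and poc module blocks are kept as commented-out text rather than removed; git history already preserves them, so deleting them would keep main.tf readable.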
@@ -83,10 +83,26 @@ module "caddy_config" { upstreams = [ "10.109.0.13:${local.castopod_upstream_port}" ] + }, + { + domain = "nextcloud.broken-by-design.fr" + upstreams = [ + "10.109.0.16:8443" + ] } ] - ssh_authorized_keys = [ - file("/var/home/fmaury/.ssh/fma_ovh_rise2.pub") - ] + ssh_authorized_keys = var.ssh_authorized_keys } + +module "nextcloud_config" { + source = "./modules/nextcloud" + ssh_authorized_keys = var.ssh_authorized_keys + nextcloud_domain = "nextcloud.broken-by-design.fr" + reverse_proxy_ip_address = "10.109.0.14" + nextcloud_trusted_domains = [ + "nextcloud.broken-by-design.fr", + ] + luks_passphrase = var.nextcloud_luks_passphrase + luks_use_tpm2 = false +} \ No newline at end of file diff --git a/modules/acme_server/main.tf b/modules/acme_server/main.tf index 82c5301..85e3d09 100644 --- a/modules/acme_server/main.tf +++ b/modules/acme_server/main.tf @@ -1,11 +1,11 @@ terraform { required_providers { proxmox = { - source = "bpg/proxmox" + source = "bpg/proxmox" version = "~>0.56.1" } ignition = { - source = "community-terraform-providers/ignition" + source = "community-terraform-providers/ignition" version = "2.3.4" } } 
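Review bot: `luks_passphrase = var.nextcloud_luks_passphrase` hands the disk-encryption passphrase to the module as an ordinary argument; unless both the root `nextcloud_luks_passphrase` variable and the module's `luks_passphrase` variable are declared `sensitive = true` (neither variables.tf is in this chunk), the value is printed in plan/apply output, and any resource attribute it feeds is written to the state file in plaintext regardless, so wherever state is stored must be treated as holding key material. `luks_use_tpm2 = false` leaves the passphrase as the only unlock path, which deserves a one-line comment stating why TPM2 sealing is disabled on this VM. The Nextcloud upstream `10.109.0.16:8443` in the caddy_config vhost list and `reverse_proxy_ip_address = "10.109.0.14"` in nextcloud_config are related fixed addresses written as literals in two places; lifting them into `locals` (as the castopod block already does for its domain and port) would keep the proxy and the backend from drifting apart. The file also ends without a trailing newline (`\ No newline at end of file`).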
@@ -13,48 +13,48 @@ terraform { } data "ignition_disk" "data" { - device = "/dev/disk/by-path/0000:00:0b.0" - - partition { - label = "caddy_config" - number = 0 - sizemib = 100 - startmib = 0 - type_guid = "0FC63DAF-8483-4772-8E79-3D69D8477DE4" - } - partition { - label = "caddy_data" - number = 0 - sizemib = 1000 - startmib = 0 - type_guid = "0FC63DAF-8483-4772-8E79-3D69D8477DE4" - } + device = "/dev/disk/by-path/0000:00:0b.0" + + partition { + label = "caddy_config" + number = 0 + sizemib = 100 + startmib = 0 + type_guid = "0FC63DAF-8483-4772-8E79-3D69D8477DE4" + } + partition { + label = "caddy_data" + number = 0 + sizemib = 1000 + startmib = 0 + type_guid = "0FC63DAF-8483-4772-8E79-3D69D8477DE4" + } } data "ignition_filesystem" "caddy_config" { - device = "/dev/disk/by-label/caddy_config" - format = "btrfs" - wipe_filesystem = true - label = "caddy_config" - path = "/caddy/config" - mount_options = ["nodev", "noexec", "nosuid"] + device = "/dev/disk/by-label/caddy_config" + format = "btrfs" + wipe_filesystem = true + label = "caddy_config" + path = "/caddy/config" + mount_options = ["nodev", "noexec", "nosuid"] } data "ignition_filesystem" "caddy_data" { - device = "/dev/disk/by-label/caddy_data" - format = "btrfs" - wipe_filesystem = true - label = "caddy_data" - path = "/caddy/data" - mount_options = ["nodev", "noexec", "nosuid"] + device = "/dev/disk/by-label/caddy_data" + format = "btrfs" + wipe_filesystem = true + label = "caddy_data" + path = "/caddy/data" + mount_options = ["nodev", "noexec", "nosuid"] } data "ignition_config" "acme_server" { - disks = [ - data.ignition_disk.data.rendered, - ] - filesystems = [ - data.ignition_filesystem.caddy_config.rendered, - data.ignition_filesystem.caddy_data.rendered, - ] + disks = [ + data.ignition_disk.data.rendered, + ] + filesystems = [ + data.ignition_filesystem.caddy_config.rendered, + data.ignition_filesystem.caddy_data.rendered, + ] } 
diff --git a/modules/acme_server/outputs.tf b/modules/acme_server/outputs.tf index 71fa7de..cd59496 100644 --- a/modules/acme_server/outputs.tf +++ b/modules/acme_server/outputs.tf @@ -1,3 +1,3 @@ output "test" { - value = data.ignition_config.acme_server.rendered + value = data.ignition_config.acme_server.rendered } diff --git a/modules/acme_server/variables.tf b/modules/acme_server/variables.tf index fecc4f5..2ee95d7 100644 --- a/modules/acme_server/variables.tf +++ b/modules/acme_server/variables.tf @@ -1,5 +1,5 @@ variable "fcos_base_vm_id" { - type = number - nullable = false + type = number + nullable = false } diff --git a/modules/caddy_reverse/main.tf b/modules/caddy_reverse/main.tf index 1d85945..38b3349 100644 --- a/modules/caddy_reverse/main.tf +++ b/modules/caddy_reverse/main.tf 
@@ -1,151 +1,151 @@ locals { - data_device_path = "/dev/vdb" + data_device_path = "/dev/vdb" - caddy_version = "2.8.4-alpine" + caddy_version = "2.8.4-alpine" - caddy_config_dir_path = "/opt/caddy_config" - caddy_data_volume_name = "caddy_data" - caddy_network_name = "caddy_net" + caddy_config_dir_path = "/opt/caddy_config" + caddy_data_volume_name = "caddy_data" + caddy_network_name = "caddy_net" - data_disk = { - device = local.data_device_path - wipeTable = true - partitions = [ + data_disk = { + device = local.data_device_path + wipeTable = true + partitions = [ + { + label = local.caddy_data_volume_name + number = 1 + sizeMiB = 512 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + ] + } + + caddy_data_filesystem = { + device = "${local.data_device_path}1" + format = "ext4" + label = local.caddy_data_volume_name + } + + caddy_data_volume_file = { + path = "/etc/containers/systemd/${local.caddy_data_volume_name}.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/caddy_data.volume.tftpl", { - label = local.caddy_data_volume_name - number = 1 - sizeMiB = 512 - wipePartitionEntry = true - shouldExist = true - resize = true - }, - ] + caddy_data_volume_name = local.caddy_data_volume_name + } + ) + ) + ) } + } - caddy_data_filesystem = { - device = "${local.data_device_path}1" - format = "ext4" - label = local.caddy_data_volume_name + caddy_config_directory = { + path = local.caddy_config_dir_path + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + } + + caddyfile_file = { + path = "${local.caddy_config_dir_path}/Caddyfile" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/Caddyfile.tftpl", + { + vhosts = var.vhosts + } + ) + ) + ) } + } - caddy_data_volume_file = { - 
path = "/etc/containers/systemd/${local.caddy_data_volume_name}.volume" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/caddy_data.volume.tftpl", - { - caddy_data_volume_name = local.caddy_data_volume_name - } - ) - ) - ) - } + caddy_network_file = { + path = "/etc/containers/systemd/${local.caddy_network_name}.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/caddy.network.tftpl", + { + caddy_network_name = local.caddy_network_name + } + ) + ) + ) } + } - caddy_config_directory = { - path = local.caddy_config_dir_path - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 + caddy_container_file = { + path = "/etc/containers/systemd/caddy.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/caddy.container.tftpl", + { + caddy_version = local.caddy_version + caddy_data_volume_name = local.caddy_data_volume_name + caddy_config_file_path = "${local.caddy_config_dir_path}/Caddyfile" + caddy_network_name = local.caddy_network_name + } + ) + ) + ) } + } - caddyfile_file = { - path = "${local.caddy_config_dir_path}/Caddyfile" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/Caddyfile.tftpl", - { - vhosts = var.vhosts - } - ) - ) - ) - } + ignition_config = jsonencode({ + ignition = { + version = "3.4.0" } - - caddy_network_file = { - path = "/etc/containers/systemd/${local.caddy_network_name}.network" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - 
templatefile( - "${path.module}/files/caddy.network.tftpl", - { - caddy_network_name = local.caddy_network_name - } - ) - ) - ) - } + storage = { + disks = [ + local.data_disk, + ] + filesystems = [ + local.caddy_data_filesystem, + ] + files = [ + local.caddy_data_volume_file, + local.caddyfile_file, + local.caddy_network_file, + local.caddy_container_file, + ] + directories = [ + local.caddy_config_directory, + ] } - - caddy_container_file = { - path = "/etc/containers/systemd/caddy.container" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/caddy.container.tftpl", - { - caddy_version = local.caddy_version - caddy_data_volume_name = local.caddy_data_volume_name - caddy_config_file_path = "${local.caddy_config_dir_path}/Caddyfile" - caddy_network_name = local.caddy_network_name - } - ) - ) - ) + passwd = { + users = [ + { + name = "core" + sshAuthorizedKeys = var.ssh_authorized_keys } + ] } - - ignition_config = jsonencode({ - ignition = { - version = "3.4.0" - } - storage = { - disks = [ - local.data_disk, - ] - filesystems = [ - local.caddy_data_filesystem, - ] - files = [ - local.caddy_data_volume_file, - local.caddyfile_file, - local.caddy_network_file, - local.caddy_container_file, - ] - directories = [ - local.caddy_config_directory, - ] - } - passwd = { - users = [ - { - name = "core" - sshAuthorizedKeys = var.ssh_authorized_keys - } - ] - } - }) + }) } diff --git a/modules/caddy_reverse/outputs.tf b/modules/caddy_reverse/outputs.tf index 3f0fbc2..494575a 100644 --- a/modules/caddy_reverse/outputs.tf +++ b/modules/caddy_reverse/outputs.tf @@ -1,3 +1,3 @@ output "config" { - value = local.ignition_config + value = local.ignition_config } diff --git a/modules/caddy_reverse/variables.tf b/modules/caddy_reverse/variables.tf index 3eb1a2a..5458df9 100644 --- a/modules/caddy_reverse/variables.tf +++ b/modules/caddy_reverse/variables.tf 
@@ -1,16 +1,16 @@ variable "vhosts" { - type = list(object({ - domain = string - upstreams = list(string) - headers_down = optional(list(object({ - modifier = optional(string, "") - name = string - value = string - })), []) - })) + type = list(object({ + domain = string + upstreams = list(string) + headers_down = optional(list(object({ + modifier = optional(string, "") + name = string + value = string + })), []) + })) } variable "ssh_authorized_keys" { - type = list(string) - nullable = false + type = list(string) + nullable = false } diff --git a/modules/castopod/main.tf b/modules/castopod/main.tf index 2790c17..18cef12 100644 --- a/modules/castopod/main.tf +++ b/modules/castopod/main.tf 
@@ -1,452 +1,452 @@ locals { - caddy_frontend_network_name = "caddy-frontend" - caddy_container_name = "caddy" - caddy_version = "2.9.1-alpine" - caddy_config_dir = "/var/opt/caddy" + caddy_frontend_network_name = "caddy-frontend" + caddy_container_name = "caddy" + caddy_version = "2.9.1-alpine" + caddy_config_dir = "/var/opt/caddy" - castopod_frontend_network_name = "castopod-frontend" - castopod_backend_network_name = "castopod-backend" - castopod_media_volume_name = "castopod-media" - castopod_container_name = "castopod" + castopod_frontend_network_name = "castopod-frontend" + castopod_backend_network_name = "castopod-backend" + castopod_media_volume_name = "castopod-media" + castopod_container_name = "castopod" - castopod_db_name = "castopod" - castopod_db_user = "castopod" - castopod_base_url = var.base_url + castopod_db_name = "castopod" + castopod_db_user = "castopod" + castopod_base_url = var.base_url - valkey_container_name = "valkey" - valkey_cache_volume_name = "castopod-cache" + valkey_container_name = "valkey" + valkey_cache_volume_name = "castopod-cache" - mariadb_container_name = "mariadb" - mariadb_data_volume_name = "castopod-db" - mariadb_version = "11.5" + mariadb_container_name = "mariadb" + mariadb_data_volume_name = "castopod-db" + mariadb_version = "11.5" - secrets_part_name = "secrets" - secrets_path = "/var/opt/secrets" - secrets_path_escaped = "var-opt-secrets" + secrets_part_name = "secrets" + secrets_path = "/var/opt/secrets" + secrets_path_escaped = "var-opt-secrets" - data_device_path = "/dev/vdb" + data_device_path = "/dev/vdb" - data_disk = { - device = local.data_device_path - wipeTable = true - partitions = [ + data_disk = { + device = local.data_device_path + wipeTable = true + partitions = [ + { + label = local.secrets_part_name + number = 1 + sizeMiB = 1024 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + { + label = local.castopod_media_volume_name + number = 2 + sizeMiB = 20 * 1024 + wipePartitionEntry = 
true + shouldExist = true + resize = true + }, + { + label = local.mariadb_data_volume_name + number = 3 + sizeMiB = 5 * 1024 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + { + label = local.valkey_cache_volume_name + number = 4 + sizeMiB = 1024 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + ] + } + + caddy_config_directory = { + path = local.caddy_config_dir + user = { id = 0 } + group = { id = 0 } + mode = 448 # 0700 + } + + caddy_config_file = { + path = "${local.caddy_config_dir}/Caddyfile" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/Caddyfile.tftpl", { - label = local.secrets_part_name - number = 1 - sizeMiB = 1024 - wipePartitionEntry = true - shouldExist = true - resize = true - }, - { - label = local.castopod_media_volume_name - number = 2 - sizeMiB = 20 * 1024 - wipePartitionEntry = true - shouldExist = true - resize = true - }, - { - label = local.mariadb_data_volume_name - number = 3 - sizeMiB = 5 * 1024 - wipePartitionEntry = true - shouldExist = true - resize = true - }, - { - label = local.valkey_cache_volume_name - number = 4 - sizeMiB = 1024 - wipePartitionEntry = true - shouldExist = true - resize = true - }, - ] - } - - caddy_config_directory = { - path = local.caddy_config_dir - user = {id = 0} - group = {id = 0} - mode = 448 # 0700 - } - - caddy_config_file = { - path = "${local.caddy_config_dir}/Caddyfile" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/Caddyfile.tftpl", - { - castopod_domain = var.castopod_domain - castopod_container_name = local.castopod_container_name - } - ) - ) - ) - } - } - - caddy_frontend_network_file = { - path = "/etc/containers/systemd/caddy-frontend.network" - user = {id = 0} - group = {id = 0} - mode = 
420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/caddy-frontend.network.tftpl", - { - caddy_frontend_network_name = local.caddy_frontend_network_name - } - ) - ) - ) - } - } - - caddy_container_file = { - path = "/etc/containers/systemd/caddy.container" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/caddy.container.tftpl", - { - caddy_container_name = local.caddy_container_name - caddy_version = local.caddy_version - caddy_config_dir = local.caddy_config_dir - caddy_frontend_network_name = local.caddy_frontend_network_name - castopod_frontend_network_name = local.castopod_frontend_network_name - castopod_upstream_port = var.castopod_upstream_port - castopod_media_volume_name = local.castopod_media_volume_name - } - ) - ) - ) - } - } - - castopod_secrets_filesystem = { - device = "${local.data_device_path}1" - format = "ext4" - label = local.secrets_part_name - } - - castopod_secrets_directory = { - path = local.secrets_path - user = {id = 0} - group = {id = 0} - mode = 448 # 0700 - } - - castopod_secrets_mount_unit = { - name = "${local.secrets_path_escaped}.mount" - enabled = true - contents = templatefile( - "${path.module}/files/secrets.mount.tftpl", - { - secrets_part_name = local.secrets_part_name - secrets_path = local.secrets_path + castopod_domain = var.castopod_domain + castopod_container_name = local.castopod_container_name } + ) ) + ) } + } - castopod_generate_secrets_script_file = { - path = "/var/opt/generate_secrets.sh" - user = {id = 0} - group = {id = 0} - mode = 448 # 0700 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/generate_secrets.sh.tftpl", - { - secrets_path = local.secrets_path - } - ) - ) - ) - } - } - - castopod_generate_secrets_service_unit = { - name = 
"generate_secrets.service" - enabled = true - contents = templatefile( - "${path.module}/files/generate_secrets.service.tftpl", + caddy_frontend_network_file = { + path = "/etc/containers/systemd/caddy-frontend.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/caddy-frontend.network.tftpl", { - secrets_path = local.secrets_path - secrets_path_escaped = local.secrets_path_escaped + caddy_frontend_network_name = local.caddy_frontend_network_name } + ) ) + ) } + } - castopod_frontend_network_file = { - path = "/etc/containers/systemd/${local.castopod_frontend_network_name}.network" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/castopod-frontend.network.tftpl", - { - castopod_frontend_network_name = local.castopod_frontend_network_name - } - ) - ) - ) - } + caddy_container_file = { + path = "/etc/containers/systemd/caddy.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/caddy.container.tftpl", + { + caddy_container_name = local.caddy_container_name + caddy_version = local.caddy_version + caddy_config_dir = local.caddy_config_dir + caddy_frontend_network_name = local.caddy_frontend_network_name + castopod_frontend_network_name = local.castopod_frontend_network_name + castopod_upstream_port = var.castopod_upstream_port + castopod_media_volume_name = local.castopod_media_volume_name + } + ) + ) + ) } + } - castopod_backend_network_file = { - path = "/etc/containers/systemd/${local.castopod_backend_network_name}.network" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - 
templatefile( - "${path.module}/files/castopod-backend.network.tftpl", - { - castopod_backend_network_name = local.castopod_backend_network_name - } - ) - ) - ) - } + castopod_secrets_filesystem = { + device = "${local.data_device_path}1" + format = "ext4" + label = local.secrets_part_name + } + + castopod_secrets_directory = { + path = local.secrets_path + user = { id = 0 } + group = { id = 0 } + mode = 448 # 0700 + } + + castopod_secrets_mount_unit = { + name = "${local.secrets_path_escaped}.mount" + enabled = true + contents = templatefile( + "${path.module}/files/secrets.mount.tftpl", + { + secrets_part_name = local.secrets_part_name + secrets_path = local.secrets_path + } + ) + } + + castopod_generate_secrets_script_file = { + path = "/var/opt/generate_secrets.sh" + user = { id = 0 } + group = { id = 0 } + mode = 448 # 0700 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/generate_secrets.sh.tftpl", + { + secrets_path = local.secrets_path + } + ) + ) + ) } + } - castopod_media_volume_filesystem = { - device = "${local.data_device_path}2" - format = "ext4" - label = local.castopod_media_volume_name - options = [ - "-E", "root_owner=33:33", - ] + castopod_generate_secrets_service_unit = { + name = "generate_secrets.service" + enabled = true + contents = templatefile( + "${path.module}/files/generate_secrets.service.tftpl", + { + secrets_path = local.secrets_path + secrets_path_escaped = local.secrets_path_escaped + } + ) + } + + castopod_frontend_network_file = { + path = "/etc/containers/systemd/${local.castopod_frontend_network_name}.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/castopod-frontend.network.tftpl", + { + castopod_frontend_network_name = local.castopod_frontend_network_name + } + ) + ) + ) } + } - castopod_media_volume_file = { - path 
= "/etc/containers/systemd/${local.castopod_media_volume_name}.volume" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/castopod-media.volume.tftpl", - { - castopod_media_volume_name = local.castopod_media_volume_name - } - ) - ) - ) - } + castopod_backend_network_file = { + path = "/etc/containers/systemd/${local.castopod_backend_network_name}.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/castopod-backend.network.tftpl", + { + castopod_backend_network_name = local.castopod_backend_network_name + } + ) + ) + ) } + } - mariadb_data_volume_filesystem = { - device = "${local.data_device_path}3" - format = "ext4" - label = local.mariadb_data_volume_name - options = [ - "-E", "root_owner=999:999", - ] + castopod_media_volume_filesystem = { + device = "${local.data_device_path}2" + format = "ext4" + label = local.castopod_media_volume_name + options = [ + "-E", "root_owner=33:33", + ] + } + castopod_media_volume_file = { + path = "/etc/containers/systemd/${local.castopod_media_volume_name}.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/castopod-media.volume.tftpl", + { + castopod_media_volume_name = local.castopod_media_volume_name + } + ) + ) + ) } + } - mariadb_data_volume_file = { - path = "/etc/containers/systemd/${local.mariadb_data_volume_name}.volume" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/mariadb-data.volume.tftpl", - { - mariadb_data_volume_name = local.mariadb_data_volume_name - } - ) - ) - ) - } + 
mariadb_data_volume_filesystem = { + device = "${local.data_device_path}3" + format = "ext4" + label = local.mariadb_data_volume_name + options = [ + "-E", "root_owner=999:999", + ] + + } + + mariadb_data_volume_file = { + path = "/etc/containers/systemd/${local.mariadb_data_volume_name}.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/mariadb-data.volume.tftpl", + { + mariadb_data_volume_name = local.mariadb_data_volume_name + } + ) + ) + ) } + } - mariadb_container_file = { - path = "/etc/containers/systemd/${local.mariadb_container_name}.container" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/mariadb.container.tftpl", - { - mariadb_container_name = local.mariadb_container_name - mariadb_version = local.mariadb_version - mariadb_data_volume_name = local.mariadb_data_volume_name - castopod_backend_network_name = local.castopod_backend_network_name - castopod_db_name = local.castopod_db_name - castopod_db_user = local.castopod_db_user - secrets_path = local.secrets_path - } - ) - ) - ) - } + mariadb_container_file = { + path = "/etc/containers/systemd/${local.mariadb_container_name}.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/mariadb.container.tftpl", + { + mariadb_container_name = local.mariadb_container_name + mariadb_version = local.mariadb_version + mariadb_data_volume_name = local.mariadb_data_volume_name + castopod_backend_network_name = local.castopod_backend_network_name + castopod_db_name = local.castopod_db_name + castopod_db_user = local.castopod_db_user + secrets_path = local.secrets_path + } + ) + ) + ) } + } - 
valkey_cache_volume_filesystem = { - device = "${local.data_device_path}4" - format = "ext4" - label = local.valkey_cache_volume_name - options = [ - "-E", "root_owner=999:999", - ] + valkey_cache_volume_filesystem = { + device = "${local.data_device_path}4" + format = "ext4" + label = local.valkey_cache_volume_name + options = [ + "-E", "root_owner=999:999", + ] + } + + valkey_cache_volume_file = { + path = "/etc/containers/systemd/${local.valkey_cache_volume_name}.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/valkey.volume.tftpl", + { + valkey_cache_volume_name = local.valkey_cache_volume_name + } + ) + ) + ) } + } - valkey_cache_volume_file = { - path = "/etc/containers/systemd/${local.valkey_cache_volume_name}.volume" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile( - "${path.module}/files/valkey.volume.tftpl", - { - valkey_cache_volume_name = local.valkey_cache_volume_name - } - ) - ) - ) - } + valkey_container_file = { + path = "/etc/containers/systemd/${local.valkey_container_name}.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/valkey.container.tftpl", + { + valkey_container_name = local.valkey_container_name + valkey_version = "8.0-alpine" + valkey_cache_volume_name = local.valkey_cache_volume_name + castopod_backend_network_name = local.castopod_backend_network_name + secrets_path = local.secrets_path + } + ) + ) + ) } + } - valkey_container_file = { - path = "/etc/containers/systemd/${local.valkey_container_name}.container" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - 
templatefile( - "${path.module}/files/valkey.container.tftpl", - { - valkey_container_name = local.valkey_container_name - valkey_version = "8.0-alpine" - valkey_cache_volume_name = local.valkey_cache_volume_name - castopod_backend_network_name = local.castopod_backend_network_name - secrets_path = local.secrets_path - } - ) - ) - ) - } + castopod_container_file = { + path = "/etc/containers/systemd/${local.castopod_container_name}.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile("${path.module}/files/castopod.container.tftpl", { + castopod_version = "1.13.2", + castopod_container_name = local.castopod_container_name + castopod_frontend_network_name = local.castopod_frontend_network_name + castopod_backend_network_name = local.castopod_backend_network_name + castopod_media_volume_name = local.castopod_media_volume_name + castopod_db_name = local.castopod_db_name + castopod_db_user = local.castopod_db_user + castopod_base_url = var.base_url + mariadb_container_name = local.mariadb_container_name + valkey_container_name = local.valkey_container_name + secrets_path = local.secrets_path + }) + ) + ) } + } - castopod_container_file = { - path = "/etc/containers/systemd/${local.castopod_container_name}.container" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode( - templatefile("${path.module}/files/castopod.container.tftpl", { - castopod_version = "1.13.2", - castopod_container_name = local.castopod_container_name - castopod_frontend_network_name = local.castopod_frontend_network_name - castopod_backend_network_name = local.castopod_backend_network_name - castopod_media_volume_name = local.castopod_media_volume_name - castopod_db_name = local.castopod_db_name - castopod_db_user = local.castopod_db_user - castopod_base_url = var.base_url - mariadb_container_name = 
local.mariadb_container_name - valkey_container_name = local.valkey_container_name - secrets_path = local.secrets_path - }) - ) - ) - } + ignition_config = jsonencode({ + ignition = { + version = "3.4.0" } - - ignition_config = jsonencode({ - ignition = { - version = "3.4.0" + storage = { + disks = [ + local.data_disk, + ] + filesystems = [ + local.castopod_secrets_filesystem, + local.castopod_media_volume_filesystem, + local.mariadb_data_volume_filesystem, + local.valkey_cache_volume_filesystem, + ] + files = [ + local.caddy_config_file, + local.caddy_frontend_network_file, + local.caddy_container_file, + local.castopod_generate_secrets_script_file, + local.castopod_frontend_network_file, + local.castopod_backend_network_file, + local.castopod_media_volume_file, + local.mariadb_data_volume_file, + local.mariadb_container_file, + local.valkey_cache_volume_file, + local.valkey_container_file, + local.castopod_container_file, + ] + directories = [ + local.caddy_config_directory, + local.castopod_secrets_directory, + ] + } + systemd = { + units = [ + local.castopod_secrets_mount_unit, + local.castopod_generate_secrets_service_unit, + ] + } + passwd = { + users = [ + { + name = "core" + sshAuthorizedKeys = var.ssh_authorized_keys } - storage = { - disks = [ - local.data_disk, - ] - filesystems = [ - local.castopod_secrets_filesystem, - local.castopod_media_volume_filesystem, - local.mariadb_data_volume_filesystem, - local.valkey_cache_volume_filesystem, - ] - files = [ - local.caddy_config_file, - local.caddy_frontend_network_file, - local.caddy_container_file, - local.castopod_generate_secrets_script_file, - local.castopod_frontend_network_file, - local.castopod_backend_network_file, - local.castopod_media_volume_file, - local.mariadb_data_volume_file, - local.mariadb_container_file, - local.valkey_cache_volume_file, - local.valkey_container_file, - local.castopod_container_file, - ] - directories = [ - local.caddy_config_directory, - local.castopod_secrets_directory, 
- ] - } - systemd = { - units = [ - local.castopod_secrets_mount_unit, - local.castopod_generate_secrets_service_unit, - ] - } - passwd = { - users = [ - { - name = "core" - sshAuthorizedKeys = var.ssh_authorized_keys - } - ] - } - }) + ] + } + }) } diff --git a/modules/castopod/outputs.tf b/modules/castopod/outputs.tf index 3f0fbc2..494575a 100644 --- a/modules/castopod/outputs.tf +++ b/modules/castopod/outputs.tf @@ -1,3 +1,3 @@ output "config" { - value = local.ignition_config + value = local.ignition_config } diff --git a/modules/castopod/variables.tf b/modules/castopod/variables.tf index c2c94d6..c9af235 100644 --- a/modules/castopod/variables.tf +++ b/modules/castopod/variables.tf @@ -1,19 +1,19 @@ variable "ssh_authorized_keys" { - type = list(string) - nullable = false + type = list(string) + nullable = false } variable "base_url" { - type = string - nullable = false + type = string + nullable = false } variable "castopod_domain" { - type = string - nullable = false + type = string + nullable = false } variable "castopod_upstream_port" { - type = number - nullable = false + type = number + nullable = false } diff --git a/modules/dns_resolver/main.tf b/modules/dns_resolver/main.tf index 5854652..9ecda81 100644 --- a/modules/dns_resolver/main.tf +++ b/modules/dns_resolver/main.tf @@ -1,7 +1,7 @@ terraform { required_providers { proxmox = { - source = "bpg/proxmox" + source = "bpg/proxmox" version = "~>0.56.1" } } 
@@ -10,159 +10,159 @@ terraform { locals { - core_user = { - name = "core" - password_hash = "$6$vDMAZf/yOO6mEbcs$6VE7WD8T9/PeotszMFxatOQxB/rFmLDWsNajg4sI0O47OikSuVpqPjkxRbzcueiXn6rBUY1ubCHlp0nnoZ1VI1" - } + core_user = { + name = "core" + password_hash = "$6$vDMAZf/yOO6mEbcs$6VE7WD8T9/PeotszMFxatOQxB/rFmLDWsNajg4sI0O47OikSuVpqPjkxRbzcueiXn6rBUY1ubCHlp0nnoZ1VI1" + } - hostname_file = { - path = "/etc/hostname" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { + hostname_file = { + path = "/etc/hostname" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode(var.instance_name) + ) + } + } + + ignition_configuration = jsonencode({ + ignition = { + version = "3.4.0" + } + storage = { + files = [ + { + path = "/etc/hostname" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { source = format( - "data:text/plain;base64,%s", - base64encode(var.instance_name) + "data:text/plain;base64,%s", + base64encode(var.instance_name) ) - } + } + }, + ] } - - ignition_configuration = jsonencode({ - ignition = { - version = "3.4.0" - } - storage = { - files = [ - { - path = "/etc/hostname" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode(var.instance_name) - ) - } - }, - ] - } - passwd = { - users = [ - local.core_user, - ] - } - }) + passwd = { + users = [ + local.core_user, + ] + } + }) } resource "random_pet" "config_name" { - length = 4 + length = 4 } locals { - generated_ignition_config_file = "${path.module}/dns_resolver_ignition_config_${random_pet.config_name.id}.ign" + generated_ignition_config_file = "${path.module}/dns_resolver_ignition_config_${random_pet.config_name.id}.ign" } resource "local_file" "sftp_script_for_ignition_file" { - content = <}t tag +; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%" + +; A list of request_uri values which should be filtered from the access log. +; +; As a security precuation, this setting will be ignored if: +; - the request method is not GET or HEAD; or +; - there is a request body; or +; - there are query parameters; or +; - the response code is outwith the successful range of 200 to 299 +; +; Note: The paths are matched against the output of the access.format tag "%r". +; On common configurations, this may look more like SCRIPT_NAME than the +; expected pre-rewrite URI. +; +; Default Value: not set +;access.suppress_path[] = /ping +;access.suppress_path[] = /health_check.php + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. 
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environment, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. 
This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. 
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr/local)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
diff --git a/modules/nextcloud/files/postgres-data.volume.tftpl b/modules/nextcloud/files/postgres-data.volume.tftpl
new file mode 100644
index 0000000..42c5785
--- /dev/null
+++ b/modules/nextcloud/files/postgres-data.volume.tftpl
@@ -0,0 +1,11 @@
+[Unit]
+Description = Postgresql Data Volume
+
+[Volume]
+VolumeName = ${postgres_data_volume_name}
+Device=/dev/disk/by-label/${postgres_data_volume_name}
+Options=nodev,noexec,nosuid,rootcontext=system_u:object_r:container_file_t:s0
+Type=ext4
+
+[Install]
+WantedBy=default.target
diff --git a/modules/nextcloud/files/postgres.container.tftpl b/modules/nextcloud/files/postgres.container.tftpl
new file mode 100644
index 0000000..7b87db8
--- /dev/null
+++ b/modules/nextcloud/files/postgres.container.tftpl
@@ -0,0 +1,23 @@
+[Unit]
+Description = Postgresql
+
+Wants=generate-secrets.service
+After=generate-secrets.service
+
+[Container]
+ContainerName = ${postgres_container_name}
+Image = ${postgres_image_name}:${postgres_image_tag}
+
+Volume = postgres-data.volume:/var/lib/postgresql/data:z
+
+Network = nextcloud-backend.network
+
+EnvironmentFile=${postgres_env_file_path}
+Environment=PGDATA=/var/lib/postgresql/data/pgdata
+Secret=${postgres_password_secret_name}
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/modules/nextcloud/files/postgres.env.tftpl b/modules/nextcloud/files/postgres.env.tftpl
new file mode 100644
index 0000000..3c66d8b
--- /dev/null
+++ b/modules/nextcloud/files/postgres.env.tftpl
@@ -0,0 +1,3 @@
+POSTGRES_USER=${postgres_user_name}
+POSTGRES_DB=${postgres_database_name}
+POSTGRES_PASSWORD_FILE=/run/secrets/postgres-passwd
\ No newline at end of file
diff --git a/modules/nextcloud/files/valkey-data.volume.tftpl b/modules/nextcloud/files/valkey-data.volume.tftpl
new file mode 100644
index 0000000..51d8e4f
--- /dev/null
+++ b/modules/nextcloud/files/valkey-data.volume.tftpl
@@ -0,0 +1,8 @@
+[Unit]
+Description = "Valkey Volume"
+
+[Volume]
+VolumeName = ${valkey_data_volume_name}
+Device=/dev/disk/by-label/${valkey_data_volume_name}
+Options=nodev,noexec,nosuid,rootcontext=system_u:object_r:container_file_t:s0
+Type=ext4
diff --git a/modules/nextcloud/files/valkey.container.tftpl b/modules/nextcloud/files/valkey.container.tftpl
new file mode 100644
index 0000000..037b5f1
--- /dev/null
+++ b/modules/nextcloud/files/valkey.container.tftpl
@@ -0,0 +1,20 @@
+[Unit]
+Description = "Valkey Container"
+
+[Container]
+ContainerName = "${valkey_container_name}"
+Image = "${valkey_image_name}:${valkey_image_tag}"
+
+Network = nextcloud-backend.network
+
+Volume = valkey-data.volume:/data:z
+
+# skips find/chown in docker entrypoint which tries to chown lost+found and receive a perm denied
+User=valkey
+Group=valkey
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
diff --git a/modules/nextcloud/main.tf b/modules/nextcloud/main.tf
new file mode 100644
index 0000000..a83b561
--- /dev/null
+++ b/modules/nextcloud/main.tf
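Review bot: `POSTGRES_PASSWORD_FILE=/run/secrets/postgres-passwd` hardcodes the secret name, while postgres.container.tftpl mounts it as `Secret=${postgres_password_secret_name}` and main.tf defines that name once as `postgres_password_secret_name`; renaming the local would leave the database reading a file that is no longer mounted. Pass the name through this template as well, `POSTGRES_PASSWORD_FILE=/run/secrets/${postgres_password_secret_name}`, and add `postgres_password_secret_name = local.postgres_password_secret_name` to the templatefile() variables of `postgres_env_file` in main.tf, which currently passes only the user and database names.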
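Review bot: `ContainerName = "${valkey_container_name}"` and `Image = "${valkey_image_name}:${valkey_image_tag}"` are quoted, whereas postgres.container.tftpl in the same commit passes both values unquoted; as far as I know Quadlet does not strip quotes from single-value keys, in which case the rendered image reference would carry literal quote characters and the pull would fail, so this is worth checking with `/usr/libexec/podman/quadlet -dryrun` before relying on it. The comment above `User=valkey` says what is skipped but not why that is safe; `# data volume is formatted with root_owner=999:999 (valkey_data_filesystem in main.tf), presumably the uid/gid the image assigns to valkey, so no chown is needed` would record the dependency on that filesystem option.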
@@ -0,0 +1,603 @@ +locals { + data_device_path = "/dev/vdb" + luks_device_name = "dm-crypt0" + + caddy_container_name = "caddy" + nextcloud_container_name = "nextcloud" + postgres_container_name = "psql" + valkey_container_name = "valkey" + + caddyfile_dir_path = "/opt/caddy" + caddyfile_file_path = "${local.caddyfile_dir_path}/Caddyfile" + postgres_password_secret_name = "postgres-passwd" + php_fpm_config_dir_path = "/opt/php" + php_fpm_config_file_path = "${local.php_fpm_config_dir_path}/www.conf" + + caddy_data_volume_name = "caddy-data" + nextcloud_data_volume_name = "nextcloud-data" + postgres_data_volume_name = "postgres-data" + valkey_data_volume_name = "valkey-data" + + caddy_image_name = "docker.io/caddy" + caddy_image_tag = "2.9.1-alpine" + + nextcloud_image_name = "docker.io/nextcloud" + nextcloud_image_tag = "stable-fpm-alpine" + + postgres_image_name = "docker.io/postgres" + postgres_image_tag = "12.22" + + valkey_image_name = "docker.io/valkey/valkey" + valkey_image_tag = "8.0-alpine3.21" + + postgres_env_file_path = "/etc/postgres.env" + + data_disk = { + device = local.data_device_path + wipeTable = true + partitions = [ + { + label = local.caddy_data_volume_name + number = 1 + sizeMiB = 500 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + { + label = local.nextcloud_data_volume_name + number = 2 + sizeMiB = 100 * 1024 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + { + label = local.postgres_data_volume_name + number = 3 + sizeMiB = 10 * 1024 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + { + label = local.valkey_data_volume_name + number = 4 + sizeMiB = 1024 + wipePartitionEntry = true + shouldExist = true + resize = true + }, + ] + } + + caddy_data_luks = merge( + { + name = "encrypted-${local.caddy_data_volume_name}" + device = "${local.data_device_path}1" + label = "encrypted-${local.caddy_data_volume_name}" + wipeVolume = false + }, + var.luks_passphrase == "" ? 
{} : { + keyFile = { + source = format( + "data:text/plain;base64,%s", + var.luks_passphrase + ) + }, + }, + var.luks_use_tpm2 ? { + clevis = { + tpm2 = true + } + } : {} + ) + + nextcloud_data_luks = merge( + { + name = "encrypted-${local.nextcloud_data_volume_name}" + device = "${local.data_device_path}2" + label = "encrypted-${local.nextcloud_data_volume_name}" + wipeVolume = false + }, + var.luks_passphrase == "" ? {} : { + keyFile = { + source = format( + "data:text/plain;base64,%s", + var.luks_passphrase + ) + } + }, + var.luks_use_tpm2 ? { + clevis = { + tpm2 = true + } + } : {} + ) + + postgres_data_luks = merge( + { + name = "encrypted-${local.postgres_data_volume_name}" + device = "${local.data_device_path}3" + label = "encrypted-${local.postgres_data_volume_name}" + wipeVolume = false + }, + var.luks_passphrase == "" ? {} : { + keyFile = { + source = format( + "data:text/plain;base64,%s", + var.luks_passphrase + ) + } + }, + var.luks_use_tpm2 ? { + clevis = { + tpm2 = true + } + } : {} + ) + + valkey_data_luks = merge( + { + name = "encrypted-${local.valkey_data_volume_name}" + device = "${local.data_device_path}4" + label = "encrypted-${local.valkey_data_volume_name}" + wipeVolume = false + }, + var.luks_passphrase == "" ? {} : { + keyFile = { + source = format( + "data:text/plain;base64,%s", + var.luks_passphrase + ) + } + }, + var.luks_use_tpm2 ? 
{ + clevis = { + tpm2 = true + } + } : {} + ) + + caddy_data_filesystem = { + device = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}" + format = "ext4" + label = local.caddy_data_volume_name + wipeFilesystem = false + } + + nextcloud_data_filesystem = { + device = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}" + format = "ext4" + label = local.nextcloud_data_volume_name + wipeFilesystem = false + } + + postgres_data_filesystem = { + device = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}" + format = "ext4" + label = local.postgres_data_volume_name + wipeFilesystem = false + } + + valkey_data_filesystem = { + device = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}" + format = "ext4" + label = local.valkey_data_volume_name + wipeFilesystem = false + options = [ + "-E", "root_owner=999:999", + ] + } + + hostname_file = { + path = "/etc/hostname" + user = {id = 0} + group = {id = 0} + mode = 420 # 0644 + contents = { + source = "data:text/plain,nextcloud" + } + } + + hosts_file = { + path = "/etc/hosts" + user = {id = 0} + group = {id = 0} + mode = 420 # 0644 + append = [ + { + source = format( + "data:text/plain;base64,%s", + base64encode( + "${var.reverse_proxy_ip_address} ${var.nextcloud_domain}" + ) + ) + } + ] + } + + caddy_frontend_network_file = { + path = "/etc/containers/systemd/caddy-frontend.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + file("${path.module}/files/caddy-frontend.network") + ) + ) + } + } + + caddy_backend_network_file = { + path = "/etc/containers/systemd/caddy-backend.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + file("${path.module}/files/caddy-backend.network") + ) + ) + } + } + + nextcloud_backend_network_file = { + path = 
"/etc/containers/systemd/nextcloud-backend.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + file("${path.module}/files/nextcloud-backend.network") + ) + ) + } + } + + nextcloud_internet_network_file = { + path = "/etc/containers/systemd/nextcloud-internet.network" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plein;base64,%s", + base64encode( + file("${path.module}/files/nextcloud-internet.network") + ) + ) + } + } + + caddy_data_volume_file = { + path = "/etc/containers/systemd/caddy-data.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/caddy-data.volume.tftpl", + { + caddy_data_volume_name = local.caddy_data_volume_name + + } + ) + ) + ) + } + } + + nextcloud_data_volume_file = { + path = "/etc/containers/systemd/nextcloud-data.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/nextcloud-data.volume.tftpl", + { + nextcloud_data_volume_name = local.nextcloud_data_volume_name + + } + ) + ) + ) + } + } + + postgres_data_volume_file = { + path = "/etc/containers/systemd/postgres-data.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/postgres-data.volume.tftpl", + { + postgres_data_volume_name = local.postgres_data_volume_name + + } + ) + ) + ) + } + } + + valkey_data_volume_file = { + path = "/etc/containers/systemd/valkey-data.volume" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + 
"${path.module}/files/valkey-data.volume.tftpl", + { + valkey_data_volume_name = local.valkey_data_volume_name + + } + ) + ) + ) + } + } + + caddy_container_file = { + path = "/etc/containers/systemd/caddy.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/caddy.container.tftpl", + { + caddy_container_name = local.caddy_container_name + caddy_image_name = local.caddy_image_name + caddy_image_tag = local.caddy_image_tag + caddyfile_file_path = local.caddyfile_file_path + } + ) + ) + ) + } + } + + nextcloud_container_file = { + path = "/etc/containers/systemd/nextcloud.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/nextcloud.container.tftpl", + { + nextcloud_container_name = local.nextcloud_container_name + nextcloud_image_name = local.nextcloud_image_name + nextcloud_image_tag = local.nextcloud_image_tag + postgres_env_file_path = local.postgres_env_file_path + postgres_container_name = local.postgres_container_name + postgres_password_secret_name = local.postgres_password_secret_name + valkey_container_name = local.valkey_container_name + nextcloud_trusted_domains = join(" ", var.nextcloud_trusted_domains) + php_upload_limit = "2048M" # variable ? 
+ php_fpm_config_file_path = local.php_fpm_config_file_path + nextcloud_trusted_proxies = "10.0.0.0/8" + } + ) + ) + ) + } + } + + postgres_container_file = { + path = "/etc/containers/systemd/postgres.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/postgres.container.tftpl", + { + postgres_container_name = local.postgres_container_name + postgres_image_name = local.postgres_image_name + postgres_image_tag = local.postgres_image_tag + postgres_env_file_path = local.postgres_env_file_path + postgres_password_secret_name = local.postgres_password_secret_name + } + ) + ) + ) + } + } + + valkey_container_file = { + path = "/etc/containers/systemd/valkey.container" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/valkey.container.tftpl", + { + valkey_container_name = local.valkey_container_name + valkey_image_name = local.valkey_image_name + valkey_image_tag = local.valkey_image_tag + } + ) + ) + ) + } + } + + caddyfile_dir = { + path = local.caddyfile_dir_path + user = { id = 0 } + group = { id = 0 } + mode = 493 # 0755 + } + + caddyfile_file = { + path = local.caddyfile_file_path + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/Caddyfile.tftpl", + { + nextcloud_domain = var.nextcloud_domain + nextcloud_container_name = local.nextcloud_container_name + } + ) + ) + ) + } + } + + postgres_env_file = { + path = local.postgres_env_file_path + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + templatefile( + "${path.module}/files/postgres.env.tftpl", + { + postgres_user_name = 
"nextcloud" + postgres_database_name = "nextcloud" + } + ) + ) + ) + } + } + + php_config_dir = { + path = local.php_fpm_config_dir_path + user = { id = 0 } + group = { id = 0 } + mode = 493 # 0755 + } + + php_fpm_config_file = { + path = "/opt/php/www.conf" + user = {id = 0} + group = {id = 0} + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode( + file("${path.module}/files/php-fpm-www.conf") + ) + ) + } + } + + generate_secrets_systemd_unit = { + name = "generate-secrets.service" + enabled = true + contents = templatefile( + "${path.module}/files/generate-secrets.service.tftpl", + { + postgres_password_secret_name = local.postgres_password_secret_name + } + ) + } + + ignition_config = { + ignition = { + version = "3.5.0" + } + storage = { + luks = [ + local.caddy_data_luks, + local.nextcloud_data_luks, + local.postgres_data_luks, + local.valkey_data_luks, + ] + disks = [ + local.data_disk, + ] + filesystems = [ + local.caddy_data_filesystem, + local.nextcloud_data_filesystem, + local.postgres_data_filesystem, + local.valkey_data_filesystem, + ] + directories = [ + local.caddyfile_dir, + local.php_config_dir, + ] + files = [ + local.hostname_file, + local.hosts_file, + local.caddy_frontend_network_file, + local.caddy_backend_network_file, + local.nextcloud_backend_network_file, + local.nextcloud_internet_network_file, + local.caddy_data_volume_file, + local.nextcloud_data_volume_file, + local.postgres_data_volume_file, + local.valkey_data_volume_file, + local.caddy_container_file, + local.nextcloud_container_file, + local.postgres_container_file, + local.valkey_container_file, + local.caddyfile_file, + local.postgres_env_file, + local.php_fpm_config_file, + ] + } + systemd = { + units = [ + local.generate_secrets_systemd_unit, + ] + } + passwd = { + users = [ + { + name = "core" + sshAuthorizedKeys = var.ssh_authorized_keys + } + ] + } + } +} \ No newline at end of file 
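Review bot: The four `*_data_luks` entries build the key file as `format("data:text/plain;base64,%s", var.luks_passphrase)` without `base64encode()`, unlike every other data URL in this file, so unless `luks_passphrase` is meant to arrive already base64-encoded (nothing in variables.tf says so) Ignition may reject the URL or unlock the volumes with the decoded bytes rather than the passphrase the operator supplied; `base64encode(var.luks_passphrase)` would make it consistent with the rest. `nextcloud_internet_network_file` uses the media type `"data:text/plein;base64,%s"`, a typo for `text/plain`. `postgres_image_tag = "12.22"` pins a PostgreSQL major that reached end of life in November 2024, so no further security fixes will land on that line, and `nextcloud_image_tag = "stable-fpm-alpine"` floats while the caddy and valkey images are pinned to a specific version. `nextcloud_trusted_proxies = "10.0.0.0/8"` lets any host in that range set the client address that Nextcloud's brute-force protection and logs see; the module already receives `var.reverse_proxy_ip_address`, so narrowing the value to that address plus the caddy container's network is worth considering. `php_fpm_config_file` also hardcodes `path = "/opt/php/www.conf"` where `local.php_fpm_config_file_path` is defined for exactly that purpose.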
diff --git a/modules/nextcloud/outputs.tf b/modules/nextcloud/outputs.tf
new file mode 100644
index 0000000..1dbf650
--- /dev/null
+++ b/modules/nextcloud/outputs.tf
@@ -0,0 +1,3 @@
+output "config" {
+ value = jsonencode(local.ignition_config)
+}
diff --git a/modules/nextcloud/variables.tf b/modules/nextcloud/variables.tf
new file mode 100644
index 0000000..6b54de2
--- /dev/null
+++ b/modules/nextcloud/variables.tf
@@ -0,0 +1,30 @@
+variable "ssh_authorized_keys" {
+ type = list(string)
+ nullable = false
+}
+
+variable "nextcloud_domain" {
+ type = string
+ nullable = false
+}
+
+variable "nextcloud_trusted_domains" {
+ type = list(string)
+ nullable = false
+}
+
+variable "reverse_proxy_ip_address" {
+ type = string
+ nullable = false
+}
+
+variable "luks_passphrase" {
+ type = string
+ nullable = false
+ sensitive = true
+}
+
+variable "luks_use_tpm2" {
+ type = bool
+ nullable = false
+}
diff --git a/modules/poc/main.tf b/modules/poc/main.tf
index 8f24063..602aa57 100644
--- a/modules/poc/main.tf
+++ b/modules/poc/main.tf
@@ -1,7 +1,7 @@
 terraform {
 required_providers {
 proxmox = {
- source = "bpg/proxmox"
+ source = "bpg/proxmox"
 version = "~>0.56.1"
 }
 }
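Review bot: `output "config"` exposes `jsonencode(local.ignition_config)`, which embeds `var.luks_passphrase` (declared `sensitive = true` in variables.tf) through the `keyFile` entries built in main.tf, and Terraform refuses to plan an output that carries a sensitive value unless the output is itself marked; add `sensitive = true` to this block. The sensitivity likely propagates even when the passphrase is empty, because the conditional that decides whether to emit `keyFile` tests the sensitive variable. Whatever consumes this output and writes it to an `.ign` file should treat that file, and the state, as key material, since the passphrase sits in clear inside the rendered config.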
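Review bot: None of the six variables carries a `description`, and for `luks_passphrase` the missing contract matters because main.tf splices the value straight into a base64 data URL: the declaration should say whether callers pass the raw passphrase or an already base64-encoded one, and that an empty string disables the key file. A one-line `description` on each variable, e.g. `description = "LUKS passphrase for the data partitions; empty string means no key file is installed"`, would make the module usable without reading main.tf.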
@@ -10,162 +10,162 @@ terraform { locals { - core_user = { - name = "core" - sshAuthorizedKeys = [ - var.admin_ssh_public_key - ] - } + core_user = { + name = "core" + sshAuthorizedKeys = [ + var.admin_ssh_public_key + ] + } - hostname_file = { - path = "/etc/hostname" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { + hostname_file = { + path = "/etc/hostname" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { + source = format( + "data:text/plain;base64,%s", + base64encode(var.instance_name) + ) + } + } + + ignition_configuration = jsonencode({ + ignition = { + version = "3.4.0" + } + storage = { + files = [ + { + path = "/etc/hostname" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 + contents = { source = format( - "data:text/plain;base64,%s", - base64encode(var.instance_name) + "data:text/plain;base64,%s", + base64encode(var.instance_name) ) - } + } + }, + ] } - - ignition_configuration = jsonencode({ - ignition = { - version = "3.4.0" - } - storage = { - files = [ - { - path = "/etc/hostname" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 - contents = { - source = format( - "data:text/plain;base64,%s", - base64encode(var.instance_name) - ) - } - }, - ] - } - passwd = { - users = [ - local.core_user - ] - } - }) + passwd = { + users = [ + local.core_user + ] + } + }) } resource "random_pet" "config_name" { - length = 4 + length = 4 } locals { - generated_ignition_config_file = "${path.module}/poc_ignition_config_${random_pet.config_name.id}.ign" + generated_ignition_config_file = "${path.module}/poc_ignition_config_${random_pet.config_name.id}.ign" } resource "local_file" "sftp_script_for_ignition_file" { - content = < 0 && var.listen_port < 65536 - error_message = "Invalid port." - } + type = number + nullable = false + default = 22 + validation { + condition = var.listen_port > 0 && var.listen_port < 65536 + error_message = "Invalid port." 
+ } } variable "ciphers_algos" { - type = list(string) - nullable = false - default = ["chacha20-poly1305@openssh.com"] + type = list(string) + nullable = false + default = ["chacha20-poly1305@openssh.com"] } variable "macs_algos" { - type = list(string) - nullable = false - default = ["hmac-sha2-512-etm@openssh.com"] + type = list(string) + nullable = false + default = ["hmac-sha2-512-etm@openssh.com"] } variable "key_exchange_algos" { - type = list(string) - nullable = false - default = ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256"] + type = list(string) + nullable = false + default = ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256"] } variable "host_key_algorithms" { - type = list(string) - nullable = false - default = ["ssh-ed25519"] + type = list(string) + nullable = false + default = ["ssh-ed25519"] } variable "host_keys" { - type = list(string) - nullable = false - default = [] + type = list(string) + nullable = false + default = [] } variable "pub_key_accepted_algorithms" { - type = list(string) - nullable = false - default = ["ssh-ed25519"] + type = list(string) + nullable = false + default = ["ssh-ed25519"] } variable "rekey_limit" { - type = object({ - size = string - time = string - }) - nullable = false - default = { - size = "1G" - time = "1H" - } + type = object({ + size = string + time = string + }) + nullable = false + default = { + size = "1G" + time = "1H" + } } variable "allow_users" { - type = list(string) - nullable = false - default = [] + type = list(string) + nullable = false + default = [] } variable "allow_groups" { - type = list(string) - nullable = false - default = [] + type = list(string) + nullable = false + default = [] } variable "sftp_only" { - type = bool - nullable = false - default = true + type = bool + nullable = false + default = true } variable "allow_tcp_forwarding" { - type = bool - nullable = false - default = false + type = bool + nullable = false + default = false } variable "chrooted_users" { - 
type = list(object({ - username = string - chroot = string - ssh_public_key = string - })) - nullable = false - default = [] + type = list(object({ + username = string + chroot = string + ssh_public_key = string + })) + nullable = false + default = [] } variable "client_alive_count_max" { - type = number - nullable = false - default = 6 - validation { - condition = var.client_alive_count_max > 0 - error_message = "Invalid Client Alive Count Max." - } + type = number + nullable = false + default = 6 + validation { + condition = var.client_alive_count_max > 0 + error_message = "Invalid Client Alive Count Max." + } } variable "client_alive_interval" { - type = number - nullable = false - default = 10 - validation { - condition = var.client_alive_interval > 0 - error_message = "Invalid Client Alive Interval." - } + type = number + nullable = false + default = 10 + validation { + condition = var.client_alive_interval > 0 + error_message = "Invalid Client Alive Interval." + } } variable "max_auth_tries" { - type = number - nullable = false - default = 10 - validation { - condition = var.max_auth_tries > 2 - error_message = "Invalid or insufficient Max Auth Tries." - } + type = number + nullable = false + default = 10 + validation { + condition = var.max_auth_tries > 2 + error_message = "Invalid or insufficient Max Auth Tries." + } } variable "max_sessions" { - type = number - nullable = false - default = 10 - validation { - condition = var.max_sessions >= 0 - error_message = "Invalid or insufficient Max Sessions." - } + type = number + nullable = false + default = 10 + validation { + condition = var.max_sessions >= 0 + error_message = "Invalid or insufficient Max Sessions." + } } variable "max_startup" { - type = string - nullable = false - default = "100:70:1000" + type = string + nullable = false + default = "100:70:1000" } diff --git a/outputs.tf b/outputs.tf index 36418ff..e6fe28d 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,7 +1,12 @@
 output "castopod_config" {
- value = module.castopod_config.config
+ value = module.castopod_config.config
 }
 
 output "caddy_config" {
- value = module.caddy_config.config
+ value = module.caddy_config.config
+}
+
+output "nextcloud_config" {
+ value = module.nextcloud_config.config
+ sensitive = true
 }
diff --git a/settings.auto.tfvars b/settings.auto.tfvars
index 7cc1c7e..8e551d6 100644
--- a/settings.auto.tfvars
+++ b/settings.auto.tfvars
@@ -1,14 +1,19 @@
-pve_api_base_url = "https://proxmox.broken-by-design.fr:8006/"
-pve_node_name = "ns3152888"
-pve_storage_id = "local"
-pve_ssh_user = "root"
-pve_ssh_host = "proxmox.broken-by-design.fr"
+pve_api_base_url = "https://proxmox.broken-by-design.fr:8006/"
+pve_node_name = "ns3152888"
+pve_storage_id = "local"
+pve_ssh_user = "root"
+pve_ssh_host = "proxmox.broken-by-design.fr"
 ssh_public_key_opentofu_netboot_server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQnLSYLGzUVmDMMGgEKCNgfAOkIuqhOMGGuvgskACum fmaury@fedora-home-1"
-ssh_public_key_admin_netboot_server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQnLSYLGzUVmDMMGgEKCNgfAOkIuqhOMGGuvgskACum fmaury@fedora-home-1"
+ssh_public_key_admin_netboot_server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQnLSYLGzUVmDMMGgEKCNgfAOkIuqhOMGGuvgskACum fmaury@fedora-home-1"
 
-admin_network_name = "admin"
+admin_network_name = "admin"
 admin_network_prefix = "10.110.0.0/24"
-prod_network_name = "prod"
-prod_network_prefix = "10.109.0.0/24"
-monit_network_name = "monit"
+prod_network_name = "prod"
+prod_network_prefix = "10.109.0.0/24"
+monit_network_name = "monit"
 monit_network_prefix = "10.111.0.0/24"
+
+nextcloud_luks_passphrase = "tititoto"
+ssh_authorized_keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0WaC412cZLVwUXN/MyIl7nHjAd5rW5dn0wsZczjwCm fmaury@fedora-2.home"
+]
diff --git a/variables.tf b/variables.tf
index cd27553..0b10132 100644
--- a/variables.tf
+++ b/variables.tf
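Review bot: `sensitive = true` on `nextcloud_config` only redacts the value in `plan`/`apply` output; the rendered Ignition JSON (which, per the module, carries the LUKS entries and the `core` user's authorized keys) is still written in clear to the state file and is readable through `terraform output -json` or any state reader. That is the right flag to set, but a reader of this file will not know the residual exposure, so document it next to the attribute: `# sensitive only redacts CLI output; the rendered Ignition JSON still lives in clear in the state file, so protect the state backend accordingly`. The same caveat applies to `castopod_config` and `caddy_config`, which this change does not touch.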
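Review bot: `nextcloud_luks_passphrase = "tititoto"` commits a disk-encryption passphrase to version control in a file that Terraform/OpenTofu loads automatically, which defeats the `sensitive = true` declared for it in variables.tf; the value is also a short, dictionary-like string. Remove the line from the tracked file and supply the value out of band, e.g. `export TF_VAR_nextcloud_luks_passphrase=...` in the operator's shell or a gitignored `*.auto.tfvars`, and treat the committed value as compromised, re-encrypting any volume that was already formatted with it. Whether the `luks_use_tpm2` path reduces the dependence on this passphrase is not visible in this hunk; the passphrase still leaves the repository history either way.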
@@ -1,100 +1,111 @@ variable "pve_api_base_url" { - description = "API URL to the Proxmox cluster" - type = string - nullable = false + description = "API URL to the Proxmox cluster" + type = string + nullable = false } variable "pve_api_token" { - description = "API token used to connect to the Proxmox cluster" - type = string - nullable = false - sensitive = true + description = "API token used to connect to the Proxmox cluster" + type = string + nullable = false + sensitive = true } variable "pve_node_name" { - description = "Name of the Proxmox node on which files and VMs should be created" - type = string - nullable = false + description = "Name of the Proxmox node on which files and VMs should be created" + type = string + nullable = false } variable "pve_storage_id" { - description = "Name of the Proxmox Storage on which files (ISOs) and VM disks should be created" - type = string - nullable = false + description = "Name of the Proxmox Storage on which files (ISOs) and VM disks should be created" + type = string + nullable = false } variable "pve_ssh_user" { - description = "User used to connect with SSH to the hypervisor to port-forward to the netboot server" - type = string - nullable = false + description = "User used to connect with SSH to the hypervisor to port-forward to the netboot server" + type = string + nullable = false } variable "pve_ssh_host" { - description = "Address of the hypervisor to connect to to port-forward to the netboot server" - type = string - nullable = false + description = "Address of the hypervisor to connect to to port-forward to the netboot server" + type = string + nullable = false } variable "admin_network_name" { - description = "Admin Network Name" - type = string - nullable = false - default = "admin" + description = "Admin Network Name" + type = string + nullable = false + default = "admin" } variable "admin_network_prefix" { - description = "Network prefix associated with the Admin network" - type = string - nullable = 
false - validation { - condition = can(cidrnetmask(var.admin_network_prefix)) - error_message = "Invalid Admin network prefix" - } + description = "Network prefix associated with the Admin network" + type = string + nullable = false + validation { + condition = can(cidrnetmask(var.admin_network_prefix)) + error_message = "Invalid Admin network prefix" + } } variable "prod_network_name" { - description = "Production Network Name" - type = string - nullable = false - default = "prod" + description = "Production Network Name" + type = string + nullable = false + default = "prod" } variable "prod_network_prefix" { - description = "Network prefix associated with the prod network" - type = string - nullable = false - validation { - condition = can(cidrnetmask(var.prod_network_prefix)) - error_message = "Invalid Prod network prefix" - } + description = "Network prefix associated with the prod network" + type = string + nullable = false + validation { + condition = can(cidrnetmask(var.prod_network_prefix)) + error_message = "Invalid Prod network prefix" + } } variable "monit_network_name" { - description = "Monitoring Network Name" - type = string - nullable = false - default = "monit" + description = "Monitoring Network Name" + type = string + nullable = false + default = "monit" } variable "monit_network_prefix" { - description = "Network prefix associated with the monit network" - type = string - nullable = false - validation { - condition = can(cidrnetmask(var.monit_network_prefix)) - error_message = "Invalid monitoring network prefix" - } + description = "Network prefix associated with the monit network" + type = string + nullable = false + validation { + condition = can(cidrnetmask(var.monit_network_prefix)) + error_message = "Invalid monitoring network prefix" + } } variable "ssh_public_key_opentofu_netboot_server" { - description = "SSH public key used by Opentofu to connect to the terraform_dhcp and terraform_ignition SFTP accounts" - type = string - nullable = 
false + description = "SSH public key used by Opentofu to connect to the terraform_dhcp and terraform_ignition SFTP accounts" + type = string + nullable = false } variable "ssh_public_key_admin_netboot_server" { - description = "SSH public key used to connect to the core account on the netboot_server instance" - type = string - nullable = false + description = "SSH public key used to connect to the core account on the netboot_server instance" + type = string + nullable = false +} + +variable "nextcloud_luks_passphrase" { + type = string + nullable = false + sensitive = true +} + +variable "ssh_authorized_keys" { + type = list(string) + nullable = false } \ No newline at end of file
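Review bot: The two new variables `nextcloud_luks_passphrase` and `ssh_authorized_keys` are the only ones in this file without a `description`, while every existing variable here documents its purpose. Going by the module's main.tf, which sets `sshAuthorizedKeys = var.ssh_authorized_keys` on the `core` user, something like `description = "SSH public keys accepted for the core account on the Nextcloud instance"` and `description = "Passphrase protecting the LUKS data volumes of the Nextcloud instance"` would match the file's style (the LUKS wording is inferred from the variable name and should be confirmed against the module). An empty list is currently accepted and would presumably yield a `core` account with no way in, since no other login path is visible; a `validation` block with `condition = length(var.ssh_authorized_keys) > 0` and `error_message = "At least one SSH public key is required."` would reject that at plan time, in the same style as the `cidrnetmask` checks above.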