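# Ignition (spec 3.4.0) configuration for one host that runs Castopod behind
# Caddy, with MariaDB and Valkey, as systemd-managed container units placed
# under /etc/containers/systemd. The rendered JSON is local.ignition_config;
# every other local here is an input to it.
#
# Data disk layout (local.data_device_path), one ext4 filesystem per partition:
#   1  secrets   mounted at local.secrets_path (directory 0700, root:root)
#   2  media     root_owner 33:33   -> container volume castopod-media
#   3  database  root_owner 999:999 -> container volume castopod-db
#   4  cache     root_owner 999:999 -> container volume castopod-cache
#
# File/directory "mode" values are decimal, as Ignition expects; the octal
# equivalent is noted next to each one.
locals {
  # --- Caddy (reverse proxy) --------------------------------------------------
  caddy_frontend_network_name = "caddy-frontend"
  caddy_container_name        = "caddy"
  # NOTE(review): image tags are mutable; pinning by digest inside the
  # container templates would make the deployed image identity verifiable.
  caddy_version    = "2.9.1-alpine"
  caddy_config_dir = "/var/opt/caddy"

  # --- Castopod ---------------------------------------------------------------
  castopod_frontend_network_name = "castopod-frontend"
  castopod_backend_network_name  = "castopod-backend"
  castopod_media_volume_name     = "castopod-media"
  castopod_container_name        = "castopod"
  castopod_version               = "1.13.2"
  castopod_db_name               = "castopod"
  castopod_db_user               = "castopod"
  castopod_base_url              = var.base_url

  # --- Valkey (cache) ---------------------------------------------------------
  valkey_container_name    = "valkey"
  valkey_version           = "8.0-alpine"
  valkey_cache_volume_name = "castopod-cache"

  # --- MariaDB ----------------------------------------------------------------
  mariadb_container_name   = "mariadb"
  mariadb_data_volume_name = "castopod-db"
  mariadb_version          = "11.5"

  # --- Secrets ----------------------------------------------------------------
  # Secret material is produced on the host by generate_secrets.service and
  # kept on its own partition; this file passes no secret values into the
  # config (the generator itself lives in files/generate_secrets.sh.tftpl).
  secrets_part_name = "secrets"
  secrets_path      = "/var/opt/secrets"
  # systemd-escaped form of secrets_path; names the .mount unit below.
  secrets_path_escaped = "var-opt-secrets"

  # --- Data disk --------------------------------------------------------------
  data_device_path = "/dev/vdb"

  # wipeTable = true recreates the partition table, so whatever the device held
  # before provisioning is lost. Partition numbers are referenced by the
  # *_filesystem locals below, so keep "number" and the filesystem device
  # suffixes in sync.
  data_disk = {
    device    = local.data_device_path
    wipeTable = true
    partitions = [
      {
        label              = local.secrets_part_name
        number             = 1
        sizeMiB            = 1024
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
      {
        label              = local.castopod_media_volume_name
        number             = 2
        sizeMiB            = 20 * 1024
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
      {
        label              = local.mariadb_data_volume_name
        number             = 3
        sizeMiB            = 5 * 1024
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
      {
        label              = local.valkey_cache_volume_name
        number             = 4
        sizeMiB            = 1024
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
    ]
  }

  # --- Caddy files ------------------------------------------------------------
  # The config directory is root-only (0700), so the 0644 Caddyfile inside it
  # is not world-readable in practice.
  caddy_config_directory = {
    path  = local.caddy_config_dir
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 448 # 0700
  }

  # Every file below carries its rendered template as a base64 data: URL,
  # which is the inline "contents.source" form Ignition accepts.
  caddy_config_file = {
    path  = "${local.caddy_config_dir}/Caddyfile"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/Caddyfile.tftpl",
            {
              castopod_domain         = var.castopod_domain
              castopod_container_name = local.castopod_container_name
            }
          )
        )
      )
    }
  }

  caddy_frontend_network_file = {
    path  = "/etc/containers/systemd/caddy-frontend.network"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/caddy-frontend.network.tftpl",
            {
              caddy_frontend_network_name = local.caddy_frontend_network_name
            }
          )
        )
      )
    }
  }

  # Caddy joins both the public-facing caddy-frontend network and the
  # castopod-frontend network, and is handed the media volume name and the
  # upstream port so it can proxy to Castopod.
  caddy_container_file = {
    path  = "/etc/containers/systemd/caddy.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/caddy.container.tftpl",
            {
              caddy_container_name           = local.caddy_container_name
              caddy_version                  = local.caddy_version
              caddy_config_dir               = local.caddy_config_dir
              caddy_frontend_network_name    = local.caddy_frontend_network_name
              castopod_frontend_network_name = local.castopod_frontend_network_name
              castopod_upstream_port         = var.castopod_upstream_port
              castopod_media_volume_name     = local.castopod_media_volume_name
            }
          )
        )
      )
    }
  }

  # --- Secrets partition, mount and generator --------------------------------
  # NOTE(review): filesystems address partitions as "<device>N"; a
  # /dev/disk/by-partlabel/<label> path would not depend on the disk always
  # enumerating as vdb — confirm which form the target platform guarantees.
  castopod_secrets_filesystem = {
    device = "${local.data_device_path}1"
    format = "ext4"
    label  = local.secrets_part_name
  }

  castopod_secrets_directory = {
    path  = local.secrets_path
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 448 # 0700
  }

  castopod_secrets_mount_unit = {
    name    = "${local.secrets_path_escaped}.mount"
    enabled = true
    contents = templatefile(
      "${path.module}/files/secrets.mount.tftpl",
      {
        secrets_part_name = local.secrets_part_name
        secrets_path      = local.secrets_path
      }
    )
  }

  # Root-only executable (0700): it writes into secrets_path.
  castopod_generate_secrets_script_file = {
    path  = "/var/opt/generate_secrets.sh"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 448 # 0700
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/generate_secrets.sh.tftpl",
            {
              secrets_path = local.secrets_path
            }
          )
        )
      )
    }
  }

  castopod_generate_secrets_service_unit = {
    name    = "generate_secrets.service"
    enabled = true
    contents = templatefile(
      "${path.module}/files/generate_secrets.service.tftpl",
      {
        secrets_path         = local.secrets_path
        secrets_path_escaped = local.secrets_path_escaped
      }
    )
  }

  # --- Castopod networks and media volume --------------------------------------
  castopod_frontend_network_file = {
    path  = "/etc/containers/systemd/${local.castopod_frontend_network_name}.network"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/castopod-frontend.network.tftpl",
            {
              castopod_frontend_network_name = local.castopod_frontend_network_name
            }
          )
        )
      )
    }
  }

  # The backend network is shared only by Castopod, MariaDB and Valkey; Caddy
  # is not attached to it.
  castopod_backend_network_file = {
    path  = "/etc/containers/systemd/${local.castopod_backend_network_name}.network"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/castopod-backend.network.tftpl",
            {
              castopod_backend_network_name = local.castopod_backend_network_name
            }
          )
        )
      )
    }
  }

  # root_owner is set at mkfs time so the in-container uid/gid owns the volume
  # root from the start (33:33 here; 999:999 for the database and cache).
  castopod_media_volume_filesystem = {
    device = "${local.data_device_path}2"
    format = "ext4"
    label  = local.castopod_media_volume_name
    options = [
      "-E",
      "root_owner=33:33",
    ]
  }

  castopod_media_volume_file = {
    path  = "/etc/containers/systemd/${local.castopod_media_volume_name}.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/castopod-media.volume.tftpl",
            {
              castopod_media_volume_name = local.castopod_media_volume_name
            }
          )
        )
      )
    }
  }

  # --- MariaDB ----------------------------------------------------------------
  mariadb_data_volume_filesystem = {
    device = "${local.data_device_path}3"
    format = "ext4"
    label  = local.mariadb_data_volume_name
    options = [
      "-E",
      "root_owner=999:999",
    ]
  }

  mariadb_data_volume_file = {
    path  = "/etc/containers/systemd/${local.mariadb_data_volume_name}.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/mariadb-data.volume.tftpl",
            {
              mariadb_data_volume_name = local.mariadb_data_volume_name
            }
          )
        )
      )
    }
  }

  # Database credentials are not passed here; the template receives only
  # secrets_path and is expected to read them from that mount.
  mariadb_container_file = {
    path  = "/etc/containers/systemd/${local.mariadb_container_name}.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/mariadb.container.tftpl",
            {
              mariadb_container_name        = local.mariadb_container_name
              mariadb_version               = local.mariadb_version
              mariadb_data_volume_name      = local.mariadb_data_volume_name
              castopod_backend_network_name = local.castopod_backend_network_name
              castopod_db_name              = local.castopod_db_name
              castopod_db_user              = local.castopod_db_user
              secrets_path                  = local.secrets_path
            }
          )
        )
      )
    }
  }

  # --- Valkey -----------------------------------------------------------------
  valkey_cache_volume_filesystem = {
    device = "${local.data_device_path}4"
    format = "ext4"
    label  = local.valkey_cache_volume_name
    options = [
      "-E",
      "root_owner=999:999",
    ]
  }

  valkey_cache_volume_file = {
    path  = "/etc/containers/systemd/${local.valkey_cache_volume_name}.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/valkey.volume.tftpl",
            {
              valkey_cache_volume_name = local.valkey_cache_volume_name
            }
          )
        )
      )
    }
  }

  valkey_container_file = {
    path  = "/etc/containers/systemd/${local.valkey_container_name}.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/valkey.container.tftpl",
            {
              valkey_container_name         = local.valkey_container_name
              valkey_version                = local.valkey_version
              valkey_cache_volume_name      = local.valkey_cache_volume_name
              castopod_backend_network_name = local.castopod_backend_network_name
              secrets_path                  = local.secrets_path
            }
          )
        )
      )
    }
  }

  # --- Castopod application container -----------------------------------------
  castopod_container_file = {
    path  = "/etc/containers/systemd/${local.castopod_container_name}.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/castopod.container.tftpl",
            {
              castopod_version               = local.castopod_version
              castopod_container_name        = local.castopod_container_name
              castopod_frontend_network_name = local.castopod_frontend_network_name
              castopod_backend_network_name  = local.castopod_backend_network_name
              castopod_media_volume_name     = local.castopod_media_volume_name
              castopod_db_name               = local.castopod_db_name
              castopod_db_user               = local.castopod_db_user
              castopod_base_url              = local.castopod_base_url
              mariadb_container_name         = local.mariadb_container_name
              valkey_container_name          = local.valkey_container_name
              secrets_path                   = local.secrets_path
            }
          )
        )
      )
    }
  }

  # --- Assembled Ignition document --------------------------------------------
  # Only the "core" user is declared, and only with SSH public keys from
  # var.ssh_authorized_keys; no password hash is set here.
  ignition_config = jsonencode({
    ignition = {
      version = "3.4.0"
    }
    storage = {
      disks = [
        local.data_disk,
      ]
      filesystems = [
        local.castopod_secrets_filesystem,
        local.castopod_media_volume_filesystem,
        local.mariadb_data_volume_filesystem,
        local.valkey_cache_volume_filesystem,
      ]
      files = [
        local.caddy_config_file,
        local.caddy_frontend_network_file,
        local.caddy_container_file,
        local.castopod_generate_secrets_script_file,
        local.castopod_frontend_network_file,
        local.castopod_backend_network_file,
        local.castopod_media_volume_file,
        local.mariadb_data_volume_file,
        local.mariadb_container_file,
        local.valkey_cache_volume_file,
        local.valkey_container_file,
        local.castopod_container_file,
      ]
      directories = [
        local.caddy_config_directory,
        local.castopod_secrets_directory,
      ]
    }
    systemd = {
      units = [
        local.castopod_secrets_mount_unit,
        local.castopod_generate_secrets_service_unit,
      ]
    }
    passwd = {
      users = [
        {
          name              = "core"
          sshAuthorizedKeys = var.ssh_authorized_keys
        }
      ]
    }
  })
}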