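locals {
  # Block device holding all persistent application data. It is partitioned
  # below (data_disk) into one LUKS-encrypted partition per podman volume.
  data_device_path = "/dev/vdb"
  luks_device_name = "dm-crypt0"

  # Quadlet container names. These are also the names the templated
  # .container units reach each other by on the podman networks.
  caddy_container_name     = "caddy"
  nextcloud_container_name = "nextcloud"
  postgres_container_name  = "psql"
  valkey_container_name    = "valkey"

  caddyfile_dir_path  = "/opt/caddy"
  caddyfile_file_path = "${local.caddyfile_dir_path}/Caddyfile"

  # Name of the podman secret that generate-secrets.service creates; both
  # the postgres and nextcloud units receive it through their templates.
  postgres_password_secret_name = "postgres-passwd"

  php_fpm_config_dir_path  = "/opt/php"
  php_fpm_config_file_path = "${local.php_fpm_config_dir_path}/www.conf"

  # Podman volume names. Each one is backed by its own partition, LUKS
  # container and ext4 filesystem defined further down.
  caddy_data_volume_name     = "caddy-data"
  nextcloud_data_volume_name = "nextcloud-data"
  postgres_data_volume_name  = "postgres-data"
  valkey_data_volume_name    = "valkey-data"

  # Container images. Tags are mutable references; "stable-fpm-alpine" in
  # particular floats, so two provisionings may not pull the same image.
  caddy_image_name     = "docker.io/caddy"
  caddy_image_tag      = "2.9.1-alpine"
  nextcloud_image_name = "docker.io/nextcloud"
  nextcloud_image_tag  = "stable-fpm-alpine"
  postgres_image_name  = "docker.io/postgres"
  # PostgreSQL 12 reached end-of-life in November 2024 (12.22 is its final
  # release), so this image no longer receives security fixes. Changing the
  # major version here does NOT migrate the existing data directory; a
  # pg_upgrade/dump-restore step has to be planned alongside it.
  postgres_image_tag = "12.22"
  valkey_image_name  = "docker.io/valkey/valkey"
  valkey_image_tag   = "8.0-alpine3.21"

  # Env file consumed by the postgres and nextcloud container units.
  postgres_env_file_path = "/etc/postgres.env"

  # Partition layout of the data disk. Ignition applies this on first boot;
  # wipeTable/wipePartitionEntry mean an existing table on the device is
  # discarded at that point. Partition numbers must match the device
  # suffixes used in the *_data_luks entries below.
  data_disk = {
    device    = local.data_device_path
    wipeTable = true
    partitions = [
      {
        label              = local.caddy_data_volume_name
        number             = 1
        sizeMiB            = 500
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
      {
        label              = local.nextcloud_data_volume_name
        number             = 2
        sizeMiB            = 100 * 1024
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
      {
        label              = local.postgres_data_volume_name
        number             = 3
        sizeMiB            = 10 * 1024
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
      {
        label              = local.valkey_data_volume_name
        number             = 4
        sizeMiB            = 1024
        wipePartitionEntry = true
        shouldExist        = true
        resize             = true
      },
    ]
  }

  # Key material shared by every LUKS volume, merged into each *_data_luks
  # entry. Both parts are optional and independent:
  #   - keyFile:     static passphrase taken from var.luks_passphrase
  #   - clevis.tpm2: bind the volume to the host's TPM2
  # NOTE(review): var.luks_passphrase is spliced into the base64 data URL
  # as-is, whereas every other data URL in this file wraps its payload in
  # base64encode(). The variable therefore has to be supplied already
  # base64-encoded — confirm against its declaration and the callers.
  # Whatever is set here becomes part of the rendered Ignition config and
  # of Terraform state; both must be handled as secrets. If neither option
  # is set, the key source is left to Ignition's default behaviour —
  # verify against the Ignition 3.5.0 spec that this is the intended
  # fallback rather than a silent misconfiguration.
  luks_optional_config = merge(
    var.luks_passphrase == "" ? {} : {
      keyFile = {
        source = format("data:text/plain;base64,%s", var.luks_passphrase)
      }
    },
    var.luks_use_tpm2 ? { clevis = { tpm2 = true } } : {},
  )

  # One LUKS container per data partition. "device" is the partition
  # number appended to the raw disk path; "name" is what the mapped device
  # shows up as under /dev/disk/by-id/dm-name-<name>.
  caddy_data_luks = merge(
    {
      name       = "encrypted-${local.caddy_data_volume_name}"
      device     = "${local.data_device_path}1"
      label      = "encrypted-${local.caddy_data_volume_name}"
      wipeVolume = false
    },
    local.luks_optional_config,
  )

  nextcloud_data_luks = merge(
    {
      name       = "encrypted-${local.nextcloud_data_volume_name}"
      device     = "${local.data_device_path}2"
      label      = "encrypted-${local.nextcloud_data_volume_name}"
      wipeVolume = false
    },
    local.luks_optional_config,
  )

  postgres_data_luks = merge(
    {
      name       = "encrypted-${local.postgres_data_volume_name}"
      device     = "${local.data_device_path}3"
      label      = "encrypted-${local.postgres_data_volume_name}"
      wipeVolume = false
    },
    local.luks_optional_config,
  )

  valkey_data_luks = merge(
    {
      name       = "encrypted-${local.valkey_data_volume_name}"
      device     = "${local.data_device_path}4"
      label      = "encrypted-${local.valkey_data_volume_name}"
      wipeVolume = false
    },
    local.luks_optional_config,
  )

  # ext4 filesystems created on top of the mapped LUKS devices. The
  # filesystem label equals the podman volume name so the *.volume
  # templates can address it by label.
  caddy_data_filesystem = {
    device         = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}"
    format         = "ext4"
    label          = local.caddy_data_volume_name
    wipeFilesystem = false
  }

  nextcloud_data_filesystem = {
    device         = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}"
    format         = "ext4"
    label          = local.nextcloud_data_volume_name
    wipeFilesystem = false
  }

  postgres_data_filesystem = {
    device         = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}"
    format         = "ext4"
    label          = local.postgres_data_volume_name
    wipeFilesystem = false
  }

  valkey_data_filesystem = {
    device         = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}"
    format         = "ext4"
    label          = local.valkey_data_volume_name
    wipeFilesystem = false
    # Root of the filesystem is created owned by uid/gid 999 (mkfs.ext4
    # -E root_owner). Presumably the valkey image runs as that id — verify
    # against the image before changing it.
    options = [
      "-E",
      "root_owner=999:999",
    ]
  }

  # --- /etc files written by Ignition -------------------------------------
  # All files below are root-owned; mode is given in decimal as Ignition
  # requires (420 = 0644, 493 = 0755).

  hostname_file = {
    path  = "/etc/hostname"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = "data:text/plain,nextcloud"
    }
  }

  # Pins the public Nextcloud domain to the reverse proxy so that the host
  # (and the containers resolving through it) reach the proxy directly.
  hosts_file = {
    path  = "/etc/hosts"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    append = [
      {
        source = format(
          "data:text/plain;base64,%s",
          base64encode("${var.reverse_proxy_ip_address} ${var.nextcloud_domain}")
        )
      }
    ]
  }

  # Quadlet network definitions, copied verbatim from files/.
  caddy_frontend_network_file = {
    path  = "/etc/containers/systemd/caddy-frontend.network"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(file("${path.module}/files/caddy-frontend.network"))
      )
    }
  }

  caddy_backend_network_file = {
    path  = "/etc/containers/systemd/caddy-backend.network"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(file("${path.module}/files/caddy-backend.network"))
      )
    }
  }

  nextcloud_backend_network_file = {
    path  = "/etc/containers/systemd/nextcloud-backend.network"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(file("${path.module}/files/nextcloud-backend.network"))
      )
    }
  }

  nextcloud_internet_network_file = {
    path  = "/etc/containers/systemd/nextcloud-internet.network"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      # Media type was misspelled "text/plein" here, unlike every other
      # data URL in this file; fixed to the standard "text/plain".
      source = format(
        "data:text/plain;base64,%s",
        base64encode(file("${path.module}/files/nextcloud-internet.network"))
      )
    }
  }

  # Quadlet volume definitions, templated with the volume name.
  caddy_data_volume_file = {
    path  = "/etc/containers/systemd/caddy-data.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/caddy-data.volume.tftpl",
            { caddy_data_volume_name = local.caddy_data_volume_name }
          )
        )
      )
    }
  }

  nextcloud_data_volume_file = {
    path  = "/etc/containers/systemd/nextcloud-data.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/nextcloud-data.volume.tftpl",
            { nextcloud_data_volume_name = local.nextcloud_data_volume_name }
          )
        )
      )
    }
  }

  postgres_data_volume_file = {
    path  = "/etc/containers/systemd/postgres-data.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/postgres-data.volume.tftpl",
            { postgres_data_volume_name = local.postgres_data_volume_name }
          )
        )
      )
    }
  }

  valkey_data_volume_file = {
    path  = "/etc/containers/systemd/valkey-data.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/valkey-data.volume.tftpl",
            { valkey_data_volume_name = local.valkey_data_volume_name }
          )
        )
      )
    }
  }

  # Quadlet container units.
  caddy_container_file = {
    path  = "/etc/containers/systemd/caddy.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/caddy.container.tftpl",
            {
              caddy_container_name = local.caddy_container_name
              caddy_image_name     = local.caddy_image_name
              caddy_image_tag      = local.caddy_image_tag
              caddyfile_file_path  = local.caddyfile_file_path
            }
          )
        )
      )
    }
  }

  nextcloud_container_file = {
    path  = "/etc/containers/systemd/nextcloud.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/nextcloud.container.tftpl",
            {
              nextcloud_container_name      = local.nextcloud_container_name
              nextcloud_image_name          = local.nextcloud_image_name
              nextcloud_image_tag           = local.nextcloud_image_tag
              postgres_env_file_path        = local.postgres_env_file_path
              postgres_container_name       = local.postgres_container_name
              postgres_password_secret_name = local.postgres_password_secret_name
              valkey_container_name         = local.valkey_container_name
              nextcloud_trusted_domains     = join(" ", var.nextcloud_trusted_domains)
              # TODO: candidate for a module variable.
              php_upload_limit         = "2048M"
              php_fpm_config_file_path = local.php_fpm_config_file_path
              # Nextcloud honours X-Forwarded-* headers (client IP, scheme)
              # from any source in this range. Narrow it to the subnet the
              # caddy container actually lives on — presumably the one in
              # files/caddy-backend.network — so that only the proxy can
              # spoof client addresses; confirm the subnet before changing.
              nextcloud_trusted_proxies = "10.0.0.0/8"
            }
          )
        )
      )
    }
  }

  postgres_container_file = {
    path  = "/etc/containers/systemd/postgres.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/postgres.container.tftpl",
            {
              postgres_container_name       = local.postgres_container_name
              postgres_image_name           = local.postgres_image_name
              postgres_image_tag            = local.postgres_image_tag
              postgres_env_file_path        = local.postgres_env_file_path
              postgres_password_secret_name = local.postgres_password_secret_name
            }
          )
        )
      )
    }
  }

  valkey_container_file = {
    path  = "/etc/containers/systemd/valkey.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/valkey.container.tftpl",
            {
              valkey_container_name = local.valkey_container_name
              valkey_image_name     = local.valkey_image_name
              valkey_image_tag      = local.valkey_image_tag
            }
          )
        )
      )
    }
  }

  # Caddy configuration, bind-mounted into the caddy container by its unit.
  caddyfile_dir = {
    path  = local.caddyfile_dir_path
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 493 # 0755
  }

  caddyfile_file = {
    path  = local.caddyfile_file_path
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/Caddyfile.tftpl",
            {
              nextcloud_domain         = var.nextcloud_domain
              nextcloud_container_name = local.nextcloud_container_name
            }
          )
        )
      )
    }
  }

  # Non-secret postgres settings; the password itself comes from the podman
  # secret named in postgres_password_secret_name, not from this file.
  postgres_env_file = {
    path  = local.postgres_env_file_path
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(
          templatefile(
            "${path.module}/files/postgres.env.tftpl",
            {
              postgres_user_name     = "nextcloud"
              postgres_database_name = "nextcloud"
            }
          )
        )
      )
    }
  }

  # PHP-FPM pool config, bind-mounted into the nextcloud container.
  php_config_dir = {
    path  = local.php_fpm_config_dir_path
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 493 # 0755
  }

  php_fpm_config_file = {
    # Previously hard-coded as "/opt/php/www.conf"; now derived from the
    # same local the nextcloud container template receives, so the two
    # cannot drift apart.
    path  = local.php_fpm_config_file_path
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(file("${path.module}/files/php-fpm-www.conf"))
      )
    }
  }

  # --- systemd units ------------------------------------------------------

  # Creates the podman secret holding the postgres password on first boot.
  generate_secrets_systemd_unit = {
    name    = "generate-secrets.service"
    enabled = true
    contents = templatefile(
      "${path.module}/files/generate-secrets.service.tftpl",
      { postgres_password_secret_name = local.postgres_password_secret_name }
    )
  }

  # Nextcloud background job; the service is only started by its timer,
  # which is why it is not enabled on its own.
  nextcloud_cronjob_service_unit = {
    name = "nextcloud-cronjob.service"
    contents = templatefile(
      "${path.module}/files/nextcloud-cronjob.service.tftpl",
      { nextcloud_container_name = local.nextcloud_container_name }
    )
  }

  nextcloud_cronjob_timer_unit = {
    name     = "nextcloud-cronjob.timer"
    enabled  = true
    contents = file("${path.module}/files/nextcloud-cronjob.timer")
  }

  # --- assembled Ignition config ------------------------------------------
  # Ordering within storage matters to Ignition: disks are partitioned,
  # then LUKS containers are set up, then filesystems created, then
  # directories and files written.
  ignition_config = {
    ignition = { version = "3.5.0" }
    storage = {
      luks = [
        local.caddy_data_luks,
        local.nextcloud_data_luks,
        local.postgres_data_luks,
        local.valkey_data_luks,
      ]
      disks = [
        local.data_disk,
      ]
      filesystems = [
        local.caddy_data_filesystem,
        local.nextcloud_data_filesystem,
        local.postgres_data_filesystem,
        local.valkey_data_filesystem,
      ]
      directories = [
        local.caddyfile_dir,
        local.php_config_dir,
      ]
      files = [
        local.hostname_file,
        local.hosts_file,
        local.caddy_frontend_network_file,
        local.caddy_backend_network_file,
        local.nextcloud_backend_network_file,
        local.nextcloud_internet_network_file,
        local.caddy_data_volume_file,
        local.nextcloud_data_volume_file,
        local.postgres_data_volume_file,
        local.valkey_data_volume_file,
        local.caddy_container_file,
        local.nextcloud_container_file,
        local.postgres_container_file,
        local.valkey_container_file,
        local.caddyfile_file,
        local.postgres_env_file,
        local.php_fpm_config_file,
      ]
    }
    systemd = {
      units = [
        local.generate_secrets_systemd_unit,
        local.nextcloud_cronjob_service_unit,
        local.nextcloud_cronjob_timer_unit,
      ]
    }
    # Only key-based SSH access for "core" is configured; no password is set.
    passwd = {
      users = [
        {
          name              = "core"
          sshAuthorizedKeys = var.ssh_authorized_keys
        }
      ]
    }
  }
}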