fmaury/iac
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
iac/modules/nextcloud/main.tf

603 lines
No EOL
15 KiB
HCL
Raw Blame History

locals {
data_device_path = "/dev/vdb"
luks_device_name = "dm-crypt0"
caddy_container_name = "caddy"
nextcloud_container_name = "nextcloud"
postgres_container_name = "psql"
valkey_container_name = "valkey"
caddyfile_dir_path = "/opt/caddy"
caddyfile_file_path = "${local.caddyfile_dir_path}/Caddyfile"
postgres_password_secret_name = "postgres-passwd"
php_fpm_config_dir_path = "/opt/php"
php_fpm_config_file_path = "${local.php_fpm_config_dir_path}/www.conf"
caddy_data_volume_name = "caddy-data"
nextcloud_data_volume_name = "nextcloud-data"
postgres_data_volume_name = "postgres-data"
valkey_data_volume_name = "valkey-data"
caddy_image_name = "docker.io/caddy"
caddy_image_tag = "2.9.1-alpine"
nextcloud_image_name = "docker.io/nextcloud"
nextcloud_image_tag = "stable-fpm-alpine"
postgres_image_name = "docker.io/postgres"
postgres_image_tag = "12.22"
valkey_image_name = "docker.io/valkey/valkey"
valkey_image_tag = "8.0-alpine3.21"
postgres_env_file_path = "/etc/postgres.env"
data_disk = {
device = local.data_device_path
wipeTable = true
partitions = [
{
label = local.caddy_data_volume_name
number = 1
sizeMiB = 500
wipePartitionEntry = true
shouldExist = true
resize = true
},
{
label = local.nextcloud_data_volume_name
number = 2
sizeMiB = 100 * 1024
wipePartitionEntry = true
shouldExist = true
resize = true
},
{
label = local.postgres_data_volume_name
number = 3
sizeMiB = 10 * 1024
wipePartitionEntry = true
shouldExist = true
resize = true
},
{
label = local.valkey_data_volume_name
number = 4
sizeMiB = 1024
wipePartitionEntry = true
shouldExist = true
resize = true
},
]
}
caddy_data_luks = merge(
{
name = "encrypted-${local.caddy_data_volume_name}"
device = "${local.data_device_path}1"
label = "encrypted-${local.caddy_data_volume_name}"
wipeVolume = false
},
var.luks_passphrase == "" ? {} : {
keyFile = {
source = format(
"data:text/plain;base64,%s",
var.luks_passphrase
)
},
},
var.luks_use_tpm2 ? {
clevis = {
tpm2 = true
}
} : {}
)
nextcloud_data_luks = merge(
{
name = "encrypted-${local.nextcloud_data_volume_name}"
device = "${local.data_device_path}2"
label = "encrypted-${local.nextcloud_data_volume_name}"
wipeVolume = false
},
var.luks_passphrase == "" ? {} : {
keyFile = {
source = format(
"data:text/plain;base64,%s",
var.luks_passphrase
)
}
},
var.luks_use_tpm2 ? {
clevis = {
tpm2 = true
}
} : {}
)
postgres_data_luks = merge(
{
name = "encrypted-${local.postgres_data_volume_name}"
device = "${local.data_device_path}3"
label = "encrypted-${local.postgres_data_volume_name}"
wipeVolume = false
},
var.luks_passphrase == "" ? {} : {
keyFile = {
source = format(
"data:text/plain;base64,%s",
var.luks_passphrase
)
}
},
var.luks_use_tpm2 ? {
clevis = {
tpm2 = true
}
} : {}
)
valkey_data_luks = merge(
{
name = "encrypted-${local.valkey_data_volume_name}"
device = "${local.data_device_path}4"
label = "encrypted-${local.valkey_data_volume_name}"
wipeVolume = false
},
var.luks_passphrase == "" ? {} : {
keyFile = {
source = format(
"data:text/plain;base64,%s",
var.luks_passphrase
)
}
},
var.luks_use_tpm2 ? {
clevis = {
tpm2 = true
}
} : {}
)
caddy_data_filesystem = {
device = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}"
format = "ext4"
label = local.caddy_data_volume_name
wipeFilesystem = false
}
nextcloud_data_filesystem = {
device = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}"
format = "ext4"
label = local.nextcloud_data_volume_name
wipeFilesystem = false
}
postgres_data_filesystem = {
device = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}"
format = "ext4"
label = local.postgres_data_volume_name
wipeFilesystem = false
}
valkey_data_filesystem = {
device = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}"
format = "ext4"
label = local.valkey_data_volume_name
wipeFilesystem = false
options = [
"-E", "root_owner=999:999",
]
}
hostname_file = {
path = "/etc/hostname"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = "data:text/plain,nextcloud"
}
}
hosts_file = {
path = "/etc/hosts"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
append = [
{
source = format(
"data:text/plain;base64,%s",
base64encode(
"${var.reverse_proxy_ip_address} ${var.nextcloud_domain}"
)
)
}
]
}
caddy_frontend_network_file = {
path = "/etc/containers/systemd/caddy-frontend.network"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
file("${path.module}/files/caddy-frontend.network")
)
)
}
}
caddy_backend_network_file = {
path = "/etc/containers/systemd/caddy-backend.network"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
file("${path.module}/files/caddy-backend.network")
)
)
}
}
nextcloud_backend_network_file = {
path = "/etc/containers/systemd/nextcloud-backend.network"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
file("${path.module}/files/nextcloud-backend.network")
)
)
}
}
nextcloud_internet_network_file = {
path = "/etc/containers/systemd/nextcloud-internet.network"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plein;base64,%s",
base64encode(
file("${path.module}/files/nextcloud-internet.network")
)
)
}
}
caddy_data_volume_file = {
path = "/etc/containers/systemd/caddy-data.volume"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/caddy-data.volume.tftpl",
{
caddy_data_volume_name = local.caddy_data_volume_name
}
)
)
)
}
}
nextcloud_data_volume_file = {
path = "/etc/containers/systemd/nextcloud-data.volume"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/nextcloud-data.volume.tftpl",
{
nextcloud_data_volume_name = local.nextcloud_data_volume_name
}
)
)
)
}
}
postgres_data_volume_file = {
path = "/etc/containers/systemd/postgres-data.volume"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/postgres-data.volume.tftpl",
{
postgres_data_volume_name = local.postgres_data_volume_name
}
)
)
)
}
}
valkey_data_volume_file = {
path = "/etc/containers/systemd/valkey-data.volume"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/valkey-data.volume.tftpl",
{
valkey_data_volume_name = local.valkey_data_volume_name
}
)
)
)
}
}
caddy_container_file = {
path = "/etc/containers/systemd/caddy.container"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/caddy.container.tftpl",
{
caddy_container_name = local.caddy_container_name
caddy_image_name = local.caddy_image_name
caddy_image_tag = local.caddy_image_tag
caddyfile_file_path = local.caddyfile_file_path
}
)
)
)
}
}
nextcloud_container_file = {
path = "/etc/containers/systemd/nextcloud.container"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/nextcloud.container.tftpl",
{
nextcloud_container_name = local.nextcloud_container_name
nextcloud_image_name = local.nextcloud_image_name
nextcloud_image_tag = local.nextcloud_image_tag
postgres_env_file_path = local.postgres_env_file_path
postgres_container_name = local.postgres_container_name
postgres_password_secret_name = local.postgres_password_secret_name
valkey_container_name = local.valkey_container_name
nextcloud_trusted_domains = join(" ", var.nextcloud_trusted_domains)
php_upload_limit = "2048M" # variable ?
php_fpm_config_file_path = local.php_fpm_config_file_path
nextcloud_trusted_proxies = "10.0.0.0/8"
}
)
)
)
}
}
postgres_container_file = {
path = "/etc/containers/systemd/postgres.container"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/postgres.container.tftpl",
{
postgres_container_name = local.postgres_container_name
postgres_image_name = local.postgres_image_name
postgres_image_tag = local.postgres_image_tag
postgres_env_file_path = local.postgres_env_file_path
postgres_password_secret_name = local.postgres_password_secret_name
}
)
)
)
}
}
valkey_container_file = {
path = "/etc/containers/systemd/valkey.container"
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/valkey.container.tftpl",
{
valkey_container_name = local.valkey_container_name
valkey_image_name = local.valkey_image_name
valkey_image_tag = local.valkey_image_tag
}
)
)
)
}
}
caddyfile_dir = {
path = local.caddyfile_dir_path
user = { id = 0 }
group = { id = 0 }
mode = 493 # 0755
}
caddyfile_file = {
path = local.caddyfile_file_path
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/Caddyfile.tftpl",
{
nextcloud_domain = var.nextcloud_domain
nextcloud_container_name = local.nextcloud_container_name
}
)
)
)
}
}
postgres_env_file = {
path = local.postgres_env_file_path
user = { id = 0 }
group = { id = 0 }
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
templatefile(
"${path.module}/files/postgres.env.tftpl",
{
postgres_user_name = "nextcloud"
postgres_database_name = "nextcloud"
}
)
)
)
}
}
php_config_dir = {
path = local.php_fpm_config_dir_path
user = { id = 0 }
group = { id = 0 }
mode = 493 # 0755
}
php_fpm_config_file = {
path = "/opt/php/www.conf"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(
file("${path.module}/files/php-fpm-www.conf")
)
)
}
}
generate_secrets_systemd_unit = {
name = "generate-secrets.service"
enabled = true
contents = templatefile(
"${path.module}/files/generate-secrets.service.tftpl",
{
postgres_password_secret_name = local.postgres_password_secret_name
}
)
}
ignition_config = {
ignition = {
version = "3.5.0"
}
storage = {
luks = [
local.caddy_data_luks,
local.nextcloud_data_luks,
local.postgres_data_luks,
local.valkey_data_luks,
]
disks = [
local.data_disk,
]
filesystems = [
local.caddy_data_filesystem,
local.nextcloud_data_filesystem,
local.postgres_data_filesystem,
local.valkey_data_filesystem,
]
directories = [
local.caddyfile_dir,
local.php_config_dir,
]
files = [
local.hostname_file,
local.hosts_file,
local.caddy_frontend_network_file,
local.caddy_backend_network_file,
local.nextcloud_backend_network_file,
local.nextcloud_internet_network_file,
local.caddy_data_volume_file,
local.nextcloud_data_volume_file,
local.postgres_data_volume_file,
local.valkey_data_volume_file,
local.caddy_container_file,
local.nextcloud_container_file,
local.postgres_container_file,
local.valkey_container_file,
local.caddyfile_file,
local.postgres_env_file,
local.php_fpm_config_file,
]
}
systemd = {
units = [
local.generate_secrets_systemd_unit,
]
}
passwd = {
users = [
{
name = "core"
sshAuthorizedKeys = var.ssh_authorized_keys
}
]
}
}
}
Reference in a new issue View git blame Copy permalink