diff --git a/main.tf b/main.tf index 850ceabe..bad17fbf 100644 --- a/main.tf +++ b/main.tf @@ -83,6 +83,9 @@ variable "ansible_prefix" { default = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup" description = "Provisioner command" } +variable "linkwarden_postgresql_password" {} +variable "linkwarden_authentik_client_id" {} +variable "linkwarden_authentik_client_secret" {} # data "terraform_remote_state" "foo" { # backend = "kubernetes" @@ -370,6 +373,10 @@ module "kubernetes_cluster" { authentik_secret_key = var.authentik_secret_key authentik_postgres_password = var.authentik_postgres_password + + linkwarden_postgresql_password = var.linkwarden_postgresql_password + linkwarden_authentik_client_id = var.linkwarden_authentik_client_id + linkwarden_authentik_client_secret = var.linkwarden_authentik_client_secret } diff --git a/modules/kubernetes/linkwarden/main.tf b/modules/kubernetes/linkwarden/main.tf new file mode 100644 index 00000000..97722a6d --- /dev/null +++ b/modules/kubernetes/linkwarden/main.tf @@ -0,0 +1,148 @@ +variable "tls_secret_name" {} +variable "postgresql_password" {} +variable "authentik_client_id" {} +variable "authentik_client_secret" {} + +resource "kubernetes_namespace" "linkwarden" { + metadata { + name = "linkwarden" + } +} + +module "tls_secret" { + source = "../setup_tls_secret" + namespace = "linkwarden" + tls_secret_name = var.tls_secret_name +} + +resource "random_string" "secret" { + length = 32 + special = true + override_special = "/@£$" +} + +resource "kubernetes_deployment" "linkwarden" { + metadata { + name = "linkwarden" + namespace = "linkwarden" + labels = { + app = "linkwarden" + } + annotations = { + "reloader.stakater.com/search" = "true" + } + } + spec { + replicas = 1 + selector { + match_labels = { + app = "linkwarden" + } + } + template { + metadata { + labels = { + app = "linkwarden" + } + } + spec { + container { + image = "ghcr.io/linkwarden/linkwarden:latest" + name = "linkwarden" + + port { + container_port = 3000 + } + env { + name = "DATABASE_URL" + value = "postgresql://linkwarden:${var.postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/linkwarden" + } + env { + name = "NEXT_PUBLIC_AUTHENTIK_ENABLED" + value = "true" + } + env { + name = "NEXTAUTH_SECRET" + value = random_string.secret.result + } + env { + name = "NEXTAUTH_URL" + value = "https://linkwarden.viktorbarzin.me/api/v1/auth" + } + env { + name = "AUTHENTIK_ISSUER" + value = "https://authentik.viktorbarzin.me/application/o/linkwarden" + } + env { + name = "AUTHENTIK_CLIENT_ID" + value = var.authentik_client_id + } + env { + name = "AUTHENTIK_CLIENT_SECRET" + value = var.authentik_client_secret + } + } + } + } + } +} +resource "kubernetes_service" "linkwarden" { + metadata { + name = "linkwarden" + namespace = "linkwarden" + labels = { + app = "linkwarden" + } + } + + spec { + selector = { + app = "linkwarden" + } + port { + name = "linkwarden" + port = 80 + target_port = 3000 + } + } +} +resource "kubernetes_ingress_v1" "linkwarden" { + metadata { + name = "linkwarden" + namespace = "linkwarden" + annotations = { + "kubernetes.io/ingress.class" = "nginx" + # "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth" + # "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" + # "nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" + # "nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" + + # "nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid" + # "nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;" + "nginx.ingress.kubernetes.io/ssl-passthrough" : true + } + } + + spec { + tls { + hosts = ["linkwarden.viktorbarzin.me"] + secret_name = var.tls_secret_name + } + rule { + host = "linkwarden.viktorbarzin.me" + http { + path { + path = "/" + backend { + service { + name = "linkwarden" + port { + number = 80 + } + } + } + } + } + } + } +} diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 326d0a47..7e68f6e5 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -63,6 +63,9 @@ variable "nextcloud_db_password" {} variable "homepage_credentials" {} variable "authentik_secret_key" {} variable "authentik_postgres_password" {} +variable "linkwarden_postgresql_password" {} +variable "linkwarden_authentik_client_id" {} +variable "linkwarden_authentik_client_secret" {} resource "null_resource" "core_services" { # List all the core modules that must be provisioned first @@ -522,3 +525,10 @@ module "authentik" { postgres_password = var.authentik_postgres_password } +module "linkwarden" { + source = "./linkwarden" + tls_secret_name = var.tls_secret_name + postgresql_password = var.linkwarden_postgresql_password + authentik_client_id = var.linkwarden_authentik_client_id + authentik_client_secret = var.linkwarden_authentik_client_secret +}