add postgresql to dbaas [ci skip]

main.tf

@@ -28,6 +28,8 @@ variable "bind_named_conf_options" {}
 variable "alertmanager_account_password" {}
 variable "wireguard_wg_0_key" {}
 variable "dbaas_root_password" {}
+variable "dbaas_postgresql_root_password" {}
+variable "dbaas_pgadmin_password" {}
 variable "drone_github_client_id" {}
 variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
@@ -58,6 +60,8 @@ variable "headscale_config" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
 variable "vaultwarden_smtp_password" {}
+variable "resume_database_url" {}
+variable "resume_redis_url" {}
 
 variable "ansible_prefix" {
   default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@@ -264,7 +268,9 @@ module "kubernetes_cluster" {
   url_shortener_mysql_password      = var.url_shortener_mysql_password
 
   # dbaas
-  dbaas_root_password = var.dbaas_root_password
+  dbaas_root_password            = var.dbaas_root_password
+  dbaas_postgresql_root_password = var.dbaas_postgresql_root_password
+  dbaas_pgadmin_password         = var.dbaas_pgadmin_password
 
   # home-assistant
   home_assistant_configuration = var.home_assistant_configuration
@@ -286,6 +292,9 @@ module "kubernetes_cluster" {
   ingress_honeypotapikey = var.ingress_honeypotapikey
 
   vaultwarden_smtp_password = var.vaultwarden_smtp_password
+
+  resume_redis_url    = var.resume_redis_url
+  resume_database_url = var.resume_database_url
 }
 
 

modules/kubernetes/dbaas/main.tf

@@ -4,6 +4,8 @@ variable "dbaas_root_password" {}
 variable "cluster_master_service" {
   default = "mysql"
 }
+variable "postgresql_root_password" {}
+variable "pgadmin_password" {}
 variable "prod" {
   default = false
   type    = bool
@@ -403,7 +405,6 @@ resource "kubernetes_ingress_v1" "phpmyadmin" {
       }
     }
   }
-
 }
 
 
@@ -641,3 +642,200 @@ resource "kubernetes_ingress_v1" "phpmyadmin" {
 #             status: {}
 #   EOF
 # }
+
+resource "kubernetes_deployment" "postgres" {
+  metadata {
+    name      = "postgresql"
+    namespace = "dbaas"
+    annotations = {
+      "reloader.stakater.com/search" = "true"
+    }
+  }
+  spec {
+    selector {
+      match_labels = {
+        app = "postgresql"
+      }
+    }
+    strategy {
+      type = "Recreate"
+    }
+    template {
+      metadata {
+        labels = {
+          app = "postgresql"
+        }
+      }
+      spec {
+        container {
+          image = "postgres"
+          name  = "postgresql"
+          env {
+            name  = "POSTGRES_PASSWORD"
+            value = var.postgresql_root_password
+          }
+          env {
+            name  = "POSTGRES_USER"
+            value = "root"
+          }
+          port {
+            container_port = 5432
+            protocol       = "TCP"
+            name           = "postgresql"
+          }
+          volume_mount {
+            name       = "postgresql-persistent-storage"
+            mount_path = "/var/lib/postgresql/data"
+          }
+          # volume_mount {
+          #   name       = "mycnf"
+          #   mount_path = "/etc/my.cnf"
+          #   sub_path   = "my.cnf"
+          # }
+        }
+        volume {
+          name = "postgresql-persistent-storage"
+          nfs {
+            path   = "/mnt/main/postgresql/data"
+            server = "10.0.10.15"
+          }
+        }
+        # volume {
+        #   name = "mycnf"
+
+        #   config_map {
+        #     name = "mycnf"
+        #   }
+        # }
+      }
+    }
+  }
+}
+resource "kubernetes_service" "postgresql" {
+  metadata {
+    name      = "postgresql"
+    namespace = "dbaas"
+  }
+  spec {
+    selector = {
+      "app" = "postgresql"
+    }
+    port {
+      name        = "postgresql"
+      port        = 5432
+      target_port = 5432
+    }
+  }
+}
+
+#### PGADMIN
+
+resource "kubernetes_deployment" "pgadmin" {
+  metadata {
+    name      = "pgadmin"
+    namespace = "dbaas"
+    annotations = {
+      "reloader.stakater.com/search" = "true"
+    }
+  }
+  spec {
+    selector {
+      match_labels = {
+        app = "pgadmin"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "pgadmin"
+        }
+      }
+      spec {
+        container {
+          image = "dpage/pgadmin4"
+          name  = "pgadmin"
+          env {
+            name  = "PGADMIN_DEFAULT_EMAIL"
+            value = "me@viktorbarzin.me"
+          }
+          env {
+            name = "PGADMIN_DEFAULT_PASSWORD"
+            # Changed at startup
+            value = var.pgadmin_password
+          }
+          port {
+            container_port = 80
+            name           = "web"
+          }
+          volume_mount {
+            name       = "pgadmin"
+            mount_path = "/var/lib/pgadmin/"
+          }
+
+        }
+        volume {
+          name = "pgadmin"
+          # config_map {
+          #   name = "pgadmin-config"
+          # }
+          nfs {
+            path   = "/mnt/main/postgresql/pgadmin"
+            server = "10.0.10.15"
+          }
+        }
+      }
+    }
+  }
+}
+resource "kubernetes_service" "pgadmin" {
+  metadata {
+    name      = "pgadmin"
+    namespace = "dbaas"
+  }
+  spec {
+    selector = {
+      "app" = "pgadmin"
+    }
+    port {
+      name = "pgadmin"
+      port = 80
+    }
+  }
+}
+resource "kubernetes_ingress_v1" "pgadmin" {
+  metadata {
+    name      = "pgadmin"
+    namespace = "dbaas"
+
+    annotations = {
+      "kubernetes.io/ingress.class" = "nginx"
+      # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+      # "nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
+      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+      "nginx.ingress.kubernetes.io/proxy-body-size" : "50m"
+    }
+  }
+  spec {
+    tls {
+      hosts       = ["pgadmin.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "pgadmin.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "pgadmin"
+              port {
+                number = 80
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

modules/kubernetes/main.tf

@@ -16,6 +16,8 @@ variable "bind_db_viktorbarzin_lan" {}
 variable "bind_named_conf_options" {}
 variable "alertmanager_account_password" {}
 variable "dbaas_root_password" {}
+variable "dbaas_postgresql_root_password" {}
+variable "dbaas_pgadmin_password" {}
 variable "drone_github_client_id" {}
 variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
@@ -45,6 +47,8 @@ variable "headscale_config" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
 variable "vaultwarden_smtp_password" {}
+variable "resume_database_url" {}
+variable "resume_redis_url" {}
 
 resource "null_resource" "core_services" {
   # List all the core modules that must be provisioned first
@@ -67,10 +71,12 @@ module "blog" {
 # }
 
 module "dbaas" {
-  source              = "./dbaas"
+  source                   = "./dbaas"
-  prod                = var.prod
+  prod                     = var.prod
-  tls_secret_name     = var.tls_secret_name
+  tls_secret_name          = var.tls_secret_name
-  dbaas_root_password = var.dbaas_root_password
+  dbaas_root_password      = var.dbaas_root_password
+  postgresql_root_password = var.dbaas_postgresql_root_password
+  pgadmin_password = var.dbaas_pgadmin_password
 }
 
 module "descheduler" {
@@ -352,3 +358,11 @@ module "crowdsec" {
   source          = "./crowdsec"
   tls_secret_name = var.tls_secret_name
 }
+
+# Seems like it needs S3 even if pg is local...
+# module "resume" {
+#   source          = "./resume"
+#   tls_secret_name = var.tls_secret_name
+#   redis_url       = var.resume_redis_url
+#   database_url    = var.resume_database_url
+# }