From 7d8110f41d389ecf96d1b21825582d3ff6737bf9 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 3 Nov 2023 23:27:12 +0000
Subject: [PATCH] add option to specify which ingresses are protected and also expose list of paths to allow [ci skip]
---
 .../kubernetes/reverse_proxy/factory/main.tf | 35 ++++++++++++++-----
 modules/kubernetes/reverse_proxy/main.tf | 12 +++++++
 2 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/modules/kubernetes/reverse_proxy/factory/main.tf b/modules/kubernetes/reverse_proxy/factory/main.tf
index c1c265eb..36cfa241 100644
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@@ -10,6 +10,14 @@ variable "tls_secret_name" {}
 variable "backend_protocol" {
 default = "HTTP"
 }
+variable "protected" {
+ type = bool
+ default = true
+}
+variable "ingress_path" {
+ type = list(string)
+ default = ["/"]
+}
 
 
 resource "kubernetes_service" "proxied-service" {
@@ -41,8 +49,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 annotations = {
 "nginx.ingress.kubernetes.io/backend-protocol" = "${var.backend_protocol}"
 "kubernetes.io/ingress.class" = "nginx"
- "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
- "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+ "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/auth" : null
+ "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" : null
 }
 }
 
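Review bot: The two new variables in factory/main.tf, `protected` and `ingress_path`, have no `description`, so a caller of the module cannot tell that `protected` switches the oauth2 auth annotations on the ingress or that `ingress_path` is the list of URL paths routed to the backend. I would add `description = "When true, requests must pass the oauth2 auth-url check configured on the ingress."` to `protected` and `description = "URL paths routed to the backend; when protected is false they are reachable without authentication."` to `ingress_path`. The default of `true` keeps existing callers behind authentication, which is the right fail-safe and worth stating in the description.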
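Review bot: The two `var.protected ? "…" : null` entries in `annotations` keep both keys in the map with null values when `protected` is false, so whether the auth annotations are really absent from the ingress depends on how the provider treats null map elements, which this diff does not show. Building the map with `merge()` and an empty map for the unprotected case makes the absence explicit and keeps `auth-url` and `auth-signin` together, so one cannot be dropped without the other. The `kubernetes_ingress_v1` resource starts before and continues after this hunk.

```hcl
annotations = merge(
  {
    # … unchanged: backend-protocol and ingress.class annotations …
  },
  var.protected ? {
    "nginx.ingress.kubernetes.io/auth-url"    = "https://oauth2.viktorbarzin.me/oauth2/auth"
    "nginx.ingress.kubernetes.io/auth-signin" = "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
  } : {}
)
```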
@@ -54,18 +62,27 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 rule {
 host = "${var.name}.viktorbarzin.me"
 http {
- path {
- path = "/"
- backend {
- service {
+ dynamic "path" {
+ # for_each = { for pr in var.ingress_path : pr => pr }
+ for_each = var.ingress_path
 
- name = var.name
- port {
- number = var.port
+ content {
+ path = path.value
+ backend {
+ service {
+
+ name = var.name
+ port {
+ number = var.port
+ }
 }
 }
 }
 }
+ # path {
+ # # path = var.ingress_path
+ # path = each.value
+ # }
 }
 }
 }
diff --git a/modules/kubernetes/reverse_proxy/main.tf b/modules/kubernetes/reverse_proxy/main.tf
index 79f5e938..7842e682 100644
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@@ -35,6 +35,18 @@ module "nas" {
 backend_protocol = "HTTPS"
 }
 
+# https://files.viktorbarzin.me/
+module "nas-files" {
+ source = "./factory"
+ name = "files"
+ external_name = "nas.viktorbarzin.lan"
+ port = 5001
+ tls_secret_name = var.tls_secret_name
+ backend_protocol = "HTTPS"
+ protected = false # allow anyone to download files
+ ingress_path = ["/sharing", "/scripts", "/webman", "/wfmlogindialog.js"]
+}
+
 # https://idrac.viktorbarzin.me/
 module "idrac" {
 source = "./factory"
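Review bot: The generated `path` blocks set only `path = path.value` and no `path_type`, so how each entry of `ingress_path` is matched is left to the provider default and the ingress controller. Because this list is the allow-list for modules that turn authentication off, the matching should be stated explicitly, for example `path_type = "Prefix"` next to `path = path.value` inside `content`. The commented-out `# for_each = { for pr in … }` line and the trailing `# path { … }` block look like development leftovers and should be removed. The `kubernetes_ingress_v1` resource starts outside this hunk.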
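Review bot: `protected = false` on `nas-files` removes the oauth2 check for everything routed on the `files` host, and `/scripts` and `/webman` look like web-UI paths of the NAS rather than download paths, so the inline comment `# allow anyone to download files` understates what becomes reachable without the proxy's authentication. If the entries are matched as prefixes, everything beneath each one is public and the NAS's own login and share-link controls are the only remaining gate. I would narrow `ingress_path` to what the sharing page actually loads and change the comment to say so, e.g. `# no oauth2 at the proxy: everything under ingress_path is public, NAS share-link auth is the only control`. The diff does not show what answers for paths outside the list on this host, which is worth confirming.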