diff --git a/main.tf b/main.tf
index 888a81c6..b9dfe94a 100644
--- a/main.tf
+++ b/main.tf
@@ -98,6 +98,7 @@ variable "cloudflare_non_proxied_names" {}
 variable "cloudflare_tunnel_token" {}
 variable "owntracks_credentials" {}
 variable "dawarich_database_password" {}
+variable "tandoor_database_password" {}
 # data "terraform_remote_state" "foo" {
 # backend = "kubernetes"
@@ -406,6 +407,9 @@ module "kubernetes_cluster" {
 owntracks_credentials = var.owntracks_credentials
 dawarich_database_password = var.dawarich_database_password
+
+ tandoor_database_password = var.tandoor_database_password
+ tandoor_email_password = var.mailserver_accounts["info@viktorbarzin.me"]
 }
diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
new file mode 100644
index 00000000..f629611a
--- /dev/null
+++ b/modules/kubernetes/ingress_factory/main.tf
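Review bot: `variable "tandoor_database_password" {}` in the -98 hunk is declared without `sensitive = true`, so Terraform will echo the value in plan and apply output wherever it is interpolated; the declaration should read `variable "tandoor_database_password" { type = string; sensitive = true }`. The same applies to the two new declarations in `modules/kubernetes/main.tf` at -77 and to the three at the top of `modules/kubernetes/tandoor/main.tf`. In the -406 hunk, `var.mailserver_accounts["info@viktorbarzin.me"]` hands the shared `info@` mailbox credential to another application, and a plan fails outright if that key is ever removed from the map; a per-service mail account would keep a compromise of tandoor from exposing a mailbox used elsewhere. `module "kubernetes_cluster"` begins and ends outside the hunk.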
@@ -0,0 +1,113 @@
+
+variable "name" { type = string } // must match service name; translates to host
+variable "namespace" { type = string }
+variable "external_name" {
+ type = string
+ default = null
+}
+variable "port" {
+ default = "80"
+}
+variable "tls_secret_name" {}
+variable "backend_protocol" {
+ default = "HTTP"
+}
+variable "protected" {
+ type = bool
+ default = false
+}
+variable "ingress_path" {
+ type = list(string)
+ default = ["/"]
+}
+variable "max_body_size" {
+ type = string
+ default = "50m"
+}
+variable "use_proxy_protocol" {
+ type = bool
+ default = true
+}
+variable "proxy_timeout" {
+ type = number
+ default = 60
+}
+variable "extra_annotations" {
+ default = {}
+}
+
+
+resource "kubernetes_service" "proxied-service" {
+ count = var.external_name == null ? 0 : 1
+ metadata {
+ name = var.name
+ namespace = var.namespace
+ labels = {
+ "app" = var.name
+ }
+ }
+
+ spec {
+ type = var.external_name != null ? "ExternalName" : "ClusterIP"
+ external_name = var.name
+
+ port {
+ name = "${var.name}-web"
+ port = var.port
+ protocol = "TCP"
+ target_port = var.port
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "proxied-ingress" {
+ metadata {
+ name = var.name
+ namespace = var.namespace
+ annotations = merge({
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/backend-protocol" = "${var.backend_protocol}"
+
+ "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" : null
+ "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" : null
+ "nginx.ingress.kubernetes.io/auth-snippet" : var.protected ? "proxy_set_header X-Forwarded-Host $http_host;" : null
+
+ "nginx.ingress.kubernetes.io/proxy-body-size" : var.max_body_size
+ "nginx.ingress.kubernetes.io/use-proxy-protocol" : var.use_proxy_protocol
+ "nginx.ingress.kubernetes.io/proxy-connect-timeout" : var.proxy_timeout
+ "nginx.ingress.kubernetes.io/proxy-send-timeout" : var.proxy_timeout
+ "nginx.ingress.kubernetes.io/proxy-read-timeout" : var.proxy_timeout
+
+ }, var.extra_annotations)
+ }
+
+ spec {
+ tls {
+ hosts = ["${var.name}.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "${var.name}.viktorbarzin.me"
+ http {
+ dynamic "path" {
+ # for_each = { for pr in var.ingress_path : pr => pr }
+ for_each = var.ingress_path
+
+ content {
+ path = path.value
+ backend {
+ service {
+
+ name = var.name
+ port {
+ number = var.port
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 8b3a6d61..5c8991db 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -77,6 +77,8 @@ variable "cloudflare_proxied_names" {}
 variable "cloudflare_non_proxied_names" {}
 variable "owntracks_credentials" {}
 variable "dawarich_database_password" {}
+variable "tandoor_database_password" {}
+variable "tandoor_email_password" {}
 resource "null_resource" "core_services" {
 # List all the core modules that must be provisioned first
@@ -575,3 +577,9 @@ module "changedetection" {
 source = "./changedetection"
 tls_secret_name = var.tls_secret_name
 }
+module "tandoor" {
+ source = "./tandoor"
+ tls_secret_name = var.tls_secret_name
+ tandoor_database_password = var.tandoor_database_password
+ tandoor_email_password = var.tandoor_email_password
+}
diff --git a/modules/kubernetes/tandoor/main.tf b/modules/kubernetes/tandoor/main.tf
new file mode 100644
index 00000000..984181af
--- /dev/null
+++ b/modules/kubernetes/tandoor/main.tf
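Review bot: `external_name = var.name` in `kubernetes_service.proxied-service` points the ExternalName record at the service's own name, while `var.external_name` is declared, gates `count`, and is otherwise never used; this looks like it should be `external_name = var.external_name`. The `auth-url`, `auth-signin` and `auth-snippet` entries evaluate to `null` whenever `protected` is false, and `annotations` is a `map(string)` attribute, so confirm a null element is accepted at plan time rather than rejected — dropping them with `{ for k, v in merge({ ... }, var.extra_annotations) : k => v if v != null }` sidesteps the question. The `auth-snippet` annotation only takes effect when the ingress-nginx controller has snippet annotations enabled, and `kubernetes.io/ingress.class` is the deprecated form of `spec { ingress_class_name = "nginx" }`. Because `protected` defaults to `false`, every caller of this module publishes its host without forward-auth unless it opts in; a comment on that variable such as `# default: no authentik forward-auth; set true for anything not meant to be public` would make the choice explicit at each call site.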
@@ -0,0 +1,169 @@
+variable "tls_secret_name" {}
+variable "tandoor_database_password" {}
+variable "tandoor_email_password" {}
+
+resource "kubernetes_namespace" "tandoor" {
+ metadata {
+ name = "tandoor"
+ labels = {
+ "istio-injection" : "disabled"
+ }
+ }
+}
+resource "random_password" "secret_key" {
+ length = 128
+ special = false
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "tandoor"
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "tandoor" {
+ metadata {
+ name = "tandoor"
+ namespace = "tandoor"
+ labels = {
+ app = "tandoor"
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ type = "Recreate"
+ }
+ selector {
+ match_labels = {
+ app = "tandoor"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "tandoor"
+ }
+ }
+ spec {
+ container {
+ name = "recipes"
+ image = "vabene1111/recipes"
+ image_pull_policy = "IfNotPresent"
+ env {
+ name = "SECRET_KEY"
+ value = base64encode(random_password.secret_key.result)
+ }
+ env {
+ name = "DB_ENGINE"
+ value = "django.db.backends.postgresql"
+ }
+ env {
+ name = "POSTGRES_HOST"
+ value = "postgresql.dbaas.svc.cluster.local"
+ }
+ env {
+ name = "POSTGRES_PORT"
+ value = 5432
+ }
+ env {
+ name = "POSTGRES_USER"
+ value = "tandoor"
+ }
+ env {
+ name = "POSTGRES_PASSWORD"
+ value = var.tandoor_database_password
+ }
+ env {
+ name = "TANDOOR_PORT"
+ value = 8080
+ }
+ env {
+ name = "ENABLE_SIGNUP"
+ value = 1
+ }
+ env {
+ name = "ALLOWED_HOSTS"
+ value = "tandoor.viktorbarzin.me"
+ }
+ env {
+ name = "POSTGRES_DB"
+ value = "tandoor"
+ }
+ env {
+ name = "EMAIL_HOST"
+ value = "mail.viktorbarzin.me"
+ }
+ env {
+ name = "EMAIL_HOST_USER"
+ value = "info@viktorbarzin.me"
+ }
+ env {
+ name = "EMAIL_HOST_PASSWORD"
+ value = var.tandoor_email_password
+ }
+ env {
+ name = "EMAIL_USE_TLS"
+ value = "1"
+ }
+ env {
+ name = "DEFAULT_FROM_EMAIL"
+ value = "info@viktorbarzin.me"
+ }
+ env {
+ name = "EMAIL_PORT"
+ value = 587
+ }
+ port {
+ name = "http"
+ container_port = 8080
+ protocol = "TCP"
+ }
+ volume_mount {
+ name = "data"
+ mount_path = "/opt/recipes/mediafiles"
+ }
+ volume_mount {
+ name = "data"
+ mount_path = "/opt/recipes/staticfiles"
+ }
+ }
+
+ volume {
+ name = "data"
+ nfs {
+ path = "/mnt/main/tandoor"
+ server = "10.0.10.15"
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "tandoor" {
+ metadata {
+ name = "tandoor"
+ namespace = "tandoor"
+ labels = {
+ "app" = "tandoor"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "tandoor"
+ }
+ port {
+ port = 80
+ target_port = 8080
+ }
+ }
+}
+
+module "ingress" {
+ source = "../ingress_factory"
+ namespace = "tandoor"
+ name = "tandoor"
+ tls_secret_name = var.tls_secret_name
+}
diff --git a/terraform.tfstate b/terraform.tfstate
index ca2f4641..dffeacd4 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index 632ddfb1..fa3fe417 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
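Review bot: `POSTGRES_PASSWORD`, `EMAIL_HOST_PASSWORD` and the derived `SECRET_KEY` are set as literal `env { value = ... }` entries in `kubernetes_deployment.tandoor`, so they sit in clear text in the pod spec and are readable by anyone who can read Deployments or Pods in the namespace; moving them into a `kubernetes_secret` and referencing it with `value_from { secret_key_ref { ... } }` puts them behind Secret RBAC instead. `ENABLE_SIGNUP` is set to `1` while the `module "ingress"` call leaves `protected` at the factory's default, which publishes open self-registration on `tandoor.viktorbarzin.me`; either pass `protected = true` or set signup to `0` and document why it is open. `image = "vabene1111/recipes"` has no tag or digest, so which version runs depends on what each node has cached, and pinning a tag (ideally a digest) makes rollouts reproducible. Both `volume_mount` blocks reference the same `data` volume without a `sub_path`, so `/opt/recipes/mediafiles` and `/opt/recipes/staticfiles` resolve to the same NFS directory; adding `sub_path = "mediafiles"` and `sub_path = "staticfiles"` keeps them apart.
```hcl
resource "kubernetes_secret" "tandoor" {
  metadata {
    name      = "tandoor"
    namespace = "tandoor"
  }
  data = {
    SECRET_KEY          = base64encode(random_password.secret_key.result)
    POSTGRES_PASSWORD   = var.tandoor_database_password
    EMAIL_HOST_PASSWORD = var.tandoor_email_password
  }
}

# … unchanged: kubernetes_deployment metadata, spec, selector, template …
          env {
            name = "SECRET_KEY"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.tandoor.metadata[0].name
                key  = "SECRET_KEY"
              }
            }
          }
          # … same value_from shape for POSTGRES_PASSWORD and EMAIL_HOST_PASSWORD; remaining env entries unchanged …
```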