add meshcentral and diun[ci skip]

2024-08-18 18:14:17 +00:00 · 2024-08-18 18:14:17 +00:00 · b54fbf72fd
commit b54fbf72fd
parent 64ba541412
7 changed files with 197 additions and 1 deletions
--- a/main.tf
+++ b/main.tf
@ -70,6 +70,8 @@ variable "resume_database_url" {}
 variable "resume_redis_url" {}
 variable "frigate_valchedrym_camera_credentials" { default = "" }
 variable "paperless_db_password" {}
+variable "diun_nfty_token" {}
+variable "docker_config" {}

 variable "ansible_prefix" {
  default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@ -353,6 +355,9 @@ module "kubernetes_cluster" {
  technitium_password = var.technitium_password

  paperless_db_password = var.paperless_db_password
+
+  diun_nfty_token = var.diun_nfty_token
+  docker_config   = var.docker_config
 }


--- a/modules/kubernetes/diun/main.tf
+++ b/modules/kubernetes/diun/main.tf
@ -1,4 +1,6 @@
 variable "tls_secret_name" {}
+variable "diun_nfty_token" {}
+variable "docker_config" {}

 resource "kubernetes_namespace" "diun" {
  metadata {
@ -28,6 +30,9 @@ resource "kubernetes_config_map" "docker-config" {
    }
  }

+  data = {
+    "config.json" = var.docker_config
+  }
 }

 resource "kubernetes_service_account" "diun" {
@ -125,6 +130,10 @@ resource "kubernetes_deployment" "diun" {
            name  = "DIUN_NOTIF_NTFY_TOPIC"
            value = "diun-updates"
          }
+          env {
+            name  = "DIUN_NOTIF_NTFY_TOKEN"
+            value = var.diun_nfty_token
+          }
          env {
            name  = "LOG_LEVEL"
            value = "debug"
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -57,6 +57,8 @@ variable "resume_database_url" {}
 variable "resume_redis_url" {}
 variable "frigate_valchedrym_camera_credentials" { default = "" }
 variable "paperless_db_password" {}
+variable "diun_nfty_token" {}
+variable "docker_config" {}

 resource "null_resource" "core_services" {
  # List all the core modules that must be provisioned first
@ -469,4 +471,11 @@ module "cyberchef" {
 module "diun" {
  source          = "./diun"
  tls_secret_name = var.tls_secret_name
+  diun_nfty_token = var.diun_nfty_token
+  docker_config   = var.docker_config
+}
+
+module "meshcentral" {
+  source          = "./meshcentral"
+  tls_secret_name = var.tls_secret_name
 }
--- a/modules/kubernetes/meshcentral/main.tf
+++ b/modules/kubernetes/meshcentral/main.tf
@ -0,0 +1,173 @@
+variable "tls_secret_name" {}
+
+resource "kubernetes_namespace" "meshcentral" {
+  metadata {
+    name = "meshcentral"
+    labels = {
+      "istio-injection" : "disabled"
+    }
+  }
+}
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "meshcentral"
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "meshcentral" {
+  metadata {
+    name      = "meshcentral"
+    namespace = "meshcentral"
+    labels = {
+      app = "meshcentral"
+    }
+    annotations = {
+      "reloader.stakater.com/search" = "true"
+      "meshcentral.enable"           = "true"
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "Recreate"
+    }
+    selector {
+      match_labels = {
+        app = "meshcentral"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "meshcentral"
+        }
+      }
+      spec {
+
+        container {
+          image = "typhonragewind/meshcentral:latest"
+          name  = "meshcentral"
+          port {
+            name           = "https"
+            container_port = 443
+          }
+          env {
+            name  = "TZ"
+            value = "Europe/Sofia"
+          }
+          env {
+            name  = "HOSTNAME"
+            value = "meshcentral.viktorbarzin.me"
+          }
+          env {
+            name  = "REVERSE_PROXY"
+            value = "true"
+          }
+          env {
+            name  = "ALLOW_NEW_ACCOUNTS"
+            value = "true"
+          }
+          env {
+            name  = "WEBRTC"
+            value = "false"
+          }
+
+          volume_mount {
+            name       = "data"
+            mount_path = "/opt/meshcentral/meshcentral-data"
+          }
+          volume_mount {
+            name       = "files"
+            mount_path = "/opt/meshcentral/meshcentral-files"
+          }
+          volume_mount {
+            name       = "backups"
+            mount_path = "/opt/meshcentral/meshcentral-backups"
+          }
+        }
+        volume {
+          name = "data"
+          nfs {
+            path   = "/mnt/main/meshcentral/meshcentral-data"
+            server = "10.0.10.15"
+          }
+        }
+        volume {
+          name = "files"
+          nfs {
+            path   = "/mnt/main/meshcentral/meshcentral-files"
+            server = "10.0.10.15"
+          }
+        }
+        volume {
+          name = "backups"
+          nfs {
+            path   = "/mnt/main/meshcentral/meshcentral-backups"
+            server = "10.0.10.15"
+          }
+        }
+      }
+    }
+  }
+}
+
+
+resource "kubernetes_service" "meshcentral" {
+  metadata {
+    name      = "meshcentral"
+    namespace = "meshcentral"
+    labels = {
+      "app" = "meshcentral"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "meshcentral"
+    }
+    port {
+      name     = "https"
+      port     = "443"
+      protocol = "TCP"
+    }
+  }
+}
+
+resource "kubernetes_ingress_v1" "meshcentral" {
+  metadata {
+    name      = "meshcentral"
+    namespace = "meshcentral"
+    annotations = {
+      "kubernetes.io/ingress.class"          = "nginx"
+      "nginx.ingress.kubernetes.io/affinity" = "cookie"
+      "nginx.ingress.kubernetes.io/proxy-read-timeout" : "600s",
+      "nginx.ingress.kubernetes.io/proxy-send-timeout" : "600s",
+      "nginx.ingress.kubernetes.io/proxy-connect-timeout" : "600s"
+      # "nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["meshcentral.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "meshcentral.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "meshcentral"
+              port {
+                number = 443
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/modules/kubernetes/monitoring/prometheus_chart_values.tpl
+++ b/modules/kubernetes/monitoring/prometheus_chart_values.tpl
@ -74,7 +74,7 @@ server:
    # enabled: false
    existingClaim: prometheus-iscsi-pvc
    # storageClass: rook-cephfs
-  retention: "8w" # ~70GB storage
+  retention: "4w"
  strategy:
    type: Recreate
  baseURL: "https://prometheus.viktorbarzin.me"
--- a/terraform.tfstate
+++ b/terraform.tfstate
--- a/terraform.tfvars
+++ b/terraform.tfvars