From ead57fe29b2eb29c61d06ac727056c33135af121 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 18 Aug 2024 18:14:17 +0000
Subject: [PATCH] add meshcentral and diun[ci skip]
---
 main.tf | 5 +
 modules/kubernetes/diun/main.tf | 9 +
 modules/kubernetes/main.tf | 9 +
 modules/kubernetes/meshcentral/main.tf | 173 ++++++++++++++++++
 .../monitoring/prometheus_chart_values.tpl | 2 +-
 5 files changed, 197 insertions(+), 1 deletion(-)
 create mode 100644 modules/kubernetes/meshcentral/main.tf
diff --git a/main.tf b/main.tf
index ed16d7d5..5f463516 100644
--- a/main.tf
+++ b/main.tf
@@ -70,6 +70,8 @@ variable "resume_database_url" {}
 variable "resume_redis_url" {}
 variable "frigate_valchedrym_camera_credentials" { default = "" }
 variable "paperless_db_password" {}
+variable "diun_nfty_token" {}
+variable "docker_config" {}
 variable "ansible_prefix" {
 default = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@@ -353,6 +355,9 @@ module "kubernetes_cluster" {
 technitium_password = var.technitium_password
 paperless_db_password = var.paperless_db_password
+
+ diun_nfty_token = var.diun_nfty_token
+ docker_config = var.docker_config
 }
diff --git a/modules/kubernetes/diun/main.tf b/modules/kubernetes/diun/main.tf
index 29f2616d..33244815 100644
--- a/modules/kubernetes/diun/main.tf
+++ b/modules/kubernetes/diun/main.tf
@@ -1,4 +1,6 @@
 variable "tls_secret_name" {}
+variable "diun_nfty_token" {}
+variable "docker_config" {}
 resource "kubernetes_namespace" "diun" {
 metadata {
@@ -28,6 +30,9 @@ resource "kubernetes_config_map" "docker-config" {
 }
 }
+ data = {
+ "config.json" = var.docker_config
+ }
 }
 resource "kubernetes_service_account" "diun" {
@@ -125,6 +130,10 @@ resource "kubernetes_deployment" "diun" {
 name = "DIUN_NOTIF_NTFY_TOPIC"
 value = "diun-updates"
 }
+ env {
+ name = "DIUN_NOTIF_NTFY_TOKEN"
+ value = var.diun_nfty_token
+ }
 env {
 name = "LOG_LEVEL"
 value = "debug" 
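Review bot: `variable "diun_nfty_token" {}` and `variable "docker_config" {}` are declared without `sensitive = true`, so a bearer token and a Docker client config (which normally carries registry credentials) will be echoed in plan and apply output and in any CI log that captures them; declare them as `variable "diun_nfty_token" { sensitive = true }` and `variable "docker_config" { sensitive = true }`. The same two declarations are repeated in modules/kubernetes/diun/main.tf (hunk @@ -1,4) and modules/kubernetes/main.tf (hunk @@ -57,6) and should carry the flag there too. Note that `sensitive` only redacts output; the values still land in state, so the state backend has to be treated as secret storage. The variable name also misspells the service as `nfty` while the env var it feeds is `DIUN_NOTIF_NTFY_TOKEN`; renaming it to `diun_ntfy_token` across the three files would avoid a confusing mismatch.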
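Review bot: `"config.json" = var.docker_config` places the Docker client config in a ConfigMap; if that file carries an `auths` section it is a registry credential, and ConfigMaps are not treated as secret by RBAC, backup tooling or audit rules the way Secrets are. Changing the resource line to `resource "kubernetes_secret" "docker-config" {` with the same `data` block keeps the mounted filename, and the volume that references it (outside this hunk, presumably via `config_map { name = ... }`) would then reference `secret { secret_name = ... }` instead. A short comment above the `data` block stating whether the config is expected to contain credentials at all would settle this, since a credential-free config could legitimately stay in a ConfigMap.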
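Review bot: `value = var.diun_nfty_token` writes the ntfy token as a literal into the Deployment manifest, where it is readable by anyone who can get deployments or pods in the namespace and is also stored in the Terraform plan and state next to the resource. Sourcing it from a Secret with `value_from { secret_key_ref { ... } }` keeps it out of the pod spec and lets it rotate without re-rendering the Deployment; the rest of the container block is outside this hunk, and the secret name and key below are constructed placeholders.

```hcl
env {
  name = "DIUN_NOTIF_NTFY_TOKEN"
  value_from {
    secret_key_ref {
      name = "diun-ntfy"   # constructed: a kubernetes_secret holding the token
      key  = "token"       # constructed: key within that secret
    }
  }
}
```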
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 82d335b6..212abde7 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -57,6 +57,8 @@ variable "resume_database_url" {}
 variable "resume_redis_url" {}
 variable "frigate_valchedrym_camera_credentials" { default = "" }
 variable "paperless_db_password" {}
+variable "diun_nfty_token" {}
+variable "docker_config" {}
 resource "null_resource" "core_services" {
 # List all the core modules that must be provisioned first
@@ -469,4 +471,11 @@ module "cyberchef" {
 module "diun" {
 source = "./diun"
 tls_secret_name = var.tls_secret_name
+ diun_nfty_token = var.diun_nfty_token
+ docker_config = var.docker_config
+}
+
+module "meshcentral" {
+ source = "./meshcentral"
+ tls_secret_name = var.tls_secret_name
 }
diff --git a/modules/kubernetes/meshcentral/main.tf b/modules/kubernetes/meshcentral/main.tf
new file mode 100644
index 00000000..b0be8eda
--- /dev/null
+++ b/modules/kubernetes/meshcentral/main.tf
@@ -0,0 +1,173 @@
+variable "tls_secret_name" {}
+
+resource "kubernetes_namespace" "meshcentral" {
+ metadata {
+ name = "meshcentral"
+ labels = {
+ "istio-injection" : "disabled"
+ }
+ }
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "meshcentral"
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "meshcentral" {
+ metadata {
+ name = "meshcentral"
+ namespace = "meshcentral"
+ labels = {
+ app = "meshcentral"
+ }
+ annotations = {
+ "reloader.stakater.com/search" = "true"
+ "meshcentral.enable" = "true"
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ type = "Recreate"
+ }
+ selector {
+ match_labels = {
+ app = "meshcentral"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "meshcentral"
+ }
+ }
+ spec {
+
+ container {
+ image = "typhonragewind/meshcentral:latest"
+ name = "meshcentral"
+ port {
+ name = "https"
+ container_port = 443
+ }
+ env {
+ name = "TZ"
+ value = "Europe/Sofia"
+ }
+ env {
+ name = "HOSTNAME"
+ value = "meshcentral.viktorbarzin.me"
+ }
+ env {
+ name = "REVERSE_PROXY"
+ value = "true"
+ }
+ env {
+ name = "ALLOW_NEW_ACCOUNTS"
+ value = "true"
+ }
+ env {
+ name = "WEBRTC"
+ value = "false"
+ }
+
+ volume_mount {
+ name = "data"
+ mount_path = "/opt/meshcentral/meshcentral-data"
+ }
+ volume_mount {
+ name = "files"
+ mount_path = "/opt/meshcentral/meshcentral-files"
+ }
+ volume_mount {
+ name = "backups"
+ mount_path = "/opt/meshcentral/meshcentral-backups"
+ }
+ }
+ volume {
+ name = "data"
+ nfs {
+ path = "/mnt/main/meshcentral/meshcentral-data"
+ server = "10.0.10.15"
+ }
+ }
+ volume {
+ name = "files"
+ nfs {
+ path = "/mnt/main/meshcentral/meshcentral-files"
+ server = "10.0.10.15"
+ }
+ }
+ volume {
+ name = "backups"
+ nfs {
+ path = "/mnt/main/meshcentral/meshcentral-backups"
+ server = "10.0.10.15"
+ }
+ }
+ }
+ }
+ }
+}
+
+
+resource "kubernetes_service" "meshcentral" {
+ metadata {
+ name = "meshcentral"
+ namespace = "meshcentral"
+ labels = {
+ "app" = 
"meshcentral"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "meshcentral"
+ }
+ port {
+ name = "https"
+ port = "443"
+ protocol = "TCP"
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "meshcentral" {
+ metadata {
+ name = "meshcentral"
+ namespace = "meshcentral"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/affinity" = "cookie"
+ "nginx.ingress.kubernetes.io/proxy-read-timeout" : "600s",
+ "nginx.ingress.kubernetes.io/proxy-send-timeout" : "600s",
+ "nginx.ingress.kubernetes.io/proxy-connect-timeout" : "600s"
+ # "nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["meshcentral.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "meshcentral.viktorbarzin.me"
+ http {
+ path {
+ path = "/"
+ backend {
+ service {
+ name = "meshcentral"
+ port {
+ number = 443
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/kubernetes/monitoring/prometheus_chart_values.tpl b/modules/kubernetes/monitoring/prometheus_chart_values.tpl
index fff54f7b..b0950b63 100644
--- a/modules/kubernetes/monitoring/prometheus_chart_values.tpl
+++ b/modules/kubernetes/monitoring/prometheus_chart_values.tpl
@@ -74,7 +74,7 @@ server:
 # enabled: false
 existingClaim: prometheus-iscsi-pvc
 # storageClass: rook-cephfs
- retention: "8w" # ~70GB storage
+ retention: "4w"
 strategy:
 type: Recreate
 baseURL: "https://prometheus.viktorbarzin.me"
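Review bot: `ALLOW_NEW_ACCOUNTS` is set to `"true"` on a MeshCentral server that the ingress in the same file publishes at meshcentral.viktorbarzin.me, so anyone who can reach that host can self-register on a remote-management console; set `value = "false"` once the first administrator account exists, or put a comment above that env block stating that it is a bootstrap setting to be flipped after first login. `image = "typhonragewind/meshcentral:latest"` is a mutable tag, so each Recreate rollout may pull a different build; pinning a version tag or digest makes the deployment reproducible and is what the diun module added in this commit is meant to help track. The `backend-protocol` annotation is commented out while the container port is named `https` and exposed as 443, so nginx will proxy plain HTTP to port 443 unless the image serves HTTP when `REVERSE_PROXY` is `"true"`; that assumption is worth confirming and recording in a comment next to the commented annotation.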