diff --git a/apps/gitea/index.yaml b/apps/gitea/index.yaml index 4634fc7..e0ae672 100644 --- a/apps/gitea/index.yaml +++ b/apps/gitea/index.yaml @@ -9,15 +9,35 @@ metadata: A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. options: - volume: - default: - size: 10Gi + ingress-class: + default: traefik examples: - - size: 10Gi + - traefik + type: string + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + release: + default: 8.3.0 + examples: + - 8.3.0 + type: string + webhook: + default: + allowed-hosts: private + skip-tls-verify: false + examples: + - allowed-hosts: private + skip-tls-verify: false properties: - size: - default: 10Gi + allowed-hosts: + default: private type: string + skip-tls-verify: + default: false + type: boolean type: object postgres: default: 
@@ -39,16 +59,91 @@ options: default: '14' type: string type: object - disable-registration: - default: true + sub-domain: + default: git examples: - - true - type: boolean + - git + type: string + replicas: + default: 1 + examples: + - 1 + type: integer + admin: + default: + email: git-admin@git.your_company.com + name: gitea_admin + examples: + - email: git-admin@git.your_company.com + name: gitea_admin + properties: + email: + default: git-admin@git.your_company.com + type: string + name: + default: gitea_admin + type: string + type: object + timezone: + default: Europe/Paris + examples: + - Europe/Paris + type: string + ssh-port: + default: 2222 + examples: + - 2222 + type: integer domain: default: your-company examples: - your-company type: string + default-branch: + default: main + examples: + - main + type: string + theme: + default: gitea-modern + examples: + - gitea-modern + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + push-create: + default: + org: 'true' + private: 'false' + user: 'true' + examples: + - org: 'true' + private: 'false' + user: 'true' + properties: + org: + default: 'true' + type: string + private: + default: 'false' + type: string + user: + default: 'true' + type: string + type: object + volume: + default: + size: 10Gi + examples: + - size: 10Gi + properties: + size: + default: 10Gi + type: string + type: object images: default: gitea: @@ -112,16 +207,21 @@ options: type: string type: object type: object - sub-domain: - default: git + disable-registration: + default: true examples: - - git - type: string - ssh-port: - default: 2222 + - true + type: boolean + load-balancer: + default: + ip: '' examples: - - 2222 - type: integer + - ip: '' + properties: + ip: + default: '' + type: string + type: object backups: default: enable: false 
@@ -228,106 +328,6 @@ options: default: false type: boolean type: object - push-create: - default: - org: 'true' - private: 'false' - user: 'true' - examples: - - org: 'true' - private: 'false' - user: 'true' - properties: - org: - default: 'true' - type: string - private: - default: 'false' - type: string - user: - default: 'true' - type: string - type: object - load-balancer: - default: - ip: '' - examples: - - ip: '' - properties: - ip: - default: '' - type: string - type: object - admin: - default: - email: git-admin@git.your_company.com - name: gitea_admin - examples: - - email: git-admin@git.your_company.com - name: gitea_admin - properties: - email: - default: git-admin@git.your_company.com - type: string - name: - default: gitea_admin - type: string - type: object - ingress-class: - default: traefik - examples: - - traefik - type: string - timezone: - default: Europe/Paris - examples: - - Europe/Paris - type: string - replicas: - default: 1 - examples: - - 1 - type: integer - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - default-branch: - default: main - examples: - - main - type: string - release: - default: 8.3.0 - examples: - - 8.3.0 - type: string - webhook: - default: - allowed-hosts: private - skip-tls-verify: false - examples: - - allowed-hosts: private - skip-tls-verify: false - properties: - allowed-hosts: - default: private - type: string - skip-tls-verify: - default: false - type: boolean - type: object - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - theme: - default: gitea-modern - examples: - - gitea-modern - type: string dependencies: - dist: null category: share diff --git a/apps/gitea/ldap.tf b/apps/gitea/ldap.tf index 64f0d4f..68aaffc 100644 --- a/apps/gitea/ldap.tf +++ b/apps/gitea/ldap.tf 
@@ -1,5 +1,7 @@ locals { + app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) + main-group = format("app-%s", local.app-name) base-dn = format("dc=%s", join(",dc=", split(".", format("%s.%s", var.sub-domain, var.domain-name)))) base-group-dn = format("ou=groups,%s", local.base-dn) base-user-dn = format("ou=users,%s", local.base-dn) @@ -87,7 +89,8 @@ resource "authentik_application" "gitea_application" { } resource "authentik_group" "gitea_users" { - name = "gitea_users" + name = local.main-group + attributes = jsonencode({"${local.app-name}" = true}) } data "authentik_group" "vynil-admin" { @@ -96,13 +99,22 @@ data "authentik_group" "vynil-admin" { } resource "authentik_group" "gitea_admin" { - name = "gitea_admin" + name = format("admin-%s", local.app-name) parent = authentik_group.gitea_users.id + attributes = jsonencode({"${local.app-name}" = true}) +} + +resource "authentik_policy_expression" "policy" { + name = local.main-group + expression = <<-EOF + attr = request.user.group_attributes() + return attr['${local.app-name}'] if '${local.app-name}' in attr else False + EOF } resource "authentik_policy_binding" "gitea_access_users" { target = authentik_application.gitea_application.uuid - group = authentik_group.gitea_users.id + policy = authentik_policy_expression.policy.id order = 0 } resource "authentik_policy_binding" "gitea_access_vynil" { diff --git a/apps/nextcloud/application.tf b/apps/nextcloud/application.tf index d01878d..c3ad93e 100644 --- a/apps/nextcloud/application.tf +++ b/apps/nextcloud/application.tf 
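Review bot: The two new locals at the top of `locals` encode a naming convention (`app-name` is `var.instance`, or `component-instance` when the two differ, and `main-group` is `app-<app-name>`) that is repeated verbatim in apps/nextcloud/application.tf and share/wildduck/application.tf without a comment saying what either value is for. A one-line comment above them would help the next reader: `# app-name identifies this deployment; main-group is the authentik group whose members are granted access to it`.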
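Review bot: In the new `authentik_policy_expression.policy`, `local.app-name` is spliced into the Python source inside single quotes, so a component or instance value containing `'` or a backslash would make the expression fail to parse at evaluation time; emitting the key as a JSON-encoded literal removes that dependency on the variables' contents: `return attr.get(${jsonencode(local.app-name)}, False) is True`. The `is True` additionally means a group attribute that someone set to a non-boolean value (a string, for instance) does not grant access, which is stricter than the current truthiness check on `attr['…']`. If `var.component` and `var.instance` are already constrained to DNS-label characters by a `validation` block outside the hunk, the quoting point is only robustness. The same expression appears in apps/nextcloud/application.tf and share/wildduck/application.tf. The `gitea_access_vynil` binding at the end of the hunk continues past it.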
@@ -1,12 +1,13 @@ +locals { + app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) + main-group = format("app-%s", local.app-name) +} data "authentik_group" "akadmin" { name = "authentik Admins" } resource "authentik_group" "groups" { - name = "nextcloud-users" -} -data "authentik_group" "readed_groups" { - depends_on = [ authentik_group.groups ] - name = "nextcloud-users" + name = local.main-group + attributes = jsonencode({"${local.app-name}" = true}) } resource "authentik_application" "prj_app" { @@ -17,9 +18,17 @@ resource "authentik_application" "prj_app" { meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "apps/theming/favicon") } +resource "authentik_policy_expression" "policy" { + name = local.main-group + expression = <<-EOF + attr = request.user.group_attributes() + return attr['${local.app-name}'] if '${local.app-name}' in attr else False + EOF +} + resource "authentik_policy_binding" "prj_access_users" { target = authentik_application.prj_app.uuid - group = authentik_group.groups.id + policy = authentik_policy_expression.policy.id order = 0 } resource "authentik_policy_binding" "prj_access_vynil" { diff --git a/apps/nextcloud/index.yaml b/apps/nextcloud/index.yaml index 1fcc499..cdde54a 100644 --- a/apps/nextcloud/index.yaml +++ b/apps/nextcloud/index.yaml 
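Review bot: The `data "authentik_group" "readed_groups"` lookup is removed together with the group-bound binding; if anything outside this hunk (a provider, property or scope mapping, for instance) still references `data.authentik_group.readed_groups`, `terraform plan` will now fail, so the rest of the module is worth a grep before merge. Renaming `authentik_group.groups` from `nextcloud-users` to `local.main-group` is an in-place update only if the provider treats `name` as updatable; if it forces replacement, current members of `nextcloud-users` are dropped and lose access until re-added, and I cannot tell from here which applies. share/wildduck/application.tf makes the identical change for `mail-users` and has the same two questions.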
@@ -6,36 +6,207 @@ metadata: name: nextcloud description: null options: + apps: + default: + audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true + examples: + - audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true + properties: + audioplayer: + default: false + type: boolean + bookmarks: + default: false + type: boolean + bpm: + default: false + type: boolean + calendar: + default: false + type: boolean + collabora: + default: false + type: boolean + contacts: + default: false + type: boolean + deck: + default: false + type: boolean + groupfolders: + default: true + type: boolean + mindmap: + default: false + type: boolean + music: + default: false + type: boolean + notes: + default: false + type: boolean + onlyoffice: + default: false + type: boolean + passman: + default: false + type: boolean + spreed: + default: false + type: boolean + tables: + default: false + type: boolean + tasks: + default: false + type: boolean + texteditor: + default: true + type: boolean + type: object openid-name: default: vynil examples: - vynil type: string - postgres: + backups: default: - replicas: 1 - storage: 5Gi - version: '14' + enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 30 3 * * * + check: 30 5 * * 1 + db: 30 3 * * * + prune: 30 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + use-barman: false examples: - - replicas: 1 - storage: 5Gi - version: '14' + 
- enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 30 3 * * * + check: 30 5 * * 1 + db: 30 3 * * * + prune: 30 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + use-barman: false properties: - replicas: - default: 1 - type: integer - storage: - default: 5Gi + enable: + default: false + type: boolean + endpoint: + default: '' type: string - version: - default: '14' + key-id-key: + default: s3-id type: string + restic-key: + default: bck-password + type: string + retention: + default: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + properties: + db: + default: 30d + type: string + keepDaily: + default: 14 + type: integer + keepMonthly: + default: 12 + type: integer + keepWeekly: + default: 6 + type: integer + keepYearly: + default: 12 + type: integer + type: object + schedule: + default: + backup: 30 3 * * * + check: 30 5 * * 1 + db: 30 3 * * * + prune: 30 1 * * 0 + properties: + backup: + default: 30 3 * * * + type: string + check: + default: 30 5 * * 1 + type: string + db: + default: 30 3 * * * + type: string + prune: + default: 30 1 * * 0 + type: string + type: object + secret-key: + default: s3-secret + type: string + secret-name: + default: backup-settings + type: string + use-barman: + default: false + type: boolean type: object - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string images: default: collabora: 
@@ -199,111 +370,6 @@ options: type: string type: object type: object - domain: - default: your-company - examples: - - your-company - type: string - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - apps: - default: - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - examples: - - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - properties: - audioplayer: - default: false - type: boolean - bookmarks: - default: false - type: boolean - bpm: - default: false - type: boolean - calendar: - default: false - type: boolean - collabora: - default: false - type: boolean - contacts: - default: false - type: boolean - deck: - default: false - type: boolean - groupfolders: - default: true - type: boolean - mindmap: - default: false - type: boolean - music: - default: false - type: boolean - notes: - default: false - type: boolean - onlyoffice: - default: false - type: boolean - passman: - default: false - type: boolean - spreed: - default: false - type: boolean - tables: - default: false - type: boolean - tasks: - default: false - type: boolean - texteditor: - default: true - type: boolean - type: object hpa: default: avg-cpu: 50 
@@ -324,145 +390,10 @@ options: default: 1 type: integer type: object - backups: - default: - enable: false - endpoint: '' - key-id-key: s3-id - restic-key: bck-password - retention: - db: 30d - keepDaily: 14 - keepMonthly: 12 - keepWeekly: 6 - keepYearly: 12 - schedule: - backup: 30 3 * * * - check: 30 5 * * 1 - db: 30 3 * * * - prune: 30 1 * * 0 - secret-key: s3-secret - secret-name: backup-settings - use-barman: false + domain-name: + default: your_company.com examples: - - enable: false - endpoint: '' - key-id-key: s3-id - restic-key: bck-password - retention: - db: 30d - keepDaily: 14 - keepMonthly: 12 - keepWeekly: 6 - keepYearly: 12 - schedule: - backup: 30 3 * * * - check: 30 5 * * 1 - db: 30 3 * * * - prune: 30 1 * * 0 - secret-key: s3-secret - secret-name: backup-settings - use-barman: false - properties: - enable: - default: false - type: boolean - endpoint: - default: '' - type: string - key-id-key: - default: s3-id - type: string - restic-key: - default: bck-password - type: string - retention: - default: - db: 30d - keepDaily: 14 - keepMonthly: 12 - keepWeekly: 6 - keepYearly: 12 - properties: - db: - default: 30d - type: string - keepDaily: - default: 14 - type: integer - keepMonthly: - default: 12 - type: integer - keepWeekly: - default: 6 - type: integer - keepYearly: - default: 12 - type: integer - type: object - schedule: - default: - backup: 30 3 * * * - check: 30 5 * * 1 - db: 30 3 * * * - prune: 30 1 * * 0 - properties: - backup: - default: 30 3 * * * - type: string - check: - default: 30 5 * * 1 - type: string - db: - default: 30 3 * * * - type: string - prune: - default: 30 1 * * 0 - type: string - type: object - secret-key: - default: s3-secret - type: string - secret-name: - default: backup-settings - type: string - use-barman: - default: false - type: boolean - type: object - admin: - default: - name: nextcloud_admin - examples: - - name: nextcloud_admin - properties: - name: - default: nextcloud_admin - type: string - type: object - 
storage: - default: - accessMode: ReadWriteOnce - size: 10Gi - examples: - - accessMode: ReadWriteOnce - size: 10Gi - properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 10Gi - type: string - type: object - sub-domain: - default: files - examples: - - files + - your_company.com type: string redis: default: @@ -497,6 +428,75 @@ options: default: 2Gi type: string type: object + ingress-class: + default: traefik + examples: + - traefik + type: string + sub-domain: + default: files + examples: + - files + type: string + domain: + default: your-company + examples: + - your-company + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + postgres: + default: + replicas: 1 + storage: 5Gi + version: '14' + examples: + - replicas: 1 + storage: 5Gi + version: '14' + properties: + replicas: + default: 1 + type: integer + storage: + default: 5Gi + type: string + version: + default: '14' + type: string + type: object + storage: + default: + accessMode: ReadWriteOnce + size: 10Gi + examples: + - accessMode: ReadWriteOnce + size: 10Gi + properties: + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany + type: string + size: + default: 10Gi + type: string + type: object + admin: + default: + name: nextcloud_admin + examples: + - name: nextcloud_admin + properties: + name: + default: nextcloud_admin + type: string + type: object dependencies: - dist: null category: share diff --git a/share/wildduck/application.tf b/share/wildduck/application.tf index 7bed5ed..6fd11d6 100644 --- a/share/wildduck/application.tf +++ b/share/wildduck/application.tf 
@@ -1,12 +1,13 @@ +locals { + app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) + main-group = format("app-%s", local.app-name) +} data "authentik_group" "akadmin" { name = "authentik Admins" } resource "authentik_group" "groups" { - name = "mail-users" -} -data "authentik_group" "readed_groups" { - depends_on = [ authentik_group.groups ] - name = "mail-users" + name = local.main-group + attributes = jsonencode({"${local.app-name}" = true}) } resource "authentik_application" "prj_app" { @@ -18,9 +19,17 @@ resource "authentik_application" "prj_app" { meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "favicon-32x32.png") } +resource "authentik_policy_expression" "policy" { + name = local.main-group + expression = <<-EOF + attr = request.user.group_attributes() + return attr['${local.app-name}'] if '${local.app-name}' in attr else False + EOF +} + resource "authentik_policy_binding" "prj_access_users" { target = authentik_application.prj_app.uuid - group = authentik_group.groups.id + policy = authentik_policy_expression.policy.id order = 0 } resource "authentik_policy_binding" "prj_access_vynil" { diff --git a/share/wildduck/index.yaml b/share/wildduck/index.yaml index f3a4fcf..7fac2f9 100644 --- a/share/wildduck/index.yaml +++ b/share/wildduck/index.yaml @@ -6,10 +6,15 @@ metadata: name: wildduck description: null options: - issuer: - default: letsencrypt-prod + domain-name: + default: your_company.com examples: - - letsencrypt-prod + - your_company.com + type: string + domain: + default: your-company + examples: + - your-company type: string redis: default: @@ -44,11 +49,11 @@ options: default: 2Gi type: string type: object - domain: - default: your-company - examples: - - your-company - type: string + additional-domains: + default: [] + items: + type: string + type: array backups: default: enable: false 
@@ -79,26 +84,6 @@ options: default: backup-settings type: string type: object - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - sub-domain: - default: mail - examples: - - mail - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - additional-domains: - default: [] - items: - type: string - type: array images: default: haraka: @@ -308,6 +293,21 @@ options: type: string type: object type: object + sub-domain: + default: mail + examples: + - mail + type: string + ingress-class: + default: traefik + examples: + - traefik + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string dependencies: - dist: null category: dbo