2023-07-26 12:48:42 +02:00
parent e715cdf9af
commit 4a2e811efc
14 changed files with 715 additions and 194 deletions

39
apps/nextcloud/configs.tf Normal file

@@ -0,0 +1,39 @@
locals {
script-head = <<-EOF
#!/bin/bash
export user=www-data
run_as() {
if [ "$(id -u)" = 0 ]; then
su -p "$user" -s /bin/sh -c "$*"
else
sh -c "$*"
fi
}
cp /etc/local-ca/ca.crt /usr/local/share/ca-certificates/
update-ca-certificate
run_as ./occ app:install user_oidc ||:
run_as ./occ user_oidc:provider "$${OAUTH2_CONNECTOR_NAME}" --clientid="$${OAUTH2_CLIENT_ID}" \
--clientsecret="$${OAUTH2_CLIENT_SECRET}" \
--discoveryuri="$${OAUTH2_DISCOVER_URI}"
EOF
script-apps = concat(
var.apps.deck?["run_as ./occ app:install deck ||:"]:[],
var.apps.calendar?["run_as ./occ app:install calendar ||:"]:[],
var.apps.contacts?["run_as ./occ app:install contacts ||:"]:[],
var.apps.groupfolders?["run_as ./occ app:install groupfolders ||:"]:[],
var.apps.notes?["run_as ./occ app:install notes ||:"]:[],
var.apps.tasks?["run_as ./occ app:install tasks ||:"]:[],
var.apps.spreed?["run_as ./occ app:install spreed ||:"]:[])
}
resource "kubectl_manifest" "nextcloud-config" {
yaml_body = <<-EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: "${var.component}-${var.instance}-init"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
data: ${jsonencode({ "autostart.sh" = join("\n", concat([local.script-head],local.script-apps))})}
EOF
}
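Review bot: `update-ca-certificate` on the line after the `cp` into `/usr/local/share/ca-certificates/` is not the Debian command; it is `update-ca-certificates`, and because the script has no `set -e` the copied CA is never added to the trust store and the failure only shows up in the container log. The `run_as` helper also expands `$${OAUTH2_CLIENT_ID}` and `$${OAUTH2_CLIENT_SECRET}` in the outer shell and hands the values to `su … -c "$*"` as a command string, which exposes the client secret in the process list and re-parses it as shell syntax, so a secret containing quotes or `$` breaks the command. Since `su -p` preserves the environment, pass the command with the variables unexpanded, e.g. `run_as './occ user_oidc:provider "$OAUTH2_CONNECTOR_NAME" --clientid="$OAUTH2_CLIENT_ID" --clientsecret="$OAUTH2_CLIENT_SECRET" --discoveryuri="$OAUTH2_DISCOVER_URI"'`, and let the inner shell expand them. A header comment such as `# runs once before Nextcloud starts: trust the local CA, then register the OIDC provider and optional apps` would also help the next reader of the ConfigMap.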


@@ -11,6 +11,20 @@ locals {
}
}
data "kubernetes_secret_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
data "kustomization_overlay" "data" {
namespace = var.namespace
common_labels = local.common-labels
@@ -37,6 +51,9 @@ data "kustomization_overlay" "data" {
- name: certs
secret:
secretName: "${var.instance}-cert"
- name: config
configMap:
name: ${kubectl_manifest.nextcloud-config.name}
containers:
- name: nextcloud
image: "${var.images.nextcloud.registry}/${var.images.nextcloud.repository}:${var.images.nextcloud.tag}"
@@ -60,12 +77,30 @@ data "kustomization_overlay" "data" {
value: "${var.instance}-${var.component}-redis.${var.namespace}.svc"
- name: REDIS_HOST_PORT
value: "6379"
- name: OAUTH2_CONNECTOR_NAME
value: "${var.openid-name}"
- name: OAUTH2_DISCOVER_URI
value: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/.well-known/openid-configuration"
- name: OAUTH2_CLIENT_ID
valueFrom:
secretKeyRef:
name: "${var.component}-${var.instance}-id"
key: client-id
- name: OAUTH2_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: "${var.component}-${var.instance}-secret"
key: client-secret
resources:
{}
volumeMounts:
- name: certs
mountPath: /etc/local-ca
readOnly: true
- name: config
mountPath: "/docker-entrypoint-hooks.d/before-starting/autostart.sh"
subPath: "autostart.sh"
- name: nextcloud-nginx
image: "${var.images.nginx.registry}/${var.images.nginx.repository}:${var.images.nginx.tag}"
imagePullPolicy: "${var.images.nginx.pullPolicy}"
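Review bot: `data "kubernetes_secret_v1" "authentik"` in the first hunk reads the whole `authentik` Secret from the `${var.domain}-auth` namespace into Terraform state, yet nothing in this diff references it (only the ingress data source is used, for the OAUTH2_DISCOVER_URI host); unless a later part of the module consumes it, drop it so state does not carry a copy of that secret. The discovery URI built in the third hunk ends in `/application/o/${var.component}-${var.instance}/.well-known/openid-configuration`, where the path segment is an authentik application slug, but the commit only shows an `authentik_provider_oauth2` with that name and no `authentik_application` with that slug, so it is worth confirming the application exists or discovery will fail. `spec[0].rule[0].host` also silently assumes the authentik ingress has exactly one host rule; a comment such as `# authentik ingress is expected to expose a single host rule` would make that dependency explicit.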


@@ -6,16 +6,6 @@ metadata:
name: nextcloud
description: null
options:
sub-domain:
default: cloud
examples:
- cloud
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
storage:
default:
accessMode: ReadWriteOnce
@@ -35,6 +25,16 @@ options:
default: 10Gi
type: string
type: object
openid-name:
default: vynil
examples:
- vynil
type: string
domain:
default: your-company
examples:
- your-company
type: string
images:
default:
exporter:
@@ -138,6 +138,21 @@ options:
type: string
type: object
type: object
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
hpa:
default:
avg-cpu: 50
@@ -158,51 +173,6 @@ options:
default: 1
type: integer
type: object
postgres:
default:
replicas: 1
storage: 5Gi
version: '14'
examples:
- replicas: 1
storage: 5Gi
version: '14'
properties:
replicas:
default: 1
type: integer
storage:
default: 5Gi
type: string
version:
default: '14'
type: string
type: object
admin:
default:
name: nextcloud_admin
examples:
- name: nextcloud_admin
properties:
name:
default: nextcloud_admin
type: string
type: object
domain:
default: your-company
examples:
- your-company
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
redis:
default:
exporter:
@@ -236,6 +206,81 @@ options:
default: 2Gi
type: string
type: object
sub-domain:
default: cloud
examples:
- cloud
type: string
admin:
default:
name: nextcloud_admin
examples:
- name: nextcloud_admin
properties:
name:
default: nextcloud_admin
type: string
type: object
apps:
default:
calendar: false
contacts: false
deck: false
groupfolders: true
notes: false
spreed: false
tasks: false
examples:
- calendar: false
contacts: false
deck: false
groupfolders: true
notes: false
spreed: false
tasks: false
properties:
calendar:
default: false
type: boolean
contacts:
default: false
type: boolean
deck:
default: false
type: boolean
groupfolders:
default: true
type: boolean
notes:
default: false
type: boolean
spreed:
default: false
type: boolean
tasks:
default: false
type: boolean
type: object
postgres:
default:
replicas: 1
storage: 5Gi
version: '14'
examples:
- replicas: 1
storage: 5Gi
version: '14'
properties:
replicas:
default: 1
type: integer
storage:
default: 5Gi
type: string
version:
default: '14'
type: string
type: object
dependencies: []
providers:
kubernetes: true
@@ -244,3 +289,4 @@ providers:
postgresql: null
restapi: null
http: null
tfaddtype: null

60
apps/nextcloud/oauth2.tf Normal file

@@ -0,0 +1,60 @@
resource "kubectl_manifest" "oauth2-secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.component}-${var.instance}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.gitea_ldap]
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
}
}
data "authentik_scope_mapping" "oauth2" {
managed_list = [
"goauthentik.io/providers/oauth2/scope-email",
"goauthentik.io/providers/oauth2/scope-openid",
"goauthentik.io/providers/oauth2/scope-profile"
]
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
resource "authentik_provider_oauth2" "oauth2" {
name = "${var.component}-${var.instance}"
client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}"
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
client_type = "confidential"
sub_mode = "user_username"
property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [
"https://${local.dns-name}/apps/user_oidc/code"
]
}
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${var.component}-${var.instance}-secret"
namespace = var.namespace
}
data = {
client-secret = authentik_provider_oauth2.oauth2.client_secret
}
}
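Review bot: `depends_on = [kubectl_manifest.gitea_ldap]` in `data "kubernetes_secret_v1" "oauth2-client-id"` points at a Gitea resource that this Nextcloud module does not define anywhere in the diff; unless it exists elsewhere in the module this fails validation, and it reads like a leftover from the Gitea app, so remove it (the `name = kubectl_manifest.oauth2-secret.name` reference already orders the read after the StringSecret). Even then, the `StringSecret` CR being applied does not mean the operator has produced the backing `Secret` yet, so the `client-id` read can race on a first apply; a wait or retry before the data source is worth considering. `kubernetes_secret_v1.oauth2-client-secret` writes the authentik-generated `client_secret` into Terraform state as well as the cluster, so the state backend has to be protected as holding that credential; a comment on the resource noting this would be useful.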


@@ -1,5 +1,5 @@
resource "kubectl_manifest" "gitea_secret" {
resource "kubectl_manifest" "prj_secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"