vynil/domain
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2024-01-25 18:35:22 +01:00
parent 0727fca591
commit 8c4348d215
97 changed files with 402 additions and 402 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
share/authentik-forward/index.yaml
View File

@@ -11,7 +11,7 @@ options:
examples:
- letsencrypt-prod
type: string
ingress-class:
ingress_class:
default: traefik
examples:
- traefik
@@ -21,12 +21,12 @@ options:
examples:
- your-company
type: string
domain-name:
domain_name:
default: your_company.com
examples:
- your_company.com
type: string
sub-domain:
sub_domain:
default: null
dependencies:
- dist: null

2
share/authentik/datas.tf
View File

@@ -46,7 +46,7 @@ data "kustomization_overlay" "data" {
"AUTHENTIK_POSTGRESQL__PORT=5432",
"AUTHENTIK_POSTGRESQL__USER=${var.component}",
"AUTHENTIK_REDIS__HOST=${var.name}-${var.component}-redis",
"AUTHENTIK_BOOTSTRAP_EMAIL=${var.admin.email}@${var.domain-name}",
"AUTHENTIK_BOOTSTRAP_EMAIL=${var.admin.email}@${var.domain_name}",
]
}
patches {

6
share/authentik/index.yaml
View File

@@ -115,7 +115,7 @@ options:
examples:
- letsencrypt-prod
type: string
ingress-class:
ingress_class:
default: traefik
examples:
- traefik
@@ -183,7 +183,7 @@ options:
default: 2023.8.3
type: string
type: object
domain-name:
domain_name:
default: your_company.com
examples:
- your_company.com
@@ -198,7 +198,7 @@ options:
default: auth-admin
type: string
type: object
sub-domain:
sub_domain:
default: auth
examples:
- auth

10
share/authentik/ingress.tf
View File

@@ -1,5 +1,5 @@
locals {
dns-names = ["${var.sub-domain}.${var.domain-name}"]
dns_names = ["${var.sub_domain}.${var.domain_name}"]
middlewares = ["${var.instance}-https"]
service = {
"name" = "${var.instance}"
@@ -7,7 +7,7 @@ locals {
"number" = 80
}
}
rules = [ for v in local.dns-names : {
rules = [ for v in local.dns_names : {
"host" = "${v}"
"http" = {
"paths" = [{
@@ -31,7 +31,7 @@ resource "kubectl_manifest" "prj_certificate" {
labels: ${jsonencode(local.common-labels)}
spec:
secretName: "${var.instance}-cert"
dnsNames: ${jsonencode(local.dns-names)}
dnsNames: ${jsonencode(local.dns_names)}
issuerRef:
name: "${var.issuer}"
kind: "ClusterIssuer"
@@ -66,10 +66,10 @@ resource "kubectl_manifest" "prj_ingress" {
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress-class}"
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules)}
tls:
- hosts: ${jsonencode(local.dns-names)}
- hosts: ${jsonencode(local.dns_names)}
secretName: "${var.instance}-cert"
EOF
}

6
share/authentik/redis.tf
View File

@@ -8,7 +8,7 @@ resource "kubectl_manifest" "authentik_redis" {
labels: ${jsonencode(local.common-labels)}
spec:
kubernetesConfig:
image: "${var.redis.image}"
image: "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
imagePullPolicy: "IfNotPresent"
redisSecret:
name: "${var.component}"
@@ -19,10 +19,10 @@ resource "kubectl_manifest" "authentik_redis" {
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: "${var.redis.storage}"
storage: "${var.storage.redis}"
redisExporter:
enabled: ${var.redis.exporter.enabled}
image: "${var.redis.exporter.image}"
image: "${var.images.redis_exporter.registry}/${var.images.redis_exporter.repository}:${var.images.redis_exporter.tag}"
securityContext:
runAsUser: 1000
fsGroup: 1000

26
share/dataset-pg/directus.tf
View File

@@ -5,7 +5,7 @@ locals {
"app.kubernetes.io/component" = "directus"
})
directus-icon = "admin/img/directus-white.png"
directus-dns-name = "directus.${local.dns-name}"
directus-dns_name = "directus.${local.dns_name}"
directus-service = {
"name" = "directus-${var.instance}"
"port" = {
@@ -45,15 +45,15 @@ resource "kubectl_manifest" "directus_config" {
DB_PORT: "5432"
STORAGE_LOCATIONS: "local"
STORAGE_LOCAL_ROOT: "/var/store"
ADMIN_EMAIL: "admin@${var.domain-name}"
ADMIN_EMAIL: "admin@${var.domain_name}"
NODE_EXTRA_CA_CERTS: "/etc/local-ca/ca.crt"
TELEMETRY: "false"
AUTH_PROVIDERS: "VYNIL"
AUTH_VYNIL_DRIVER: "openid"
AUTH_VYNIL_ALLOW_PUBLIC_REGISTRATION: "true"
AUTH_VYNIL_ISSUER_URL: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/directus-${replace(var.sub-domain, ".", "-")}-${var.instance}/.well-known/openid-configuration"
AUTH_VYNIL_ISSUER_URL: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/directus-${replace(var.sub_domain, ".", "-")}-${var.instance}/.well-known/openid-configuration"
AUTH_VYNIL_IDENTIFIER_KEY: "email"
PUBLIC_URL: "https://${local.directus-dns-name}"
PUBLIC_URL: "https://${local.directus-dns_name}"
EOF
}
@@ -133,12 +133,12 @@ resource "kubectl_manifest" "directus_deploy" {
valueFrom:
secretKeyRef:
key: "client-id"
name: "directus-${replace(var.sub-domain, ".", "-")}-${var.instance}-id"
name: "directus-${replace(var.sub_domain, ".", "-")}-${var.instance}-id"
- name: AUTH_VYNIL_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: "client-secret"
name: "directus-${replace(var.sub-domain, ".", "-")}-${var.instance}-secret"
name: "directus-${replace(var.sub_domain, ".", "-")}-${var.instance}-secret"
- name: DB_USER
valueFrom:
secretKeyRef:
@@ -216,9 +216,9 @@ module "directus-ingress" {
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
ingress_class = var.ingress_class
labels = local.directus-labels
dns-names = [local.directus-dns-name]
dns_names = [local.directus-dns_name]
create-redirect = true
middlewares = []
service = local.directus-service
@@ -230,10 +230,10 @@ module "directus-ingress" {
module "directus-application" {
count = var.extentions.directus.enable ? 1 : 0
source = "/dist/modules/application"
component = "directus-${replace(var.sub-domain, ".", "-")}"
component = "directus-${replace(var.sub_domain, ".", "-")}"
instance = var.instance
app-group = var.app-group
dns-name = local.directus-dns-name
app_group = var.app_group
dns_name = local.directus-dns_name
icon = local.directus-icon
protocol_provider = module.directus-oauth2[0].provider-id
providers = {
@@ -244,11 +244,11 @@ module "directus-application" {
module "directus-oauth2" {
count = var.extentions.directus.enable ? 1 : 0
source = "/dist/modules/oauth2"
component = "directus-${replace(var.sub-domain, ".", "-")}"
component = "directus-${replace(var.sub_domain, ".", "-")}"
instance = var.instance
namespace = var.namespace
labels = local.directus-labels
dns-name = local.directus-dns-name
dns_name = local.directus-dns_name
redirect-path = "auth/login/VYNIL/callback"
providers = {
kubernetes = kubernetes

8
share/dataset-pg/index.yaml
View File

@@ -65,17 +65,17 @@ options:
examples:
- your-company
type: string
sub-domain:
sub_domain:
default: dataset-pg
examples:
- dataset-pg
type: string
app-group:
app_group:
default: api
examples:
- api
type: string
domain-name:
domain_name:
default: your_company.com
examples:
- your_company.com
@@ -85,7 +85,7 @@ options:
examples:
- 8Gi
type: string
ingress-class:
ingress_class:
default: traefik
examples:
- traefik

2
share/dataset-pg/postgresql.tf
View File

@@ -1,5 +1,5 @@
locals {
dns-name = "${var.instance}.${var.sub-domain}.${var.domain-name}"
dns_name = "${var.instance}.${var.sub_domain}.${var.domain_name}"
pg-labels = merge(local.common-labels, {
"app.kubernetes.io/component" = "postgresql"
})

14
share/dataset-pg/postgrest.tf
View File

@@ -2,7 +2,7 @@ locals {
prest-labels = merge(local.common-labels, {
"app.kubernetes.io/component" = "postgrest"
})
prest-dns-name = "api.${local.dns-name}"
prest-dns_name = "api.${local.dns_name}"
prest-service = {
"name" = "postgrest-${var.instance}"
"port" = {
@@ -32,9 +32,9 @@ resource "kubectl_manifest" "postgrest_config" {
PGPORT: "5432"
PGRST_DB_SCHEMA: public
PGRST_DB_ANON_ROLE: anonymous
PGRST_OPENAPI_SERVER_PROXY_URI: "https://${local.prest-dns-name}"
PGRST_OPENAPI_SERVER_PROXY_URI: "https://${local.prest-dns_name}"
PGRST_ADMIN_SERVER_PORT: "9000"
API_URL: "https://${local.prest-dns-name}"
API_URL: "https://${local.prest-dns_name}"
BASE_URL: "/ui"
EOF
}
@@ -152,9 +152,9 @@ module "postgrest-ingress" {
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
ingress_class = var.ingress_class
labels = local.prest-labels
dns-names = [local.prest-dns-name]
dns_names = [local.prest-dns_name]
create-redirect = true
middlewares = []
service = local.prest-service
@@ -184,9 +184,9 @@ module "swagger-ingress" {
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
ingress_class = var.ingress_class
labels = local.prest-labels
dns-names = [local.prest-dns-name]
dns_names = [local.prest-dns_name]
middlewares = []
create-cert = false
sub-path = "ui"

4
share/dns/config.tf
View File

@@ -23,13 +23,13 @@ locals {
}
EOF
soa-ns = <<-EOF
@ IN SOA ${var.sub-domain}.${var.domain-name}. ${var.domain-name}. (
@ IN SOA ${var.sub_domain}.${var.domain_name}. ${var.domain_name}. (
${formatdate("YYYYMMDDhh",timestamp())} ; Serial
4H ; Refresh
1H ; Retry
7D ; Expire
4H ) ; Negative Cache TTL
@ IN NS ${var.sub-domain}.${var.domain-name}.
@ IN NS ${var.sub_domain}.${var.domain_name}.
EOF
files = merge({
"Corefile" = join("\n", concat([local.begin-core],[for z in var.zones: format("file /etc/coredns/%s.db %s", z.name,z.name)],[local.end-core]))

4
share/dns/index.yaml
View File

@@ -6,12 +6,12 @@ metadata:
name: dns
description: null
options:
domain-name:
domain_name:
default: your_company.com
examples:
- your_company.com
type: string
sub-domain:
sub_domain:
default: dns
examples:
- dns

2
share/organisation/gitea-user.tf
View File

@@ -83,7 +83,7 @@ resource "gitea_user" "user-ci" {
username = "${var.instance}-ci"
login_name = "${var.instance}-ci"
password = random_password.password.result
email = "${var.instance}-ci@${var.domain-name}"
email = "${var.instance}-ci@${var.domain_name}"
must_change_password = true
}

6
share/organisation/index.yaml
View File

@@ -27,7 +27,7 @@ options:
type: string
type: object
type: array
ingress-class:
ingress_class:
default: traefik
examples:
- traefik
@@ -87,12 +87,12 @@ options:
default: backup-settings
type: string
type: object
app-group:
app_group:
default: dev
examples:
- dev
type: string
domain-name:
domain_name:
default: your_company.com
examples:
- your_company.com

12
share/organisation/stages.tf
View File

@@ -1,17 +1,17 @@
locals {
annotations = {
"vynil.solidite.fr/name" = "${var.component}"
"vynil.solidite.fr/domain" = var.domain-name
"vynil.solidite.fr/domain" = var.domain_name
"vynil.solidite.fr/issuer" = var.issuer
"vynil.solidite.fr/ingress" = var.ingress-class
"vynil.solidite.fr/ingress" = var.ingress_class
}
global = {
"domain" = var.namespace
"domain-name" = var.domain-name
"domain_name" = var.domain_name
"issuer" = var.issuer
"ingress-class" = var.ingress-class
"ingress_class" = var.ingress_class
"backups" = var.backups
"app-group" = var.app-group
"app_group" = var.app_group
}
sorted-stage-name = reverse(distinct(sort([for s in var.stages: s.name])))
sorted-dataset-name = reverse(distinct(sort([for d in var.datasets: d.name])))
@@ -26,7 +26,7 @@ locals {
for name in local.sorted-dataset-name: [
for ds in var.datasets:
merge(ds,{
"sub-domain" = "${stage}.${var.instance}"
"sub_domain" = "${stage}.${var.instance}"
"namespace" = "${var.domain}-${var.instance}-${stage}"
}) if ds.name == name
]

14
share/wildduck/application.tf
View File

@@ -1,30 +1,30 @@
locals {
app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main-group = format("app-%s", local.app-name)
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main-group = format("app-%s", local.app_name)
}
data "authentik_group" "akadmin" {
name = "authentik Admins"
}
resource "authentik_group" "groups" {
name = local.main-group
attributes = jsonencode({"${local.app-name}" = true})
attributes = jsonencode({"${local.app_name}" = true})
}
resource "authentik_application" "prj_app" {
name = "${var.instance}"
slug = "${var.component}-${var.instance}"
#protocol_provider = authentik_provider_oauth2.oauth2.id
group = var.app-group
group = var.app_group
backchannel_providers = [authentik_provider_scim.scim.id]
meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "favicon-32x32.png")
meta_launch_url = format("https://%s.%s", var.sub_domain, var.domain_name)
meta_icon = format("https://%s.%s/%s", var.sub_domain, var.domain_name, "favicon-32x32.png")
}
resource "authentik_policy_expression" "policy" {
name = local.main-group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app-name}'] if '${local.app-name}' in attr else False
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF
}

8
share/wildduck/haraka.tf
View File

@@ -96,11 +96,11 @@ resource "kubernetes_config_map_v1" "haraka_config" {
}
data = yamldecode(<<-EOF
me: |-
${var.sub-domain}.${var.domain-name}
${var.sub_domain}.${var.domain_name}
host_list: |-
# add hosts in here we want to accept mail for
${var.sub-domain}.${var.domain-name}
${var.domain-name}
${var.sub_domain}.${var.domain_name}
${var.domain_name}
${join("\n ",var.additional-domains)}
rspamd.ini: |-
host = ${var.instance}-rspamd.${var.namespace}.svc.cluster.local
@@ -188,7 +188,7 @@ resource "kubernetes_config_map_v1" "haraka_config" {
dkim_sign.ini: |-
disabled = true
selector = mail
domain = ${var.domain-name}
domain = ${var.domain_name}
headers_to_sign = From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc, MIME-Version
wildduck.yaml: |-
redis:

8
share/wildduck/index.yaml
View File

@@ -6,7 +6,7 @@ metadata:
name: wildduck
description: null
options:
ingress-class:
ingress_class:
default: traefik
examples:
- traefik
@@ -255,7 +255,7 @@ options:
examples:
- your-company
type: string
app-group:
app_group:
default: ''
examples:
- ''
@@ -298,7 +298,7 @@ options:
default: 2Gi
type: string
type: object
domain-name:
domain_name:
default: your_company.com
examples:
- your_company.com
@@ -308,7 +308,7 @@ options:
examples:
- letsencrypt-prod
type: string
sub-domain:
sub_domain:
default: mail
examples:
- mail

10
share/wildduck/ingress.tf
View File

@@ -1,6 +1,6 @@
locals {
dns-names = ["${var.sub-domain}.${var.domain-name}"]
cert-names = concat(local.dns-names, ["${var.domain-name}"])
dns_names = ["${var.sub_domain}.${var.domain_name}"]
cert-names = concat(local.dns_names, ["${var.domain_name}"])
middlewares = ["${var.instance}-https"]
service = {
"name" = "${var.instance}-webmail"
@@ -8,7 +8,7 @@ locals {
"number" = 80
}
}
rules = [ for v in local.dns-names : {
rules = [ for v in local.dns_names : {
"host" = "${v}"
"http" = {
"paths" = [{
@@ -67,10 +67,10 @@ resource "kubectl_manifest" "prj_ingress" {
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress-class}"
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules)}
tls:
- hosts: ${jsonencode(local.dns-names)}
- hosts: ${jsonencode(local.dns_names)}
secretName: "${var.instance}-cert"
EOF
}

6
share/wildduck/redis.tf
View File

@@ -13,7 +13,7 @@ resource "kubectl_manifest" "prj_redis" {
labels: ${jsonencode(local.redis-labels)}
spec:
kubernetesConfig:
image: "${var.redis.image}"
image: "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
imagePullPolicy: "IfNotPresent"
storage:
volumeClaimTemplate:
@@ -21,10 +21,10 @@ resource "kubectl_manifest" "prj_redis" {
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: "${var.redis.storage}"
storage: "${var.storage.redis}"
redisExporter:
enabled: ${var.redis.exporter.enabled}
image: "${var.redis.exporter.image}"
image: "${var.images.redis_exporter.registry}/${var.images.redis_exporter.repository}:${var.images.redis_exporter.tag}"
securityContext:
runAsUser: 1000
fsGroup: 1000

2
share/wildduck/scimgateway.tf
View File

@@ -55,7 +55,7 @@ resource "kubectl_manifest" "scimgateway_deploy" {
- name: "PORT"
value: "8880"
- name: "WILDDUCK_DOMAIN"
value: "${var.domain-name}"
value: "${var.domain_name}"
- name: "WILDDUCK_API"
value: "http://${var.instance}-wildduck-api.${var.namespace}.svc"
- name: SEED

12
share/wildduck/webmail.tf
View File

@@ -92,7 +92,7 @@ resource "kubernetes_config_map_v1" "webmail_config" {
[service]
# email domain for new users
domain="${var.domain-name}"
domain="${var.domain_name}"
# default quotas for new users
quota=1024
recipients=2000
@@ -102,7 +102,7 @@ resource "kubernetes_config_map_v1" "webmail_config" {
allowJoin=false
enableSpecial=false # if true the allow creating addresses with special usernames
# allowed domains for new addresses
domains=["${var.domain-name}"]
domains=["${var.domain_name}"]
generalNotification="" # static notification to show on top of the page
@@ -145,7 +145,7 @@ resource "kubernetes_config_map_v1" "webmail_config" {
# set to false if not using HTTPS
enabled=true
# must be https url or use default
appId="https://${var.domain-name}"
appId="https://${var.domain_name}"
[log]
level="silly"
@@ -154,15 +154,15 @@ resource "kubernetes_config_map_v1" "webmail_config" {
[setup]
# these values are shown in the configuration help page
[setup.imap]
hostname="${var.sub-domain}.${var.domain-name}"
hostname="${var.sub_domain}.${var.domain_name}"
secure=true
port=143
[setup.pop3]
hostname="${var.sub-domain}.${var.domain-name}"
hostname="${var.sub_domain}.${var.domain_name}"
secure=true
port=110
[setup.smtp]
hostname="${var.sub-domain}.${var.domain-name}"
hostname="${var.sub_domain}.${var.domain_name}"
secure=true
port=25
EOF

6
share/wildduck/wildduck.tf
View File

@@ -173,7 +173,7 @@ resource "kubernetes_config_map_v1" "wildduck_config" {
enabled=true
[smtp.setup]
# Public configuration for SMTP MDA, needed for mobileconfig files
hostname="${var.sub-domain}.${var.domain-name}"
hostname="${var.sub_domain}.${var.domain_name}"
secure=true
port=465
[webhooks]
@@ -312,7 +312,7 @@ resource "kubernetes_config_map_v1" "wildduck_config" {
autoExpunge=true
[setup]
# Public configuration for IMAP
hostname="${var.sub-domain}.${var.domain-name}"
hostname="${var.sub_domain}.${var.domain_name}"
secure=true
# port defaults to imap.port
port=9930
@@ -360,7 +360,7 @@ resource "kubernetes_config_map_v1" "wildduck_config" {
cert="/var/opt/certs/tls.crt"
[setup]
# Public configuration for POP3
hostname="${var.sub-domain}.${var.domain-name}"
hostname="${var.sub_domain}.${var.domain_name}"
secure=true
# port defaults to pop3.port
port=995

6
share/wildduck/zonemta.tf
View File

@@ -128,7 +128,7 @@ resource "kubernetes_config_map_v1" "zonemta_config" {
# Server process must be able to locally bind to these addresses
[[default]]
address="0.0.0.0"
name="${var.sub-domain}.${var.domain-name}"
name="${var.sub_domain}.${var.domain_name}"
#
#[[default]]
#address="1.2.3.5"
@@ -145,7 +145,7 @@ resource "kubernetes_config_map_v1" "zonemta_config" {
interfaces=["feeder"]
# optional hostname to be used in headers
# defaults to os.hostname()
hostname="${var.sub-domain}.${var.domain-name}"
hostname="${var.sub_domain}.${var.domain_name}"
# How long to keep auth records in log
authlogExpireDays=30
# default smtp recipients for 24h (can be overriden per user)
@@ -161,7 +161,7 @@ resource "kubernetes_config_map_v1" "zonemta_config" {
# SRS secret value. Must be the same as in the MX side
secret="${local.secrets.srs}"
# SRS domain, must resolve back to MX
rewriteDomain="${var.domain-name}"
rewriteDomain="${var.domain_name}"
# DKIM Settings
# -------------
["modules/zonemta-wildduck".dkim]