terraform {
  required_providers {
    helm = {
      source = "hashicorp/helm"
      version = "~> 2.11.0"
    }
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "~> 2.23.0"
    }
    keycloak = {
      source = "mrparkers/keycloak"
      version = "4.3.1"
    }
  }
  backend "kubernetes" {
    secret_suffix    = "tfstate"
    config_path      = "~/.kube/config"
    namespace        = "dan-terraform"
  }
}

provider "kubernetes" {
  config_path = "~/.kube/config"
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

provider "keycloak" {
  client_id = "terraform"
  client_secret = var.keycloak_client_secret
  url = "https://keycloak.${var.domain_suffix}"
}

resource "helm_release" "keycloak" {
  name                       = "keycloak"
  namespace                  = var.keycloak_namespace
  repository                 = "https://charts.bitnami.com/bitnami/"
  chart                      = "keycloak"
  create_namespace           = true

  values = [
    <<-EOT
    auth:
      adminPassword: ${var.keycloak_admin_pass}
      adminUser: admin
    global:
      storageClass: ${var.storageclass}
    ingress:
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
      enabled: true
      hostname: keycloak.${var.domain_suffix}
      tls: true
    postgresql:
      auth:
        password: ${var.postgres_password}
    proxy: edge
    EOT
  ]
}

resource "keycloak_realm" "realm" {
  realm   = var.keycloak_realm
  display_name = var.keycloak_realm_display_name
  enabled = true
  default_signature_algorithm = "RS256"
}

resource "keycloak_openid_client" "gitea_client" {
  realm_id            = keycloak_realm.realm.id
  client_id           = "gitea"

  enabled             = true

  access_type         = "CONFIDENTIAL"
  standard_flow_enabled = true
  implicit_flow_enabled = true
  client_secret = var.keycloak_gitea_secret
  valid_redirect_uris = [
    "https://git.${var.domain_suffix}/*"
  ]
}

resource "helm_release" "gitea" {
  name       = "gitea"

  repository = "https://dl.gitea.com/charts/"
  chart      = "gitea"
  namespace  = var.gitea_namespace
  create_namespace = true

  values = [
    <<-EOT
    gitea:
      oauth:
      - autoDiscoverUrl: https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/.well-known/openid-configuration
        key: ${keycloak_openid_client.gitea_client.client_id}
        name: md1clv.im
        provider: openidConnect
        secret: ${keycloak_openid_client.gitea_client.client_secret}
    global:
      storageClass: ${var.storageclass}
    ingress:
      annotations:
        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
        cert-manager.io/cluster-issuer: letsencrypt-prod
      enabled: true
      hosts:
      - host: git.${var.domain_suffix}
        paths:
        - path: /
          pathType: Prefix
      tls:
      - hosts:
        - git.${var.domain_suffix}
        secretName: tls-gitea
    persistence:
      enabled: true
      storageClass: ${var.storageclass}
    EOT
  ]
}

resource "keycloak_openid_client" "nautobot_client" {
  realm_id = keycloak_realm.realm.id
  client_id = "nautobot"
  enabled = true
  access_type = "CONFIDENTIAL"
  standard_flow_enabled = true
  implicit_flow_enabled = true
  client_secret = var.keycloak_nautobot_secret
  valid_redirect_uris = [
    "/*",
    "https://nautobot.${var.domain_suffix}",
    "https://nautobot.${var.domain_suffix}/*"
  ]
}

resource "helm_release" "nautobot" {
  name                       = "nautobot"
  namespace                  = var.nautobot_namespace
  repository                 = "https://nautobot.github.io/helm-charts/"
  chart                      = "nautobot"
  create_namespace           = true

  values = [
<<EOT
ingress:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
    cert-manager.io/cluster-issuer: letsencrypt-prod
  backendProtocol: http
  enabled: true
  hostname: nautobot.${var.domain_suffix}
  tls: true
nautobot:
  config: |
    import os
    import sys
    from nautobot.core.settings import *  # noqa F401,F403
    from nautobot.core.settings_funcs import is_truthy, parse_redis_connection
    if DATABASES["default"]["ENGINE"] == "django.db.backends.mysql":
        DATABASES["default"]["OPTIONS"] = {"charset": "utf8mb4"}
    SECRET_KEY = os.getenv("NAUTOBOT_SECRET_KEY", "#fdj#r@=om#sjb-odxae1w#!vy5&(6@tsog*&x31(1725#nwg)")
    AUTHENTICATION_BACKENDS = [ "social_core.backends.keycloak.KeycloakOAuth2", "nautobot.core.authentication.ObjectPermissionBackend", "django.contrib.auth.backends.ModelBackend" ]
    SOCIAL_AUTH_KEYCLOAK_KEY = '${keycloak_openid_client.nautobot_client.client_id}'
    SOCIAL_AUTH_KEYCLOAK_SECRET = '${var.keycloak_nautobot_secret}'
    SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0w+FSHl757PbboHKFNwK8xEKyHwYTzDN3OCy+E0uXFBfXYf+mVqABWQaz/OwVL1H9XJzBlPZmARCIqnxB14J9QXn9ZJ42RTgXIMzJaJBUv5iKHhy4kFLAY26luzvWHZx4JYTAZ4gGOG0StapvAb5ejABcCmImP3P+PF3gZco1glZg1/wj+mMPnfD6If/uxwOb6YLHvBy6xqkfon9yyDNGGlm/6EjYJgjuoKLfw501/triw3RA4YFfZpn4z2uMqNR4tSdm5MpP84z0lDXl9KwplqI7SYvc+J9aZgBIRy+EZGplIazp3tfvKsR9910yxLxPYNzSPvOr8fJib4kqKaMQIDAQAB'
    SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/auth'
    SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/token'
postgresql:
  auth:
    password: 2wsxCDE3
  global:
    storageClass: ${var.storageclass}
redis:
  auth:
    password: 3edcVFR4
EOT
  ]
}

resource "helm_release" "librenms" {
  name = "librenms"
  namespace = var.librenms_namespace
  repository = "https://midokura.github.io/helm-charts-community/"
  chart = "librenms"
  create_namespace = true
  values = [
<<EOT
app:
  persistence:
    storageclass: ${var.storageclass}
ingress:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
    cert-manager.io/cluster-issuer: letsencrypt-prod
  enabled: true
  hostname: librenms.${var.domain_suffix}
  ingressClassName: traefik
  tls: true
syslog:
  service:
    type: LoadBalancer
EOT
  ]
}

resource "helm_release" "prometheus" {
  name = "prometheus"
  namespace = var.prometheus_namespace
  repository = "https://charts.bitnami.com/bitnami/"
  chart = "prometheus"
  create_namespace = true
  values = [
<<EOT
global:
  storageClass: ${var.storageclass}
server:
  ingress:
    enabled: true
    hostname: prometheus.${var.domain_suffix}
  service:
    type: ClusterIP
alertmanager:
  service:
    type: ClusterIP
EOT
  ]
}

resource "helm_release" "influxdb" {
  name = "influxdb"
  namespace = var.influxdb_namespace
  repository = "https://charts.bitnami.com/bitnami/"
  chart = "influxdb"
  create_namespace = true
  values = [
    <<-EOT
    auth:
      admin:
        password: ${var.default_password}
        token: ${var.influxdb_admin_token}
    global:
      storageClass: ${var.storageclass}
    influxdb:
      server:
        service:
          type: ClusterIP
    ingress:
      enabled: true
      hostname: influxdb.${var.domain_suffix}
    EOT
  ]
}

resource "keycloak_openid_client" "grafana_client" {
  realm_id = keycloak_realm.realm.id
  client_id = "grafana"
  enabled = true
  access_type = "CONFIDENTIAL"
  standard_flow_enabled = true
  implicit_flow_enabled = false
  use_refresh_tokens = false
  client_secret = var.keycloak_grafana_secret
  valid_redirect_uris = [
    "https://grafana.${var.domain_suffix}/login/generic_oauth"
  ]
}

resource "kubernetes_config_map" "grafana_ini" {
  metadata {
    name = "grafana-ini"
    namespace = var.grafana_namespace
  }
  data = {
    "grafana.ini" = <<-EOT
      [server]
      root_url = https://grafana.${var.domain_suffix}/
      [auth.generic_oauth]
      enabled = true
      name = md1clv.im
      allow_sign_up = true
      client_id = ${keycloak_openid_client.grafana_client.client_id}
      client_secret = ${keycloak_openid_client.grafana_client.client_secret}
      scopes = openid email profile offline_access roles
      email_attribute_path = email
      login_attribute_path = username
      name_attribute_path = full_name
      auth_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/auth
      token_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/token
      api_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/userinfo
      signout_redirect_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fgrafana.${var.domain_suffix}%2Flogin
      role_attribute_path = contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
      allow_assign_grafana_admin = true
      groups_attribute_path = groups
    EOT
  }
}

resource "helm_release" "grafana" {
  name = "grafana"
  namespace = var.grafana_namespace
  repository = "https://charts.bitnami.com/bitnami/"
  chart = "grafana"
  create_namespace = true
  values = [
    <<-EOT
    admin:
      password: ${var.default_password}
    config:
      grafanaIniConfigMap: grafana-ini
      useGrafanaIniFile: true
    datasources:
      secretDefinition:
        apiVersion: 1
        datasources:
        - isDefault: true
          name: InfluxDB
          type: influxdb
          url: http://influxdb.${var.influxdb_namespace}.svc.cluster.local:8006
        - name: Prometheus
          type: prometheus
          url: http://prometheus.${var.prometheus_namespace}.svc.cluster.local
    global:
      storageClass: ${var.storageclass}
    ingress:
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
      enabled: true
      hostname: grafana.${var.domain_suffix}
      tls: true
    EOT
  ]
}

resource "helm_release" "freeipa" {
  name = "freeipa"
  namespace = var.freeipa_namespace
  repository = "https://improwised.github.io/charts/"
  chart = "freeipa"
  create_namespace = true
  values = [
<<EOT
hostname: freeipa.${var.domain_suffix}
args:
  realm: MD1CLV.IM
  domain: md1clv.im
  dspassword: ${var.freeipa_ds_password}
  adminpassword: ${var.freeipa_admin_password}
  nohostdns: true
  nontp: true
  setupdns: false
persistence:
  enabled: true
  storageclass: ${var.storageclass}
ingress:
  enabled: true
  hostname: freeipa.${var.domain_suffix}
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls: true
  backendProtocol: http
service:
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
    traefik.ingress.kubernetes.io/service.serverstransport: default-tls-selfsigned@kubernetescrd
EOT
  ]
}