dan
/
dans_cloud_terraform
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dans_cloud_terraform/main.tf

338 lines
7.8 KiB
HCL
Raw Blame History

terraform {
required_providers {
helm = {
source = "hashicorp/helm"
version = "~> 2.11.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.23.0"
}
keycloak = {
source = "mrparkers/keycloak"
version = "4.3.1"
}
}
backend "kubernetes" {
secret_suffix = "tfstate"
config_path = "~/.kube/config"
namespace = "dan-terraform"
}
}
provider "kubernetes" {
config_path = "~/.kube/config"
}
provider "helm" {
kubernetes {
config_path = "~/.kube/config"
}
}
provider "keycloak" {
client_id = "terraform"
client_secret = var.keycloak_client_secret
url = "https://keycloak.${var.domain_suffix}"
}
resource "helm_release" "gitea" {
name = "gitea"
repository = "https://dl.gitea.com/charts/"
chart = "gitea"
namespace = var.gitea_namespace
create_namespace = true
set {
name = "ingress.enabled"
value = "true"
}
set {
name = "ingress.annotations.\"cert-manager\\.io\\/cluster-issuer\""
value = "letsencrypt-prod"
}
set {
name = "ingress.hosts[0].host"
value = "git.${var.domain_suffix}"
}
set {
name = "ingress.hosts[0].paths[0].path"
value = "/"
}
set {
name = "ingress.hosts[0].paths[0].pathType"
value = "Prefix"
}
set {
name = "ingress.tls[0].secretName"
value = "tls-gitea"
}
set {
name = "ingress.tls[0].hosts[0]"
value = "git.${var.domain_suffix}"
}
set {
name = "persistence.enabled"
value = "true"
}
set {
name = "persistence.storageClass"
value = var.storageclass
}
set {
name = "global.storageClass"
value = var.storageclass
}
set {
name = "gitea.oauth[0].name"
value = "md1clv.im"
}
set {
name = "gitea.oauth[0].provider"
value = "openidConnect"
}
set {
name = "gitea.oauth[0].key"
value = "gitea"
}
set {
name = "gitea.oauth[0].secret"
value = var.keycloak_gitea_secret
}
set {
name = "gitea.oauth[0].autoDiscoverUrl"
value = "https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/.well-known/openid-configuration"
}
}
resource "helm_release" "keycloak" {
name = "keycloak"
namespace = var.keycloak_namespace
repository = "https://charts.bitnami.com/bitnami/"
chart = "keycloak"
create_namespace = true
set {
name = "auth.adminPassword"
value = var.keycloak_admin_pass
}
set {
name = "auth.adminUser"
value = "admin"
}
set {
name = "global.storageClass"
value = var.storageclass
}
set {
name = "ingress.annotations.cert-manager\\.io/cluster-issuer"
value = "letsencrypt-prod"
}
set {
name = "ingress.enabled"
value = "true"
}
set {
name = "ingress.hostname"
value = "keycloak.${var.domain_suffix}"
}
set {
name = "ingress.tls"
value = "true"
}
set {
name = "postgresql.auth.password"
value = var.postgres_password
}
set {
name = "proxy"
value = "edge"
}
}
resource "keycloak_realm" "realm" {
realm = "DC_Cloud"
enabled = true
default_signature_algorithm = "RS256"
}
resource "keycloak_openid_client" "gitea_client" {
realm_id = keycloak_realm.realm.id
client_id = "gitea"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
implicit_flow_enabled = true
client_secret = var.keycloak_gitea_secret
valid_redirect_uris = [
"https://git.${var.domain_suffix}/*"
]
}
resource "keycloak_openid_client" "nautobot_client" {
realm_id = keycloak_realm.realm.id
client_id = "nautobot"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
implicit_flow_enabled = true
client_secret = var.keycloak_nautobot_secret
valid_redirect_uris = [
"/*",
"https://nautobot.k8s.md1clv.im",
"https://nautobot.k8s.md1clv.im/*"
]
}
resource "helm_release" "nautobot" {
name = "nautobot"
namespace = var.nautobot_namespace
repository = "https://nautobot.github.io/helm-charts/"
chart = "nautobot"
create_namespace = true
values = [
<<EOT
ingress:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
cert-manager.io/cluster-issuer: letsencrypt-prod
backendProtocol: http
enabled: true
hostname: nautobot.${var.domain_suffix}
tls: true
nautobot:
config: |
import os
import sys
from nautobot.core.settings import * # noqa F401,F403
from nautobot.core.settings_funcs import is_truthy, parse_redis_connection
if DATABASES["default"]["ENGINE"] == "django.db.backends.mysql":
DATABASES["default"]["OPTIONS"] = {"charset": "utf8mb4"}
SECRET_KEY = os.getenv("NAUTOBOT_SECRET_KEY", "#fdj#r@=om#sjb-odxae1w#!vy5&(6@tsog*&x31(1725#nwg)")
AUTHENTICATION_BACKENDS = [ "social_core.backends.keycloak.KeycloakOAuth2", "nautobot.core.authentication.ObjectPermissionBackend", "django.contrib.auth.backends.ModelBackend" ]
SOCIAL_AUTH_KEYCLOAK_KEY = 'nautobot'
SOCIAL_AUTH_KEYCLOAK_SECRET = '${var.keycloak_nautobot_secret}'
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0w+FSHl757PbboHKFNwK8xEKyHwYTzDN3OCy+E0uXFBfXYf+mVqABWQaz/OwVL1H9XJzBlPZmARCIqnxB14J9QXn9ZJ42RTgXIMzJaJBUv5iKHhy4kFLAY26luzvWHZx4JYTAZ4gGOG0StapvAb5ejABcCmImP3P+PF3gZco1glZg1/wj+mMPnfD6If/uxwOb6YLHvBy6xqkfon9yyDNGGlm/6EjYJgjuoKLfw501/triw3RA4YFfZpn4z2uMqNR4tSdm5MpP84z0lDXl9KwplqI7SYvc+J9aZgBIRy+EZGplIazp3tfvKsR9910yxLxPYNzSPvOr8fJib4kqKaMQIDAQAB'
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/auth'
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/token'
postgresql:
auth:
password: 2wsxCDE3
global:
storageClass: ${var.storageclass}
redis:
auth:
password: 3edcVFR4
EOT
]
}
resource "helm_release" "librenms" {
name = "librenms"
namespace = var.librenms_namespace
repository = "https://midokura.github.io/helm-charts-community/"
chart = "librenms"
create_namespace = true
values = [
<<EOT
app:
persistence:
storageclass: ${var.storageclass}
ingress:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
cert-manager.io/cluster-issuer: letsencrypt-prod
enabled: true
hostname: librenms.${var.domain_suffix}
tls: true
syslog:
service:
type: LoadBalancer
EOT
]
}
resource "helm_release" "prometheus" {
name = "prometheus"
namespace = var.prometheus_namespace
repository = "https://charts.bitnami.com/bitnami/"
chart = "prometheus"
create_namespace = true
values = [
<<EOT
global:
storageClass: ${var.storageclass}
server:
ingress:
enabled: true
hostname: prometheus.k8s.md1clv.im
service:
type: ClusterIP
alertmanager:
service:
type: ClusterIP
EOT
]
}
resource "helm_release" "freeipa" {
name = "freeipa"
namespace = var.freeipa_namespace
repository = "https://improwised.github.io/charts/"
chart = "freeipa"
create_namespace = true
values = [
<<EOT
hostname: freeipa.${var.domain_suffix}
args:
realm: MD1CLV.IM
domain: md1clv.im
dspassword: ${var.freeipa_ds_password}
adminpassword: ${var.freeipa_admin_password}
nohostdns: true
nontp: true
setupdns: false
persistence:
enabled: true
storageclass: ${var.storageclass}
ingress:
enabled: true
hostname: freeipa.${var.domain_suffix}
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
tls: true
backendProtocol: http
service:
annotations:
traefik.ingress.kubernetes.io/service.serversscheme: https
traefik.ingress.kubernetes.io/service.serverstransport: default-tls-selfsigned@kubernetescrd
EOT
]
}
Reference in New Issue View Git Blame Copy Permalink