dan
/
dans_cloud_terraform
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dans_cloud_terraform/main.tf

726 lines
19 KiB
HCL
Raw Blame History

terraform {
required_providers {
helm = {
source = "hashicorp/helm"
version = "~> 2.11.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.23.0"
}
keycloak = {
source = "mrparkers/keycloak"
version = "~> 4.3.1"
}
proxmox = {
source = "telmate/proxmox"
version = "~> 2.9.8"
}
guacamole = {
source = "techBeck03/guacamole"
version = "~> 1.4.1"
}
freeipa = {
source = "rework-space-com/freeipa"
version = "4.0.0"
}
ldap = {
source = "l-with/ldap"
version = ">= 0.4"
}
}
backend "kubernetes" {
secret_suffix = "tfstate"
config_path = "~/.kube/config"
namespace = "dan-terraform"
}
}
provider "kubernetes" {
config_path = "~/.kube/config"
}
provider "helm" {
kubernetes {
config_path = "~/.kube/config"
}
}
provider "keycloak" {
client_id = "terraform"
client_secret = var.keycloak_client_secret
url = "https://keycloak.${var.domain_suffix}"
}
provider "guacamole" {
url = "https://guac.${var.domain_suffix}/"
# token = var.guacamole_token
# data_source = var.guacamole_datasource
username = "guacadmin"
password = "guacadmin"
}
provider "proxmox" {
pm_api_url = var.proxmox_api_url
pm_api_token_id = var.proxmox_token_id
pm_api_token_secret = var.proxmox_token
pm_tls_insecure = true
}
provider "freeipa" {
host = "${helm_release.freeipa.name}.${var.domain_suffix}"
username = "admin"
password = var.freeipa_admin_password
insecure = true
}
provider "ldap" {
alias = "ldap_provisioner"
host = "${helm_release.freeipa.name}.${var.domain_suffix}"
bind_user = "admin"
bind_password = "${var.freeipa_ds_password}"
port = 389
}
resource "helm_release" "keycloak" {
name = "keycloak"
namespace = var.keycloak_namespace
repository = "https://charts.bitnami.com/bitnami/"
chart = "keycloak"
create_namespace = true
values = [
<<-EOT
auth:
adminPassword: ${var.keycloak_admin_pass}
adminUser: admin
global:
storageClass: ${var.storageclass}
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
enabled: true
hostname: keycloak.${var.domain_suffix}
tls: true
postgresql:
auth:
password: ${var.postgres_password}
proxy: edge
metrics:
enabled: true
EOT
]
}
resource "keycloak_realm" "realm" {
realm = var.keycloak_realm
display_name = var.keycloak_realm_display_name
enabled = true
default_signature_algorithm = "RS256"
}
resource "keycloak_user" "initial_keycloak_user" {
realm_id = keycloak_realm.realm.id
username = var.keycloak_user.username
enabled = true
email = var.keycloak_user.email
first_name = var.keycloak_user.firstname
last_name = var.keycloak_user.lastname
initial_password {
value = var.keycloak_user.password
temporary = false
}
}
resource "keycloak_group" "admin_group" {
realm_id = keycloak_realm.realm.id
name = "Admins"
}
resource "keycloak_user_groups" "initial_user_in_admin_group" {
exhaustive = false
realm_id = keycloak_realm.realm.id
user_id = keycloak_user.initial_keycloak_user.id
group_ids = [
keycloak_group.admin_group.id
]
}
resource "keycloak_openid_client_scope" "openid_client_scope" {
realm_id = keycloak_realm.realm.id
name = "groups"
description = "When requested, this scope will map a user's group memberships to a claim"
include_in_token_scope = true
gui_order = 1
}
resource "keycloak_openid_client" "proxmox_client" {
realm_id = keycloak_realm.realm.id
client_id = "dc-proxmox1"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
implicit_flow_enabled = true
client_secret = var.keycloak_proxmox_secret
valid_redirect_uris = [
"https://172.29.7.12:8006",
"https://172.29.7.15:8006"
]
}
resource "keycloak_openid_client" "gitea_client" {
realm_id = keycloak_realm.realm.id
client_id = "gitea"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
implicit_flow_enabled = true
client_secret = var.keycloak_gitea_secret
valid_redirect_uris = [
"https://git.${var.domain_suffix}/*"
]
}
resource "helm_release" "gitea" {
name = "gitea"
repository = "https://dl.gitea.com/charts/"
chart = "gitea"
namespace = var.gitea_namespace
create_namespace = true
values = [
<<-EOT
gitea:
oauth:
- autoDiscoverUrl: https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/.well-known/openid-configuration
key: ${keycloak_openid_client.gitea_client.client_id}
name: md1clv.im
provider: openidConnect
secret: ${keycloak_openid_client.gitea_client.client_secret}
global:
storageClass: ${var.storageclass}
ingress:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
cert-manager.io/cluster-issuer: letsencrypt-prod
enabled: true
hosts:
- host: git.${var.domain_suffix}
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- git.${var.domain_suffix}
secretName: tls-gitea
persistence:
enabled: true
storageClass: ${var.storageclass}
EOT
]
}
resource "keycloak_openid_client" "guac_client" {
realm_id = keycloak_realm.realm.id
client_id = "guac"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
implicit_flow_enabled = true
valid_redirect_uris = [
"https://guac.${var.domain_suffix}/*"
]
}
resource "keycloak_openid_group_membership_protocol_mapper" "guac_group_membership_mapper" {
realm_id = keycloak_realm.realm.id
name = "groups"
claim_name = "groups"
client_id = keycloak_openid_client.guac_client.id
full_path = false
}
resource "random_password" "guac_db_pw" {
length = 16
special = false
}
resource "random_password" "guac_db_admin_pw" {
length = 16
special = false
}
resource "helm_release" "guacpg" {
name = "guacpg"
namespace = var.guac_namespace
repository = "https://charts.bitnami.com/bitnami/"
chart = "postgresql"
create_namespace = true
values = [
<<EOT
global:
storageClass: ${var.storageclass}
auth:
username: guacamole
password: ${random_password.guac_db_pw.result}
postgresPassword: ${random_password.guac_db_admin_pw.result}
database: guacamole
EOT
]
}
resource "helm_release" "guac" {
name = "guac"
namespace = var.guac_namespace
repository = "https://charts.beryju.org"
chart = "guacamole"
create_namespace = true
values = [
<<EOT
guacamole:
settings:
OPENID_AUTHORIZATION_ENDPOINT: https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/auth
OPENID_JWKS_ENDPOINT: https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/certs
OPENID_ISSUER: https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}
OPENID_CLIENT_ID: ${keycloak_openid_client.guac_client.client_id}
OPENID_REDIRECT_URI: https://guac.${var.domain_suffix}/
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: guac.${var.domain_suffix}
paths:
- /
tls:
- secretName: guac-tls
hosts:
- guac.${var.domain_suffix}
postgres:
hostname: guacpg-postgresql
password: ${random_password.guac_db_pw.result}
EOT
]
depends_on = [
helm_release.guacpg
]
}
resource "guacamole_connection_group" "routers" {
parent_identifier = "ROOT"
name = "Routers"
type = "organizational"
}
resource "guacamole_user_group" "admingroup" {
identifier = "Admins"
system_permissions = ["ADMINISTER"]
connection_groups = [
guacamole_connection_group.routers.id
]
attributes {
disabled = false
}
}
resource "keycloak_openid_client" "nautobot_client" {
realm_id = keycloak_realm.realm.id
client_id = "nautobot"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
implicit_flow_enabled = true
client_secret = var.keycloak_nautobot_secret
valid_redirect_uris = [
"/*",
"https://nautobot.${var.domain_suffix}",
"https://nautobot.${var.domain_suffix}/*"
]
}
resource "helm_release" "nautobot" {
name = "nautobot"
namespace = var.nautobot_namespace
repository = "https://nautobot.github.io/helm-charts/"
chart = "nautobot"
create_namespace = true
values = [
<<EOT
ingress:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
cert-manager.io/cluster-issuer: letsencrypt-prod
backendProtocol: http
enabled: true
hostname: nautobot.${var.domain_suffix}
tls: true
nautobot:
config: |
import os
import sys
from nautobot.core.settings import * # noqa F401,F403
from nautobot.core.settings_funcs import is_truthy, parse_redis_connection
if DATABASES["default"]["ENGINE"] == "django.db.backends.mysql":
DATABASES["default"]["OPTIONS"] = {"charset": "utf8mb4"}
SECRET_KEY = os.getenv("NAUTOBOT_SECRET_KEY", "#fdj#r@=om#sjb-odxae1w#!vy5&(6@tsog*&x31(1725#nwg)")
AUTHENTICATION_BACKENDS = [ "social_core.backends.keycloak.KeycloakOAuth2", "nautobot.core.authentication.ObjectPermissionBackend", "django.contrib.auth.backends.ModelBackend" ]
SOCIAL_AUTH_KEYCLOAK_KEY = '${keycloak_openid_client.nautobot_client.client_id}'
SOCIAL_AUTH_KEYCLOAK_SECRET = '${var.keycloak_nautobot_secret}'
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0w+FSHl757PbboHKFNwK8xEKyHwYTzDN3OCy+E0uXFBfXYf+mVqABWQaz/OwVL1H9XJzBlPZmARCIqnxB14J9QXn9ZJ42RTgXIMzJaJBUv5iKHhy4kFLAY26luzvWHZx4JYTAZ4gGOG0StapvAb5ejABcCmImP3P+PF3gZco1glZg1/wj+mMPnfD6If/uxwOb6YLHvBy6xqkfon9yyDNGGlm/6EjYJgjuoKLfw501/triw3RA4YFfZpn4z2uMqNR4tSdm5MpP84z0lDXl9KwplqI7SYvc+J9aZgBIRy+EZGplIazp3tfvKsR9910yxLxPYNzSPvOr8fJib4kqKaMQIDAQAB'
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/auth'
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://keycloak.${var.domain_suffix}/realms/${var.keycloak_realm}/protocol/openid-connect/token'
postgresql:
auth:
password: 2wsxCDE3
global:
storageClass: ${var.storageclass}
redis:
auth:
password: 3edcVFR4
EOT
]
}
resource "helm_release" "librenms" {
name = "librenms"
namespace = var.librenms_namespace
repository = "https://midokura.github.io/helm-charts-community/"
chart = "librenms"
create_namespace = true
values = [
<<EOT
app:
persistence:
storageclass: ${var.storageclass}
ingress:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
cert-manager.io/cluster-issuer: letsencrypt-prod
enabled: true
hostname: librenms.${var.domain_suffix}
ingressClassName: traefik
tls: true
syslog:
service:
type: LoadBalancer
EOT
]
}
resource "helm_release" "prometheus" {
name = "prometheus"
namespace = var.prometheus_namespace
repository = "https://charts.bitnami.com/bitnami/"
chart = "prometheus"
create_namespace = true
values = [
<<EOT
global:
storageClass: ${var.storageclass}
server:
ingress:
enabled: true
hostname: prometheus.${var.domain_suffix}
service:
type: ClusterIP
extraScrapeConfigs:
- job_name: pushgateway
scrape_interval: 300s
honor_labels: true
static_configs:
- targets: ['${helm_release.prometheus_pushgw.name}-${helm_release.prometheus_pushgw.chart}.${helm_release.prometheus_pushgw.namespace}.svc.cluster.local:9091']
alertmanager:
service:
type: ClusterIP
EOT
]
}
resource "helm_release" "prometheus_pushgw" {
name = "prometheus-pushgw"
namespace = var.prometheus_namespace
repository = "https://prometheus-community.github.io/helm-charts"
chart = "prometheus-pushgateway"
create_namespace = true
values = [
<<EOT
ingress:
enabled: true
hosts:
- pushgw.${var.domain_suffix}
tls:
- secretName: pushgw-tls
hosts:
- pushgw.${var.domain_suffix}
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
persistentVolume:
enabled: true
storageClass: ${var.storageclass}
EOT
]
}
resource "helm_release" "influxdb" {
name = "influxdb"
namespace = var.influxdb_namespace
repository = "https://charts.bitnami.com/bitnami/"
chart = "influxdb"
create_namespace = true
values = [
<<-EOT
auth:
admin:
password: ${var.default_password}
token: ${var.influxdb_admin_token}
global:
storageClass: ${var.storageclass}
influxdb:
server:
service:
type: ClusterIP
ingress:
enabled: true
hostname: influxdb.${var.domain_suffix}
EOT
]
}
resource "keycloak_openid_client" "grafana_client" {
realm_id = keycloak_realm.realm.id
client_id = "grafana"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
implicit_flow_enabled = false
use_refresh_tokens = false
client_secret = var.keycloak_grafana_secret
valid_redirect_uris = [
"https://grafana.${var.domain_suffix}/login/generic_oauth"
]
}
resource "kubernetes_config_map" "grafana_ini" {
metadata {
name = "grafana-ini"
namespace = var.grafana_namespace
}
data = {
"grafana.ini" = <<-EOT
[server]
root_url = https://grafana.${var.domain_suffix}/
[auth.generic_oauth]
enabled = true
name = md1clv.im
allow_sign_up = true
client_id = ${keycloak_openid_client.grafana_client.client_id}
client_secret = ${keycloak_openid_client.grafana_client.client_secret}
scopes = openid email profile offline_access roles
email_attribute_path = email
login_attribute_path = username
name_attribute_path = full_name
auth_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/auth
token_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/token
api_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/userinfo
signout_redirect_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fgrafana.${var.domain_suffix}%2Flogin
role_attribute_path = contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
allow_assign_grafana_admin = true
groups_attribute_path = groups
EOT
}
}
resource "helm_release" "grafana" {
name = "grafana"
namespace = var.grafana_namespace
repository = "https://charts.bitnami.com/bitnami/"
chart = "grafana"
create_namespace = true
values = [
<<-EOT
admin:
password: ${var.default_password}
config:
grafanaIniConfigMap: grafana-ini
useGrafanaIniFile: true
datasources:
secretDefinition:
apiVersion: 1
datasources:
- isDefault: true
name: InfluxDB
type: influxdb
url: http://influxdb.${var.influxdb_namespace}.svc.cluster.local:8006
- name: Prometheus
type: prometheus
url: http://prometheus-server.${var.prometheus_namespace}.svc.cluster.local
global:
storageClass: ${var.storageclass}
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
enabled: true
hostname: grafana.${var.domain_suffix}
tls: true
EOT
]
}
resource "helm_release" "freeipa" {
name = "freeipa"
namespace = var.freeipa_namespace
# repository = "https://improwised.github.io/charts/"
repository = "https://git.k8s.md1clv.im/api/packages/dan/helm"
chart = "freeipa"
create_namespace = true
values = [
<<EOT
hostname: freeipa.${var.domain_suffix}
args:
realm: ${var.ldap.realm}
domain: ${var.ldap.domain}
dspassword: ${var.freeipa_ds_password}
adminpassword: ${var.freeipa_admin_password}
nohostdns: true
nontp: true
setupdns: false
persistence:
enabled: true
storageclass: ${var.storageclass}
ingress:
enabled: true
hostname: freeipa.${var.domain_suffix}
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
tls: true
backendProtocol: https
service:
annotations:
traefik.ingress.kubernetes.io/service.serversscheme: https
traefik.ingress.kubernetes.io/service.serverstransport: default-tls-selfsigned@kubernetescrd
EOT
]
}
#resource "ldap_entry" "bind_user" {
# provider = ldap.ldap_provisioner
# dn = "uid=system,cn=sysaccounts,cn=etc,${var.ldap.base_dn}"
# data_json = jsonencode({
# objectClass = ["account","simplesecurityobject"]
# uid = [var.ldap.bind_user]
# userPassword= [var.ldap.bind_password]
# })
#}
# resource freeipa_user "freeipa_users" {
# first_name = var.keycloak_user.firstname
# last_name = var.keycloak_user.lastname
# name = var.keycloak_user.username
# telephone_numbers = [var.keycloak_user.phone]
# email_address = [var.keycloak_user.email]
# userpassword = var.keycloak_user.password
# }
resource "helm_release" "ntfy" {
name = "ntfy"
namespace = "ntfy"
repository = "https://charts.sarabsingh.com"
chart = "ntfy"
create_namespace = true
values = [
<<EOT
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
hosts:
- host: ntfy.${var.domain_suffix}
paths:
- path: /
pathType: Prefix
tls:
- secretName: ntfy-tls
hosts:
- ntfy.${var.domain_suffix}
config:
enabled: true
data:
base-url: "https://ntfy.${var.domain_suffix}"
behind-proxy: true
persistence:
enabled: true
size: 500Mi
EOT
]
}
resource "random_integer" "proxmox_node" {
min=1
max=2
count=var.num_routers
}
resource "proxmox_vm_qemu" "vyos_router" {
count = var.num_routers
name = "vyos-${count.index + 1}" #count.index starts at 0, so + 1 means this VM will be named test-vm-1 in proxmox
target_node = "${var.proxmox_host_prefix}${random_integer.proxmox_node[count.index].result}"
clone = var.vyos_template_name
agent = 1
os_type = "cloud-init"
cores = 2
sockets = 1
cpu = "host"
memory = 2048
scsihw = "virtio-scsi-single"
bootdisk = "scsi0"
disk {
slot = 0
size = "10G"
type = "scsi"
storage = "NFS-BIG"
iothread = 1
}
network {
model = "virtio"
bridge = "vmbr0"
}
network {
model = "virtio"
bridge = "TestNet1"
}
lifecycle {
ignore_changes = [
network,
]
}
ipconfig0 = "ip=dhcp"
sshkeys = <<EOF
${var.ssh_key}
EOF
}
resource "guacamole_connection_ssh" "vyos_vms" {
for_each = { for x in proxmox_vm_qemu.vyos_router: x.name => x }
name = each.value.name
parent_identifier = guacamole_connection_group.routers.identifier
parameters {
hostname = each.value.default_ipv4_address
username = "vyos"
private_key = var.ssh_private_key
}
}
Reference in New Issue View Git Blame Copy Permalink