modularize tf infrastructure

2024-03-01 16:34:20 +01:00 · 2024-03-01 16:34:20 +01:00 · 6dae248c01
commit 6dae248c01
parent 493daeeb29
14 changed files with 291 additions and 151 deletions
--- a/ignition/forgejo/app.ini
+++ b/ignition/forgejo/app.ini
@ -0,0 +1,98 @@
+APP_NAME = Hklbgd: Git forge beogradskog haklaba.
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = forge.hklbgd.org
+SSH_DOMAIN = forge.hklbgd.org
+HTTP_PORT = 3000
+ROOT_URL = http://forge.hklbgd.org:3000/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = Uw3LrBKqyOESkHJDcpfP_AM_eLE-WKWTV48inxIfqNk
+OFFLINE_MODE = false
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MDg0NDAwODh9.VO3I2beskQWkE-yU5QC3WWjaVuqH80piJroJxj71-HA
+PASSWORD_HASH_ALGO = pbkdf2_hi
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+WHITELISTED_URIS = kanidm.hklbgd.org
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = squash
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = 9Xl_coahn4U31L78IxKSZk7k6z_r2uQlQ_DVDlNsKyM
--- a/ignition/forgejo/service.bu
+++ b/ignition/forgejo/service.bu
@ -0,0 +1,57 @@
+variant: fcos
+version: 1.5.0
+passwd:
+  users:
+    - name: vladan
+      ssh_authorized_keys:
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga
+      password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
+      groups:
+        - wheel
+      shell: /bin/bash
+storage:
+  disks:
+    - device: /dev/vdb
+      wipe_table: false
+      partitions:
+        - number: 1
+          label: forgejo
+          start_mib: 0
+          size_mib: 30000
+  filesystems:
+    - path: /var/lib/forgejo
+      device: /dev/disk/by-partlabel/forgejo
+      format: xfs
+      label: data
+      with_mount_unit: true
+      wipe_filesystem: false
+  files:
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: forge.hklbgd.org
+    - path: /etc/forgejo/app.ini
+      contents:
+        local: app.ini
+    - path: /etc/containers/systemd/forgejo.container
+      contents:
+        inline: |
+          [Unit]
+          Description=Forgejo: Beyond coding. We forge.
+          After=network-online.target
+          Wants=network-online.target
+
+          [Service]
+          TimeoutStartSec=60
+
+          [Container]
+          ContainerName=forgejo
+          Image=codeberg.org/forgejo/forgejo:1.21.5-0
+          Volume=/var/lib/forgejo:/data:z
+          Volume=/etc/forgejo/app.ini:/data/gitea/conf/app.ini:z
+          PublishPort=3000:3000
+          PublishPort=3022:22
+
+          [Install]
+          # Start by default on boot
+          WantedBy=multi-user.target default.target
--- a/ignition/host/proxmox-coreos.bu
+++ b/ignition/host/proxmox-coreos.bu
@ -0,0 +1,61 @@
+variant: fcos
+version: 1.5.0
+passwd:
+  users:
+    - name: vladan
+      ssh_authorized_keys:
+        - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga"
+      password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
+      groups:
+        - wheel
+      shell: /bin/bash
+    - name: chavi
+      ssh_authorized_keys:
+        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCz74zYGwoGjtn4jjBas2fxrFoAJgnQ8uJG5xvXQdyC3rxbsuR5ZwnpMaEBG6LOM6p4qA3E1/9Kw7XU0l09O156SYN11m4GSSaw5Br8oLEkdllsxOkHjrAXuU3hGsg/ipbVzICt/RukNKbuG1Qod43Hlf/zTKeoIsaPd0MaVpWn2rMF6dgLx+4bbe40BxPWI0XOHjXCZqjMPf0Nz/l/YUlvyRIWHvxr5PIyZtJnPGeOxyuZx9/zY7URDU6+WClzXoiRfiIQI143f8QAxMSC+Gbo0ouo91pK1VJFKhA7x9lXBeJ2m22Y9aIDoJ5gE0LEfRiPpH+YM0Gu8c0GLbqpDGT8WaHqB3VdjBkWVs2Au+1p/9P6m0oz2omLH7MUHh7jP4VnX3uVLn788SltMkjd5oyzJLqykKuJEcX4wInyynIxKAlLKl2pb9Tpk47yxkFKnRWgBy93kqkIc5ZKhnS4S/3P91mIVHhXSR9yp806VVQ3DXng2ej8TNRE9uoMoh5RB4k= ivan@ivan-ThinkPad"
+      password_hash: "$y$j9T$C/reAmIG3L0rGz0jhUSDa.$YLEh/OYaVY2hjYhzcdcrzmkbvyzTGkPp8h3FcvfGDc/"
+      groups:
+        - wheel
+      shell: /bin/bash
+    - name: random
+      ssh_authorized_keys:
+        - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga"
+        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCz74zYGwoGjtn4jjBas2fxrFoAJgnQ8uJG5xvXQdyC3rxbsuR5ZwnpMaEBG6LOM6p4qA3E1/9Kw7XU0l09O156SYN11m4GSSaw5Br8oLEkdllsxOkHjrAXuU3hGsg/ipbVzICt/RukNKbuG1Qod43Hlf/zTKeoIsaPd0MaVpWn2rMF6dgLx+4bbe40BxPWI0XOHjXCZqjMPf0Nz/l/YUlvyRIWHvxr5PIyZtJnPGeOxyuZx9/zY7URDU6+WClzXoiRfiIQI143f8QAxMSC+Gbo0ouo91pK1VJFKhA7x9lXBeJ2m22Y9aIDoJ5gE0LEfRiPpH+YM0Gu8c0GLbqpDGT8WaHqB3VdjBkWVs2Au+1p/9P6m0oz2omLH7MUHh7jP4VnX3uVLn788SltMkjd5oyzJLqykKuJEcX4wInyynIxKAlLKl2pb9Tpk47yxkFKnRWgBy93kqkIc5ZKhnS4S/3P91mIVHhXSR9yp806VVQ3DXng2ej8TNRE9uoMoh5RB4k= ivan@ivan-ThinkPad"
+      password_hash: "$y$j9T$qi3pFCD77.Vb8JxbamPgo1$po2Xt0NDCMa1E6evdyRhmyoWBt1no3TLM8FcDvrdDXD"
+      shell: /bin/bash
+storage:
+  disks:
+    - device: /dev/sdb
+      wipe_table: false
+      partitions:
+        - number: 1
+          label: SD_GPT_VAR
+          guid: "4d21b016-b534-45c2-a9fb-5c16e091fd2d"
+  filesystems:
+    - path: /var
+      device: /dev/disk/by-partlabel/SD_GPT_VAR
+      format: xfs
+      wipe_filesystem: false
+      label: var
+      with_mount_unit: true
+  files:
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: proxmox-coreos
+systemd:
+  units:
+    - name: install-virt.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=Layer virt rpm-ostree
+
+        Wants=network-online.target
+        After=network-online.target
+        Before=zincati.service
+        ConditionPathExists=!/usr/sbin/libvirtd
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=/usr/bin/rpm-ostree install libvirt qemu
--- a/ignition/kanidm/server.toml
+++ b/ignition/kanidm/server.toml
@ -0,0 +1,18 @@
+bindaddress = "[::]:8443"
+ldapbindaddress = "[::]:3636"
+trust_x_forward_for = false
+db_path = "/data/kanidm.db"
+db_arc_size = 1024
+
+tls_chain = "/data/certs/fullchain1.pem"
+tls_key = "/data/certs/privkey1.pem"
+
+log_level = "debug"
+
+domain = "kanidm.hklbgd.org"  # !!! don't modify !!!
+origin = "https://kanidm.hklbgd.org"  # webauthn origin
+#
+[online_backup]
+path = "/data/kanidm/backups/"
+schedule = "00 04 * * *"
+versions = 3  # number of backups to keep
--- a/ignition/kanidm/service.bu
+++ b/ignition/kanidm/service.bu
@ -0,0 +1,75 @@
+variant: fcos
+version: 1.5.0
+passwd:
+  users:
+    - name: vladan
+      ssh_authorized_keys:
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga
+      password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
+      groups:
+        - wheel
+      shell: /bin/bash
+storage:
+  disks:
+    - device: /dev/vdb
+      wipe_table: true
+      partitions:
+        - number: 1
+          label: kanidm-data
+          start_mib: 0
+          size_mib: 10000
+  filesystems:
+    - path: /var/lib/kanidm
+      device: /dev/disk/by-partlabel/kanidm-data
+      format: xfs
+      label: data
+      with_mount_unit: true
+      wipe_filesystem: true
+  files:
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: kanidm.hklbgd.org
+    - path: /etc/kanidm/server.toml
+      contents:
+        local: server.toml
+      mode: 0400
+    - path: /etc/kanidm/certs/cert1.pem
+      contents:
+        local: certs/cert1.pem
+      mode: 0400
+    - path: /etc/kanidm/certs/chain1.pem
+      contents:
+        local: certs/chain1.pem
+      mode: 0400
+    - path: /etc/kanidm/certs/fullchain1.pem
+      contents:
+        local: certs/fullchain1.pem
+      mode: 0400
+    - path: /etc/kanidm/certs/privkey1.pem
+      contents:
+        local: certs/privkey1.pem
+      mode: 0400
+    - path: /etc/containers/systemd/kanidm.container
+      contents:
+        inline: |
+          [Unit]
+          Description=Kanidm - a modern and simple identity management platform written in rust.
+          After=network-online.target
+          Wants=network-online.target
+
+          [Service]
+          TimeoutStartSec=60
+
+          [Container]
+          ContainerName=kanidm
+          Image=docker.io/kanidm/server:latest
+          Volume=/var/lib/kanidm:/data:z
+          Volume=/etc/kanidm/server.toml:/data/server.toml:z
+          Volume=/etc/kanidm/certs:/data/certs:z
+          PublishPort=8443:8443
+          PublishPort=3636:3636
+
+          [Install]
+          # Start by default on boot
+          WantedBy=multi-user.target default.target