modularize tf infrastructure

ignition/kanidm/server.toml

@@ -0,0 +1,18 @@
+bindaddress = "[::]:8443"
+ldapbindaddress = "[::]:3636"
+trust_x_forward_for = false
+db_path = "/data/kanidm.db"
+db_arc_size = 1024
+
+tls_chain = "/data/certs/fullchain1.pem"
+tls_key = "/data/certs/privkey1.pem"
+
+log_level = "debug"
+
+domain = "kanidm.hklbgd.org"  # !!! don't modify !!!
+origin = "https://kanidm.hklbgd.org"  # webauthn origin
+#
+[online_backup]
+path = "/data/kanidm/backups/"
+schedule = "00 04 * * *"
+versions = 3  # number of backups to keep

ignition/kanidm/service.bu

@@ -0,0 +1,75 @@
+variant: fcos
+version: 1.5.0
+passwd:
+  users:
+    - name: vladan
+      ssh_authorized_keys:
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga
+      password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
+      groups:
+        - wheel
+      shell: /bin/bash
+storage:
+  disks:
+    - device: /dev/vdb
+      wipe_table: true
+      partitions:
+        - number: 1
+          label: kanidm-data
+          start_mib: 0
+          size_mib: 10000
+  filesystems:
+    - path: /var/lib/kanidm
+      device: /dev/disk/by-partlabel/kanidm-data
+      format: xfs
+      label: data
+      with_mount_unit: true
+      wipe_filesystem: true
+  files:
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: kanidm.hklbgd.org
+    - path: /etc/kanidm/server.toml
+      contents:
+        local: server.toml
+      mode: 0400
+    - path: /etc/kanidm/certs/cert1.pem
+      contents:
+        local: certs/cert1.pem
+      mode: 0400
+    - path: /etc/kanidm/certs/chain1.pem
+      contents:
+        local: certs/chain1.pem
+      mode: 0400
+    - path: /etc/kanidm/certs/fullchain1.pem
+      contents:
+        local: certs/fullchain1.pem
+      mode: 0400
+    - path: /etc/kanidm/certs/privkey1.pem
+      contents:
+        local: certs/privkey1.pem
+      mode: 0400
+    - path: /etc/containers/systemd/kanidm.container
+      contents:
+        inline: |
+          [Unit]
+          Description=Kanidm - a modern and simple identity management platform written in rust.
+          After=network-online.target
+          Wants=network-online.target
+
+          [Service]
+          TimeoutStartSec=60
+
+          [Container]
+          ContainerName=kanidm
+          Image=docker.io/kanidm/server:latest
+          Volume=/var/lib/kanidm:/data:z
+          Volume=/etc/kanidm/server.toml:/data/server.toml:z
+          Volume=/etc/kanidm/certs:/data/certs:z
+          PublishPort=8443:8443
+          PublishPort=3636:3636
+
+          [Install]
+          # Start by default on boot
+          WantedBy=multi-user.target default.target