feat: service account

2024-09-20 20:50:34 +02:00 · 2024-09-20 20:50:34 +02:00 · 331af88869
commit 331af88869
parent 64036546ea
4 changed files with 40 additions and 38 deletions
--- a/36
+++ b/36
@ -1,36 +0,0 @@
-ARG NGINX_VERSION=1.27.1
-FROM nginx:$NGINX_VERSION AS build
-
-RUN mkdir -p /var/lib/GeoIP/
-
-RUN apt-get update \
-    && apt-get install -y \
-        build-essential \
-        libpcre2-dev \
-        zlib1g-dev \
-        libgeoip-dev \
-        libmaxminddb-dev \
-        wget \
-        git
-
-ARG GEOIP2_VERSION=3.4
-RUN cd /opt \
-    && git clone --depth 1 -b $GEOIP2_VERSION --single-branch https://github.com/leev/ngx_http_geoip2_module.git \
-    && wget -O - http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz | tar zxfv - \
-    && mv /opt/nginx-$NGINX_VERSION /opt/nginx \
-    && cd /opt/nginx \
-    && ./configure --with-compat --add-dynamic-module=/opt/ngx_http_geoip2_module --with-stream \
-    && make modules
-
-# Production
-FROM nginx:$NGINX_VERSION AS production
-
-COPY --from=build /opt/nginx/objs/ngx_http_geoip2_module.so /usr/lib/nginx/modules
-COPY --from=build /opt/nginx/objs/ngx_stream_geoip2_module.so /usr/lib/nginx/modules
-
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends --no-install-suggests libmaxminddb0 \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
-    && chmod -R 644 /usr/lib/nginx/modules/ngx_http_geoip2_module.so \
-    && chmod -R 644 /usr/lib/nginx/modules/ngx_stream_geoip2_module.so
--- a/terraform/node.tf
+++ b/terraform/node.tf
@ -11,8 +11,8 @@ locals {
        name   = each.value.name
        domain = each.value.domain
        service_account = {
-          username = "foo"
-          password = "bar"
+          username = authentik_user.service_account[each.value.name].username
+          password = authentik_token.service_account[each.value.name].token
        }
      }
    })
--- a/terraform/serviceaccount.tf
+++ b/terraform/serviceaccount.tf
@ -0,0 +1,29 @@
+data "authentik_group" "monitoring_publisher" {
+  name          = "monitor.tjo.cloud publisher"
+  include_users = false
+}
+
+resource "authentik_user" "service_account" {
+  for_each = var.nodes
+
+  username = "${each.value.name}.ingress@svc.tjo.cloud"
+  name     = "${each.value.name}.ingress@svc.tjo.cloud"
+  email    = "${each.value.name}.ingress@svc.tjo.cloud"
+
+  type = "service_account"
+  path = "svc.tjo.cloud"
+
+  groups = [
+    data.authentik_group.monitoring_publisher.id,
+  ]
+}
+
+resource "authentik_token" "service_account" {
+  for_each = var.nodes
+
+  identifier  = "svc.tjo.cloud-service-account-${each.value.name}"
+  user        = authentik_user.service_account[each.value.name].id
+  description = "Service account for ${each.value.name} node"
+  expiring    = false
+  intent      = "app_password"
+}
--- a/terraform/terraform.tf
+++ b/terraform/terraform.tf
@ -16,11 +16,20 @@ terraform {
      source  = "tailscale/tailscale"
      version = "0.16.1"
    }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.8.3"
+    }
  }

  required_version = "~> 1.7.3"
 }

+provider "authentik" {
+  url   = "https://id.tjo.space"
+  token = var.authentik_token
+}
+
 provider "digitalocean" {
  token = var.digitalocean_token
 }