From 331af88869e0d6c349954234a0222bfc87188442 Mon Sep 17 00:00:00 2001
From: Tine
Date: Fri, 20 Sep 2024 20:50:34 +0200
Subject: [PATCH] feat: service account
---
Dockerfile | 36 ------------------------------------
terraform/node.tf | 4 ++--
terraform/serviceaccount.tf | 29 +++++++++++++++++++++++++++++
terraform/terraform.tf | 9 +++++++++
4 files changed, 40 insertions(+), 38 deletions(-)
delete mode 100644 Dockerfile
create mode 100644 terraform/serviceaccount.tf
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index c8cac82..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,36 +0,0 @@
-ARG NGINX_VERSION=1.27.1
-FROM nginx:$NGINX_VERSION AS build
-
-RUN mkdir -p /var/lib/GeoIP/
-
-RUN apt-get update \
- && apt-get install -y \
- build-essential \
- libpcre2-dev \
- zlib1g-dev \
- libgeoip-dev \
- libmaxminddb-dev \
- wget \
- git
-
-ARG GEOIP2_VERSION=3.4
-RUN cd /opt \
- && git clone --depth 1 -b $GEOIP2_VERSION --single-branch https://github.com/leev/ngx_http_geoip2_module.git \
- && wget -O - http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz | tar zxfv - \
- && mv /opt/nginx-$NGINX_VERSION /opt/nginx \
- && cd /opt/nginx \
- && ./configure --with-compat --add-dynamic-module=/opt/ngx_http_geoip2_module --with-stream \
- && make modules
-
-# Production
-FROM nginx:$NGINX_VERSION AS production
-
-COPY --from=build /opt/nginx/objs/ngx_http_geoip2_module.so /usr/lib/nginx/modules
-COPY --from=build /opt/nginx/objs/ngx_stream_geoip2_module.so /usr/lib/nginx/modules
-
-RUN apt-get update \
- && apt-get install -y --no-install-recommends --no-install-suggests libmaxminddb0 \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* \
- && chmod -R 644 /usr/lib/nginx/modules/ngx_http_geoip2_module.so \
- && chmod -R 644 /usr/lib/nginx/modules/ngx_stream_geoip2_module.so
diff --git a/terraform/node.tf b/terraform/node.tf
index 8922752..0a8ff43 100644
--- a/terraform/node.tf
+++ b/terraform/node.tf
@@ -11,8 +11,8 @@ locals {
 name = each.value.name
 domain = each.value.domain
 service_account = {
- username = "foo"
- password = "bar"
+ username = authentik_user.service_account[each.value.name].username
+ password = authentik_token.service_account[each.value.name].token
 }
 }
 })
diff --git a/terraform/serviceaccount.tf b/terraform/serviceaccount.tf
new file mode 100644
index 0000000..80b48f1
--- /dev/null
+++ b/terraform/serviceaccount.tf
@@ -0,0 +1,29 @@
+data "authentik_group" "monitoring_publisher" {
+ name = "monitor.tjo.cloud publisher"
+ include_users = false
+}
+
+resource "authentik_user" "service_account" {
+ for_each = var.nodes
+
+ username = "${each.value.name}.ingress@svc.tjo.cloud"
+ name = "${each.value.name}.ingress@svc.tjo.cloud"
+ email = "${each.value.name}.ingress@svc.tjo.cloud"
+
+ type = "service_account"
+ path = "svc.tjo.cloud"
+
+ groups = [
+ data.authentik_group.monitoring_publisher.id,
+ ]
+}
+
+resource "authentik_token" "service_account" {
+ for_each = var.nodes
+
+ identifier = "svc.tjo.cloud-service-account-${each.value.name}"
+ user = authentik_user.service_account[each.value.name].id
+ description = "Service account for ${each.value.name} node"
+ expiring = false
+ intent = "app_password"
+}
diff --git a/terraform/terraform.tf b/terraform/terraform.tf
index 1295d39..74df69b 100644
--- a/terraform/terraform.tf
+++ b/terraform/terraform.tf
@@ -16,11 +16,20 @@ terraform {
 source = "tailscale/tailscale"
 version = "0.16.1"
 }
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2024.8.3"
+ }
 }
 required_version = "~> 1.7.3"
}
+
+provider "authentik" {
+ url = "https://id.tjo.space"
+ token = var.authentik_token
+}
+
provider "digitalocean" {
 token = var.digitalocean_token
}
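Review bot: The app password read from `authentik_token.service_account[each.value.name].token` is placed into the `service_account` map inside `locals`, which the trailing `})` suggests is serialized by an enclosing function call, so the secret will appear in plaintext wherever that serialized value is used (plan output, state, and any node configuration it feeds). Unless the enclosing expression is already wrapped, consider marking the map sensitive so Terraform redacts it from plan and apply output, e.g. `service_account = sensitive({ username = ..., password = ... })`. The `locals` block starts before this hunk, so what consumes the value is not visible here; verify that the consumer does not write it to an unprotected location such as instance metadata.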
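Review bot: `expiring = false` in the `authentik_token` resource creates a per-node app password with no expiry and, as written, no rotation path. If that is intentional, document it at that line, e.g. `# Non-expiring: value is consumed at node provisioning; rotate by replacing this resource (-replace)`; otherwise keep the provider's expiry and re-provision nodes before the token lapses. The token value will also be stored in Terraform state, so the state backend must be protected to the same standard as the credential itself. As a style point, `username`, `name` and `email` repeat the same interpolation three times; a single local such as `svc_login = "${each.value.name}.ingress@svc.tjo.cloud"` would keep them from drifting apart.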
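Review bot: The new `provider "authentik"` block references `var.authentik_token`, but the commit's four changed files include no variable declaration for it, so unless it already exists elsewhere `terraform validate` will fail with an undeclared variable. Wherever it is declared, it should carry `sensitive = true` so the provider credential is redacted from plan and apply output, e.g. `variable "authentik_token" { type = string sensitive = true }`. Pinning the provider to `2024.8.3` is fine; nothing else to raise in this hunk.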