commit 1192b43eac2a176dea8edf10a761687db076f33c · krasovs.ky/homelab

+8 -6

butane/fcos.yml.tftpl

···

       14
       14
        
               name: core

     

       15
       15
        
             group:

     

       16
       16
        
               name: core

     

       17
       17
       -
       

     

       18
       18
       -
           # Quadlets dir

     

       19
       17
        
           - path: /var/home/core/.config/containers

     

       20
       18
        
             user:

     

       21
       19
        
               name: core

     

       22
       20
        
             group:

     

       23
       21
        
               name: core

     

       24
       24
       -
           - path: /var/home/core/.config/containers/systemd

     

       22
       22
       +
       

     

       23
       23
       +
           # Config dirs

     

       24
       24
       +
       %{ for _, path in directories ~}

     

       25
       25
       +
           - path: /var/home/core/.config/${path}

     

       25
       26
        
             user:

     

       26
       27
        
               name: core

     

       27
       28
        
             group:

     

       28
       29
        
               name: core

     

       30
       30
       +
       %{ endfor ~}

     

       29
       31
        
       

     

       30
       32
        
           # Systemd user dir

     

       31
       33
        
           - path: /var/home/core/.config/systemd

     
···

       108
       110
        
                 driver = "overlay"

     

       109
       111
        
                 rootless_storage_path = "/var/mnt/docker/$USER"

     

       110
       112
        
       

     

       111
       111
       -
           # Quadlets block

     

       112
       112
       -
       %{ for name, content in quadlet_files ~}

     

       113
       113
       -
           - path: /var/home/core/.config/containers/systemd/${name}

     

       113
       113
       +
           # Configs block

     

       114
       114
       +
       %{ for name, content in config_files ~}

     

       115
       115
       +
           - path: /var/home/core/.config/${name}

     

       114
       116
        
             contents:

     

       115
       117
        
               inline: |

     

       116
       118
        
                 ${indent(10, content)}

+9

configs/traefik/file/oauth2-proxy.yml

···

       1
       1
       +
       http:

     

       2
       2
       +
         middlewares:

     

       3
       3
       +
           oauth2-proxy:

     

       4
       4
       +
             forwardAuth:

     

       5
       5
       +
               address: http://oauth2-proxy:4180/

     

       6
       6
       +
               trustForwardHeader: true

     

       7
       7
       +
               authResponseHeaders:

     

       8
       8
       +
                 - X-Auth-Request-Access-Token

     

       9
       9
       +
                 - Authorization

+8

configs/traefik/file/security-headers.yml

···

       1
       1
       +
       http:

     

       2
       2
       +
         middlewares:

     

       3
       3
       +
           security-headers:

     

       4
       4
       +
             headers:

     

       5
       5
       +
               stsSeconds: 31536000

     

       6
       6
       +
               stsIncludeSubdomains: true

     

       7
       7
       +
               forceSTSHeader: true

     

       8
       8
       +
               contentTypeNosniff: true

+16

configs/traefik/file/tcp.yml.tftpl

···

       1
       1
       +
       {{ $baseDomain := ".${base_domain}" }}

     

       2
       2
       +
       {{ $rules := dict "pve.${base_domain}" "${proxmox_ip}:8006" "truenas.${base_domain}" "${truenas_ip}:443" }}

     

       3
       3
       +
       tcp:

     

       4
       4
       +
         routers:

     

       5
       5
       +
           {{ range $key, $value := $rules }}{{ $name := trimSuffix $baseDomain $key }}{{ $name }}:

     

       6
       6
       +
             rule: HostSNI(`{{ $key }}`)

     

       7
       7
       +
             service: {{ $name }}

     

       8
       8
       +
             tls:

     

       9
       9
       +
               passthrough: true

     

       10
       10
       +
           {{ end }}

     

       11
       11
       +
         services:

     

       12
       12
       +
           {{ range $key, $value := $rules }}{{ trimSuffix $baseDomain $key }}:

     

       13
       13
       +
             loadBalancer:

     

       14
       14
       +
               servers:

     

       15
       15
       +
                 - address: {{ $value }}

     

       16
       16
       +
           {{ end }}

+45

configs/traefik/traefik.yml

···

       1
       1
       +
       entryPoints:

     

       2
       2
       +
         web:

     

       3
       3
       +
           address: ":80"

     

       4
       4
       +
           http:

     

       5
       5
       +
             redirections:

     

       6
       6
       +
               entryPoint:

     

       7
       7
       +
                 to: websecure

     

       8
       8
       +
         websecure:

     

       9
       9
       +
           address: ":443"

     

       10
       10
       +
           http:

     

       11
       11
       +
             middlewares:

     

       12
       12
       +
               - security-headers@file

     

       13
       13
       +
             tls:

     

       14
       14
       +
               certResolver: leresolver

     

       15
       15
       +
         metrics:

     

       16
       16
       +
           address: ":8082"

     

       17
       17
       +
       

     

       18
       18
       +
       providers:

     

       19
       19
       +
         docker:

     

       20
       20
       +
           exposedByDefault: false

     

       21
       21
       +
         file:

     

       22
       22
       +
           directory: /etc/traefik/file

     

       23
       23
       +
           watch: true

     

       24
       24
       +
       

     

       25
       25
       +
       certificatesResolvers:

     

       26
       26
       +
         leresolver:

     

       27
       27
       +
           acme:

     

       28
       28
       +
             email: ${email}

     

       29
       29
       +
             storage: /etc/traefik/acme/acme.json

     

       30
       30
       +
             dnsChallenge:

     

       31
       31
       +
               provider: cloudflare

     

       32
       32
       +
             keyType: EC256

     

       33
       33
       +
       

     

       34
       34
       +
       api:

     

       35
       35
       +
         dashboard: true

     

       36
       36
       +
       

     

       37
       37
       +
       metrics:

     

       38
       38
       +
         prometheus:

     

       39
       39
       +
           entryPoint: metrics

     

       40
       40
       +
       

     

       41
       41
       +
       log:

     

       42
       42
       +
         format: json

     

       43
       43
       +
       

     

       44
       44
       +
       accessLog:

     

       45
       45
       +
         format: json

+37 -20

fcos.tf

···

       1
       1
        
       data "bitwarden_secret" "victoria_bearer_token" {

     

       2
       2
       -
         id = var.quadlets_secret_config.victoria_bearer_token

     

       2
       2
       +
         id = var.containers_secret_config.victoria_bearer_token

     

       3
       3
        
       }

     

       4
       4
        
       

     

       5
       5
        
       data "bitwarden_secret" "immich_map_key" {

     

       6
       6
       -
         id = var.quadlets_secret_config.immich_map_key

     

       6
       6
       +
         id = var.containers_secret_config.immich_map_key

     

       7
       7
        
       }

     

       8
       8
        
       

     

       9
       9
        
       locals {

     

       10
       10
        
         // Add secrets into quadlets config

     

       11
       11
       -
         quadlets_config = merge(var.quadlets_config, {

     

       12
       12
       -
           secrets: {

     

       13
       13
       -
             victoria_bearer_token: data.bitwarden_secret.victoria_bearer_token.value

     

       11
       11
       +
         containers_config = merge(var.containers_config, {

     

       12
       12
       +
           email : var.containers_config.email,

     

       13
       13
       +
           proxmox_ip : var.proxmox_config.host,

     

       14
       14
       +
           truenas_ip : var.fcos_config.truenas_ip,

     

       15
       15
       +
           secrets : {

     

       16
       16
       +
             victoria_bearer_token : data.bitwarden_secret.victoria_bearer_token.value

     

       14
       17
        
             immich_map_key = data.bitwarden_secret.immich_map_key.value

     

       15
       18
        
           }

     

       16
       19
        
         })

     

       17
       20
        
       

     

       18
       21
        
         # Get a list of all files in the specified directory

     

       19
       19
       -
         quadlet_paths = fileset(path.module, "quadlets/**")

     

       20
       20
       -
         quadlet_files = {

     

       21
       21
       -
           for path in local.quadlet_paths :

     

       22
       22
       -
           replace(basename(path), ".tftpl", "") => templatefile(path, local.quadlets_config)

     

       22
       22
       +
         config_paths = fileset(path.module, "configs/**")

     

       23
       23
       +
         config_files = {

     

       24
       24
       +
           for path in local.config_paths :

     

       25
       25
       +
           replace(trimprefix(path, "configs/"), ".tftpl", "") => templatefile(path, local.containers_config)

     

       23
       26
        
         }

     

       24
       27
        
       

     

       28
       28
       +
         // I use trimsuffix+basename instead of dirname because on Windows dirname replaces slashes with backslashes.

     

       29
       29
       +
         possible_paths = [

     

       30
       30
       +
           for path in fileset(path.module, "configs/**") :trimsuffix(trimprefix(path, "configs/"), "/${basename(path)}")

     

       31
       31
       +
         ]

     

       32
       32
       +
         // Because Terraform/Tofu doesn't interacting with real filesystem, I cannot check if directory is actually directory.

     

       33
       33
       +
         directories = distinct([

     

       34
       34
       +
           for path in local.possible_paths : path if !strcontains(basename(path), ".")

     

       35
       35
       +
         ])

     

       36
       36
       +
       

     

       25
       37
        
         butane_config = merge(var.fcos_config, {

     

       26
       26
       -
           quadlet_files = local.quadlet_files

     

       38
       38
       +
           config_files  = local.config_files

     

       39
       39
       +
           directories   = local.directories,

     

       27
       40
        
         })

     

       28
       41
        
       

     

       29
       42
        
         init_script_path = "${path.module}/scripts/init_fcos.sh.tftpl"

     

       30
       43
        
       }

     

       31
       44
        
       

     

       45
       45
       +
       output "test" {

     

       46
       46
       +
         value = local.directories

     

       47
       47
       +
       }

     

       48
       48
       +
       

     

       32
       49
        
       data "ct_config" "fcos_ignition" {

     

       33
       50
        
         content = templatefile("${path.module}/butane/fcos.yml.tftpl", local.butane_config)

     

       34
       51
        
         strict = true

     
···

       49
       66
        
       

     

       50
       67
        
         cpu {

     

       51
       68
        
           cores = 8

     

       52
       52
       -
           type = "host"

     

       69
       69
       +
           type  = "host"

     

       53
       70
        
         }

     

       54
       71
        
       

     

       55
       72
        
         memory {

     
···

       74
       91
        
         }

     

       75
       92
        
       

     

       76
       93
        
         network_device {

     

       77
       77
       -
           bridge = "vmbr0"

     

       78
       78
       -
           vlan_id = 100

     

       94
       94
       +
           bridge      = "vmbr0"

     

       95
       95
       +
           vlan_id     = 100

     

       79
       96
        
           mac_address = var.fcos_config.mac_address

     

       80
       97
        
         }

     

       81
       98
        
       

     
···

       115
       132
        
         }

     

       116
       133
        
       

     

       117
       134
        
         connection {

     

       118
       118
       -
           type = "ssh"

     

       119
       119
       -
           user = "core"

     

       135
       135
       +
           type  = "ssh"

     

       136
       136
       +
           user  = "core"

     

       120
       137
        
           agent = true

     

       121
       121
       -
           host = var.fcos_config.ip

     

       138
       138
       +
           host  = var.fcos_config.ip

     

       122
       139
        
         }

     

       123
       140
        
       

     

       124
       141
        
         provisioner "file" {

     

       125
       142
        
           destination = "/tmp/init.sh"

     

       126
       143
        
           content = templatefile(local.init_script_path, {

     

       127
       127
       -
             bws_access_token: var.bws_access_token

     

       128
       128
       -
             quadlet_files: local.quadlet_files

     

       129
       129
       -
             secrets: var.quadlets_secret_config

     

       144
       144
       +
             bws_access_token : var.bws_access_token

     

       145
       145
       +
             config_files : local.config_files

     

       146
       146
       +
             secrets : var.containers_secret_config

     

       130
       147
        
           })

     

       131
       148
        
         }

     

       132
       149
        
       

     
···

       134
       151
        
           inline = ["sh /tmp/init.sh"]

     

       135
       152
        
           on_failure = fail

     

       136
       153
        
         }

     

       137
       137
       -
       }
     

       154
       154
       +
       }

+1 -1

main.tf

···

       35
       35
        
       }

     

       36
       36
        
       

     

       37
       37
        
       provider "proxmox" {

     

       38
       38
       -
         endpoint = var.proxmox_config.endpoint

     

       38
       38
       +
         endpoint = "https://${var.proxmox_config.host}:8006"

     

       39
       39
        
         insecure = true

     

       40
       40
        
       

     

       41
       41
        
         // Unfortunately Proxmox can execute a lot of actions only under root user...

quadlets/actual-budget.container.tftpl configs/containers/systemd/actual-budget.container.tftpl

-1

quadlets/bluesky-pds.container.tftpl configs/containers/systemd/bluesky-pds.container.tftpl

···

       37
       37
        
       Label="traefik.http.routers.pds.entrypoints=websecure"

     

       38
       38
        
       Label="traefik.http.routers.pds.tls.domains[0].main=pds.${base_domain}"

     

       39
       39
        
       Label="traefik.http.routers.pds.tls.domains[0].sans=*.pds.${base_domain}"

     

       40
       40
       -
       Label="traefik.http.routers.pds.tls.options=http3@file"

     

       41
       40
        
       Label="traefik.http.routers.pds.tls.certresolver=leresolver"

     

       42
       41
        
       

     

       43
       42
        
       Volume=/var/mnt/docker/app_data/bluesky/pds:/pds:Z

quadlets/glance.container.tftpl configs/containers/systemd/glance.container.tftpl

quadlets/grafana-alloy.container.tftpl configs/containers/systemd/grafana-alloy.container.tftpl

quadlets/grafana.container.tftpl configs/containers/systemd/grafana.container.tftpl

quadlets/hoarder/hoarder-chrome.container.tftpl configs/containers/systemd/hoarder/hoarder-chrome.container.tftpl

quadlets/hoarder/hoarder-meilisearch.container.tftpl configs/containers/systemd/hoarder/hoarder-meilisearch.container.tftpl

quadlets/hoarder/hoarder-server.container.tftpl configs/containers/systemd/hoarder/hoarder-server.container.tftpl

quadlets/immich/immich-machine-learning.container.tftpl configs/containers/systemd/immich/immich-machine-learning.container.tftpl

quadlets/immich/immich-postgres.container.tftpl configs/containers/systemd/immich/immich-postgres.container.tftpl

quadlets/immich/immich-redis.container.tftpl configs/containers/systemd/immich/immich-redis.container.tftpl

quadlets/immich/immich-server.container.tftpl configs/containers/systemd/immich/immich-server.container.tftpl

quadlets/immich/immich-static-web-server.container.tftpl configs/containers/systemd/immich/immich-static-web-server.container.tftpl

quadlets/miniflux/miniflux-postgres.container.tftpl configs/containers/systemd/miniflux/miniflux-postgres.container.tftpl

quadlets/miniflux/miniflux-server.container.tftpl configs/containers/systemd/miniflux/miniflux-server.container.tftpl

quadlets/networks/hoarder.network configs/containers/systemd/networks/hoarder.network

quadlets/networks/immich.network configs/containers/systemd/networks/immich.network

quadlets/networks/miniflux.network configs/containers/systemd/networks/miniflux.network

quadlets/networks/outline.network configs/containers/systemd/networks/outline.network

quadlets/networks/reverse-proxy.network configs/containers/systemd/networks/reverse-proxy.network

quadlets/networks/victoria.network configs/containers/systemd/networks/victoria.network

quadlets/oauth2-proxy.container.tftpl configs/containers/systemd/oauth2-proxy.container.tftpl

quadlets/open-webui.container.tftpl configs/containers/systemd/open-webui.container.tftpl

quadlets/outline/outline-postgres.container.tftpl configs/containers/systemd/outline/outline-postgres.container.tftpl

quadlets/outline/outline-redis.container.tftpl configs/containers/systemd/outline/outline-redis.container.tftpl

quadlets/outline/outline-server.container.tftpl configs/containers/systemd/outline/outline-server.container.tftpl

quadlets/plex.container.tftpl configs/containers/systemd/plex.container.tftpl

quadlets/pocket-id.container.tftpl configs/containers/systemd/pocket-id.container.tftpl

quadlets/pods/hoarder.pod configs/containers/systemd/pods/hoarder.pod

quadlets/pods/immich.pod configs/containers/systemd/pods/immich.pod

quadlets/pods/miniflux.pod configs/containers/systemd/pods/miniflux.pod

quadlets/pods/outline.pod configs/containers/systemd/pods/outline.pod

quadlets/pods/victoria.pod configs/containers/systemd/pods/victoria.pod

quadlets/qbittorrent.container.tftpl configs/containers/systemd/qbittorrent.container.tftpl

quadlets/step-ca.container.tftpl configs/containers/systemd/step-ca.container.tftpl

+7 -3

quadlets/traefik.container.tftpl configs/containers/systemd/traefik.container.tftpl

···

       11
       11
        
       User=1000:1000

     

       12
       12
        
       UserNS=keep-id:uid=1000,gid=1000

     

       13
       13
        
       

     

       14
       14
       +
       # I use CNAMEs to point to my homelab;

     

       15
       15
       +
       # Variable name could be misleading, since overwise

     

       16
       16
       +
       # Lego tries to issue cert for you CNAME host.

     

       14
       17
        
       Environment=LEGO_DISABLE_CNAME_SUPPORT=true

     

       18
       18
       +
       Secret=traefik-cf-dns-api-token,type=env,target=CF_DNS_API_TOKEN

     

       15
       19
        
       

     

       16
       20
        
       Label="glance.name=Traefik"

     

       17
       21
        
       Label="glance.icon=di:traefik"

     
···

       26
       30
        
       Label="traefik.http.routers.dashboard-auth.rule=Host(`traefik.${base_domain}`) && PathPrefix(`/oauth2/`)"

     

       27
       31
        
       Label="traefik.http.routers.dashboard-auth.service=oauth2-proxy"

     

       28
       32
        
       

     

       29
       29
       -
       Secret=traefik-cf-dns-api-token,type=env,target=CF_DNS_API_TOKEN

     

       33
       33
       +
       Volume=%E/traefik/traefik.yml:/etc/traefik/traefik.yml:Z

     

       34
       34
       +
       Volume=%E/traefik/file:/etc/traefik/file:Z

     

       35
       35
       +
       Volume=/var/mnt/docker/app_data/traefik/acme:/etc/traefik/acme:Z

     

       30
       36
        
       

     

       31
       31
       -
       Volume=/var/mnt/docker/app_data/traefik/traefik.yml:/etc/traefik/traefik.yml:Z

     

       32
       32
       -
       Volume=/var/mnt/docker/app_data/traefik/data:/data:Z

     

       33
       37
        
       Volume=%t/podman/podman.sock:/var/run/docker.sock

     

       34
       38
        
       

     

       35
       39
        
       Network=reverse-proxy.network

quadlets/victoria/victoria-logs.container.tftpl configs/containers/systemd/victoria/victoria-logs.container.tftpl

quadlets/victoria/victoria-metrics.container.tftpl configs/containers/systemd/victoria/victoria-metrics.container.tftpl

quadlets/victoria/victoria-vmauth.container.tftpl configs/containers/systemd/victoria/victoria-vmauth.container.tftpl

quadlets/volumes/immich-machine-learning.volume configs/containers/systemd/volumes/immich-machine-learning.volume

+5 -5

scripts/init_fcos.sh.tftpl

···

       12
       12
        
       

     

       13
       13
        
       echo "Starting Quadlets..."

     

       14
       14
        
       # Quadlets are "enabled" using their configurations, it's enough to just start them.

     

       15
       15
       -
       %{ for name, content in quadlet_files ~}

     

       16
       16
       -
       %{ if strcontains(name, ".container") && !strcontains(content, "\nPod=") ~}

     

       17
       17
       -
       systemctl --user start ${replace(name, ".container", "")}

     

       15
       15
       +
       %{ for path, content in config_files ~}

     

       16
       16
       +
       %{ if strcontains(basename(path), ".container") && !strcontains(content, "\nPod=") ~}

     

       17
       17
       +
       systemctl --user start ${replace(basename(path), ".container", "")}

     

       18
       18
        
       %{ endif ~}

     

       19
       19
       -
       %{ if strcontains(name, ".pod") ~}

     

       20
       20
       -
       systemctl --user start ${replace(name, ".pod", "")}-pod

     

       19
       19
       +
       %{ if strcontains(basename(path), ".pod") ~}

     

       20
       20
       +
       systemctl --user start ${replace(basename(path), ".pod", "")}-pod

     

       21
       21
        
       %{ endif ~}

     

       22
       22
        
       %{ endfor ~}

+5 -5

variables.tf

···

       7
       7
        
       variable "proxmox_config" {

     

       8
       8
        
         description = "Proxmox credentials"

     

       9
       9
        
         type = object({

     

       10
       10
       -
           endpoint = string

     

       10
       10
       +
           host = string

     

       11
       11
        
           password_secret_id = string

     

       12
       12
        
         })

     

       13
       13
        
       }

     

       14
       14
        
       

     

       15
       15
       -
       # Just base domain for now

     

       16
       16
       -
       variable "quadlets_config" {

     

       17
       17
       -
         description = "Shared Quadlets configuration"

     

       15
       15
       +
       variable "containers_config" {

     

       16
       16
       +
         description = "Shared configuration"

     

       18
       17
        
         type = object({

     

       18
       18
       +
           email = string

     

       19
       19
        
           base_domain = string

     

       20
       20
        
         })

     

       21
       21
        
       }

     

       22
       22
        
       

     

       23
       23
       -
       variable "quadlets_secret_config" {

     

       23
       23
       +
       variable "containers_secret_config" {

     

       24
       24
        
         description = "Quadlet Ssecret"

     

       25
       25
        
         type = map(string)

     

       26
       26
        
         default = {