Merge branch 'main' of github.com:matthewbaggett/terraform_modules

Greyscale 2025-01-29 19:20:57 +01:00
commit 4ff88bb5c9
Signed by: grey
GPG key ID: DDB392AE64B32D89
32 changed files with 308 additions and 197 deletions


@ -2,17 +2,18 @@
# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
version: 0.1
cli:
version: 1.22.2
version: 1.22.9
# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
plugins:
sources:
- id: trunk
ref: v1.6.1
ref: v1.6.6
uri: https://github.com/trunk-io/plugins
# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
runtimes:
enabled:
- node@18.12.1
- go@1.21.0
- node@18.20.5
- python@3.10.8
# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
lint:
@ -21,14 +22,17 @@ lint:
paths:
- LICENCE.md
enabled:
- actionlint@1.7.1
- checkov@3.2.216
- hadolint@2.12.1-beta
- shellcheck@0.10.0
- shfmt@3.6.0
- actionlint@1.7.7
- checkov@3.2.357
- git-diff-check
- markdownlint@0.41.0
- prettier@3.3.3
- tflint@0.52.0
- trivy@0.54.0
- trufflehog@3.80.3
- markdownlint@0.43.0
- prettier@3.4.2
- tflint@0.55.0
- trivy@0.58.2
- trufflehog@3.88.2
- yamllint@1.35.1
actions:
enabled:

BIN
bin/expose Executable file

Binary file not shown.
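Review bot: `bin/expose` is committed as an opaque executable, so nothing on this page lets a reviewer confirm what it contains or how it was built. Record its upstream source, version and a SHA-256 digest next to it, or drop the blob and fetch a pinned release during provisioning with checksum verification. A binary in the tree also bypasses the `trivy` and `trufflehog` checks in the trunk configuration only partially at best, so it deserves an explicit provenance note.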


@ -13,6 +13,7 @@ resource "aws_security_group" "efs" {
})
}
resource "aws_vpc_security_group_ingress_rule" "nfs" {
description = "Allow NFS traffic from EFS"
ip_protocol = "tcp"
from_port = 2049
to_port = 2049
@ -23,6 +24,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs" {
})
}
resource "aws_vpc_security_group_egress_rule" "nfs" {
description = "Allow NFS traffic to EFS"
ip_protocol = "tcp"
from_port = 2049
to_port = 2049
@ -32,7 +34,11 @@ resource "aws_vpc_security_group_egress_rule" "nfs" {
Name = "NFS/EFS Egress"
})
}
# checkov:skip=CKV_AWS_24: checkov is mis-detecting this as exposing port 22 to 0.0.0.0
# checkov:skip=CKV_AWS_25: checkov is mis-detecting this as exposing port 3389 to 0.0.0.0
# checkov:skip=CKV_AWS_260: checkov is mis-detecting this as exposing port 80 to 0.0.0.0
resource "aws_vpc_security_group_ingress_rule" "ping" {
description = "Allow ping"
ip_protocol = "icmp"
from_port = 0
to_port = 0
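Review bot: The three `# checkov:skip=` comments sit above `resource "aws_vpc_security_group_ingress_rule" "ping"`, but Checkov honours a Terraform suppression only when it is written inside the block it applies to, so these are likely ignored and the findings will keep firing. Move them to the first lines inside the `ping` block. With `ip_protocol = "icmp"`, `from_port` and `to_port` carry the ICMP type and code, so `0`/`0` matches echo reply rather than echo request (type 8); confirm that is what "Allow ping" intends. The rule's source range lies outside this hunk, so whether the three findings are really false positives cannot be judged from here.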


@ -1 +1 @@
Heavy use of code pilfered from https://github.com/binlab/docker-bastion/blob/master/Dockerfile
Heavy use of code pilfered from https://github.com/binlab/docker-bastion/blob/master/Dockerfile


@ -1,90 +1,89 @@
#!/usr/bin/env sh
#!/usr/bin/env bash
HOST_KEYS_PATH_PREFIX="${HOST_KEYS_PATH_PREFIX:='/'}"
HOST_KEYS_PATH="${HOST_KEYS_PATH:='/etc/ssh'}"
if [ "$PUBKEY_AUTHENTICATION" == "false" ]; then
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=no"
if [[ ${PUBKEY_AUTHENTICATION} == "false" ]]; then
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=no"
else
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=yes"
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=yes"
fi
if [ -n "$AUTHORIZED_KEYS" ]; then
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=$AUTHORIZED_KEYS"
if [[ -n ${AUTHORIZED_KEYS} ]]; then
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=${AUTHORIZED_KEYS}"
else
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=authorized_keys"
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=authorized_keys"
fi
if [ -n "$TRUSTED_USER_CA_KEYS" ]; then
CONFIG_TRUSTED_USER_CA_KEYS="-o TrustedUserCAKeys=$TRUSTED_USER_CA_KEYS"
CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
if [[ -n ${TRUSTED_USER_CA_KEYS} ]]; then
CONFIG_TRUSTED_USER_CA_KEYS="-o TrustedUserCAKeys=${TRUSTED_USER_CA_KEYS}"
CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
else
CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
fi
if [ "$GATEWAY_PORTS" == "true" ]; then
CONFIG_GATEWAY_PORTS="-o GatewayPorts=yes"
if [[ ${GATEWAY_PORTS} == "true" ]]; then
CONFIG_GATEWAY_PORTS="-o GatewayPorts=yes"
else
CONFIG_GATEWAY_PORTS="-o GatewayPorts=no"
CONFIG_GATEWAY_PORTS="-o GatewayPorts=no"
fi
if [ "$PERMIT_TUNNEL" == "true" ]; then
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=yes"
if [[ ${PERMIT_TUNNEL} == "true" ]]; then
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=yes"
else
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=no"
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=no"
fi
if [ "$X11_FORWARDING" == "true" ]; then
CONFIG_X11_FORWARDING="-o X11Forwarding=yes"
if [[ ${X11_FORWARDING} == "true" ]]; then
CONFIG_X11_FORWARDING="-o X11Forwarding=yes"
else
CONFIG_X11_FORWARDING="-o X11Forwarding=no"
CONFIG_X11_FORWARDING="-o X11Forwarding=no"
fi
if [ "$TCP_FORWARDING" == "false" ]; then
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=no"
if [[ ${TCP_FORWARDING} == "false" ]]; then
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=no"
else
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=yes"
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=yes"
fi
if [ "$AGENT_FORWARDING" == "false" ]; then
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=no"
if [[ ${AGENT_FORWARDING} == "false" ]]; then
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=no"
else
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=yes"
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=yes"
fi
if [ ! -f "$HOST_KEYS_PATH/ssh_host_rsa_key" ]; then
/usr/bin/ssh-keygen -A -f "$HOST_KEYS_PATH_PREFIX"
if [[ ! -f "${HOST_KEYS_PATH}/ssh_host_rsa_key" ]]; then
/usr/bin/ssh-keygen -A -f "${HOST_KEYS_PATH_PREFIX}"
fi
if [ -n "$LISTEN_ADDRESS" ]; then
CONFIG_LISTEN_ADDRESS="-o ListenAddress=$LISTEN_ADDRESS"
if [[ -n ${LISTEN_ADDRESS} ]]; then
CONFIG_LISTEN_ADDRESS="-o ListenAddress=${LISTEN_ADDRESS}"
else
CONFIG_LISTEN_ADDRESS="-o ListenAddress=0.0.0.0"
CONFIG_LISTEN_ADDRESS="-o ListenAddress=0.0.0.0"
fi
if [ -n "$LISTEN_PORT" ]; then
CONFIG_LISTEN_PORT="-o Port=$LISTEN_PORT"
if [[ -n ${LISTEN_PORT} ]]; then
CONFIG_LISTEN_PORT="-o Port=${LISTEN_PORT}"
else
CONFIG_LISTEN_PORT="-o Port=22"
CONFIG_LISTEN_PORT="-o Port=22"
fi
/usr/sbin/sshd -D -e -4 \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_rsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_dsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_ecdsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_ed25519_key" \
-o "PasswordAuthentication=no" \
-o "PermitEmptyPasswords=no" \
-o "PermitRootLogin=no" \
$CONFIG_PUBKEY_AUTHENTICATION \
$CONFIG_AUTHORIZED_KEYS \
$CONFIG_GATEWAY_PORTS \
$CONFIG_PERMIT_TUNNEL \
$CONFIG_X11_FORWARDING \
$CONFIG_AGENT_FORWARDING \
$CONFIG_TCP_FORWARDING \
$CONFIG_TRUSTED_USER_CA_KEYS \
$CONFIG_AUTHORIZED_PRINCIPALS_FILE \
$CONFIG_LISTEN_ADDRESS \
$CONFIG_LISTEN_PORT
-o "HostKey=${HOST_KEYS_PATH}/ssh_host_rsa_key" \
-o "HostKey=${HOST_KEYS_PATH}/ssh_host_dsa_key" \
-o "HostKey=${HOST_KEYS_PATH}/ssh_host_ecdsa_key" \
-o "HostKey=${HOST_KEYS_PATH}/ssh_host_ed25519_key" \
-o "PasswordAuthentication=no" \
-o "PermitEmptyPasswords=no" \
-o "PermitRootLogin=no" \
"${CONFIG_PUBKEY_AUTHENTICATION}" \
"${CONFIG_AUTHORIZED_KEYS}" \
"${CONFIG_GATEWAY_PORTS}" \
"${CONFIG_PERMIT_TUNNEL}" \
"${CONFIG_X11_FORWARDING}" \
"${CONFIG_AGENT_FORWARDING}" \
"${CONFIG_TCP_FORWARDING}" \
"${CONFIG_TRUSTED_USER_CA_KEYS}" \
"${CONFIG_AUTHORIZED_PRINCIPALS_FILE}" \
"${CONFIG_LISTEN_ADDRESS}" \
"${CONFIG_LISTEN_PORT}"
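Review bot: Quoting `"${CONFIG_TRUSTED_USER_CA_KEYS}"` in the final `sshd` call passes an empty-string argument whenever `TRUSTED_USER_CA_KEYS` is unset, because that variable is assigned only inside the `if` branch; sshd rejects a stray non-option argument and exits, so the bastion would not start in its default configuration. Expand it conditionally instead: `${CONFIG_TRUSTED_USER_CA_KEYS:+"${CONFIG_TRUSTED_USER_CA_KEYS}"} \`. The other `CONFIG_*` values are always set, but each is now passed as one word such as `-o Port=22`, which relies on sshd trimming the leading space of the option value; a bash array holding `-o` and `Key=value` as separate elements would not depend on that. Separately, `AllowTcpForwarding` and `AllowAgentForwarding` stay enabled unless the variable is exactly `false`, which is worth a comment in a bastion entrypoint.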


@ -33,4 +33,4 @@ services:
target: /var/lib/bastion/authorized_keys
volumes:
bastion:
bastion:

24
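--- /dev/null
+++ b/products/expose/auth.tf
@@ -0,0 +1,24 @@
+variable "username" {
+type = string
+description = "The username to use for the service."
+default = null
+}
+variable "password" {
+type = string
+description = "The password to use for the service."
+default = null
+}
+resource "random_pet" "username" {
+count = var.username == null ? 1 : 0
+length = 2
+separator = ""
+}
+resource "random_string" "password" {
+count = var.username == null ? 1 : 0
+length = 32
+special = false
+}
+locals {
+username = var.username != null ? var.username : random_pet.username[0].id
+password = var.password != null ? var.password : nonsensitive(random_string.password[0].result)
+}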
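Review bot: `random_string.password` is gated on `var.username == null`, so a caller who sets `username` but leaves `password` unset makes `local.password` index `random_string.password[0]` when no instance exists; the line should read `count = var.password == null ? 1 : 0`. The generated secret also comes from `random_string` and is passed through `nonsensitive()`, and `variable "password"` has no `sensitive = true`, so the value appears in plan output and logs. Prefer `random_password` and keep the value sensitive end to end. The final `locals` block on this page unwraps `var.password` with `nonsensitive()` in the same way.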

26
products/expose/expose.tf Normal file

@ -0,0 +1,26 @@
variable "domain" {
type = string
description = "The domain to use for the service."
}
module "service" {
source = "../../docker/service"
image = "beyondcodegmbh/expose-server:latest"
service_name = "expose"
stack_name = var.stack_name
networks = concat(var.networks, [module.network.network])
traefik = var.traefik
placement_constraints = var.placement_constraints
mounts = var.mounts
ports = var.ports
converge_enable = false
environment_variables = {
port = 9090
domain = var.domain
username = local.username
password = local.password
}
volumes = {
"expose_data" = "/root/.expose"
}
}
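Review bot: `image = "beyondcodegmbh/expose-server:latest"` tracks a mutable tag, so the code that runs can change without any commit in this repository; pin a version tag or an `@sha256:` digest. `username` and `password` are handed to the container through `environment_variables`, which anyone able to inspect the service definition can read; if `../../docker/service` supports Docker secrets or configs (not visible in this diff), prefer that. A short comment explaining why `converge_enable = false` is set would also help the next reader.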

45
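--- /dev/null
+++ b/products/expose/inputs.tf
@@ -0,0 +1,45 @@
+variable "stack_name" {
+default = "expose"
+type = string
+description = "The name of the stack to create."
+}
+variable "networks" {
+type = list(object({
+name = string
+id = string
+}))
+default = []
+description = "A list of network names to attach the service to."
+}
+variable "traefik" {
+default = null
+type = object({
+domain = string
+port = optional(number)
+non-ssl = optional(bool, true)
+ssl = optional(bool, false)
+rule = optional(string)
+middlewares = optional(list(string))
+network = optional(object({ name = string, id = string }))
+basic-auth-users = optional(list(string))
+})
+description = "Whether to enable traefik for the service."
+}
+variable "placement_constraints" {
+default = []
+type = list(string)
+description = "Docker Swarm placement constraints"
+}
+variable "mounts" {
+type = map(string)
+default = {}
+description = "A map of host paths to container paths to mount. The key is the host path, and the value is the container path."
+}
+variable "ports" {
+type = list(object({
+host = optional(number, null)
+container = number
+protocol = optional(string, "tcp")
+}))
+default = []
+}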
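Review bot: The `traefik` object defaults `non-ssl` to `true` and `ssl` to `false`, so a caller who sets only `domain` would publish this credential-protected service over plain HTTP, assuming `../../docker/service` maps these flags to entrypoints as their names suggest. The frigate `traefik` variable changed in this same commit flips `non-ssl` to `false`; matching it here with `non-ssl = optional(bool, false)` keeps the modules consistent. `variable "ports"` is also the only input in this file without a `description`.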


@ -0,0 +1,4 @@
module "network" {
source = "../../docker/network"
stack_name = var.stack_name
}


@ -0,0 +1,15 @@
output "docker_service" {
value = module.service.docker_service
}
output "network" {
value = module.network.network
}
output "endpoint" {
value = module.service.endpoint
}
output "auth" {
value = {
username = local.username
password = local.password
}
}
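Review bot: `output "auth"` returns `local.password` without `sensitive = true`, so the credential is printed by `terraform apply` and `terraform output` and ends up in CI logs. Add `sensitive = true` to this output so consumers have to ask for it explicitly. None of the four outputs has a `description`; a one-line description on each would document what callers receive.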


@ -0,0 +1,16 @@
terraform {
required_version = "~> 1.6"
required_providers {
docker = {
source = "kreuzwerker/docker"
version = "~> 3.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.5"
}
}
}


@ -1,55 +1,14 @@
data "docker_registry_image" "frigate" {
name = "ghcr.io/blakeblackshear/frigate:stable"
}
resource "docker_container" "frigate" {
image = "${data.docker_registry_image.frigate.name}@${data.docker_registry_image.frigate.sha256_digest}"
name = local.container_name
restart = "unless-stopped"
privileged = "true"
shm_size = var.shm_size_mb
network_mode = "bridge"
env = [
"FRIGATE_RTSP_PASSWORD=${var.frigate_rtsp_password}"
]
dynamic "devices" {
for_each = var.devices
content {
host_path = devices.value.host_path
container_path = devices.value.container_path
permissions = devices.value.permissions
}
}
dynamic "volumes" {
for_each = var.volumes
content {
container_path = volumes.value
host_path = volumes.key
read_only = false
}
}
dynamic "ports" {
for_each = var.ports
content {
internal = ports.value.container
external = ports.value.host
protocol = ports.value.protocol
}
}
dynamic "networks_advanced" {
for_each = var.networks
content {
name = networks_advanced.value.id
}
}
dynamic "labels" {
for_each = local.labels
content {
label = labels.key
value = labels.value
}
}
lifecycle {
create_before_destroy = false
module "frigate" {
source = "../../docker/service"
image = "ghcr.io/blakeblackshear/frigate:stable"
stack_name = var.stack_name
service_name = "frigate"
mounts = var.mounts
placement_constraints = var.placement_constraints
traefik = var.traefik
environment_variables = {
FRIGATE_RTSP_PASSWORD = var.frigate_rtsp_password
}
labels = var.labels
converge_enable = false
}
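Review bot: The replaced `docker_container` deployed `name@sha256_digest` resolved through `data.docker_registry_image.frigate`, while the new `module "frigate"` passes only `ghcr.io/blakeblackshear/frigate:stable`; unless `../../docker/service` resolves the digest itself (not visible here), image pinning is lost. The module call also no longer passes `var.ports`, `var.networks`, the shared-memory size or the device mappings, so confirm the service still gets what it needs now that `privileged` is gone. A comment on `converge_enable = false` stating why convergence checks are off would make the intent clear.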


@ -20,20 +20,11 @@ variable "frigate_rtsp_password" {
description = "The password to use for the RTSP streams"
default = ""
}
variable "devices" {
type = list(object({
host_path = string
container_path = string
permissions = optional(string, "rwm")
}))
description = "The devices to mount into the container"
}
variable "volumes" {
variable "mounts" {
type = map(string)
default = {}
description = "A map of volume names to create and mount. The key is the volume name, and the value is the mount point."
description = "A map of host paths to container paths to mount. The key is the host path, and the value is the container path."
}
variable "ports" {
type = list(object({
host = number
@ -72,15 +63,16 @@ variable "ports" {
variable "traefik" {
default = null
type = object({
domain = string
port = optional(number, 5000)
non-ssl = optional(bool, true)
ssl = optional(bool, false)
rule = optional(string)
network = optional(object({
name = string
id = string
}))
domain = string
port = optional(number)
non-ssl = optional(bool, false)
ssl = optional(bool, false)
rule = optional(string)
middlewares = optional(list(string), [])
network = optional(object({ name = string, id = string }))
basic-auth-users = optional(list(string), [])
headers = optional(map(string), {})
udp_entrypoints = optional(list(string), []) # List of UDP entrypoints
})
description = "Whether to enable traefik for the service."
}
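Review bot: In the `traefik` type, `non-ssl` now defaults to `false` while `ssl` still defaults to `false`, so a caller who sets only `domain` enables neither; whether `../../docker/service` then creates any router is not visible in this diff. Consider making the secure entrypoint the default with `ssl = optional(bool, true)`. `port` also lost its `5000` default, which the deleted `traefik_labels` local used to hard-code, so existing callers may now need to pass it explicitly. The description "Whether to enable traefik for the service." no longer covers the new `headers` and `udp_entrypoints` fields and could list them.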


@ -1,24 +0,0 @@
locals {
container_name = "frigate"
# Define service labels en-masse
labels = merge({
"com.docker.stack.namespace" = var.stack_name
"com.docker.stack.image" = data.docker_registry_image.frigate.name
"ooo.grey.service.stack" = var.stack_name
"ooo.grey.service.name" = local.container_name
"ooo.grey.service.image" = data.docker_registry_image.frigate.name
#"ooo.grey.service.image.digest" = data.docker_registry_image.frigate.sha256_digest
}, local.traefik_labels, var.labels)
# Calculate the traefik labels to use if enabled
traefik_labels = var.traefik != null ? {
"traefik.enable" = "true"
"traefik.http.routers.${local.container_name}.rule" = "Host(`${var.traefik.domain}`)"
"traefik.http.routers.${local.container_name}.entrypoints" = "websecure"
"traefik.http.routers.${local.container_name}.tls.certresolver" = "default"
"traefik.http.services.${local.container_name}.loadbalancer.server.port" = 5000
} : {
"traefik.enable" = "false"
}
}


@ -1,3 +1,3 @@
output "endpoint" {
value = try("https://${var.traefik.domain}", "unknown")
value = module.frigate.endpoint
}


@ -4,7 +4,7 @@ module "service" {
stack_name = var.stack_name
service_name = var.service_name
networks = var.networks
command = ["memcached", "--memory-limit", var.memory_limit_mb, "--threads", var.threads, "--connection-limit", var.connection_limit]
command = ["memcached", "-m", var.memory_limit_mb, "-t", var.threads, "-c", var.connection_limit]
#healthcheck = ["CMD-SHELL", "echo \"version\" | nc -vn -w 1 127.0.0.1 11211"]
#healthcheck_start_period = "10s"
#healthcheck_interval = "10s"
@ -21,8 +21,5 @@ locals {
volumes = var.data_persist_path == null ? {
"data" = "/var/lib/mysql"
} : {}
mounts = var.data_persist_path != null ? {
"${var.data_persist_path}" = "/var/lib/mysql"
} : {}
mounts = var.data_persist_path != null ? zipmap([var.data_persist_path], ["/var/lib/mysql"]) : {}
}


@ -24,8 +24,5 @@ locals {
volumes = var.data_persist_path == null ? {
"data" = "/var/lib/mysql"
} : {}
mounts = var.data_persist_path != null ? {
"${var.data_persist_path}" = "/var/lib/mysql"
} : {}
mounts = var.data_persist_path != null ? zipmap([var.data_persist_path], ["/var/lib/mysql"]) : {}
}


@ -9,7 +9,7 @@ variable "networks" {
}))
default = []
description = "A list of network names to attach the service to."
}
} /*
variable "ports" {
type = list(object({
host = optional(number)
@ -30,7 +30,7 @@ variable "ports" {
error_message = "Protocol must be either 'tcp' or 'udp'."
condition = alltrue([for port in var.ports : port.protocol == "tcp" || port.protocol == "udp"])
}
}
}*/
variable "placement_constraints" {
default = []
type = list(string)
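Review bot: `variable "ports"` and its protocol validation are disabled by wrapping them in `/* … */`, with the opener glued to the previous block as `} /*`. Delete the block rather than leaving it commented out, or add a one-line comment saying why it is parked and when it should return. Any remaining `var.ports` reference in this module would now fail validation; those call sites are outside the hunks shown.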


@ -15,7 +15,6 @@ module "anisette" {
"anisette-v3-data" = "/home/Alcoholic/.config/anisette-v3/lib/"
}
}
module "macless-haystack" {
source = "../../docker/service"
stack_name = var.stack_name


@ -1,3 +1,8 @@
variable "enable" {
type = bool
description = "Whether to enable the service."
default = true
}
variable "postgres_image" {
default = "postgres"
type = string


@ -1,5 +1,6 @@
module "service" {
source = "../../docker/service"
enable = var.enable
image = "${var.postgres_image}:${var.postgres_version}"
stack_name = var.stack_name
service_name = var.service_name
@ -16,13 +17,9 @@ module "service" {
ports = var.ports
placement_constraints = var.placement_constraints
}
locals {
volumes = var.data_persist_path == null ? {
"data" = "/var/lib/postgres/data"
} : {}
mounts = var.data_persist_path != null ? {
"${var.data_persist_path}" = "/var/lib/postgres/data"
} : {}
mounts = var.data_persist_path != null ? zipmap([var.data_persist_path], ["/var/lib/postgres/data"]) : {}
}


@ -1,3 +1,8 @@
variable "enable" {
type = bool
description = "Whether to enable the service."
default = true
}
variable "quassel_image" {
default = "lscr.io/linuxserver/quassel-core"
type = string
@ -17,4 +22,12 @@ variable "placement_constraints" {
default = []
type = list(string)
description = "Docker Swarm placement constraints"
}
variable "ports" {
default = [{ host = 4242, container = 4242 }]
type = list(object({
host = number
container = number
}))
description = "Ports to expose on the service. Default is port 4242."
}


@ -4,16 +4,18 @@ module "network" {
}
module "postgres" {
source = "../postgres"
enable = var.enable
postgres_version = "16"
stack_name = var.stack_name
networks = [module.network]
username = "postgres"
database = "postgres"
placement_constraints = var.placement_constraints
ports = [{ container = 5432, host = 65432 }]
ports = [{ container = 5432 }]
}
module "service" {
source = "../../docker/service"
enable = var.enable
image = "${var.quassel_image}:${var.quassel_version}"
stack_name = var.stack_name
service_name = "quassel"
@ -31,6 +33,6 @@ module "service" {
AUTH_AUTHENTICATOR = "Database"
}
placement_constraints = var.placement_constraints
ports = [{ container = 4242, host = 4242 }]
ports = var.ports
converge_enable = false # @todo MB: add healthcheck and fix this.
}


@ -1,3 +1,8 @@
variable "enable" {
type = bool
description = "Whether to enable the service."
default = true
}
variable "redis_image" {
default = "redis"
type = string


@ -24,6 +24,7 @@ variable "append_only" {
}
module "service" {
source = "../../docker/service"
enable = var.enable
image = "${var.redis_image}:${var.redis_version}"
stack_name = var.stack_name
service_name = "redis"


@ -6,4 +6,7 @@ output "docker_network" {
}
output "endpoint" {
value = module.traefik.endpoint
}
output "hello_endpoint" {
value = try(module.traefik_hello[0].endpoint, null)
}


@ -1,7 +1,8 @@
module "port_forward" {
source = "../port-forward"
enabled = var.enabled
label = var.label
port = var.port != null ? var.port : var.docker_service.endpoint_spec[0].ports[0].published_port
ip = var.target.fixed_ip
source = "../port-forward"
enabled = var.enabled
label = var.label
port = var.port != null ? var.port : var.docker_service.endpoint_spec[0].ports[0].published_port
ip = var.target.fixed_ip
protocol = var.protocol
}


@ -3,7 +3,7 @@ module "watchtower" {
image = "containrrr/watchtower:latest"
stack_name = "watchtower"
service_name = "watchtower"
placement_constraints = var.placement_constraints + ["node.role == manager"]
placement_constraints = distinct(concat(var.placement_constraints, ["node.role == manager"]))
command = ["--cleanup", "--label-enable", "--interval", "3600"]
labels = {
"com.centurylinklabs.watchtower.enable" = "true"


@ -1,3 +1,8 @@
variable "enabled" {
description = "Whether to enable the services or merely provision them."
type = bool
default = true
}
variable "stack_name" {
description = "The name of the stack"
type = string
@ -16,7 +21,6 @@ variable "placement_constraints" {
default = []
}
variable "traefik" {
default = null
type = object({
domain = string
port = optional(number)
@ -29,8 +33,3 @@ variable "traefik" {
})
description = "Whether to enable traefik for the service."
}
variable "enabled" {
description = "Whether to enable the services or merely provision them."
type = bool
default = true
}

27
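--- /dev/null
+++ b/products/yarr/metube.tf
@@ -0,0 +1,27 @@
+module "metube" {
+source = "../../docker/service"
+image = "ghcr.io/alexta69/metube"
+enable = var.enabled
+service_name = "metube"
+stack_name = var.stack_name
+environment_variables = {
+DOWNLOAD_DIR = "/media/youtube"
+HTTPS = false
+CUSTOM_DIRS = true
+TEMP_DIR = "/media/youtube/.temp"
+}
+remote_volumes = {
+"/media" = module.media
+}
+mounts = {
+"/etc/localtime" = "/etc/localtime"
+}
+networks = [module.network]
+converge_enable = false
+traefik = {
+domain = "metube.${var.traefik.domain}"
+ssl = true
+port = 8081
+}
+placement_constraints = var.placement_constraints
+}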
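Review bot: The `traefik` block publishes `metube.${var.traefik.domain}` with `ssl = true` but sets neither `basic-auth-users` nor `middlewares`, so as written the downloader is reachable without authentication unless something outside this file adds it. The service writes into the shared `/media` volume, so put it behind basic auth or an authenticating middleware, if this module's `traefik` object supports those fields as the other modules on this page do. `image = "ghcr.io/alexta69/metube"` carries no tag or digest and therefore resolves to `latest`; pin a version or an `@sha256:` digest.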


@ -1,5 +1,4 @@
locals {
username_words = var.username_words != null ? var.username_words : floor(var.username_max_length / 3)
username = var.username != null ? var.username : random_pet.username[0].id
password = var.password != null ? nonsensitive(var.password) : nonsensitive(random_password.password[0].result)
username = var.username != null ? var.username : random_pet.username[0].id
password = var.password != null ? nonsensitive(var.password) : nonsensitive(random_password.password[0].result)
}