diff --git a/.gitignore b/.gitignore index 072c29b..3f374e1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ /.idea +/.debug /.terraform /terraform.tfstate* /.terraform.tfstate* diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index bc3a7a2..37e4fe5 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -1,6 +1,48 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/brendanthompson/scratch" { + version = "0.4.0" + constraints = "0.4.0" + hashes = [ + "h1:MTVRrvKcbCMw67V+QMOWkHaH5W6wusaBwoB2e6HcELM=", + "zh:02de448b66fa61d39588dadb267698f361a3b681beb48d6576068923de600df7", + "zh:23d038c6571aa3062e36b95bc3c7bcd511da66ae6f7e417ac2eb64b05794cad7", + "zh:31061bfe3094360eed7f649ad03d86b67b93af3019170c168888d82cbcffc380", + "zh:395932aa5755a5f8e77a429c393182b461c51a583fe17dee38e73aff70bbc640", + "zh:3e7b738148381ed501853bb21e34b30ec93320d3fe42cec127aa8513ab975eaf", + "zh:49a9a9e03a18ea052cc7ce71646e46f92ffc3ff47f9892182707508a8db2efa9", + "zh:5da9a599ebd739e6155a5ed64fec47cc4d44c1d480474235464c475f5db68d38", + "zh:8deeba7e7cc41be90b2a433fa69e7b59b5d7d4f35f73aa2c95dbb430bc21b3e2", + "zh:c6304ce9f6e499a4b537345c7587c232b6bca4954d7150ace8400ecae38392e5", + "zh:c9d3751cc1203a440b215358fb6f38023678ab36da02e28b5d84722fa19d7c48", + "zh:d649dcd94424fb23e9caa90a89a9f19c7964d4d56240f2f75c79ff27192f638a", + "zh:e4483df0cdfc2dd2210d406e7b4bc3c5940f8e63c9d2fce6958971a1fbc56813", + "zh:e71f355566b17fb0d834940a5d46256528684e1b2717eca6752e11cba329fe2f", + "zh:fe48ba87307e3b7833793ee7c2dec428aa1ace8af759ef3bbb32380b69d4a2d5", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.1" + constraints = "~> 2.1" + hashes = [ + "h1:8oTPe2VUL6E2d3OcrvqyjI4Nn/Y/UEQN26WLk5O/B0g=", + "zh:0af29ce2b7b5712319bf6424cb58d13b852bf9a777011a545fac99c7fdcdf561", + "zh:126063ea0d79dad1f68fa4e4d556793c0108ce278034f101d1dbbb2463924561", + "zh:196bfb49086f22fd4db46033e01655b0e5e036a5582d250412cc690fa7995de5", + "zh:37c92ec084d059d37d6cffdb683ccf68e3a5f8d2eb69dd73c8e43ad003ef8d24", + "zh:4269f01a98513651ad66763c16b268f4c2da76cc892ccfd54b401fff6cc11667", + "zh:51904350b9c728f963eef0c28f1d43e73d010333133eb7f30999a8fb6a0cc3d8", + "zh:73a66611359b83d0c3fcba2984610273f7954002febb8a57242bbb86d967b635", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7ae387993a92bcc379063229b3cce8af7eaf082dd9306598fcd42352994d2de0", + "zh:9e0f365f807b088646db6e4a8d4b188129d9ebdbcf2568c8ab33bddd1b82c867", + "zh:b5263acbd8ae51c9cbffa79743fbcadcb7908057c87eb22fd9048268056efbc4", + "zh:dfcd88ac5f13c0d04e24be00b686d069b4879cc4add1b7b1a8ae545783d97520", + ] +} + provider "registry.terraform.io/hashicorp/random" { version = "3.6.2" constraints = "~> 3.3" diff --git a/docker.tf b/docker.tf index b4ff144..7745b14 100644 --- a/docker.tf +++ b/docker.tf @@ -3,19 +3,20 @@ provider "ssh" { host = "california.ti" port = 22 } - user = "techinc" - auth = { + user = "techinc" + auth = { private_key = { content = file("~/.ssh/keys/exploding_bolts_2_rsa") } } } -data "ssh_tunnel" "docker" { - connection_name = "docker_socket_tunnel_california" - remote = { - socket = "/var/run/docker.sock" - } -} +#data "ssh_tunnel" "docker" { +# connection_name = "docker_socket_tunnel_california" +# remote = { +# socket = "/var/run/docker.sock" +# } +#} provider "docker" { - host = "tcp://${data.ssh_tunnel.docker.local.address}" + #host = "tcp://${data.ssh_tunnel.docker.local.address}" + host = "ssh://california.ti" } diff --git a/loadbalancer.tf b/loadbalancer.tf new file mode 100644 index 0000000..0c7da0b --- /dev/null +++ b/loadbalancer.tf @@ -0,0 +1,22 @@ +resource "docker_network" "loadbalancer" { + name = "loadbalancer" + driver = "overlay" + attachable = true + ipam_driver = "default" + ipam_config { + aux_address = {} + subnet = "172.16.0.0/16" + gateway = "172.16.0.1" + } +} + +module "nginx" { + source = "git::https://code.techinc.nl/grey/terraform-nginx.git" + configs = concat( + module.minio.nginx_files + ) + networks = [ + docker_network.loadbalancer, + ] + replicas = 1 +} diff --git a/minio.tf b/minio.tf new file mode 100644 index 0000000..de092ec --- /dev/null +++ b/minio.tf @@ -0,0 +1,6 @@ +module "minio" { + source = "./modules/minio" + domain = "s3.california.ti" + network = docker_network.loadbalancer + storage_path = "/media/storage/minio" +} diff --git a/modules/minio/inputs.tf b/modules/minio/inputs.tf new file mode 100644 index 0000000..244ef5a --- /dev/null +++ b/modules/minio/inputs.tf @@ -0,0 +1,20 @@ +variable "admin_username" { + type = string + description = "The username of the admin user" + default = "admin" +} +variable "domain" { + type = string + description = "The domain name of the minio instance" +} +variable "network" { + type = object({ + id = string + name = string + }) + description = "The network to attach the minio service to" +} +variable "storage_path" { + type = string + description = "The path to the storage directory to use" +} diff --git a/modules/minio/minio.tf b/modules/minio/minio.tf new file mode 100644 index 0000000..d0fe7ba --- /dev/null +++ b/modules/minio/minio.tf @@ -0,0 +1,70 @@ +data "docker_registry_image" "minio" { + name = "quay.io/minio/minio:latest" +} + +resource "random_password" "minio_password" { + length = 32 + special = false +} + +locals { + SERVER_URL = "https://${var.domain}" + UI_URL = "https://${var.domain}/ui/" +} + +resource "docker_service" "minio" { + name = "minio" + task_spec { + container_spec { + image = "${data.docker_registry_image.minio.name}@${data.docker_registry_image.minio.sha256_digest}" + command = ["minio", "server", "/data", ] + env = { + MINIO_ADDRESS = "0.0.0.0:9000" + MINIO_CONSOLE_ADDRESS = "0.0.0.0:9001" + MINIO_ROOT_USER = var.admin_username + MINIO_ROOT_PASSWORD = random_password.minio_password.result + MINIO_SERVER_URL = local.SERVER_URL + MINIO_BROWSER_REDIRECT_URL = local.UI_URL + MINIO_BROWSER_REDIRECT = true + MINIO_API_ROOT_ACCESS = "on" + } + mounts { + target = "/data" + source = var.storage_path + type = "bind" + read_only = false + } + } + networks_advanced { + name = var.network.id + } + placement { + platforms { + architecture = "amd64" + os = "linux" + } + } + } + update_config { + parallelism = 1 + order = "stop-first" + } +} + +module "minio_nginx_config" { + source = "git::https://code.techinc.nl/grey/terraform-nginx.git//nginx-site-available" + hostname = var.domain + //certificate = acme_certificate.ooo_grey["s3"] + service_name = "minio_s3" + upstream_host = "${docker_service.minio.name}:9000" + config_prefix = "nginx" + extra_upstreams = [ + { + name = "minio_ui", + servers = ["${docker_service.minio.name}:9001"] + } + ] + extra_locations = file("${path.module}/minio_nginx_extra.conf") + allow_non_ssl = true + allow_ssl = false +} diff --git a/modules/minio/minio_nginx_extra.conf b/modules/minio/minio_nginx_extra.conf new file mode 100644 index 0000000..0f97fd8 --- /dev/null +++ b/modules/minio/minio_nginx_extra.conf @@ -0,0 +1,25 @@ + location /ui/ { + rewrite ^/ui/(.*) /$1 break; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-NginX-Proxy true; + + # This is necessary to pass the correct IP to be hashed + real_ip_header X-Real-IP; + + proxy_connect_timeout 300; + + # To support websockets in MinIO versions released after January 2023 + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress) + # Uncomment the following line to set the Origin request to an empty string + # proxy_set_header Origin ''; + + chunked_transfer_encoding off; + + proxy_pass http://minio_ui; + } diff --git a/modules/minio/outputs.tf b/modules/minio/outputs.tf new file mode 100644 index 0000000..9475641 --- /dev/null +++ b/modules/minio/outputs.tf @@ -0,0 +1,12 @@ +output "auth" { + value = { + user = docker_service.minio.task_spec[0].container_spec[0].env.MINIO_ROOT_USER + password = nonsensitive(docker_service.minio.task_spec[0].container_spec[0].env.MINIO_ROOT_PASSWORD) + } +} +output "domain" { + value = local.SERVER_URL +} +output "nginx_files" { + value = module.minio_nginx_config.files +} diff --git a/modules/minio/terraform.tf b/modules/minio/terraform.tf new file mode 100644 index 0000000..448ac0b --- /dev/null +++ b/modules/minio/terraform.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + docker = { + source = "kreuzwerker/docker" + version = "~>3.0" + } + random = { + source = "hashicorp/random" + version = "~>3.3" + } + } +}