From f05b5689f86243b227068cf9331d8146fbc33cf8 Mon Sep 17 00:00:00 2001 From: Trygve Laugstøl Date: Mon, 27 Feb 2023 11:35:40 +0100 Subject: unifi-controller --- bin/terragrunt | 36 ++++++++++++ terraform/backend.tf | 12 ++++ terraform/conflatorio-docker/traefik.tf | 42 +++++++++----- terraform/terragrunt.hcl | 16 ++++++ terraform/unifi-controller/.terraform.lock.hcl | 68 +++++++++++++++++++++++ terraform/unifi-controller/backend.tf | 12 ++++ terraform/unifi-controller/main.tf | 36 ++++++++++++ terraform/unifi-controller/terragrunt.hcl | 3 + terraform/unifi-controller/unifi.tf | 76 ++++++++++++++++++++++++++ 9 files changed, 287 insertions(+), 14 deletions(-) create mode 100755 bin/terragrunt create mode 100644 terraform/backend.tf create mode 100644 terraform/terragrunt.hcl create mode 100644 terraform/unifi-controller/.terraform.lock.hcl create mode 100644 terraform/unifi-controller/backend.tf create mode 100644 terraform/unifi-controller/main.tf create mode 100644 terraform/unifi-controller/terragrunt.hcl create mode 100644 terraform/unifi-controller/unifi.tf diff --git a/bin/terragrunt b/bin/terragrunt new file mode 100755 index 0000000..04086d1 --- /dev/null +++ b/bin/terragrunt @@ -0,0 +1,36 @@ +#!/bin/bash + +set -euo pipefail + +v=0.44.0 + +basedir="${0%/*}" +self="${0##*/}" + +s=$(uname -s) +case "$s" +in + Darwin) s=darwin ;; + Linux) s=linux ;; + *) echo "Unsupported system: $s" >/dev/stderr ;; +esac + +m=$(uname -m) +case "$m" +in + x86_64) m=amd64 ;; + arm64) ;; + *) echo "Unsupported machine: $m" >/dev/stderr ;; +esac + +url=https://github.com/gruntwork-io/terragrunt/releases/download/v${v}/terragrunt_${s}_${m} +bin="$basedir/.tmp/$v/$self" + +if [[ ! -x "$bin" ]] +then + mkdir -p $(dirname "$bin") + wget -O "$bin" "$url" + chmod +x $bin +fi + +exec "$bin" "${@}" diff --git a/terraform/backend.tf b/terraform/backend.tf new file mode 100644 index 0000000..d970fc9 --- /dev/null +++ b/terraform/backend.tf 
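Review bot: The binary fetched in the `if [[ ! -x "$bin" ]]` branch is made executable and run without any integrity check, so anyone who can tamper with the download (or the release asset) gets code execution with the cloud credentials the caller later hands to terragrunt; pin the SHA-256 of the release asset and verify it before `chmod +x`. The `*)` branches of both `case` statements only print to stderr and then fall through to build a URL from the raw `uname` output, so they should `exit 1`. `mkdir -p $(dirname "$bin")` and `chmod +x $bin` are unquoted and break if the script lives under a path with spaces. The rewritten download step is below; the per-platform digests have to be copied from the release's SHA256SUMS file and kept in the script, and `shasum` is used because macOS has no `sha256sum`.
```shell
# … unchanged: version, basedir, self …
case "$s"
in
  Darwin) s=darwin ;;
  Linux) s=linux ;;
  *) echo "Unsupported system: $s" >&2; exit 1 ;;
esac
# … unchanged: machine detection, with the same `exit 1` in its default branch …

# Expected SHA-256 of the release asset, copied from the v${v} SHA256SUMS file.
case "${s}_${m}"
in
  darwin_amd64) sha256="<from SHA256SUMS>" ;;
  darwin_arm64) sha256="<from SHA256SUMS>" ;;
  linux_amd64) sha256="<from SHA256SUMS>" ;;
  linux_arm64) sha256="<from SHA256SUMS>" ;;
esac

url=https://github.com/gruntwork-io/terragrunt/releases/download/v${v}/terragrunt_${s}_${m}
bin="$basedir/.tmp/$v/$self"

if [[ ! -x "$bin" ]]
then
  mkdir -p "$(dirname "$bin")"
  wget -O "$bin.part" "$url"
  # Refuse to install a binary whose digest does not match the pinned value.
  echo "$sha256  $bin.part" | shasum -a 256 -c - || { rm -f "$bin.part"; exit 1; }
  chmod +x "$bin.part"
  mv "$bin.part" "$bin"
fi
```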
@@ -0,0 +1,12 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + backend "s3" { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + endpoint = "eu-central-1.linodeobjects.com" + key = "./terraform.tfstate" + region = "eu-central-1" + skip_credentials_validation = true + skip_metadata_api_check = true + skip_region_validation = true + } +} diff --git a/terraform/conflatorio-docker/traefik.tf b/terraform/conflatorio-docker/traefik.tf index 46d4671..a1cedec 100644 --- a/terraform/conflatorio-docker/traefik.tf +++ b/terraform/conflatorio-docker/traefik.tf @@ -1,20 +1,20 @@ resource "docker_network" "traefik" { name = "traefik" -# ipv6 = true + # ipv6 = true ipam_config { gateway = "172.20.0.1" subnet = "172.20.0.0/16" } -# ipam_config { -# subnet = "fd00:dead:beef::/48" -# gateway = "fd00:dead:beef::1" -# } + # ipam_config { + # subnet = "fd00:dead:beef::/48" + # gateway = "fd00:dead:beef::1" + # } } resource "docker_image" "traefik" { - name = "traefik:2.9" + name = "traefik:2.9.8" } resource "docker_container" "traefik" { @@ -47,7 +47,10 @@ resource "docker_container" "traefik" { command = [ "--log.level=DEBUG", - "--api.insecure=true", + "--api=true", + "--api.dashboard=true", + "--api.debug=true", + # "--api.insecure=true", "--providers.docker=true", "--providers.docker.exposedbydefault=false", "--entrypoints.websecure.address=:443", 
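Review bot: Replacing `--api.insecure=true` with `--api=true` and `--api.dashboard=true` is the right direction, but the added `--api.debug=true` turns on Traefik's `/debug/` profiling endpoints on the same `api@internal` service, and together with the unchanged `--log.level=DEBUG` that is more than a proxy on a public `websecure` entrypoint should expose; drop `--api.debug=true` and use `--log.level=INFO` unless a debugging session needs them. The image bump to `traefik:2.9.8` is a tag, not a digest; if reproducibility matters, pin `traefik:2.9.8@sha256:…` from the registry so the tag cannot be repointed. The `docker_container.traefik` resource continues past the end of this hunk.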
@@ -58,15 +61,26 @@ resource "docker_container" "traefik" { "--certificatesresolvers.linode.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53", "--certificatesresolvers.linode.acme.email=root@trygvis.io", "--certificatesresolvers.linode.acme.storage=/letsencrypt/acme.json", - ] - # labels { - # label = "traefik.enable" - # value = "true" - # } + # There doesn't seem to be a way to define a specific + # serversTransport through the CLI or lables, to here backend + # certificate checks are globally disabled. + "--serverstransport.insecureskipverify", + ] - # - "{{ docker_service__root }}/traefik/letsencrypt:/letsencrypt" - # - "/var/run/docker.sock:/var/run/docker.sock:ro" + dynamic "labels" { + for_each = [ + { label = "traefik.enable", value = "true" }, + { label = "traefik.http.routers.traefik.service", value = "api@internal" }, + { label = "traefik.http.routers.traefik.rule", value = "Host(`conflatorio.vpn.trygvis.io`)" }, + { label = "traefik.http.routers.traefik.entrypoints", value = "websecure" }, + { label = "traefik.http.routers.traefik.tls.certresolver", value = "linode" }, + ] + content { + label = labels.value["label"] + value = labels.value["value"] + } + } env = [ "LINODE_TOKEN=${data.sops_file_entry.linode_token.data}" diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl new file mode 100644 index 0000000..74d2de9 --- /dev/null +++ b/terraform/terragrunt.hcl @@ -0,0 +1,16 @@ +remote_state { + backend = "s3" + generate = { + path = "backend.tf" + if_exists = "overwrite_terragrunt" + } + config = { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + key = "${path_relative_to_include()}/terraform.tfstate" + region = "eu-central-1" + skip_region_validation = true + skip_credentials_validation = true + skip_metadata_api_check = true + endpoint = "eu-central-1.linodeobjects.com" + } +} diff --git a/terraform/unifi-controller/.terraform.lock.hcl b/terraform/unifi-controller/.terraform.lock.hcl new file mode 100644 index 0000000..b96b3f3 
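Review bot: `--serverstransport.insecureskipverify` disables certificate verification for every backend Traefik connects to, not only the UniFi one, so any container on the `traefik` network that can answer for a backend name gets a clean TLS session from the proxy. Traefik 2.4+ allows a named `serversTransport` (with `insecureSkipVerify`, or better the backend's CA in `rootCAs`) in a file-provider dynamic configuration, selected per service with the `traefik.http.services.<name>.loadbalancer.serverstransport=<name>@file` label, which keeps the global default strict; the comment claiming this cannot be scoped is worth re-checking against that (it also misspells `lables` and reads `to here` for `so here`). The new `traefik` router serves `api@internal` with TLS but no middleware, so the dashboard is protected only by who can reach `conflatorio.vpn.trygvis.io`; adding `{ label = "traefik.http.routers.traefik.middlewares", value = "dashboard-auth" }` backed by a basicauth or ipallowlist middleware is a cheap second layer. The `docker_container.traefik` resource continues past the end of this hunk.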
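Review bot: The state this `remote_state` block writes to the `terraform-a6726272-…` bucket will contain the sops-decrypted `LINODE_TOKEN` that the traefik container receives via `env`, and Terraform stores such values in state in plaintext, so the bucket has to be treated as a secret store: a dedicated Object Storage key pair scoped to this bucket, no public ACL, and versioning if the Linode cluster offers it. The `skip_*` flags are required for a non-AWS S3 endpoint and are fine, but a comment such as `# Non-AWS endpoint (Linode Object Storage): skip the AWS-only validations` would stop a later reader from "fixing" them. Since Terragrunt regenerates `backend.tf` from this file on every run, committing the generated copies invites drift; adding `backend.tf` to `.gitignore` keeps one source of truth.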
--- /dev/null +++ b/terraform/unifi-controller/.terraform.lock.hcl 
@@ -0,0 +1,68 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cyrilgdn/postgresql" { + version = "1.18.0" + constraints = "1.18.0" + hashes = [ + "h1:Nf26liFILUZXPh1P2B8T3qtq2Tc7objtm0sBSt0lhh0=", + "zh:251b609167ce25e974607c0c7dd3f90cfc45980c9068364f896e26c31416d96c", + "zh:317980d14a6a171f118bb522ffd02046e508d98100073f97671aeb2adae30d79", + "zh:3622c6414e91f8ccceed94ddf12062a22c14de4fac73c6142b009ae791ca7cd4", + "zh:36be2b338c230b0ab0c7b4c55049dba9bd8d705973c2cceaf3e293d41f520db5", + "zh:4332e83b91f60c43679ff9660c8ef4ebe251e05926a4d20dc64db1bfbabc8670", + "zh:444835840c917aff17f49f9f7b4ae542d5bd9f2ec306b581d1931b00380213bd", + "zh:5174bd85ea94ed4a6cef6c02bc27498f47ac21841fcab7487ab19d8513c97e54", + "zh:61c6eb6b2bf18cdc0734c101854e25990ba24a16580c6bbc599a0b00f72be397", + "zh:b40bbc61a4e522b22ebd57f01a518370a97cd6945e4bdd2955e5f887c88ee3f6", + "zh:d7aeb158c884f6590d6033cd44d5e9438f648bcb5ca3bd54573847c287845b00", + "zh:da3bee1282f6b48572d15f7a693113931afb306b98e29c09c9a054bdc3d6df44", + "zh:ec864a068eeab48899d99405f5606379478df8e48c005844d63a5360c23d5e15", + "zh:fda709d1cabde236b79c98c9abb80f2c1591fdea751afadc546073056be6e6ba", + "zh:ff08607ab25d1c5b55c3794b67a4ee2c9ac5023962c196ce587df34f0e201ca6", + ] +} + +provider "registry.terraform.io/kreuzwerker/docker" { + version = "3.0.1" + constraints = "3.0.1" + hashes = [ + "h1:X2wZHQoG54NmtojeFcX0PSJPelaIejQRqyyI2h+LjWg=", + "zh:02f60126ca16b344092df3c315296bf1a216c3b2a68eddb3c89fdfa5ea826118", + "zh:0d2ee9624a54dbc10538b0c4e296348641b9bfba1354b3f872e43f7ec69a75f2", + "zh:473d7427da8c9efc231266abc7fdc27fca5f9ee0bdfcdb9914f0a2886e3e23b8", + "zh:5f0189bcd0c944c001098cb17a23efa79df8f0eec8644a64fe0e4200983ba5b7", + "zh:6200319c41d6baad3f46701a4028412f8ae2496e29fc4fef9584cc71da5fbbe6", + "zh:650be621f2216b1240f148eae8fcf80ec57c35925e2b212db7c23a70b9e67e06", + 
"zh:72fcfa6207251105066a34f0ec6d27ecc658b565e84fa946da376dd1afadd265", + "zh:92fc352a2090d3d380c7c8e8bbdf6f99d93a0182701056bb1d2dbfd5049e8ca6", + "zh:a7e2ef666c2a7eb5661b06cfbd7635cb9543524e7bf6a3851dcf6eacc9950cc4", + "zh:a8604595e61e8919c51a8656800c8c64557f9a2bc00309315895b380f2e9be19", + "zh:caf65603a84b749d8f3af2ee47b66f7e21d481f981e2e1d1d59838751c5e3be4", + "zh:dad40c4e57da284e7f57b5c0cc9dfac3cb27b01d2f2436fbe3464f0a2111b262", + "zh:dc1b173dbcba9d74879b16f36f6d9e97ef62fbd6fca8db79ec4fe4ec69c0e2f3", + "zh:e506d04677383b6d62bd69d42dc9005e27a45ccc2efc6e0de607e1f8445981d2", + ] +} + +provider "registry.terraform.io/linode/linode" { + version = "1.30.0" + constraints = "1.30.0" + hashes = [ + "h1:rd4yQ7u3awn2kTqdKf5D67TTeo6rybYpDry/WwvolRA=", + "zh:197c61c5eb2252f65c18d2aa65cdc0511617b13e2388118f3fe063d7969dd7ad", + "zh:1a66470682acb13dc57308d5b1eaa19ff60c2404a3b15714e3072d02d569b1a5", + "zh:368cdcf17073a39687da830c02cf3ce50e0d8f03b7ec808b49561628be798abc", + "zh:42f2510a70afbb7fc8928df119d1e14ce1b61d2aded13b88072858ee5861feb2", + "zh:57734dd1e8255abd52a33ff79c20ef4efc3831850b22dd1a628e6301c3cf95c6", + "zh:61d614a7a4607bfc4ab6bfd0501007501957b973dbd028e0e513a3d4df07f12e", + "zh:79243f22fc0a9adfc1123abdd17c515f0ce4d8147302889033b6c44f6a48337e", + "zh:9f7cd46185bbe2c001dab1d0bd6c17a9740e7279d3fffe93755f2c964e267213", + "zh:9fdc9f8f47bde4140bc14cf082bbc2ceb63a3bebf0683df2fefd83c9e248274c", + "zh:aa1fd80a7ea245f8b852e40c68ccde2d8b6446e2138ebdec7425c67e82099881", + "zh:bb31f1ba5b0e001cf343d3a4cfafa70e6f3e30fd8a200d2cd7e077663efe0456", + "zh:da87881fa030287df2009028c49581e1fd0ff89baef0d8543b27ca506eff2971", + "zh:ed6afd7b1bc7237a9dff5c721ca3a5c7c505803cd5ea0b4ad0dfdf07ed6f9b0d", + "zh:ee653d5d08cb331ce2d8dc1010e68d363470ae87be62c0515e5d2418727cd02b", + ] +} diff --git a/terraform/unifi-controller/backend.tf b/terraform/unifi-controller/backend.tf new file mode 100644 index 0000000..af4b54d --- /dev/null +++ b/terraform/unifi-controller/backend.tf 
@@ -0,0 +1,12 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+ backend "s3" {
+ bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ endpoint = "eu-central-1.linodeobjects.com"
+ key = "unifi-controller/terraform.tfstate"
+ region = "eu-central-1"
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ }
+}
diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf
new file mode 100644
index 0000000..98d559a
--- /dev/null
+++ b/terraform/unifi-controller/main.tf
@@ -0,0 +1,36 @@
+terraform {
+ required_version = "~> 1.3.5"
+
+ # backend "s3" {
+ # bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ # key = "unifi/terraform.tfstate"
+ # region = "eu-central-1"
+ # skip_region_validation = true
+ # skip_credentials_validation = true
+ # skip_metadata_api_check = true
+ # endpoint = "eu-central-1.linodeobjects.com"
+ # }
+
+ required_providers {
+ docker = {
+ source = "kreuzwerker/docker"
+ version = "3.0.1"
+ }
+ linode = {
+ source = "linode/linode"
+ version = "1.30.0"
+ }
+ postgresql = {
+ source = "cyrilgdn/postgresql"
+ version = "1.18.0"
+ }
+ }
+}
+
+provider "docker" {
+ host = "ssh://conflatorio.vpn.trygvis.io"
+}
+
+locals {
+ domain_name = "unifi.vpn.trygvis.io"
+}
diff --git a/terraform/unifi-controller/terragrunt.hcl b/terraform/unifi-controller/terragrunt.hcl
new file mode 100644
index 0000000..e147285
--- /dev/null
+++ b/terraform/unifi-controller/terragrunt.hcl
@@ -0,0 +1,3 @@
+include "root" {
+ path = find_in_parent_folders()
+}
diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf
new file mode 100644
index 0000000..55ccef3
--- /dev/null
+++ b/terraform/unifi-controller/unifi.tf
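Review bot: The commented-out `backend "s3"` block inside `terraform {}` duplicates what Terragrunt now generates into `backend.tf` but with a different key (`unifi/terraform.tfstate` instead of `unifi-controller/terraform.tfstate`), so it is already stale and uncommenting it later would silently start from an empty state; delete it rather than keep it as reference. `provider "docker" { host = "ssh://conflatorio.vpn.trygvis.io" }` gives every `terraform apply` a Docker API session on that host, which is root-equivalent there, so the identity in use deserves a comment, e.g. `# Docker API over SSH: the SSH key used here is root-equivalent on conflatorio; its host key must already be in known_hosts`. The `postgresql` provider is required and lock-filed but nothing in this commit uses it; if it is for a later change, say so, otherwise drop it to keep the provider surface small.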
@@ -0,0 +1,76 @@ +data "docker_network" "traefik" { + name = "traefik" +} + +data "docker_registry_image" "unifi-controller" { + name = "lscr.io/linuxserver/unifi-controller:latest" +} + +resource "docker_image" "unifi-controller" { + name = data.docker_registry_image.unifi-controller.name + pull_triggers = [data.docker_registry_image.unifi-controller.sha256_digest] +} + +resource "docker_volume" "unifi-controller" { + name = "unifi-controller" +} + +resource "docker_container" "unifi-controller" { + image = docker_image.unifi-controller.image_id + name = "unifi-controller" + hostname = "unifi-controller" + # privileged = true + # must_run = false + + networks_advanced { + name = data.docker_network.traefik.name + } + + dynamic "ports" { + for_each = [ + { port = 161, proto = "udp" }, + { port = 3478, proto = "udp" }, + { port = 6789, proto = "tcp" }, + { port = 8081, proto = "tcp" }, + { port = 8080, proto = "tcp" }, + { port = 8880, proto = "tcp" }, + { port = 8443, proto = "tcp" }, + { port = 10001, proto = "udp" }, + +# { port = 8843, proto = "tcp" }, web ui + ] + content { + internal = ports.value["port"] + external = ports.value["port"] + protocol = ports.value["proto"] + ip = "192.168.10.3" + } + } + + volumes { + volume_name = docker_volume.unifi-controller.name + container_path = "/config" + } + + dynamic "labels" { + for_each = [ + { label = "traefik.enable", value = "true" }, + { label = "traefik.http.routers.unifi-controller.rule", value = "Host(`${local.domain_name}`)" }, + { label = "traefik.http.routers.unifi-controller.entrypoints", value = "websecure" }, + { label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" }, + { label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" }, + { label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" }, +# { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" }, + ] + 
content { + label = labels.value["label"] + value = labels.value["value"] + } + } + + env = [ + "PUID=1000", + "PGID=1000", + "MEM_LIMIT=default", + ] +} -- cgit v1.2.3
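Review bot: The `ports` block publishes 8443/tcp on 192.168.10.3 even though 8443 is exactly the port the Traefik labels proxy to, so the UniFi admin UI is reachable directly with the container's own certificate, bypassing the `websecure` entrypoint and its Let's Encrypt certificate; if only device traffic needs the LAN binding, drop `{ port = 8443, proto = "tcp" }` from the list (the `web ui` remark on the commented-out 8843 entry is misleading: 8443 is the admin UI, 8843 is the guest portal). `lscr.io/linuxserver/unifi-controller:latest` together with `pull_triggers = [… sha256_digest]` means any upstream push to `latest` replaces the running controller on the next apply without review; pin a version tag or a `@sha256:` digest and bump it deliberately. The `loadbalancer.server.scheme = https` label only works because Traefik's backend verification is disabled globally; a per-service serversTransport that trusts the controller's certificate would be the strict option.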