chore(keycloak): cloudflared and vouch

This commit is contained in:
arcnmx 2024-03-18 19:10:43 -07:00
parent b8714cc674
commit 2eef6e5508
15 changed files with 303 additions and 229 deletions


@ -3,177 +3,177 @@ locals {
}
resource "cloudflare_record" "kerberos_master_tcp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
data {
service = "_kerberos-master"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
service = "_kerberos-master"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
priority = 0
weight = 100
port = 88
target = local.idp_fqdn
weight = 100
port = 88
target = local.idp_fqdn
}
}
resource "cloudflare_record" "kerberos_master_udp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
data {
service = "_kerberos-master"
proto = "_udp"
name = cloudflare_zone.gensokyo-zone_zone.zone
service = "_kerberos-master"
proto = "_udp"
name = cloudflare_zone.gensokyo-zone_zone.zone
priority = 0
weight = 100
port = 88
target = local.idp_fqdn
weight = 100
port = 88
target = local.idp_fqdn
}
}
resource "cloudflare_record" "kerberos_tcp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
data {
service = "_kerberos"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
service = "_kerberos"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
priority = 0
weight = 100
port = 88
target = local.idp_fqdn
weight = 100
port = 88
target = local.idp_fqdn
}
}
resource "cloudflare_record" "kerberos_udp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
data {
service = "_kerberos"
proto = "_udp"
name = cloudflare_zone.gensokyo-zone_zone.zone
service = "_kerberos"
proto = "_udp"
name = cloudflare_zone.gensokyo-zone_zone.zone
priority = 0
weight = 100
port = 88
target = local.idp_fqdn
weight = 100
port = 88
target = local.idp_fqdn
}
}
resource "cloudflare_record" "kerberos_txt" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kerberos"
type = "TXT"
ttl = 3600
value = "GENSOKYO.ZONE"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kerberos"
type = "TXT"
ttl = 3600
value = "GENSOKYO.ZONE"
}
resource "cloudflare_record" "kerberos_uri_tcp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kerberos"
type = "URI"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kerberos"
type = "URI"
priority = 0
data {
weight = 100
weight = 100
content = "krb5srv:m:tcp:${local.idp_fqdn}."
}
ttl = 3600
}
resource "cloudflare_record" "kerberos_uri_udp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kerberos"
type = "URI"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kerberos"
type = "URI"
priority = 0
data {
weight = 100
weight = 100
content = "krb5srv:m:udp:${local.idp_fqdn}."
}
ttl = 3600
}
resource "cloudflare_record" "kpasswd_tcp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
data {
service = "_kpasswd"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
service = "_kpasswd"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
priority = 0
weight = 100
port = 464
target = local.idp_fqdn
weight = 100
port = 464
target = local.idp_fqdn
}
}
resource "cloudflare_record" "kpasswd_udp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
data {
service = "_kpasswd"
proto = "_udp"
name = cloudflare_zone.gensokyo-zone_zone.zone
service = "_kpasswd"
proto = "_udp"
name = cloudflare_zone.gensokyo-zone_zone.zone
priority = 0
weight = 100
port = 464
target = local.idp_fqdn
weight = 100
port = 464
target = local.idp_fqdn
}
}
resource "cloudflare_record" "kpasswd_uri_tcp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kpasswd"
type = "URI"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kpasswd"
type = "URI"
priority = 0
data {
weight = 100
weight = 100
content = "krb5srv:m:tcp:${local.idp_fqdn}."
}
ttl = 3600
}
resource "cloudflare_record" "kpasswd_uri_udp" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kpasswd"
type = "URI"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "_kpasswd"
type = "URI"
priority = 0
data {
weight = 100
weight = 100
content = "krb5srv:m:udp:${local.idp_fqdn}."
}
ttl = 3600
}
resource "cloudflare_record" "ldap" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "@"
type = "SRV"
ttl = 3600
data {
service = "_ldap"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
service = "_ldap"
proto = "_tcp"
name = cloudflare_zone.gensokyo-zone_zone.zone
priority = 0
weight = 100
port = 389
target = local.idp_fqdn
weight = 100
port = 389
target = local.idp_fqdn
}
}
resource "cloudflare_record" "idp-ca" {
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "idp-ca"
type = "CNAME"
ttl = 60
value = local.idp_fqdn
zone_id = cloudflare_zone.gensokyo-zone_zone.id
name = "idp-ca"
type = "CNAME"
ttl = 60
value = local.idp_fqdn
}


@ -33,7 +33,6 @@ module "hakurei_system_records" {
"freeipa",
"ldap",
"pbx",
"sso",
"smb",
"kitchen",
"yt",
@ -54,11 +53,12 @@ module "reimu_system_records" {
}
module "keycloak_system_records" {
source = "./system/records"
name = "keycloak"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
local_v4 = "10.1.1.48"
source = "./system/records"
name = "keycloak"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
local_v4 = "10.1.1.48"
local_v6 = "fd0a::be24:11ff:fec4:66ac"
}
module "aya_system_records" {
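Review bot: The new `local_v6 = "fd0a::be24:11ff:fec4:66ac"` in the keycloak records block, like the `local_v4 = "10.1.1.48"` beside it, is a private (ULA / RFC 1918) address handed to a module that is given the public `cloudflare_zone.gensokyo-zone_zone.id`; if that module publishes them as A/AAAA records, the IdP host's internal addressing is exposed in public DNS, and the `be24:11ff:fe` suffix looks EUI-64-derived from a BC:24:11 MAC (the same prefix used on the network_device blocks elsewhere in this commit), so the container MAC is recoverable as well. Whether these records are split-horizon or intentionally public is not visible from this hunk, so a comment on the module call stating the intent, e.g. `# local_v4/local_v6 are published unproxied for LAN clients only`, would make the exposure deliberate rather than accidental. Note also that `"sso"` is removed from hakurei here while the same hostname is added to the keycloak tunnel in another file, so the destroy/create ordering of the old and new records under one apply should be checked.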


@ -28,6 +28,36 @@ output "cloudflare_tunnel_cname_hakurei" {
value = module.hakurei.cname
}
variable "cloudflare_tunnel_secret_keycloak" {
type = string
sensitive = true
}
module "keycloak" {
source = "./tunnel"
name = "keycloak"
secret = var.cloudflare_tunnel_secret_keycloak
account_id = var.cloudflare_account_id
zone_id = cloudflare_zone.gensokyo-zone_zone.id
subdomains = [
"sso",
"login",
]
}
output "cloudflare_tunnel_id_keycloak" {
value = module.keycloak.id
}
output "cloudflare_tunnel_token_keycloak" {
value = module.keycloak.token
sensitive = true
}
output "cloudflare_tunnel_cname_keycloak" {
value = module.keycloak.cname
}
variable "cloudflare_tunnel_secret_tewi" {
type = string
sensitive = true
@ -42,7 +72,6 @@ module "tewi" {
subdomains = [
"home",
"id",
"login",
"z2m",
"unifi",
]
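Review bot: `module "keycloak"` exposes `sso` and `login` through a Cloudflare Tunnel, but nothing in the hunk limits which Keycloak paths are reachable; if the tunnel's ingress forwards the whole origin, the admin console (`/admin`) becomes internet-facing with only Keycloak's own login in front of it. The tunnel module's ingress rules are not visible here, so a Cloudflare Access policy or a path-level restriction should be confirmed, and a comment on the module call recording the decision, e.g. `# /admin is gated by a Cloudflare Access policy, not by this tunnel alone`, would help the next reader. `sensitive = true` on `cloudflare_tunnel_token_keycloak` only redacts CLI output; the token and `var.cloudflare_tunnel_secret_keycloak` still land in plaintext in the Terraform state, so the state backend's access control is the real boundary. Keycloak behind the tunnel will also see only cloudflared's source address, so its forwarded-header / proxy trust setting needs to match, or brute-force detection and audit logs will attribute every login attempt to the tunnel host.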


@ -4,9 +4,10 @@ variable "proxmox_container_template" {
}
locals {
proxmox_keycloak_vm_id = 107
proxmox_litterbox_vm_id = 106
proxmox_litterbox_config = jsondecode(file("${path.root}/../systems/litterbox/lxc.json"))
proxmox_keycloak_vm_id = 107
proxmox_keycloak_config = jsondecode(file("${path.root}/../systems/keycloak/lxc.json"))
proxmox_litterbox_vm_id = 106
proxmox_litterbox_config = jsondecode(file("${path.root}/../systems/litterbox/lxc.json"))
proxmox_aya_vm_id = 105
proxmox_aya_config = jsondecode(file("${path.root}/../systems/aya/lxc.json"))
proxmox_reimu_vm_id = 104
@ -367,7 +368,7 @@ EOT
}
network_device {
bridge = "vmbr0"
bridge = "vmbr0"
mac_address = "BC:24:11:3D:39:91"
}
@ -493,7 +494,7 @@ EOT
}
network_device {
bridge = "vmbr0"
bridge = "vmbr0"
mac_address = "BC:24:11:33:19:04"
}
@ -573,3 +574,10 @@ EOT
ignore_changes = [started, unprivileged, initialization[0].dns, operating_system[0].template_file_id]
}
}
module "keycloak_config" {
source = "./system/proxmox/lxc/config"
connection = local.proxmox_reisen_connection
container = proxmox_virtual_environment_container.keycloak
config = local.proxmox_keycloak_config.lxc
}
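Review bot: `module "keycloak_config"` pushes `local.proxmox_keycloak_config.lxc`, i.e. whatever `systems/keycloak/lxc.json` holds, straight into the container's LXC config over `local.proxmox_reisen_connection`; raw `lxc.*` keys can add bind mounts, capabilities and AppArmor overrides, so the module call should state what the file is allowed to set, e.g. `# applies lxc.* overrides from systems/keycloak/lxc.json (idmap/mounts only; no cap or apparmor changes)`, adjusted to what that file actually contains, which is not visible here. The `ignore_changes = [started, unprivileged, ...]` in the context lines above means that if the container is later switched to privileged out of band, Terraform will not revert it, which deserves a note given this host is the identity provider. The `proxmox_virtual_environment_container.keycloak` resource the module references is defined outside this hunk.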


@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data: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,iv:8whKSRvl1YFYXfZQpVTqrdUHcTg0Ar1vJygWG1cp2xc=,tag:uty8o9zad3AvS1teVSIDOg==,type:str]",
"data": "ENC[AES256_GCM,data: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,iv:6vdvCs0371Zr1d/C6KHZkATVLFJRyyWuwtqEP8SkouU=,tag:QYh+Ufu8YIvvziHGLt/FZw==,type:str]",
"sops": {
"shamir_threshold": 1,
"kms": null,
@ -7,8 +7,8 @@
"azure_kv": null,
"hc_vault": null,
"age": null,
"lastmodified": "2024-03-04T16:53:42Z",
"mac": "ENC[AES256_GCM,data:5L+DYEvVmO8RCQ7+dQVf9FT8Fud2Xys/xoo3s8UDS4a1H/dNTbPa9F4M5Tj8zVkVzms0+yerivpgl//LWteuXFWjHuT39Tcg8g5HCtHjijQz3bMcxp7Tx3CbrylK71ljO0LK6IeMF96s7B8VmfpueC5lmzmPUGFqaKZFtHGXhlg=,iv:bOjioDXBsQ0O+W5gArDm7W91LZWCzRAat0NYHnoqSEg=,tag:gIj85XVMKHt9zuPdZw15mQ==,type:str]",
"lastmodified": "2024-03-19T01:44:48Z",
"mac": "ENC[AES256_GCM,data:c+4WUmXEs1r6C1riHHsMAwRyjf5Z58l1/f03Jc8L+komJevGpbSNTxBad3GOHnvFHB4M7ONZehlkEmaXEmTMJUN2LUs4ULU3wsRe/tD1BXs06Ktx8zuW3ym8ND/kfsu17/O5v951iZpDWWuk+ACsu4dnEDeIg27yXviUg4k3BVw=,iv:cVUlvEsXv8AAeDkw+B7aPNo+TQtNzUjO4lZHKge7pg8=,tag:WSRAk1xlVw8TaCxToAYr1g==,type:str]",
"pgp": [
{
"created_at": "2024-01-14T19:49:29Z",