Use tailscale to allow ssh access to gitea

2025-05-23 00:15:04 +10:00
parent 3f70bc62d3
commit c1aeb11354
5 changed files with 97 additions and 14 deletions


@@ -16,6 +16,23 @@ provider "registry.terraform.io/carlpett/sops" {
] ]
} }
provider "registry.terraform.io/cloudflare/cloudflare" {
version = "5.5.0"
constraints = "~> 5.0"
hashes = [
"h1:wZhU174xytOMZ1t6uDUQiLtR/XKpi2RH9OzMz0XqP9Q=",
"zh:178f29dee2edac39252780819f34004b1841770c61ee7fb5a625afaece6495cd",
"zh:6faf26203167ae20ca5c8ece4a8bb1c4187137505058fb7b1a4bd5095823e648",
"zh:97c91a95819336b8c41618919786ddd2dca643d28219d52af1d80b88018c6eec",
"zh:bbc53670fc2613e3fe81b5bf7b8674c5ad083a206fa8af34f0f055a8d06b2d01",
"zh:d305bcb01249ada21b80e5038e371f6ca0a60d95d7052df82456e4c4963f3bfc",
"zh:e2f9db57ead7100676b790a3e4567d88443fae0e19127e66b3505210de93e4b5",
"zh:eb8cef2e6cbf05237b8a2f229314ae12c792ed5f8f60fe180102bdf17dc30841",
"zh:f51a5bb0130d2f42772988ee56723f176aa230701184a0f5598dbb1c7b4c3906",
"zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32",
]
}
provider "registry.terraform.io/cyrilgdn/postgresql" { provider "registry.terraform.io/cyrilgdn/postgresql" {
version = "1.25.0" version = "1.25.0"
hashes = [ hashes = [


@@ -10,6 +10,10 @@ terraform {
source = "carlpett/sops" source = "carlpett/sops"
version = "~> 0.5" version = "~> 0.5"
} }
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 5"
}
postgresql = { postgresql = {
source = "cyrilgdn/postgresql" source = "cyrilgdn/postgresql"
} }
@@ -24,8 +28,32 @@ data "sops_file" "secrets" {
source_file = "secrets.enc.json" source_file = "secrets.enc.json"
} }
provider "cloudflare" {
api_token = data.sops_file.secrets.data["cloudflare.api_token"]
}
// Networking // Networking
resource "cloudflare_dns_record" "othrayte-one" {
comment = "othrayte.one proxy to internal IP for traefik"
zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
type = "AAAA"
name = "othrayte.one"
content = data.sops_file.secrets.data["cloudflare.direct_ip6"]
proxied = true
ttl = 1 # Auto
}
resource "cloudflare_dns_record" "star-othrayte-one" {
comment = "*.othrayte.one proxy to internal IP for traefik"
zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
type = "AAAA"
name = "*"
content = data.sops_file.secrets.data["cloudflare.direct_ip6"]
proxied = true
ttl = 1 # Auto
}
resource "nomad_job" "traefik" { resource "nomad_job" "traefik" {
jobspec = file("traefik.nomad.hcl") jobspec = file("traefik.nomad.hcl")
} }


@@ -58,8 +58,19 @@ resource "nomad_csi_volume_registration" "unraid_appdata_transferfilebrowser" {
} }
} }
resource "cloudflare_dns_record" "git-othrayte-one" {
comment = "git.othrayte.one maps to tailscale fqdn"
zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
type = "CNAME"
name = "git"
content = "git.tail15856.ts.net"
ttl = 1 # Auto
}
resource "nomad_job" "gitea" { resource "nomad_job" "gitea" {
jobspec = file("gitea.nomad.hcl") jobspec = templatefile("gitea.nomad.hcl", {
ts_authkey = data.sops_file.secrets.data["tailscale.auth_key"]
})
} }
resource "nomad_variable" "gitea" { resource "nomad_variable" "gitea" {
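Review bot: The Tailscale auth key is interpolated straight into the job spec by `templatefile("gitea.nomad.hcl", { ts_authkey = ... })`, so the plaintext key becomes part of the submitted Nomad job definition and is readable through `nomad job inspect` or the jobs API by anyone with job read access, on top of living in Terraform state. Since this file already manages a `nomad_variable "gitea"` (that resource begins on the last line of the hunk and continues outside it), consider putting `tailscale.auth_key` there and rendering it into the task with a Nomad `template` stanza instead of baking it into the spec. Note also that switching from `file()` to `templatefile()` makes Terraform interpret every `${...}` in gitea.nomad.hcl as an interpolation, so any Nomad runtime references in that file would need escaping as `$${...}` — the rest of the file is not visible here, so I can't confirm whether any exist. The new `git` CNAME omits `proxied`; an explicit `proxied = false # SSH must reach the tailnet node directly, not the Cloudflare proxy` would document why it differs from the proxied records in main.tf.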


@@ -1,7 +1,3 @@
# TODOs
# - Map /data/ to unraid appdata
# - Move database config to /data/gitea/conf/app.ini (where it would be copied on first run)
job "gitea" { job "gitea" {
group "gitea" { group "gitea" {
network { network {
@@ -33,12 +29,12 @@ job "gitea" {
"traefik.http.routers.gitea.middlewares=auth@file", "traefik.http.routers.gitea.middlewares=auth@file",
] ]
# check { check {
# type = "http" type = "http"
# path = "/" path = "/"
# interval = "10s" interval = "10s"
# timeout = "2s" timeout = "2s"
# } }
} }
task "gitea" { task "gitea" {
@@ -59,7 +55,7 @@ job "gitea" {
resources { resources {
cpu = 500 cpu = 500
memory = 256 memory = 512
} }
volume_mount { volume_mount {
@@ -85,6 +81,7 @@ ROOT = /data/git/repositories
[server] [server]
DOMAIN = code.othrayte.one DOMAIN = code.othrayte.one
SSH_DOMAIN = git.othrayte.one
ROOT_URL = https://code.othrayte.one/ ROOT_URL = https://code.othrayte.one/
[lfs] [lfs]
@@ -107,6 +104,29 @@ EOF
} }
} }
task "tailscale" {
driver = "docker"
config {
image = "tailscale/tailscale:latest"
}
env = {
TS_AUTHKEY = "${ts_authkey}"
TS_HOSTNAME = "git"
}
resources {
cpu = 100
memory = 64
}
lifecycle {
hook = "prestart"
sidecar = true
}
}
volume "unraid_appdata_gitea" { volume "unraid_appdata_gitea" {
type = "csi" type = "csi"
read_only = false read_only = false
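Review bot: The new `tailscale` task uses an unpinned image, `tailscale/tailscale:latest`, and keeps no persistent state: nothing in its `env` sets `TS_STATE_DIR` and there is no `volume_mount`, so every allocation restart appears to start a fresh tailscaled that must re-register with the auth key (which therefore has to be reusable) and, depending on tailnet settings, may register as a new machine, which would break the `git.tail15856.ts.net` name the CNAME in gitea.tf depends on. Suggest pinning the tag, `image = "tailscale/tailscale:<pinned version>"`, and adding `TS_STATE_DIR = "/var/lib/tailscale"` together with a `volume_mount` of persistent storage at that path. `TS_AUTHKEY = "${ts_authkey}"` also means the key is visible in the rendered job spec and in the task's environment; a Nomad `template` block with `env = true` that reads the key from a Nomad variable would keep it out of the job definition. The group `network` block and the rest of `job "gitea"` are outside these hunks, so I can't confirm the sidecar shares a network namespace with the `gitea` task, which it needs in order to be reachable as the SSH endpoint the `SSH_DOMAIN = git.othrayte.one` setting advertises.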


@@ -2,6 +2,13 @@
"unraid": { "unraid": {
"nomad": "ENC[AES256_GCM,data:FCGEs+XCSuunLxVPyzE=,iv:j8Ey+l8iJiPY7CbE5IoT0ZgNklnv+4odSZkorJQ/nr8=,tag:7PoizENid+vgWC/eb5MOaQ==,type:str]" "nomad": "ENC[AES256_GCM,data:FCGEs+XCSuunLxVPyzE=,iv:j8Ey+l8iJiPY7CbE5IoT0ZgNklnv+4odSZkorJQ/nr8=,tag:7PoizENid+vgWC/eb5MOaQ==,type:str]"
}, },
"cloudflare": {
"api_token": "ENC[AES256_GCM,data:445wM+3yHRnMfiAHuBg3dWzLA3jB0dpNBaHrxl1bb036sFZnzN+gOg==,iv:g8tMdxY8XFTPA2W8/RtMtDhnyCzNLY6dJDWWC2ZeIZQ=,tag:04uf/y3DWY3HIXOJ2HenJw==,type:str]",
"direct_ip6": "ENC[AES256_GCM,data:/yDwQJHmcwD6nULnRFdn9aSVY1rQUic+,iv:5YBevwSrZzsqdoo5K8Wv6R4nxmWoCFa9NLP35Y+wtLw=,tag:+5F0SlVo5D4ZoMcKzaODRQ==,type:str]"
},
"tailscale": {
"auth_key": "ENC[AES256_GCM,data:gzh4nqEOQLijp5DTGHHSn0aO1mFQUB3sVSdAVDLG+a2H6XJ0BtJJGU55oLJURy7E/um7gzwDofP5mwZGTA==,iv:yl8lHqnNLB2AXlBfMyw/0CAR7+KmyKKDFc7kxbo9S6c=,tag:CunYd62x3omji6ozqmhgOg==,type:str]"
},
"authelia": { "authelia": {
"session_secret": "ENC[AES256_GCM,data:gPVSGzU00EjuW/NDD9bpsc+4DQ==,iv:IRzSKqfv2Quaj1bzrFaK0glCKEPrle+uI8fq/1HFi60=,tag:loiTEpEBGBwQETRWpOffNg==,type:str]", "session_secret": "ENC[AES256_GCM,data:gPVSGzU00EjuW/NDD9bpsc+4DQ==,iv:IRzSKqfv2Quaj1bzrFaK0glCKEPrle+uI8fq/1HFi60=,tag:loiTEpEBGBwQETRWpOffNg==,type:str]",
"jwt_secret": "ENC[AES256_GCM,data:7Q/0M5IY0vLsgCE0z78L,iv:f6GymDrq2/NlKJuMNnDDmG2GUAzhonNa8LXlr0x1elw=,tag:1ITT9WmD3UOP30AjYEkLJQ==,type:str]", "jwt_secret": "ENC[AES256_GCM,data:7Q/0M5IY0vLsgCE0z78L,iv:f6GymDrq2/NlKJuMNnDDmG2GUAzhonNa8LXlr0x1elw=,tag:1ITT9WmD3UOP30AjYEkLJQ==,type:str]",
@@ -21,8 +28,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-05-19T12:11:30Z", "lastmodified": "2025-05-22T14:03:49Z",
"mac": "ENC[AES256_GCM,data:BjUuMWp3bE0iHLZZ9lHh/sSKSDF3sBgRr4CmKKqjXaY1CJ6k9wESgZmxjT2FOTfzJ5tZaBXdm4WKwagE6frke0eNfYDIWC+FQfX/4geUe8OyQFW/22i7I60uS4bVv9PAO/JJKTNCZxOdtLsK7fZ8rS4Jve9mAdhEbKfPmQHIiy4=,iv:cqi4rpbJLxLr8zjKrx80mKJBbSuU1D0XjUbBg1CYDRk=,tag:+8Hl9WQ2ZUY6BPMw/GMtpQ==,type:str]", "mac": "ENC[AES256_GCM,data:gRzCl7GS4ywePISLFcR4bd+D8lg+2ZNDpF1QEKS/VZmRZW42NIQT+xiNg7cX7QYYnMyAjckYVGXFlK2/INzHGHWZhuP7pREt9zVCFAXaDZ6s1FVV1ee59u9VdZX7mzUESxvUWEPYvrkbDPtTC6U0x67rihBj/oIc7tGCWt7EoyY=,iv:UVZPZiByRFb1gFL+n1NkokEuDPXaYPbTBhKhraUWOD4=,tag:prVhsjnUswTW9aHz8Xu9IA==,type:str]",
"encrypted_regex": "^(.*)$", "encrypted_regex": "^(.*)$",
"version": "3.10.2" "version": "3.10.2"
} }