feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu> Co-Authored-by: Ryan Lahfa <raito@lix.systems> Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519
2025-01-06 01:06:47 +01:00 · 2025-01-06 01:06:47 +01:00 · a52ea3675c
commit a52ea3675c
parent 067eff3427
124 changed files with 27723 additions and 1631 deletions
--- a/ops/keycloak/clients.tf
+++ b/ops/keycloak/clients.tf
@ -1,48 +1,82 @@
 # All Keycloak clients, that is applications which authenticate
 # through Keycloak.
 #
-# Includes first-party (i.e. TVL-hosted) and third-party clients.
+# Includes first-party (i.e. snix-hosted) and third-party clients.

 resource "keycloak_openid_client" "grafana" {
-  realm_id              = keycloak_realm.tvl.id
+  realm_id              = keycloak_realm.snix.id
  client_id             = "grafana"
  name                  = "Grafana"
  enabled               = true
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
-  base_url              = "https://status.tvl.su"
+  base_url              = "https://status.snix.dev"
+  full_scope_allowed    = true

  valid_redirect_uris = [
-    "https://status.tvl.su/*",
+    "https://status.snix.dev/*",
+  ]
+}
+
+resource "keycloak_openid_client_default_scopes" "grafana_default_scopes" {
+  realm_id  = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.grafana.id
+
+  default_scopes = [
+    "profile",
+    "email",
+    "roles",
+    "web-origins",
  ]
 }

 resource "keycloak_openid_client" "gerrit" {
-  realm_id                                 = keycloak_realm.tvl.id
+  realm_id                                 = keycloak_realm.snix.id
  client_id                                = "gerrit"
-  name                                     = "TVL Gerrit"
+  name                                     = "snix Gerrit"
  enabled                                  = true
  access_type                              = "CONFIDENTIAL"
  standard_flow_enabled                    = true
-  base_url                                 = "https://cl.tvl.fyi"
-  description                              = "TVL's code review tool"
+  base_url                                 = "https://cl.snix.dev"
+  description                              = "snix project's code review tool"
  direct_access_grants_enabled             = true
  exclude_session_state_from_auth_response = false

  valid_redirect_uris = [
-    "https://cl.tvl.fyi/*",
+    "https://cl.snix.dev/*",
  ]

  web_origins = [
-    "https://cl.tvl.fyi",
+    "https://cl.snix.dev",
+  ]
+}
+
+resource "keycloak_openid_client" "forgejo" {
+  realm_id                                 = keycloak_realm.snix.id
+  client_id                                = "forgejo"
+  name                                     = "snix Forgejo"
+  enabled                                  = true
+  access_type                              = "CONFIDENTIAL"
+  standard_flow_enabled                    = true
+  base_url                                 = "https://git.snix.dev"
+  description                              = "snix project's code browsing, search and issue tracker"
+  direct_access_grants_enabled             = true
+  exclude_session_state_from_auth_response = false
+
+  valid_redirect_uris = [
+    "https://git.snix.dev/*",
+  ]
+
+  web_origins = [
+    "https://git.snix.dev",
  ]
 }

 resource "keycloak_saml_client" "buildkite" {
-  realm_id  = keycloak_realm.tvl.id
+  realm_id  = keycloak_realm.snix.id
  client_id = "https://buildkite.com"
  name      = "Buildkite"
-  base_url  = "https://buildkite.com/sso/tvl"
+  base_url  = "https://buildkite.com/sso/snix"

  client_signature_required   = false
  assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
@ -53,7 +87,7 @@ resource "keycloak_saml_client" "buildkite" {
 }

 resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
-  realm_id                   = keycloak_realm.tvl.id
+  realm_id                   = keycloak_realm.snix.id
  client_id                  = keycloak_saml_client.buildkite.id
  name                       = "buildkite-email-mapper"
  user_attribute             = "email"
@ -62,24 +96,10 @@ resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
 }

 resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
-  realm_id                   = keycloak_realm.tvl.id
+  realm_id                   = keycloak_realm.snix.id
  client_id                  = keycloak_saml_client.buildkite.id
  name                       = "buildkite-name-mapper"
  user_attribute             = "displayName"
  saml_attribute_name        = "name"
  saml_attribute_name_format = "Unspecified"
 }
-
-resource "keycloak_openid_client" "panettone" {
-  realm_id              = keycloak_realm.tvl.id
-  client_id             = "panettone"
-  name                  = "Panettone"
-  enabled               = true
-  access_type           = "CONFIDENTIAL"
-  standard_flow_enabled = true
-
-  valid_redirect_uris = [
-    "https://b.tvl.fyi/auth",
-    "http://localhost:6161/auth",
-  ]
-}
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@ -1,6 +1,4 @@
-# Configure TVL Keycloak instance.
-#
-# TODO(tazjin): Configure GitLab IDP
+# Configure snix's Keycloak instance.

 terraform {
  required_providers {
@ -11,43 +9,37 @@ terraform {

  backend "s3" {
    endpoints = {
-      s3 = "https://objects.dc-sto1.glesys.net"
+      s3 = "https://s3.dualstack.eu-central-1.amazonaws.com"
    }
-    bucket = "tvl-state"
-    key    = "terraform/tvl-keycloak"
-    region = "glesys"
+
+    bucket = "snix-tfstate"
+    key    = "terraform/snix-keycloak"
+    region = "eu-central-1"

    skip_credentials_validation = true
-    skip_region_validation      = true
-    skip_metadata_api_check     = true
+    skip_metadata_api_check = true
    skip_requesting_account_id  = true
-    skip_s3_checksum            = true
  }
 }

 provider "keycloak" {
  client_id = "terraform"
-  url       = "https://auth.tvl.fyi"
-  # NOTE: Docs mention this applies to "users of the legacy distribution of keycloak".
-  # However, we get a "failed to perform initial login to Keycloak: error
-  # sending POST request to https://auth.tvl.fyi/realms/master/protocol/openid-connect/token: 404 Not Found"
-  # if we don't set this.
-  base_path = "/auth"
+  url       = "https://auth.snix.dev"
 }

-resource "keycloak_realm" "tvl" {
-  realm                       = "TVL"
+resource "keycloak_realm" "snix" {
+  realm                       = "snix-project"
  enabled                     = true
-  display_name                = "The Virus Lounge"
+  display_name                = "The snix project"
  default_signature_algorithm = "RS256"

-  smtp_server {
-    from              = "tvlbot@tazj.in"
-    from_display_name = "The Virus Lounge"
-    host              = "127.0.0.1"
-    port              = "25"
-    reply_to          = "depot@tvl.su"
-    ssl               = false
-    starttls          = false
-  }
+  # smtp_server {
+  #   from              = "tvlbot@tazj.in"
+  #   from_display_name = "The Virus Lounge"
+  #   host              = "127.0.0.1"
+  #   port              = "25"
+  #   reply_to          = "depot@tvl.su"
+  #   ssl               = false
+  #   starttls          = false
+  # }
 }
--- a/ops/keycloak/permissions.tf
+++ b/ops/keycloak/permissions.tf
@ -0,0 +1,100 @@
+# This sets the permissions for various groups and users.
+
+# TODO: Realm-level composite roles
+# resource "keycloak_role" "is_local_admin" {
+#   composite_roles = [
+#     keycloak_role.blablabla.id
+#   ]
+# }
+# 
+# resource "keycloak_role" "can_manage_trusted_contributors" {
+# }
+# 
+# # WARNING: This give PII access to the user.
+# resource "keycloak_role" "can_manage_snix" {
+# }
+
+# Realm-level groups to bestow to users.
+resource "keycloak_group" "snix_core_team" {
+  realm_id    = keycloak_realm.snix.id
+  name        = "snix core team"
+}
+
+resource "keycloak_group_roles" "snix_core_team_roles" {
+  realm_id    = keycloak_realm.snix.id
+  group_id    = keycloak_group.snix_core_team.id
+
+  role_ids = [
+    # keycloak_role.is_local_admin,
+    # keycloak_role.can_manage_snix,
+    keycloak_role.grafana_admin.id,
+    # keycloak_role.forgejo_admin.id,
+    # keycloak_role.gerrit_admin.id
+    # keycloak_role.wiki_admin.id
+  ]
+}
+
+resource "keycloak_group_memberships" "snix_core_team_members" {
+  realm_id    = keycloak_realm.snix.id
+  group_id    = keycloak_group.snix_core_team.id
+
+  members = [
+    "raitobezarius",
+    "edef"
+  ]
+}
+
+resource "keycloak_group" "trusted_contributors" {
+  name        = "trusted contributors"
+  realm_id    = keycloak_realm.snix.id
+
+}
+
+resource "keycloak_group_roles" "trusted_contributors_roles" {
+  realm_id    = keycloak_realm.snix.id
+  group_id    = keycloak_group.trusted_contributors.id
+
+  role_ids = [
+    keycloak_role.grafana_editor.id
+  ]
+}
+
+resource "keycloak_group" "wiki_editors" {
+  name        = "wiki editors"
+  realm_id    = keycloak_realm.snix.id
+}
+
+# Application-level roles.
+
+# Grafana
+
+resource "keycloak_role" "grafana_editor" {
+  realm_id    = keycloak_realm.snix.id
+  client_id   = keycloak_openid_client.grafana.id
+  name        = "Editor"
+  description = "Can edit things in Grafana"
+}
+
+resource "keycloak_role" "grafana_admin" {
+  realm_id    = keycloak_realm.snix.id
+  client_id   = keycloak_openid_client.grafana.id
+  name        = "Admin"
+  description = "Can admin things in Grafana"
+}
+
+# TODO:
+# Forgejo
+
+# resource "keycloak_role" "forgejo_admin" {
+# }
+# 
+# resource "keycloak_role" "forgejo_trusted_contributor" {
+# }
+# 
+# # Gerrit
+# 
+# resource "keycloak_role" "gerrit_admin" {
+# }
+# 
+# resource "keycloak_role" "gerrit_trusted_contributor" {
+# }
--- a/ops/keycloak/user_sources.tf
+++ b/ops/keycloak/user_sources.tf
@ -6,44 +6,20 @@ variable "github_client_secret" {
  type = string
 }

-resource "keycloak_ldap_user_federation" "tvl_ldap" {
-  name                    = "tvl-ldap"
-  realm_id                = keycloak_realm.tvl.id
-  enabled                 = true
-  connection_url          = "ldap://localhost"
-  users_dn                = "ou=users,dc=tvl,dc=fyi"
-  username_ldap_attribute = "cn"
-  uuid_ldap_attribute     = "cn"
-  rdn_ldap_attribute      = "cn"
-  full_sync_period        = 86400
-  trust_email             = true
-
-  user_object_classes = [
-    "inetOrgPerson",
-    "organizationalPerson",
-  ]
-
-  lifecycle {
-    # Without this, terraform wants to recreate the resource.
-    ignore_changes = [
-      delete_default_mappers
-    ]
-  }
-}
-
 # keycloak_oidc_identity_provider.github will be destroyed
 # (because keycloak_oidc_identity_provider.github is not in configuration)
 resource "keycloak_oidc_identity_provider" "github" {
  alias                 = "github"
  provider_id           = "github"
-  client_id             = "Iv23liXfGNIr7InMg5Uo"
+  client_id             = "Ov23liKpXqs0aPaVgDpg"
  client_secret         = var.github_client_secret
-  realm                 = keycloak_realm.tvl.id
+  realm                 = keycloak_realm.snix.id
  backchannel_supported = false
  gui_order             = "1"
  store_token           = false
  sync_mode             = "IMPORT"
  trust_email           = true
+  default_scopes        = "openid user:email"

  # These default to built-in values for the `github` provider_id.
  authorization_url = ""