distrust-stack/infra/main/main.tf

variable "environment" {}
variable "namespace" {}
variable "region" {}
variable "out_dir" {
  type    = string
  default = "../../out"
}

resource "random_id" "suffix" {
  byte_length = 8
}

data "digitalocean_region" "provided" {
  slug = var.region
}

resource "digitalocean_custom_image" "talos" {
  name = "talos"
  url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz"
  # this gets reset by DigitalOcean otherwise
  distribution = "Unknown OS"
  regions = [data.digitalocean_region.provided.slug]
}

resource "digitalocean_vpc" "main" {
  name = "talos"
  region = data.digitalocean_region.provided.slug
  # Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium
  ip_range = "192.168.0.0/16"
}

module "digitalocean_talos_cluster" {
  source = "../../terraform_modules/digitalocean_talos_cluster"

  talos_cluster_name = "distrust"
  talos_image = digitalocean_custom_image.talos.image_id
  talos_config_directory = "talos"
  control_plane_pool = {
    count = 1,
    size = "s-4vcpu-8gb",
  }
  worker_pools = [{
    name = "primary",
    count = 2,
    size = "s-2vcpu-4gb",
  }]
  vpc_id = digitalocean_vpc.main.id
  digitalocean_region = data.digitalocean_region.provided.slug
}

module "digitalocean_database_cluster" {
  source = "../../terraform_modules/digitalocean_database_cluster"

  cluster_name = "distrust"
  db_engine = "pg"
  db_version = "15"
  size = "db-s-1vcpu-2gb"
  node_count = 1

  databases = [{
    name = "keycloak",
    create_default_superuser = true,
  }, {
    name = "forgejo",
    create_default_superuser = true,
  }, {
    # We're creating this database, but then need to delete and recreate manually with LOCALE=C. Otherwise synapse won't work
    # CREATE DATABASE synapse WITH template=template0 owner=doadmin locale="C" encoding=UTF8;
    # GRANT ALL ON DATABASE synapse TO synapse;
    name = "synapse",
    create_default_superuser = true,
  }, {
    name = "telegram",
    create_default_superuser = true,
  }, {
    name = "slack",
    create_default_superuser = true,
  }, {
    name = "media_repo",
    create_default_superuser = true,
  }]

  vpc_id = digitalocean_vpc.main.id
  digitalocean_region = data.digitalocean_region.provided.slug
}

resource "digitalocean_spaces_bucket" "matrix_media_repo" {
  name = "${var.namespace}-${var.environment}-distrust-media-repo"
  region = var.region
}

locals {
  database_host = module.digitalocean_database_cluster.database_cluster.private_host
  database_port = module.digitalocean_database_cluster.database_cluster.port
  database_jdbc_uri_prefix = join("", [
    "jdbc:postgresql://",
    module.digitalocean_database_cluster.database_cluster.private_host,
    ":",
    module.digitalocean_database_cluster.database_cluster.port,
  ])
}

# `jq .database_users.value.forgejo | sops --encrypt`
output "database_users" {
  value = {
    for db_user in module.digitalocean_database_cluster.database_users:
    db_user.name => {
      apiVersion = "v1",
      kind = "Secret",
      metadata = {
        name = "database-configuration",
      },
      stringData = {
        name = db_user.name,
        dbname = db_user.name,
        host = local.database_host,
        port = tostring(local.database_port),
        password = db_user.password,
        # Forgejo, they call it "host"
        address = join(":", [local.database_host, local.database_port]),
        # Keycloak
        jdbc_url = "${local.database_jdbc_uri_prefix}/${db_user.name}?sslmode=require",
      }
    }
  }
  sensitive = true
}

output "database" {
  value = module.digitalocean_database_cluster.database_cluster
  sensitive = true
}

output "vpc_id" {
  value = digitalocean_vpc.main.id
}