Add penpot, upgrade authentik and add new network to README.md

2025-11-12 14:08:34 +00:00
parent eb9d52445e
commit a7e442ff10
5 changed files with 206 additions and 2 deletions
@@ -74,6 +74,7 @@ You get 6 usable host addresses per internal network, to find the usable address
 | Pelican                  | .8 - .15         |
 | Coder                    | .16 - .23        |
 | Tandoor                  | .24 - .31        |
+| Penpot                   | .32 - .39        |

 ## Configuration

@@ -1,8 +1,8 @@

 variable "image_tag" {
-  description = "The tag for the authentik container image. Default: 2025.8.1"
+  description = "The tag for the authentik container image. Default: 2025.10"
  type        = string
-  default     = "2025.8.1"
+  default     = "2025.10"
 }

 variable "redis_image_tag" {
@@ -0,0 +1,7 @@
+POSTGRES_USER=penpot
+POSTGRES_PASSWORD=penpot
+POSTGRES_DB=penpot
+PENPOT_SECRET_KEY=
+PENPOT_OIDC_CLIENT_ID=
+PENPOT_OIDC_BASE_URI=
+PENPOT_OIDC_ROLES="admin user"
@@ -0,0 +1,150 @@
+terraform {
+  required_providers {
+    dotenv = {
+      source = "germanbrew/dotenv"
+    }
+  }
+}
+
+locals {
+    container_name             = "penpot"
+    penpot_backend_name        = "penpot-backend"
+    penpot_exporter_name       = "penpot-exporter"
+    postgres_container_name    = "penpot-postgres"
+    valkey_container_name      = "penpot-valkey"
+    penpot_frontend_image      = "docker.io/penpotapp/frontend"
+    penpot_backend_image       = "docker.io/penpotapp/backend"
+    penpot_exporter_image      = "docker.io/penpotapp/exporter"
+    valkey_image               = "docker.io/valkey/valkey"
+    postgres_image             = "docker.io/library/postgres"
+    penpot_frontend_tag        = var.image_tag
+    penpot_backend_tag         = var.image_tag
+    penpot_exporter_tag        = var.image_tag
+    valkey_tag                 = var.valkey_image_tag
+    postgres_tag               = var.postgres_image_tag
+    env_file                   = "${path.module}/.env"
+    internal_port              = 8080
+
+    penpot_volumes = [
+        {
+            host_path      = "${var.volume_path}/${local.container_name}/assets"
+            container_path = "/opt/data/assets"
+            read_only      = false
+        }
+    ]
+
+    postgres_volumes = [
+        {
+            host_path      = "${var.volume_path}/${local.container_name}/data"
+            container_path = "/var/lib/postgresql/data"
+            read_only      = false
+        }
+    ]
+
+    penpot_exporter_env_vars = {
+        PENPOT_PUBLIC_URI                    = "http://${local.container_name}:${local.internal_port}"
+        PENPOT_REDIS_URI                     = "redis://${local.valkey_container_name}/0"
+    }
+
+    # Disable emails and enable OIDC since this is a private instanced managed with Authentik
+    penpot_env_vars = {
+        PENPOT_FLAGS = "disable-smtp enable-prepl-server enable-login-with-oidc"
+
+        PENPOT_SECRET_KEY                    = provider::dotenv::get_by_key("PENPOT_SECRET_KEY", local.env_file)
+        
+        PENPOT_PREPL_HOST                    = "0.0.0.0"
+        
+        PENPOT_DATABASE_URI                  = "postgresql://${local.postgres_container_name}/${try(provider::dotenv::get_by_key("POSTGRES_DB", local.env_file), "penpot")}"
+        PENPOT_DATABASE_USERNAME             = provider::dotenv::get_by_key("POSTGRES_USER", local.env_file)
+        PENPOT_DATABASE_PASSWORD             = provider::dotenv::get_by_key("POSTGRES_PASSWORD", local.env_file)
+        PENPOT_REDIS_URI                     = "redis://${local.valkey_container_name}/0"
+        
+        PENPOT_ASSETS_STORAGE_BACKEND        = "assets-fs"
+        PENPOT_STORAGE_ASSETS_FS_DIRECTORY   = "/opt/data/assets"
+
+        PENPOT_TELEMETRY_ENABLED             = false
+        PENPOT_TELEMETRY_REFERER             = ""
+
+        PENPOT_OIDC_CLIENT_ID                = provider::dotenv::get_by_key("PENPOT_OIDC_CLIENT_ID", local.env_file)
+        PENPOT_OIDC_BASE_URI                 = provider::dotenv::get_by_key("PENPOT_OIDC_BASE_URI", local.env_file)
+        PENPOT_OIDC_ROLES                    = provider::dotenv::get_by_key("PENPOT_OIDC_ROLES", local.env_file)
+    }
+
+    postgres_env_vars = {
+        POSTGRES_USER                        = provider::dotenv::get_by_key("POSTGRES_USER", local.env_file)
+        POSTGRES_PASSWORD                    = provider::dotenv::get_by_key("POSTGRES_PASSWORD", local.env_file)
+        POSTGRES_DB                          = provider::dotenv::get_by_key("POSTGRES_DB", local.env_file)
+    }
+}
+
+module "penpot_network" {
+    source = "../../01-networking/network-service"
+    name   = "penpot-network"
+    subnet = "172.16.0.32/29"
+    driver = "bridge"
+    options = {
+        "isolate": false
+    }
+}
+
+module "penpot-postgres" {
+    source         = "../../10-generic/docker-service"
+    container_name = local.postgres_container_name
+    image          = local.postgres_image
+    tag            = local.postgres_tag
+    volumes        = local.postgres_volumes
+    env_vars       = local.postgres_env_vars
+    networks       = module.penpot_network.name
+    restart_policy = "always"
+}
+
+module "penpot-valkey" {
+    source         = "../../10-generic/docker-service"
+    container_name = local.valkey_container_name
+    image          = local.valkey_image
+    tag            = local.valkey_tag
+    networks       = module.penpot_network.name
+    restart_policy = "always"
+}
+
+module "penpot-exporter" {
+    source         = "../../10-generic/docker-service"
+    container_name = local.penpot_exporter_name
+    image          = local.penpot_backend_image
+    tag            = local.penpot_backend_tag
+    env_vars       = local.penpot_exporter_env_vars
+    networks       = module.penpot_network.name
+    restart_policy = "always"
+}
+
+module "penpot-backend" {
+    source         = "../../10-generic/docker-service"
+    container_name = local.penpot_backend_name
+    image          = local.penpot_backend_image
+    tag            = local.penpot_backend_tag
+    volumes        = local.penpot_volumes
+    env_vars       = local.penpot_env_vars
+    networks       = module.penpot_network.name
+    restart_policy = "always"
+}
+
+module "penpot" {
+    source         = "../../10-generic/docker-service"
+    container_name = local.container_name
+    image          = local.penpot_frontend_image
+    tag            = local.penpot_frontend_tag
+    volumes        = local.penpot_volumes
+    networks       = concat([module.penpot_network.name], var.networks)
+    restart_policy = "always"
+}
+
+
+output "service_definition" {
+  description = "General service definition with optional ingress configuration"
+  value = {
+    name         = local.container_name
+    primary_port = local.internal_port
+    endpoint     = "http://${local.container_name}:${local.internal_port}"
+    subdomains   = ["penpot"]
+  }
+}
@@ -0,0 +1,46 @@
+variable "image_tag" {
+  description = "The tag for the coder container image. Default: Latest"
+  type        = string
+  default     = "latest"
+}
+
+variable "postgres_image_tag" {
+  description = "The tag for the postgres container image. Default: Latest"
+  type        = string
+  default     = "17-alpine"
+}
+
+variable "valkey_image_tag" {
+  description = "Valkey K/V store container image. Default: 8.1"
+  type        = string
+  default     = "8.1"
+}
+
+variable "volume_path" {
+  description = "Base directory for volumes"
+  type        = string
+}
+
+variable "networks" {
+  description = "List of networks to which the container should be attached"
+  type        = list(string)
+  default     = []
+}
+
+variable "user_id" {
+  description = "User ID for container permissions"
+  type        = string
+  default     = "1000"
+}
+
+variable "group_id" {
+  description = "Group ID for container permissions"
+  type        = string
+  default     = "1000"
+}
+
+variable "timezone" {
+  description = "Timezone for the container"
+  type        = string
+  default     = "Europe/Helsinki"
+}