From 69a2ad4efdcda430a5d611e91a098d50b5e5c954 Mon Sep 17 00:00:00 2001 From: vincent Date: Sun, 28 Apr 2024 16:10:43 +0200 Subject: [PATCH] feat: implement mealie --- ansible/group_vars/database/database | 2 + ansible/group_vars/database/vault_database | 90 +++++++++++---------- nomad-job/authelia.nomad.hcl | 36 +++++++-- nomad-job/mealie.nomad.hcl | 94 ++++++++++++++++++++++ nomad-job/volume/mealie-data.hcl | 17 ++++ script/generate-vault-secret | 3 +- terraform/dns/variable.tf | 3 +- terraform/vault/nomad.tf | 1 + 8 files changed, 195 insertions(+), 51 deletions(-) create mode 100644 nomad-job/mealie.nomad.hcl create mode 100644 nomad-job/volume/mealie-data.hcl diff --git a/ansible/group_vars/database/database b/ansible/group_vars/database/database index 96dad1b..686bcd5 100644 --- a/ansible/group_vars/database/database +++ b/ansible/group_vars/database/database @@ -24,6 +24,8 @@ postgresql_databases: owner: pdns-auth - name: pdns-admin owner: pdns-admin + - name: mealie + owner: mealie postgresql_hba_entries: - {type: local, database: all, user: postgres, auth_method: peer} diff --git a/ansible/group_vars/database/vault_database b/ansible/group_vars/database/vault_database index 49c917f..8ddf5ce 100644 --- a/ansible/group_vars/database/vault_database +++ b/ansible/group_vars/database/vault_database 
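Review bot: The new `mealie` database gets an owner, but the `postgresql_hba_entries` list that follows in the context gains no entry for it, so whether the `mealie` role can reach the database over the network (the job added elsewhere in this commit points at `active.db.service.consul`, not a local socket) depends on existing entries this hunk does not show. If the existing host rules are per-database rather than `database: all`, add one scoped to the Nomad client network, e.g. `- {type: host, database: mealie, user: mealie, address: <nomad-client-cidr>, auth_method: scram-sha-256}`. The role's password presumably lives in the re-encrypted `vault_database` file in this same commit and cannot be reviewed here; confirm it was generated rather than reused.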
@@ -1,45 +1,47 @@ $ANSIBLE_VAULT;1.1;AES256 -64656332666561346439636331396439333566646361333031613764376634363061623635356630 -3832326235316435316264653637396130383465323234630a653138393161316232323236323366 -32363661633631623132323864663366633766396266623630636135396165663062353434613231 -6363646665626439610a313233313639333232393035633139326561316431393837616231313933 -38646532613665666136316635376533653161616630313532333330393364636662653331336637 -39353462336130333933383033656634633461333461393730633333343330306432623466623062 -32353962623338356630393935646537313335313335323464666265303732653633396332363965 -36356338386330653863646134623234623230356232643535643763303162626132333530626639 -39316166613862356264336362303833343236616635613136356433663766383861333832656261 -35613662653266396461383162303230613865373232353437646131633063633634346633383563 -31323736303537643433633235613464376230373332613331623439643462313362356437623463 -65326335653938626461353332356434303962376630626666666631386334316261653639623633 -34326633393330313064326562363838316366316361626662393435363262333264626333396136 -66353936623763323865656632373763303365316131663064343830663330323566346535316436 -63623931383461363364613632363661613734306535373536643236656161393634633435653862 -34316666353234646633633635653934373335396635343035663238323636323662346632303865 -35326333366439646661303437626238326435313032373031636535353963666263636635366234 -36336562633666623932653465376237366232306262386565646631346432346631353566326535 -32356337333762653161376439353035323633363833633862336134366132623963326231643461 -35623863373730313935393631626266336465613261636364353533666233613831323031643035 -32663630316264633932643132633061303438613339646264666334306630643038323632366330 -31366365333039636434613537386436313539396632613766333136663638393462653263613165 -33323937313031626233623237616464323939303131613465326362346632346538323161343362 
-65353839386133326233356561363864336261663135343865323861623330613736333835396261 -64653361333530326630363633383836396565646463396239616261646635303535316135306537 -64343830616566663633323531383464383834373539646637633465616533383238346565303337 -34386561626266303833353665306335326264343533386263626562373633303135313735643733 -37333766373465326133663663303166316134643732343938343930616631383137356137373564 -31633831663264653762326534343635323364313632353661323330646638363062346137646337 -61323334623434613333613038633637666131393338653839373835633062396661653537343138 -61643961623366393735393438356461333731326265313937613066323038313163353835363135 -33323932353264313536393865373232333930613636343661613033656165616237373439383531 -38393932366633616639303964386333386462353935646432663330313137306465386634633931 -33656533306665653836363830363164303039356463386130663536636330396138643363383838 -35393966646630663535623836303262353739353063303763333530383630353838623939376535 -34343239373831623232343530396561393730303066323236306539333263656133366363396534 -30666662336435313561666536643231633562663037353837303936326164353366333032656431 -39303063343536336431336637323239356432616562656565306561666664663930303232313464 -34333236613239656562323037656137376135396636323361383565336636303338663138396238 -65396130303931393266636630656637333464346361303763653931383464326365333232623437 -61623263316562643636386637303531626238333131656130306236636230626362653935353331 -34366663303235653431616135343963643935303336313231343562376430343564393832343335 -36363130313533373137383738346438666634303537633232636535303835636333653636303937 -39356339656234303432 +38633535353630393131613866663164303337323939363261633266376163336664313930336664 +3135653966393866633438306361303165633337306333640a333532336662323333376333386637 +37376462646539653637323930366239353036376330623732393434353231333730653338386433 +6238333164646237620a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diff --git 
a/nomad-job/authelia.nomad.hcl b/nomad-job/authelia.nomad.hcl index 813fbdd..8a70369 100644 --- a/nomad-job/authelia.nomad.hcl +++ b/nomad-job/authelia.nomad.hcl @@ -99,10 +99,19 @@ identity_providers: - key_id: 'key' key: | {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}} + cors: + endpoints: + - userinfo + - authorization + - token + - revocation + - introspection + allowed_origins: + - https://mealie.ducamps.eu + allowed_origins_from_client_redirect_uris: true clients: - client_id: 'ttrss' client_name: 'ttrss' -# client_secret: $pbkdf2-sha512$310000$5igZ9BADDMeXml91wcIq3w$fNFeVMHDxXx758cYQe0kmgidZMedEgtN.zQd12xE9DzmSk8QRRUYx56zpjzLTO8PcKhDgR3qCdUPnO/XDdEDLg client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}} public: false scopes: @@ -114,9 +123,24 @@ identity_providers: userinfo_signed_response_alg: none authorization_policy: 'one_factor' pre_configured_consent_duration: 15d + - client_id: 'mealie' + client_name: 'mealie' + public: true + require_pkce: true + pkce_challenge_method: 'S256' + scopes: + - openid + - email + - profile + - groups + redirect_uris: + - 'https://mealie.ducamps.eu/login' + userinfo_signed_response_alg: none + authorization_policy: 'one_factor' + token_endpoint_auth_method: 'none' log: - level: 'debug' + level: 'trace' totp: issuer: 'authelia.com' @@ -124,7 +148,7 @@ totp: authentication_backend: ldap: - address: 'ldaps://ldap.ducamps.eu' + address: 'ldaps://ldap.service.consul' implementation: 'custom' timeout: '5s' start_tls: false 
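Review bot: `allowed_origins_from_client_redirect_uris: true` by its name adds the origin of every registered client's redirect URI to the CORS allow-list of the OIDC endpoints, not just Mealie's, which makes the explicit `allowed_origins: - https://mealie.ducamps.eu` redundant and means each client added later silently gains browser access to `token`/`userinfo`/`introspection` without a review of this list. Since Mealie is the only browser-side consumer introduced here, keep the explicit entry and drop the flag (`allowed_origins_from_client_redirect_uris: false`), or add a comment stating that every client's redirect origin is intentionally trusted. Removing the commented-out ttrss `client_secret` hash is a good cleanup.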
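Review bot: Raising `log: level` from `'debug'` to `'trace'` in a feature commit looks like troubleshooting output left in; trace is Authelia's most verbose level and, running under Nomad where task logs are retained, is likely to record request detail for every authentication flow, so revert to `level: 'info'` (or at most `'debug'`) before merge. The `mealie` client is correctly modelled as a secret-less public client (`public: true`, `require_pkce: true` with `S256`, `token_endpoint_auth_method: 'none'`), yet `script/generate-vault-secret` in this same commit appears to add `authelia/mealie` to the list of client secrets it generates, producing a Vault secret that no configuration here consumes; either drop that entry or make the client confidential and reference the hash as the ttrss client does. Consider also adding `pre_configured_consent_duration` for consistency with the ttrss client, if the same consent behaviour is wanted.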
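Review bot: Changing `address` to `ldaps://ldap.service.consul` also changes the hostname Authelia verifies the LDAP server certificate against; unless that certificate carries `ldap.service.consul` as a SAN, the LDAPS handshake will fail, and the tempting fix of `tls: skip_verify: true` would expose the bind service account's password to an on-path attacker. Confirm the SAN, or keep verification on the public name while resolving through Consul by setting `tls: server_name: 'ldap.ducamps.eu'`. The `tls` section of `authentication_backend.ldap` is outside this hunk, so I cannot see which of these already applies.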
@@ -135,11 +159,13 @@ authentication_backend: additional_users_dn: 'OU=users' users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))' additional_groups_dn: 'OU=groups' - groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))' + #groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))' + groups_filter: '(&(|{memberof:rdn})(objectClass=groupOfNames))' + group_search_mode: 'memberof' user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu' password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }} attributes: - distinguished_name: 'distinguishedname' + distinguished_name: '' username: 'uid' mail: 'mail' member_of: 'memberOf' diff --git a/nomad-job/mealie.nomad.hcl b/nomad-job/mealie.nomad.hcl new file mode 100644 index 0000000..dc4c1f4 --- /dev/null +++ b/nomad-job/mealie.nomad.hcl 
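Review bot: `distinguished_name: ''` sets the attribute name to an empty string rather than removing the key, and it is not clear from the hunk whether Authelia treats `''` as "unset" or as a literal attribute name; if the intent is to fall back to the implementation default, delete the line instead of blanking it. Switching to `group_search_mode: 'memberof'` with `(&(|{memberof:rdn})(objectClass=groupOfNames))` means group membership is now derived from the user's `memberOf` values, so on a directory that does not maintain `memberOf` (e.g. OpenLDAP without the memberof overlay) users will silently resolve to no groups, which would affect any group-based policy downstream — worth a one-line comment such as `# requires the directory to populate memberOf; groups are resolved from the user entry, not by searching OU=groups`. The old `groups_filter` left behind as a comment should be removed rather than kept as dead configuration.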
@@ -0,0 +1,94 @@ + +job "mealie" { + datacenters = ["homelab"] + priority = 50 + type = "service" + meta { + forcedeploy = "0" + } + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "mealie" { + network { + mode = "host" + port "http" { + to = 9000 + } + } + volume "mealie-data" { + type = "csi" + source = "mealie-data" + access_mode = "multi-node-multi-writer" + attachment_mode = "file-system" + } + vault { + policies = ["mealie"] + + } + task "mealie-server" { + driver = "docker" + service { + name = "mealie" + port = "http" + tags = [ + "homer.enable=true", + "homer.name=Mealie", + "homer.service=Application", + "homer.subtitle=Mealie", + "homer.logo=https://mealie.ducamps.eu/favicon.ico", + "homer.target=_blank", + "homer.url=https://${NOMAD_JOB_NAME}.ducamps.eu", + "traefik.enable=true", + "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`${NOMAD_JOB_NAME}.ducamps.eu`)", + "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=${NOMAD_JOB_NAME}.ducamps.eu", + "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver", + "traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure", + ] + } + config { + image = "ghcr.io/mealie-recipes/mealie" + ports = ["http"] + } + volume_mount { + volume = "mealie-data" + destination = "/app/data" + } + env { + PUID = "1000001" + PGID = "1000001" + TZ = "Europe/Paris" + MAX_WORKERS = 1 + WEB_CONCURRENCY = 1 + BASE_URL = "https://mealie.ducamps.eu" + OIDC_USER_GROUP = "MealieUsers" + OIDC_ADMIN_GROUP = "MealieAdmins" + OIDC_AUTH_ENABLED = "True" + OIDC_SIGNUP_ENABLED = "true" + OIDC_CONFIGURATION_URL = "https://auth.ducamps.eu/.well-known/openid-configuration" + OIDC_CLIENT_ID = "mealie" + OIDC_AUTO_REDIRECT = "false" + OIDC_PROVIDER_NAME = "authelia" + DB_ENGINE = "postgres" + POSTGRES_USER = "mealie" + POSTGRES_SERVER = "active.db.service.consul" + POSTGRES_PORT = 5432 + POSTGRES_DB = "mealie" + LOG_LEVEL = "DEBUG" + } + template { + data = < None: } } listAutheliaSecret=[ - 
"authelia/ttrss" + "authelia/ttrss", + "authelia/mealie" ] token=os.getenv('VAULT_TOKEN',"") diff --git a/terraform/dns/variable.tf b/terraform/dns/variable.tf index 8436870..6ee4330 100644 --- a/terraform/dns/variable.tf +++ b/terraform/dns/variable.tf @@ -37,7 +37,8 @@ variable cnameList{ "www", "mail", "ldap", - "budget" + "budget", + "mealie", ] } diff --git a/terraform/vault/nomad.tf b/terraform/vault/nomad.tf index 9a9cc87..3a5e361 100644 --- a/terraform/vault/nomad.tf +++ b/terraform/vault/nomad.tf @@ -25,6 +25,7 @@ locals { "pdns", "ldap", "borgmatic", + "mealie", ] nomad_custom_policy = [ {