ouranos/terraform/storage.tf

# Storage Resources for Agathos Containers
# Provisions Incus storage volumes and S3 buckets with access keys

# Storage volume for Nextcloud data
resource "incus_storage_volume" "nextcloud_data" {
  name    = "nextcloud-data"
  pool    = var.storage_pool
  project = var.project_name

  config = {
    size = "100GB"
  }
}

# S3 bucket for Lobechat file storage
resource "incus_storage_bucket" "lobechat" {
  name        = "lobechat"
  pool        = var.storage_pool
  project     = var.project_name
  description = "Lobechat file storage bucket"
}

# Access key for Lobechat S3 bucket
resource "incus_storage_bucket_key" "lobechat_key" {
  name           = "lobechat-access"
  pool           = incus_storage_bucket.lobechat.pool
  storage_bucket = incus_storage_bucket.lobechat.name
  project        = var.project_name
  role           = "admin"
}

# S3 bucket for Casdoor file storage
resource "incus_storage_bucket" "casdoor" {
  name        = "casdoor"
  pool        = var.storage_pool
  project     = var.project_name
  description = "Casdoor file storage bucket"
}

# Access key for Casdoor S3 bucket
resource "incus_storage_bucket_key" "casdoor_key" {
  name           = "casdoor-access"
  pool           = incus_storage_bucket.casdoor.pool
  storage_bucket = incus_storage_bucket.casdoor.name
  project        = var.project_name
  role           = "admin"
}

# S3 bucket for Spelunker file storage
resource "incus_storage_bucket" "spelunker" {
  name        = "spelunker"
  pool        = var.storage_pool
  project     = var.project_name
  description = "Spelunker file storage bucket"
}

# Access key for Spelunker S3 bucket
resource "incus_storage_bucket_key" "spelunker_key" {
  name           = "spelunker-access"
  pool           = incus_storage_bucket.spelunker.pool
  storage_bucket = incus_storage_bucket.spelunker.name
  project        = var.project_name
  role           = "admin"
}

# Outputs for S3 credentials (to be stored in Ansible vault)
output "lobechat_s3_credentials" {
  description = "Lobechat S3 bucket credentials - store in vault as vault_lobechat_s3_*"
  value = {
    bucket     = incus_storage_bucket.lobechat.name
    access_key = incus_storage_bucket_key.lobechat_key.access_key
    secret_key = incus_storage_bucket_key.lobechat_key.secret_key
    endpoint   = "https://${incus_storage_bucket.lobechat.location}"
  }
  sensitive = true
}

output "casdoor_s3_credentials" {
  description = "Casdoor S3 bucket credentials - store in vault as vault_casdoor_s3_*"
  value = {
    bucket     = incus_storage_bucket.casdoor.name
    access_key = incus_storage_bucket_key.casdoor_key.access_key
    secret_key = incus_storage_bucket_key.casdoor_key.secret_key
    endpoint   = "https://${incus_storage_bucket.casdoor.location}"
  }
  sensitive = true
}

output "spelunker_s3_credentials" {
  description = "Spelunker S3 bucket credentials - store in vault as vault_spelunker_s3_*"
  value = {
    bucket     = incus_storage_bucket.spelunker.name
    access_key = incus_storage_bucket_key.spelunker_key.access_key
    secret_key = incus_storage_bucket_key.spelunker_key.secret_key
    endpoint   = "https://${incus_storage_bucket.spelunker.location}"
  }
  sensitive = true
}