tf/modules/swarm/ontime/main.tf

data "docker_registry_image" "primary" {
  name = "getontime/ontime:latest"
}

data "docker_network" "traefik" {
  name = "traefik"
}

locals {
  name = "ontime${var.ontime_identifier}"
  public_paths = [
    "/ontime-logo.png",
    "/favicon.ico",
    "/data",
    "/assets",
    "/timer",
    "/minimal",
    "/clock",
    "/backstage",
    "/countdown",
    "/studio",
    "/timeline",
    "/api/poll",
    "/api/version",
  ]
  public_paths_rule = join(" || ", [for path in local.public_paths : "PathPrefix(`${path}`)"])
  labels = {
    "shepherd.auto-update"                                         = "true",
    "traefik.enable"                                               = "true"
    "traefik.http.services.${local.name}.loadbalancer.server.port" = "4001",
    "traefik.http.routers.${local.name}.rule"                      = "Host(`${local.name}.chaoswest.tv`)",
    "traefik.http.routers.${local.name}.tls"                       = "true",
    "traefik.http.routers.${local.name}.tls.certresolver"          = "default",
    "traefik.http.routers.${local.name}.priority"                  = "1",

    ## Authentication was tried, but ontime needs a WebSocket connection for almost everything, and we can't really secure this.
    ## So, we'll be using the pincode feature of ontime and just deploy it only for the time needed.

    #"traefik.http.routers.${local.name}.middlewares"               = "auth-ontime@file",

    #"traefik.http.services.${local.name}-open.loadbalancer.server.port"  = "4001",
    #"traefik.http.routers.${local.name}-open.rule"                      = "Host(`${local.name}.chaoswest.tv`) && (${local.public_paths_rule})",
    #"traefik.http.routers.${local.name}-open.tls"                       = "true",
    #"traefik.http.routers.${local.name}-open.tls.certresolver"          = "default",
    #"traefik.http.routers.${local.name}-open.priority"                       = "2",
  }
}

resource "docker_service" "primary" {
  name = local.name

  dynamic "labels" {
    for_each = local.labels
    content {
      label = labels.key
      value = labels.value
    }
  }

  task_spec {
    networks_advanced {
      name = data.docker_network.traefik.id
    }

    container_spec {
      image = "${data.docker_registry_image.primary.name}@${data.docker_registry_image.primary.sha256_digest}"

      mounts {
        target = "/data/"
        source = "/mnt/data/${local.name}"
        type   = "bind"
      }
    }
  }
}

data "hetznerdns_zone" "primary" {
  name = "chaoswest.tv"
}

resource "hetznerdns_record" "www" {
  zone_id = data.hetznerdns_zone.primary.id
  name    = local.name
  value   = "ax41-1.fsn.mon2.de."
  type    = "CNAME"
}