commit 52e7012b4126eba1bb36e810fe3eb8280f5b032a
Author: Brandon Kalinowski <brandon@brandonkalinowski.com>
Date:   Mon Oct 28 15:01:27 2024 +0000

    initial commit

diff --git a/openfga-end.sh b/openfga-end.sh
new file mode 100755
index 0000000..86918da
--- /dev/null
+++ b/openfga-end.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# Source: https://raw.githubusercontent.com/rgl/incus-playground/349480b30d82ca1b468cb6e983988c7cb01343e3/provision-openfga.sh
+set -euxo pipefail
+
+POSTGRES_FQDN="localhost"
+OPENFGA_FQDN="localhost"
+
+# configure.
+# see https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L189
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L341
+cat >/opt/openfga/config.yaml <<EOF
+log:
+  format: text
+  level: info # none, debug, info, warn, error, panic, fatal.
+datastore:
+  engine: postgres
+  uri: postgres://openfga:abracadabra@$POSTGRES_FQDN:5432/openfga
+authn:
+  method: preshared
+  preshared:
+    keys:
+      - abracadabra
+grpc:
+  # TODO change this back to :8081 once https://github.com/openfga/openfga/issues/640 is fixed.
+  addr: $OPENFGA_FQDN:8081
+  tls:
+    enabled: false
+http:
+  enabled: true
+  addr: :8080
+  tls:
+    enabled: false
+metrics:
+  enabled: true
+  addr: :2112
+playground:
+  enabled: false
+  port: 3000
+EOF
+
+# brandonkal: disable TLS
+#install -o root -g openfga -m 444 "/vagrant/shared/example-ca/$OPENFGA_FQDN-crt.pem" /opt/openfga
+#install -o root -g openfga -m 440 "/vagrant/shared/example-ca/$OPENFGA_FQDN-key.pem" /opt/openfga
+
+# start.
+cat >/etc/systemd/system/openfga.service <<EOF
+[Unit]
+Description=openfga
+After=network.service
+
+[Service]
+Type=simple
+User=openfga
+Group=openfga
+ExecStart=/opt/openfga/openfga run
+WorkingDirectory=/opt/openfga
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable openfga
+systemctl start openfga
+ss -anlp | grep -E '(Address:Port|openfga)'
+
+# show information.
+cat <<EOF
+
+OpenFGA is available at:
+
+    grpc://$OPENFGA_FQDN:8081
+    https://$OPENFGA_FQDN:8080
+    http://$OPENFGA_FQDN:2112/metrics
+
+EOF
diff --git a/provision-openfga-cli.sh b/provision-openfga-cli.sh
new file mode 100755
index 0000000..741595c
--- /dev/null
+++ b/provision-openfga-cli.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euxo pipefail
+
+OPENFGA_FQDN="localhost"
+
+# see https://github.com/openfga/cli/releases
+# renovate: datasource=github-releases depName=openfga/cli
+openfga_cli_version='0.3.0'
+
+# download and install the fga cli.
+# see https://github.com/openfga/cli/releases
+openfga_cli_artifact_url="https://github.com/openfga/cli/releases/download/v${openfga_cli_version}/fga_${openfga_cli_version}_linux_amd64.tar.gz"
+t="$(mktemp -q -d --suffix=.openfga_cli)"
+wget -qO "$t/openfga_cli.tgz" "$openfga_cli_artifact_url"
+install -d "$t/dist"
+tar xf "$t/openfga_cli.tgz" -C "$t/dist"
+install -o root -g root -m 755 "$t/dist/fga" /usr/local/bin
+rm -rf "$t"
+
+# configure fga.
+# see https://github.com/openfga/cli?tab=readme-ov-file#configuration
+install /dev/null -m 600 ~/.fga.yaml
+cat >~/.fga.yaml <<EOF
+api-url: https://$OPENFGA_FQDN:8080
+api-token: abracadabra
+EOF
diff --git a/provision-openfga-incus.sh b/provision-openfga-incus.sh
new file mode 100755
index 0000000..e90f93a
--- /dev/null
+++ b/provision-openfga-incus.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euxo pipefail
+
+# create the incus store.
+fga store create \
+  --name Incus \
+  | jq \
+  > ./openfga-incus.json
diff --git a/provision-openfga.sh b/provision-openfga.sh
new file mode 100755
index 0000000..c00b2c2
--- /dev/null
+++ b/provision-openfga.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+# Source: https://raw.githubusercontent.com/rgl/incus-playground/349480b30d82ca1b468cb6e983988c7cb01343e3/provision-openfga.sh
+set -euxo pipefail
+
+POSTGRES_FQDN="localhost"
+OPENFGA_FQDN="localhost"
+
+# see https://github.com/openfga/openfga/releases
+# renovate: datasource=github-releases depName=openfga/openfga
+openfga_version='1.5.3'
+
+# create the openfga system user.
+groupadd --system openfga || true
+adduser \
+    --system \
+    --disabled-login \
+    --no-create-home \
+    --gecos '' \
+    --ingroup openfga \
+    --home /opt/openfga \
+    openfga || true
+
+# download and install.
+openfga_artifact_url="https://github.com/openfga/openfga/releases/download/v${openfga_version}/openfga_${openfga_version}_linux_amd64.tar.gz"
+t="$(mktemp -q -d --suffix=.openfga)"
+wget -qO "$t/openfga.tgz" "$openfga_artifact_url"
+install -d "$t/dist"
+tar xf "$t/openfga.tgz" -C "$t/dist"
+rm -rf /opt/openfga
+mv "$t/dist" /opt/openfga
+chown -R root:root /opt/openfga
+rm -rf "$t"
+
+# create the openfga role and database.
+pushd /
+sudo -sHu postgres psql -c "create role openfga login password 'abracadabra'"
+sudo -sHu postgres createdb -E UTF8 -O openfga openfga >/dev/null
+/opt/openfga/openfga migrate \
+    --datastore-engine postgres \
+    --datastore-uri "postgres://openfga:abracadabra@$POSTGRES_FQDN:5432/openfga"
+sudo -sHu postgres psql -c '\du'
+sudo -sHu postgres psql -l
+popd
+
+# configure.
+# see https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L189
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L341
+cat >/opt/openfga/config.yaml <<EOF
+log:
+  format: text
+  level: info # none, debug, info, warn, error, panic, fatal.
+datastore:
+  engine: postgres
+  uri: postgres://openfga:abracadabra@$POSTGRES_FQDN:5432/openfga
+authn:
+  method: preshared
+  preshared:
+    keys:
+      - abracadabra
+grpc:
+  # TODO change this back to :8081 once https://github.com/openfga/openfga/issues/640 is fixed.
+  addr: $OPENFGA_FQDN:8081
+  tls:
+    enabled: false
+http:
+  enabled: true
+  addr: :8080
+  tls:
+    enabled: false
+metrics:
+  enabled: true
+  addr: :2112
+playground:
+  enabled: false
+  port: 3000
+EOF
+
+# brandonkal: disable TLS
+#install -o root -g openfga -m 444 "/vagrant/shared/example-ca/$OPENFGA_FQDN-crt.pem" /opt/openfga
+#install -o root -g openfga -m 440 "/vagrant/shared/example-ca/$OPENFGA_FQDN-key.pem" /opt/openfga
+
+# start.
+cat >/etc/systemd/system/openfga.service <<EOF
+[Unit]
+Description=openfga
+After=network.service
+
+[Service]
+Type=simple
+User=openfga
+Group=openfga
+ExecStart=/opt/openfga/openfga run
+WorkingDirectory=/opt/openfga
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable openfga
+systemctl start openfga
+ss -anlp | grep -E '(Address:Port|openfga)'
+
+# show information.
+cat <<EOF
+
+OpenFGA is available at:
+
+    grpc://$OPENFGA_FQDN:8081
+    https://$OPENFGA_FQDN:8080
+    http://$OPENFGA_FQDN:2112/metrics
+
+EOF