initial commit
commit
52e7012b41
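--- a/openfga-end.sh
+++ b/openfga-end.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# Source: https://raw.githubusercontent.com/rgl/incus-playground/349480b30d82ca1b468cb6e983988c7cb01343e3/provision-openfga.sh
+set -euxo pipefail
+
+POSTGRES_FQDN="localhost"
+OPENFGA_FQDN="localhost"
+
+# configure.
+# see https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L189
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L341
+cat >/opt/openfga/config.yaml <<EOF
+log:
+format: text
+level: info # none, debug, info, warn, error, panic, fatal.
+datastore:
+engine: postgres
+uri: postgres://openfga:abracadabra@$POSTGRES_FQDN:5432/openfga
+authn:
+method: preshared
+preshared:
+keys:
+- abracadabra
+grpc:
+# TODO change this back to :8081 once https://github.com/openfga/openfga/issues/640 is fixed.
+addr: $OPENFGA_FQDN:8081
+tls:
+enabled: false
+http:
+enabled: true
+addr: :8080
+tls:
+enabled: false
+metrics:
+enabled: true
+addr: :2112
+playground:
+enabled: false
+port: 3000
+EOF
+
+# brandonkal: disable TLS
+#install -o root -g openfga -m 444 "/vagrant/shared/example-ca/$OPENFGA_FQDN-crt.pem" /opt/openfga
+#install -o root -g openfga -m 440 "/vagrant/shared/example-ca/$OPENFGA_FQDN-key.pem" /opt/openfga
+
+# start.
+cat >/etc/systemd/system/openfga.service <<EOF
+[Unit]
+Description=openfga
+After=network.service
+
+[Service]
+Type=simple
+User=openfga
+Group=openfga
+ExecStart=/opt/openfga/openfga run
+WorkingDirectory=/opt/openfga
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable openfga
+systemctl start openfga
+ss -anlp | grep -E '(Address:Port|openfga)'
+
+# show information.
+cat <<EOF
+
+OpenFGA is available at:
+
+grpc://$OPENFGA_FQDN:8081
+https://$OPENFGA_FQDN:8080
+http://$OPENFGA_FQDN:2112/metrics
+
+EOF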
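Review bot: The generated `/opt/openfga/config.yaml` holds the Postgres password and the preshared API key, but `cat >` creates it with the default umask, and the `http` listener binds `addr: :8080` on every interface with `tls: enabled: false`, so the bearer key is sent in cleartext to anything that can reach the host. Pre-create the file with `install -o root -g openfga -m 640 /dev/null /opt/openfga/config.yaml` before the heredoc. Also bind the HTTP and metrics listeners to `$OPENFGA_FQDN` the way the gRPC listener already is, or restore the commented-out certificate install. The closing banner still prints `https://$OPENFGA_FQDN:8080`, which no longer matches the disabled TLS. The same config block and banner are duplicated in provision-openfga.sh, and the literal `abracadabra` should come from a variable or secret file before this is reused outside a local playground.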
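--- a/provision-openfga-cli.sh
+++ b/provision-openfga-cli.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euxo pipefail
+
+OPENFGA_FQDN="localhost"
+
+# see https://github.com/openfga/cli/releases
+# renovate: datasource=github-releases depName=openfga/cli
+openfga_cli_version='0.3.0'
+
+# download and install the fga cli.
+# see https://github.com/openfga/cli/releases
+openfga_cli_artifact_url="https://github.com/openfga/cli/releases/download/v${openfga_cli_version}/fga_${openfga_cli_version}_linux_amd64.tar.gz"
+t="$(mktemp -q -d --suffix=.openfga_cli)"
+wget -qO "$t/openfga_cli.tgz" "$openfga_cli_artifact_url"
+install -d "$t/dist"
+tar xf "$t/openfga_cli.tgz" -C "$t/dist"
+install -o root -g root -m 755 "$t/dist/fga" /usr/local/bin
+rm -rf "$t"
+
+# configure fga.
+# see https://github.com/openfga/cli?tab=readme-ov-file#configuration
+install /dev/null -m 600 ~/.fga.yaml
+cat >~/.fga.yaml <<EOF
+api-url: https://$OPENFGA_FQDN:8080
+api-token: abracadabra
+EOF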
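Review bot: `api-url: https://$OPENFGA_FQDN:8080` in the `~/.fga.yaml` heredoc does not match the server configuration written elsewhere in this commit, where `http.tls.enabled` is `false`, so the CLI would presumably fail the TLS handshake against a plain-HTTP listener. Either write `api-url: http://$OPENFGA_FQDN:8080` for this localhost-only setup or re-enable TLS on the server. If the scheme becomes `http`, `OPENFGA_FQDN` should stay at `localhost`, because the `api-token` is then sent unencrypted. Pre-creating the file with mode 600 before writing the token is the right order and worth a one-line comment such as `# create with 0600 first so the token is never world-readable`.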
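--- a/provision-openfga-incus.sh
+++ b/provision-openfga-incus.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euxo pipefail
+
+# create the incus store.
+fga store create \
+--name Incus \
+| jq \
+> ./openfga-incus.json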
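Review bot: `jq` is called without a filter in the `fga store create` pipeline, which relies on jq's implicit default program; writing `| jq . \` states the intent explicitly. The store is also created unconditionally, so re-running the script likely adds another store named Incus and overwrites `./openfga-incus.json` in whatever the current directory happens to be. A guard such as `[[ -s ./openfga-incus.json ]] && exit 0` and an absolute output path would make reruns predictable.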
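--- a/provision-openfga.sh
+++ b/provision-openfga.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+# Source: https://raw.githubusercontent.com/rgl/incus-playground/349480b30d82ca1b468cb6e983988c7cb01343e3/provision-openfga.sh
+set -euxo pipefail
+
+POSTGRES_FQDN="localhost"
+OPENFGA_FQDN="localhost"
+
+# see https://github.com/openfga/openfga/releases
+# renovate: datasource=github-releases depName=openfga/openfga
+openfga_version='1.5.3'
+
+# create the openfga system user.
+groupadd --system openfga || true
+adduser \
+--system \
+--disabled-login \
+--no-create-home \
+--gecos '' \
+--ingroup openfga \
+--home /opt/openfga \
+openfga || true
+
+# download and install.
+openfga_artifact_url="https://github.com/openfga/openfga/releases/download/v${openfga_version}/openfga_${openfga_version}_linux_amd64.tar.gz"
+t="$(mktemp -q -d --suffix=.openfga)"
+wget -qO "$t/openfga.tgz" "$openfga_artifact_url"
+install -d "$t/dist"
+tar xf "$t/openfga.tgz" -C "$t/dist"
+rm -rf /opt/openfga
+mv "$t/dist" /opt/openfga
+chown -R root:root /opt/openfga
+rm -rf "$t"
+
+# create the openfga role and database.
+pushd /
+sudo -sHu postgres psql -c "create role openfga login password 'abracadabra'"
+sudo -sHu postgres createdb -E UTF8 -O openfga openfga >/dev/null
+/opt/openfga/openfga migrate \
+--datastore-engine postgres \
+--datastore-uri "postgres://openfga:abracadabra@$POSTGRES_FQDN:5432/openfga"
+sudo -sHu postgres psql -c '\du'
+sudo -sHu postgres psql -l
+popd
+
+# configure.
+# see https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L189
+# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L341
+cat >/opt/openfga/config.yaml <<EOF
+log:
+format: text
+level: info # none, debug, info, warn, error, panic, fatal.
+datastore:
+engine: postgres
+uri: postgres://openfga:abracadabra@$POSTGRES_FQDN:5432/openfga
+authn:
+method: preshared
+preshared:
+keys:
+- abracadabra
+grpc:
+# TODO change this back to :8081 once https://github.com/openfga/openfga/issues/640 is fixed.
+addr: $OPENFGA_FQDN:8081
+tls:
+enabled: false
+http:
+enabled: true
+addr: :8080
+tls:
+enabled: false
+metrics:
+enabled: true
+addr: :2112
+playground:
+enabled: false
+port: 3000
+EOF
+
+# brandonkal: disable TLS
+#install -o root -g openfga -m 444 "/vagrant/shared/example-ca/$OPENFGA_FQDN-crt.pem" /opt/openfga
+#install -o root -g openfga -m 440 "/vagrant/shared/example-ca/$OPENFGA_FQDN-key.pem" /opt/openfga
+
+# start.
+cat >/etc/systemd/system/openfga.service <<EOF
+[Unit]
+Description=openfga
+After=network.service
+
+[Service]
+Type=simple
+User=openfga
+Group=openfga
+ExecStart=/opt/openfga/openfga run
+WorkingDirectory=/opt/openfga
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable openfga
+systemctl start openfga
+ss -anlp | grep -E '(Address:Port|openfga)'
+
+# show information.
+cat <<EOF
+
+OpenFGA is available at:
+
+grpc://$OPENFGA_FQDN:8081
+https://$OPENFGA_FQDN:8080
+http://$OPENFGA_FQDN:2112/metrics
+
+EOF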
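Review bot: The release tarball is fetched with `wget` and unpacked into `/opt/openfga` with no integrity check, and `openfga migrate` from it is then executed by the provisioning user (presumably root, given the `chown` and `systemctl` calls). Pin a digest next to `openfga_version` and verify it before `tar xf`, e.g. `echo "${openfga_sha256}  $t/openfga.tgz" | sha256sum -c -`, where `openfga_sha256` is a placeholder for that release's published checksum. provision-openfga-cli.sh has the same gap for the `fga` tarball. Separately, with `set -x` active the `psql -c "create role ... password 'abracadabra'"` and `--datastore-uri` lines put the password into the trace output and the process arguments, so wrapping them in `set +x` / `set -x` would keep it out of provisioning logs. `create role` is also not guarded the way `groupadd ... || true` is, so a second run aborts under `set -e`.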