incus-fga/openfga-end.sh

#!/bin/bash
# Source: https://raw.githubusercontent.com/rgl/incus-playground/349480b30d82ca1b468cb6e983988c7cb01343e3/provision-openfga.sh
set -euxo pipefail

OPENFGA_FQDN="localhost"

# configure.
# see https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga
# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L189
# see https://github.com/openfga/openfga/blob/v1.5.2/internal/server/config/config.go#L341
cat >/opt/openfga/config.yaml <<EOF
log:
  format: text
  level: info # none, debug, info, warn, error, panic, fatal.
datastore:
  engine: sqlite
  uri: file:/opt/openfga/openfga.db
authn:
  method: preshared
  preshared:
    keys:
      - abracadabra
grpc:
  # TODO change this back to :8081 once https://github.com/openfga/openfga/issues/640 is fixed.
  addr: $OPENFGA_FQDN:8081
  tls:
    enabled: false
http:
  enabled: true
  addr: 127.0.0.1:8080
  tls:
    enabled: false
metrics:
  enabled: true
  addr: 127.0.0.1:2112
playground:
  enabled: false
  port: 3000
EOF

# brandonkal: disable TLS
#install -o root -g openfga -m 444 "/vagrant/shared/example-ca/$OPENFGA_FQDN-crt.pem" /opt/openfga
#install -o root -g openfga -m 440 "/vagrant/shared/example-ca/$OPENFGA_FQDN-key.pem" /opt/openfga

# start.
cat >/etc/systemd/system/openfga.service <<EOF
[Unit]
Description=openfga
After=network.service

[Service]
Type=simple
User=openfga
Group=openfga
ExecStart=/opt/openfga/openfga run
WorkingDirectory=/opt/openfga
Restart=on-abort

[Install]
WantedBy=multi-user.target
EOF
systemctl enable openfga
systemctl start openfga
ss -anlp | grep -E '(Address:Port|openfga)'

# show information.
cat <<EOF

OpenFGA is available at:

    grpc://$OPENFGA_FQDN:8081
    https://$OPENFGA_FQDN:8080
    http://$OPENFGA_FQDN:2112/metrics

EOF