feat: remote access for loopdedupe (#1664)

Author: bo0tzz

tf/deployment/modules/shared/1password/account/secrets.tf

@@ -51,6 +51,7 @@ module "manual-secrets" {
       "IMMICH_GITHUB_OAUTH_APP_INTERNAL_FUTO_ZITADEL_CLIENT_ID",
       "IMMICH_GITHUB_OAUTH_APP_INTERNAL_FUTO_ZITADEL_CLIENT_SECRET",
       "FUTO_ZITADEL_PROFILE_JSON",
+      "LOOPDEDUPE_GITHUB_WEBHOOK_URL",
       "LOOPDEDUPE_VOYAGE_API_KEY",
     ]
     scoped = [
@@ -82,6 +83,7 @@ module "generated-secrets" {
       { name = "OAUTH2_PROXY_COOKIE_SECRET", length = 32 },
       { name = "IMMICH_GITHUB_ACTION_CHECKS_WEBHOOK_SECRET" },
       { name = "OUTLINE_ROLE_SYNC_WEBHOOK_SECRET" },
+      { name = "LOOPDEDUPE_GITHUB_WEBHOOK_SECRET" },
       { name = "LOOPDEDUPE_SECRET_KEY_BASE", length = 64 }
     ]
     scoped = [

tf/deployment/modules/shared/cloudflare/account/dns-immich-cloud.tf

@@ -34,6 +34,24 @@ resource "cloudflare_record" "immich_cloud_a_mich" {
   zone_id = cloudflare_zone.immich_cloud.id
 }
 
+resource "cloudflare_record" "immich_cloud_a_pokedex" {
+  name    = "pokedex"
+  proxied = false
+  ttl     = 1
+  type    = "A"
+  content = local.pokedex_ip
+  zone_id = cloudflare_zone.immich_cloud.id
+}
+
+resource "cloudflare_record" "immich_cloud_cname_loopdedupe_internal" {
+  name    = "loopdedupe.internal"
+  proxied = false
+  ttl     = 1
+  type    = "CNAME"
+  content = "pokedex.immich.cloud"
+  zone_id = cloudflare_zone.immich_cloud.id
+}
+
 resource "cloudflare_record" "immich_cloud_a_kube_pokedex_internal_brock" {
   name    = "kube.pokedex.internal"
   proxied = false

tf/deployment/modules/shared/cloudflare/account/locals.tf

@@ -1,4 +1,6 @@
 locals {
   mich_ip    = "162.55.19.222"
   mich_cidrs = ["${local.mich_ip}/32"]
+
+  pokedex_ip = "97.77.242.206"
 }

tf/deployment/modules/shared/github/webhooks/webhooks.tf

@@ -79,3 +79,27 @@ import {
   to = github_repository_webhook.fluxcd[0]
   id = "devtools/541139511"
 }
+
+data "onepassword_item" "loopdedupe_webhook_url" {
+  title = "LOOPDEDUPE_GITHUB_WEBHOOK_URL"
+  vault = data.onepassword_vault.tf.name
+}
+
+data "onepassword_item" "loopdedupe_webhook_secret" {
+  title = "LOOPDEDUPE_GITHUB_WEBHOOK_SECRET"
+  vault = data.onepassword_vault.tf.name
+}
+
+resource "github_repository_webhook" "loopdedupe" {
+  count = data.onepassword_item.loopdedupe_webhook_url.password != "REPLACE_ME" ? 1 : 0
+  events = [
+    "issues",
+    "discussion"
+  ]
+  repository = "immich"
+  configuration {
+    url          = data.onepassword_item.loopdedupe_webhook_url.password
+    secret       = data.onepassword_item.loopdedupe_webhook_secret.password
+    content_type = "json"
+  }
+}

tf/deployment/modules/shared/zitadel/self-hosted/project.tf

@@ -47,6 +47,12 @@ locals {
       roles        = [{ key = "Granted", grants_to = ["immich_admin", "team"] }]
       redirectUris = ["https://oauth2-proxy.internal.immich.cloud/oauth2/callback"]
     },
+    {
+      name         = "LoopDedupe"
+      roles        = [{ key = "Granted", grants_to = ["immich_admin", "team", "contributor", "support"] }]
+      authMethod   = "BASIC"
+      redirectUris = ["https://loopdedupe.internal.immich.cloud/oauth2/callback"]
+    },
     {
       name        = "OVHCloud"
       protocol    = "saml"