Terraform Variables Reference

Complete reference for all Terraform variables in Charon. Configure these in terraform/terraform.tfvars.

Kubernetes Configuration

kubeconfig_path

  • Type: string
  • Default: ~/.kube/config
  • Sensitive: Yes
  • Description: Path to kubeconfig file for cluster access

namespace

  • Type: string
  • Default: dev
  • Description: Kubernetes namespace for application resources

create_namespace

  • Type: bool
  • Default: true
  • Description: Whether to create the namespace (set false if it exists)

Headscale VPN

headscale_enabled

  • Type: bool
  • Default: true
  • Description: Enable Headscale VPN deployment

headscale_version

  • Type: string
  • Default: 0.23.0
  • Description: Headscale container image version

headscale_server_url

  • Type: string
  • Required: Yes
  • Sensitive: Yes
  • Description: Public URL where Headscale is accessible (e.g., https://vpn.example.com)

headscale_nodeport

  • Type: number
  • Default: 30080
  • Description: NodePort for Headscale HTTP API (range: 30000-32767)

headscale_grpc_nodeport

  • Type: number
  • Default: 30443
  • Description: NodePort for Headscale gRPC API (range: 30000-32767)

headscale_ip_prefix

  • Type: string
  • Default: 100.64.0.0/10
  • Description: IP prefix for VPN network (CGNAT range recommended)

headscale_base_domain

  • Type: string
  • Default: vpn.local
  • Description: Base domain for MagicDNS hostname resolution

headscale_magic_dns

  • Type: bool
  • Default: true
  • Description: Enable MagicDNS for VPN hostnames

headscale_storage

  • Type: string
  • Default: 1Gi
  • Description: Storage size for Headscale SQLite database

cert-manager

cert_manager_enabled

  • Type: bool
  • Default: true
  • Description: Enable cert-manager for TLS certificate management

cert_manager_namespace

  • Type: string
  • Default: cert-manager
  • Description: Namespace for cert-manager deployment

cert_manager_version

  • Type: string
  • Default: v1.14.0
  • Description: cert-manager Helm chart version

cert_manager_email

  • Type: string
  • Required: Yes
  • Sensitive: Yes
  • Description: Email address for Let's Encrypt certificate notifications

cert_issuer

  • Type: string
  • Default: letsencrypt-staging
  • Description: Let's Encrypt issuer (letsencrypt-staging or letsencrypt-prod)
  • Note: Use staging for testing to avoid rate limits

Ingress Controllers

ingress_class_name

  • Type: string
  • Default: nginx
  • Description: Ingress class name for internal VPN-only access

ingress_external_class_name

  • Type: string
  • Default: nginx-external
  • Description: Ingress class for services requiring public access (e.g., Headscale enrollment)

ingress_enabled

  • Type: bool
  • Default: true
  • Description: Enable Ingress for services (required for TLS)

ingress_namespace

  • Type: string
  • Default: ingress-nginx
  • Description: Namespace for internal NGINX Ingress Controller

ingress_external_namespace

  • Type: string
  • Default: ingress-nginx-external
  • Description: Namespace for external NGINX Ingress Controller

nginx_ingress_enabled

  • Type: bool
  • Default: true
  • Description: Enable NGINX Ingress Controller deployment

nginx_ingress_version

  • Type: string
  • Default: 4.11.3
  • Description: NGINX Ingress Controller Helm chart version

Cloudflare DNS

cloudflare_api_token

  • Type: string
  • Required: Yes
  • Sensitive: Yes
  • Description: Cloudflare API token with DNS edit permissions

cloudflare_zone_id

  • Type: string
  • Required: Yes
  • Sensitive: Yes
  • Description: Cloudflare Zone ID for your domain

domain_name

  • Type: string
  • Required: Yes
  • Sensitive: Yes
  • Description: Primary domain name (e.g., example.com)

Service Configuration

FreeIPA

freeipa_enabled

  • Type: bool
  • Default: false
  • Description: Enable FreeIPA identity management deployment

freeipa_hostname

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: Hostname for FreeIPA ingress (e.g., freeipa.example.com)

freeipa_domain

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: FreeIPA domain (e.g., dev.svc.cluster.local)

freeipa_realm

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: FreeIPA Kerberos realm (e.g., DEV.SVC.CLUSTER.LOCAL)

freeipa_admin_password

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: FreeIPA admin user password

freeipa_replicas

  • Type: number
  • Default: 1
  • Description: Number of FreeIPA replicas for high availability

Grafana

grafana_enabled

  • Type: bool
  • Default: true
  • Description: Enable Grafana monitoring deployment

grafana_version

  • Type: string
  • Default: 8.5.0
  • Description: Grafana Helm chart version

grafana_hostname

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: Hostname for Grafana ingress (e.g., grafana.example.com)

grafana_ingress_enabled

  • Type: bool
  • Default: true
  • Description: Enable ingress for Grafana

grafana_admin_password

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: Grafana admin user password

grafana_cpu_request

  • Type: string
  • Default: 500m
  • Description: Grafana container CPU request

grafana_memory_request

  • Type: string
  • Default: 512Mi
  • Description: Grafana container memory request

grafana_cpu_limit

  • Type: string
  • Default: 1
  • Description: Grafana container CPU limit

grafana_memory_limit

  • Type: string
  • Default: 1Gi
  • Description: Grafana container memory limit

grafana_tailscale_enabled

  • Type: bool
  • Default: true
  • Description: Enable Tailscale sidecar for Grafana VPN connectivity

grafana_dashboards_git_enabled

  • Type: bool
  • Default: false
  • Description: Enable Git sync for Grafana dashboards

grafana_dashboards_git_repo

  • Type: string
  • Sensitive: Yes
  • Default: ""
  • Description: Git repository URL for dashboards (HTTPS for private repos)

grafana_dashboards_git_branch

  • Type: string
  • Default: main
  • Description: Git branch for Grafana dashboards

grafana_dashboards_git_token

  • Type: string
  • Sensitive: Yes
  • Default: ""
  • Description: Git repository token for private repos

grafana_dashboards_git_sync_interval

  • Type: number
  • Default: 60
  • Description: Git sync interval in seconds

Open-WebUI

open_webui_enabled

  • Type: bool
  • Default: true
  • Description: Enable Open-WebUI AI chat deployment

open_webui_version

  • Type: string
  • Default: 0.6.40
  • Description: Open-WebUI Helm chart version

open_webui_hostname

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: Hostname for Open-WebUI ingress (e.g., ai.example.com)

open_webui_ingress_enabled

  • Type: bool
  • Default: true
  • Description: Enable ingress for Open-WebUI

open_webui_cpu_request

  • Type: string
  • Default: 500m
  • Description: Open-WebUI container CPU request

open_webui_memory_request

  • Type: string
  • Default: 1Gi
  • Description: Open-WebUI container memory request

open_webui_cpu_limit

  • Type: string
  • Default: 2
  • Description: Open-WebUI container CPU limit

open_webui_memory_limit

  • Type: string
  • Default: 2Gi
  • Description: Open-WebUI container memory limit

open_webui_storage

  • Type: string
  • Default: 10Gi
  • Description: Storage size for Open-WebUI data

open_webui_open_api_keys

  • Type: string
  • Sensitive: Yes
  • Default: ""
  • Description: Semicolon-separated OpenAI API keys

open_webui_tailscale_enabled

  • Type: bool
  • Default: true
  • Description: Enable Tailscale sidecar for VPN connectivity

open_webui_ollama_enabled

  • Type: bool
  • Default: true
  • Description: Enable bundled Ollama in Open-WebUI

Ollama

ollama_enabled

  • Type: bool
  • Default: true
  • Description: Enable Ollama LLM deployment

ollama_image

  • Type: string
  • Default: ollama/ollama:latest
  • Description: Ollama container image

ollama_cpu_request

  • Type: string
  • Default: 500m
  • Description: Ollama container CPU request

ollama_memory_request

  • Type: string
  • Default: 1Gi
  • Description: Ollama container memory request

ollama_cpu_limit

  • Type: string
  • Default: 4
  • Description: Ollama container CPU limit

ollama_memory_limit

  • Type: string
  • Default: 8Gi
  • Description: Ollama container memory limit

ollama_storage

  • Type: string
  • Default: 50Gi
  • Description: Storage size for Ollama models

Redmine

redmine_enabled

  • Type: bool
  • Default: true
  • Description: Enable Redmine project management deployment

redmine_image

  • Type: string
  • Default: redmine:6.0
  • Description: Redmine container image

redmine_hostname

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: Hostname for Redmine ingress (e.g., redmine.example.com)

redmine_ingress_enabled

  • Type: bool
  • Default: true
  • Description: Enable ingress for Redmine

redmine_db_host

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: PostgreSQL database host (external)

redmine_db_port

  • Type: number
  • Default: 22110
  • Description: PostgreSQL database port

redmine_db_name

  • Type: string
  • Default: redmine
  • Description: PostgreSQL database name

redmine_db_user

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: PostgreSQL database username

redmine_db_password

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: PostgreSQL database password

redmine_cpu_request

  • Type: string
  • Default: 500m
  • Description: Redmine container CPU request

redmine_memory_request

  • Type: string
  • Default: 1Gi
  • Description: Redmine container memory request

redmine_cpu_limit

  • Type: string
  • Default: 2
  • Description: Redmine container CPU limit

redmine_memory_limit

  • Type: string
  • Default: 2Gi
  • Description: Redmine container memory limit

redmine_tailscale_enabled

  • Type: bool
  • Default: false
  • Description: Enable Tailscale sidecar for VPN connectivity

vLLM

vllm_enabled

  • Type: bool
  • Default: true
  • Description: Enable vLLM model deployment

huggingface_token

  • Type: string
  • Required: Yes (if enabled)
  • Sensitive: Yes
  • Description: Hugging Face API token for accessing private models

vllm_hermes_replica_count

  • Type: number
  • Default: 0
  • Description: Number of replicas for Hermes 3 8B model

vllm_deepseek_replica_count

  • Type: number
  • Default: 1
  • Description: Number of replicas for DeepSeek Coder 6.7B model

Monitoring Stack

prometheus_enabled

  • Type: bool
  • Default: true
  • Description: Enable Prometheus metrics deployment

prometheus_version

  • Type: string
  • Default: 27.47.0
  • Description: Prometheus container image version

prometheus_storage

  • Type: string
  • Default: 50Gi
  • Description: Storage size for Prometheus data

prometheus_cpu_request

  • Type: string
  • Default: 100m
  • Description: Prometheus container CPU request

prometheus_memory_request

  • Type: string
  • Default: 256Mi
  • Description: Prometheus container memory request

prometheus_cpu_limit

  • Type: string
  • Default: 500m
  • Description: Prometheus container CPU limit

prometheus_memory_limit

  • Type: string
  • Default: 1Gi
  • Description: Prometheus container memory limit

monitoring_namespace

  • Type: string
  • Default: monitoring
  • Description: Namespace for monitoring services

loki_enabled

  • Type: bool
  • Default: false
  • Description: Enable Loki log aggregation

loki_version

  • Type: string
  • Default: 5.40.0
  • Description: Loki Helm chart version

loki_storage

  • Type: string
  • Default: 100Gi
  • Description: Storage size for Loki log data

Storage

block_storage_class

  • Type: string
  • Default: standard
  • Description: Default block storage class for persistent volumes

block_storage_class_retain

  • Type: string
  • Default: standard
  • Description: Block storage class with retention policy

rwx_storage_enabled

  • Type: bool
  • Default: true
  • Description: Enable RWX storage with Linode Block Storage + Samba CIFS

linode_token

  • Type: string
  • Sensitive: Yes
  • Description: Linode API token for managing Block Storage volumes

Node Affinity

cpu_node_label_key

  • Type: string
  • Default: node-type
  • Description: Node label key to identify CPU nodes

cpu_node_label_value

  • Type: string
  • Default: cpu
  • Description: Node label value for CPU nodes

gpu_accelerator_labels

  • Type: list(string)
  • Default: ["nvidia-tesla-k80", "nvidia-tesla-v100", "nvidia-a100"]
  • Description: GPU accelerator labels to avoid for CPU workloads

Example terraform.tfvars

# Cloudflare Configuration
cloudflare_zone_id    = "your-zone-id-here"
cloudflare_api_token  = "your-api-token-here"
domain_name           = "example.com"

# cert-manager
cert_manager_email    = "admin@example.com"
cert_issuer           = "letsencrypt-prod"

# Headscale VPN
headscale_server_url  = "https://vpn.example.com"
headscale_enabled     = true

# Services
grafana_enabled       = true
grafana_hostname      = "grafana.example.com"
grafana_admin_password = "your-secure-password"

open_webui_enabled    = true
open_webui_hostname   = "ai.example.com"

freeipa_enabled       = true
freeipa_hostname      = "freeipa.example.com"
freeipa_domain        = "dev.svc.cluster.local"
freeipa_realm         = "DEV.SVC.CLUSTER.LOCAL"
freeipa_admin_password = "your-secure-password"

redmine_enabled       = true
redmine_hostname      = "redmine.example.com"
redmine_db_host       = "postgres.external.com"
redmine_db_user       = "redmine"
redmine_db_password   = "your-secure-password"
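As an added example (not part of the Charon project or this reference), the script below lints a terraform.tfvars written in the one-line form shown above against constraints this page states: credential variables marked Sensitive that are committed as literals (Terraform also reads any variable from a TF_VAR_<name> environment variable), NodePorts outside 30000-32767, and a cert_issuer other than the two listed values. The sample tfvars embedded in it is constructed.

```python
"""Lint a Charon terraform.tfvars against constraints stated in this reference.
Added example, not Charon code; handles the one-line `name = value` form of the example tfvars."""
import re

# Credential variables this reference marks Sensitive. Terraform also reads a variable
# from the TF_VAR_<name> environment variable, so none of them need to be in the file.
CREDENTIALS = {"cloudflare_api_token", "grafana_admin_password", "freeipa_admin_password",
               "redmine_db_password", "huggingface_token", "linode_token",
               "grafana_dashboards_git_token", "open_webui_open_api_keys"}
NODEPORTS = {"headscale_nodeport", "headscale_grpc_nodeport"}
ISSUERS = {"letsencrypt-staging", "letsencrypt-prod"}
# name = "quoted"  or  name = bare; anything after the value (e.g. a comment) is ignored
LINE_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|(\S+))')

def parse_tfvars(text):
    """Quoted values stay str; bare true/false and integers are converted."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # blank line or '#' comment line
            continue
        name, quoted, bare = m.groups()
        if quoted is not None:
            out[name] = quoted
        elif bare in ("true", "false"):
            out[name] = bare == "true"
        else:
            out[name] = int(bare) if bare.isdigit() else bare
    return out

def lint_tfvars(text):
    """One finding per violation; an empty list means the file passes."""
    vars_ = parse_tfvars(text)
    findings = []
    for name in sorted(CREDENTIALS.intersection(vars_)):
        if vars_[name] != "":
            findings.append(f"{name}: credential stored as a literal; export TF_VAR_{name} instead")
    for name in sorted(NODEPORTS.intersection(vars_)):
        port = vars_[name]
        if not (isinstance(port, int) and 30000 <= port <= 32767):
            findings.append(f"{name}: {port!r} is outside the NodePort range 30000-32767")
    issuer = vars_.get("cert_issuer")
    if issuer is not None and issuer not in ISSUERS:
        findings.append(f"cert_issuer: {issuer!r} must be letsencrypt-staging or letsencrypt-prod")
    return findings

# Constructed sample modelled on the example tfvars above; two values are deliberately wrong.
SAMPLE = '''cloudflare_api_token  = "your-api-token-here"   # should come from TF_VAR_cloudflare_api_token
cert_issuer           = "letsencrypt-production"
headscale_nodeport    = 8080'''
```

Calling `lint_tfvars(SAMPLE)` returns three findings: the literal API token, the out-of-range NodePort and the unrecognised issuer; run it on the real file with `lint_tfvars(open("terraform/terraform.tfvars").read())`.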
