feat: moved to git subdomain

Taskfile.yml

@@ -1,23 +1,16 @@
 version: 3
-env: { TF: terraform -chdir=terraform }
 silent: true
 
+includes:
+  tf: { taskfile: terraform, dir: terraform }
+
 tasks:
   dev: docker compose -f compose.dev.yml up --build --force-recreate --no-deps
 
-  tf/init: $TF init -backend-config=backend.tfvars
-  tf/plan: $TF plan -var-file=secret.tfvars
-  tf/destroy: $TF destroy
-  tf/format: $TF fmt -recursive
-  tf/apply: 
-    - $TF apply -var-file=secret.tfvars
-    - $TF output -json > secrets.tf.json
-  tf/import:
-    - $TF import -var-file=secret.tfvars {{.CLI_ARGS}}
 
   build: ansible-playbook playbooks/build.yml
   deploy: ansible-playbook playbooks/deploy.yml
-  restore: ansible-playbook playbooks/restore.yml
+  restore: ansible-playbook playbooks/restore.yml -e "restore_bucket={{.BUCKET}} restore_key={{.KEY}}"
   run:
      - task: build
      - task: deploy
@@ -25,14 +18,14 @@ tasks:
   enter:
     cmd: aws ssm start-session --target $INSTANCE_ID
     env:
-      INSTANCE_ID: { sh: jq -r .instance_id.value < secrets.tf.json }
-      AWS_REGION: { sh: jq -r .aws_region < secrets/gitea.json }
-      AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < secrets/gitea.json }
-      AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < secrets/gitea.json }
+      INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.tf.json }
+      AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json }
+      AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json }
+      AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json }
   
-  prune:
-    - docker system prune -af
-    - docker image prune -af
-    - docker system prune -af --volumes
-    - docker volume prune -af
-    - docker system df
+  push:
+    dir: gitea
+    cmds:
+      - docker build -t web/git . -f Dockerfile --platform linux/amd64,linux/arm64
+      - docker login code.maximhutz.com
+      - defer: docker logout

gitea/Dockerfile

@@ -2,8 +2,4 @@ FROM gitea/gitea:latest-rootless
 
 ADD --chown=git:git config /etc/gitea
 ADD --chown=git:git custom /etc/gitea-custom
-ENV GITEA_CUSTOM /etc/gitea-custom
-
-WORKDIR /etc/gitea-custom
-
-RUN gitea cert --host localhost --ca
+ENV GITEA_CUSTOM=/etc/gitea-custom

gitea/Dockerfile.dev

@@ -2,11 +2,11 @@ FROM gitea/gitea:latest-rootless
 
 ADD --chown=git:git config /etc/gitea
 ADD --chown=git:git custom /etc/gitea-custom
-ENV GITEA_CUSTOM /etc/gitea-custom
+ENV GITEA_CUSTOM=/etc/gitea-custom
 
 RUN rm /etc/gitea/app.ini
 RUN mv /etc/gitea/dev.app.ini /etc/gitea/app.ini
 
 WORKDIR /etc/gitea-custom
 
-RUN gitea cert --host code.maximhutz.com --ca
+RUN gitea cert --host localhost --ca

gitea/config/app.ini

@@ -24,31 +24,31 @@ DISABLE_SSH = false
 START_SSH_SERVER = true
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
-SSH_DOMAIN = code.maximhutz.com
+SSH_DOMAIN = git.maximhutz.com
 BUILTIN_SSH_SERVER_USER = git
 
 ; --- Signed SSL ---
-; PROTOCOL=https
-; ENABLE_ACME=true
-; ACME_ACCEPTTOS=true
-; ACME_DIRECTORY=https
-; ACME_EMAIL=proxy@maximhutz.com
-; DOMAIN = code.maximhutz.com
-; ROOT_URL = https://code.maximhutz.com/
-; HTTP_PORT = 443
+PROTOCOL=https
+ENABLE_ACME=true
+ACME_ACCEPTTOS=true
+ACME_DIRECTORY=https
+ACME_EMAIL=proxy@maximhutz.com
+DOMAIN = git.maximhutz.com
+ROOT_URL = https://git.maximhutz.com/
+HTTP_PORT = 443
 
 ; --- No SSL ---
-; DOMAIN = code.maximhutz.com
-; ROOT_URL = http://code.maximhutz.com/
+; DOMAIN = git.maximhutz.com
+; ROOT_URL = http://git.maximhutz.com/
 ; HTTP_PORT = 80
 
 ; --- Self-Signed SSL ---
-PROTOCOL  = https
-ROOT_URL  = https://code.maximhutz.com/
-DOMAIN = code.maximhutz.com
-HTTP_PORT = 443
-CERT_FILE = cert.pem
-KEY_FILE  = key.pem
+# PROTOCOL  = https
+# ROOT_URL  = https://git.maximhutz.com/
+# DOMAIN = git.maximhutz.com
+# HTTP_PORT = 443
+# CERT_FILE = cert.pem
+# KEY_FILE  = key.pem
 
 [database]
 DB_TYPE = sqlite3

playbooks/build.yml

@@ -1,6 +1,7 @@
 - name: Make build artifact.
   hosts: localhost
-  vars_files: ../secrets/gitea.json
+  vars_files: ../config/ansible.secret.json
+  gather_facts: false
   tasks:
     - name: Build image.
       community.docker.docker_image_build:

playbooks/deploy.yml

@@ -1,9 +1,10 @@
 - name: Deploy artifact to instance.
   hosts: localhost
   become: true
+  gather_facts: false
   vars_files:
-    - ../secrets/gitea.json
-    - ../secrets.tf.json
+    - ../config/ansible.secret.json
+    - ../config/infrastructure.secret.tf.json
   vars:
     ansible_connection: aws_ssm
     ansible_python_interpreter: /usr/bin/python3
@@ -26,15 +27,17 @@
         access_key: "{{ aws_access_key }}"
         secret_key: "{{ aws_secret_key }}"
 
+    - name: Create data directory.
+      ansible.builtin.file:
+        path: /home/ssm-user/data
+        state: directory
+        mode: '0777'
+
     - name: Load image.
       community.docker.docker_image_load:
         path: /root/image.tar.gz
       register: image
 
-    - name: Create a volume.
-      community.docker.docker_volume:
-        name: data
-
     - name: Run image.
       community.docker.docker_container:
         name: server

playbooks/restore.yml

@@ -1,9 +1,10 @@
 - name: Deploy artifact to instance.
   hosts: localhost
   become: true
+  gather_facts: false
   vars_files:
-    - ../secrets/gitea.json
-    - ../secrets.tf.json
+    - ../config/ansible.secret.json
+    - ../config/infrastructure.secret.tf.json
   vars:
     ansible_connection: aws_ssm
     ansible_python_interpreter: /usr/bin/python3
@@ -27,23 +28,38 @@
         access_key: "{{ boot_id.value }}"
         secret_key: "{{ boot_secret.value }}"
       amazon.aws.s3_object:
-        bucket: "{{ boot_bucket }}"
-        object: "{{ boot_key }}"
-        dest: /home/ssm-user/backup.tar.xz
+        bucket: "{{ restore_bucket | mandatory(msg='You must specify the bucket of the data.') }}"
+        object: "{{ restore_key | mandatory(msg='You must specify the key of the data.') }}"
+        dest: /home/ssm-user/backup.tar.gz
         mode: get
 
     - name: Ensure backup directory exists.
       ansible.builtin.file:
-        path: /home/ssm-user/data
+        path: /home/ssm-user/backup
         state: directory
         mode: '0777'
 
     - name: Extract backup.
       ansible.builtin.unarchive:
-        src: /home/ssm-user/backup.tar.xz
-        dest: /home/ssm-user/data
+        src: /home/ssm-user/backup.tar.gz
+        dest: /home/ssm-user/backup
         remote_src: true
 
+    - name: Move backup files to data folder.
+      ansible.builtin.copy:
+        remote_src: true
+        src: /home/ssm-user/backup/backup/my-app-backup/
+        dest: /home/ssm-user/data/
+        mode: '0777'
+
+    - name: Update permissions.
+      ansible.builtin.file:
+        path: /home/ssm-user/data
+        recurse: true
+        mode: '0777'
+        owner: 1000
+        group: 1000
+
     - name: Restart containers.
       community.docker.docker_container:
         name: "{{ item }}"

terraform/Taskfile.yml

@@ -0,0 +1,18 @@
+version: 3
+silent: true
+
+vars:
+  BACKEND: ../config/backend.secret.tf.json
+  VARIABLES: ../config/variables.secret.tf.json
+  OUTPUT: ../config/infrastructure.secret.tf.json
+
+tasks:
+  init: terraform init -backend-config={{.BACKEND}}
+  plan: terraform plan -var-file={{.VARIABLES}}
+  destroy: terraform destroy
+  format: terraform fmt -recursive
+  out: terraform output -json > {{.OUTPUT}}
+  apply: 
+    - terraform apply -var-file={{.VARIABLES}}
+    - task: out
+  import: terraform import -var-file={{.VARIABLES}} {{.CLI_ARGS}}

terraform/iam.tf

@@ -4,8 +4,8 @@ data "aws_s3_bucket" "storage_bucket" {
 
 data "aws_iam_policy_document" "boot" {
   statement {
-    effect    = "Allow"
-    actions   = ["s3:*", "s3-object-lambda:*"]
+    effect  = "Allow"
+    actions = ["s3:*", "s3-object-lambda:*"]
     resources = [
       "${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}",
       "${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}/*",

terraform/install.sh

@@ -6,7 +6,6 @@ amazon-linux-extras install docker ansible2 python3.8 -y
 # Make Docker work.
 systemctl enable docker
 systemctl start docker
-sudo usermod -aG docker ssm-user
 
 # Set up the correct version of Python (for Ansible).
 ln -sf /usr/bin/python3.8 /usr/bin/python3
@@ -26,3 +25,6 @@ service sshd stop
 # Install Docker Compose.
 curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
 chmod +x /usr/local/bin/docker-compose
+
+# ERROR: SSM User not created yet.
+sudo usermod -aG docker ssm-user

terraform/main.tf

@@ -1,6 +1,6 @@
 # An elastic IP, so if the reverse proxy is modified, the route tables won't.
 resource "aws_eip" "public" {
-  instance = aws_instance.gitea.id
+  instance = aws_instance.this.id
   domain   = "vpc"
 }
 
@@ -9,7 +9,7 @@ data "aws_iam_instance_profile" "ssm" {
 }
 
 # The Gitea instance.
-resource "aws_instance" "gitea" {
+resource "aws_instance" "this" {
   # ami           = data.aws_ami.amazon-linux-2.id
   ami           = "ami-0adec96dc0cdc7bca"
   instance_type = "t4g.nano"
@@ -20,6 +20,10 @@ resource "aws_instance" "gitea" {
 
   iam_instance_profile   = data.aws_iam_instance_profile.ssm.name
   vpc_security_group_ids = [aws_security_group.public_access.id]
+  
+  metadata_options {
+    http_tokens = "required"
+  }
 
   root_block_device {
     volume_type = "gp3"
@@ -30,3 +34,8 @@ resource "aws_instance" "gitea" {
     Name = "Codebase: Gitea"
   }
 }
+
+resource "aws_ec2_instance_state" "this" {
+  instance_id = aws_instance.this.id
+  state       = "running"
+}

terraform/network.tf

@@ -20,7 +20,7 @@ module "vpc" {
   public_subnets  = [cidrsubnet(local.vpc_cidr, 8, 4)]
 
   private_subnet_tags = { SubnetOf = "Main", SubnetType = "Private" }
-  public_subnet_tags = { SubnetOf = "Main", SubnetType = "Public" }
+  public_subnet_tags  = { SubnetOf = "Main", SubnetType = "Public" }
 
   map_public_ip_on_launch = true
   enable_dns_hostnames    = true

terraform/output.tf

@@ -1,27 +1,27 @@
 output "instance_id" {
-  value       = aws_instance.gitea.id
+  value       = aws_instance.this.id
   description = "The instance ID of the Gitea instance."
 }
 
 output "ip_address" {
-  value       = aws_instance.gitea.private_ip
+  value       = aws_instance.this.private_ip
   description = "The Gitea IP address."
 }
 
 output "boot_region" {
-  value = var.aws_region
+  value       = var.aws_region
   description = "The region to manipulate the codebase repository boot."
   sensitive   = true
 }
 
 output "boot_id" {
-  value = module.boot_user.iam_access_key_id
+  value       = module.boot_user.iam_access_key_id
   description = "The access id to manipulate the codebase repository boot."
   sensitive   = true
 }
 
 output "boot_secret" {
-  value = module.boot_user.iam_access_key_secret
+  value       = module.boot_user.iam_access_key_secret
   description = "The access secret to manipulate the codebase repository boot."
   sensitive   = true
 }

terraform/routing.tf

@@ -6,7 +6,7 @@ data "aws_route53_zone" "main" {
 # Push all domain traffic through the reverse proxy.
 resource "aws_route53_record" "domain" {
   zone_id = data.aws_route53_zone.main.zone_id
-  name    = "code.${data.aws_route53_zone.main.name}"
+  name    = "git.${data.aws_route53_zone.main.name}"
   type    = "A"
   ttl     = "60"
   records = [aws_eip.public.public_ip]

terraform/variables.tf

@@ -14,16 +14,16 @@ variable "aws_secret" {
 }
 
 variable "boot_bucket" {
-  type = string
+  type        = string
   description = "The name of the bucket to store the boot in."
 }
 
 variable "boot_key" {
-  type = string
+  type        = string
   description = "The path that will hold the boot data."
 }
 
 variable "boot_role" {
-  type = string
+  type        = string
   description = "The name of the role for boot access."
 }