feat: protfolio IaC

## 🔍 Motivation & Context

I lost 5 months of work. Let us not have this happen again.

## 🔖 Related Issue

Solves #11.

## ✨ Changes

- Added `crontab` job to Gitea instance.

Reviewed-on: https://code.maximhutz.com/Web/Gitea/pulls/21
Co-authored-by: Max <git@maximhutz.me>
Co-committed-by: Max <git@maximhutz.me>

Taskfile.yml

@@ -30,6 +30,6 @@ tasks:
   runner/enter: ./ssm/runner.sh
   runner/deploy: ansible-playbook playbooks/runner/deployment.yml
   
-  repository/copy: ansible-playbook playbooks/repository.yml
+  repo/fetch: ansible-playbook playbooks/repository/fetch.yml
 
-  dev: docker compose -f compose.dev.yml up
+  dev: docker compose -f compose.dev.yml up --build --force-recreate --no-deps

compose.dev.yml

@@ -10,25 +10,24 @@ services:
   #   ports:
   #     - 80:80
 
-  # gitea:
-  #   container_name: codebase-dev-gitea
-  #   build: gitea
-  #   volumes:
-  #     - ./gitea/boot:/var/lib/gitea
-  #     - /etc/timezone:/etc/timezone:ro
-  #     - /etc/localtime:/etc/localtime:ro
-  #   ports:
-  #     - 80:80
-  #     - 443:443
-  #     - 2222:2222
-  #   environment:
-  #     GITEA_APP_INI: /etc/gitea/dev.app.ini
-  
-  runner:
-    container_name: codebase-dev-runner
-    image: gitea/act_runner
-    environment:
-      GITEA_INSTANCE_URL: "https://code.maximhutz.com/"
-      GITEA_RUNNER_REGISTRATION_TOKEN: "bgM1Ux9do7EWj6JwniXjdfs8fmjuzWgMeeNF5vhd"
+  gitea:
+    container_name: codebase-dev-gitea
+    build:
+      context: gitea
+      dockerfile: Dockerfile.dev
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 80:80
+      - 443:443
+      - 2222:2222
+  
+  # runner:
+  #   container_name: codebase-dev-runner
+  #   image: gitea/act_runner
+  #   environment:
+  #     GITEA_INSTANCE_URL: "https://code.maximhutz.com/"
+  #     GITEA_RUNNER_REGISTRATION_TOKEN: "bgM1Ux9do7EWj6JwniXjdfs8fmjuzWgMeeNF5vhd"
+  #   volumes:
+  #     - /var/run/docker.sock:/var/run/docker.sock

gitea/Dockerfile

@@ -1,5 +1,15 @@
-FROM gitea/gitea:latest-rootless
+FROM gitea/gitea:latest
 
-ADD --chown=git:git config /etc/gitea
-ADD --chown=git:git custom /etc/gitea-custom
-ENV GITEA_CUSTOM /etc/gitea-custom
+RUN apk add aws-cli xz
+
+ADD --chown=git:git custom /data/gitea
+ADD --chown=git:git entrypoint.sh /home/entrypoint.sh
+
+ADD --chown=git:git scripts /home/scripts
+RUN chmod +x /home/scripts/*
+
+ADD --chown=git:git crontab.txt /home/crontab.txt
+RUN /usr/bin/crontab /home/crontab.txt
+
+ENTRYPOINT [ "/home/entrypoint.sh" ]
+CMD [ "/usr/bin/s6-svscan", "/etc/s6" ]

gitea/Dockerfile.dev

@@ -0,0 +1,18 @@
+FROM gitea/gitea:latest
+
+RUN apk add aws-cli xz
+
+ADD --chown=git:git custom /data/gitea
+ADD --chown=git:git entrypoint.sh /home/entrypoint.sh
+
+ADD --chown=git:git scripts /home/scripts
+RUN chmod +x /home/scripts/*
+
+ADD --chown=git:git crontab.txt /home/crontab.txt
+RUN /usr/bin/crontab /home/crontab.txt
+
+RUN rm /data/gitea/conf/app.ini
+RUN mv /data/gitea/conf/dev.app.ini /data/gitea/conf/app.ini
+
+ENTRYPOINT [ "/home/entrypoint.sh" ]
+CMD [ "/usr/bin/s6-svscan", "/etc/s6" ]

gitea/crontab.txt

@@ -0,0 +1 @@
+0 0 * * * /home/scripts/push.sh >> /home/cron.log

gitea/entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Get S3 data.
+echo "Pulling data..."
+./home/scripts/pull.sh
+echo "Data pulled!"
+
+# Run crontab.
+/usr/sbin/crond -f -l 8 &
+
+# shellcheck disable=SC2068
+exec /usr/bin/entrypoint $@

gitea/scripts/pull.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+# Pull achived data.
+aws s3 cp "$BOOT_URI" /home/archive.tar.xz
+
+# Extracted Gitea data.
+mkdir -p /var/lib/gitea
+tar -xvf /home/archive.tar.xz -C /var/lib/gitea

gitea/scripts/push.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+GITEA_PROCESS="$(pgrep gitea)"
+
+# Stop Gitea.
+echo "Stopped Gitea..."
+kill -STOP "$GITEA_PROCESS"
+
+# Archive Gitea data.
+echo "Archiving..."
+cd /var/lib/gitea
+tar cfJ ../archive.tar.xz .
+cd ..
+
+# Upload to S3.
+echo "Uploading..."
+aws s3 cp archive.tar.xz "$BOOT_URI"
+
+# Restart Gitea.
+kill -CONT "$GITEA_PROCESS"
+echo "Restarted Gitea!"

playbooks/gitea/deployment.yml

@@ -20,7 +20,7 @@
         mode: get
         bucket: "{{ image_bucket }}"
         object: "{{ image_key }}"
-        dest: ~/image.tar.xz
+        dest: /root/image.tar.xz
 
         region: "{{ aws_region }}"
         access_key: "{{ aws_access_key }}"
@@ -28,7 +28,7 @@
 
     - name: Load image.
       community.docker.docker_image_load:
-        path: ~/image.tar.xz
+        path: /root/image.tar.xz
       register: image
 
     - name: Fetch repository.
@@ -36,7 +36,7 @@
         mode: get
         bucket: "{{ boot_bucket }}"
         object: "{{ boot_key }}"
-        dest: ~/boot.tar.xz
+        dest: /root/boot.tar.xz
 
         region: "{{ aws_region }}"
         access_key: "{{ aws_access_key }}"
@@ -44,9 +44,9 @@
 
     - name: Unarchive image.
       ansible.builtin.unarchive:
-        src: ~/boot.tar.xz
+        src: /root/boot.tar.xz
         remote_src: true
-        dest: "~"
+        dest: /root
         group: 1000
         owner: 1000
 
@@ -56,13 +56,17 @@
         image: "{{ image.image_names[0] }}"
         state: started
         recreate: true
-        restart_policy: always
+        restart_policy: unless-stopped
         ports: [80:80, 2222:2222]
         env:
           GITEA__security__INTERNAL_TOKEN: "{{ internal_secret }}"
           GITEA__server__LFS_JWT_SECRET: "{{ lfs_secret }}"
           GITEA__oauth2__JWT_SECRET: "{{ jwt_secret }}"
+          AWS_REGION: "{{ gitea_boot.value.region }}"
+          AWS_ACCESS_KEY_ID: "{{ gitea_boot.value.id }}"
+          AWS_SECRET_ACCESS_KEY: "{{ gitea_boot.value.secret }}"
+          BOOT_URI: "s3://{{ boot_bucket }}/{{ boot_key }}"
         volumes:
-          - ~/boot:/var/lib/gitea
+          - /root/boot:/var/lib/gitea
           - /etc/timezone:/etc/timezone:ro
           - /etc/localtime:/etc/localtime:ro

playbooks/repository/fetch.yml

@@ -1,9 +1,7 @@
----
-
 - name: Pull Gitea data.
   hosts: localhost
   vars_files:
-    ../secrets/gitea.json
+    ../../secrets/gitea.json
   tasks:
     - name: Temp file.
       ansible.builtin.tempfile:
@@ -12,8 +10,8 @@
 
     - name: Fetch from S3.
       amazon.aws.s3_object:
-        bucket: "acer-saccharum"
-        object: "codebase/gitea/boot"
+        bucket: "{{ boot_bucket }}"
+        object: "{{ boot_key }}"
         dest: "{{ file.path }}"
         mode: get
 
@@ -24,4 +22,4 @@
     - name: Unarchive image.
       ansible.builtin.unarchive:
         src: "{{ file.path }}"
-        dest: ../gitea
+        dest: ../../gitea

requirements.txt

@@ -0,0 +1,41 @@
+ansible==11.1.0
+ansible-compat==24.10.0
+ansible-core==2.18.1
+ansible-lint==24.12.2
+attrs==24.3.0
+black==24.10.0
+boto3==1.35.95
+botocore==1.35.95
+bracex==2.5.post1
+certifi==2024.12.14
+cffi==1.17.1
+charset-normalizer==3.4.1
+click==8.1.8
+cryptography==44.0.0
+filelock==3.16.1
+idna==3.10
+importlib_metadata==8.5.0
+Jinja2==3.1.5
+jmespath==1.0.1
+jsonschema==4.23.0
+jsonschema-specifications==2024.10.1
+MarkupSafe==3.0.2
+mypy-extensions==1.0.0
+packaging==24.2
+pathspec==0.12.1
+platformdirs==4.3.6
+pycparser==2.22
+python-dateutil==2.9.0.post0
+PyYAML==6.0.2
+referencing==0.35.1
+requests==2.32.3
+resolvelib==1.0.1
+rpds-py==0.22.3
+ruamel.yaml==0.18.10
+s3transfer==0.10.4
+six==1.17.0
+subprocess-tee==0.4.2
+urllib3==2.3.0
+wcmatch==10.0
+yamllint==1.35.1
+zipp==3.21.0

terraform/iam.tf

@@ -0,0 +1,31 @@
+data "aws_s3_bucket" "storage_bucket" {
+  bucket = var.gitea_boot.bucket
+}
+
+data "aws_iam_policy_document" "gitea_bool_policy" {
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:*", "s3-object-lambda:*"]
+    resources = ["${data.aws_s3_bucket.storage_bucket.arn}/${var.gitea_boot.key}"]
+  }
+}
+
+resource "aws_iam_policy" "gitea_boot_policy" {
+  name        = "${var.gitea_boot.role}Policy"
+  description = "The policy that manages the Gitea Boot."
+
+  policy = data.aws_iam_policy_document.gitea_bool_policy.json
+}
+
+resource "aws_iam_user" "gitea_boot_user" {
+  name = "${var.gitea_boot.role}User"
+}
+
+resource "aws_iam_user_policy_attachment" "attachment" {
+  user       = aws_iam_user.gitea_boot_user.name
+  policy_arn = aws_iam_policy.gitea_boot_policy.arn
+}
+
+resource "aws_iam_access_key" "gitea_boot_key" {
+  user = aws_iam_user.gitea_boot_user.name
+}

terraform/install.sh

@@ -2,10 +2,18 @@
 
 amazon-linux-extras install docker ansible2 python3.8 -y
 
+# Make Docker work.
 systemctl enable docker
 systemctl start docker
-
 usermod -a -G docker ssm-user
+
+# Set up the correct version of Python (for Ansible).
 ln -sf /usr/bin/python3.8 /usr/bin/python3
 ln -sf /usr/bin/pip3.8 /usr/bin/pip3
-pip3 install botocore boto3 requests
+pip3 install botocore boto3 requests
+
+# Add some swap space.
+sudo dd if=/dev/zero of=/swapfile bs=128M count=8
+sudo chmod 600 /swapfile
+sudo mkswap /swapfile
+sudo swapon /swapfile

terraform/outputs.tf

@@ -1,19 +1,41 @@
-# The instance ID (`i-*****************`) of the reverse proxy.
 output "public_instance_id" {
-  value = aws_instance.public.id
+  value       = aws_instance.public.id
+  description = "The instance ID (`i-*****************`) of the reverse proxy."
 }
 
-# The instance ID of the Gitea instance.
 output "private_instance_id" {
-  value = aws_instance.private.id
+  value       = aws_instance.private.id
+  description = "The instance ID of the Gitea instance."
 }
 
-# The instance ID of the Gitea runner.
 output "runner_instance_id" {
-  value = aws_instance.runner.id
+  value       = aws_instance.runner.id
+  description = "The instance ID of the Gitea runner."
 }
 
-# The private IP (not accessible from internet) of the Gitea instnace.
 output "private_instance_ip" {
-  value = aws_instance.private.private_ip
+  value       = aws_instance.private.private_ip
+  description = "The private IP (not accessible from internet) of the Gitea instnace."
+}
+
+output "gitea_boot" {
+  value = {
+    id     = aws_iam_access_key.gitea_boot_key.id
+    secret = aws_iam_access_key.gitea_boot_key.secret
+    region = var.region
+  }
+  description = "The credentials to manipulate the codebase repository boot."
+  sensitive   = true
+}
+
+output "portfolio" {
+  value = {
+    bucket = {
+      id     = aws_iam_access_key.portfolio_bucket_key.id
+      secret = aws_iam_access_key.portfolio_bucket_key.secret
+      region = var.region
+    }
+  }
+  description = "The details for the portfolio site."
+  sensitive   = true
 }

terraform/portfolio.tf

@@ -0,0 +1,59 @@
+# Create the S3 bucket.
+
+resource "aws_s3_bucket" "portfolio_bucket" {
+  bucket = var.portfolio.bucket
+
+  tags = {
+    Name        = "Portfolio Bucket"
+    Environment = "Production"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "portfolio_bucket_access" {
+  bucket = aws_s3_bucket.portfolio_bucket.id
+
+  block_public_acls   = false
+  block_public_policy = false
+}
+
+resource "aws_s3_bucket_versioning" "portfolio_bucket_access_versioning" {
+  bucket = aws_s3_bucket.portfolio_bucket.id
+
+  versioning_configuration {
+    status = "Disabled"
+  }
+}
+
+#------------------------------------------------------------------------------#
+
+# Give a user access.
+
+data "aws_iam_policy_document" "portfolio_bucket_policy_doc" {
+  statement {
+    effect  = "Allow"
+    actions = ["s3:*", "s3-object-lambda:*"]
+    resources = [
+      "${aws_s3_bucket.portfolio_bucket.arn}/*",
+      "${aws_s3_bucket.portfolio_bucket.arn}"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "portfolio_bucket_policy" {
+  name        = "${var.portfolio.role}Policy"
+  description = "The policy that manages the Portfolio Bucket."
+  policy      = data.aws_iam_policy_document.portfolio_bucket_policy_doc.json
+}
+
+resource "aws_iam_user" "portfolio_bucket_user" {
+  name = "${var.portfolio.role}User"
+}
+
+resource "aws_iam_user_policy_attachment" "portfolio_bucket_attachment" {
+  user       = aws_iam_user.portfolio_bucket_user.name
+  policy_arn = aws_iam_policy.gitea_boot_policy.arn
+}
+
+resource "aws_iam_access_key" "portfolio_bucket_key" {
+  user = aws_iam_user.portfolio_bucket_user.name
+}

terraform/variables.tf

@@ -11,4 +11,21 @@ variable "roles" {
     secret = string
   }))
   description = "The different roles that are used by Terraform."
-}
+}
+
+variable "gitea_boot" {
+  type = object({
+    bucket = string
+    key    = string
+    role   = string
+  })
+  description = "The storage for the Gitea instance."
+}
+
+variable "portfolio" {
+  type = object({
+    bucket = string
+    role   = string
+  })
+  description = "Storage for my static portfolio website."
+}