From 829df54ae9c55bb745e411ddd19b8a7bdae2e57c Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 13 Feb 2025 15:50:39 -0500
Subject: [PATCH] feat: runner infrastructure is built
---
 .gitignore | 1 +
 Taskfile.yml | 19 +++++++++++++++++++
 terraform/.terraform.lock.hcl | 24 ++++++++++++++++++++++++
 terraform/Taskfile.yml | 18 ++++++++++++++++++
 terraform/install.sh | 30 ++++++++++++++++++++++++++++++
 terraform/main.tf | 29 +++++++++++++++++++++++++++++
 terraform/outputs.tf | 4 ++++
 terraform/providers.tf | 11 +++++++++++
 terraform/variables.tf | 14 ++++++++++++++
 9 files changed, 150 insertions(+)
 create mode 100644 Taskfile.yml
 create mode 100644 terraform/.terraform.lock.hcl
 create mode 100644 terraform/Taskfile.yml
 create mode 100644 terraform/install.sh
 create mode 100644 terraform/main.tf
 create mode 100644 terraform/outputs.tf
 create mode 100644 terraform/providers.tf
 create mode 100644 terraform/variables.tf
diff --git a/.gitignore b/.gitignore
index c726e99..158b044 100644
--- a/.gitignore
+++ b/.gitignore
@@ -210,3 +210,4 @@ cython_debug/
 # option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+*secret*
\ No newline at end of file
diff --git a/Taskfile.yml b/Taskfile.yml
new file mode 100644
index 0000000..d118a19
--- /dev/null
+++ b/Taskfile.yml
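Review bot: The `*secret*` glob only keeps untracked files out of `git add`; anything already committed stays tracked, and the Taskfiles in this same commit read AWS access and secret keys from `config/ansible.secret.json` and `config/variables.secret.json`, so one mis-named config file would put long-lived credentials in history. A pre-commit secret scanner such as gitleaks is a better backstop than a filename pattern. At minimum the convention deserves a comment next to the pattern, `# Local credential/config files (config/*.secret.json) must never be committed.`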
@@ -0,0 +1,19 @@
+version: 3
+
+includes:
+ tf: { taskfile: terraform, dir: terraform }
+
+tasks:
+ dev: docker compose -f compose.dev.yml up --build --force-recreate --no-deps
+
+ deploy:fast: ansible-playbook playbooks/fast.yml
+ deploy:slow: ansible-playbook playbooks/slow.yml
+ deploy:restore: ansible-playbook playbooks/restore.yml -e "restore_bucket={{.BUCKET}} restore_key={{.KEY}}"
+
+ enter:
+ cmd: aws ssm start-session --target $INSTANCE_ID
+ env:
+ INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.json }
+ AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json }
+ AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json }
+ AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json }
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..7471eb9
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
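Review bot: The `enter` task exports static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` read from a plaintext JSON file into the environment of the child process; pointing the CLI at a named profile via `AWS_PROFILE` (SSO or `credential_process` backed) keeps long-lived keys out of shell environments and process listings. `$INSTANCE_ID` on the `cmd:` line is unquoted, and if `config/infrastructure.secret.json` is missing or `jq` fails the variable is empty and the session is started with a blank `--target`; `cmd: aws ssm start-session --target "${INSTANCE_ID:?run 'task tf:out' first}"` fails early with a useful message instead. `deploy:restore` splices `{{.BUCKET}}` and `{{.KEY}}` into a single `-e` string, so a value containing whitespace or quotes breaks the extra-vars parsing; if the Task version in use supports it, declaring them under `requires: { vars: [BUCKET, KEY] }` at least catches the unset case.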
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.86.1"
+ hashes = [
+ "h1:IekGV22ML8NcKlhaAceeWdHdXAWfFLJYaslIEkpMHps=",
+ "zh:0c5901c55f9bc0d353c48aa29e08d7152055dd296f3b60e1fe1634af8a7d32e4",
+ "zh:26ddfc89d2a410492e31f1014bbf5388f871cb67d01e80255bde3e22a468e8a6",
+ "zh:380c57474796e680c4477c4a69810db9389ce2717ff2da8d0f06716247dd1295",
+ "zh:53bf6f567be4348ddd566792fccddd9db6104111e619aa4042afb594b9a5cc75",
+ "zh:575c41544fd4ac969d59ecdff66428583c228a20a4893d238414e932bb2f2dc0",
+ "zh:63d9473a2f55f4941e98cb2fcc7031b4266c1cdc40a8f96d52b7d29504984da3",
+ "zh:6ec72fbc68f608a4e947a0b1356b14791330a425b7ebd3125e8023693bb37ec8",
+ "zh:729a0853f9ca42b60993d6233b80e1fea52cc5c9401693cef83ade502f51e3e8",
+ "zh:750eda82a9bde02a999677cdeb1e6d69b0d7af783e8d629c813da9be3ee6d493",
+ "zh:90f70d5b31bdae6b7f3aee9b2b618168a32f434eb976b935d907c95271e7e692",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9cbf0464984b19a5a9027e8b03ebf1b56761c73f97171013b29f2d525ba91587",
+ "zh:aec08a2374a5cdaac3df3d6a39d98aaf58a3e0a500259b791a2dc5693280bc4b",
+ "zh:b638d8bd8ad11f14f7811696edcf744df07ea0f5c6033f59f3b325f921b7f54c",
+ "zh:bb862a4d11da06fff7c04978769cd100547bbf4735f64bfe2374b289e41a5147",
+ ]
+}
diff --git a/terraform/Taskfile.yml b/terraform/Taskfile.yml
new file mode 100644
index 0000000..4f51aec
--- /dev/null
+++ b/terraform/Taskfile.yml
@@ -0,0 +1,18 @@
+version: 3
+silent: true
+
+vars:
+ BACKEND: ../config/backend.secret.json
+ VARIABLES: ../config/variables.secret.json
+ OUTPUT: ../config/infrastructure.secret.json
+
+tasks:
+ init: terraform init -backend-config={{.BACKEND}}
+ plan: terraform plan -var-file={{.VARIABLES}}
+ destroy: terraform destroy
+ format: terraform fmt -recursive
+ out: terraform output -json > {{.OUTPUT}}
+ apply:
+ - terraform apply -var-file={{.VARIABLES}}
+ - task: out
+ import: terraform import -var-file={{.VARIABLES}} {{.CLI_ARGS}}
\ No newline at end of file
diff --git a/terraform/install.sh b/terraform/install.sh
new file mode 100644
index 0000000..bcb2efd
--- /dev/null
+++ b/terraform/install.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+rpm --rebuilddb
+amazon-linux-extras install docker ansible2 python3.8 -y
+
+# Make Docker work.
+systemctl enable docker
+systemctl start docker
+
+# Set up the correct version of Python (for Ansible).
+ln -sf /usr/bin/python3.8 /usr/bin/python3
+ln -sf /usr/bin/pip3.8 /usr/bin/pip3
+pip3 install botocore boto3 requests packaging
+python3 -m pip install -U pip
+
+# Add some swap space.
+dd if=/dev/zero of=/swapfile bs=128M count=8
+chmod 600 /swapfile
+mkswap /swapfile
+swapon /swapfile
+
+# Stop SSH (because we have SSM.)
+service sshd stop
+
+# Install Docker Compose.
+curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+chmod +x /usr/local/bin/docker-compose
+
+# ERROR: SSM User not created yet.
+sudo usermod -aG docker ssm-user
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..0ccb78e
--- /dev/null
+++ b/terraform/main.tf
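Review bot: `destroy: terraform destroy` omits `-var-file={{.VARIABLES}}` while `plan`, `apply` and `import` all pass it; since `variables.tf` in this commit declares `aws_region`, `aws_access` and `aws_secret` with no defaults, Terraform will prompt for them interactively (or fail with `-input=false`). The one-line fix is `destroy: terraform destroy -var-file={{.VARIABLES}}`. The `../config/...` paths under `vars:` only resolve because the root Taskfile's `includes` entry sets `dir: terraform`; a comment there, `# Paths are relative to terraform/, which the root Taskfile sets as the working dir.`, would save the next reader a surprise.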
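Review bot: The Docker Compose install at `curl -L ".../releases/latest/download/..."` fetches whichever binary is latest at boot, as root, with no integrity check; pin a release tag in the URL, download the matching `.sha256` asset that the compose project publishes next to each binary, and run `sha256sum -c` on it before the `chmod +x`. `service sshd stop` only stops the daemon for the current boot, so sshd is back after a reboot; `systemctl disable --now sshd` matches what the comment intends. The script has no `set -e`, so a failed step (the `amazon-linux-extras` install, the `curl`) is skipped silently and the instance still comes up looking healthy. The final `sudo usermod -aG docker ssm-user` is redundant (user_data already runs as root) and, per its own comment, fails because `ssm-user` does not exist yet; note that `docker` group membership is root-equivalent on the host, so if it is kept it should be a deliberate, documented choice rather than a leftover `# ERROR:` line.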
@@ -0,0 +1,29 @@
+data "aws_subnet" "public" {
+ tags = { SubnetOf = "Main", SubnetType = "Public" }
+}
+
+# An instance profile for access via AWS SSM.
+data "aws_iam_instance_profile" "ssm" {
+ name = "SSMInstanceProfile"
+}
+
+# The Gitea Runner instance.
+resource "aws_instance" "this" {
+ ami = "ami-0adec96dc0cdc7bca"
+ instance_type = "t4g.nano"
+ subnet_id = data.aws_subnet.public.id
+
+ user_data = file("install.sh")
+ user_data_replace_on_change = true
+
+ iam_instance_profile = data.aws_iam_instance_profile.ssm.name
+
+ root_block_device {
+ volume_type = "gp3"
+ volume_size = 8
+ }
+
+ tags = {
+ Name = "Codebase: Runner"
+ }
+}
\ No newline at end of file
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
new file mode 100644
index 0000000..62aa936
--- /dev/null
+++ b/terraform/outputs.tf
@@ -0,0 +1,4 @@
+output "instance_id" {
+ value = aws_instance.this.id
+ description = "The instance ID of the Gitea instance."
+}
\ No newline at end of file
diff --git a/terraform/providers.tf b/terraform/providers.tf
new file mode 100644
index 0000000..d97d5b4
--- /dev/null
+++ b/terraform/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ # The backend is stored in an S3 bucket.
+ backend "s3" {}
+}
+
+# Access AWS through the IaC roles.
+provider "aws" {
+ region = var.aws_region
+ access_key = var.aws_access
+ secret_key = var.aws_secret
+}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..6565f7e
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,14 @@
+variable "aws_region" {
+ type = string
+ description = "The AWS region things are created in."
+}
+
+variable "aws_access" {
+ type = string
+ description = "The access key to generate the Gitea instance."
+}
+
+variable "aws_secret" {
+ type = string
+ description = "The access secret to generate the Gitea instance."
+}
\ No newline at end of file
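Review bot: `aws_instance.this` attaches an IAM instance profile but sets no `metadata_options`, so IMDSv1 stays reachable (instances launched without this setting typically default `http_tokens` to `optional`) and any SSRF or container escape on the runner can read the role's credentials with a single unauthenticated GET; requiring IMDSv2 and encrypting the root volume are small additions, shown below. No `vpc_security_group_ids` is set either, so the instance lands in the VPC default security group of a subnet tagged `Public`; an explicit group with egress only (SSM sessions need no inbound rule) would make the intended exposure visible in code. `file("install.sh")` resolves against the working directory rather than the module, so `file("${path.module}/install.sh")` is robust to running from elsewhere, and the bare `ami-0adec96dc0cdc7bca` is region-bound and unexplained — a comment naming the image (OS and arm64, since `t4g.nano` is Graviton) or an `aws_ami` data-source lookup would document it.

```hcl
resource "aws_instance" "this" {
  # … unchanged: ami, instance_type, subnet_id, user_data, user_data_replace_on_change, iam_instance_profile …

  # Require IMDSv2 so the instance-profile credentials cannot be read with a plain GET.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    volume_type = "gp3"
    volume_size = 8
    encrypted   = true
  }

  # … unchanged: tags …
}
```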
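Review bot: The description says "Gitea instance" while the resource it references is tagged `Codebase: Runner` and commented as the Gitea Runner in main.tf, so the output documents the wrong host; `description = "The instance ID of the Gitea Runner instance."`. The root Taskfile's `enter` task reads this value as `.instance_id.value` from the JSON written by `task tf:out`, so it is worth a comment that renaming this output silently breaks that task.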
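Review bot: Static `access_key`/`secret_key` in the `provider "aws"` block tie every run to a long-lived IAM user key kept in `variables.secret.json`; the provider can instead use the standard credential chain (a named profile or SSO) and, for the "IaC roles" the comment mentions, an `assume_role { role_arn = "<ROLE_ARN placeholder>" }` block, which also removes the need for the `aws_access`/`aws_secret` variables. `backend "s3" {}` relies entirely on `-backend-config=../config/backend.secret.json`; a comment listing the keys that file must provide (bucket, key, region, and the state-locking setting in use) would let a new contributor run `task tf:init` without reverse-engineering the Taskfile.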
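Review bot: `aws_access` and `aws_secret` are not marked `sensitive = true`, so their values can surface in plan/apply output and error messages; add `sensitive = true` to both variable blocks. Their descriptions also say "generate the Gitea instance" while the resource provisioned here is the runner, so `description = "The access key used to provision the runner instance."` (and the matching wording for the secret) keeps variables.tf consistent with main.tf.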