feat: added config edit to taskfile

2025-06-22 03:47:54 -04:00
parent 80270b9a93
commit 06646e7ec7
11 changed files with 3 additions and 306 deletions


@@ -11,11 +11,6 @@ tasks:
deploy:fast: ansible-playbook playbooks/fast.yml deploy:fast: ansible-playbook playbooks/fast.yml
deploy:slow: ansible-playbook playbooks/slow.yml deploy:slow: ansible-playbook playbooks/slow.yml
deploy:restore: ansible-playbook playbooks/restore.yml -e "restore_bucket={{.BUCKET}} restore_key={{.KEY}}" deploy:restore: ansible-playbook playbooks/restore.yml -e "restore_bucket={{.BUCKET}} restore_key={{.KEY}}"
enter: vault: ansible-vault edit vault.yml
cmd: aws ssm start-session --target $INSTANCE_ID inventory: ansible-vault edit inventory.ini
env:
INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.json }
AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json }
AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json }
AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json }
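Review bot: The two new tasks (`vault: ansible-vault edit vault.yml` and `inventory: ansible-vault edit inventory.ini`, printed fused with the removed `enter`/`cmd` lines in this rendering, so their side is inferred from the 3-addition count) carry no description and say nothing about where the vault password comes from; `ansible-vault edit` prompts for it on every run unless `ANSIBLE_VAULT_PASSWORD_FILE` or a `--vault-password-file` option is set, which a maintainer cannot tell from these one-liners. Suggest the long form with a `desc:`, e.g. `vault: { desc: "Edit the encrypted Ansible vault (prompts for the vault password)", cmd: ansible-vault edit vault.yml }` and the same for `inventory`. Because both commands open an interactive editor, it may also be worth declaring `interactive: true` on them if the Taskfile ever uses a non-interleaved `output:` mode, though whether that matters here cannot be confirmed from the hunk. The enclosing `tasks:` block starts above the hunk at line 11.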


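--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,24 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-provider "registry.terraform.io/hashicorp/aws" {
-version = "5.83.1"
-hashes = [
-"h1:Yy3K7R7881H72rQDzG6qjZVkrWA6DGJzfE21TionY7w=",
-"zh:0313253c78f195973752c4d1f62bfdd345a9c99c1bc7a612a8c1f1e27d51e49e",
-"zh:108523f3e9ebc93f7d900c51681f6edbd3f3a56b8a62b0afc31d8214892f91e0",
-"zh:175b9bf2a00bea6ac1c73796ad77b0e00dcbbde166235017c49377d7763861d8",
-"zh:1c8bf55b8548bbad683cd6d7bdb03e8840a00b2422dc1529ffb9892820657130",
-"zh:22338f09bae62d5ff646de00182417f992548da534fee7d98c5d0136d4bd5d7a",
-"zh:92de1107ec43de60612be5f6255616f16a9cf82d88df1af1c0471b81f3a82c16",
-"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-"zh:9c7bfb7afea330e6d90e1466125a8cba3db1ed4043c5da52f737459c89290a6e",
-"zh:ba59b374d477e5610674b70f5abfe0408e8f809390347372751384151440d3d0",
-"zh:bd1c433966002f586d63cb1e3e16326991f238bc6beeb2352be36ec651917b0b",
-"zh:ca2b4d1d02651c15261fffa4b142e45def9a22c6069353f0f663fd2046e268f8",
-"zh:d8ed98c748f7a3f1a72277cfee9afe346aca39ab319d17402277852551d8f14a",
-"zh:ed3d8bc89de5f35f3c5f4802ff7c749fda2e2be267f9af4a850694f099960a72",
-"zh:f698732a4391c3f4d7079b4aaa52389da2a460cac5eed438ed688f147d603689",
-"zh:f9f51b17f2978394954e9f6ab9ef293b8e11f1443117294ccf87f7f8212b3439",
-]
-}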


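--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,18 +0,0 @@
-version: 3
-silent: true
-vars:
-BACKEND: ../config/backend.secret.json
-VARIABLES: ../config/variables.secret.json
-OUTPUT: ../config/infrastructure.secret.json
-tasks:
-init: terraform init -backend-config={{.BACKEND}}
-plan: terraform plan -var-file={{.VARIABLES}}
-destroy: terraform destroy
-format: terraform fmt -recursive
-out: terraform output -json > {{.OUTPUT}}
-apply:
-- terraform apply -var-file={{.VARIABLES}}
-- task: out
-import: terraform import -var-file={{.VARIABLES}} {{.CLI_ARGS}}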


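--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,31 +0,0 @@
-data "aws_s3_bucket" "storage_bucket" {
-bucket = var.boot_bucket
-}
-data "aws_iam_policy_document" "boot" {
-statement {
-effect = "Allow"
-actions = ["s3:*", "s3-object-lambda:*"]
-resources = [
-"${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}",
-"${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}/*",
-]
-}
-}
-resource "aws_iam_policy" "boot" {
-name = "${var.boot_role}Policy"
-description = "The policy that manages the Gitea Boot."
-policy = data.aws_iam_policy_document.boot.json
-}
-module "boot_user" {
-source = "terraform-aws-modules/iam/aws//modules/iam-user"
-version = "5.52.2"
-create_iam_user_login_profile = false
-name = "${var.boot_role}User"
-password_reset_required = false
-policy_arns = [aws_iam_policy.boot.arn]
-}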


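--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-## Install extras.
-rpm --rebuilddb
-amazon-linux-extras install docker ansible2 python3.8 -y
-# Make Docker work.
-systemctl enable docker
-systemctl start docker
-# Set up the correct version of Python (for Ansible).
-ln -sf /usr/bin/python3.8 /usr/bin/python3
-ln -sf /usr/bin/pip3.8 /usr/bin/pip3
-pip3 install botocore boto3 requests packaging --user ssm-user
-python3 -m pip install -U pip
-# Add some swap space.
-dd if=/dev/zero of=/swapfile bs=128M count=8
-chmod 600 /swapfile
-mkswap /swapfile
-swapon /swapfile
-# Stop SSH (because we have SSM.)
-service sshd stop
-# Install Docker Compose.
-curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-chmod +x /usr/local/bin/docker-compose
-# ERROR: SSM User not created yet.
-sudo usermod -aG docker ssm-user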


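--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,43 +0,0 @@
-# An elastic IP, so if the reverse proxy is modified, the route tables won't.
-resource "aws_eip" "public" {
-instance = aws_instance.this.id
-domain = "vpc"
-}
-# An instance profile for access via AWS SSM.
-resource "aws_iam_instance_profile" "ssm" {
-name = "SSMInstanceProfile"
-role = "AmazonSSMRoleForInstancesQuickSetup"
-}
-# The Gitea instance.
-resource "aws_instance" "this" {
-# ami = data.aws_ami.amazon-linux-2.id
-ami = "ami-0adec96dc0cdc7bca"
-instance_type = "t4g.nano"
-subnet_id = module.vpc.public_subnets[0]
-user_data = file("install.sh")
-user_data_replace_on_change = true
-iam_instance_profile = aws_iam_instance_profile.ssm.name
-vpc_security_group_ids = [aws_security_group.public_access.id]
-metadata_options {
-http_tokens = "required"
-}
-root_block_device {
-volume_type = "gp3"
-volume_size = 8
-}
-tags = {
-Name = "Codebase: Gitea"
-}
-}
-resource "aws_ec2_instance_state" "this" {
-instance_id = aws_instance.this.id
-state = "running"
-}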


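--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,55 +0,0 @@
-locals {
-# The IP block for the VPC.
-vpc_cidr = "10.0.0.0/16"
-}
-data "aws_availability_zones" "all" {}
-# The main VPC.
-module "vpc" {
-source = "terraform-aws-modules/vpc/aws"
-name = "Main"
-cidr = local.vpc_cidr
-azs = [data.aws_availability_zones.all.names[0]]
-private_subnets = [cidrsubnet(local.vpc_cidr, 8, 0)]
-public_subnets = [cidrsubnet(local.vpc_cidr, 8, 4)]
-private_subnet_tags = { SubnetOf = "Main", SubnetType = "Private" }
-public_subnet_tags = { SubnetOf = "Main", SubnetType = "Public" }
-map_public_ip_on_launch = true
-enable_dns_hostnames = true
-enable_dns_support = true
-private_route_table_tags = { TableOf = "Main", TableType = "Public" }
-}
-# Only allow HTTP(s) and SSH traffic. Allow full access to internet.
-resource "aws_security_group" "public_access" {
-vpc_id = module.vpc.vpc_id
-tags = { GroupOf = "Main", GroupType = "Public" }
-}
-resource "aws_vpc_security_group_ingress_rule" "ingress" {
-for_each = toset(["80", "443", "22", "2222", "81", "8080", "4321", "1234"])
-security_group_id = aws_security_group.public_access.id
-from_port = each.value
-to_port = each.value
-ip_protocol = "tcp"
-cidr_ipv4 = "0.0.0.0/0"
-}
-resource "aws_vpc_security_group_egress_rule" "egress" {
-for_each = toset(["-1"])
-security_group_id = aws_security_group.public_access.id
-from_port = each.value
-to_port = each.value
-ip_protocol = "-1"
-cidr_ipv4 = "0.0.0.0/0"
-}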


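--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,33 +0,0 @@
-output "instance_id" {
-value = aws_instance.this.id
-description = "The instance ID of the Gitea instance."
-}
-output "ip_address" {
-value = aws_instance.this.private_ip
-description = "The Gitea IP address."
-}
-output "boot_region" {
-value = var.aws_region
-description = "The region to manipulate the codebase repository boot."
-sensitive = true
-}
-output "boot_id" {
-value = module.boot_user.iam_access_key_id
-description = "The access id to manipulate the codebase repository boot."
-sensitive = true
-}
-output "boot_secret" {
-value = module.boot_user.iam_access_key_secret
-description = "The access secret to manipulate the codebase repository boot."
-sensitive = true
-}
-output "full_domain" {
-value = "${var.subdomain}.${var.domain}"
-description = "The domain of the Gitea instance."
-sensitive = true
-}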


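--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,11 +0,0 @@
-terraform {
-# The backend is stored in an S3 bucket.
-backend "s3" {}
-}
-# Access AWS through the IaC roles.
-provider "aws" {
-region = var.aws_region
-access_key = var.aws_access
-secret_key = var.aws_secret
-}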


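--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,13 +0,0 @@
-# The Route53 DNS zone.
-data "aws_route53_zone" "main" {
-name = var.domain
-}
-# Push all domain traffic through the reverse proxy.
-resource "aws_route53_record" "domain" {
-zone_id = data.aws_route53_zone.main.zone_id
-name = "${var.subdomain}.${data.aws_route53_zone.main.name}"
-type = "A"
-ttl = "60"
-records = [aws_eip.public.public_ip]
-}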


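--- a/<PATH not shown on page>
+++ /dev/null
@@ -1,39 +0,0 @@
-variable "aws_region" {
-type = string
-description = "The AWS region things are created in."
-}
-variable "aws_access" {
-type = string
-description = "The access key to generate the Gitea instance."
-}
-variable "aws_secret" {
-type = string
-description = "The access secret to generate the Gitea instance."
-}
-variable "boot_bucket" {
-type = string
-description = "The name of the bucket to store the boot in."
-}
-variable "boot_key" {
-type = string
-description = "The path that will hold the boot data."
-}
-variable "boot_role" {
-type = string
-description = "The name of the role for boot access."
-}
-variable "domain" {
-type = string
-description = "The name of the domain."
-}
-variable "subdomain" {
-type = string
-description = "The name of the subdomain."
-}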