Moved off AWS. (#2)

- Instance in Hetzner. - Data stored in Backblaze B2. Reviewed-on: #2 Co-authored-by: M. V. Hutz <git@maximhutz.me> Co-committed-by: M. V. Hutz <git@maximhutz.me>
2025-09-12 00:07:17 +00:00
parent 23cf397581
commit 23120b9559
25 changed files with 517 additions and 611 deletions
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -2,23 +2,45 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/aws" {
-  version = "5.83.1"
+  version = "6.12.0"
  hashes = [
-    "h1:Yy3K7R7881H72rQDzG6qjZVkrWA6DGJzfE21TionY7w=",
-    "zh:0313253c78f195973752c4d1f62bfdd345a9c99c1bc7a612a8c1f1e27d51e49e",
-    "zh:108523f3e9ebc93f7d900c51681f6edbd3f3a56b8a62b0afc31d8214892f91e0",
-    "zh:175b9bf2a00bea6ac1c73796ad77b0e00dcbbde166235017c49377d7763861d8",
-    "zh:1c8bf55b8548bbad683cd6d7bdb03e8840a00b2422dc1529ffb9892820657130",
-    "zh:22338f09bae62d5ff646de00182417f992548da534fee7d98c5d0136d4bd5d7a",
-    "zh:92de1107ec43de60612be5f6255616f16a9cf82d88df1af1c0471b81f3a82c16",
+    "h1:8u90EMle+I3Auh4f/LPP6fEfRsAF6xCFnUZF4b7ngEs=",
+    "zh:054bcbf13c6ac9ddd2247876f82f9b56493e2f71d8c88baeec142386a395165d",
+    "zh:195489f16ad5621db2cec80be997d33060462a3b8d442c890bef3eceba34fa4d",
+    "zh:3461ef14904ab7de246296e44d24c042f3190e6bead3d7ce1d9fda63dcb0f047",
+    "zh:44517a0035996431e4127f45db5a84f53ce80730eae35629eda3101709df1e5c",
+    "zh:4b0374abaa6b9a9debed563380cc944873e4f30771dd1da7b9e812a49bf485e3",
+    "zh:531468b99465bd98a89a4ce2f1a30168dfadf6edb57f7836df8a977a2c4f9804",
+    "zh:6a95ed7b4852174aa748d3412bff3d45e4d7420d12659f981c3d9f4a1a59a35f",
+    "zh:88c2d21af1e64eed4a13dbb85590c66a519f3ecc54b72875d4bb6326f3ef84e7",
    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:9c7bfb7afea330e6d90e1466125a8cba3db1ed4043c5da52f737459c89290a6e",
-    "zh:ba59b374d477e5610674b70f5abfe0408e8f809390347372751384151440d3d0",
-    "zh:bd1c433966002f586d63cb1e3e16326991f238bc6beeb2352be36ec651917b0b",
-    "zh:ca2b4d1d02651c15261fffa4b142e45def9a22c6069353f0f663fd2046e268f8",
-    "zh:d8ed98c748f7a3f1a72277cfee9afe346aca39ab319d17402277852551d8f14a",
-    "zh:ed3d8bc89de5f35f3c5f4802ff7c749fda2e2be267f9af4a850694f099960a72",
-    "zh:f698732a4391c3f4d7079b4aaa52389da2a460cac5eed438ed688f147d603689",
-    "zh:f9f51b17f2978394954e9f6ab9ef293b8e11f1443117294ccf87f7f8212b3439",
+    "zh:a8b648470bb5df098e56b1ec5c6a39e0bbb7b496b23a19ea9f494bf48d4a122a",
+    "zh:b23fb13efdb527677db546bc92aeb2bdf64ff3f480188841f2bfdfa7d3d907c1",
+    "zh:be5858a1951ae5f5a9c388949c3e3c66a3375f684fb79b06b1d1db7a9703b18e",
+    "zh:c368e03a7c922493daf4c7348faafc45f455225815ef218b5491c46cea5f76b7",
+    "zh:e31e75d5d19b8ac08aa01be7e78207966e1faa3b82ed9fe3acfdc2d806be924c",
+    "zh:ea84182343b5fd9252a6fae41e844eed4fdc3311473a753b09f06e49ec0e7853",
+  ]
+}
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+  version     = "1.52.0"
+  constraints = "~> 1.45"
+  hashes = [
+    "h1:LTjrLuC+4F1Kv4TxS9e7LVVkG8/S4QQ7X4ORblvKTbc=",
+    "zh:1e9bb6b6a2ea5f441638dbae2d60fbe04ff455f58a18c740b8b7913e2197d875",
+    "zh:29c122e404ba331cfbadacc7f1294de5a31c9dfd60bdfe3e1b402271fc8e419c",
+    "zh:2bd0ae2f0bb9f16b7753f59a08e57ac7230f9c471278d7882f81406b9426c8c7",
+    "zh:4383206971873f6b5d81580a9a36e0158924f5816ebb6206b0cf2430e4e6a609",
+    "zh:47e2ca1cfa18500e4952ab51dc357a0450d00a92da9ea03e452f1f3efe6bbf75",
+    "zh:8e9fe90e3cea29bb7892b64da737642fc22b0106402df76c228a3cbe99663278",
+    "zh:a2d69350a69c471ddb63bcc74e105e585319a0fc0f4d1b7f70569f6d2ece5824",
+    "zh:a97abcc254e21c294e2d6b0fc9068acfd63614b097dda365f1c56ea8b0fd5f6b",
+    "zh:aba8d72d4fe2e89c922d5446d329e5c23d00b28227b4666e6486ba18ea2ec278",
+    "zh:ad36c333978c2d9e4bc43dcadcbff42fe771a8c5ef53d028bcacec8287bf78a7",
+    "zh:cdb1e6903b9d2f0ad8845d4eb390fbe724ee2435fb045baeab38d4319e637682",
+    "zh:df77b08757f3f36b8aadb33d73362320174047044414325c56a87983f48b5186",
+    "zh:e07513d5ad387247092b5ae1c87e21a387fc51873b3f38eee616187e38b090a7",
+    "zh:e2be02bdc59343ff4b9e26c3b93db7680aaf3e6ed13c8c4c4b144c74c2689915",
  ]
 }
--- a/terraform/Taskfile.yml
+++ b/terraform/Taskfile.yml
@@ -1,18 +0,0 @@
-version: 3
-silent: true
-
-vars:
-  BACKEND: ../config/backend.secret.json
-  VARIABLES: ../config/variables.secret.json
-  OUTPUT: ../config/infrastructure.secret.json
-
-tasks:
-  init: terraform init -backend-config={{.BACKEND}}
-  plan: terraform plan -var-file={{.VARIABLES}}
-  destroy: terraform destroy
-  format: terraform fmt -recursive
-  out: terraform output -json > {{.OUTPUT}}
-  apply: 
-    - terraform apply -var-file={{.VARIABLES}}
-    - task: out
-  import: terraform import -var-file={{.VARIABLES}} {{.CLI_ARGS}}
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -1,31 +0,0 @@
-data "aws_s3_bucket" "storage_bucket" {
-  bucket = var.boot_bucket
-}
-
-data "aws_iam_policy_document" "boot" {
-  statement {
-    effect  = "Allow"
-    actions = ["s3:*", "s3-object-lambda:*"]
-    resources = [
-      "${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}",
-      "${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}/*",
-    ]
-  }
-}
-
-resource "aws_iam_policy" "boot" {
-  name        = "${var.boot_role}Policy"
-  description = "The policy that manages the Gitea Boot."
-
-  policy = data.aws_iam_policy_document.boot.json
-}
-
-module "boot_user" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
-  version = "5.52.2"
-
-  create_iam_user_login_profile = false
-  name                          = "${var.boot_role}User"
-  password_reset_required       = false
-  policy_arns                   = [aws_iam_policy.boot.arn]
-}
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,43 +1,62 @@
-# An elastic IP, so if the reverse proxy is modified, the route tables won't.
-resource "aws_eip" "public" {
-  instance = aws_instance.this.id
-  domain   = "vpc"
+resource "hcloud_primary_ip" "public_ip" {
+  name          = "repository-public-ip"
+  datacenter    = local.datacenter
+  type          = "ipv4"
+  assignee_type = "server"
+  auto_delete   = false
 }

-# An instance profile for access via AWS SSM.
-resource "aws_iam_instance_profile" "ssm" {
-  name = "SSMInstanceProfile"
-  role = "AmazonSSMRoleForInstancesQuickSetup"
+resource "hcloud_ssh_key" "ssh_key" {
+  name       = "repository-ssh-key"
+  public_key = file(var.public_ssh_key_path)
 }

-# The Gitea instance.
-resource "aws_instance" "this" {
-  # ami           = data.aws_ami.amazon-linux-2.id
-  ami           = "ami-0adec96dc0cdc7bca"
-  instance_type = "t4g.nano"
-  subnet_id     = module.vpc.public_subnets[0]
+resource "hcloud_server" "server_instance" {
+  name        = "repository-server"
+  image       = local.server_image
+  server_type = local.server_type
+  datacenter  = local.datacenter
+  ssh_keys    = [hcloud_ssh_key.ssh_key.id]

-  user_data                   = file("install.sh")
-  user_data_replace_on_change = true
-
-  iam_instance_profile   = aws_iam_instance_profile.ssm.name
-  vpc_security_group_ids = [aws_security_group.public_access.id]
-  
-  metadata_options {
-    http_tokens = "required"
-  }
-
-  root_block_device {
-    volume_type = "gp3"
-    volume_size = 8
-  }
-
-  tags = {
-    Name = "Codebase: Gitea"
+  public_net {
+    ipv4_enabled = true
+    ipv4         = hcloud_primary_ip.public_ip.id
+    ipv6_enabled = false
  }
 }

-resource "aws_ec2_instance_state" "this" {
-  instance_id = aws_instance.this.id
-  state       = "running"
+resource "hcloud_firewall" "server_firewall" {
+  name = "repository-server-firewall"
+
+  # Allow ICMP.
+  rule {
+    direction  = "in"
+    protocol   = "icmp"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Allow all out.
+  rule {
+    direction       = "out"
+    protocol        = "tcp"
+    port            = "any"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Poke holes for applications, and SSH.
+  dynamic "rule" {
+    for_each = ["80", "443", "22", "2222"]
+
+    content {
+      direction  = "in"
+      protocol   = "tcp"
+      port       = rule.value
+      source_ips = ["0.0.0.0/0", "::/0"]
+    }
+  }
+}
+
+resource "hcloud_firewall_attachment" "server_fw_attachment" {
+  firewall_id = hcloud_firewall.server_firewall.id
+  server_ids  = [hcloud_server.server_instance.id]
 }
--- a/terraform/network.tf
+++ b/terraform/network.tf
@@ -1,55 +0,0 @@
-locals {
-  # The IP block for the VPC.
-  vpc_cidr = "10.0.0.0/16"
-}
-
-data "aws_availability_zones" "all" {}
-
-# The main VPC.
-module "vpc" {
-  source = "terraform-aws-modules/vpc/aws"
-
-  name = "Main"
-  cidr = local.vpc_cidr
-
-  azs             = [data.aws_availability_zones.all.names[0]]
-  private_subnets = [cidrsubnet(local.vpc_cidr, 8, 0)]
-  public_subnets  = [cidrsubnet(local.vpc_cidr, 8, 4)]
-
-  private_subnet_tags = { SubnetOf = "Main", SubnetType = "Private" }
-  public_subnet_tags  = { SubnetOf = "Main", SubnetType = "Public" }
-
-  map_public_ip_on_launch = true
-  enable_dns_hostnames    = true
-  enable_dns_support      = true
-
-  private_route_table_tags = { TableOf = "Main", TableType = "Public" }
-}
-
-# Only allow HTTP(s) and SSH traffic. Allow full access to internet.
-resource "aws_security_group" "public_access" {
-  vpc_id = module.vpc.vpc_id
-  tags = { GroupOf = "Main", GroupType = "Public" }
-}
-
-resource "aws_vpc_security_group_ingress_rule" "ingress" {
-  for_each = toset(["80", "443", "22", "2222", "81", "8080", "4321", "1234"])
-
-  security_group_id = aws_security_group.public_access.id
-
-  from_port   = each.value
-  to_port     = each.value
-  ip_protocol = "tcp"
-  cidr_ipv4   = "0.0.0.0/0"
-}
-
-resource "aws_vpc_security_group_egress_rule" "egress" {
-  for_each = toset(["-1"])
-
-  security_group_id = aws_security_group.public_access.id
-
-  from_port   = each.value
-  to_port     = each.value
-  ip_protocol = "-1"
-  cidr_ipv4   = "0.0.0.0/0"
-}
--- a/terraform/output.tf
+++ b/terraform/output.tf
@@ -1,33 +0,0 @@
-output "instance_id" {
-  value       = aws_instance.this.id
-  description = "The instance ID of the Gitea instance."
-}
-
-output "ip_address" {
-  value       = aws_instance.this.private_ip
-  description = "The Gitea IP address."
-}
-
-output "boot_region" {
-  value       = var.aws_region
-  description = "The region to manipulate the codebase repository boot."
-  sensitive   = true
-}
-
-output "boot_id" {
-  value       = module.boot_user.iam_access_key_id
-  description = "The access id to manipulate the codebase repository boot."
-  sensitive   = true
-}
-
-output "boot_secret" {
-  value       = module.boot_user.iam_access_key_secret
-  description = "The access secret to manipulate the codebase repository boot."
-  sensitive   = true
-}
-
-output "full_domain" {
-  value       = "${var.subdomain}.${var.domain}"
-  description = "The domain of the Gitea instance."
-  sensitive   = true
-}
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -0,0 +1,11 @@
+output "server_ip" {
+  description = "The public address of the server."
+  value = hcloud_server.server_instance.ipv4_address
+  sensitive = false
+}
+
+output "server_fqdn" {
+  description = "The public domain of the server."
+  value = "${local.subdomain}.${local.domain}"
+  sensitive = false
+}
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -1,11 +1,24 @@
 terraform {
-  # The backend is stored in an S3 bucket.
-  backend "s3" {}
+  backend "s3" {
+    skip_credentials_validation = true
+    skip_region_validation = true
+    skip_requesting_account_id = true
+  }
+
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "~> 1.45"
+    }
+  }
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
 }

-# Access AWS through the IaC roles.
 provider "aws" {
  region     = var.aws_region
-  access_key = var.aws_access
-  secret_key = var.aws_secret
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
 }
--- a/terraform/routing.tf
+++ b/terraform/routing.tf
@@ -1,13 +1,13 @@
 # The Route53 DNS zone.
 data "aws_route53_zone" "main" {
-  name = var.domain
+  name = local.domain
 }

 # Push all domain traffic through the reverse proxy.
 resource "aws_route53_record" "domain" {
  zone_id = data.aws_route53_zone.main.zone_id
-  name    = "${var.subdomain}.${data.aws_route53_zone.main.name}"
+  name    = "${local.subdomain}.${data.aws_route53_zone.main.name}"
  type    = "A"
  ttl     = "60"
-  records = [aws_eip.public.public_ip]
+  records = [hcloud_primary_ip.public_ip.ip_address]
 }
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,39 +1,39 @@
+locals {
+  datacenter = "fsn1-dc14"
+  server_type = "cx22"
+  server_image = "debian-12"
+
+  domain = "maximhutz.com"
+  subdomain = "git"
+}
+
+# ---------------------------------------------------------------------------- #
+
+variable "hcloud_token" {
+  sensitive = true
+  description = "The hCloud token used to access Hetzner resources."
+  type = string
+}
+
+variable "public_ssh_key_path" {
+  description = "The location of the public key used to access the repository server."
+  type = string
+}
+
 variable "aws_region" {
-  type        = string
-  description = "The AWS region things are created in."
+  description = "The region of the AWS account."
+  type = string
+  sensitive = true
 }

-variable "aws_access" {
-  type        = string
-  description = "The access key to generate the Gitea instance."
+variable "aws_access_key" {
+  description = "The access key of the account."
+  type = string
+  sensitive = true
 }

-variable "aws_secret" {
-  type        = string
-  description = "The access secret to generate the Gitea instance."
-}
-
-variable "boot_bucket" {
-  type        = string
-  description = "The name of the bucket to store the boot in."
-}
-
-variable "boot_key" {
-  type        = string
-  description = "The path that will hold the boot data."
-}
-
-variable "boot_role" {
-  type        = string
-  description = "The name of the role for boot access."
-}
-
-variable "domain" {
-  type        = string
-  description = "The name of the domain."
-}
-
-variable "subdomain" {
-  type        = string
-  description = "The name of the subdomain."
-}
+variable "aws_secret_key" {
+  description = "The secret key of the account."
+  type = string
+  sensitive = true
+}