Moved off AWS. (#2)

- Instance in Hetzner. - Data stored in Backblaze B2. Reviewed-on: #2 Co-authored-by: M. V. Hutz <git@maximhutz.me> Co-committed-by: M. V. Hutz <git@maximhutz.me>
2025-09-12 00:07:17 +00:00
parent 23cf397581
commit 23120b9559
25 changed files with 517 additions and 611 deletions
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,43 +1,62 @@
-# An elastic IP, so if the reverse proxy is modified, the route tables won't.
-resource "aws_eip" "public" {
-  instance = aws_instance.this.id
-  domain   = "vpc"
+resource "hcloud_primary_ip" "public_ip" {
+  name          = "repository-public-ip"
+  datacenter    = local.datacenter
+  type          = "ipv4"
+  assignee_type = "server"
+  auto_delete   = false
 }

-# An instance profile for access via AWS SSM.
-resource "aws_iam_instance_profile" "ssm" {
-  name = "SSMInstanceProfile"
-  role = "AmazonSSMRoleForInstancesQuickSetup"
+resource "hcloud_ssh_key" "ssh_key" {
+  name       = "repository-ssh-key"
+  public_key = file(var.public_ssh_key_path)
 }

-# The Gitea instance.
-resource "aws_instance" "this" {
-  # ami           = data.aws_ami.amazon-linux-2.id
-  ami           = "ami-0adec96dc0cdc7bca"
-  instance_type = "t4g.nano"
-  subnet_id     = module.vpc.public_subnets[0]
+resource "hcloud_server" "server_instance" {
+  name        = "repository-server"
+  image       = local.server_image
+  server_type = local.server_type
+  datacenter  = local.datacenter
+  ssh_keys    = [hcloud_ssh_key.ssh_key.id]

-  user_data                   = file("install.sh")
-  user_data_replace_on_change = true
-
-  iam_instance_profile   = aws_iam_instance_profile.ssm.name
-  vpc_security_group_ids = [aws_security_group.public_access.id]
-  
-  metadata_options {
-    http_tokens = "required"
-  }
-
-  root_block_device {
-    volume_type = "gp3"
-    volume_size = 8
-  }
-
-  tags = {
-    Name = "Codebase: Gitea"
+  public_net {
+    ipv4_enabled = true
+    ipv4         = hcloud_primary_ip.public_ip.id
+    ipv6_enabled = false
  }
 }

-resource "aws_ec2_instance_state" "this" {
-  instance_id = aws_instance.this.id
-  state       = "running"
+resource "hcloud_firewall" "server_firewall" {
+  name = "repository-server-firewall"
+
+  # Allow ICMP.
+  rule {
+    direction  = "in"
+    protocol   = "icmp"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Allow all out.
+  rule {
+    direction       = "out"
+    protocol        = "tcp"
+    port            = "any"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Poke holes for applications, and SSH.
+  dynamic "rule" {
+    for_each = ["80", "443", "22", "2222"]
+
+    content {
+      direction  = "in"
+      protocol   = "tcp"
+      port       = rule.value
+      source_ips = ["0.0.0.0/0", "::/0"]
+    }
+  }
+}
+
+resource "hcloud_firewall_attachment" "server_fw_attachment" {
+  firewall_id = hcloud_firewall.server_firewall.id
+  server_ids  = [hcloud_server.server_instance.id]
 }