From 31a8eafd6543da1769abeacb9851106c19683b49 Mon Sep 17 00:00:00 2001 From: "M. V. Hutz" Date: Thu, 11 Sep 2025 20:05:40 -0400 Subject: [PATCH] feat: new style in prod --- Taskfile.yml | 5 +- gitea/Dockerfile | 1 + gitea/config/app.ini | 6 +- gitea/config/dev.app.ini | 106 ----------------------------------- playbooks/deploy.yml | 32 +++++++++++ playbooks/restore.yml | 72 ++++++++++++++++++++++++ terraform/variables.tf | 2 +- vault.yml | 118 +++++++++++++++++++++------------------ 8 files changed, 175 insertions(+), 167 deletions(-) delete mode 100644 gitea/config/dev.app.ini create mode 100644 playbooks/restore.yml diff --git a/Taskfile.yml b/Taskfile.yml index 4cd1274..d25150a 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -2,8 +2,9 @@ version: 3 tasks: vault: ansible-vault edit vault.yml {{.CLI_ARGS}} - infra: ansible-playbook playbooks/provision.yml {{.CLI_ARGS}} - setup: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}} + provision: ansible-playbook playbooks/provision.yml {{.CLI_ARGS}} + deploy: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}} + restore: ansible-playbook playbooks/restore.yml {{.CLI_ARGS}} enter: cmd: ssh -i {{.KEY}} -p 2222 root@{{.IP}} diff --git a/gitea/Dockerfile b/gitea/Dockerfile index 17a78c1..0d7ffea 100644 --- a/gitea/Dockerfile +++ b/gitea/Dockerfile @@ -4,3 +4,4 @@ ADD --chown=git:git config /etc/gitea ADD --chown=git:git custom /etc/gitea-custom ENV GITEA_CUSTOM=/etc/gitea-custom +ENV BUCKET_KEY="" diff --git a/gitea/config/app.ini b/gitea/config/app.ini index 9c300d5..9648ad6 100644 --- a/gitea/config/app.ini +++ b/gitea/config/app.ini @@ -24,16 +24,12 @@ DISABLE_SSH = false START_SSH_SERVER = true SSH_PORT = 22 SSH_LISTEN_PORT = 22 -# SSH_DOMAIN = %(FULL_DOMAIN)s BUILTIN_SSH_SERVER_USER = git PROTOCOL=https ENABLE_ACME=true ACME_ACCEPTTOS=true ACME_DIRECTORY=https -# ACME_EMAIL=%(EMAIL)s -# DOMAIN = %(FULL_DOMAIN)s -# ROOT_URL = %(ROOT_URL)s HTTP_PORT = 443 [database] 
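Review bot: The new `ENV BUCKET_KEY=""` line declares a variable that nothing else in this patch reads — the per-tenant S3 prefixes are injected at deploy time as `GITEA__storage_*__MINIO_BASE_PATH` in playbooks/deploy.yml, and Gitea only honours `GITEA__`-prefixed overrides. If it is a leftover from an earlier approach it should be dropped; if it is intended as a placeholder, a comment such as `# S3 key prefix; supplied at run time only, never baked in via ARG` would make that clear. Anything set with ENV is persisted in the image config and visible through `docker inspect` and `docker history`, so a real value must only ever arrive through the container's runtime environment.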
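Review bot: With the commented `ACME_EMAIL`, `DOMAIN` and `ROOT_URL` lines removed, the `[server]` section now relies entirely on environment overrides, and while deploy.yml visibly sets `GITEA__server__DOMAIN` and `GITEA__server__ROOT_URL`, I cannot see `GITEA__server__ACME_EMAIL` anywhere in the patch. `ENABLE_ACME=true` with `ACME_ACCEPTTOS=true` and no contact address means certificate-expiry and revocation notices from the CA have nowhere to go. Either add that override in deploy.yml or record the contract here, e.g. `# DOMAIN, ROOT_URL and ACME_EMAIL are supplied as GITEA__server__* environment variables by playbooks/deploy.yml`. Dropping `SSH_DOMAIN` is fine only as long as the built-in SSH server is reachable on the same host as `DOMAIN`, which is what Gitea falls back to.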
@@ -98,4 +94,4 @@ DEFAULT_TRUST_MODEL = committer [storage] STORAGE_TYPE = minio MINIO_USE_SSL = true -MINIO_INSECURE_SKIP_VERIFY = false \ No newline at end of file +MINIO_INSECURE_SKIP_VERIFY = false diff --git a/gitea/config/dev.app.ini b/gitea/config/dev.app.ini deleted file mode 100644 index f17a670..0000000 --- a/gitea/config/dev.app.ini +++ /dev/null 
@@ -1,106 +0,0 @@ -APP_NAME = """Max's Code""" -RUN_USER = git -RUN_MODE = prod -WORK_PATH = /var/lib/gitea - -[ui] -DEFAULT_THEME = gitea-dark - -[repository] -ROOT = /var/lib/gitea/git/repositories - -[repository.local] -LOCAL_COPY_PATH = /tmp/gitea/local-repo - -[repository.upload] -TEMP_PATH = /tmp/gitea/uploads - -[server] -APP_DATA_PATH = /var/lib/gitea -LFS_START_SERVER = true -OFFLINE_MODE = true -LFS_JWT_SECRET = x-----------------------------------------x - -DISABLE_SSH = false -START_SSH_SERVER = true -SSH_PORT = 2222 -SSH_LISTEN_PORT = 2222 -SSH_DOMAIN = localhost -BUILTIN_SSH_SERVER_USER = git - -PROTOCOL = https -ROOT_URL = https://localhost:443/ -DOMAIN = localhost -HTTP_PORT = 443 -CERT_FILE = /etc/gitea-custom/cert.pem -KEY_FILE = /etc/gitea-custom/key.pem - -[database] -DB_TYPE = sqlite3 - -[session] -PROVIDER_CONFIG = /var/lib/gitea/data/sessions -PROVIDER = file - -[picture] -AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars -REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars - -[attachment] -PATH = /var/lib/gitea/data/attachments - -[log] -ROOT_PATH = /var/lib/gitea/data/log -MODE = console -LEVEL = info - -[security] -INSTALL_LOCK = true -SECRET_KEY = -REVERSE_PROXY_LIMIT = 1 -REVERSE_PROXY_TRUSTED_PROXIES = * -PASSWORD_HASH_ALGO = pbkdf2 -INTERNAL_TOKEN = x-----------------------------------------x - -[service] -DISABLE_REGISTRATION = true -REQUIRE_SIGNIN_VIEW = false -REGISTER_EMAIL_CONFIRM = false -ENABLE_NOTIFY_MAIL = false -ALLOW_ONLY_EXTERNAL_REGISTRATION = false -ENABLE_CAPTCHA = false -DEFAULT_KEEP_EMAIL_PRIVATE = false -DEFAULT_ALLOW_CREATE_ORGANIZATION = true -DEFAULT_ENABLE_TIMETRACKING = true -NO_REPLY_ADDRESS = noreply - -[lfs] -PATH = /var/lib/gitea/git/lfs - -[mailer] -ENABLED = false - -[openid] -ENABLE_OPENID_SIGNIN = false -ENABLE_OPENID_SIGNUP = false - -[cron.update_checker] -ENABLED = false - -[repository.pull-request] -DEFAULT_MERGE_STYLE = merge - -[repository.signing] -DEFAULT_TRUST_MODEL = committer - 
-[oauth2] -JWT_SECRET = x-----------------------------------------x - -[storage] -STORAGE_TYPE = minio -MINIO_ENDPOINT = localstack:4566 -MINIO_ACCESS_KEY_ID = test -MINIO_SECRET_ACCESS_KEY = test -MINIO_BUCKET = storage -MINIO_USE_SSL = false -MINIO_INSECURE_SKIP_VERIFY = true \ No newline at end of file diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml index 345c375..9b84b48 100644 --- a/playbooks/deploy.yml +++ b/playbooks/deploy.yml @@ -32,6 +32,8 @@ - name: Set up real host. gather_facts: false hosts: localhost + tags: + - deploy vars_files: - ../vault.yml - ../dist/terraform_outputs.yml @@ -51,6 +53,21 @@ - ../vault.yml - ../dist/terraform_outputs.yml tasks: + - name: Install PIP. + ansible.builtin.apt: + name: + - python3-pip + state: present + + - name: Install needed packages. + ansible.builtin.pip: + name: + - botocore + - boto3 + - packaging + state: present + break_system_packages: true + - name: Download Docker repository key. ansible.builtin.apt_key: url: https://download.docker.com/linux/debian/gpg @@ -92,6 +109,8 @@ - name: Deploy artifact to instance. hosts: server + tags: + - deploy gather_facts: false vars_files: - ../variables.yml @@ -129,6 +148,7 @@ memory_swap: 900m ports: [80:80, 443:443, "22:22"] env: + # Secrets. GITEA__security__INTERNAL_TOKEN: "{{ secret.internal }}" GITEA__server__LFS_JWT_SECRET: "{{ secret.lfs }}" GITEA__oauth2__JWT_SECRET: "{{ secret.jwt }}" 
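Review bot: The `Install needed packages.` task pulls `botocore`, `boto3` and `packaging` from PyPI unpinned, straight into the production host's system site-packages with `break_system_packages: true`, so each deploy can silently pick up a different, unreviewed version and can overwrite Debian-managed modules. The target image is `debian-12` (terraform/variables.tf), where the same libraries ship as signed distro packages; replacing the pip task with `ansible.builtin.apt: name: [python3-boto3, python3-botocore, python3-packaging]` avoids the PEP 668 override entirely and makes the preceding `Install PIP.` task unnecessary. If pip is kept, pin the versions (`boto3==<x.y.z>`) and add `update_cache: true` to the apt task so the install is reproducible. The enclosing play begins above this hunk.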
@@ -137,10 +157,22 @@ GITEA__server__DOMAIN: "{{ server_fqdn.value }}" GITEA__server__ROOT_URL: "https://{{ server_fqdn.value }}/" + # General S3 storage information. GITEA__storage__MINIO_BUCKET: "{{ secret.bucket.name }}" GITEA__storage__MINIO_ENDPOINT: "{{ secret.bucket.endpoint }}" GITEA__storage__MINIO_ACCESS_KEY_ID: "{{ secret.bucket.access_key }}" GITEA__storage__MINIO_SECRET_ACCESS_KEY: "{{ secret.bucket.secret_key }}" + + # Set storage to specific S3 bucket path. + GITEA__storage_0x2E_attachments__MINIO_BASE_PATH: "{{ secret.storage.key }}/attachments" + GITEA__storage_0x2E_lfs__MINIO_BASE_PATH: "{{ secret.storage.key }}/lfs" + GITEA__storage_0x2E_avatars__MINIO_BASE_PATH: "{{ secret.storage.key }}/avatars" + GITEA__storage_0x2E_repo_0X2D_archive___MINIO_BASE_PATH: "{{ secret.storage.key }}/repo-archive" + GITEA__storage_0x2E_repo_0X2D_avatars__MINIO_BASE_PATH: "{{ secret.storage.key }}/repo-avatars" + GITEA__storage_0x2E_packages__MINIO_BASE_PATH: "{{ secret.storage.key }}/packages" + GITEA__storage_0x2E_actions_log__MINIO_BASE_PATH: "{{ secret.storage.key }}/actions_log" + GITEA__storage_0x2E_actions_artifacts__MINIO_BASE_PATH: "{{ secret.storage.key }}/actions_artifacts" + labels: docker-volume-backup.stop-during-backup: "true" volumes: diff --git a/playbooks/restore.yml b/playbooks/restore.yml new file mode 100644 index 0000000..a7f1ab2 --- /dev/null +++ b/playbooks/restore.yml 
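Review bot: `GITEA__storage_0x2E_repo_0X2D_archive___MINIO_BASE_PATH` has three underscores between section and key, unlike every other line in the block; Gitea's environment-to-ini decoding splits at the first `__`, which would leave the key as `_MINIO_BASE_PATH` and silently skip the repo-archive path, so archives would land outside the `{{ secret.storage.key }}` prefix. It should read `GITEA__storage_0x2E_repo_0X2D_archive__MINIO_BASE_PATH: "{{ secret.storage.key }}/repo-archive"`. Since only `MINIO_BASE_PATH` is set per `[storage.*]` section, it is also worth confirming on the running instance (admin Configuration page) that each section inherits the endpoint and credentials from `[storage]` on the Gitea version deployed. The `env:` mapping begins above this hunk.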
@@ -0,0 +1,72 @@ +- name: Set up real host. + gather_facts: false + hosts: localhost + vars_files: + - ../vault.yml + - ../dist/terraform_outputs.yml + tasks: + - name: Add remote host. + ansible.builtin.add_host: + name: server + ansible_ssh_host: "{{ server_ip.value }}" + ansible_user: root + ansible_port: 2222 + ansible_private_key_file: "{{ secret.private_ssh_key_path }}" + +- name: Deploy artifact to instance. + hosts: server + become: true + gather_facts: false + vars_files: + - ../vault.yml + - ../dist/terraform_outputs.yml + tasks: + - name: Stop server. + community.docker.docker_container: + name: "{{ item }}" + state: stopped + loop: [server, backup] + + - name: Copy backup from S3. + amazon.aws.s3_object: + bucket: "{{ secret.restore.bucket | mandatory(msg='You must specify the bucket of the data.') }}" + object: "{{ secret.restore.key | mandatory(msg='You must specify the key of the data.') }}" + dest: /root/snapshot.tar.gz + mode: get + region: "{{ secret.restore.region }}" + access_key: "{{ secret.restore.access_key }}" + secret_key: "{{ secret.restore.secret_key }}" + ignore_nonexistent_bucket: true + + - name: Ensure backup directory exists. + ansible.builtin.file: + path: /root/restore + state: directory + mode: '0777' + + - name: Extract backup. + ansible.builtin.unarchive: + src: /root/snapshot.tar.gz + dest: /root/restore + remote_src: true + + - name: Move backup files to data folder. + ansible.builtin.copy: + remote_src: true + src: /root/restore/backup/my-app-backup/ + dest: /root/data/ + mode: '0777' + + - name: Update permissions. + ansible.builtin.file: + path: /root/data + recurse: true + mode: '0777' + owner: 1000 + group: 1000 + + - name: Restart containers. + community.docker.docker_container: + name: "{{ item }}" + state: started + loop: [server, backup] diff --git a/terraform/variables.tf b/terraform/variables.tf index ffb0085..dd91c42 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
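Review bot: The `Update permissions.` task applies `mode: '0777'` recursively to `/root/data`, so the restored repositories, SQLite database and session/LFS files become world-readable and world-writable for every user and container on the host, and every regular file gains the execute bit; the `Ensure backup directory exists.` and `Move backup files to data folder.` tasks do the same to the staging copy. The `owner: 1000`/`group: 1000` chown is what the container needs; the mode should be limited to that user, e.g. `mode: 'u=rwX,g=rX,o='` (capital `X` keeps directories traversable without marking files executable). The plaintext `/root/snapshot.tar.gz` and the extracted tree in `/root/restore` are never removed, leaving a second full copy of the data on the host after every restore, so a final cleanup task is needed. The second play is also still titled `Deploy artifact to instance.`, which will mislead anyone reading the run log.

```yaml
    # … unchanged: Stop server / Copy backup from S3 / Extract backup / Move backup files tasks …
    - name: Update permissions.
      ansible.builtin.file:
        path: /root/data
        recurse: true
        mode: 'u=rwX,g=rX,o='
        owner: 1000
        group: 1000

    - name: Remove plaintext snapshot and staging copy.
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop: [/root/snapshot.tar.gz, /root/restore]

    # … unchanged: Restart containers task …
```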
@@ -4,7 +4,7 @@ locals { server_image = "debian-12" domain = "maximhutz.com" - subdomain = "git2" + subdomain = "git" } # ---------------------------------------------------------------------------- # diff --git a/vault.yml b/vault.yml index 153e66d..daff56c 100644 --- a/vault.yml +++ b/vault.yml 
@@ -1,54 +1,66 @@ $ANSIBLE_VAULT;1.1;AES256 -38663938363539353464613331616136616331306165376535336636653164613838643438376565 -3961346438313132643166396662333536326264353935390a626235663065666266383132626164 -35306337636461626533343438633766303464363065653432303438666234626436663235376263 -3337616265643730640a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a376637613563303238373965356134 +30373861653832383462666231356163623231303637636539383166383039333562636434646334 +3433393163363562340a333962343636366234336239633032313166303163353165643762326464 +34353062323863666666666132663364633336623430373033623761613035666332323739313833 +38623639643539363639383339356231313431373437343430323237336539313939303139353534 +63616331353464613963323864626663396637313139646461356165643233306530303062666332 +36363636316335356434633439636434336666306466616231353135306538386334313937363765 +34333833626634383734396638646530393233623937396335313637333764313736383032333734 +64373966643030623331663139363034343536373830353338356335356338633638393862386230 +39336533656465366534306465396536613334333632643937316130303338626331386537343331 +64363966323561326262376631356261613231343335393233366231373631663635376234346164 +38303432386336643566363731386664376239666530336232666532616264353537353738636464 +64616364353730653831616335656532663336666339653337646133316661373038326164373235 +30653836336338333932303539393632326164623538303066353934623831376533333964346561 +61323137373837376161653730386637663336623130366639356130626338663764366661616163 +38356235386461366362396337646239633663303261616536386134663866333132613166373162 +33616663316566623665666464356135393932366663663932366235643336343434633731646665 +63323963366662346436393933643032653330313430633339613262306430306332326364343135 +37393764363338656639393333623835626135323434376338656663386662643339643135653938 +37396133373436353566646437633630373931643533383133343266626431393761646633666161 
+66313365373537386332396562613531346634376266653631343934356134643463633566373162 +30633933636136663339316136333036386237346163646638393533336362363735623130623862 +38623666383461363564326462326239303838623533393034383831366631396530343037636532 +38366162396663653930633866303538353232656330643966386134316364313538646564313565 +61313732343330336436393963643164303139373036303437393336313738336138306438393364 +65623331663464626462316538663134346231643163356638383631623862313066343965376235 +65613736643163663238316532623638343062633564333865623264356362663433333734383365 +61373432656362343762333561376639396632386530353762303664373733656366343733613262 +62313562323938356563323939316131646239313432626261353431626661613235363566393038 +63656634383230316463363036306433366334643235656561613031653331333038323133653562 +61393034663030663432376331383236626639613663343662323639316331653432383036393130 +35376438333235336461313435316232373963613934323233613431643530646661666135613064 +34313431613164333761643965373939353864333234353136386637326536336266363733343332 +63393539353234343835633639333163386633326163623966343634346265623430326233353734 +61373339393264383038383564346462396362333132346632396534346134613038316231613966 +30636637626531343636376161326434336430386537646333353139353131363461613639646162 +31346538326138366663623439393764653237386564653666396338623435386639623239373438 +31616237343731623634643965386535663939356363653934343362633735353532353662396331 +39373639346336653739613162626537636663376163343831623762643765346535636565376463 +32366361373730376462356332363766376136613562613331386134633264613862383061343462 +38316637336437336637393030613933393633666332353533646362663661313930376337396234 +64636162343130326630366261356263363130663439393539363236343461343436316330663265 +32616665366664303038333966373835646130343237646464353362346132653331303634643165 +31393530373464653066643435343137313937326633653136623462363330343932383939626538 
+61663137623931353166616639636635616232306161643432623563643633333739646336356236 +30663463303362396331396630623063646365373839333837333832643231396130636461636537 +35653937363434393331303065326137373931633231323861666632393762353162313635393830 +32666366376638383632666130353438316231313763323833663836663262646135633763376334 +64636531653937303136373063336430303536316636343835396532383164623539653966343865 +64316236656164653936613139643061323264333861623833383061386362333934373535633565 +37623065636437626165646261343265613234373963386134616632396433376162306432633038 +37356135663862363930303834303166333236643864383166333365313131333438373633653631 +35613639343638356135356537626231663661623364313837393065363031616661613032306462 +32653664373334636561613132336631613561363638666465393930336533333962383062316231 +35633535643836323131656337366139313864343632616266363666646130316532336465633562 +35326562633539386238613834656665306365643466356235326536383065623239653235653236 +34356636623263343932336266336664303362613537666630343935313362666466393134653262 +66396561363463646237363638336539663261626534363531636330386136623463366432313335 +36343236613863383139353461313562303534613166353866636262623866383736303262626438 +39353762303831353238323538626635393365363132646563626535613362326662653631663935 +35636134343266626162316135316533346331663634366630633437363531313732313161306665 +35336336323438613865396363363434663461646238346565336233363738666437323235336365 +37316561386137353338643561656262336336373736393939363039663731343636366435633162 +38383564663438303964643563613338306363623831613432333439386165303965