From 4c13b3d2cb384a9a0dafca07cc6b3a82cbe57612 Mon Sep 17 00:00:00 2001 From: "M. V. Hutz" Date: Sat, 6 Sep 2025 20:08:05 -0400 Subject: [PATCH] feat: hetz cloud server provisioned --- .gitignore | 3 +- Taskfile.yml | 23 +------ playbooks/fast.yml | 91 ------------------------- playbooks/infrastructure.yml | 38 +++++++++++ playbooks/restore.yml | 66 ------------------- playbooks/slow.yml | 121 ---------------------------------- terraform/.terraform.lock.hcl | 36 +++++----- terraform/Taskfile.yml | 18 ----- terraform/iam.tf | 31 --------- terraform/main.tf | 57 ++++++---------- terraform/network.tf | 55 ---------------- terraform/output.tf | 33 ---------- terraform/providers.tf | 23 ++++--- terraform/routing.tf | 13 ---- terraform/variables.tf | 47 ++++--------- vault.yml | 31 +++++++-- 16 files changed, 132 insertions(+), 554 deletions(-) delete mode 100644 playbooks/fast.yml create mode 100644 playbooks/infrastructure.yml delete mode 100644 playbooks/restore.yml delete mode 100644 playbooks/slow.yml delete mode 100644 terraform/Taskfile.yml delete mode 100644 terraform/iam.tf delete mode 100644 terraform/network.tf delete mode 100644 terraform/output.tf delete mode 100644 terraform/routing.tf diff --git a/.gitignore b/.gitignore index 59c0721..723861c 100644 --- a/.gitignore +++ b/.gitignore @@ -213,4 +213,5 @@ cython_debug/ *secret* .vscode .DS_Store -*.key \ No newline at end of file +*.key +*.out \ No newline at end of file diff --git a/Taskfile.yml b/Taskfile.yml index e11db9c..f553a65 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
@@ -1,24 +1,5 @@ version: 3 -# includes: -# tf: { taskfile: terraform, dir: terraform } - -# tasks: -# dev: -# - docker compose -f compose.dev.yml rm -fsv -# - docker compose -f compose.dev.yml up --build --force-recreate --no-deps - -# deploy:fast: ansible-playbook playbooks/fast.yml -# deploy:slow: ansible-playbook playbooks/slow.yml -# deploy:restore: ansible-playbook playbooks/restore.yml -e "restore_bucket={{.BUCKET}} restore_key={{.KEY}}" - -# enter: -# cmd: aws ssm start-session --target $INSTANCE_ID -# env: -# INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.json } -# AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json } -# AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json } -# AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json } - tasks: - vault:edit: ansible-vault edit vault.yml \ No newline at end of file + vault: ansible-vault edit vault.yml + infra: ansible-playbook playbooks/infrastructure.yml \ No newline at end of file diff --git a/playbooks/fast.yml b/playbooks/fast.yml deleted file mode 100644 index cbc46f7..0000000 --- a/playbooks/fast.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -- name: Make build artifact. - hosts: localhost - vars_files: - - ../config/ansible.secret.json - - ../config/infrastructure.secret.json - gather_facts: false - tasks: - - name: Log into Docker. - community.docker.docker_login: - registry_url: '{{ full_domain.value }}' - username: '{{ username }}' - password: '{{ api_key }}' - reauthorize: true - - - name: Build image. - community.docker.docker_image_build: - name: "{{ full_domain.value }}/{{ image_name }}:latest" - path: ../gitea - nocache: true - rebuild: always - pull: true - outputs: [{ type: image, push: true }] - platform: - - linux/amd64 - - linux/arm64/v8 - - - name: Log out of Docker. - community.docker.docker_login: - state: absent - -- name: Deploy artifact to instance. - hosts: localhost - become: true - gather_facts: false - vars_files: - - ../config/ansible.secret.json - - ../config/infrastructure.secret.json - vars: - ansible_connection: aws_ssm - ansible_aws_ssm_plugin: "{{ ssm_plugin }}" - ansible_aws_ssm_bucket_name: "{{ image_bucket }}" - ansible_aws_ssm_instance_id: "{{ instance_id.value }}" - ansible_python_interpreter: /usr/bin/python3 - ansible_aws_ssm_region: "{{ aws_region }}" - ansible_aws_ssm_access_key_id: "{{ aws_access_key }}" - ansible_aws_ssm_secret_access_key: "{{ aws_secret_key }}" - tasks: - - name: Run image. 
- community.docker.docker_container: - name: server - image: "{{ full_domain.value }}/{{ image_name }}:latest" - state: started - recreate: true - restart_policy: unless-stopped - memory: 425m - memory_swap: 900m - ports: [80:80, 2222:2222, 443:443, "22:22"] - env: - GITEA__security__INTERNAL_TOKEN: "{{ internal_secret }}" - GITEA__server__LFS_JWT_SECRET: "{{ lfs_secret }}" - GITEA__oauth2__JWT_SECRET: "{{ jwt_secret }}" - GITEA__server__ACME_EMAIL: "{{ email }}" - GITEA__server__SSH_DOMAIN: "{{ full_domain.value }}" - GITEA__server__DOMAIN: "{{ full_domain.value }}" - GITEA__server__ROOT_URL: "https://{{ full_domain.value }}/" - GITEA__storage__MINIO_ACCESS_KEY_ID: "{{ minio_access_key }}" - GITEA__storage__MINIO_SECRET_ACCESS_KEY: "{{ minio_secret_key }}" - labels: - docker-volume-backup.stop-during-backup: "true" - volumes: - - /home/ssm-user/data:/var/lib/gitea - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - - - name: Run backup. - community.docker.docker_container: - name: backup - image: offen/docker-volume-backup:v2 - state: started - recreate: true - restart_policy: unless-stopped - volumes: - - /home/ssm-user/data:/backup/my-app-backup:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - env: - AWS_S3_BUCKET_NAME: "{{ boot_bucket }}" - AWS_S3_PATH: "{{ boot_key }}" - AWS_REGION: "{{ boot_region.value }}" - AWS_ACCESS_KEY_ID: "{{ boot_id.value }}" - AWS_SECRET_ACCESS_KEY: "{{ boot_secret.value }}" - BACKUP_CRON_EXPRESSION: "0 0 * * *" diff --git a/playbooks/infrastructure.yml b/playbooks/infrastructure.yml new file mode 100644 index 0000000..4f4ba12 --- /dev/null +++ b/playbooks/infrastructure.yml 
@@ -0,0 +1,38 @@
+- name: Deploy terraform infrastructure.
+ hosts: localhost
+ gather_facts: false
+ vars_files:
+ - ../vault.yml
+ tasks:
+ - name: Reconfigure and plan.
+ community.general.terraform:
+ project_path: '../terraform'
+ state: "planned"
+ plan_file: plan.out
+ # init_reconfigure: true
+ backend_config: "{{ terraform.backend }}"
+ variables: "{{ terraform.variables }}"
+ complex_vars: true
+
+ - name: Apply.
+ community.general.terraform:
+ project_path: '../terraform'
+ state: "present"
+ plan_file: plan.out
+ backend_config: "{{ terraform.backend }}"
+ variables: "{{ terraform.variables }}"
+ complex_vars: true
+ register: terraform_apply
+
+ - name: Create secret directory.
+ ansible.builtin.file:
+ path: ../secret
+ recurse: true
+ mode: "0755"
+ state: directory
+
+ - name: Send outputs to file.
+ ansible.builtin.copy:
+ content: "{{ terraform_apply.outputs }}"
+ dest: ../secret/terraform_outputs.yml
+ mode: '0755'
diff --git a/playbooks/restore.yml b/playbooks/restore.yml
deleted file mode 100644
index e0a848f..0000000
--- a/playbooks/restore.yml
+++ /dev/null
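Review bot: The outputs file written by the last task (`dest: ../secret/terraform_outputs.yml`) gets `mode: '0755'`, which leaves whatever Terraform reports world-readable and executable; `mode: "0600"` for the file and `mode: "0700"` for the `../secret` directory created two tasks earlier are the usual choices for a directory literally named secret, and `recurse: true` on that directory task will also re-mode anything already inside it, which is probably not intended. The saved plan (`plan_file: plan.out`) stays on disk after the apply task, and a Terraform plan file embeds the variable values it was planned with, so the `terraform.variables` taken from the vault — presumably including the `hcloud_token` declared in variables.tf — end up in cleartext there; the `*.out` entry added to .gitignore keeps it out of the repository but does not delete it, so a closing cleanup task (below) is worth adding. Note also that `terraform/output.tf` is removed in this same commit, so unless outputs are defined in a file not shown here, `terraform_apply.outputs` is empty and the last two tasks write an empty mapping.
```yaml
# … unchanged: plan, apply, secret directory (mode "0700"), outputs file (mode "0600") …
  - name: Remove saved plan.
    ansible.builtin.file:
      path: ../terraform/plan.out
      state: absent
```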
@@ -1,66 +0,0 @@ -- name: Deploy artifact to instance. - hosts: localhost - become: true - gather_facts: false - vars_files: - - ../config/ansible.secret.json - - ../config/infrastructure.secret.json - vars: - ansible_connection: aws_ssm - ansible_python_interpreter: /usr/bin/python3 - ansible_aws_ssm_plugin: "{{ ssm_plugin }}" - ansible_aws_ssm_bucket_name: "{{ image_bucket }}" - ansible_aws_ssm_instance_id: "{{ instance_id.value }}" - ansible_aws_ssm_region: "{{ aws_region }}" - ansible_aws_ssm_access_key_id: "{{ aws_access_key }}" - ansible_aws_ssm_secret_access_key: "{{ aws_secret_key }}" - tasks: - - name: Stop server. - community.docker.docker_container: - name: "{{ item }}" - state: stopped - loop: [server, backup] - - - name: Copy backup from S3. - environment: - region: "{{ boot_region.value }}" - access_key: "{{ boot_id.value }}" - secret_key: "{{ boot_secret.value }}" - amazon.aws.s3_object: - bucket: "{{ restore_bucket | mandatory(msg='You must specify the bucket of the data.') }}" - object: "{{ restore_key | mandatory(msg='You must specify the key of the data.') }}" - dest: /home/ssm-user/backup.tar.gz - mode: get - - - name: Ensure backup directory exists. - ansible.builtin.file: - path: /home/ssm-user/backup - state: directory - mode: '0777' - - - name: Extract backup. - ansible.builtin.unarchive: - src: /home/ssm-user/backup.tar.gz - dest: /home/ssm-user/backup - remote_src: true - - - name: Move backup files to data folder. - ansible.builtin.copy: - remote_src: true - src: /home/ssm-user/backup/backup/my-app-backup/ - dest: /home/ssm-user/data/ - mode: '0777' - - - name: Update permissions. - ansible.builtin.file: - path: /home/ssm-user/data - recurse: true - mode: '0777' - owner: 1000 - group: 1000 - - - name: Restart containers. - community.docker.docker_container: - name: "{{ item }}" - state: started - loop: [server, backup] diff --git a/playbooks/slow.yml b/playbooks/slow.yml deleted file mode 100644 index f851fb0..0000000 
--- a/playbooks/slow.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -- name: Make build artifact. - hosts: localhost - vars_files: ../config/ansible.secret.json - gather_facts: false - tasks: - - name: Build image. - community.docker.docker_image_build: - name: "{{ image_name }}" - path: ../gitea - nocache: true - rebuild: always - pull: true - - - name: Push image to archive. - community.docker.docker_image: - name: "{{ image_name }}" - archive_path: ../dist/image.tar - source: local - - - name: Compress archive to artifact. - register: compress_image - community.general.archive: - path: ../dist/image.tar - dest: ../dist/image.tar.xz - format: xz - mode: "0644" - - - name: Push artifact to S3. - amazon.aws.s3_object: - bucket: "{{ image_bucket }}" - object: "{{ image_key }}" - src: ../dist/image.tar.xz - mode: put - - region: "{{ aws_region }}" - access_key: "{{ aws_access_key }}" - secret_key: "{{ aws_secret_key }}" - -- name: Deploy artifact to instance. - hosts: localhost - become: true - gather_facts: false - vars_files: - - ../config/ansible.secret.json - - ../config/infrastructure.secret.json - vars: - ansible_connection: aws_ssm - ansible_python_interpreter: /usr/bin/python3 - ansible_aws_ssm_plugin: "{{ ssm_plugin }}" - ansible_aws_ssm_bucket_name: "{{ image_bucket }}" - ansible_aws_ssm_instance_id: "{{ instance_id.value }}" - ansible_aws_ssm_region: "{{ aws_region }}" - ansible_aws_ssm_access_key_id: "{{ aws_access_key }}" - ansible_aws_ssm_secret_access_key: "{{ aws_secret_key }}" - tasks: - - name: Fetch image. - amazon.aws.s3_object: - mode: get - bucket: "{{ image_bucket }}" - object: "{{ image_key }}" - dest: /root/image.tar.gz - - region: "{{ aws_region }}" - access_key: "{{ aws_access_key }}" - secret_key: "{{ aws_secret_key }}" - - - name: Create data directory. - ansible.builtin.file: - path: /home/ssm-user/data - state: directory - mode: '0777' - - - name: Load image. - community.docker.docker_image_load: - path: /root/image.tar.gz - register: image - - - name: Run image. 
- community.docker.docker_container: - name: server - image: "{{ image.image_names[0] }}" - state: started - recreate: true - restart_policy: unless-stopped - memory: 425m - memory_swap: 900m - ports: [80:80, 2222:2222, 443:443, "22:22"] - env: - GITEA__security__INTERNAL_TOKEN: "{{ internal_secret }}" - GITEA__server__LFS_JWT_SECRET: "{{ lfs_secret }}" - GITEA__oauth2__JWT_SECRET: "{{ jwt_secret }}" - GITEA__server__ACME_EMAIL: "{{ email }}" - GITEA__server__SSH_DOMAIN: "{{ full_domain.value }}" - GITEA__server__DOMAIN: "{{ full_domain.value }}" - GITEA__server__ROOT_URL: "https://{{ full_domain.value }}/" - GITEA__storage__MINIO_ACCESS_KEY_ID: "{{ minio_access_key }}" - GITEA__storage__MINIO_SECRET_ACCESS_KEY: "{{ minio_secret_key }}" - labels: - docker-volume-backup.stop-during-backup: "true" - volumes: - - /home/ssm-user/data:/var/lib/gitea - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - - - name: Run backup. - community.docker.docker_container: - name: backup - image: offen/docker-volume-backup:v2 - state: started - recreate: true - restart_policy: unless-stopped - volumes: - - /home/ssm-user/data:/backup/my-app-backup:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - env: - AWS_S3_BUCKET_NAME: "{{ boot_bucket }}" - AWS_S3_PATH: "{{ boot_key }}" - AWS_REGION: "{{ boot_region.value }}" - AWS_ACCESS_KEY_ID: "{{ boot_id.value }}" - AWS_SECRET_ACCESS_KEY: "{{ boot_secret.value }}" - BACKUP_CRON_EXPRESSION: "0 0 * * *" diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index 8b9ee2c..5fd97ce 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl 
@@ -1,24 +1,24 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/aws" { - version = "5.83.1" +provider "registry.terraform.io/hetznercloud/hcloud" { + version = "1.52.0" + constraints = "~> 1.45" hashes = [ - "h1:Yy3K7R7881H72rQDzG6qjZVkrWA6DGJzfE21TionY7w=", - "zh:0313253c78f195973752c4d1f62bfdd345a9c99c1bc7a612a8c1f1e27d51e49e", - "zh:108523f3e9ebc93f7d900c51681f6edbd3f3a56b8a62b0afc31d8214892f91e0", - "zh:175b9bf2a00bea6ac1c73796ad77b0e00dcbbde166235017c49377d7763861d8", - "zh:1c8bf55b8548bbad683cd6d7bdb03e8840a00b2422dc1529ffb9892820657130", - "zh:22338f09bae62d5ff646de00182417f992548da534fee7d98c5d0136d4bd5d7a", - "zh:92de1107ec43de60612be5f6255616f16a9cf82d88df1af1c0471b81f3a82c16", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c7bfb7afea330e6d90e1466125a8cba3db1ed4043c5da52f737459c89290a6e", - "zh:ba59b374d477e5610674b70f5abfe0408e8f809390347372751384151440d3d0", - "zh:bd1c433966002f586d63cb1e3e16326991f238bc6beeb2352be36ec651917b0b", - "zh:ca2b4d1d02651c15261fffa4b142e45def9a22c6069353f0f663fd2046e268f8", - "zh:d8ed98c748f7a3f1a72277cfee9afe346aca39ab319d17402277852551d8f14a", - "zh:ed3d8bc89de5f35f3c5f4802ff7c749fda2e2be267f9af4a850694f099960a72", - "zh:f698732a4391c3f4d7079b4aaa52389da2a460cac5eed438ed688f147d603689", - "zh:f9f51b17f2978394954e9f6ab9ef293b8e11f1443117294ccf87f7f8212b3439", + "h1:LTjrLuC+4F1Kv4TxS9e7LVVkG8/S4QQ7X4ORblvKTbc=", + "zh:1e9bb6b6a2ea5f441638dbae2d60fbe04ff455f58a18c740b8b7913e2197d875", + "zh:29c122e404ba331cfbadacc7f1294de5a31c9dfd60bdfe3e1b402271fc8e419c", + "zh:2bd0ae2f0bb9f16b7753f59a08e57ac7230f9c471278d7882f81406b9426c8c7", + "zh:4383206971873f6b5d81580a9a36e0158924f5816ebb6206b0cf2430e4e6a609", + "zh:47e2ca1cfa18500e4952ab51dc357a0450d00a92da9ea03e452f1f3efe6bbf75", + "zh:8e9fe90e3cea29bb7892b64da737642fc22b0106402df76c228a3cbe99663278", + 
"zh:a2d69350a69c471ddb63bcc74e105e585319a0fc0f4d1b7f70569f6d2ece5824", + "zh:a97abcc254e21c294e2d6b0fc9068acfd63614b097dda365f1c56ea8b0fd5f6b", + "zh:aba8d72d4fe2e89c922d5446d329e5c23d00b28227b4666e6486ba18ea2ec278", + "zh:ad36c333978c2d9e4bc43dcadcbff42fe771a8c5ef53d028bcacec8287bf78a7", + "zh:cdb1e6903b9d2f0ad8845d4eb390fbe724ee2435fb045baeab38d4319e637682", + "zh:df77b08757f3f36b8aadb33d73362320174047044414325c56a87983f48b5186", + "zh:e07513d5ad387247092b5ae1c87e21a387fc51873b3f38eee616187e38b090a7", + "zh:e2be02bdc59343ff4b9e26c3b93db7680aaf3e6ed13c8c4c4b144c74c2689915", ] } diff --git a/terraform/Taskfile.yml b/terraform/Taskfile.yml deleted file mode 100644 index 4f51aec..0000000 --- a/terraform/Taskfile.yml +++ /dev/null @@ -1,18 +0,0 @@ -version: 3 -silent: true - -vars: - BACKEND: ../config/backend.secret.json - VARIABLES: ../config/variables.secret.json - OUTPUT: ../config/infrastructure.secret.json - -tasks: - init: terraform init -backend-config={{.BACKEND}} - plan: terraform plan -var-file={{.VARIABLES}} - destroy: terraform destroy - format: terraform fmt -recursive - out: terraform output -json > {{.OUTPUT}} - apply: - - terraform apply -var-file={{.VARIABLES}} - - task: out - import: terraform import -var-file={{.VARIABLES}} {{.CLI_ARGS}} \ No newline at end of file diff --git a/terraform/iam.tf b/terraform/iam.tf deleted file mode 100644 index eba76dc..0000000 --- a/terraform/iam.tf +++ /dev/null 
@@ -1,31 +0,0 @@ -data "aws_s3_bucket" "storage_bucket" { - bucket = var.boot_bucket -} - -data "aws_iam_policy_document" "boot" { - statement { - effect = "Allow" - actions = ["s3:*", "s3-object-lambda:*"] - resources = [ - "${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}", - "${data.aws_s3_bucket.storage_bucket.arn}/${var.boot_key}/*", - ] - } -} - -resource "aws_iam_policy" "boot" { - name = "${var.boot_role}Policy" - description = "The policy that manages the Gitea Boot." - - policy = data.aws_iam_policy_document.boot.json -} - -module "boot_user" { - source = "terraform-aws-modules/iam/aws//modules/iam-user" - version = "5.52.2" - - create_iam_user_login_profile = false - name = "${var.boot_role}User" - password_reset_required = false - policy_arns = [aws_iam_policy.boot.arn] -} diff --git a/terraform/main.tf b/terraform/main.tf index 69704ec..1c6a0d6 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -1,43 +1,24 @@ -# An elastic IP, so if the reverse proxy is modified, the route tables won't. -resource "aws_eip" "public" { - instance = aws_instance.this.id - domain = "vpc" +resource "hcloud_primary_ip" "public_ip" { + name = "repository-public-ip" + datacenter = local.datacenter + type = "ipv4" + assignee_type = "server" + auto_delete = false } -# An instance profile for access via AWS SSM. -resource "aws_iam_instance_profile" "ssm" { - name = "SSMInstanceProfile" - role = "AmazonSSMRoleForInstancesQuickSetup" +resource "hcloud_ssh_key" "ssky_key" { + name = "repository-ssh-key" + public_key = file(var.public_ssh_key_path) } -# The Gitea instance. -resource "aws_instance" "this" { - # ami = data.aws_ami.amazon-linux-2.id - ami = "ami-0adec96dc0cdc7bca" - instance_type = "t4g.nano" - subnet_id = module.vpc.public_subnets[0] - - user_data = file("install.sh") - user_data_replace_on_change = true - - iam_instance_profile = aws_iam_instance_profile.ssm.name - vpc_security_group_ids = [aws_security_group.public_access.id] - - metadata_options { - http_tokens = "required" +resource "hcloud_server" "server_test" { + name = "repository-server" + image = local.server_image + server_type = local.server_type + datacenter = local.datacenter + public_net { + ipv4_enabled = true + ipv4 = hcloud_primary_ip.public_ip.id + ipv6_enabled = false } - - root_block_device { - volume_type = "gp3" - volume_size = 8 - } - - tags = { - Name = "Codebase: Gitea" - } -} - -resource "aws_ec2_instance_state" "this" { - instance_id = aws_instance.this.id - state = "running" -} +} \ No newline at end of file diff --git a/terraform/network.tf b/terraform/network.tf deleted file mode 100644 index a93837d..0000000 --- a/terraform/network.tf +++ /dev/null 
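Review bot: `hcloud_server.server_test` is created without `ssh_keys` and without `firewall_ids`, so the `hcloud_ssh_key.ssky_key` resource above it is uploaded to the project but never injected into the server (as far as I know Hetzner then falls back to a generated root password delivered out of band), and with `terraform/network.tf` and its per-port security group deleted in this commit nothing restricts inbound traffic to the new primary IP. Attaching the key and an `hcloud_firewall` that admits only the ports the server is meant to serve restores the posture the AWS version had; the rewritten server resource and the new firewall are below, with the port set taken from the old ingress list minus what the deleted playbooks used. The `ssky_key` resource name looks like a typo for `ssh_key`, and `server_test` reads as a scratch name for what `name = "repository-server"` says is the real server.
```hcl
# … unchanged: hcloud_primary_ip.public_ip, hcloud_ssh_key.ssky_key …

# Inbound is closed once a firewall is attached; open only what the server is
# meant to serve (extend the set if more services are exposed).
resource "hcloud_firewall" "public_access" {
  name = "repository-firewall"

  dynamic "rule" {
    for_each = toset(["22", "80", "443"])
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }
}

resource "hcloud_server" "server_test" {
  # … unchanged: name, image, server_type, datacenter, public_net …
  ssh_keys     = [hcloud_ssh_key.ssky_key.id]
  firewall_ids = [hcloud_firewall.public_access.id]
}
```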
@@ -1,55 +0,0 @@ -locals { - # The IP block for the VPC. - vpc_cidr = "10.0.0.0/16" -} - -data "aws_availability_zones" "all" {} - -# The main VPC. -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - - name = "Main" - cidr = local.vpc_cidr - - azs = [data.aws_availability_zones.all.names[0]] - private_subnets = [cidrsubnet(local.vpc_cidr, 8, 0)] - public_subnets = [cidrsubnet(local.vpc_cidr, 8, 4)] - - private_subnet_tags = { SubnetOf = "Main", SubnetType = "Private" } - public_subnet_tags = { SubnetOf = "Main", SubnetType = "Public" } - - map_public_ip_on_launch = true - enable_dns_hostnames = true - enable_dns_support = true - - private_route_table_tags = { TableOf = "Main", TableType = "Public" } -} - -# Only allow HTTP(s) and SSH traffic. Allow full access to internet. -resource "aws_security_group" "public_access" { - vpc_id = module.vpc.vpc_id - tags = { GroupOf = "Main", GroupType = "Public" } -} - -resource "aws_vpc_security_group_ingress_rule" "ingress" { - for_each = toset(["80", "443", "22", "2222", "81", "8080", "4321", "1234"]) - - security_group_id = aws_security_group.public_access.id - - from_port = each.value - to_port = each.value - ip_protocol = "tcp" - cidr_ipv4 = "0.0.0.0/0" -} - -resource "aws_vpc_security_group_egress_rule" "egress" { - for_each = toset(["-1"]) - - security_group_id = aws_security_group.public_access.id - - from_port = each.value - to_port = each.value - ip_protocol = "-1" - cidr_ipv4 = "0.0.0.0/0" -} \ No newline at end of file diff --git a/terraform/output.tf b/terraform/output.tf deleted file mode 100644 index 065b01c..0000000 --- a/terraform/output.tf +++ /dev/null 
@@ -1,33 +0,0 @@ -output "instance_id" { - value = aws_instance.this.id - description = "The instance ID of the Gitea instance." -} - -output "ip_address" { - value = aws_instance.this.private_ip - description = "The Gitea IP address." -} - -output "boot_region" { - value = var.aws_region - description = "The region to manipulate the codebase repository boot." - sensitive = true -} - -output "boot_id" { - value = module.boot_user.iam_access_key_id - description = "The access id to manipulate the codebase repository boot." - sensitive = true -} - -output "boot_secret" { - value = module.boot_user.iam_access_key_secret - description = "The access secret to manipulate the codebase repository boot." - sensitive = true -} - -output "full_domain" { - value = "${var.subdomain}.${var.domain}" - description = "The domain of the Gitea instance." - sensitive = true -} diff --git a/terraform/providers.tf b/terraform/providers.tf index d97d5b4..f0603d5 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -1,11 +1,18 @@ terraform { - # The backend is stored in an S3 bucket. - backend "s3" {} + backend "s3" { + skip_credentials_validation = true + skip_region_validation = true + skip_requesting_account_id = true + } + + required_providers { + hcloud = { + source = "hetznercloud/hcloud" + version = "~> 1.45" + } + } } -# Access AWS through the IaC roles. -provider "aws" { - region = var.aws_region - access_key = var.aws_access - secret_key = var.aws_secret -} \ No newline at end of file +provider "hcloud" { + token = var.hcloud_token +} diff --git a/terraform/routing.tf b/terraform/routing.tf deleted file mode 100644 index a9bf3df..0000000 --- a/terraform/routing.tf +++ /dev/null 
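Review bot: The `skip_credentials_validation`, `skip_region_validation` and `skip_requesting_account_id` settings in the `backend "s3"` block silence the AWS-specific checks the backend normally performs, which is typically what a non-AWS S3-compatible state store needs, but nothing in the file records that and the rest of the backend configuration arrives out of band through `backend_config` from the vault. A comment above the block such as `# State is kept on an S3-compatible, non-AWS endpoint; bucket, endpoint and credentials are passed via -backend-config from vault.yml, hence the skip_* flags.` would stop the next reader from tidying them away. A `required_version` constraint for Terraform itself next to `required_providers` would pin the toolchain the same way the hcloud provider is pinned.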
@@ -1,13 +0,0 @@ -# The Route53 DNS zone. -data "aws_route53_zone" "main" { - name = var.domain -} - -# Push all domain traffic through the reverse proxy. -resource "aws_route53_record" "domain" { - zone_id = data.aws_route53_zone.main.zone_id - name = "${var.subdomain}.${data.aws_route53_zone.main.name}" - type = "A" - ttl = "60" - records = [aws_eip.public.public_ip] -} \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index 45ee6ed..8879a88 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,39 +1,16 @@ -variable "aws_region" { - type = string - description = "The AWS region things are created in." +variable "hcloud_token" { + sensitive = true + description = "The hCloud token used to access Hetzner resources." + type = string } -variable "aws_access" { - type = string - description = "The access key to generate the Gitea instance." +variable "public_ssh_key_path" { + description = "The location of the public key used to access the repository server." + type = string } -variable "aws_secret" { - type = string - description = "The access secret to generate the Gitea instance." -} - -variable "boot_bucket" { - type = string - description = "The name of the bucket to store the boot in." -} - -variable "boot_key" { - type = string - description = "The path that will hold the boot data." -} - -variable "boot_role" { - type = string - description = "The name of the role for boot access." -} - -variable "domain" { - type = string - description = "The name of the domain." -} - -variable "subdomain" { - type = string - description = "The name of the subdomain." -} +locals { + datacenter = "fsn1-dc14" + server_type = "cx22" + server_image = "debian-12" +} \ No newline at end of file diff --git a/vault.yml b/vault.yml index 8a990c8..46b567e 100644 --- a/vault.yml +++ b/vault.yml 
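Review bot: The `locals` block that fixes `datacenter`, `server_type` and `server_image` sits in variables.tf, where a reader expects only `variable` blocks; since the playbook already passes `terraform.variables` from the vault, declaring these three as `variable`s with `default`s (or moving them to a `locals.tf`) would let a different datacenter or server type be chosen without editing code. `public_ssh_key_path` is consumed by `file()` in main.tf, so a `validation` block on it whose `condition` is `fileexists(var.public_ssh_key_path)` would turn a wrong path into a plan-time error with a clear message instead of a failure deep in the server resource.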
@@ -1,6 +1,27 @@ $ANSIBLE_VAULT;1.1;AES256 -38656161656531643430306264373465643164656338326333333365646666336364303939383330 -3730613865373335386631313931656438396435366330610a663837343033643964356333653663 -66643062653936343031336432663064663831313430346464643534316538616638333965386531 -3834373335663766380a396534363833653163373635353037623337336637303962303733396439 -6631 +38323339316264326632393865326536613866323232396239306431386339326431316637343431 +6537323139653664383461393937656332666136373333370a373964396538643439376633316437 +32613563306661323830376135623466626636316433323866396230313566653933386162366131 +3562343139653337660a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