From f193ff4e6b567901778201feabe43dc99e7c2581 Mon Sep 17 00:00:00 2001 From: "M. V. Hutz" Date: Tue, 9 Sep 2025 00:36:31 -0400 Subject: [PATCH] feat: gitea works! --- Taskfile.yml | 2 +- gitea/Containerfile.dev | 13 ----- gitea/{Containerfile => Dockerfile} | 0 gitea/config/app.ini | 2 - playbooks/deploy.yml | 81 +++++++++++++++++++++++++++- terraform/.terraform.lock.hcl | 22 ++++++++ terraform/outputs.tf | 6 +++ terraform/providers.tf | 6 +++ terraform/routing.tf | 13 +++++ terraform/variables.tf | 31 +++++++++-- variables.yml | 2 + vault.yml | 82 +++++++++++++++++++---------- 12 files changed, 209 insertions(+), 51 deletions(-) delete mode 100644 gitea/Containerfile.dev rename gitea/{Containerfile => Dockerfile} (100%) create mode 100644 terraform/routing.tf create mode 100644 variables.yml diff --git a/Taskfile.yml b/Taskfile.yml index 6471a5a..4cd1274 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -8,5 +8,5 @@ tasks: enter: cmd: ssh -i {{.KEY}} -p 2222 root@{{.IP}} vars: - KEY: { sh: ansible-vault view vault.yml | yq -r ".deploy.private_ssh_key_path" } + KEY: { sh: ansible-vault view vault.yml | yq -r ".secret.private_ssh_key_path" } IP: { sh: cat dist/terraform_outputs.yml | jq -r ".server_ip.value" } \ No newline at end of file diff --git a/gitea/Containerfile.dev b/gitea/Containerfile.dev deleted file mode 100644 index 7f6b027..0000000 --- a/gitea/Containerfile.dev +++ /dev/null @@ -1,13 +0,0 @@ -FROM gitea/gitea:latest-rootless - -ADD --chown=git:git config /etc/gitea -ADD --chown=git:git custom /etc/gitea-custom - -ENV GITEA_CUSTOM=/etc/gitea-custom - -RUN rm /etc/gitea/app.ini -RUN mv /etc/gitea/dev.app.ini /etc/gitea/app.ini - -WORKDIR /etc/gitea-custom - -RUN gitea cert --host localhost --ca \ No newline at end of file diff --git a/gitea/Containerfile b/gitea/Dockerfile similarity index 100% rename from gitea/Containerfile rename to gitea/Dockerfile diff --git a/gitea/config/app.ini b/gitea/config/app.ini index 4200fcd..9c300d5 100644 
--- a/gitea/config/app.ini +++ b/gitea/config/app.ini @@ -97,7 +97,5 @@ DEFAULT_TRUST_MODEL = committer [storage] STORAGE_TYPE = minio -MINIO_ENDPOINT = s3.us-east-1.amazonaws.com -MINIO_BUCKET = myrica-faya MINIO_USE_SSL = true MINIO_INSECURE_SKIP_VERIFY = false \ No newline at end of file diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml index f509061..345c375 100644 --- a/playbooks/deploy.yml +++ b/playbooks/deploy.yml @@ -11,7 +11,7 @@ ansible_ssh_host: "{{ server_ip.value }}" ansible_user: root ansible_port: 22 - ansible_private_key_file: "{{ deploy.private_ssh_key_path }}" + ansible_private_key_file: "{{ secret.private_ssh_key_path }}" - name: Switch port to 2222. hosts: server_fresh @@ -42,7 +42,7 @@ ansible_ssh_host: "{{ server_ip.value }}" ansible_user: root ansible_port: 2222 - ansible_private_key_file: "{{ deploy.private_ssh_key_path }}" + ansible_private_key_file: "{{ secret.private_ssh_key_path }}" - name: Install Docker. gather_facts: true 
@@ -89,3 +89,80 @@ - containerd.io - docker-buildx-plugin - docker-compose-plugin
+
+- name: Deploy artifact to instance.
+ hosts: server
+ gather_facts: false
+ vars_files:
+ - ../variables.yml
+ - ../vault.yml
+ - ../dist/terraform_outputs.yml
+ tasks:
+ - name: Copy gitea folder.
+ ansible.builtin.copy:
+ src: ../gitea/
+ dest: /root/gitea/
+ mode: preserve
+
+ - name: Build image.
+ community.docker.docker_image_build:
+ name: "{{ variables.image_name }}"
+ path: /root/gitea
+ nocache: true
+ rebuild: always
+ pull: true
+
+ - name: Create data directory.
+ ansible.builtin.file:
+ path: /root/data
+ state: directory
+ mode: '0777'
+
+ - name: Run image.
+ community.docker.docker_container:
+ name: server
+ image: "{{ variables.image_name }}"
+ state: started
+ recreate: true
+ restart_policy: unless-stopped
+ memory: 425m
+ memory_swap: 900m
+ ports: [80:80, 443:443, "22:22"]
+ env:
+ GITEA__security__INTERNAL_TOKEN: "{{ secret.internal }}"
+ GITEA__server__LFS_JWT_SECRET: "{{ secret.lfs }}"
+ GITEA__oauth2__JWT_SECRET: "{{ secret.jwt }}"
+ GITEA__server__ACME_EMAIL: "acme@maximhutz.me"
+ GITEA__server__SSH_DOMAIN: "{{ server_fqdn.value }}"
+ GITEA__server__DOMAIN: "{{ server_fqdn.value }}"
+ GITEA__server__ROOT_URL: "https://{{ server_fqdn.value }}/"
+
+ GITEA__storage__MINIO_BUCKET: "{{ secret.bucket.name }}"
+ GITEA__storage__MINIO_ENDPOINT: "{{ secret.bucket.endpoint }}"
+ GITEA__storage__MINIO_ACCESS_KEY_ID: "{{ secret.bucket.access_key }}"
+ GITEA__storage__MINIO_SECRET_ACCESS_KEY: "{{ secret.bucket.secret_key }}"
+ labels:
+ docker-volume-backup.stop-during-backup: "true"
+ volumes:
+ - /root/data:/var/lib/gitea
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+
+ - name: Run backup.
+ community.docker.docker_container:
+ name: backup
+ image: offen/docker-volume-backup:v2
+ state: started
+ recreate: true
+ restart_policy: unless-stopped
+ volumes:
+ - /root/data:/backup/my-app-backup:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ env:
+ AWS_S3_BUCKET_NAME: "{{ secret.bucket.name }}"
+ AWS_S3_PATH: "{{ secret.backup.key }}"
+ AWS_REGION: "{{ secret.bucket.region }}"
+ AWS_ACCESS_KEY_ID: "{{ secret.bucket.access_key }}"
+ AWS_SECRET_ACCESS_KEY: "{{ secret.bucket.secret_key }}"
+ AWS_ENDPOINT: "{{ secret.bucket.endpoint }}"
+ BACKUP_CRON_EXPRESSION: "0 0 * * *"
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 5fd97ce..10fc2d6 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
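Review bot: `mode: '0777'` in the "Create data directory." task leaves /root/data, which is then mounted as /var/lib/gitea and holds the repositories and database, world-writable on the host; if the image runs as a non-root user (the deleted dev Containerfile was built on `gitea/gitea:latest-rootless`), set `owner`/`group` to that uid and `mode: '0750'` instead. The backup container reuses the same `secret.bucket.access_key` / `secret.bucket.secret_key` that Gitea's storage gets, so a single credential can both read the LFS objects and delete the backups; a separate key limited to the `secret.backup.key` prefix would keep a compromise of the app from reaching its backups, and setting `GPG_PASSPHRASE` would encrypt the archives at rest. Mounting /var/run/docker.sock is what the stop-during-backup label needs, but it hands that container control of the Docker daemon even with `:ro`, which deserves a comment on the volume line. Minor: quote all three port mappings consistently, `ports: ["80:80", "443:443", "22:22"]`.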
@@ -1,6 +1,28 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "6.12.0" + hashes = [ + "h1:8u90EMle+I3Auh4f/LPP6fEfRsAF6xCFnUZF4b7ngEs=", + "zh:054bcbf13c6ac9ddd2247876f82f9b56493e2f71d8c88baeec142386a395165d", + "zh:195489f16ad5621db2cec80be997d33060462a3b8d442c890bef3eceba34fa4d", + "zh:3461ef14904ab7de246296e44d24c042f3190e6bead3d7ce1d9fda63dcb0f047", + "zh:44517a0035996431e4127f45db5a84f53ce80730eae35629eda3101709df1e5c", + "zh:4b0374abaa6b9a9debed563380cc944873e4f30771dd1da7b9e812a49bf485e3", + "zh:531468b99465bd98a89a4ce2f1a30168dfadf6edb57f7836df8a977a2c4f9804", + "zh:6a95ed7b4852174aa748d3412bff3d45e4d7420d12659f981c3d9f4a1a59a35f", + "zh:88c2d21af1e64eed4a13dbb85590c66a519f3ecc54b72875d4bb6326f3ef84e7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a8b648470bb5df098e56b1ec5c6a39e0bbb7b496b23a19ea9f494bf48d4a122a", + "zh:b23fb13efdb527677db546bc92aeb2bdf64ff3f480188841f2bfdfa7d3d907c1", + "zh:be5858a1951ae5f5a9c388949c3e3c66a3375f684fb79b06b1d1db7a9703b18e", + "zh:c368e03a7c922493daf4c7348faafc45f455225815ef218b5491c46cea5f76b7", + "zh:e31e75d5d19b8ac08aa01be7e78207966e1faa3b82ed9fe3acfdc2d806be924c", + "zh:ea84182343b5fd9252a6fae41e844eed4fdc3311473a753b09f06e49ec0e7853", + ] +} + provider "registry.terraform.io/hetznercloud/hcloud" { version = "1.52.0" constraints = "~> 1.45" diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 929c5d2..f2e54d1 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -3,3 +3,9 @@ output "server_ip" { value = hcloud_server.server_instance.ipv4_address sensitive = false } + +output "server_fqdn" { + description = "The public domain of the server." + value = "${local.subdomain}.${local.domain}" + sensitive = false +} diff --git a/terraform/providers.tf b/terraform/providers.tf index f0603d5..849c70c 100644 --- a/terraform/providers.tf 
+++ b/terraform/providers.tf @@ -16,3 +16,9 @@ terraform { provider "hcloud" { token = var.hcloud_token } + +provider "aws" { + region = var.aws_region + access_key = var.aws_access_key + secret_key = var.aws_secret_key +} \ No newline at end of file diff --git a/terraform/routing.tf b/terraform/routing.tf new file mode 100644 index 0000000..d1714d1 --- /dev/null +++ b/terraform/routing.tf @@ -0,0 +1,13 @@ +# The Route53 DNS zone. +data "aws_route53_zone" "main" { + name = local.domain +} + +# Push all domain traffic through the reverse proxy. +resource "aws_route53_record" "domain" { + zone_id = data.aws_route53_zone.main.zone_id + name = "${local.subdomain}.${data.aws_route53_zone.main.name}" + type = "A" + ttl = "60" + records = [hcloud_primary_ip.public_ip.ip_address] +} \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index 8879a88..ffb0085 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,3 +1,14 @@ +locals { + datacenter = "fsn1-dc14" + server_type = "cx22" + server_image = "debian-12" + + domain = "maximhutz.com" + subdomain = "git2" +} + +# ---------------------------------------------------------------------------- # + variable "hcloud_token" { sensitive = true description = "The hCloud token used to access Hetzner resources." @@ -9,8 +20,20 @@ variable "public_ssh_key_path" { type = string } -locals { - datacenter = "fsn1-dc14" - server_type = "cx22" - server_image = "debian-12" +variable "aws_region" { + description = "The region of the AWS account." + type = string + sensitive = true +} + +variable "aws_access_key" { + description = "The access key of the account." + type = string + sensitive = true +} + +variable "aws_secret_key" { + description = "The secret key of the account." + type = string + sensitive = true } \ No newline at end of file diff --git a/variables.yml b/variables.yml new file mode 100644 index 0000000..e684b58 --- /dev/null +++ b/variables.yml 
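Review bot: The new `provider "aws"` block takes static `access_key`/`secret_key` from variables, which routes long-lived credentials through every plan and through whatever supplies the variables (tfvars, CI arguments); the provider already reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` or `AWS_PROFILE` from the environment, so the block can be reduced to `provider "aws" { region = var.aws_region }` and the two credential variables dropped. Whichever key is used only needs Route53 permissions on the single hosted zone that routing.tf reads, so it should be scoped to that rather than to the account.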
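Review bot: The comment `# Push all domain traffic through the reverse proxy.` does not describe the resource below it, which creates one A record for `${local.subdomain}` (git2) and involves no proxy; `# A record pointing the git subdomain at the server's primary IP.` matches what the block does. `ttl = "60"` is a string where the argument is a number; write `ttl = 60`. The record target `hcloud_primary_ip.public_ip.ip_address` is not defined in this patch, so it presumably lives in another .tf file.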
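Review bot: `aws_region` is declared `sensitive = true`, but a region name is not a secret; marking it sensitive redacts it from plan output and taints anything derived from it as sensitive, which only makes the Route53 setup harder to debug. Drop that line while keeping `sensitive = true` on `aws_access_key` and `aws_secret_key`. The descriptions "The access key of the account." and "The secret key of the account." should say which account and what the key is for, e.g. `description = "AWS access key used by the Route53 provider."`.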
@@ -0,0 +1,2 @@ +variables: + image_name: mvhutz/gitea diff --git a/vault.yml b/vault.yml index 598fc07..153e66d 100644 --- a/vault.yml +++ b/vault.yml @@ -1,30 +1,54 @@ $ANSIBLE_VAULT;1.1;AES256 -34643530383765643831323664663862643337623238343461366330376462326636383935333036 -6537343334303666336163363965303035613437333235650a346434356437323964376262663834 -61373330643932363061393039373064306262373738303934393437333934653434626434373362 -6265383464376133650a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a626235663065666266383132626164 +35306337636461626533343438633766303464363065653432303438666234626436663235376263 +3337616265643730640a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