diff --git a/.gitignore b/.gitignore index b8332c7..723861c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,45 @@ +# ---> Terraform +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Ignore transient lock info files created by terraform apply +.terraform.tfstate.lock.info + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc + +# ---> Ansible +*.retry + # ---> Python # Byte-compiled / optimized / DLL files __pycache__/ @@ -168,60 +210,8 @@ cython_debug/ # option (not recommended) you can uncomment the following to ignore the entire idea folder. #.idea/ -# ---> Ansible -*.retry - -# ---> Terraform -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log -crash.*.log - -# Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject -# to change depending on the environment. -*.tfvars -*.tfvars.json - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Ignore transient lock info files created by terraform apply -.terraform.tfstate.lock.info - -# Include override files you do wish to add to version control using negated pattern -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* - -# Ignore CLI configuration files -.terraformrc -terraform.rc - -# Custom ignores. -boot -ssh.pem -.DS_Store *secret* -*.tfbackend -*.env -*.tar.gz -*.tar.xz -*.tar -*.pem -.venv .vscode -tmp -node_modules \ No newline at end of file +.DS_Store +*.key +*.out \ No newline at end of file diff --git a/Taskfile.yml b/Taskfile.yml index 97ac20d..ca96851 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -1,15 +1,12 @@ version: 3 -includes: - tf: { taskfile: terraform, dir: terraform } - tasks: - deploy: ansible-playbook playbooks/deploy.yml + vault: ansible-vault edit vault.yml {{.CLI_ARGS}} + provision: ansible-playbook playbooks/provision.yml {{.CLI_ARGS}} + deploy: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}} + restore: ansible-playbook playbooks/restore.yml {{.CLI_ARGS}} enter: - cmd: aws ssm start-session --target $INSTANCE_ID - env: - INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.json } - AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json } - AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json } - AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json } + cmd: ssh {{.GITEA}} + vars: + GITEA: { sh: cat ./variables.yml | yq -r ".variables.gitea_host" } diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..63c126b --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,13 @@ +[defaults] +callbacks_enabled = profile_tasks +localhost_warning = False +vault_password_file = vault.key +interpreter_python = /usr/bin/python3.11 + +[inventory] +inventory_unparsed_warning = False + +[ssh_connection] +ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o IdentityAgent=none +pipelining = True +retries = 2 \ No newline at end of file diff --git a/playbooks/provision.yml b/playbooks/provision.yml new file mode 100644 index 0000000..42525b0 --- /dev/null +++ b/playbooks/provision.yml @@ -0,0 +1,38 @@ +- name: Deploy terraform infrastructure. + hosts: localhost + gather_facts: false + vars_files: + - ../vault.yml + tasks: + - name: Reconfigure and plan. + community.general.terraform: + project_path: '../terraform' + state: "planned" + plan_file: plan.out + # init_reconfigure: true + backend_config: "{{ terraform.backend }}" + variables: "{{ terraform.variables }}" + complex_vars: true + + - name: Apply. + community.general.terraform: + project_path: '../terraform' + state: "present" + plan_file: plan.out + backend_config: "{{ terraform.backend }}" + variables: "{{ terraform.variables }}" + complex_vars: true + register: terraform_apply + + - name: Create secret directory. + ansible.builtin.file: + path: ../dist + recurse: true + mode: "0755" + state: directory + + - name: Send outputs to file. + ansible.builtin.copy: + content: "{{ terraform_apply.outputs }}" + dest: ../dist/terraform_outputs.yml + mode: '0755' diff --git a/requirements.txt b/requirements.txt index f1246e9..f1062ee 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,6 +3,7 @@ ansible-compat==24.10.0 ansible-core==2.18.1 ansible-lint==24.12.2 attrs==24.3.0 +awscli-local==0.22.0 black==24.10.0 boto3==1.35.95 botocore==1.35.95 @@ -13,12 +14,14 @@ charset-normalizer==3.4.1 click==8.1.8 cryptography==44.0.0 filelock==3.16.1 +go-task-bin==3.44.1 idna==3.10 importlib_metadata==8.5.0 Jinja2==3.1.5 jmespath==1.0.1 jsonschema==4.23.0 jsonschema-specifications==2024.10.1 +localstack-client==2.7 MarkupSafe==3.0.2 mypy-extensions==1.0.0 packaging==24.2 diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index 97507b9..10fc2d6 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl @@ -2,23 +2,45 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.87.0" + version = "6.12.0" hashes = [ - "h1:IYq3by7O/eJuXzJwOF920z2nZEkw08PkDFdw2xkyhrs=", - "zh:017f237466875c919330b9e214fb33af14fffbff830d3755e8976d8fa3c963c2", - "zh:0776d1e60aa93c85ecbb01144aed2789c8e180bb0f1c811a0aba17ca7247b26c", - "zh:0dfa5c6cfb3724494fdc73f7d042515e88a20da8968959f48b3ec0b937bd8c8f", - "zh:1707a5ead36a7980cb3f83e8b69a67a14ae725bfc990ddfcc209b59400b57b04", - "zh:1c71f54fdd6adcbe547d6577dbb843d72a30fef0ab882d0afbeb8a7b348bc442", - "zh:3563c850a29790957ec3f4d3ba203bfa2e084ac7319035b3f43b91f818a2c9b4", - "zh:520bf6cef53785a92226651d5bebacbbf9314bdbc3211d0bf0903bce4e45149d", - "zh:56f9778575830f6e5c23462c2eccbf2c9afaddb00a69275fcfb33cd1a6d17f4d", - "zh:73e381cb0b1e76d471d7b0952f3d2a80350b507d15bda9b7041ea69077e3b5b5", - "zh:7da74b48f8fa088be758a92407980400cb4b039a8d9ba3c108907e4055e9ad6f", - "zh:8dacfa9623ba2e0197fe7db6faaaa0820a3b91fe00ba9e5d8a646340522bc8dd", + "h1:8u90EMle+I3Auh4f/LPP6fEfRsAF6xCFnUZF4b7ngEs=", + "zh:054bcbf13c6ac9ddd2247876f82f9b56493e2f71d8c88baeec142386a395165d", + "zh:195489f16ad5621db2cec80be997d33060462a3b8d442c890bef3eceba34fa4d", + "zh:3461ef14904ab7de246296e44d24c042f3190e6bead3d7ce1d9fda63dcb0f047", + "zh:44517a0035996431e4127f45db5a84f53ce80730eae35629eda3101709df1e5c", + "zh:4b0374abaa6b9a9debed563380cc944873e4f30771dd1da7b9e812a49bf485e3", + "zh:531468b99465bd98a89a4ce2f1a30168dfadf6edb57f7836df8a977a2c4f9804", + "zh:6a95ed7b4852174aa748d3412bff3d45e4d7420d12659f981c3d9f4a1a59a35f", + "zh:88c2d21af1e64eed4a13dbb85590c66a519f3ecc54b72875d4bb6326f3ef84e7", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c2ebd21d697e1a611fe201788dc9e1678949a088afc85d4589563bca484d835", - "zh:ac5d0bbf36f9a6cedbfb63993f6baf0aabdaf21c8d7fc3b1e69ba8cbf344b5f3", - "zh:c2329644179f78a0458b6cf2dd5eaadca4c610fc3577a1b50620544d92df13e8", + "zh:a8b648470bb5df098e56b1ec5c6a39e0bbb7b496b23a19ea9f494bf48d4a122a", + "zh:b23fb13efdb527677db546bc92aeb2bdf64ff3f480188841f2bfdfa7d3d907c1", + "zh:be5858a1951ae5f5a9c388949c3e3c66a3375f684fb79b06b1d1db7a9703b18e", + "zh:c368e03a7c922493daf4c7348faafc45f455225815ef218b5491c46cea5f76b7", + "zh:e31e75d5d19b8ac08aa01be7e78207966e1faa3b82ed9fe3acfdc2d806be924c", + "zh:ea84182343b5fd9252a6fae41e844eed4fdc3311473a753b09f06e49ec0e7853", + ] +} + +provider "registry.terraform.io/hetznercloud/hcloud" { + version = "1.52.0" + constraints = "~> 1.45" + hashes = [ + "h1:LTjrLuC+4F1Kv4TxS9e7LVVkG8/S4QQ7X4ORblvKTbc=", + "zh:1e9bb6b6a2ea5f441638dbae2d60fbe04ff455f58a18c740b8b7913e2197d875", + "zh:29c122e404ba331cfbadacc7f1294de5a31c9dfd60bdfe3e1b402271fc8e419c", + "zh:2bd0ae2f0bb9f16b7753f59a08e57ac7230f9c471278d7882f81406b9426c8c7", + "zh:4383206971873f6b5d81580a9a36e0158924f5816ebb6206b0cf2430e4e6a609", + "zh:47e2ca1cfa18500e4952ab51dc357a0450d00a92da9ea03e452f1f3efe6bbf75", + "zh:8e9fe90e3cea29bb7892b64da737642fc22b0106402df76c228a3cbe99663278", + "zh:a2d69350a69c471ddb63bcc74e105e585319a0fc0f4d1b7f70569f6d2ece5824", + "zh:a97abcc254e21c294e2d6b0fc9068acfd63614b097dda365f1c56ea8b0fd5f6b", + "zh:aba8d72d4fe2e89c922d5446d329e5c23d00b28227b4666e6486ba18ea2ec278", + "zh:ad36c333978c2d9e4bc43dcadcbff42fe771a8c5ef53d028bcacec8287bf78a7", + "zh:cdb1e6903b9d2f0ad8845d4eb390fbe724ee2435fb045baeab38d4319e637682", + "zh:df77b08757f3f36b8aadb33d73362320174047044414325c56a87983f48b5186", + "zh:e07513d5ad387247092b5ae1c87e21a387fc51873b3f38eee616187e38b090a7", + "zh:e2be02bdc59343ff4b9e26c3b93db7680aaf3e6ed13c8c4c4b144c74c2689915", ] } diff --git a/terraform/Taskfile.yml b/terraform/Taskfile.yml deleted file mode 100644 index 4f51aec..0000000 --- a/terraform/Taskfile.yml +++ /dev/null @@ -1,18 +0,0 @@ -version: 3 -silent: true - -vars: - BACKEND: ../config/backend.secret.json - VARIABLES: ../config/variables.secret.json - OUTPUT: ../config/infrastructure.secret.json - -tasks: - init: terraform init -backend-config={{.BACKEND}} - plan: terraform plan -var-file={{.VARIABLES}} - destroy: terraform destroy - format: terraform fmt -recursive - out: terraform output -json > {{.OUTPUT}} - apply: - - terraform apply -var-file={{.VARIABLES}} - - task: out - import: terraform import -var-file={{.VARIABLES}} {{.CLI_ARGS}} \ No newline at end of file diff --git a/terraform/install.sh b/terraform/install.sh deleted file mode 100644 index bcb2efd..0000000 --- a/terraform/install.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/sh - -rpm --rebuilddb -amazon-linux-extras install docker ansible2 python3.8 -y - -# Make Docker work. -systemctl enable docker -systemctl start docker - -# Set up the correct version of Python (for Ansible). -ln -sf /usr/bin/python3.8 /usr/bin/python3 -ln -sf /usr/bin/pip3.8 /usr/bin/pip3 -pip3 install botocore boto3 requests packaging -python3 -m pip install -U pip - -# Add some swap space. -dd if=/dev/zero of=/swapfile bs=128M count=8 -chmod 600 /swapfile -mkswap /swapfile -swapon /swapfile - -# Stop SSH (because we have SSM.) -service sshd stop - -# Install Docker Compose. -curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose -chmod +x /usr/local/bin/docker-compose - -# ERROR: SSM User not created yet. -sudo usermod -aG docker ssm-user diff --git a/terraform/main.tf b/terraform/main.tf index cfed970..c5bb990 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -1,65 +1,87 @@ -data "aws_vpc" "main" { - tags = { Name = "Main" } +resource "hcloud_network" "network" { + name = "proxy-network" + ip_range = local.network_cidr } -data "aws_subnet" "public" { - tags = { SubnetOf = "Main", SubnetType = "Public" } +resource "hcloud_network_subnet" "subnet" { + type = "cloud" + network_id = hcloud_network.network.id + network_zone = "eu-central" + ip_range = local.subnet_cidr } -# An instance profile for access via AWS SSM. -data "aws_iam_instance_profile" "ssm" { - name = "SSMInstanceProfile" +/* -------------------------------------------------------------------------- */ + +resource "hcloud_primary_ip" "public_ip" { + name = "proxy-public-ip" + datacenter = local.datacenter + type = "ipv4" + assignee_type = "server" + auto_delete = false } -data "aws_security_group" "public" { - tags = { GroupOf = "Main", GroupType = "Public" } +resource "hcloud_ssh_key" "ssh_key" { + name = "proxy-ssh-key" + public_key = file(var.public_ssh_key_path) } -data "aws_route_table" "public" { - tags = { TableOf = "Main", TableType = "Public" } +resource "hcloud_server" "server_instance" { + name = "proxy-server" + image = local.server_image + server_type = local.server_type + datacenter = local.datacenter + ssh_keys = [hcloud_ssh_key.gitea_ssh_key.id] + + public_net { + ipv4_enabled = true + ipv4 = hcloud_primary_ip.public_ip.id + ipv6_enabled = false + } + + network { + network_id = hcloud_network.network.id + ip = local.proxy_ip + alias_ips = [ ] + } + + depends_on = [ hcloud_network_subnet.subnet ] } -# Give the private subnet full access to the internet, too. -module "fck-nat" { - source = "RaJiska/fck-nat/aws" +resource "hcloud_firewall" "server_firewall" { + name = "proxy-server-firewall" - name = "NatInstance" - vpc_id = data.aws_vpc.main.id - subnet_id = data.aws_subnet.public.id - instance_type = "t4g.nano" + # Allow ICMP. + rule { + direction = "in" + protocol = "icmp" + source_ips = ["0.0.0.0/0", "::/0"] + } - update_route_table = true - route_table_id = data.aws_route_table.public.id + # Allow all out. + rule { + direction = "out" + protocol = "tcp" + port = "any" + destination_ips = ["0.0.0.0/0", "::/0"] + } - tags = { - Name = "Codebase: Nat" + # Allow ingress for in-network. + rule { + direction = "in" + protocol = "tcp" + source_ips = [local.network_cidr] + } + + # Poke holes for SSH. + rule { + direction = "in" + protocol = "tcp" + port = "22" + source_ips = ["0.0.0.0/0", "::/0"] } } -# An elastic IP, so if the reverse proxy is modified, the route tables won't. -resource "aws_eip" "public" { - instance = aws_instance.proxy.id - domain = "vpc" +resource "hcloud_firewall_attachment" "server_fw_attachment" { + firewall_id = hcloud_firewall.server_firewall.id + server_ids = [hcloud_server.gitea_server_instance.id] } - -# The reverse proxy. -resource "aws_instance" "proxy" { - ami = "ami-0adec96dc0cdc7bca" - instance_type = "t4g.nano" - subnet_id = data.aws_subnet.public.id - vpc_security_group_ids = [data.aws_security_group.public.id] - - user_data = file("install.sh") - user_data_replace_on_change = true - - iam_instance_profile = data.aws_iam_instance_profile.ssm.name - - root_block_device { - volume_type = "gp3" - volume_size = 8 - } - - tags = { - Name = "Codebase: Reverse Proxy" - } -} \ No newline at end of file diff --git a/terraform/output.tf b/terraform/output.tf deleted file mode 100644 index 82c09e2..0000000 --- a/terraform/output.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "instance_id" { - value = aws_instance.proxy.id - description = "The instance ID of the Gitea instance." -} \ No newline at end of file diff --git a/terraform/outputs.tf b/terraform/outputs.tf new file mode 100644 index 0000000..84d2df3 --- /dev/null +++ b/terraform/outputs.tf @@ -0,0 +1,5 @@ +output "proxy_ip" { + description = "The public address of the proxy server." + value = hcloud_server.server_instance.ipv4_address + sensitive = false +} diff --git a/terraform/provider.tf b/terraform/provider.tf deleted file mode 100644 index d97d5b4..0000000 --- a/terraform/provider.tf +++ /dev/null @@ -1,11 +0,0 @@ -terraform { - # The backend is stored in an S3 bucket. - backend "s3" {} -} - -# Access AWS through the IaC roles. -provider "aws" { - region = var.aws_region - access_key = var.aws_access - secret_key = var.aws_secret -} \ No newline at end of file diff --git a/terraform/providers.tf b/terraform/providers.tf new file mode 100644 index 0000000..f0603d5 --- /dev/null +++ b/terraform/providers.tf @@ -0,0 +1,18 @@ +terraform { + backend "s3" { + skip_credentials_validation = true + skip_region_validation = true + skip_requesting_account_id = true + } + + required_providers { + hcloud = { + source = "hetznercloud/hcloud" + version = "~> 1.45" + } + } +} + +provider "hcloud" { + token = var.hcloud_token +} diff --git a/terraform/variables.tf b/terraform/variables.tf index 6565f7e..c28a02f 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,14 +1,25 @@ -variable "aws_region" { - type = string - description = "The AWS region things are created in." +locals { + datacenter = "fsn1-dc14" + server_type = "cx22" + server_image = "debian-12" + + domain = "maximhutz.com" + subdomain = "git" + + network_cidr = "10.0.0.0/16" + subnet_cidr = "10.0.0.0/24" + proxy_ip = "10.0.0.1" } -variable "aws_access" { - type = string - description = "The access key to generate the Gitea instance." +# ---------------------------------------------------------------------------- # + +variable "hcloud_token" { + sensitive = true + description = "The hCloud token used to access Hetzner resources." + type = string } -variable "aws_secret" { - type = string - description = "The access secret to generate the Gitea instance." -} \ No newline at end of file +variable "public_ssh_key_path" { + description = "The location of the public key used to access the repository Gitea server." + type = string +} diff --git a/vault.yml b/vault.yml new file mode 100644 index 0000000..d8008f8 --- /dev/null +++ b/vault.yml @@ -0,0 +1,6 @@ +$ANSIBLE_VAULT;1.1;AES256 +64393531353664313066303161636532326263356634646430616130363039373333663639663634 +3232356333343265353133623139333832663365666630310a643636656633653337373033376131 +35336532353335363933316433313032343265663233646431613830376564633239663732373530 +6138646232333933300a616232623765343566393137363762323231633565646266393862666131 +3938