chore: move over files from web/git

terraform/main.tf

@@ -1,65 +1,87 @@
-data "aws_vpc" "main" {
-  tags = { Name = "Main" }
+resource "hcloud_network" "network" {
+  name     = "proxy-network"
+  ip_range = local.network_cidr
 }
 
-data "aws_subnet" "public" {
-  tags = { SubnetOf = "Main", SubnetType = "Public" }
+resource "hcloud_network_subnet" "subnet" {
+  type         = "cloud"
+  network_id   = hcloud_network.network.id
+  network_zone = "eu-central"
+  ip_range     = local.subnet_cidr
 }
 
-# An instance profile for access via AWS SSM.
-data "aws_iam_instance_profile" "ssm" {
-  name = "SSMInstanceProfile"
+/* -------------------------------------------------------------------------- */
+
+resource "hcloud_primary_ip" "public_ip" {
+  name          = "proxy-public-ip"
+  datacenter    = local.datacenter
+  type          = "ipv4"
+  assignee_type = "server"
+  auto_delete   = false
 }
 
-data "aws_security_group" "public" {
-  tags = { GroupOf = "Main", GroupType = "Public" }
+resource "hcloud_ssh_key" "ssh_key" {
+  name       = "proxy-ssh-key"
+  public_key = file(var.public_ssh_key_path)
 }
 
-data "aws_route_table" "public" {
-  tags = { TableOf = "Main", TableType = "Public" }
+resource "hcloud_server" "server_instance" {
+  name        = "proxy-server"
+  image       = local.server_image
+  server_type = local.server_type
+  datacenter  = local.datacenter
+  ssh_keys    = [hcloud_ssh_key.gitea_ssh_key.id]
+
+  public_net {
+    ipv4_enabled = true
+    ipv4         = hcloud_primary_ip.public_ip.id
+    ipv6_enabled = false
+  }
+
+  network {
+    network_id = hcloud_network.network.id
+    ip = local.proxy_ip
+    alias_ips = [ ]
+  }
+
+  depends_on = [ hcloud_network_subnet.subnet ]
 }
 
-# Give the private subnet full access to the internet, too.
-module "fck-nat" {
-  source = "RaJiska/fck-nat/aws"
+resource "hcloud_firewall" "server_firewall" {
+  name = "proxy-server-firewall"
 
-  name          = "NatInstance"
-  vpc_id        = data.aws_vpc.main.id
-  subnet_id     = data.aws_subnet.public.id
-  instance_type = "t4g.nano"
+  # Allow ICMP.
+  rule {
+    direction  = "in"
+    protocol   = "icmp"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
 
-  update_route_table = true
-  route_table_id     = data.aws_route_table.public.id
+  # Allow all out.
+  rule {
+    direction       = "out"
+    protocol        = "tcp"
+    port            = "any"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
 
-  tags = {
-    Name = "Codebase: Nat"
+  # Allow ingress for in-network.
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    source_ips = [local.network_cidr]
+  }
+
+  # Poke holes for SSH.
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port = "22"
+    source_ips = ["0.0.0.0/0", "::/0"]
   }
 }
 
-# An elastic IP, so if the reverse proxy is modified, the route tables won't.
-resource "aws_eip" "public" {
-  instance = aws_instance.proxy.id
-  domain   = "vpc"
+resource "hcloud_firewall_attachment" "server_fw_attachment" {
+  firewall_id = hcloud_firewall.server_firewall.id
+  server_ids  = [hcloud_server.gitea_server_instance.id]
 }
-
-# The reverse proxy.
-resource "aws_instance" "proxy" {
-  ami                    = "ami-0adec96dc0cdc7bca"
-  instance_type          = "t4g.nano"
-  subnet_id              = data.aws_subnet.public.id
-  vpc_security_group_ids = [data.aws_security_group.public.id]
-
-  user_data                   = file("install.sh")
-  user_data_replace_on_change = true
-
-  iam_instance_profile = data.aws_iam_instance_profile.ssm.name
-
-  root_block_device {
-    volume_type = "gp3"
-    volume_size = 8
-  }
-
-  tags = {
-    Name = "Codebase: Reverse Proxy"
-  }
-}