web/proxy
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore: move over files from web/git

Browse Source
This commit is contained in:
Maxim Hutz
2025-10-08 20:40:44 -04:00
parent 2e5f7821ec
commit 5697e53bc9
15 changed files with 264 additions and 202 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
.gitignore vendored
View File

@@ -1,3 +1,45 @@
# ---> Terraform
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ignore transient lock info files created by terraform apply
.terraform.tfstate.lock.info
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
# ---> Ansible
*.retry
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/
@@ -168,60 +210,8 @@ cython_debug/
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/
# ---> Ansible
*.retry
# ---> Terraform
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ignore transient lock info files created by terraform apply
.terraform.tfstate.lock.info
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
# Custom ignores.
boot
ssh.pem
.DS_Store
*secret*
*.tfbackend
*.env
*.tar.gz
*.tar.xz
*.tar
*.pem
.venv
.vscode
tmp
node_modules
.DS_Store
*.key
*.out

17
Taskfile.yml
View File

@@ -1,15 +1,12 @@
version: 3
includes:
tf: { taskfile: terraform, dir: terraform }
tasks:
deploy: ansible-playbook playbooks/deploy.yml
vault: ansible-vault edit vault.yml {{.CLI_ARGS}}
provision: ansible-playbook playbooks/provision.yml {{.CLI_ARGS}}
deploy: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}}
restore: ansible-playbook playbooks/restore.yml {{.CLI_ARGS}}
enter:
cmd: aws ssm start-session --target $INSTANCE_ID
env:
INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.json }
AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json }
AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json }
AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json }
cmd: ssh {{.GITEA}}
vars:
GITEA: { sh: cat ./variables.yml | yq -r ".variables.gitea_host" }

13
ansible.cfg Normal file
View File

@@ -0,0 +1,13 @@
[defaults]
callbacks_enabled = profile_tasks
localhost_warning = False
vault_password_file = vault.key
interpreter_python = /usr/bin/python3.11
[inventory]
inventory_unparsed_warning = False
[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o IdentityAgent=none
pipelining = True
retries = 2

38
playbooks/provision.yml Normal file
View File

@@ -0,0 +1,38 @@
- name: Deploy terraform infrastructure.
hosts: localhost
gather_facts: false
vars_files:
- ../vault.yml
tasks:
- name: Reconfigure and plan.
community.general.terraform:
project_path: '../terraform'
state: "planned"
plan_file: plan.out
# init_reconfigure: true
backend_config: "{{ terraform.backend }}"
variables: "{{ terraform.variables }}"
complex_vars: true
- name: Apply.
community.general.terraform:
project_path: '../terraform'
state: "present"
plan_file: plan.out
backend_config: "{{ terraform.backend }}"
variables: "{{ terraform.variables }}"
complex_vars: true
register: terraform_apply
- name: Create secret directory.
ansible.builtin.file:
path: ../dist
recurse: true
mode: "0755"
state: directory
- name: Send outputs to file.
ansible.builtin.copy:
content: "{{ terraform_apply.outputs }}"
dest: ../dist/terraform_outputs.yml
mode: '0755'

3
requirements.txt
View File

@@ -3,6 +3,7 @@ ansible-compat==24.10.0
ansible-core==2.18.1
ansible-lint==24.12.2
attrs==24.3.0
awscli-local==0.22.0
black==24.10.0
boto3==1.35.95
botocore==1.35.95
@@ -13,12 +14,14 @@ charset-normalizer==3.4.1
click==8.1.8
cryptography==44.0.0
filelock==3.16.1
go-task-bin==3.44.1
idna==3.10
importlib_metadata==8.5.0
Jinja2==3.1.5
jmespath==1.0.1
jsonschema==4.23.0
jsonschema-specifications==2024.10.1
localstack-client==2.7
MarkupSafe==3.0.2
mypy-extensions==1.0.0
packaging==24.2

54
terraform/.terraform.lock.hcl generated
View File

@@ -2,23 +2,45 @@
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "5.87.0"
version = "6.12.0"
hashes = [
"h1:IYq3by7O/eJuXzJwOF920z2nZEkw08PkDFdw2xkyhrs=",
"zh:017f237466875c919330b9e214fb33af14fffbff830d3755e8976d8fa3c963c2",
"zh:0776d1e60aa93c85ecbb01144aed2789c8e180bb0f1c811a0aba17ca7247b26c",
"zh:0dfa5c6cfb3724494fdc73f7d042515e88a20da8968959f48b3ec0b937bd8c8f",
"zh:1707a5ead36a7980cb3f83e8b69a67a14ae725bfc990ddfcc209b59400b57b04",
"zh:1c71f54fdd6adcbe547d6577dbb843d72a30fef0ab882d0afbeb8a7b348bc442",
"zh:3563c850a29790957ec3f4d3ba203bfa2e084ac7319035b3f43b91f818a2c9b4",
"zh:520bf6cef53785a92226651d5bebacbbf9314bdbc3211d0bf0903bce4e45149d",
"zh:56f9778575830f6e5c23462c2eccbf2c9afaddb00a69275fcfb33cd1a6d17f4d",
"zh:73e381cb0b1e76d471d7b0952f3d2a80350b507d15bda9b7041ea69077e3b5b5",
"zh:7da74b48f8fa088be758a92407980400cb4b039a8d9ba3c108907e4055e9ad6f",
"zh:8dacfa9623ba2e0197fe7db6faaaa0820a3b91fe00ba9e5d8a646340522bc8dd",
"h1:8u90EMle+I3Auh4f/LPP6fEfRsAF6xCFnUZF4b7ngEs=",
"zh:054bcbf13c6ac9ddd2247876f82f9b56493e2f71d8c88baeec142386a395165d",
"zh:195489f16ad5621db2cec80be997d33060462a3b8d442c890bef3eceba34fa4d",
"zh:3461ef14904ab7de246296e44d24c042f3190e6bead3d7ce1d9fda63dcb0f047",
"zh:44517a0035996431e4127f45db5a84f53ce80730eae35629eda3101709df1e5c",
"zh:4b0374abaa6b9a9debed563380cc944873e4f30771dd1da7b9e812a49bf485e3",
"zh:531468b99465bd98a89a4ce2f1a30168dfadf6edb57f7836df8a977a2c4f9804",
"zh:6a95ed7b4852174aa748d3412bff3d45e4d7420d12659f981c3d9f4a1a59a35f",
"zh:88c2d21af1e64eed4a13dbb85590c66a519f3ecc54b72875d4bb6326f3ef84e7",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:9c2ebd21d697e1a611fe201788dc9e1678949a088afc85d4589563bca484d835",
"zh:ac5d0bbf36f9a6cedbfb63993f6baf0aabdaf21c8d7fc3b1e69ba8cbf344b5f3",
"zh:c2329644179f78a0458b6cf2dd5eaadca4c610fc3577a1b50620544d92df13e8",
"zh:a8b648470bb5df098e56b1ec5c6a39e0bbb7b496b23a19ea9f494bf48d4a122a",
"zh:b23fb13efdb527677db546bc92aeb2bdf64ff3f480188841f2bfdfa7d3d907c1",
"zh:be5858a1951ae5f5a9c388949c3e3c66a3375f684fb79b06b1d1db7a9703b18e",
"zh:c368e03a7c922493daf4c7348faafc45f455225815ef218b5491c46cea5f76b7",
"zh:e31e75d5d19b8ac08aa01be7e78207966e1faa3b82ed9fe3acfdc2d806be924c",
"zh:ea84182343b5fd9252a6fae41e844eed4fdc3311473a753b09f06e49ec0e7853",
]
}
provider "registry.terraform.io/hetznercloud/hcloud" {
version = "1.52.0"
constraints = "~> 1.45"
hashes = [
"h1:LTjrLuC+4F1Kv4TxS9e7LVVkG8/S4QQ7X4ORblvKTbc=",
"zh:1e9bb6b6a2ea5f441638dbae2d60fbe04ff455f58a18c740b8b7913e2197d875",
"zh:29c122e404ba331cfbadacc7f1294de5a31c9dfd60bdfe3e1b402271fc8e419c",
"zh:2bd0ae2f0bb9f16b7753f59a08e57ac7230f9c471278d7882f81406b9426c8c7",
"zh:4383206971873f6b5d81580a9a36e0158924f5816ebb6206b0cf2430e4e6a609",
"zh:47e2ca1cfa18500e4952ab51dc357a0450d00a92da9ea03e452f1f3efe6bbf75",
"zh:8e9fe90e3cea29bb7892b64da737642fc22b0106402df76c228a3cbe99663278",
"zh:a2d69350a69c471ddb63bcc74e105e585319a0fc0f4d1b7f70569f6d2ece5824",
"zh:a97abcc254e21c294e2d6b0fc9068acfd63614b097dda365f1c56ea8b0fd5f6b",
"zh:aba8d72d4fe2e89c922d5446d329e5c23d00b28227b4666e6486ba18ea2ec278",
"zh:ad36c333978c2d9e4bc43dcadcbff42fe771a8c5ef53d028bcacec8287bf78a7",
"zh:cdb1e6903b9d2f0ad8845d4eb390fbe724ee2435fb045baeab38d4319e637682",
"zh:df77b08757f3f36b8aadb33d73362320174047044414325c56a87983f48b5186",
"zh:e07513d5ad387247092b5ae1c87e21a387fc51873b3f38eee616187e38b090a7",
"zh:e2be02bdc59343ff4b9e26c3b93db7680aaf3e6ed13c8c4c4b144c74c2689915",
]
}

18
terraform/Taskfile.yml
View File

@@ -1,18 +0,0 @@
version: 3
silent: true
vars:
BACKEND: ../config/backend.secret.json
VARIABLES: ../config/variables.secret.json
OUTPUT: ../config/infrastructure.secret.json
tasks:
init: terraform init -backend-config={{.BACKEND}}
plan: terraform plan -var-file={{.VARIABLES}}
destroy: terraform destroy
format: terraform fmt -recursive
out: terraform output -json > {{.OUTPUT}}
apply:
- terraform apply -var-file={{.VARIABLES}}
- task: out
import: terraform import -var-file={{.VARIABLES}} {{.CLI_ARGS}}

30
terraform/install.sh
View File

@@ -1,30 +0,0 @@
#!/bin/sh
rpm --rebuilddb
amazon-linux-extras install docker ansible2 python3.8 -y
# Make Docker work.
systemctl enable docker
systemctl start docker
# Set up the correct version of Python (for Ansible).
ln -sf /usr/bin/python3.8 /usr/bin/python3
ln -sf /usr/bin/pip3.8 /usr/bin/pip3
pip3 install botocore boto3 requests packaging
python3 -m pip install -U pip
# Add some swap space.
dd if=/dev/zero of=/swapfile bs=128M count=8
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
# Stop SSH (because we have SSM.)
service sshd stop
# Install Docker Compose.
curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
# ERROR: SSM User not created yet.
sudo usermod -aG docker ssm-user

118
terraform/main.tf
View File

@@ -1,65 +1,87 @@
data "aws_vpc" "main" {
tags = { Name = "Main" }
resource "hcloud_network" "network" {
name = "proxy-network"
ip_range = local.network_cidr
}
data "aws_subnet" "public" {
tags = { SubnetOf = "Main", SubnetType = "Public" }
resource "hcloud_network_subnet" "subnet" {
type = "cloud"
network_id = hcloud_network.network.id
network_zone = "eu-central"
ip_range = local.subnet_cidr
}
# An instance profile for access via AWS SSM.
data "aws_iam_instance_profile" "ssm" {
name = "SSMInstanceProfile"
/* -------------------------------------------------------------------------- */
resource "hcloud_primary_ip" "public_ip" {
name = "proxy-public-ip"
datacenter = local.datacenter
type = "ipv4"
assignee_type = "server"
auto_delete = false
}
data "aws_security_group" "public" {
tags = { GroupOf = "Main", GroupType = "Public" }
resource "hcloud_ssh_key" "ssh_key" {
name = "proxy-ssh-key"
public_key = file(var.public_ssh_key_path)
}
data "aws_route_table" "public" {
tags = { TableOf = "Main", TableType = "Public" }
resource "hcloud_server" "server_instance" {
name = "proxy-server"
image = local.server_image
server_type = local.server_type
datacenter = local.datacenter
ssh_keys = [hcloud_ssh_key.gitea_ssh_key.id]
public_net {
ipv4_enabled = true
ipv4 = hcloud_primary_ip.public_ip.id
ipv6_enabled = false
}
# Give the private subnet full access to the internet, too.
module "fck-nat" {
source = "RaJiska/fck-nat/aws"
network {
network_id = hcloud_network.network.id
ip = local.proxy_ip
alias_ips = [ ]
}
name = "NatInstance"
vpc_id = data.aws_vpc.main.id
subnet_id = data.aws_subnet.public.id
instance_type = "t4g.nano"
depends_on = [ hcloud_network_subnet.subnet ]
}
update_route_table = true
route_table_id = data.aws_route_table.public.id
resource "hcloud_firewall" "server_firewall" {
name = "proxy-server-firewall"
tags = {
Name = "Codebase: Nat"
# Allow ICMP.
rule {
direction = "in"
protocol = "icmp"
source_ips = ["0.0.0.0/0", "::/0"]
}
# Allow all out.
rule {
direction = "out"
protocol = "tcp"
port = "any"
destination_ips = ["0.0.0.0/0", "::/0"]
}
# Allow ingress for in-network.
rule {
direction = "in"
protocol = "tcp"
source_ips = [local.network_cidr]
}
# Poke holes for SSH.
rule {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = ["0.0.0.0/0", "::/0"]
}
}
# An elastic IP, so if the reverse proxy is modified, the route tables won't.
resource "aws_eip" "public" {
instance = aws_instance.proxy.id
domain = "vpc"
}
# The reverse proxy.
resource "aws_instance" "proxy" {
ami = "ami-0adec96dc0cdc7bca"
instance_type = "t4g.nano"
subnet_id = data.aws_subnet.public.id
vpc_security_group_ids = [data.aws_security_group.public.id]
user_data = file("install.sh")
user_data_replace_on_change = true
iam_instance_profile = data.aws_iam_instance_profile.ssm.name
root_block_device {
volume_type = "gp3"
volume_size = 8
}
tags = {
Name = "Codebase: Reverse Proxy"
}
resource "hcloud_firewall_attachment" "server_fw_attachment" {
firewall_id = hcloud_firewall.server_firewall.id
server_ids = [hcloud_server.gitea_server_instance.id]
}

4
terraform/output.tf
View File

@@ -1,4 +0,0 @@
output "instance_id" {
value = aws_instance.proxy.id
description = "The instance ID of the Gitea instance."
}

5
terraform/outputs.tf Normal file
View File

@@ -0,0 +1,5 @@
output "proxy_ip" {
description = "The public address of the proxy server."
value = hcloud_server.server_instance.ipv4_address
sensitive = false
}

11
terraform/provider.tf
View File

@@ -1,11 +0,0 @@
terraform {
# The backend is stored in an S3 bucket.
backend "s3" {}
}
# Access AWS through the IaC roles.
provider "aws" {
region = var.aws_region
access_key = var.aws_access
secret_key = var.aws_secret
}

18
terraform/providers.tf Normal file
View File

@@ -0,0 +1,18 @@
terraform {
backend "s3" {
skip_credentials_validation = true
skip_region_validation = true
skip_requesting_account_id = true
}
required_providers {
hcloud = {
source = "hetznercloud/hcloud"
version = "~> 1.45"
}
}
}
provider "hcloud" {
token = var.hcloud_token
}

25
terraform/variables.tf
View File

@@ -1,14 +1,25 @@
variable "aws_region" {
type = string
description = "The AWS region things are created in."
locals {
datacenter = "fsn1-dc14"
server_type = "cx22"
server_image = "debian-12"
domain = "maximhutz.com"
subdomain = "git"
network_cidr = "10.0.0.0/16"
subnet_cidr = "10.0.0.0/24"
proxy_ip = "10.0.0.1"
}
variable "aws_access" {
# ---------------------------------------------------------------------------- #
variable "hcloud_token" {
sensitive = true
description = "The hCloud token used to access Hetzner resources."
type = string
description = "The access key to generate the Gitea instance."
}
variable "aws_secret" {
variable "public_ssh_key_path" {
description = "The location of the public key used to access the repository Gitea server."
type = string
description = "The access secret to generate the Gitea instance."
}

6
vault.yml Normal file
View File

@@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
64393531353664313066303161636532326263356634646430616130363039373333663639663634
3232356333343265353133623139333832663365666630310a643636656633653337373033376131
35336532353335363933316433313032343265663233646431613830376564633239663732373530
6138646232333933300a616232623765343566393137363762323231633565646266393862666131
3938