Use submodules to separate Terraform. (#22)

## 🔍 Motivation & Context

Currently, the whole site has been one mono-repository, which has gotten more and more unwieldy. While this set up, the code is now split amongst smaller, more focused sub-repositories, which can operate separately.

## 🔖 Related Issue

None.

## ✨ Changes

- Use sub-modules to separate the `Portfolio` and `Git` components of the site from the main glue.

Reviewed-on: https://code.maximhutz.com/Web/Web/pulls/22
Co-authored-by: Max <git@maximhutz.me>
Co-committed-by: Max <git@maximhutz.me>

.commitlintrc.yml

@@ -1,2 +0,0 @@
-extends:
-  - "@commitlint/config-conventional"

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "Portfolio"]
+	path = Portfolio
+	url = git@maximhutz.com:Web/Portfolio.git
+[submodule "Git"]
+	path = Git
+	url = git@maximhutz.com:Web/Git.git

.husky/commit-msg

@@ -1,4 +0,0 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-npx --no -- commitlint --edit "$1"

.husky/pre-commit

@@ -1,5 +0,0 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-terraform -chdir=terraform validate
-terraform -chdir=terraform fmt -recursive

.husky/prepare-commit-msg

@@ -1,4 +0,0 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-exec < /dev/tty && node_modules/.bin/cz --hook || true

Taskfile.yml

@@ -30,6 +30,6 @@ tasks:
   runner/enter: ./ssm/runner.sh
   runner/deploy: ansible-playbook playbooks/runner/deployment.yml
   
-  repository/copy: ansible-playbook playbooks/repository.yml
+  repo/fetch: ansible-playbook playbooks/repository/fetch.yml
 
-  dev: docker compose -f compose.dev.yml up
+  dev: docker compose -f compose.dev.yml up --build --force-recreate --no-deps

compose.dev.yml

@@ -10,25 +10,24 @@ services:
   #   ports:
   #     - 80:80
 
-  # gitea:
-  #   container_name: codebase-dev-gitea
-  #   build: gitea
-  #   volumes:
-  #     - ./gitea/boot:/var/lib/gitea
-  #     - /etc/timezone:/etc/timezone:ro
-  #     - /etc/localtime:/etc/localtime:ro
-  #   ports:
-  #     - 80:80
-  #     - 443:443
-  #     - 2222:2222
-  #   environment:
-  #     GITEA_APP_INI: /etc/gitea/dev.app.ini
-  
-  runner:
-    container_name: codebase-dev-runner
-    image: gitea/act_runner
-    environment:
-      GITEA_INSTANCE_URL: "https://code.maximhutz.com/"
-      GITEA_RUNNER_REGISTRATION_TOKEN: "bgM1Ux9do7EWj6JwniXjdfs8fmjuzWgMeeNF5vhd"
+  gitea:
+    container_name: codebase-dev-gitea
+    build:
+      context: gitea
+      dockerfile: Dockerfile.dev
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 80:80
+      - 443:443
+      - 2222:2222
+  
+  # runner:
+  #   container_name: codebase-dev-runner
+  #   image: gitea/act_runner
+  #   environment:
+  #     GITEA_INSTANCE_URL: "https://code.maximhutz.com/"
+  #     GITEA_RUNNER_REGISTRATION_TOKEN: "bgM1Ux9do7EWj6JwniXjdfs8fmjuzWgMeeNF5vhd"
+  #   volumes:
+  #     - /var/run/docker.sock:/var/run/docker.sock

gitea/Dockerfile

@@ -1,5 +1,15 @@
-FROM gitea/gitea:latest-rootless
+FROM gitea/gitea:latest
 
-ADD --chown=git:git config /etc/gitea
-ADD --chown=git:git custom /etc/gitea-custom
-ENV GITEA_CUSTOM /etc/gitea-custom
+RUN apk add aws-cli xz
+
+ADD --chown=git:git custom /data/gitea
+ADD --chown=git:git entrypoint.sh /home/entrypoint.sh
+
+ADD --chown=git:git scripts /home/scripts
+RUN chmod +x /home/scripts/*
+
+ADD --chown=git:git crontab.txt /home/crontab.txt
+RUN /usr/bin/crontab /home/crontab.txt
+
+ENTRYPOINT [ "/home/entrypoint.sh" ]
+CMD [ "/usr/bin/s6-svscan", "/etc/s6" ]

gitea/Dockerfile.dev

@@ -0,0 +1,18 @@
+FROM gitea/gitea:latest
+
+RUN apk add aws-cli xz
+
+ADD --chown=git:git custom /data/gitea
+ADD --chown=git:git entrypoint.sh /home/entrypoint.sh
+
+ADD --chown=git:git scripts /home/scripts
+RUN chmod +x /home/scripts/*
+
+ADD --chown=git:git crontab.txt /home/crontab.txt
+RUN /usr/bin/crontab /home/crontab.txt
+
+RUN rm /data/gitea/conf/app.ini
+RUN mv /data/gitea/conf/dev.app.ini /data/gitea/conf/app.ini
+
+ENTRYPOINT [ "/home/entrypoint.sh" ]
+CMD [ "/usr/bin/s6-svscan", "/etc/s6" ]

gitea/crontab.txt

@@ -0,0 +1 @@
+0 0 * * * /home/scripts/push.sh >> /home/cron.log

gitea/custom/conf/app.ini

@@ -37,6 +37,8 @@ DB_TYPE = sqlite3
 [session]
 PROVIDER_CONFIG = /var/lib/gitea/data/sessions
 PROVIDER = file
+GC_INTERVAL_TIME = 86400
+SESSION_LIFE_TIME = 86400
 
 [picture]
 AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars

gitea/entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Get S3 data.
+echo "Pulling data..."
+./home/scripts/pull.sh
+echo "Data pulled!"
+
+# Run crontab.
+/usr/sbin/crond -f -l 8 &
+
+# shellcheck disable=SC2068
+exec /usr/bin/entrypoint $@

gitea/scripts/pull.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+# Pull achived data.
+aws s3 cp "$BOOT_URI" /home/archive.tar.xz
+
+# Extracted Gitea data.
+mkdir -p /var/lib/gitea
+tar -xvf /home/archive.tar.xz -C /var/lib/gitea

gitea/scripts/push.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+GITEA_PROCESS="$(pgrep gitea)"
+
+# Stop Gitea.
+echo "Stopped Gitea..."
+kill -STOP "$GITEA_PROCESS"
+
+# Archive Gitea data.
+echo "Archiving..."
+cd /var/lib/gitea
+tar cfJ ../archive.tar.xz .
+cd ..
+
+# Upload to S3.
+echo "Uploading..."
+aws s3 cp archive.tar.xz "$BOOT_URI"
+
+# Restart Gitea.
+kill -CONT "$GITEA_PROCESS"
+echo "Restarted Gitea!"

package.json

@@ -1,25 +0,0 @@
-{
-  "name": "codebase",
-  "version": "1.0.0",
-  "description": "This is the [Gitea](https://about.gitea.com/) instance that stores all repositories seen on [this site](https://git1.maximhutz.com)!",
-  "main": "index.js",
-  "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1",
-    "prepare": "husky install",
-    "cz": "cz"
-  },
-  "keywords": [],
-  "author": "",
-  "license": "ISC",
-  "devDependencies": {
-    "@commitlint/cli": "19.4.0",
-    "@commitlint/config-conventional": "19.2.2",
-    "cz-conventional-changelog": "^3.3.0",
-    "husky": "^8.0.0"
-  },
-  "config": {
-    "commitizen": {
-      "path": "./node_modules/cz-conventional-changelog"
-    }
-  }
-}

playbooks/gitea/deployment.yml

@@ -20,7 +20,7 @@
         mode: get
         bucket: "{{ image_bucket }}"
         object: "{{ image_key }}"
-        dest: ~/image.tar.xz
+        dest: /root/image.tar.xz
 
         region: "{{ aws_region }}"
         access_key: "{{ aws_access_key }}"
@@ -28,41 +28,28 @@
 
     - name: Load image.
       community.docker.docker_image_load:
-        path: ~/image.tar.xz
+        path: /root/image.tar.xz
       register: image
 
-    - name: Fetch repository.
-      amazon.aws.s3_object:
-        mode: get
-        bucket: "{{ boot_bucket }}"
-        object: "{{ boot_key }}"
-        dest: ~/boot.tar.xz
-
-        region: "{{ aws_region }}"
-        access_key: "{{ aws_access_key }}"
-        secret_key: "{{ aws_secret_key }}"
-
-    - name: Unarchive image.
-      ansible.builtin.unarchive:
-        src: ~/boot.tar.xz
-        remote_src: true
-        dest: "~"
-        group: 1000
-        owner: 1000
-
     - name: Run image.
       community.docker.docker_container:
         name: server
         image: "{{ image.image_names[0] }}"
         state: started
         recreate: true
-        restart_policy: always
+        restart_policy: unless-stopped
+        memory: 425m
+        memory_swap: 900m
         ports: [80:80, 2222:2222]
         env:
           GITEA__security__INTERNAL_TOKEN: "{{ internal_secret }}"
           GITEA__server__LFS_JWT_SECRET: "{{ lfs_secret }}"
           GITEA__oauth2__JWT_SECRET: "{{ jwt_secret }}"
+          AWS_REGION: "{{ gitea_boot.value.region }}"
+          AWS_ACCESS_KEY_ID: "{{ gitea_boot.value.id }}"
+          AWS_SECRET_ACCESS_KEY: "{{ gitea_boot.value.secret }}"
+          BOOT_URI: "s3://{{ boot_bucket }}/{{ boot_key }}"
         volumes:
-          - ~/boot:/var/lib/gitea
+          - /root/boot:/var/lib/gitea
           - /etc/timezone:/etc/timezone:ro
           - /etc/localtime:/etc/localtime:ro

playbooks/repository/fetch.yml

@@ -1,9 +1,7 @@
----
-
 - name: Pull Gitea data.
   hosts: localhost
   vars_files:
-    ../secrets/gitea.json
+    ../../secrets/gitea.json
   tasks:
     - name: Temp file.
       ansible.builtin.tempfile:
@@ -12,8 +10,8 @@
 
     - name: Fetch from S3.
       amazon.aws.s3_object:
-        bucket: "acer-saccharum"
-        object: "codebase/gitea/boot"
+        bucket: "{{ boot_bucket }}"
+        object: "{{ boot_key }}"
         dest: "{{ file.path }}"
         mode: get
 
@@ -24,4 +22,4 @@
     - name: Unarchive image.
       ansible.builtin.unarchive:
         src: "{{ file.path }}"
-        dest: ../gitea
+        dest: ../../gitea

requirements.txt

@@ -0,0 +1,41 @@
+ansible==11.1.0
+ansible-compat==24.10.0
+ansible-core==2.18.1
+ansible-lint==24.12.2
+attrs==24.3.0
+black==24.10.0
+boto3==1.35.95
+botocore==1.35.95
+bracex==2.5.post1
+certifi==2024.12.14
+cffi==1.17.1
+charset-normalizer==3.4.1
+click==8.1.8
+cryptography==44.0.0
+filelock==3.16.1
+idna==3.10
+importlib_metadata==8.5.0
+Jinja2==3.1.5
+jmespath==1.0.1
+jsonschema==4.23.0
+jsonschema-specifications==2024.10.1
+MarkupSafe==3.0.2
+mypy-extensions==1.0.0
+packaging==24.2
+pathspec==0.12.1
+platformdirs==4.3.6
+pycparser==2.22
+python-dateutil==2.9.0.post0
+PyYAML==6.0.2
+referencing==0.35.1
+requests==2.32.3
+resolvelib==1.0.1
+rpds-py==0.22.3
+ruamel.yaml==0.18.10
+s3transfer==0.10.4
+six==1.17.0
+subprocess-tee==0.4.2
+urllib3==2.3.0
+wcmatch==10.0
+yamllint==1.35.1
+zipp==3.21.0

terraform/compute.tf

@@ -1,23 +1,3 @@
-# An `t4g.nano` comaptible AMI for Amazon Linux 2.
-data "aws_ami" "amazon-linux-2" {
-  most_recent = true
-
-  filter {
-    name   = "owner-alias"
-    values = ["amazon"]
-  }
-
-  filter {
-    name   = "architecture"
-    values = ["arm64"]
-  }
-
-  filter {
-    name   = "name"
-    values = ["amzn2-ami-hvm*"]
-  }
-}
-
 # An instance profile for access via AWS SSM.
 resource "aws_iam_instance_profile" "ssm" {
   name = "SSMInstanceProfile"
@@ -32,12 +12,13 @@ resource "aws_eip" "public" {
 
 # The reverse proxy.
 resource "aws_instance" "public" {
-  # ami                    = data.aws_ami.amazon-linux-2.id
   ami                    = "ami-0adec96dc0cdc7bca"
   instance_type          = "t4g.nano"
   subnet_id              = module.vpc.public_subnets[0]
   vpc_security_group_ids = [aws_security_group.public_access.id]
-  user_data              = file("install.sh")
+
+  user_data                   = file("install.sh")
+  user_data_replace_on_change = true
 
   iam_instance_profile = aws_iam_instance_profile.ssm.name
 
@@ -51,33 +32,14 @@ resource "aws_instance" "public" {
   }
 }
 
-# The Gitea instance.
-resource "aws_instance" "private" {
-  # ami           = data.aws_ami.amazon-linux-2.id
-  ami           = "ami-0adec96dc0cdc7bca"
-  instance_type = "t4g.nano"
-  subnet_id     = module.vpc.private_subnets[0]
-  user_data     = file("install.sh")
-
-  iam_instance_profile = aws_iam_instance_profile.ssm.name
-
-  root_block_device {
-    volume_type = "gp3"
-    volume_size = 8
-  }
-
-  tags = {
-    Name = "Codebase: Gitea"
-  }
-}
-
 # The Gitea Runner instance.
 resource "aws_instance" "runner" {
-  # ami           = data.aws_ami.amazon-linux-2.id
   ami           = "ami-0adec96dc0cdc7bca"
   instance_type = "t4g.nano"
   subnet_id     = module.vpc.private_subnets[0]
-  user_data     = file("install.sh")
+
+  user_data                   = file("install.sh")
+  user_data_replace_on_change = true
 
   iam_instance_profile = aws_iam_instance_profile.ssm.name
 

terraform/install.sh

@@ -2,10 +2,19 @@
 
 amazon-linux-extras install docker ansible2 python3.8 -y
 
+# Make Docker work.
 systemctl enable docker
 systemctl start docker
-
 usermod -a -G docker ssm-user
+
+# Set up the correct version of Python (for Ansible).
 ln -sf /usr/bin/python3.8 /usr/bin/python3
 ln -sf /usr/bin/pip3.8 /usr/bin/pip3
-pip3 install botocore boto3 requests
+pip3 install botocore boto3 requests
+python3 -m pip install -U pip
+
+# Add some swap space.
+dd if=/dev/zero of=/swapfile bs=128M count=8
+chmod 600 /swapfile
+mkswap /swapfile
+swapon /swapfile

terraform/main.tf

@@ -5,3 +5,18 @@ locals {
   # Here is the domain name changes.
   domain_name = "maximhutz.com"
 }
+
+module "portfolio" {
+  source      = "../Portfolio/terraform"
+  role_name   = var.portfolio.role
+  bucket_name = var.portfolio.bucket
+}
+
+module "gitea" {
+  source = "../Git/terraform"
+  region = var.region
+  boot_bucket = var.gitea_boot.bucket
+  boot_key = var.gitea_boot.key
+  boot_role = var.gitea_boot.role
+  subnet = module.vpc.private_subnets[0]
+}

terraform/network.tf

@@ -19,69 +19,28 @@ module "vpc" {
 # Only allow HTTP(s) and SSH traffic. Allow full access to internet.
 resource "aws_security_group" "public_access" {
   vpc_id = module.vpc.vpc_id
+}
 
-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_vpc_security_group_ingress_rule" "ingress" {
+  for_each = toset(["80", "443", "22", "2222", "81", "8080", "4321", "1234"])
 
-  ingress {
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  security_group_id = aws_security_group.public_access.id
 
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  from_port   = each.value
+  to_port     = each.value
+  ip_protocol = "tcp"
+  cidr_ipv4   = "0.0.0.0/0"
+}
 
-  ingress {
-    from_port   = 2222
-    to_port     = 2222
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_vpc_security_group_egress_rule" "egress" {
+  for_each = toset(["-1"])
 
-  ingress {
-    from_port   = 81
-    to_port     = 81
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  security_group_id = aws_security_group.public_access.id
 
-  ingress {
-    from_port   = 8080
-    to_port     = 8080
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    from_port   = 4321
-    to_port     = 4321
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    from_port   = 1234
-    to_port     = 1234
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  from_port   = each.value
+  to_port     = each.value
+  ip_protocol = "-1"
+  cidr_ipv4   = "0.0.0.0/0"
 }
 
 # Give the private subnet full access to the internet, too.
@@ -99,4 +58,4 @@ module "fck-nat" {
   tags = {
     Name = "Codebase: Nat"
   }
-}
+}

terraform/outputs.tf

@@ -1,19 +1,15 @@
-# The instance ID (`i-*****************`) of the reverse proxy.
 output "public_instance_id" {
-  value = aws_instance.public.id
+  value       = aws_instance.public.id
+  description = "The instance ID (`i-*****************`) of the reverse proxy."
 }
 
-# The instance ID of the Gitea instance.
-output "private_instance_id" {
-  value = aws_instance.private.id
-}
-
-# The instance ID of the Gitea runner.
 output "runner_instance_id" {
-  value = aws_instance.runner.id
+  value       = aws_instance.runner.id
+  description = "The instance ID of the Gitea runner."
 }
 
-# The private IP (not accessible from internet) of the Gitea instnace.
-output "private_instance_ip" {
-  value = aws_instance.private.private_ip
+output "portfolio" {
+  value       = module.portfolio
+  description = "The details for the portfolio site."
+  sensitive   = true
 }

terraform/variables.tf

@@ -11,4 +11,21 @@ variable "roles" {
     secret = string
   }))
   description = "The different roles that are used by Terraform."
-}
+}
+
+variable "portfolio" {
+  type = object({
+    bucket = string
+    role   = string
+  })
+  description = "Storage for my static portfolio website."
+}
+
+variable "gitea_boot" {
+  type = object({
+    bucket = string
+    key    = string
+    role   = string
+  })
+  description = "The storage for the Gitea instance."
+}