diff --git a/mgmt/do-jeremydormitzer-com/terraform/data.tf b/mgmt/do-jeremydormitzer-com/terraform/data.tf index e9f8da4..2a8f05b 100644 --- a/mgmt/do-jeremydormitzer-com/terraform/data.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/data.tf @@ -1,4 +1,4 @@ -data "terraform_remote_state" "nginx" { +data "terraform_remote_state" "gitea" { backend = "s3" config = { @@ -9,21 +9,6 @@ data "terraform_remote_state" "nginx" { region = "us-east-1" endpoint = "nyc3.digitaloceanspaces.com" bucket = "jdormit-tf-state" - key = "prod/nginx.tfstate" - } -} - -data "terraform_remote_state" "freshrss" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/freshrss.tfstate" + key = "prod/gitea.tfstate" } } diff --git a/mgmt/do-jeremydormitzer-com/terraform/main.tf b/mgmt/do-jeremydormitzer-com/terraform/main.tf index 752320c..c3bc88c 100644 --- a/mgmt/do-jeremydormitzer-com/terraform/main.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/main.tf @@ -46,7 +46,7 @@ resource "digitalocean_record" "git" { domain = digitalocean_domain.jeremydormitzer_com.name type = "A" name = "git" - value = data.terraform_remote_state.nginx.outputs.nginx_ip_address + value = data.terraform_remote_state.gitea.outputs.gitea_ip_address ttl = 3600 } diff --git a/prod/gitea/packer/.gitignore b/prod/gitea/packer/.gitignore index 0b3b071..6f7c105 100644 --- a/prod/gitea/packer/.gitignore +++ b/prod/gitea/packer/.gitignore @@ -1 +1,3 @@ -files/app.ini \ No newline at end of file +files/app.ini +tmp/ +certbot/ \ No newline at end of file diff --git a/prod/gitea/packer/Makefile b/prod/gitea/packer/Makefile index 92dad9d..a98c3c4 100644 --- a/prod/gitea/packer/Makefile +++ b/prod/gitea/packer/Makefile 
@@ -5,8 +5,24 @@ packer-manifest.json: gitea.json \
 scripts/volume.sh \
 files/gitea.service \
 files/app.ini \
- scripts/gitea.sh
+ files/certbot-renew.service \
+ files/certbot-renew.timer \
+ scripts/gitea.sh \
+ files/gitea-nginx.conf \
+ scripts/nginx.sh \
+ tmp/do.ini
 packer build gitea.json
 
 files/app.ini: templates/app.ini.template
 sigil -p -f templates/app.ini.template > files/app.ini
+
+tmp/do.ini: templates/do.ini.template tmp
+ sigil -p -f templates/do.ini.template > tmp/do.ini
+ chmod 600 tmp/do.ini
+
+tmp:
+ mkdir tmp
+
+reissue-certs:
+ rm -rf certbot
+ make
diff --git a/prod/nginx/packer/files/certbot-renew.service b/prod/gitea/packer/files/certbot-renew.service
similarity index 71%
rename from prod/nginx/packer/files/certbot-renew.service
rename to prod/gitea/packer/files/certbot-renew.service
index 60f294a..8c4c0e1 100644
--- a/prod/nginx/packer/files/certbot-renew.service
+++ b/prod/gitea/packer/files/certbot-renew.service
@@ -4,4 +4,4 @@ Wants=cerbot-renew.timer
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/env certbot renew
\ No newline at end of file
+ExecStart=/usr/bin/env certbot renew
diff --git a/prod/nginx/packer/files/certbot-renew.timer b/prod/gitea/packer/files/certbot-renew.timer
similarity index 83%
rename from prod/nginx/packer/files/certbot-renew.timer
rename to prod/gitea/packer/files/certbot-renew.timer
index a74b0da..259e6c1 100644
--- a/prod/nginx/packer/files/certbot-renew.timer
+++ b/prod/gitea/packer/files/certbot-renew.timer
@@ -7,4 +7,4 @@ OnCalendar=Sat 20:00
 Persistent=true
 
 [Install]
-WantedBy=timers.target
\ No newline at end of file
+WantedBy=timers.target
diff --git a/prod/gitea/packer/files/gitea-nginx.conf b/prod/gitea/packer/files/gitea-nginx.conf
new file mode 100644
index 0000000..dd2eee6
--- /dev/null
+++ b/prod/gitea/packer/files/gitea-nginx.conf
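Review bot: `tmp/do.ini` is created by the shell redirect before `chmod 600` runs, so under the usual umask there is a short window in which the rendered DigitalOcean token is world-readable; writing it under a restrictive umask closes that, e.g. `(umask 077; sigil -p -f templates/do.ini.template > tmp/do.ini)`. The `tmp` prerequisite is a directory, whose mtime changes whenever anything is written into it, so `tmp/do.ini` will be regenerated on most runs; the conventional form is an order-only prerequisite, `tmp/do.ini: templates/do.ini.template | tmp`. `reissue-certs` recurses with a bare `make` rather than `$(MAKE)`, which drops the flags of the parent invocation, and unless it is listed in a `.PHONY` line outside the hunk a stray file of that name would silence the target.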
@@ -0,0 +1,28 @@
+server {
+ listen [::]:443 ssl ipv6only=on;
+ listen 443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/git.jeremydormitzer.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.jeremydormitzer.com/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+ error_log /var/log/nginx/gitea_error.log;
+ access_log /var/log/nginx/gitea_access.log;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+}
diff --git a/prod/gitea/packer/gitea.json b/prod/gitea/packer/gitea.json
index 15f9458..1b154ec 100644
--- a/prod/gitea/packer/gitea.json
+++ b/prod/gitea/packer/gitea.json
@@ -2,7 +2,7 @@
 "builders": [
 {
 "type": "digitalocean",
- "image": "ubuntu-20-04-x64",
+ "image": "ubuntu-23-10-x64",
 "region": "nyc1",
 "size": "s-1vcpu-1gb",
 "snapshot_name": "packer-gitea-{{timestamp}}",
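Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated TLS 1.0 and 1.1 protocols enabled, and the `ssl_ciphers` list still admits 3DES (`DES-CBC3-SHA`) and plain-RSA suites with no forward secrecy, so a downgraded client can negotiate a weak session; this vhost is brand new, so no existing client depends on those legacy suites. The `location /` block also proxies to Gitea with no `proxy_set_header`, so Gitea receives `Host: localhost:3000` and no client address or scheme, which at minimum hides the real client IP from its logs (the deleted nginx template at least forwarded `Host`). I would restrict to TLS 1.2/1.3 with an AEAD-only list, add the standard forwarding headers, and set `client_max_body_size` so large pushes over HTTPS are not rejected by nginx's 1m default; an HSTS header is worth adding once the redirect is confirmed to work.
```nginx
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";

    # … unchanged: error_log / access_log …

    add_header Strict-Transport-Security "max-age=31536000" always;
    client_max_body_size 512m;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:3000;
    }
```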
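Review bot: `ubuntu-23-10-x64` is an interim, non-LTS Ubuntu release with nine months of security support, so a snapshot built from it stops receiving package updates within months of this build, whereas the `ubuntu-20-04-x64` it replaces is an LTS release; `"image": "ubuntu-22-04-x64"` would keep the same provisioning scripts on a base that is supported for years. If 23.10 was chosen for a newer nginx or certbot package, that reason is worth recording in the commit message, since JSON leaves no room for a comment here.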
@@ -31,6 +31,30 @@
 {
 "type": "shell",
 "script": "scripts/gitea.sh"
+ },
+ {
+ "type": "file",
+ "source": "tmp/do.ini",
+ "destination": "/tmp/do.ini"
+ },
+ {
+ "type": "file",
+ "source": "files/gitea-nginx.conf",
+ "destination": "/tmp/gitea-nginx.conf"
+ },
+ {
+ "type": "file",
+ "source": "files/certbot-renew.timer",
+ "destination": "/tmp/certbot-renew.timer"
+ },
+ {
+ "type": "file",
+ "source": "files/certbot-renew.service",
+ "destination": "/tmp/certbot-renew.service"
+ },
+ {
+ "type": "shell",
+ "script": "scripts/nginx.sh"
 }
 ],
 "post-processors": [
diff --git a/prod/gitea/packer/packer-manifest.json b/prod/gitea/packer/packer-manifest.json
index 0e4d836..b05403f 100644
--- a/prod/gitea/packer/packer-manifest.json
+++ b/prod/gitea/packer/packer-manifest.json
@@ -138,12 +138,12 @@
 {
 "name": "digitalocean",
 "builder_type": "digitalocean",
- "build_time": 1633381649,
+ "build_time": 1705296843,
 "files": null,
- "artifact_id": "nyc1:92993522",
- "packer_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc",
+ "artifact_id": "nyc1:148206452",
+ "packer_run_uuid": "511bb962-b822-b10b-f042-3b780c71b9fb",
 "custom_data": null
 }
 ],
- "last_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc"
+ "last_run_uuid": "511bb962-b822-b10b-f042-3b780c71b9fb"
 }
\ No newline at end of file
diff --git a/prod/gitea/packer/scripts/dependencies.sh b/prod/gitea/packer/scripts/dependencies.sh
index fa9ad0a..7e2e3da 100644
--- a/prod/gitea/packer/scripts/dependencies.sh
+++ b/prod/gitea/packer/scripts/dependencies.sh
@@ -2,5 +2,11 @@
 
 set -ex
 
-sudo apt-get update && sleep 5
-sudo apt-get install -y git bindfs
+sudo apt-get update
+sleep 2
+sudo apt-get install -y \
+ git \
+ bindfs \
+ nginx \
+ certbot \
+ python3-certbot-dns-digitalocean
diff --git a/prod/nginx/packer/scripts/nginx.sh b/prod/gitea/packer/scripts/nginx.sh
similarity index 54%
rename from prod/nginx/packer/scripts/nginx.sh
rename to prod/gitea/packer/scripts/nginx.sh
index a222734..5a3cb9d 100644
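Review bot: The `tmp/do.ini` upload puts the DigitalOcean API token on the build droplet, and because `scripts/nginx.sh` then runs certbot during provisioning, both that token and the issued private key are baked into the published snapshot rather than living only on the running droplet; anyone able to read the snapshot gets DNS write access for the account plus the live certificate key. As far as I know Packer's `file` provisioner does not carry the local `0600` mode across, so until the script moves it the token sits in `/tmp` readable by any user on the builder. If issuing at build time is intentional, the snapshot itself has to be treated as a secret and the token scoped to DNS writes only; otherwise moving the certbot step to first boot (cloud-init or a oneshot unit) keeps the secret material out of the image.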
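Review bot: The script installs packages but never upgrades what the base image ships, so the snapshot starts out with whatever nginx, openssh and kernel versions the DigitalOcean image had on the day it was built; Ubuntu cloud images do enable unattended-upgrades, but an explicit `sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade` after the `apt-get update` would make the image current at build time rather than hours after first boot. The `sleep 2` between `update` and `install` is left unexplained; if it is working around the dpkg lock held by the image's first-boot apt run, a comment saying so, `# give cloud-init's apt run time to release the dpkg lock`, would help the next reader, and `-o DPkg::Lock::Timeout=120` on the install is the deterministic equivalent.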
--- a/prod/nginx/packer/scripts/nginx.sh
+++ b/prod/gitea/packer/scripts/nginx.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -xe
+set -ex
 
 sudo mv /tmp/do.ini ~/do.ini
 sudo certbot certonly \
@@ -10,20 +10,15 @@ sudo certbot certonly \
 --dns-digitalocean \
 --dns-digitalocean-credentials ~/do.ini \
 --dns-digitalocean-propagation-seconds 30 \
- -d '*.jeremydormitzer.com' \
- -d 'jeremydormitzer.com'
-
-sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf
-sudo mkdir -p /var/log/nginx
-sudo systemctl enable nginx
+ -d 'git.jeremydormitzer.com' \
 
 sudo mv /tmp/certbot-renew.timer /etc/systemd/system/
 sudo mv /tmp/certbot-renew.service /etc/systemd/system/
 sudo systemctl enable certbot-renew.timer
 
-sudo mv /tmp/nginx-restart.timer /etc/systemd/system/
-sudo mv /tmp/nginx-restart.service /etc/systemd/system/
-sudo systemctl enable nginx-restart.timer
+sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf
+sudo ln -s /etc/nginx/sites-available/gitea.conf \
+ /etc/nginx/sites-enabled/
+sudo unlink /etc/nginx/sites-enabled/default
 
-sudo mv /tmp/sshd_config /etc/ssh/sshd_config
-sudo systemctl restart sshd
+sudo systemctl enable nginx
diff --git a/prod/nginx/packer/templates/do.ini.template b/prod/gitea/packer/templates/do.ini.template
similarity index 100%
rename from prod/nginx/packer/templates/do.ini.template
rename to prod/gitea/packer/templates/do.ini.template
diff --git a/prod/nginx/packer/Makefile b/prod/nginx/packer/Makefile
deleted file mode 100644
index 8a69548..0000000
--- a/prod/nginx/packer/Makefile
+++ /dev/null
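Review bot: Nothing reloads nginx after a renewal: the hunk drops the `nginx-restart.timer` that used to restart nginx two minutes after `certbot-renew.timer` fired, and the `certonly` invocation has no deploy hook, so after the first renewal nginx keeps serving the old certificate from memory until something restarts it, which on a 90-day certificate means an expired site. Adding `--deploy-hook 'systemctl reload nginx' \` to the `certbot certonly` command stores the hook in the renewal config so `certbot renew` runs it every time. The new `-d 'git.jeremydormitzer.com' \` ends with a continuation backslash whose only following line is blank; that happens to work, but the next command someone adds directly below becomes a certbot argument, so the trailing backslash should go. Two smaller points: the Debian/Ubuntu certbot package already ships a `certbot.timer` that runs `renew` twice daily, so the custom timer is probably redundant, and `~/do.ini` should get `chmod 600` after the `mv` on line 5 since certbot warns when the credentials file is group or world readable. Lines 7–9 of the certbot command sit outside the hunk.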
@@ -1,24 +0,0 @@ -.PHONY: force - -packer-manifest.json: nginx.json \ - tmp/nginx.conf \ - tmp/do.ini \ - files/certbot-renew.service \ - files/certbot-renew.timer \ - files/nginx-restart.service \ - files/nginx-restart.timer \ - scripts/dependencies.sh \ - scripts/nginx.sh - packer build nginx.json - -tmp/nginx.conf: tmp force - cd terraform && terraform apply -auto-approve - -tmp/do.ini: templates/do.ini.template tmp - sigil -p -f templates/do.ini.template > tmp/do.ini - chmod 600 tmp/do.ini - -tmp: - mkdir tmp - -force: diff --git a/prod/nginx/packer/files/nginx-restart.service b/prod/nginx/packer/files/nginx-restart.service deleted file mode 100644 index e0a496b..0000000 --- a/prod/nginx/packer/files/nginx-restart.service +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Restart nginx -Wants=restart-nginx.timer - -[Service] -Type=simple -ExecStart=/usr/bin/env systemctl restart nginx \ No newline at end of file diff --git a/prod/nginx/packer/files/nginx-restart.timer b/prod/nginx/packer/files/nginx-restart.timer deleted file mode 100644 index 1d96859..0000000 --- a/prod/nginx/packer/files/nginx-restart.timer +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Restart nginx - -[Timer] -OnBootSec=60s -OnCalendar=Sat 20:02 -Persistent=true - -[Install] -WantedBy=timers.target \ No newline at end of file diff --git a/prod/nginx/packer/files/sshd_config b/prod/nginx/packer/files/sshd_config deleted file mode 100644 index f82ba81..0000000 --- a/prod/nginx/packer/files/sshd_config +++ /dev/null 
@@ -1,122 +0,0 @@ -# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -Port 222 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes - -# Expect .ssh/authorized_keys2 to be disregarded by default in future. -#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! 
-PasswordAuthentication no -#PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes -#GSSAPIKeyExchange no - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin yes -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /var/run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -# override default of no subsystems -Subsystem sftp /usr/lib/openssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server diff --git a/prod/nginx/packer/nginx.json b/prod/nginx/packer/nginx.json deleted file mode 100644 index 8007d4f..0000000 
--- a/prod/nginx/packer/nginx.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "builders": [ - { - "type": "digitalocean", - "image": "ubuntu-18-04-x64", - "region": "nyc1", - "size": "s-1vcpu-1gb", - "snapshot_name": "packer-nginx-{{timestamp}}", - "ssh_username": "root" - } - ], - "provisioners": [ - { - "type": "shell", - "script": "scripts/dependencies.sh" - }, - { - "type": "file", - "source": "tmp/nginx.conf", - "destination": "/tmp/nginx.conf" - }, - { - "type": "file", - "source": "tmp/do.ini", - "destination": "/tmp/do.ini" - }, - { - "type": "file", - "source": "files/certbot-renew.timer", - "destination": "/tmp/certbot-renew.timer" - }, - { - "type": "file", - "source": "files/certbot-renew.service", - "destination": "/tmp/certbot-renew.service" - }, - { - "type": "file", - "source": "files/nginx-restart.timer", - "destination": "/tmp/nginx-restart.timer" - }, - { - "type": "file", - "source": "files/nginx-restart.service", - "destination": "/tmp/nginx-restart.service" - }, - { - "type": "file", - "source": "files/sshd_config", - "destination": "/tmp/sshd_config" - }, - { - "type": "shell", - "script": "scripts/nginx.sh" - } - ], - "post-processors": [ - { - "type": "manifest" - } - ] -} diff --git a/prod/nginx/packer/packer-manifest.json b/prod/nginx/packer/packer-manifest.json deleted file mode 100644 index 4d6112b..0000000 --- a/prod/nginx/packer/packer-manifest.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "builds": [ - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633368571, - "files": null, - "artifact_id": "nyc1:92979065", - "packer_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633381985, - "files": null, - "artifact_id": "nyc1:92994055", - "packer_run_uuid": "3175c525-7550-f016-4b23-5b8f1b544b69", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633382771, - "files": null, - "artifact_id": "nyc1:92995027", - "packer_run_uuid": "7414490b-f330-d906-78e5-1b1dac89a265", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633388606, - "files": null, - "artifact_id": "nyc1:92999824", - "packer_run_uuid": "26369d41-f7b3-bdda-57e0-e329c1836a53", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633389351, - "files": null, - "artifact_id": "nyc1:93000183", - "packer_run_uuid": "7dc36fa3-25ac-fe47-0168-f90c160d3673", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633445796, - "files": null, - "artifact_id": "nyc1:93041994", - "packer_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633459198, - "files": null, - "artifact_id": "nyc1:93047327", - "packer_run_uuid": "4adb4205-6a8b-6a87-b92d-a3766eada22d", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633469746, - "files": null, - "artifact_id": "nyc1:93061502", - "packer_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633480191, - "files": null, - 
"artifact_id": "nyc1:93071958", - "packer_run_uuid": "522a00fb-024d-6acf-20ef-062536f7440c", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1633490191, - "files": null, - "artifact_id": "nyc1:93089106", - "packer_run_uuid": "fbff41d7-ee1a-5bcf-6859-8655dc171dd9", - "custom_data": null - }, - { - "name": "digitalocean", - "builder_type": "digitalocean", - "build_time": 1646758186, - "files": null, - "artifact_id": "nyc1:103546758", - "packer_run_uuid": "97c2bbc0-5cb7-ce64-ccb0-9c79813534a4", - "custom_data": null - } - ], - "last_run_uuid": "97c2bbc0-5cb7-ce64-ccb0-9c79813534a4" -} \ No newline at end of file diff --git a/prod/nginx/packer/scripts/dependencies.sh b/prod/nginx/packer/scripts/dependencies.sh deleted file mode 100644 index 6b8a9e8..0000000 --- a/prod/nginx/packer/scripts/dependencies.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env bash - -set -xe - -sudo apt-get update && sleep 5 -sudo apt-get install -y \ - nginx \ - certbot \ - python3-certbot-dns-digitalocean diff --git a/prod/nginx/packer/terraform/.terraform.lock.hcl b/prod/nginx/packer/terraform/.terraform.lock.hcl deleted file mode 100644 index fc94c5b..0000000 --- a/prod/nginx/packer/terraform/.terraform.lock.hcl +++ /dev/null 
@@ -1,41 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/digitalocean/digitalocean" { - version = "2.3.0" - constraints = "~> 2.3.0" - hashes = [ - "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=", - "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9", - "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84", - "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca", - "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb", - "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6", - "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021", - "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907", - "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8", - "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6", - "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be", - "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5", - "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7", - "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.1.0" - hashes = [ - "h1:KfieWtVyGWwplSoLIB5usKAUnrIkDQBkWaR5TI+4WYg=", - "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2", - "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab", - "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3", - "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a", - "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe", - "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1", - "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c", - "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4", - 
"zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b", - "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3", - "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91", - ] -} diff --git a/prod/nginx/packer/terraform/data.tf b/prod/nginx/packer/terraform/data.tf deleted file mode 100644 index e0685bd..0000000 --- a/prod/nginx/packer/terraform/data.tf +++ /dev/null @@ -1,59 +0,0 @@ -data "terraform_remote_state" "gitea" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/gitea.tfstate" - } -} - -data "terraform_remote_state" "syncthing" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/syncthing.tfstate" - } -} - -data "terraform_remote_state" "wallabag" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/wallabag.tfstate" - } -} - -data "terraform_remote_state" "freshrss" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/freshrss.tfstate" - } -} diff --git a/prod/nginx/packer/terraform/main.tf b/prod/nginx/packer/terraform/main.tf deleted file mode 100644 index 20d8fe9..0000000 
--- a/prod/nginx/packer/terraform/main.tf +++ /dev/null @@ -1,31 +0,0 @@ -resource "local_file" "nginx_config" { - filename = "${path.module}/../tmp/nginx.conf" - content = templatefile( - "${path.module}/templates/nginx.conf.template", - { - "servers" : [ - { - "domain" : "git.jeremydormitzer.com", - "ip" : "${data.terraform_remote_state.gitea.outputs.gitea_ip_address}", - "port" : "3000" - }, - { - "domain" : "wallabag.jeremydormitzer.com", - "ip" : "${data.terraform_remote_state.wallabag.outputs.ip_address}", - "port" : "80" - }, - { - "domain" : "rss.jeremydormitzer.com", - "ip" : "${data.terraform_remote_state.freshrss.outputs.ip_address}", - "port" : "80" - }, - { - "domain" : "syncthing.jeremydormitzer.com", - "ip" : "${data.terraform_remote_state.syncthing.outputs.ip_address}", - "port" : "8384" - } - ], - "gitea_ip" : "${data.terraform_remote_state.gitea.outputs.gitea_ip_address}" - } - ) -} diff --git a/prod/nginx/packer/terraform/templates/nginx.conf.template b/prod/nginx/packer/terraform/templates/nginx.conf.template deleted file mode 100644 index be2bf6b..0000000 --- a/prod/nginx/packer/terraform/templates/nginx.conf.template +++ /dev/null 
@@ -1,97 +0,0 @@ -user www-data; -worker_processes auto; -pid /run/nginx.pid; -include /etc/nginx/modules-enabled/*.conf; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # SSL Settings - ## - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - %{ for server in servers } - server { - server_name ${server.domain}; - - access_log /var/log/nginx/${server.domain}_access.log; - error_log /var/log/nginx/${server.domain}_error.log; - - location / { - proxy_set_header Host $host; - proxy_pass http://${server.ip}:${server.port}; - } - - listen [::]:443 ssl; - listen 443 ssl; - - ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem; - - ssl_session_cache shared:le_nginx_SSL:1m; - ssl_session_timeout 1440m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - - ssl_ciphers 
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; - - } - - %{ endfor ~} - server { - listen 80; - listen [::]:80; - return 301 https://$host$request_uri; - } -} - -stream { - server { - listen 22; - proxy_pass ${gitea_ip}:22; - } -} \ No newline at end of file diff --git a/prod/nginx/packer/terraform/terraform.tf b/prod/nginx/packer/terraform/terraform.tf deleted file mode 100644 index 480cadb..0000000 --- a/prod/nginx/packer/terraform/terraform.tf +++ /dev/null @@ -1,18 +0,0 @@ -terraform { - required_providers { - digitalocean = { - source = "digitalocean/digitalocean" - version = "~> 2.3.0" - } - } - - backend "s3" { - skip_credentials_validation = true - skip_metadata_api_check = true - # Need to specify an AWS region to stop Terraform complaining - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/nginx-config.tfstate" - } -} diff --git a/prod/nginx/packer/terraform/variables.tf b/prod/nginx/packer/terraform/variables.tf deleted file mode 100644 index 1b3748a..0000000 --- a/prod/nginx/packer/terraform/variables.tf +++ /dev/null @@ -1,11 +0,0 @@ -variable "do_token" { - type = string -} - -variable "spaces_access_id" { - type = string -} - -variable "spaces_secret_key" { - type = string -} 
diff --git a/prod/nginx/terraform/.terraform.lock.hcl b/prod/nginx/terraform/.terraform.lock.hcl deleted file mode 100644 index fc94c5b..0000000 --- a/prod/nginx/terraform/.terraform.lock.hcl +++ /dev/null 
@@ -1,41 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/digitalocean/digitalocean" { - version = "2.3.0" - constraints = "~> 2.3.0" - hashes = [ - "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=", - "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9", - "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84", - "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca", - "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb", - "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6", - "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021", - "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907", - "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8", - "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6", - "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be", - "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5", - "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7", - "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.1.0" - hashes = [ - "h1:KfieWtVyGWwplSoLIB5usKAUnrIkDQBkWaR5TI+4WYg=", - "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2", - "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab", - "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3", - "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a", - "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe", - "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1", - "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c", - "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4", - 
"zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b", - "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3", - "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91", - ] -} diff --git a/prod/nginx/terraform/main.tf b/prod/nginx/terraform/main.tf deleted file mode 100644 index 50b8692..0000000 --- a/prod/nginx/terraform/main.tf +++ /dev/null @@ -1,13 +0,0 @@ -provider "digitalocean" { - token = var.do_token - spaces_access_id = var.spaces_access_id - spaces_secret_key = var.spaces_secret_key -} - -module "packer_droplet" { - source = "../../../terraform-modules/packer_droplet" - name = "nginx" - do_token = var.do_token - spaces_access_id = var.spaces_access_id - spaces_secret_key = var.spaces_secret_key -} diff --git a/prod/nginx/terraform/outputs.tf b/prod/nginx/terraform/outputs.tf deleted file mode 100644 index 30d0079..0000000 --- a/prod/nginx/terraform/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "nginx_ip_address" { - value = module.packer_droplet.droplet_ip_address -} - -output "nginx_urn" { - value = module.packer_droplet.droplet_urn -} diff --git a/prod/nginx/terraform/terraform.tf b/prod/nginx/terraform/terraform.tf deleted file mode 100644 index cc237b2..0000000 --- a/prod/nginx/terraform/terraform.tf +++ /dev/null @@ -1,18 +0,0 @@ -terraform { - required_providers { - digitalocean = { - source = "digitalocean/digitalocean" - version = "~> 2.3.0" - } - } - - backend "s3" { - skip_credentials_validation = true - skip_metadata_api_check = true - # Need to specify an AWS region to stop Terraform complaining - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/nginx.tfstate" - } -} diff --git a/prod/nginx/terraform/variables.tf b/prod/nginx/terraform/variables.tf deleted file mode 100644 index 1b3748a..0000000 --- a/prod/nginx/terraform/variables.tf +++ /dev/null 
@@ -1,11 +0,0 @@ -variable "do_token" { - type = string -} - -variable "spaces_access_id" { - type = string -} - -variable "spaces_secret_key" { - type = string -}