diff --git a/.envrc b/.envrc
index 402262d..3560150 100644
--- a/.envrc
+++ b/.envrc
@@ -1,9 +1,9 @@
 PATH_add bin
-export TF_VAR_do_token=$(pass jdormit-infra-do-token)
-export DIGITALOCEAN_API_TOKEN=$(pass jdormit-infra-do-token)
-export TF_VAR_spaces_access_id=$(pass jdormit-infra-spaces-access-id)
-export TF_VAR_spaces_secret_key=$(pass jdormit-infra-spaces-secret-key)
+# export TF_VAR_do_token=$(pass jdormit-infra-do-token)
+# export DIGITALOCEAN_API_TOKEN=$(pass jdormit-infra-do-token)
+# export TF_VAR_spaces_access_id=$(pass jdormit-infra-spaces-access-id)
+# export TF_VAR_spaces_secret_key=$(pass jdormit-infra-spaces-secret-key)
 if [ -f ".env.local" ]; then
 echo "sourcing .env.local"
diff --git a/.gitignore b/.gitignore
index d1d76e7..13728e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-/.env.local
+.env.local
 /backend-config.tf
 */**/.terraform
 *.tfstate*
diff --git a/mgmt/do-jeremydormitzer-com/terraform/data.tf b/mgmt/do-jeremydormitzer-com/terraform/data.tf
index f503fc1..8d58a05 100644
--- a/mgmt/do-jeremydormitzer-com/terraform/data.tf
+++ b/mgmt/do-jeremydormitzer-com/terraform/data.tf
@@ -9,7 +9,7 @@ data "terraform_remote_state" "git_jeremydormitzer_com" {
 region = "us-east-1"
 endpoint = "nyc3.digitaloceanspaces.com"
 bucket = "jdormit-tf-state"
- key = "prod/git-jeremydormitzer-com.tfstate"
+ key = "prod/gitea.tfstate"
 }
 }
diff --git a/mgmt/do-jeremydormitzer-com/terraform/main.tf b/mgmt/do-jeremydormitzer-com/terraform/main.tf
index c635005..b5aade0 100644
--- a/mgmt/do-jeremydormitzer-com/terraform/main.tf
+++ b/mgmt/do-jeremydormitzer-com/terraform/main.tf
@@ -46,7 +46,7 @@ resource "digitalocean_record" "git" {
 domain = digitalocean_domain.jeremydormitzer_com.name
 type = "A"
 name = "git"
- value = data.terraform_remote_state.git_jeremydormitzer_com.outputs.git_ip_address
+ value = data.terraform_remote_state.git_jeremydormitzer_com.outputs.gitea_ip_address
 ttl = 3600
 }
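Review bot: `source ".env.local"` under `set -a` evaluates the file as shell in the developer's session, so `.env.local` is now executable code that, as far as I can tell, direnv's `.envrc` approval hash does not cover: a changed `.envrc` triggers a re-allow prompt, but a changed `.env.local` is sourced silently. Since the file only needs to hold KEY=value pairs, direnv's stdlib `dotenv .env.local` (parsed, not executed) together with `watch_file .env.local` gives the same effect without shell evaluation; the same pattern is added in prod/gitea/packer/.envrc, prod/jdormit-website-netlify/terraform/.envrc, prod/syncthing/packer/.envrc and prod/wallabag/packer/.envrc. The values that used to come from `pass` now sit in a plaintext file; the `.gitignore` change in this commit keeps it out of git, but nothing enforces its mode, so a check that refuses to load a group- or world-readable `.env.local` before sourcing would be a cheap guard.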
diff --git a/prod/git-jeremydormitzer-com/terraform/.terraform.lock.hcl b/mgmt/do-project-jeremydormitzer/terraform/.terraform.lock.hcl
similarity index 100%
rename from prod/git-jeremydormitzer-com/terraform/.terraform.lock.hcl
rename to mgmt/do-project-jeremydormitzer/terraform/.terraform.lock.hcl
diff --git a/mgmt/do-project-jeremydormitzer/terraform/data.tf b/mgmt/do-project-jeremydormitzer/terraform/data.tf
index 9c59f0e..5a7e749 100644
--- a/mgmt/do-project-jeremydormitzer/terraform/data.tf
+++ b/mgmt/do-project-jeremydormitzer/terraform/data.tf
@@ -1,4 +1,4 @@
-data "terraform_remote_state" "jdormit_website" {
+data "terraform_remote_state" "gitea" {
 backend = "s3"
 config = {
@@ -9,22 +9,7 @@ data "terraform_remote_state" "jdormit_website" {
 region = "us-east-1"
 endpoint = "nyc3.digitaloceanspaces.com"
 bucket = "jdormit-tf-state"
- key = "prod/jdormit-website.tfstate"
- }
-}
-
-data "terraform_remote_state" "git_jeremydormitzer_com" {
- backend = "s3"
-
- config = {
- skip_credentials_validation = true
- skip_metadata_api_check = true
- access_key = var.spaces_access_id
- secret_key = var.spaces_secret_key
- region = "us-east-1"
- endpoint = "nyc3.digitaloceanspaces.com"
- bucket = "jdormit-tf-state"
- key = "prod/git-jeremydormitzer-com.tfstate"
+ key = "prod/gitea.tfstate"
 }
 }
@@ -72,3 +57,33 @@ data "terraform_remote_state" "jeremydormitzer_com" {
 key = "mgmt/do-dns.tfstate"
 }
 }
+
+data "terraform_remote_state" "spaces" {
+ backend = "s3"
+
+ config = {
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ access_key = var.spaces_access_id
+ secret_key = var.spaces_secret_key
+ region = "us-east-1"
+ endpoint = "nyc3.digitaloceanspaces.com"
+ bucket = "jdormit-tf-state"
+ key = "mgmt/do-spaces.tfstate"
+ }
+}
+
+data "terraform_remote_state" "wallabag" {
+ backend = "s3"
+
+ config = {
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ access_key = var.spaces_access_id
+ secret_key = var.spaces_secret_key
+ region = "us-east-1"
+ endpoint = "nyc3.digitaloceanspaces.com"
+ bucket = "jdormit-tf-state"
+ key = "prod/wallabag.tfstate"
+ }
+}
diff --git a/mgmt/do-project-jeremydormitzer/terraform/main.tf b/mgmt/do-project-jeremydormitzer/terraform/main.tf
index 44c5af1..20a23bc 100644
--- a/mgmt/do-project-jeremydormitzer/terraform/main.tf
+++ b/mgmt/do-project-jeremydormitzer/terraform/main.tf
@@ -10,11 +10,13 @@ resource "digitalocean_project" "jeremy_dormitzer" {
 description = "Personal infrastructure"
 purpose = "Personal infrastructure"
 resources = [
- data.terraform_remote_state.jdormit_website.outputs.jdormit_website_urn,
- data.terraform_remote_state.git_jeremydormitzer_com.outputs.git_urn,
- data.terraform_remote_state.syncthing.outputs.syncthing_urn,
- data.terraform_remote_state.syncthing.outputs.syncthing_volume_urn,
+ data.terraform_remote_state.gitea.outputs.gitea_urn,
+ data.terraform_remote_state.gitea.outputs.gitea_volume_urn,
+ data.terraform_remote_state.syncthing.outputs.urn,
+ data.terraform_remote_state.syncthing.outputs.volume_urn,
 data.terraform_remote_state.justin_ghost_site.outputs.justin_ghost_site_urn,
- data.terraform_remote_state.jeremydormitzer_com.outputs.jeremydormitzer_com_urn
+ data.terraform_remote_state.jeremydormitzer_com.outputs.jeremydormitzer_com_urn,
+ data.terraform_remote_state.spaces.outputs.jdormit_infra_bucket_urn,
+ data.terraform_remote_state.wallabag.outputs.urn
 ]
 }
diff --git a/mgmt/do-spaces/terraform/.terraform.lock.hcl b/mgmt/do-spaces/terraform/.terraform.lock.hcl
new file mode 100755
index 0000000..f7f7ed8
--- /dev/null
+++ b/mgmt/do-spaces/terraform/.terraform.lock.hcl
@@ -0,0 +1,23 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/digitalocean/digitalocean" { + version = "2.3.0" + constraints = "~> 2.3.0" + hashes = [ + "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=", + "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9", + "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84", + "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca", + "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb", + "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6", + "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021", + "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907", + "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8", + "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6", + "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be", + "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5", + "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7", + "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d", + ] +} diff --git a/mgmt/do-spaces/terraform/outputs.tf b/mgmt/do-spaces/terraform/outputs.tf new file mode 100644 index 0000000..fe9bd2e --- /dev/null +++ b/mgmt/do-spaces/terraform/outputs.tf @@ -0,0 +1,3 @@ +output "jdormit_infra_bucket_urn" { + value = digitalocean_spaces_bucket.jdormit_tf_state.urn +} diff --git a/prod/git-jeremydormitzer-com/ansible/.envrc b/prod/git-jeremydormitzer-com/ansible/.envrc deleted file mode 100644 index 0512d72..0000000 --- a/prod/git-jeremydormitzer-com/ansible/.envrc +++ /dev/null @@ -1 +0,0 @@ -export ANSIBLE_INVENTORY="$(expand_path hosts.ini)" diff --git a/prod/git-jeremydormitzer-com/ansible/hosts.ini b/prod/git-jeremydormitzer-com/ansible/hosts.ini deleted file mode 100644 index da66b1c..0000000 
--- a/prod/git-jeremydormitzer-com/ansible/hosts.ini
+++ /dev/null
@@ -1 +0,0 @@
-git.jeremydormitzer.com
\ No newline at end of file
diff --git a/prod/git-jeremydormitzer-com/terraform/main.tf b/prod/git-jeremydormitzer-com/terraform/main.tf
deleted file mode 100644
index 1c05446..0000000
--- a/prod/git-jeremydormitzer-com/terraform/main.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-provider "digitalocean" {
- token = var.do_token
- spaces_access_id = var.spaces_access_id
- spaces_secret_key = var.spaces_secret_key
-}
-
-resource "digitalocean_droplet" "git_jeremydormitzer_com" {
- name = "git.jeremydormitzer.com"
- image = "41695378"
- region = "nyc3"
- size = "s-1vcpu-1gb"
- backups = true
- tags = ["terraform"]
-}
diff --git a/prod/git-jeremydormitzer-com/terraform/outputs.tf b/prod/git-jeremydormitzer-com/terraform/outputs.tf
deleted file mode 100644
index 2954a17..0000000
--- a/prod/git-jeremydormitzer-com/terraform/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "git_ip_address" {
- value = digitalocean_droplet.git_jeremydormitzer_com.ipv4_address
-}
-
-output "git_urn" {
- value = digitalocean_droplet.git_jeremydormitzer_com.urn
-}
diff --git a/prod/gitea/packer/.envrc b/prod/gitea/packer/.envrc
new file mode 100644
index 0000000..31e4204
--- /dev/null
+++ b/prod/gitea/packer/.envrc
@@ -0,0 +1,15 @@
+source_up
+
+# export GITEA_MAILGUN_PASSWORD=$(pass noreply@mg.git.jeremydormitzer.com)
+# export GITEA_LFS_JWT_SECRET=$(pass packer-gitea-lfs-jwt-secret)
+# export GITEA_SECRET_KEY=$(pass packer-gitea-secret-key)
+# export GITEA_INTERNAL_TOKEN=$(pass packer-gitea-internal-token)
+# export GITEA_JWT_SECRET=$(pass packer-gitea-jwt-secret)
+# export CERTBOT_EMAIL=$(pass certbot-email)
+
+if [ -f ".env.local" ]; then
+ echo "sourcing .env.local"
+ set -a
+ source ".env.local"
+ set +a
+fi
diff --git a/prod/gitea/packer/.gitignore b/prod/gitea/packer/.gitignore
new file mode 100644
index 0000000..6f7c105
--- /dev/null
+++ b/prod/gitea/packer/.gitignore
@@ -0,0 +1,3 @@
+files/app.ini
+tmp/
+certbot/
\ No newline at end of file
diff --git a/prod/gitea/packer/Makefile b/prod/gitea/packer/Makefile
new file mode 100644
index 0000000..2975d85
--- /dev/null
+++ b/prod/gitea/packer/Makefile
@@ -0,0 +1,39 @@
+.PHONY: reissue-certs
+
+packer-manifest.json: gitea.json \
+ scripts/dependencies.sh \
+ scripts/volume.sh \
+ files/gitea.service \
+ files/app.ini \
+ scripts/gitea.sh \
+ files/gitea-nginx.conf \
+ scripts/nginx.sh \
+ certbot/live/git.jeremydormitzer.com/fullchain.pem \
+ certbot/live/git.jeremydormitzer.com/privkey.pem
+ packer build gitea.json
+
+files/app.ini: templates/app.ini.template
+ sigil -p -f templates/app.ini.template > files/app.ini
+
+certbot/live/git.jeremydormitzer.com/fullchain.pem certbot/live/git.jeremydormitzer.com/privkey.pem &: tmp/do.ini
+ certbot certonly -n \
+ --agree-tos \
+ --email ${CERTBOT_EMAIL} \
+ --dns-digitalocean \
+ --dns-digitalocean-credentials tmp/do.ini \
+ --config-dir ./certbot \
+ --work-dir ./certbot \
+ --logs-dir ./certbot \
+ -d git.jeremydormitzer.com
+
+
+tmp/do.ini: templates/do.ini.template tmp
+ sigil -p -f templates/do.ini.template > tmp/do.ini
+ chmod 600 tmp/do.ini
+
+tmp:
+ mkdir tmp
+
+reissue-certs:
+ rm -rf certbot
+ make
diff --git a/prod/gitea/packer/files/gitea-nginx.conf b/prod/gitea/packer/files/gitea-nginx.conf
new file mode 100644
index 0000000..9353285
--- /dev/null
+++ b/prod/gitea/packer/files/gitea-nginx.conf
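Review bot: The `tmp/do.ini` recipe writes the DigitalOcean API token with the caller's default umask and only afterwards runs `chmod 600`, leaving a window in which the rendered file may be group- or world-readable, and the `files/app.ini` recipe, which renders `INTERNAL_TOKEN`, `SECRET_KEY` and the mailer password, never tightens the mode at all. Creating both files under a restrictive umask closes that: `( umask 077; sigil -p -f templates/do.ini.template > tmp/do.ini )` and `( umask 077; sigil -p -f templates/app.ini.template > files/app.ini )`. Separately, the `reissue-certs` recipe re-invokes `make` by name; the recursive call should be `$(MAKE)` so flags and the chosen make binary propagate.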
@@ -0,0 +1,28 @@
+server {
+ listen [::]:443 ssl ipv6only=on;
+ listen 443 ssl;
+
+ ssl_certificate /var/www/gitea/fullchain.pem;
+ ssl_certificate_key /var/www/gitea/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+ error_log /var/log/nginx/gitea_error.log;
+ access_log /var/log/nginx/gitea_access.log;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+}
\ No newline at end of file
diff --git a/prod/gitea/packer/files/gitea.service b/prod/gitea/packer/files/gitea.service
new file mode 100644
index 0000000..6226843
--- /dev/null
+++ b/prod/gitea/packer/files/gitea.service
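Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated TLS 1.0/1.1 versions enabled, and the `ssl_ciphers` list still admits 3DES (`DES-CBC3-SHA` and friends) and non-forward-secret RSA suites; for a single-operator git forge served to modern git clients and browsers, `ssl_protocols TLSv1.2 TLSv1.3;` with the list trimmed to the ECDHE AES-GCM and CHACHA20 suites is the safer baseline. The `location /` block proxies with nginx's default `client_max_body_size` (1m), which, given `LFS_START_SERVER = true` in the app.ini template, will most likely reject LFS uploads and larger pushes with 413 — add `client_max_body_size` sized for the expected objects. Consider also passing `proxy_set_header X-Forwarded-Proto $scheme;` and `Host $host` so Gitea sees the original request scheme and host rather than only what `ROOT_URL` says.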
@@ -0,0 +1,74 @@ +[Unit] +Description=Gitea (Git with a cup of tea) +After=syslog.target +After=network.target +### +# Don't forget to add the database service requirements +### +# +#Requires=mysql.service +#Requires=mariadb.service +#Requires=postgresql.service +#Requires=memcached.service +#Requires=redis.service +# +### +# If using socket activation for main http/s +### +# +#After=gitea.main.socket +#Requires=gitea.main.socket +# +### +# (You can also provide gitea an http fallback and/or ssh socket too) +# +# An example of /etc/systemd/system/gitea.main.socket +### +## +## [Unit] +## Description=Gitea Web Socket +## PartOf=gitea.service +## +## [Socket] +## Service=gitea.service +## ListenStream= +## NoDelay=true +## +## [Install] +## WantedBy=sockets.target +## +### + +[Service] +# Modify these two values and uncomment them if you have +# repos with lots of files and get an HTTP error 500 because +# of that +### +#LimitMEMLOCK=infinity +#LimitNOFILE=65535 +RestartSec=2s +Type=simple +User=git +Group=git +WorkingDirectory=/mnt/gitea/ +# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file +# (manually creating /run/gitea doesn't work, because it would not persist across reboots) +#RuntimeDirectory=gitea +ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini +Restart=always +Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/mnt/gitea +# If you install Git to directory prefix other than default PATH (which happens +# for example if you install other versions of Git side-to-side with +# distribution version), uncomment below line and add that prefix to PATH +# Don't forget to place git-lfs binary on the PATH below if you want to enable +# Git LFS support +#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin +# If you want to bind Gitea to a port below 1024, uncomment +# the two values below, or use socket activation to pass Gitea its ports as above +### 
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE +#AmbientCapabilities=CAP_NET_BIND_SERVICE +### + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/prod/gitea/packer/gitea.json b/prod/gitea/packer/gitea.json new file mode 100644 index 0000000..a77da3e --- /dev/null +++ b/prod/gitea/packer/gitea.json @@ -0,0 +1,60 @@ +{ + "builders": [ + { + "type": "digitalocean", + "image": "ubuntu-20-04-x64", + "region": "nyc1", + "size": "s-1vcpu-1gb", + "snapshot_name": "packer-gitea-{{timestamp}}", + "ssh_username": "root" + } + ], + "provisioners": [ + { + "type": "shell", + "script": "scripts/dependencies.sh" + }, + { + "type": "shell", + "script": "scripts/volume.sh" + }, + { + "type": "file", + "source": "files/app.ini", + "destination": "/tmp/app.ini" + }, + { + "type": "file", + "source": "files/gitea.service", + "destination": "/tmp/gitea.service" + }, + { + "type": "shell", + "script": "scripts/gitea.sh" + }, + { + "type": "file", + "source": "files/gitea-nginx.conf", + "destination": "/tmp/gitea-nginx.conf" + }, + { + "type": "file", + "source": "certbot/live/git.jeremydormitzer.com/fullchain.pem", + "destination": "/tmp/fullchain.pem" + }, + { + "type": "file", + "source": "certbot/live/git.jeremydormitzer.com/privkey.pem", + "destination": "/tmp/privkey.pem" + }, + { + "type": "shell", + "script": "scripts/nginx.sh" + } + ], + "post-processors": [ + { + "type": "manifest" + } + ] +} diff --git a/prod/gitea/packer/packer-manifest.json b/prod/gitea/packer/packer-manifest.json new file mode 100644 index 0000000..5005ad4 --- /dev/null +++ b/prod/gitea/packer/packer-manifest.json 
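Review bot: `WorkingDirectory=/mnt/gitea/` and `GITEA_WORK_DIR=/mnt/gitea` point at a bindfs mount that volume.sh adds to fstab, but the unit only orders itself `After=network.target`, so systemd may start Gitea before that mount (and the `/home/git/.ssh` bind) is in place, and the service would then run against an empty directory or fail. Add `RequiresMountsFor=/mnt/gitea /home/git/.ssh` to the `[Unit]` section so the unit waits for, and requires, those mount units. The `[Service]` section also carries none of the sandboxing directives that cost nothing here (`NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full`), which are worth adding for a network-facing service running as `git`.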
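Review bot: The `file` provisioner uploads `certbot/live/git.jeremydormitzer.com/privkey.pem` into the build droplet and nginx.sh then installs it, so the TLS private key becomes part of the `packer-gitea-{{timestamp}}` snapshot: every snapshot kept in the account and every droplet cloned from one carries the key, and rotating it means a full rebuild. Prefer installing the certificate and key at first boot (for example from the attached volume, or by running certbot on the droplet itself) and keep only the public chain in the image; if the key must stay in the image, treat the snapshots as secret material and prune old ones. Note also that the upload lands in `/tmp` with whatever mode the provisioner assigns (I cannot confirm it from here), so the destination mode should be set explicitly by the script that moves it.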
@@ -0,0 +1,131 @@ +{ + "builds": [ + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611352765, + "files": null, + "artifact_id": "nyc1:77396506", + "packer_run_uuid": "a93bca03-f67e-e630-7606-c12222ae21db", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611355972, + "files": null, + "artifact_id": "nyc1:77399380", + "packer_run_uuid": "2c306ac5-20fe-3e4e-9329-c62b03621d95", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611356707, + "files": null, + "artifact_id": "nyc1:77400402", + "packer_run_uuid": "1d401331-1f3f-cfaa-d610-66f06eef5986", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611357084, + "files": null, + "artifact_id": "nyc1:77400747", + "packer_run_uuid": "c40a3d6a-e3a8-099a-1bd1-86f4026a158f", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611357475, + "files": null, + "artifact_id": "nyc1:77401090", + "packer_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611589317, + "files": null, + "artifact_id": "nyc1:77556065", + "packer_run_uuid": "e2582fd0-50a1-ff12-55d4-e2b8c3d8f219", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611590422, + "files": null, + "artifact_id": "nyc1:77556468", + "packer_run_uuid": "fc433d91-57be-76b1-8556-9db7db2bec1a", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611592717, + "files": null, + "artifact_id": "nyc1:77557404", + "packer_run_uuid": "263c77ab-063b-0cdc-fa3b-2ade99fc7c13", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611593408, + "files": null, + 
"artifact_id": "nyc1:77557615", + "packer_run_uuid": "19edc202-d12a-44ac-45ca-b4bb7ad9b50d", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611597797, + "files": null, + "artifact_id": "nyc1:77559148", + "packer_run_uuid": "e6bf1c31-9406-7aec-c5b4-e1a7e43bb712", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611598412, + "files": null, + "artifact_id": "nyc1:77559258", + "packer_run_uuid": "808d4681-7b0f-cda7-9dde-fc47861f18c5", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611599594, + "files": null, + "artifact_id": "nyc1:77560033", + "packer_run_uuid": "dfbec72e-764d-5f5c-8a58-f82102f1b295", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611608782, + "files": null, + "artifact_id": "nyc1:77566816", + "packer_run_uuid": "88d9d9f3-e664-2d8b-fafb-8c0a63bdc418", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611613275, + "files": null, + "artifact_id": "nyc1:77570642", + "packer_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64", + "custom_data": null + } + ], + "last_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64" +} \ No newline at end of file diff --git a/prod/gitea/packer/scripts/dependencies.sh b/prod/gitea/packer/scripts/dependencies.sh new file mode 100644 index 0000000..5955e1a --- /dev/null +++ b/prod/gitea/packer/scripts/dependencies.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +set -ex + +sudo apt-get update +sudo apt-get install -y git bindfs diff --git a/prod/gitea/packer/scripts/gitea.sh b/prod/gitea/packer/scripts/gitea.sh new file mode 100644 index 0000000..17d3a51 --- /dev/null +++ b/prod/gitea/packer/scripts/gitea.sh 
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -ex
+
+adduser \
+ --system \
+ --shell /bin/bash \
+ --gecos 'Git Version Control' \
+ --group \
+ --disabled-password \
+ --home /home/git \
+ git
+
+mkdir /etc/gitea
+mv /tmp/app.ini /etc/gitea/app.ini
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 660 /etc/gitea/app.ini
+
+wget -O gitea https://dl.gitea.io/gitea/1.13.1/gitea-1.13.1-linux-amd64
+chmod +x gitea
+mv gitea /usr/local/bin/
+
+mv /tmp/gitea.service /etc/systemd/system/gitea.service
+systemctl enable gitea
diff --git a/prod/gitea/packer/scripts/nginx.sh b/prod/gitea/packer/scripts/nginx.sh
new file mode 100644
index 0000000..a9d6244
--- /dev/null
+++ b/prod/gitea/packer/scripts/nginx.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo apt-get install -y nginx
+sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf
+sudo ln -s /etc/nginx/sites-available/gitea.conf \
+ /etc/nginx/sites-enabled/
+sudo unlink /etc/nginx/sites-enabled/default
+
+sudo mkdir -p /var/www/gitea
+sudo mv /tmp/fullchain.pem /var/www/gitea/fullchain.pem
+sudo mv /tmp/privkey.pem /var/www/gitea/privkey.pem
+chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem
+
+sudo systemctl enable nginx
diff --git a/prod/gitea/packer/scripts/volume.sh b/prod/gitea/packer/scripts/volume.sh
new file mode 100644
index 0000000..8687fcd
--- /dev/null
+++ b/prod/gitea/packer/scripts/volume.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo echo "/dev/disk/by-label/gitea-volume /mnt/gitea-volume ext4 defaults,nofail,discard,noatime 0 2" >> /etc/fstab
+sudo echo "/mnt/gitea-volume /mnt/gitea fuse.bindfs force-user=git,force-group=git 0 0" >> /etc/fstab
+sudo echo "/mnt/gitea/.ssh /home/git/.ssh fuse.bindfs force-user=git,force-group=git,perms=700" >> /etc/fstab
diff --git a/prod/gitea/packer/templates/app.ini.template b/prod/gitea/packer/templates/app.ini.template
new file mode 100644
index 0000000..fa3001f
--- /dev/null
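Review bot: `wget -O gitea https://dl.gitea.io/gitea/1.13.1/gitea-1.13.1-linux-amd64` installs the server binary into the image with no integrity check, so a tampered or truncated download is baked into every snapshot unnoticed. Pin the expected digest in the script and verify before `chmod +x`: `echo "<EXPECTED_SHA256 placeholder>  gitea" | sha256sum -c -` (Gitea publishes a `.sha256` and a GPG `.asc` beside each release; the pinned value should come from a release you verified once, not be re-fetched from the same host at build time). The version is hard-coded in two places on that line; a `gitea_version=1.13.1` variable at the top keeps the URL and the digest in step when upgrading.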
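Review bot: `chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem` hands the TLS private key to the unprivileged worker user, which nginx does not need — the master process reads `ssl_certificate_key` as root — and the file keeps whatever mode the packer upload and `mv` left it with, which I cannot confirm here but may well be world-readable. Keep the key owned by root and lock it down, `sudo chmod 600 /var/www/gitea/privkey.pem`, dropping the chown; `/etc/ssl/private` is also the conventional location, since anything under `/var/www` is one misconfigured `root` directive away from being served. This is also the only line in the script without `sudo`; it works because the provisioner runs as root, but the inconsistency should be resolved one way or the other.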
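Review bot: `sudo echo "..." >> /etc/fstab` does not escalate the write — the `>>` redirection is opened by the calling shell before `sudo` runs — so the three lines only succeed because the packer provisioner already runs as root (`ssh_username: root` in gitea.json); write them as `printf '%s\n' "..." | sudo tee -a /etc/fstab >/dev/null`, or drop `sudo` and say the script assumes root. Separately, the first entry has `nofail` but the two bindfs entries do not, so if the volume is not attached when the droplet boots (the attachment is a separate Terraform resource) the failed mounts can hold up boot or drop the droplet into emergency mode; add `nofail` to both, and give the third entry its trailing `0 0` fields for consistency.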
+++ b/prod/gitea/packer/templates/app.ini.template
@@ -0,0 +1,77 @@
+APP_NAME = Jeremy Dormitzer's Git Forge
+RUN_USER = git
+RUN_MODE = prod
+
+[oauth2]
+JWT_SECRET = ${GITEA_JWT_SECRET:?}
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = ${GITEA_INTERNAL_TOKEN:?}
+SECRET_KEY = ${GITEA_SECRET_KEY:?}
+
+[database]
+DB_TYPE = sqlite3
+HOST = 127.0.0.1:3306
+NAME = gitea
+USER = gitea
+PASSWD =
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+PATH = /mnt/gitea/gitea.db
+LOG_SQL = false
+
+[repository]
+ROOT = /mnt/gitea/gitea-repositories
+ENABLE_PUSH_CREATE_USER = true
+
+[server]
+SSH_DOMAIN = git.jeremydormitzer.com
+DOMAIN = git.jeremydormitzer.com
+HTTP_PORT = 3000
+ROOT_URL = https://git.jeremydormitzer.com/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /mnt/gitea/lfs
+LFS_JWT_SECRET = ${GITEA_LFS_JWT_SECRET:?}
+OFFLINE_MODE = false
+
+[mailer]
+ENABLED = true
+HOST = smtp.mailgun.org:587
+FROM = Jeremy Dormitzer's Git Forge
+USER = noreply@mg.git.jeremydormitzer.com
+PASSWD = ${GITEA_MAILGUN_PASSWORD:?}
+
+[service]
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /mnt/gitea/log
+REDIRECT_MACARON_LOG = true
+MACARON = console
+ROUTER = console
\ No newline at end of file
diff --git a/prod/gitea/packer/templates/do.ini.template b/prod/gitea/packer/templates/do.ini.template
new file mode 100644
index 0000000..7c6ec3f
--- /dev/null
+++ b/prod/gitea/packer/templates/do.ini.template
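Review bot: `HTTP_PORT = 3000` is set without an `HTTP_ADDR`, and Gitea's default is to bind all interfaces, so the plaintext HTTP listener that nginx fronts over TLS is also reachable directly on port 3000 from outside unless a host or cloud firewall blocks it, and nothing in this commit adds one. Add `HTTP_ADDR = 127.0.0.1` under `[server]` so only the local reverse proxy can reach it. The `[database]` section also keeps MySQL-style `HOST`, `USER`, `PASSWD`, `SCHEMA` and `SSL_MODE` keys under `DB_TYPE = sqlite3`; they are ignored but will mislead the next reader, so drop them or note in a comment that they are leftovers from the default template.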
@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
\ No newline at end of file
diff --git a/prod/gitea/terraform/.terraform.lock.hcl b/prod/gitea/terraform/.terraform.lock.hcl
new file mode 100755
index 0000000..3cc9bda
--- /dev/null
+++ b/prod/gitea/terraform/.terraform.lock.hcl
@@ -0,0 +1,40 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/digitalocean/digitalocean" { + version = "2.3.0" + constraints = "~> 2.3.0" + hashes = [ + "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=", + "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9", + "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84", + "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca", + "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb", + "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6", + "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021", + "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907", + "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8", + "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6", + "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be", + "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5", + "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7", + "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.0.0" + hashes = [ + "h1:pO1ANXtOCRfecKsY9Hn4UsXoPBLv6LFiDIEiS1MZ09E=", + "zh:34ce8b79493ace8333d094752b579ccc907fa9392a2c1d6933a6c95d0786d3f1", + "zh:5c5a19c4f614a4ffb68bae0b0563f3860115cf7539b8adc21108324cfdc10092", + "zh:67ddb1ca2cd3e1a8f948302597ceb967f19d2eeb2d125303493667388fe6330e", + "zh:68e6b16f3a8e180fcba1a99754118deb2d82331b51f6cca39f04518339bfdfa6", + "zh:8393a12eb11598b2799d51c9b0a922a3d9fadda5a626b94a1b4914086d53120e", + "zh:90daea4b2010a86f2aca1e3a9590e0b3ddcab229c2bd3685fae76a832e9e836f", + "zh:99308edc734a0ac9149b44f8e316ca879b2670a1cae387a8ae754c180b57cdb4", + "zh:c76594db07a9d1a73372a073888b672df64adb455d483c2426cc220eda7e092e", + 
"zh:dc09c1fb36c6a706bdac96cce338952888c8423978426a09f5df93031aa88b84", + "zh:deda88134e9780319e8de91b3745520be48ead6ec38cb662694d09185c3dac70", + ] +} diff --git a/prod/gitea/terraform/main.tf b/prod/gitea/terraform/main.tf new file mode 100644 index 0000000..4efe8a3 --- /dev/null +++ b/prod/gitea/terraform/main.tf @@ -0,0 +1,32 @@ +provider "digitalocean" { + token = var.do_token + spaces_access_id = var.spaces_access_id + spaces_secret_key = var.spaces_secret_key +} + +module "packer_droplet" { + source = "../../../terraform-modules/packer_droplet" + name = "gitea" + do_token = var.do_token + spaces_access_id = var.spaces_access_id + spaces_secret_key = var.spaces_secret_key +} + +resource "digitalocean_volume" "gitea_volume" { + name = "gitea-volume" + description = "The volume to hold Gitea repositories and data" + region = "nyc1" + size = 20 + initial_filesystem_label = "gitea-volume" + initial_filesystem_type = "ext4" + tags = ["terraform"] + + lifecycle { + prevent_destroy = true + } +} + +resource "digitalocean_volume_attachment" "gitea" { + droplet_id = module.packer_droplet.droplet_id + volume_id = digitalocean_volume.gitea_volume.id +} diff --git a/prod/gitea/terraform/outputs.tf b/prod/gitea/terraform/outputs.tf new file mode 100644 index 0000000..5f753b4 --- /dev/null +++ b/prod/gitea/terraform/outputs.tf @@ -0,0 +1,11 @@ +output "gitea_ip_address" { + value = module.packer_droplet.droplet_ip_address +} + +output "gitea_urn" { + value = module.packer_droplet.droplet_urn +} + +output "gitea_volume_urn" { + value = digitalocean_volume.gitea_volume.urn +} diff --git a/prod/git-jeremydormitzer-com/terraform/terraform.tf b/prod/gitea/terraform/terraform.tf similarity index 86% rename from prod/git-jeremydormitzer-com/terraform/terraform.tf rename to prod/gitea/terraform/terraform.tf index 5a46fa2..4db9a04 100644 --- a/prod/git-jeremydormitzer-com/terraform/terraform.tf +++ b/prod/gitea/terraform/terraform.tf 
@@ -13,6 +13,6 @@ terraform {
 region = "us-east-1"
 endpoint = "nyc3.digitaloceanspaces.com"
 bucket = "jdormit-tf-state"
- key = "prod/git-jeremydormitzer-com.tfstate"
+ key = "prod/gitea.tfstate"
 }
 }
diff --git a/prod/git-jeremydormitzer-com/terraform/variables.tf b/prod/gitea/terraform/variables.tf
similarity index 100%
rename from prod/git-jeremydormitzer-com/terraform/variables.tf
rename to prod/gitea/terraform/variables.tf
diff --git a/prod/jdormit-website-netlify/terraform/.envrc b/prod/jdormit-website-netlify/terraform/.envrc
index fdf9587..185907a 100644
--- a/prod/jdormit-website-netlify/terraform/.envrc
+++ b/prod/jdormit-website-netlify/terraform/.envrc
@@ -1,3 +1,10 @@
 source_up
-export TF_VAR_netlify_token=$(pass netlify-terraform-access-token)
+# export TF_VAR_netlify_token=$(pass netlify-terraform-access-token)
+
+if [ -f ".env.local" ]; then
+ echo "sourcing .env.local"
+ set -a
+ source ".env.local"
+ set +a
+fi
diff --git a/prod/justin-ghost-site/ansible/.envrc b/prod/justin-ghost-site/ansible/.envrc
deleted file mode 100644
index 0512d72..0000000
--- a/prod/justin-ghost-site/ansible/.envrc
+++ /dev/null
@@ -1 +0,0 @@
-export ANSIBLE_INVENTORY="$(expand_path hosts.ini)"
diff --git a/prod/justin-ghost-site/ansible/hosts.ini b/prod/justin-ghost-site/ansible/hosts.ini
deleted file mode 100644
index f563a28..0000000
--- a/prod/justin-ghost-site/ansible/hosts.ini
+++ /dev/null
@@ -1 +0,0 @@
-justindormitzer.com ansible_host=167.71.186.105 ansible_user=root
\ No newline at end of file
diff --git a/prod/syncthing/packer/.envrc b/prod/syncthing/packer/.envrc
index c4eb045..6ab305a 100644
--- a/prod/syncthing/packer/.envrc
+++ b/prod/syncthing/packer/.envrc
@@ -1,8 +1,15 @@
 source_up
-export SYNCTHING_USER=$(pass packer-syncthing-user)
-export SYNCTHING_PW=$(pass packer-syncthing-pw)
-export SYNCTHING_API_KEY=$(pass packer-syncthing-api-key)
-export SYNCTHING_CERT_PEM=$(pass packer-syncthing-cert.pem)
-export SYNCTHING_KEY_PEM=$(pass packer-syncthing-key.pem)
-export CERTBOT_EMAIL=$(pass certbot-email)
+# export SYNCTHING_USER=$(pass packer-syncthing-user)
+# export SYNCTHING_PW=$(pass packer-syncthing-pw)
+# export SYNCTHING_API_KEY=$(pass packer-syncthing-api-key)
+# export SYNCTHING_CERT_PEM=$(pass packer-syncthing-cert.pem)
+# export SYNCTHING_KEY_PEM=$(pass packer-syncthing-key.pem)
+# export CERTBOT_EMAIL=$(pass certbot-email)
+
+if [ -f ".env.local" ]; then
+ echo "sourcing .env.local"
+ set -a
+ source ".env.local"
+ set +a
+fi
diff --git a/prod/wallabag/packer/.envrc b/prod/wallabag/packer/.envrc
index 9e78ee2..c2bdd0d 100644
--- a/prod/wallabag/packer/.envrc
+++ b/prod/wallabag/packer/.envrc
@@ -1,14 +1,21 @@
 source_up
-export WALLABAG_MAILGUN_PASSWORD=$(pass packer-wallabag-mailgun-password)
-export WALLABAG_SECRET=$(pass packer-wallabag-secret)
-export WALLABAG_PASSWORD=$(pass wallabag.jeremydormitzer.com)
-export WALLABAG_WALLABAGER_ID=$(pass packer-wallabag-wallabager-id)
-export WALLABAG_WALLABAGER_SECRET=$(pass packer-wallabag-wallabager-secret)
-export WALLABAG_ANDROID_APP_ID=$(pass packer-wallabag-android-app-id)
-export WALLABAG_ANDROID_APP_SECRET=$(pass packer-wallabag-android-app-secret)
-export WALLABAG_IPAD_ID=$(pass packer-wallabag-ipad-id)
-export WALLABAG_IPAD_SECRET=$(pass packer-wallabag-ipad-secret)
-export WALLABAG_WALLABAG_EL_ID=$(pass packer-wallabag-wallabag.el-id)
-export WALLABAG_WALLABAG_EL_SECRET=$(pass packer-wallabag-wallabag.el-secret)
-export CERTBOT_EMAIL=$(pass certbot-email)
+# export WALLABAG_MAILGUN_PASSWORD=$(pass packer-wallabag-mailgun-password)
+# export WALLABAG_SECRET=$(pass packer-wallabag-secret)
+# export WALLABAG_PASSWORD=$(pass wallabag.jeremydormitzer.com)
+# export WALLABAG_WALLABAGER_ID=$(pass packer-wallabag-wallabager-id)
+# export WALLABAG_WALLABAGER_SECRET=$(pass packer-wallabag-wallabager-secret)
+# export WALLABAG_ANDROID_APP_ID=$(pass packer-wallabag-android-app-id)
+# export WALLABAG_ANDROID_APP_SECRET=$(pass packer-wallabag-android-app-secret)
+# export WALLABAG_IPAD_ID=$(pass packer-wallabag-ipad-id)
+# export WALLABAG_IPAD_SECRET=$(pass packer-wallabag-ipad-secret)
+# export WALLABAG_WALLABAG_EL_ID=$(pass packer-wallabag-wallabag.el-id)
+# export WALLABAG_WALLABAG_EL_SECRET=$(pass packer-wallabag-wallabag.el-secret)
+# export CERTBOT_EMAIL=$(pass certbot-email)
+
+if [ -f ".env.local" ]; then
+ echo "sourcing .env.local"
+ set -a
+ source ".env.local"
+ set +a
+fi