Merge pull request 'Packer-ized Gitea' (#1) from jdormit/git-jeremydormitzer-com-packer into master

Reviewed-on: #1

.envrc

@@ -1,9 +1,9 @@
 PATH_add bin
 
-export TF_VAR_do_token=$(pass jdormit-infra-do-token)
+# export TF_VAR_do_token=$(pass jdormit-infra-do-token)
-export DIGITALOCEAN_API_TOKEN=$(pass jdormit-infra-do-token)
+# export DIGITALOCEAN_API_TOKEN=$(pass jdormit-infra-do-token)
-export TF_VAR_spaces_access_id=$(pass jdormit-infra-spaces-access-id)
+# export TF_VAR_spaces_access_id=$(pass jdormit-infra-spaces-access-id)
-export TF_VAR_spaces_secret_key=$(pass jdormit-infra-spaces-secret-key)
+# export TF_VAR_spaces_secret_key=$(pass jdormit-infra-spaces-secret-key)
 
 if [ -f ".env.local" ]; then
     echo "sourcing .env.local"

.gitignore

@@ -1,4 +1,4 @@
-/.env.local
+.env.local
 /backend-config.tf
 */**/.terraform
 *.tfstate*

mgmt/do-jeremydormitzer-com/terraform/data.tf

@@ -9,7 +9,7 @@ data "terraform_remote_state" "git_jeremydormitzer_com" {
     region                      = "us-east-1"
     endpoint                    = "nyc3.digitaloceanspaces.com"
     bucket                      = "jdormit-tf-state"
-    key                         = "prod/git-jeremydormitzer-com.tfstate"
+    key                         = "prod/gitea.tfstate"
   }
 }
 

mgmt/do-jeremydormitzer-com/terraform/main.tf

@@ -46,7 +46,7 @@ resource "digitalocean_record" "git" {
   domain = digitalocean_domain.jeremydormitzer_com.name
   type   = "A"
   name   = "git"
-  value  = data.terraform_remote_state.git_jeremydormitzer_com.outputs.git_ip_address
+  value  = data.terraform_remote_state.git_jeremydormitzer_com.outputs.gitea_ip_address
   ttl    = 3600
 }
 

mgmt/do-project-jeremydormitzer/terraform/data.tf

@@ -1,4 +1,4 @@
-data "terraform_remote_state" "jdormit_website" {
+data "terraform_remote_state" "gitea" {
   backend = "s3"
 
   config = {
@@ -9,22 +9,7 @@ data "terraform_remote_state" "jdormit_website" {
     region                      = "us-east-1"
     endpoint                    = "nyc3.digitaloceanspaces.com"
     bucket                      = "jdormit-tf-state"
-    key                         = "prod/jdormit-website.tfstate"
+    key                         = "prod/gitea.tfstate"
-  }
-}
-
-data "terraform_remote_state" "git_jeremydormitzer_com" {
-  backend = "s3"
-
-  config = {
-    skip_credentials_validation = true
-    skip_metadata_api_check     = true
-    access_key                  = var.spaces_access_id
-    secret_key                  = var.spaces_secret_key
-    region                      = "us-east-1"
-    endpoint                    = "nyc3.digitaloceanspaces.com"
-    bucket                      = "jdormit-tf-state"
-    key                         = "prod/git-jeremydormitzer-com.tfstate"
   }
 }
 
@@ -72,3 +57,33 @@ data "terraform_remote_state" "jeremydormitzer_com" {
     key                         = "mgmt/do-dns.tfstate"
   }
 }
+
+data "terraform_remote_state" "spaces" {
+  backend = "s3"
+
+  config = {
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    access_key                  = var.spaces_access_id
+    secret_key                  = var.spaces_secret_key
+    region                      = "us-east-1"
+    endpoint                    = "nyc3.digitaloceanspaces.com"
+    bucket                      = "jdormit-tf-state"
+    key                         = "mgmt/do-spaces.tfstate"
+  }
+}
+
+data "terraform_remote_state" "wallabag" {
+  backend = "s3"
+
+  config = {
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    access_key                  = var.spaces_access_id
+    secret_key                  = var.spaces_secret_key
+    region                      = "us-east-1"
+    endpoint                    = "nyc3.digitaloceanspaces.com"
+    bucket                      = "jdormit-tf-state"
+    key                         = "prod/wallabag.tfstate"
+  }
+}

mgmt/do-project-jeremydormitzer/terraform/main.tf

@@ -10,11 +10,13 @@ resource "digitalocean_project" "jeremy_dormitzer" {
   description = "Personal infrastructure"
   purpose     = "Personal infrastructure"
   resources = [
-    data.terraform_remote_state.jdormit_website.outputs.jdormit_website_urn,
+    data.terraform_remote_state.gitea.outputs.gitea_urn,
-    data.terraform_remote_state.git_jeremydormitzer_com.outputs.git_urn,
+    data.terraform_remote_state.gitea.outputs.gitea_volume_urn,
-    data.terraform_remote_state.syncthing.outputs.syncthing_urn,
+    data.terraform_remote_state.syncthing.outputs.urn,
-    data.terraform_remote_state.syncthing.outputs.syncthing_volume_urn,
+    data.terraform_remote_state.syncthing.outputs.volume_urn,
     data.terraform_remote_state.justin_ghost_site.outputs.justin_ghost_site_urn,
-    data.terraform_remote_state.jeremydormitzer_com.outputs.jeremydormitzer_com_urn
+    data.terraform_remote_state.jeremydormitzer_com.outputs.jeremydormitzer_com_urn,
+    data.terraform_remote_state.spaces.outputs.jdormit_infra_bucket_urn,
+    data.terraform_remote_state.wallabag.outputs.urn
   ]
 }

mgmt/do-spaces/terraform/.terraform.lock.hcl

@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.3.0"
+  constraints = "~> 2.3.0"
+  hashes = [
+    "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=",
+    "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9",
+    "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84",
+    "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca",
+    "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb",
+    "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6",
+    "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021",
+    "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907",
+    "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8",
+    "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6",
+    "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be",
+    "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5",
+    "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7",
+    "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d",
+  ]
+}

mgmt/do-spaces/terraform/outputs.tf

@@ -0,0 +1,3 @@
+output "jdormit_infra_bucket_urn" {
+  value = digitalocean_spaces_bucket.jdormit_tf_state.urn
+}

prod/git-jeremydormitzer-com/ansible/.envrc

@@ -1 +0,0 @@
-export ANSIBLE_INVENTORY="$(expand_path hosts.ini)"

prod/git-jeremydormitzer-com/ansible/hosts.ini

@@ -1 +0,0 @@
-git.jeremydormitzer.com

prod/git-jeremydormitzer-com/terraform/main.tf

@@ -1,14 +0,0 @@
-provider "digitalocean" {
-  token             = var.do_token
-  spaces_access_id  = var.spaces_access_id
-  spaces_secret_key = var.spaces_secret_key
-}
-
-resource "digitalocean_droplet" "git_jeremydormitzer_com" {
-  name    = "git.jeremydormitzer.com"
-  image   = "41695378"
-  region  = "nyc3"
-  size    = "s-1vcpu-1gb"
-  backups = true
-  tags    = ["terraform"]
-}

prod/git-jeremydormitzer-com/terraform/outputs.tf

@@ -1,7 +0,0 @@
-output "git_ip_address" {
-  value = digitalocean_droplet.git_jeremydormitzer_com.ipv4_address
-}
-
-output "git_urn" {
-  value = digitalocean_droplet.git_jeremydormitzer_com.urn
-}

prod/gitea/packer/.envrc

@@ -0,0 +1,15 @@
+source_up
+
+# export GITEA_MAILGUN_PASSWORD=$(pass noreply@mg.git.jeremydormitzer.com)
+# export GITEA_LFS_JWT_SECRET=$(pass packer-gitea-lfs-jwt-secret)
+# export GITEA_SECRET_KEY=$(pass packer-gitea-secret-key)
+# export GITEA_INTERNAL_TOKEN=$(pass packer-gitea-internal-token)
+# export GITEA_JWT_SECRET=$(pass packer-gitea-jwt-secret)
+# export CERTBOT_EMAIL=$(pass certbot-email)
+
+if [ -f ".env.local" ]; then
+    echo "sourcing .env.local"
+    set -a
+    source ".env.local"
+    set +a
+fi

prod/gitea/packer/.gitignore

@@ -0,0 +1,3 @@
+files/app.ini
+tmp/
+certbot/

prod/gitea/packer/Makefile

@@ -0,0 +1,39 @@
+.PHONY: reissue-certs
+
+packer-manifest.json: gitea.json \
+                      scripts/dependencies.sh \
+                      scripts/volume.sh \
+                      files/gitea.service \
+                      files/app.ini \
+                      scripts/gitea.sh \
+                      files/gitea-nginx.conf \
+                      scripts/nginx.sh \
+                      certbot/live/git.jeremydormitzer.com/fullchain.pem \
+                      certbot/live/git.jeremydormitzer.com/privkey.pem
+	packer build gitea.json
+
+files/app.ini: templates/app.ini.template
+	sigil -p -f templates/app.ini.template > files/app.ini
+
+certbot/live/git.jeremydormitzer.com/fullchain.pem certbot/live/git.jeremydormitzer.com/privkey.pem &: tmp/do.ini
+	certbot certonly -n \
+                         --agree-tos \
+                         --email ${CERTBOT_EMAIL} \
+                         --dns-digitalocean \
+                         --dns-digitalocean-credentials tmp/do.ini \
+                         --config-dir ./certbot \
+                         --work-dir ./certbot \
+                         --logs-dir ./certbot \
+                         -d git.jeremydormitzer.com
+
+
+tmp/do.ini: templates/do.ini.template tmp
+	sigil -p -f templates/do.ini.template > tmp/do.ini
+	chmod 600 tmp/do.ini
+
+tmp:
+	mkdir tmp
+
+reissue-certs:
+	rm -rf certbot
+	make

prod/gitea/packer/files/gitea-nginx.conf

@@ -0,0 +1,28 @@
+server {
+    listen [::]:443 ssl ipv6only=on;
+    listen 443 ssl;
+
+    ssl_certificate /var/www/gitea/fullchain.pem;
+    ssl_certificate_key /var/www/gitea/privkey.pem;
+
+    ssl_session_cache shared:le_nginx_SSL:1m;
+    ssl_session_timeout 1440m;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+
+    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+    error_log /var/log/nginx/gitea_error.log;
+    access_log /var/log/nginx/gitea_access.log;
+
+    location / {
+        proxy_pass http://localhost:3000;
+    }
+}
+
+server {
+       listen 80;
+       listen [::]:80;
+       return 301 https://$host$request_uri;
+}

prod/gitea/packer/files/gitea.service

@@ -0,0 +1,74 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service requirements
+###
+#
+#Requires=mysql.service
+#Requires=mariadb.service
+#Requires=postgresql.service
+#Requires=memcached.service
+#Requires=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+# (You can also provide gitea an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/gitea.main.socket
+###
+##
+## [Unit]
+## Description=Gitea Web Socket
+## PartOf=gitea.service
+##
+## [Socket]
+## Service=gitea.service
+## ListenStream=<some_port>
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/mnt/gitea/
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/mnt/gitea
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target

prod/gitea/packer/gitea.json

@@ -0,0 +1,60 @@
+{
+  "builders": [
+    {
+      "type": "digitalocean",
+      "image": "ubuntu-20-04-x64",
+      "region": "nyc1",
+      "size": "s-1vcpu-1gb",
+      "snapshot_name": "packer-gitea-{{timestamp}}",
+      "ssh_username": "root"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "shell",
+      "script": "scripts/dependencies.sh"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/volume.sh"
+    },
+    {
+      "type": "file",
+      "source": "files/app.ini",
+      "destination": "/tmp/app.ini"
+    },
+    {
+      "type": "file",
+      "source": "files/gitea.service",
+      "destination": "/tmp/gitea.service"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/gitea.sh"
+    },
+    {
+      "type": "file",
+      "source": "files/gitea-nginx.conf",
+      "destination": "/tmp/gitea-nginx.conf"
+    },
+    {
+      "type": "file",
+      "source": "certbot/live/git.jeremydormitzer.com/fullchain.pem",
+      "destination": "/tmp/fullchain.pem"
+    },
+    {
+      "type": "file",
+      "source": "certbot/live/git.jeremydormitzer.com/privkey.pem",
+      "destination": "/tmp/privkey.pem"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/nginx.sh"
+    }
+  ],
+  "post-processors": [
+    {
+      "type": "manifest"
+    }
+  ]
+}

prod/gitea/packer/packer-manifest.json

@@ -0,0 +1,131 @@
+{
+  "builds": [
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611352765,
+      "files": null,
+      "artifact_id": "nyc1:77396506",
+      "packer_run_uuid": "a93bca03-f67e-e630-7606-c12222ae21db",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611355972,
+      "files": null,
+      "artifact_id": "nyc1:77399380",
+      "packer_run_uuid": "2c306ac5-20fe-3e4e-9329-c62b03621d95",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611356707,
+      "files": null,
+      "artifact_id": "nyc1:77400402",
+      "packer_run_uuid": "1d401331-1f3f-cfaa-d610-66f06eef5986",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611357084,
+      "files": null,
+      "artifact_id": "nyc1:77400747",
+      "packer_run_uuid": "c40a3d6a-e3a8-099a-1bd1-86f4026a158f",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611357475,
+      "files": null,
+      "artifact_id": "nyc1:77401090",
+      "packer_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611589317,
+      "files": null,
+      "artifact_id": "nyc1:77556065",
+      "packer_run_uuid": "e2582fd0-50a1-ff12-55d4-e2b8c3d8f219",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611590422,
+      "files": null,
+      "artifact_id": "nyc1:77556468",
+      "packer_run_uuid": "fc433d91-57be-76b1-8556-9db7db2bec1a",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611592717,
+      "files": null,
+      "artifact_id": "nyc1:77557404",
+      "packer_run_uuid": "263c77ab-063b-0cdc-fa3b-2ade99fc7c13",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611593408,
+      "files": null,
+      "artifact_id": "nyc1:77557615",
+      "packer_run_uuid": "19edc202-d12a-44ac-45ca-b4bb7ad9b50d",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611597797,
+      "files": null,
+      "artifact_id": "nyc1:77559148",
+      "packer_run_uuid": "e6bf1c31-9406-7aec-c5b4-e1a7e43bb712",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611598412,
+      "files": null,
+      "artifact_id": "nyc1:77559258",
+      "packer_run_uuid": "808d4681-7b0f-cda7-9dde-fc47861f18c5",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611599594,
+      "files": null,
+      "artifact_id": "nyc1:77560033",
+      "packer_run_uuid": "dfbec72e-764d-5f5c-8a58-f82102f1b295",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611608782,
+      "files": null,
+      "artifact_id": "nyc1:77566816",
+      "packer_run_uuid": "88d9d9f3-e664-2d8b-fafb-8c0a63bdc418",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611613275,
+      "files": null,
+      "artifact_id": "nyc1:77570642",
+      "packer_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64",
+      "custom_data": null
+    }
+  ],
+  "last_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64"
+}

prod/gitea/packer/scripts/dependencies.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo apt-get update
+sudo apt-get install -y git bindfs

prod/gitea/packer/scripts/gitea.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -ex
+
+adduser \
+   --system \
+   --shell /bin/bash \
+   --gecos 'Git Version Control' \
+   --group \
+   --disabled-password \
+   --home /home/git \
+   git
+
+mkdir /etc/gitea
+mv /tmp/app.ini /etc/gitea/app.ini
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 660 /etc/gitea/app.ini
+
+wget -O gitea https://dl.gitea.io/gitea/1.13.1/gitea-1.13.1-linux-amd64
+chmod +x gitea
+mv gitea /usr/local/bin/
+
+mv /tmp/gitea.service /etc/systemd/system/gitea.service
+systemctl enable gitea

prod/gitea/packer/scripts/nginx.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo apt-get install -y nginx
+sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf
+sudo ln -s /etc/nginx/sites-available/gitea.conf \
+     /etc/nginx/sites-enabled/
+sudo unlink /etc/nginx/sites-enabled/default
+
+sudo mkdir -p /var/www/gitea
+sudo mv /tmp/fullchain.pem /var/www/gitea/fullchain.pem
+sudo mv /tmp/privkey.pem /var/www/gitea/privkey.pem
+chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem
+
+sudo systemctl enable nginx

prod/gitea/packer/scripts/volume.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo echo "/dev/disk/by-label/gitea-volume /mnt/gitea-volume ext4 defaults,nofail,discard,noatime 0 2" >> /etc/fstab
+sudo echo "/mnt/gitea-volume /mnt/gitea fuse.bindfs force-user=git,force-group=git 0 0" >> /etc/fstab
+sudo echo "/mnt/gitea/.ssh /home/git/.ssh fuse.bindfs force-user=git,force-group=git,perms=700" >> /etc/fstab

prod/gitea/packer/templates/app.ini.template

@@ -0,0 +1,77 @@
+APP_NAME = Jeremy Dormitzer's Git Forge
+RUN_USER = git
+RUN_MODE = prod
+
+[oauth2]
+JWT_SECRET = ${GITEA_JWT_SECRET:?}
+
+[security]
+INSTALL_LOCK   = true
+INTERNAL_TOKEN = ${GITEA_INTERNAL_TOKEN:?}
+SECRET_KEY     = ${GITEA_SECRET_KEY:?}
+
+[database]
+DB_TYPE  = sqlite3
+HOST     = 127.0.0.1:3306
+NAME     = gitea
+USER     = gitea
+PASSWD   = 
+SCHEMA   = 
+SSL_MODE = disable
+CHARSET  = utf8
+PATH     = /mnt/gitea/gitea.db
+LOG_SQL  = false
+
+[repository]
+ROOT = /mnt/gitea/gitea-repositories
+ENABLE_PUSH_CREATE_USER = true
+
+[server]
+SSH_DOMAIN       = git.jeremydormitzer.com
+DOMAIN           = git.jeremydormitzer.com
+HTTP_PORT        = 3000
+ROOT_URL         = https://git.jeremydormitzer.com/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /mnt/gitea/lfs
+LFS_JWT_SECRET   = ${GITEA_LFS_JWT_SECRET:?}
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = true
+HOST    = smtp.mailgun.org:587
+FROM    = Jeremy Dormitzer's Git Forge <noreply@git.jeremydormitzer.com>
+USER    = noreply@mg.git.jeremydormitzer.com
+PASSWD  = ${GITEA_MAILGUN_PASSWORD:?}
+
+[service]
+REGISTER_EMAIL_CONFIRM            = true
+ENABLE_NOTIFY_MAIL                = true
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE                 = console
+LEVEL                = info
+ROOT_PATH            = /mnt/gitea/log
+REDIRECT_MACARON_LOG = true
+MACARON              = console
+ROUTER               = console

prod/gitea/packer/templates/do.ini.template

@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}

prod/gitea/terraform/.terraform.lock.hcl

@@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.3.0"
+  constraints = "~> 2.3.0"
+  hashes = [
+    "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=",
+    "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9",
+    "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84",
+    "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca",
+    "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb",
+    "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6",
+    "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021",
+    "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907",
+    "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8",
+    "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6",
+    "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be",
+    "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5",
+    "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7",
+    "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.0.0"
+  hashes = [
+    "h1:pO1ANXtOCRfecKsY9Hn4UsXoPBLv6LFiDIEiS1MZ09E=",
+    "zh:34ce8b79493ace8333d094752b579ccc907fa9392a2c1d6933a6c95d0786d3f1",
+    "zh:5c5a19c4f614a4ffb68bae0b0563f3860115cf7539b8adc21108324cfdc10092",
+    "zh:67ddb1ca2cd3e1a8f948302597ceb967f19d2eeb2d125303493667388fe6330e",
+    "zh:68e6b16f3a8e180fcba1a99754118deb2d82331b51f6cca39f04518339bfdfa6",
+    "zh:8393a12eb11598b2799d51c9b0a922a3d9fadda5a626b94a1b4914086d53120e",
+    "zh:90daea4b2010a86f2aca1e3a9590e0b3ddcab229c2bd3685fae76a832e9e836f",
+    "zh:99308edc734a0ac9149b44f8e316ca879b2670a1cae387a8ae754c180b57cdb4",
+    "zh:c76594db07a9d1a73372a073888b672df64adb455d483c2426cc220eda7e092e",
+    "zh:dc09c1fb36c6a706bdac96cce338952888c8423978426a09f5df93031aa88b84",
+    "zh:deda88134e9780319e8de91b3745520be48ead6ec38cb662694d09185c3dac70",
+  ]
+}

prod/gitea/terraform/main.tf

@@ -0,0 +1,32 @@
+provider "digitalocean" {
+  token             = var.do_token
+  spaces_access_id  = var.spaces_access_id
+  spaces_secret_key = var.spaces_secret_key
+}
+
+module "packer_droplet" {
+  source            = "../../../terraform-modules/packer_droplet"
+  name              = "gitea"
+  do_token          = var.do_token
+  spaces_access_id  = var.spaces_access_id
+  spaces_secret_key = var.spaces_secret_key
+}
+
+resource "digitalocean_volume" "gitea_volume" {
+  name                     = "gitea-volume"
+  description              = "The volume to hold Gitea repositories and data"
+  region                   = "nyc1"
+  size                     = 20
+  initial_filesystem_label = "gitea-volume"
+  initial_filesystem_type  = "ext4"
+  tags                     = ["terraform"]
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "digitalocean_volume_attachment" "gitea" {
+  droplet_id = module.packer_droplet.droplet_id
+  volume_id  = digitalocean_volume.gitea_volume.id
+}

prod/gitea/terraform/outputs.tf

@@ -0,0 +1,11 @@
+output "gitea_ip_address" {
+  value = module.packer_droplet.droplet_ip_address
+}
+
+output "gitea_urn" {
+  value = module.packer_droplet.droplet_urn
+}
+
+output "gitea_volume_urn" {
+  value = digitalocean_volume.gitea_volume.urn
+}

prod/gitea/terraform/terraform.tf

@@ -13,6 +13,6 @@ terraform {
     region                      = "us-east-1"
     endpoint                    = "nyc3.digitaloceanspaces.com"
     bucket                      = "jdormit-tf-state"
-    key                         = "prod/git-jeremydormitzer-com.tfstate"
+    key                         = "prod/gitea.tfstate"
   }
 }

prod/jdormit-website-netlify/terraform/.envrc

@@ -1,3 +1,10 @@
 source_up
 
-export TF_VAR_netlify_token=$(pass netlify-terraform-access-token)
+# export TF_VAR_netlify_token=$(pass netlify-terraform-access-token)
+
+if [ -f ".env.local" ]; then
+    echo "sourcing .env.local"
+    set -a
+    source ".env.local"
+    set +a
+fi

prod/justin-ghost-site/ansible/.envrc

@@ -1 +0,0 @@
-export ANSIBLE_INVENTORY="$(expand_path hosts.ini)"

prod/justin-ghost-site/ansible/hosts.ini

@@ -1 +0,0 @@
-justindormitzer.com ansible_host=167.71.186.105 ansible_user=root

prod/syncthing/packer/.envrc

@@ -1,8 +1,15 @@
 source_up
 
-export SYNCTHING_USER=$(pass packer-syncthing-user)
+# export SYNCTHING_USER=$(pass packer-syncthing-user)
-export SYNCTHING_PW=$(pass packer-syncthing-pw)
+# export SYNCTHING_PW=$(pass packer-syncthing-pw)
-export SYNCTHING_API_KEY=$(pass packer-syncthing-api-key)
+# export SYNCTHING_API_KEY=$(pass packer-syncthing-api-key)
-export SYNCTHING_CERT_PEM=$(pass packer-syncthing-cert.pem)
+# export SYNCTHING_CERT_PEM=$(pass packer-syncthing-cert.pem)
-export SYNCTHING_KEY_PEM=$(pass packer-syncthing-key.pem)
+# export SYNCTHING_KEY_PEM=$(pass packer-syncthing-key.pem)
-export CERTBOT_EMAIL=$(pass certbot-email)
+# export CERTBOT_EMAIL=$(pass certbot-email)
+
+if [ -f ".env.local" ]; then
+    echo "sourcing .env.local"
+    set -a
+    source ".env.local"
+    set +a
+fi

prod/wallabag/packer/.envrc

@@ -1,14 +1,21 @@
 source_up
 
-export WALLABAG_MAILGUN_PASSWORD=$(pass packer-wallabag-mailgun-password)
+# export WALLABAG_MAILGUN_PASSWORD=$(pass packer-wallabag-mailgun-password)
-export WALLABAG_SECRET=$(pass packer-wallabag-secret)
+# export WALLABAG_SECRET=$(pass packer-wallabag-secret)
-export WALLABAG_PASSWORD=$(pass wallabag.jeremydormitzer.com)
+# export WALLABAG_PASSWORD=$(pass wallabag.jeremydormitzer.com)
-export WALLABAG_WALLABAGER_ID=$(pass packer-wallabag-wallabager-id)
+# export WALLABAG_WALLABAGER_ID=$(pass packer-wallabag-wallabager-id)
-export WALLABAG_WALLABAGER_SECRET=$(pass packer-wallabag-wallabager-secret)
+# export WALLABAG_WALLABAGER_SECRET=$(pass packer-wallabag-wallabager-secret)
-export WALLABAG_ANDROID_APP_ID=$(pass packer-wallabag-android-app-id)
+# export WALLABAG_ANDROID_APP_ID=$(pass packer-wallabag-android-app-id)
-export WALLABAG_ANDROID_APP_SECRET=$(pass packer-wallabag-android-app-secret)
+# export WALLABAG_ANDROID_APP_SECRET=$(pass packer-wallabag-android-app-secret)
-export WALLABAG_IPAD_ID=$(pass packer-wallabag-ipad-id)
+# export WALLABAG_IPAD_ID=$(pass packer-wallabag-ipad-id)
-export WALLABAG_IPAD_SECRET=$(pass packer-wallabag-ipad-secret)
+# export WALLABAG_IPAD_SECRET=$(pass packer-wallabag-ipad-secret)
-export WALLABAG_WALLABAG_EL_ID=$(pass packer-wallabag-wallabag.el-id)
+# export WALLABAG_WALLABAG_EL_ID=$(pass packer-wallabag-wallabag.el-id)
-export WALLABAG_WALLABAG_EL_SECRET=$(pass packer-wallabag-wallabag.el-secret)
+# export WALLABAG_WALLABAG_EL_SECRET=$(pass packer-wallabag-wallabag.el-secret)
-export CERTBOT_EMAIL=$(pass certbot-email)
+# export CERTBOT_EMAIL=$(pass certbot-email)
+
+if [ -f ".env.local" ]; then
+    echo "sourcing .env.local"
+    set -a
+    source ".env.local"
+    set +a
+fi