init: copy from lawndale-infra

.drone.yml

@@ -0,0 +1,85 @@
+---
+kind: pipeline
+type: kubernetes
+name: Terraform root module
+
+environment:
+  TF_IN_AUTOMATION: "1"
+  GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no -i $${PWD}/id_rsa"
+
+trigger:
+  ref:
+    - refs/heads/main
+    - refs/pull/*/head
+
+steps:
+- name: terraform init
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa
+    - chmod 600 id_rsa
+    - terraform init
+  environment:
+    CI_SSH_KEY:
+      from_secret: ci-ssh-key
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+
+- name: terraform plan
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - terraform plan -out .tfplan
+  environment:
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+
+- name: terraform apply
+  when:
+    branch:
+    - main
+    event:
+    - push
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - terraform apply .tfplan
+  environment:
+    AWS_ACCESS_KEY_ID:
+      from_secret: terraform-aws-key-id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: terraform-aws-secret-access-key
+    KUBE_TOKEN:
+      from_secret: lawndale-k8s-ci-token
+
+---
+kind: pipeline
+type: kubernetes
+name: Check docs and format
+
+environment:
+  TF_IN_AUTOMATION: "1"
+
+trigger:
+  ref:
+    - refs/pull/*/head
+
+steps:
+- name: format and generate docs
+  image: hashicorp/terraform:1.1.8
+  commands:
+    - apk add bash wget 
+    - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
+    - terraform fmt
+    - terraform-docs .
+    - git diff --exit-code
+
+---
+kind: signature
+hmac: 368164860598a6980892222216f3b14f9effbe392f5b13616df251115ae82719
+
+...

.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.terraform-docs.yml

@@ -0,0 +1,5 @@
+formatter: markdown document
+
+output:
+  mode: inject
+  file: README.md

README.md

@@ -0,0 +1,69 @@
+# Terraform module for Gitea deployment
+[![Build Status](https://drone.thomasklein.me/api/badges/thomasklein/terraform-app-gitea/status.svg)](https://drone.thomasklein.me/thomasklein/terraform-app-gitea)
+
+This module manages the gitea installation on lawndale.
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+The following requirements are needed by this module:
+
+- <a name="requirement_aws"></a> [aws](#requirement\_aws) (~> 4.9.0)
+
+- <a name="requirement_helm"></a> [helm](#requirement\_helm) (~> 2.5.1)
+
+- <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) (~> 2.11.0)
+
+## Providers
+
+The following providers are used by this module:
+
+- <a name="provider_aws"></a> [aws](#provider\_aws) (~> 4.9.0)
+
+- <a name="provider_helm"></a> [helm](#provider\_helm) (~> 2.5.1)
+
+- <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) (~> 2.11.0)
+
+- <a name="provider_random"></a> [random](#provider\_random)
+
+## Modules
+
+The following Modules are called:
+
+### <a name="module_gitea_persistance"></a> [gitea\_persistance](#module\_gitea\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
+
+### <a name="module_postgres_persistance"></a> [postgres\_persistance](#module\_postgres\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
+
+## Resources
+
+The following resources are used by this module:
+
+- [aws_cognito_user_pool_client.gitea](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) (resource)
+- [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) (resource)
+- [kubernetes_manifest.ingress_tcp_route](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) (resource)
+- [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) (resource)
+- [random_password.gitea_admin](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) (resource)
+- [aws_cognito_user_pools.thomasklein_infra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cognito_user_pools) (data source)
+- [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) (data source)
+
+## Required Inputs
+
+No required inputs.
+
+## Optional Inputs
+
+No optional inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

backend.tf

@@ -0,0 +1,10 @@
+terraform {
+  backend "s3" {
+    bucket         = "thomasklein-global-states"
+    key            = "apps/lawndale/gitea"
+    region         = "eu-central-1"
+    encrypt        = true
+    kms_key_id     = "a767a3ce-c505-44c0-9f93-6f53678c69c7"
+    dynamodb_table = "thomasklein-global-state-locks"
+  }
+}

gitea.tf

@@ -0,0 +1,121 @@
+resource "kubernetes_namespace" "this" {
+  metadata {
+    name = "gitea"
+  }
+}
+
+resource "helm_release" "this" {
+  name      = "gitea"
+  namespace = kubernetes_namespace.this.metadata.0.name
+
+  repository = "https://dl.gitea.io/charts/"
+  chart      = "gitea"
+  version    = "5.0.0"
+
+  create_namespace = false
+
+  values = [
+    jsonencode({
+      ingress = {
+        enabled = true
+        annotations = {
+          "kubernetes.io/ingress.class"                             = "traefik"
+          "traefik.ingress.kubernetes.io/router.entrypoints"        = "websecure"
+          "traefik.ingress.kubernetes.io/router.tls"                = "true"
+          "traefik.ingress.kubernetes.io/router.tls.certresolver"   = "acme-thomasklein-me"
+          "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
+        }
+        hosts = [
+          {
+            host = local.ingress_domain
+            paths = [
+              {
+                path     = "/"
+                pathType = "Prefix"
+              }
+            ]
+          }
+        ]
+      }
+    }),
+    jsonencode({
+      gitea = {
+        oauth = [
+          {
+            name            = "Cognito"
+            provider        = "openidConnect"
+            autoDiscoverUrl = "https://cognito-idp.${data.aws_region.current.name}.amazonaws.com/${data.aws_cognito_user_pools.thomasklein_infra.ids[0]}/.well-known/openid-configuration"
+            #useCustomUrls =
+            #customAuthUrl =
+            #customTokenUrl =
+            #customProfileUrl =
+            #customEmailUrl =
+          }
+        ]
+      }
+    }),
+    jsonencode({
+      gitea = {
+        config = {
+          # APP_NAME = ""
+          server = {
+            ROOT_URL = "https://${local.ingress_domain}/"
+          }
+          indexer = {
+            ISSUE_INDEXER_TYPE = "db" # bleve doesn't like 9p filesystems :/
+          }
+          metrics = {
+              ENABLED = false ## the metrics not really worth it
+          }
+          service = {
+              DISABLE_REGISTRATION = true
+          }
+        }
+        admin = {
+          username = "thomasklein"
+          email    = "kiss.tamas94@gmail.com"
+        }
+      }
+    }),
+    jsonencode({
+      persistence = {
+        enabled       = true
+        existingClaim = module.gitea_persistance.pvc_name
+      }
+    }),
+    jsonencode({
+      postgresql = {
+        enabled = true
+        persistence = {
+          enabled       = true
+          existingClaim = module.postgres_persistance.pvc_name
+        }
+        podSecurityContext = {
+          enabled = true
+        }
+        volumePermissions = {
+          enabled = true
+        }
+      }
+    }),
+  ]
+
+  set_sensitive {
+    name  = "gitea.oauth[0].key"
+    value = aws_cognito_user_pool_client.gitea.id
+  }
+  set_sensitive {
+    name  = "gitea.oauth[0].secret"
+    value = aws_cognito_user_pool_client.gitea.client_secret
+  }
+
+  set_sensitive {
+    name  = "gitea.admin.password"
+    value = random_password.gitea_admin.result
+  }
+}
+
+resource "random_password" "gitea_admin" {
+  length  = 16
+  special = true
+}

locals.tf

@@ -0,0 +1,5 @@
+locals {
+  ingress_domain = "git.thomasklein.me"
+}
+
+data "aws_region" "current" {}

oauth.tf

@@ -0,0 +1,18 @@
+data "aws_cognito_user_pools" "thomasklein_infra" {
+  name = "thomasklein-infra"
+}
+
+resource "aws_cognito_user_pool_client" "gitea" {
+  name = "gitea"
+
+  user_pool_id = data.aws_cognito_user_pools.thomasklein_infra.ids[0]
+
+  allowed_oauth_flows_user_pool_client = true
+  allowed_oauth_flows                  = ["code"]
+  allowed_oauth_scopes                 = ["profile", "email", "openid"]
+
+  supported_identity_providers = ["COGNITO"]
+
+  generate_secret = true
+  callback_urls   = ["https://${local.ingress_domain}/user/oauth2/Cognito/callback"]
+}

provider.tf

@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.9.0"
+    }
+
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.5.1"
+    }
+
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.11.0"
+    }
+
+  }
+}
+
+provider "aws" {
+  # Configuration options
+  default_tags {
+    tags = {
+      "managed-by" = "terraform"
+    }
+  }
+}

ssh-ingresstcproute.tf

@@ -0,0 +1,26 @@
+resource "kubernetes_manifest" "ingress_tcp_route" {
+    manifest = {
+        apiVersion = "traefik.containo.us/v1alpha1"
+        kind = "IngressRouteTCP"
+        metadata = {
+            name = "gitea-ssh"
+            namespace = kubernetes_namespace.this.metadata.0.name
+        }
+        spec = {
+            entryPoints = [
+                "gitssh",
+            ]
+            routes: [
+                {
+                    match = "HostSNI(`*`)"
+                    services = [
+                        {
+                            name = "gitea-ssh"
+                            port = 22
+                        }
+                    ]
+                }
+            ]
+        }
+    }
+}

volume.tf

@@ -0,0 +1,21 @@
+# This is actually a self reference as these modules would only be available IF
+# This lawndale gitea instance is running and available.
+# Here it would be wiser to reference a mirror of this repository
+# TODO: setup repository mirror for terraform-modules
+# TODO: user mirrored repository
+
+module "gitea_persistance" {
+  source = "git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume"
+
+  namespace               = kubernetes_namespace.this.metadata.0.name
+  name                    = "gitea"
+  volume_storage_capacity = "5Gi"
+}
+
+module "postgres_persistance" {
+  source = "git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume"
+
+  namespace               = kubernetes_namespace.this.metadata.0.name
+  name                    = "gitea-postgres"
+  volume_storage_capacity = "5Gi"
+}