From 0eae57ba2e41a7f0c903cd01aa1d16706f8ede89 Mon Sep 17 00:00:00 2001
From: Nilstrieb <48135649+Nilstrieb@users.noreply.github.com>
Date: Mon, 5 Feb 2024 17:16:03 +0100
Subject: [PATCH] call me stuff the way i do stuff

---
 playbooks/basic-setup.yml | 1 +
 playbooks/vps2.yml | 11 +++++++
 tf-infra/aws.tf | 21 ------------
 tf-infra/backup.tf | 68 +++++++++++++++++++++++++++++++++++++++
 tf-infra/state.sh | 15 +++++++++
 tf-infra/state.tf | 10 ++++++
 6 files changed, 105 insertions(+), 21 deletions(-)
 delete mode 100644 tf-infra/aws.tf
 create mode 100644 tf-infra/backup.tf
 create mode 100755 tf-infra/state.sh
 create mode 100644 tf-infra/state.tf

diff --git a/playbooks/basic-setup.yml b/playbooks/basic-setup.yml
index b924591..a8e1d86 100644
--- a/playbooks/basic-setup.yml
+++ b/playbooks/basic-setup.yml
@@ -24,6 +24,7 @@
         state: present
       with_items:
         - htop
+        - awscli
     - name: Install keyring packages
       ansible.builtin.apt:
         name: "{{ item }}"
diff --git a/playbooks/vps2.yml b/playbooks/vps2.yml
index ca65349..268ef62 100644
--- a/playbooks/vps2.yml
+++ b/playbooks/vps2.yml
@@ -3,6 +3,17 @@
   hosts: vps2
   gather_facts: false
   tasks:
+    - name: Copy backup file
+      ansible.builtin.copy:
+        src: "../vps2/backup.sh"
+        dest: "/apps/backup.sh"
+        mode: "u=rx,g=rx,o=rx"
+    - name: Configure backup cron
+      ansible.builtin.cron:
+        name: Daily backup
+        minute: "5"
+        hour: "7"
+        job: "/apps/backup.sh"
     #####
     # APP: docker registry, /apps/registry
     #####
diff --git a/tf-infra/aws.tf b/tf-infra/aws.tf
deleted file mode 100644
index 82608b9..0000000
--- a/tf-infra/aws.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-resource "aws_s3_bucket" "backups" {
-  bucket = "nilstrieb-backups"
-}
-
-resource "aws_s3_bucket_lifecycle_configuration" "backups_lifecycle" {
-  bucket = aws_s3_bucket.backups.bucket
-  rule {
-    id = "1-cold"
-
-    filter {
-      prefix = "1/"
-    }
-
-    transition {
-      days          = 30
-      storage_class = "GLACIER_IR"
-    }
-
-    status = "Enabled"
-  }
-}
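Review bot: The copy task installs `/apps/backup.sh` with `mode: "u=rx,g=rx,o=rx"`, so every local account on vps2 can read it; if that script carries the uploader credentials that backup.tf emits as outputs (the script is not part of this patch, so this is inferred), any other user or compromised service on the host can read the key. The cron task sets no `user:`, so the job runs as whichever account Ansible applied it for, and the script only needs to be readable by that account: `mode: "0500"` together with explicit `owner:` and `group:` on the copy task. Adding a matching `user:` to the cron task would also record the intended runner in the playbook instead of leaving it to the connection user.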
diff --git a/tf-infra/backup.tf b/tf-infra/backup.tf
new file mode 100644
index 0000000..c8658f1
--- /dev/null
+++ b/tf-infra/backup.tf
@@ -0,0 +1,68 @@
+resource "aws_s3_bucket" "backups" {
+  bucket = "nilstrieb-backups"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "backups_lifecycle" {
+  bucket = aws_s3_bucket.backups.bucket
+  rule {
+    id = "1-cold"
+
+    filter {
+      prefix = "1/"
+    }
+
+    transition {
+      days          = 30
+      storage_class = "GLACIER_IR"
+    }
+
+    status = "Enabled"
+  }
+}
+
+resource "aws_iam_user" "backup_uploader" {
+  name = "backup-uploader"
+}
+
+resource "aws_iam_access_key" "backup_uploader" {
+  user = aws_iam_user.backup_uploader.name
+}
+
+
+resource "aws_iam_group" "backup_uploaders" {
+  name = "backup-uploaders"
+}
+
+resource "aws_iam_user_group_membership" "backup_uploader" {
+  user   = aws_iam_user.backup_uploader.name
+  groups = [ aws_iam_group.backup_uploaders.name ]
+}
+
+resource "aws_iam_group_policy" "upload_backup" {
+  name   = "nilstrieb-backups-upload"
+  group  = aws_iam_group.backup_uploaders.name
+  policy = jsonencode({
+    "Version":"2012-10-17",
+    "Statement":[
+      {
+        "Effect":"Allow",
+        "Action":"s3:PutObject",
+        "Resource":"arn:aws:s3:::${aws_s3_bucket.backups.bucket}/1/*"
+      },
+      {
+        "Effect":"Deny",
+        "Action":"s3:*",
+        "NotResource":"arn:aws:s3:::${aws_s3_bucket.backups.bucket}/1/*"
+      }
+    ]
+  })
+}
+
+
+output "backup_access_key_id" {
+  value = aws_iam_access_key.backup_uploader.id
+}
+output "backup_access_key_secret" {
+  value     = aws_iam_access_key.backup_uploader.secret
+  sensitive = true
+}
diff --git a/tf-infra/state.sh b/tf-infra/state.sh
new file mode 100755
index 0000000..d7060db
--- /dev/null
+++ b/tf-infra/state.sh
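Review bot: The uploader policy allows `s3:PutObject` on `1/*` while `aws_s3_bucket.backups` has no versioning, so the long-lived key that sits on the VPS — the credential most likely to leak if that host is compromised — can overwrite and thereby destroy every existing backup under the prefix. Enabling versioning, as state.tf already does for the state bucket, keeps prior object versions out of the uploader's reach because the policy grants nothing beyond `PutObject` (no delete or version-scoped actions) and denies everything else; the lifecycle rule may then want a `noncurrent_version_expiration` so superseded versions do not accumulate. Separately, `aws_iam_access_key` stores the secret in plaintext in the Terraform state that state.sh copies to S3 and to local disk; setting `pgp_key` on that resource and exporting `encrypted_secret` instead keeps the raw secret out of state.

```hcl
# … unchanged: aws_s3_bucket.backups and backups_lifecycle …

resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.bucket
  versioning_configuration {
    status = "Enabled"
  }
}

# … unchanged: IAM user, group, policy and outputs …
```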
@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+BUCKET="nilstrieb-states"
+
+case "$1" in
+  download)
+    aws s3api get-object --bucket "$BUCKET" --key "terraform.tfstate" "terraform.tfstate"
+    ;;
+  upload)
+    aws s3api put-object --bucket "$BUCKET" --key "terraform.tfstate" --body "terraform.tfstate"
+    ;;
+  *)
+    echo "subcommand download or upload required"
+    exit 1
+esac
diff --git a/tf-infra/state.tf b/tf-infra/state.tf
new file mode 100644
index 0000000..026cddd
--- /dev/null
+++ b/tf-infra/state.tf
@@ -0,0 +1,10 @@
+resource "aws_s3_bucket" "state" {
+  bucket = "nilstrieb-states"
+}
+
+resource "aws_s3_bucket_versioning" "state" {
+  bucket = aws_s3_bucket.state.bucket
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
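Review bot: The `upload` branch pushes whatever `terraform.tfstate` is in the working directory without checking that it exists or came from a prior `download`, and with no `set -e` the script exits 0 even when `aws` fails, so a stale or missing local file can silently replace the remote state with only the bucket versioning in state.tf left for recovery. Adding `set -euo pipefail` after the shebang and guarding the upload with `[ -f terraform.tfstate ] || { echo "terraform.tfstate not found" >&2; exit 1; }` makes both failure modes loud. Terraform's own `backend "s3"` configuration would cover the same workflow and add state locking, which this script cannot provide when two runs overlap.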
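Review bot: The state bucket gets versioning but no explicit encryption or public-access settings, and backup.tf places the uploader's plaintext secret into the state file that lands here, so the bucket's protection rests entirely on account-wide S3 defaults (AWS has applied SSE-S3 and a public access block to newly created buckets since 2023, but nothing in this repository pins that). Declaring `aws_s3_bucket_public_access_block` and `aws_s3_bucket_server_side_encryption_configuration` next to the bucket makes those guarantees explicit and reviewable; a customer-managed KMS key in place of `AES256` would additionally restrict who can read the state to principals with access to that key.

```hcl
# … unchanged: aws_s3_bucket.state and aws_s3_bucket_versioning.state …

resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.bucket
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.bucket
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```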