call me stuff the way i do stuff

2026-01-14 16:55:00 +01:00 · 2024-02-05 17:16:03 +01:00 · 2024-02-05 17:16:03 +01:00 · 0eae57ba2e
commit 0eae57ba2e
parent 8331b28f5d
6 changed files with 105 additions and 21 deletions
--- a/playbooks/basic-setup.yml
+++ b/playbooks/basic-setup.yml
@ -24,6 +24,7 @@
        state: present
      with_items:
        - htop
        - awscli
    - name: Install keyring packages
      ansible.builtin.apt:
        name: "{{ item }}"
--- a/playbooks/vps2.yml
+++ b/playbooks/vps2.yml
@ -3,6 +3,17 @@
  hosts: vps2
  gather_facts: false
  tasks:
    - name: Copy backup file
      ansible.builtin.copy:
        src: "../vps2/backup.sh"
        dest: "/apps/backup.sh"
        mode: "u=rx,g=rx,o=rx"
    - name: Configure backup cron
      ansible.builtin.cron:
        name: Daily backup
        minute: "5"
        hour: "7"
        job: "/apps/backup.sh"
    #####
    # APP: docker registry, /apps/registry
    #####
--- a/tf-infra/aws.tf
+++ b/tf-infra/aws.tf
@ -1,21 +0,0 @@
 resource "aws_s3_bucket" "backups" {
    bucket = "nilstrieb-backups"
 }
 resource "aws_s3_bucket_lifecycle_configuration" "backups_lifecycle" {
    bucket = aws_s3_bucket.backups.bucket
    rule {
      id = "1-cold"
      filter {
        prefix = "1/"
      }
      transition {
        days = 30
        storage_class = "GLACIER_IR"
      }
      status = "Enabled"
    }
 }
--- a/tf-infra/backup.tf
+++ b/tf-infra/backup.tf
@ -0,0 +1,68 @@
 resource "aws_s3_bucket" "backups" {
    bucket = "nilstrieb-backups"
 }
 resource "aws_s3_bucket_lifecycle_configuration" "backups_lifecycle" {
    bucket = aws_s3_bucket.backups.bucket
    rule {
      id = "1-cold"
      filter {
        prefix = "1/"
      }
      transition {
        days = 30
        storage_class = "GLACIER_IR"
      }
      status = "Enabled"
    }
 }
 resource "aws_iam_user" "backup_uploader" {
  name = "backup-uploader"
 }
 resource "aws_iam_access_key" "backup_uploader" {
  user = aws_iam_user.backup_uploader.name
 }
 resource "aws_iam_group" "backup_uploaders" {
  name = "backup-uploaders"
 }
 resource "aws_iam_user_group_membership" "backup_uploader" {
  user =  aws_iam_user.backup_uploader.name
  groups = [ aws_iam_group.backup_uploaders.name ]
 }
 resource "aws_iam_group_policy" "upload_backup" {
  name = "nilstrieb-backups-upload"
  group = aws_iam_group.backup_uploaders.name
  policy = jsonencode({
    "Version":"2012-10-17",
    "Statement":[
        {
          "Effect":"Allow",
          "Action":"s3:PutObject",
          "Resource":"arn:aws:s3:::${aws_s3_bucket.backups.bucket}/1/*"
        },
        {
          "Effect":"Deny",
          "Action":"s3:*",
          "NotResource":"arn:aws:s3:::${aws_s3_bucket.backups.bucket}/1/*"
        }
    ]
  })
 }
 output "backup_access_key_id" {
  value = aws_iam_access_key.backup_uploader.id
 }
 output "backup_access_key_secret" {
  value = aws_iam_access_key.backup_uploader.secret
  sensitive = true
 }
--- a/tf-infra/state.sh
+++ b/tf-infra/state.sh
@ -0,0 +1,15 @@
 #!/usr/bin/bash
 BUCKET="nilstrieb-states"
 case "$1" in
    download)
        aws s3api get-object --bucket "$BUCKET" --key "terraform.tfstate" "terraform.tfstate"
        ;;
    upload)
        aws s3api put-object --bucket "$BUCKET" --key "terraform.tfstate" --body "terraform.tfstate"
        ;;
    *)
        echo "subcommand download or upload required"
        exit 1
 esac
--- a/tf-infra/state.tf
+++ b/tf-infra/state.tf
@ -0,0 +1,10 @@
 resource "aws_s3_bucket" "state" {
    bucket = "nilstrieb-states"
 }
 resource "aws_s3_bucket_versioning" "state" {
    bucket = aws_s3_bucket.state.bucket
    versioning_configuration {
      status = "Enabled"
    }
 }