call me stuff the way i do stuff

2026-01-14 08:45:02 +01:00 · 2024-02-05 17:16:03 +01:00 · 2024-02-05 17:16:03 +01:00 · 0eae57ba2e
commit 0eae57ba2e
parent 8331b28f5d
6 changed files with 105 additions and 21 deletions
--- a/playbooks/basic-setup.yml
+++ b/playbooks/basic-setup.yml
@ -24,6 +24,7 @@
        state: present
      with_items:
        - htop
+        - awscli
    - name: Install keyring packages
      ansible.builtin.apt:
        name: "{{ item }}"
--- a/playbooks/vps2.yml
+++ b/playbooks/vps2.yml
@ -3,6 +3,17 @@
  hosts: vps2
  gather_facts: false
  tasks:
+    - name: Copy backup file
+      ansible.builtin.copy:
+        src: "../vps2/backup.sh"
+        dest: "/apps/backup.sh"
+        mode: "u=rx,g=rx,o=rx"
+    - name: Configure backup cron
+      ansible.builtin.cron:
+        name: Daily backup
+        minute: "5"
+        hour: "7"
+        job: "/apps/backup.sh"
    #####
    # APP: docker registry, /apps/registry
    #####
--- a/tf-infra/aws.tf
+++ b/tf-infra/aws.tf
@ -1,21 +0,0 @@
-resource "aws_s3_bucket" "backups" {
-    bucket = "nilstrieb-backups"
-}
-
-resource "aws_s3_bucket_lifecycle_configuration" "backups_lifecycle" {
-    bucket = aws_s3_bucket.backups.bucket
-    rule {
-      id = "1-cold"
-
-      filter {
-        prefix = "1/"
-      }
-
-      transition {
-        days = 30
-        storage_class = "GLACIER_IR"
-      }
-
-      status = "Enabled"
-    }
-}
--- a/tf-infra/backup.tf
+++ b/tf-infra/backup.tf
@ -0,0 +1,68 @@
+resource "aws_s3_bucket" "backups" {
+    bucket = "nilstrieb-backups"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "backups_lifecycle" {
+    bucket = aws_s3_bucket.backups.bucket
+    rule {
+      id = "1-cold"
+
+      filter {
+        prefix = "1/"
+      }
+
+      transition {
+        days = 30
+        storage_class = "GLACIER_IR"
+      }
+
+      status = "Enabled"
+    }
+}
+
+resource "aws_iam_user" "backup_uploader" {
+  name = "backup-uploader"
+}
+
+resource "aws_iam_access_key" "backup_uploader" {
+  user = aws_iam_user.backup_uploader.name
+}
+
+
+resource "aws_iam_group" "backup_uploaders" {
+  name = "backup-uploaders"
+}
+
+resource "aws_iam_user_group_membership" "backup_uploader" {
+  user =  aws_iam_user.backup_uploader.name
+  groups = [ aws_iam_group.backup_uploaders.name ]
+}
+
+resource "aws_iam_group_policy" "upload_backup" {
+  name = "nilstrieb-backups-upload"
+  group = aws_iam_group.backup_uploaders.name
+  policy = jsonencode({
+    "Version":"2012-10-17",
+    "Statement":[
+        {
+          "Effect":"Allow",
+          "Action":"s3:PutObject",
+          "Resource":"arn:aws:s3:::${aws_s3_bucket.backups.bucket}/1/*"
+        },
+        {
+          "Effect":"Deny",
+          "Action":"s3:*",
+          "NotResource":"arn:aws:s3:::${aws_s3_bucket.backups.bucket}/1/*"
+        }
+    ]
+  })
+}
+
+
+output "backup_access_key_id" {
+  value = aws_iam_access_key.backup_uploader.id
+}
+output "backup_access_key_secret" {
+  value = aws_iam_access_key.backup_uploader.secret
+  sensitive = true
+}
--- a/tf-infra/state.sh
+++ b/tf-infra/state.sh
@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+BUCKET="nilstrieb-states"
+
+case "$1" in
+    download)
+        aws s3api get-object --bucket "$BUCKET" --key "terraform.tfstate" "terraform.tfstate"
+        ;;
+    upload)
+        aws s3api put-object --bucket "$BUCKET" --key "terraform.tfstate" --body "terraform.tfstate"
+        ;;
+    *)
+        echo "subcommand download or upload required"
+        exit 1
+esac
--- a/tf-infra/state.tf
+++ b/tf-infra/state.tf
@ -0,0 +1,10 @@
+resource "aws_s3_bucket" "state" {
+    bucket = "nilstrieb-states"
+}
+
+resource "aws_s3_bucket_versioning" "state" {
+    bucket = aws_s3_bucket.state.bucket
+    versioning_configuration {
+      status = "Enabled"
+    }
+}