This Terraform plan contains deploying Epicyon in AWS Lightsail

deploy/aws-lightsail/.gitignore

@@ -0,0 +1,20 @@
+**/.terraform/*
+
+*.tfstate
+*.tfstate.*
+.terraform.lock.hcl
+
+crash.log
+crash.*.log
+
+*.tfvars
+
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+*tfplan*
+
+.terraformrc
+terraform.rc

deploy/aws-lightsail/README.md

@@ -0,0 +1,50 @@
+# terraform-aws-epicyon
+
+This Terraform plan contains deploying Epicyon on an AWS Lightsail instance
+
+## Requirements
+
+| Name | Version |
+| ---- | ------- |
+| terraform | >=v1.0.7 |
+| aws | ~> 4.0 |
+
+## Providers
+
+|Name | Version |
+| --- | ------- |
+| aws | ~> 4.0 |
+
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_lightsail_static_ip.epicyon_static_ip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_static_ip) | resource |
+| [aws_lightsail_static_ip_attachment.for_epicyon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_static_ip_attachment) | resource |
+| [aws_lightsail_key_pair.ssh_key_pair](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_key_pair) | resource |
+| [aws_lightsail_instance.epicyon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_instance) | resource |
+| [aws_lightsail_domain.epicyon_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_domain) | resource |
+| [aws_lightsail_domain_entry.epicyon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_domain_entry) | resource |
+| [null_resource.null_resource_epicyon](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| name | Name of instance. | `string` | `""` | yes |
+| blueprint\_id | The ID for a virtual private server image | `string` | `"ubuntu_20_04"` | yes |
+| bundle\_id | The bundle of specification information | `string` | `"nano_2_0"` | yes |
+| availability\_zone | The Availability Zone in which to create your instance | `string` | `""` | yes |
+| create\_static\_ip | Create and attach a statis IP to the instance | `` | `` | no |
+| key_pair_name | Key pair name of the Key Pair to use for the instance | `string` | `""` | yes |
+| domain | A public domain for Epicyon | `string` | `""` | yes |
+| email | Email used to order a certificate from Let's Encrypt | `string` | `""` | yes |
+
+## Output
+
+| Name | Description |
+| ---- | ----------- |
+| domain_name | The URL to epicyon |
+| ipv4_address | The public IP address of the epicyon instance |
+

deploy/aws-lightsail/main.tf

@@ -0,0 +1,60 @@
+resource "aws_lightsail_static_ip" "epicyon_static_ip" {
+  name = "epicyon"
+}
+resource "aws_lightsail_static_ip_attachment" "for_epicyon" {
+  static_ip_name = aws_lightsail_static_ip.epicyon_static_ip.id
+  instance_name  = aws_lightsail_instance.epicyon.id
+}
+
+resource "aws_lightsail_key_pair" "ssh_key_pair" {
+  name       = "epicyon_key"
+  public_key = var.publickey
+}
+
+resource "aws_lightsail_instance" "epicyon" {
+  name              = var.instance_name
+  availability_zone = "us-east-1a"
+  blueprint_id      = "ubuntu_20_04"
+  bundle_id         = "nano_2_0"
+  key_pair_name     = var.key
+
+}
+
+resource "aws_lightsail_domain" "epicyon_domain" {
+  domain_name = var.domain
+}
+
+resource "aws_lightsail_domain_entry" "epicyon" {
+  depends_on = [aws_lightsail_static_ip.epicyon_static_ip]
+  domain_name = aws_lightsail_domain.epicyon_domain.domain_name
+  name        = var.epicyon_sub_domain
+  type        = "A"
+  target      = aws_lightsail_static_ip.epicyon_static_ip.ip_address
+}
+
+resource "null_resource" "null_resource_epicyon" {
+  depends_on = [aws_lightsail_domain_entry.epicyon]
+  triggers = {
+    id = timestamp()
+  }
+   connection {
+    agent       = false
+    type        = "ssh"
+    host        = aws_lightsail_static_ip.epicyon_static_ip.ip_address
+    private_key = file(var.private_key)
+    user        = aws_lightsail_instance.epicyon.username
+  }
+  provisioner "file" {
+    source      = "./templates/startup.sh"
+    destination = "~/startup.sh"
+  }
+  provisioner "remote-exec" {
+    inline = [
+      "chmod +x ~/startup.sh",
+      "export domain=${var.epicyon_sub_domain}",
+      "export email=${var.email}",
+      "bash ~/startup.sh"
+    ]
+  }
+}
+

deploy/aws-lightsail/outputs.tf

@@ -0,0 +1,8 @@
+output "aws_lightsail_domain" {
+  description = "The name of the record"
+  value       = format("https://%s", var.epicyon_sub_domain)
+}
+output "ipv4_address" {
+  description = "The instance ip"
+  value       = aws_lightsail_instance.epicyon.public_ip_address
+}

deploy/aws-lightsail/provider.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "aws" {
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
+  region     = var.aws_region
+}

deploy/aws-lightsail/templates/startup.sh

@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+sleep 1m
+sudo apt update -y
+sudo apt install -y tor python3-socks imagemagick python3-setuptools python3-cryptography python3-dateutil python3-idna python3-requests python3-flake8 python3-django-timezone-field python3-pyqrcode python3-png python3-bandit libimage-exiftool-perl certbot nginx wget
+cd /opt || exit
+sudo git clone https://gitlab.com/bashrc2/epicyon
+cd /opt/epicyon || exit
+sudo adduser --system --home=/opt/epicyon --group epicyon
+sudo mkdir /var/www/$domain
+sudo mkdir -p /opt/epicyon/accounts/newsmirror
+sudo ln -s /opt/epicyon/accounts/newsmirror /var/www/$domain/newsmirror
+
+sudo tee /tmp/epicyon.service >/dev/null <<EOF
+[Unit]
+Description=epicyon
+After=syslog.target
+After=network.target
+[Service]
+Type=simple
+User=epicyon
+Group=epicyon
+WorkingDirectory=/opt/epicyon
+ExecStart=/usr/bin/python3 /opt/epicyon/epicyon.py --port 443 --proxy 7156 --domain $domain --registration open --log_login_failures
+Environment=USER=epicyon
+Environment=PYTHONUNBUFFERED=true
+Restart=always
+StandardError=syslog
+CPUQuota=80%
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectHostname=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+PrivateTmp=true
+PrivateUsers=true
+PrivateDevices=true
+PrivateIPC=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+SystemCallArchitectures=native
+[Install]
+WantedBy=multi-user.target
+EOF
+
+sudo mv /tmp/epicyon.service /etc/systemd/system/
+sudo chown -R epicyon:epicyon /opt/epicyon 
+sudo systemctl daemon-reload && sudo systemctl start epicyon &&  sudo systemctl enable epicyon
+
+sudo tee /tmp/$domain >/dev/null <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $domain;
+    access_log /dev/null;
+    error_log /dev/null;
+    client_max_body_size 31m;
+    client_body_buffer_size 128k;
+    index index.html;
+    rewrite ^ https://\$server_name\$request_uri? permanent;
+}
+server {
+    listen 443 ssl;
+    server_name $domain;
+    gzip on;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_min_length 1024;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/ld+json application/javascript text/xml application/xml application/rdf+xml application/xml+rss text/javascript;
+    ssl_stapling off;
+    ssl_stapling_verify off;
+    ssl on;
+    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+    access_log /dev/null;
+    error_log /dev/null;
+    index index.html;
+    location /newsmirror {
+        root /var/www/$domain;
+        try_files \$uri =404;
+    }
+    keepalive_timeout 70;
+    sendfile on;
+    location / {
+        proxy_http_version 1.1;
+        client_max_body_size 31M;
+        proxy_set_header Host \$http_host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forward-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forward-Proto http;
+        proxy_set_header X-Nginx-Proxy true;
+        proxy_temp_file_write_size 64k;
+        proxy_connect_timeout 10080s;
+        proxy_send_timeout 10080;
+        proxy_read_timeout 10080;
+        proxy_buffer_size 64k;
+        proxy_buffers 16 32k;
+        proxy_busy_buffers_size 64k;
+        proxy_redirect off;
+        proxy_request_buffering off;
+        proxy_buffering off;
+        proxy_pass http://localhost:7156;
+        tcp_nodelay on;
+    }
+}
+EOF
+
+sudo mv /tmp/$domain /etc/nginx/sites-available/
+sudo ln -s /etc/nginx/sites-available/$domain /etc/nginx/sites-enabled/
+sudo systemctl stop nginx
+sudo certbot certonly -n --server https://acme-v02.api.letsencrypt.org/directory --standalone -d $domain --renew-by-default --agree-tos --email $email
+sudo systemctl enable nginx
+sudo systemctl start nginx

deploy/aws-lightsail/vars.tf

@@ -0,0 +1,39 @@
+variable "aws_access_key" {
+  default = ""
+}
+
+variable "aws_secret_key" {
+  default = ""
+}
+
+variable "aws_region" {
+  default = ""
+}
+
+variable "private_key" {
+  default = ""
+}
+
+variable "publickey" {
+  default = ""
+}
+
+variable "key" {
+  default = ""
+}
+
+variable "instance_name" {
+  default = ""
+}
+
+variable "email" {
+  default = ""
+} 
+
+variable "domain" {
+  default = ""
+}
+
+variable "epicyon_sub_domain" {
+  default = ""
+}