Merge pull request #3 from n4veenkumar/infra-provisioning

Add Route53 support. Changes to bootstrap script.
2023-02-24 20:25:46 +00:00 · 2023-02-24 20:25:46 +00:00 · 5181086e18
parent aa533092dd faaf51793a
commit 5181086e18
4 changed files with 62 additions and 37 deletions
--- a/deploy/aws/README.md
+++ b/deploy/aws/README.md
@ -33,6 +33,8 @@ This repo contains a Terraform plan for deploying Epicyon on an AWS EC2 instance
 | [aws_internet_gateway.epicyon_gw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_route_table.epicyon_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table_association.epicyon_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route53_record.epicyon_route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [null_resource.null_resource_epicyon](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |

 ## Inputs

--- a/deploy/aws/main.tf
+++ b/deploy/aws/main.tf
@ -1,10 +1,3 @@
-locals {
-  user_data_vars = {
-    domain = var.domain
-    email  = var.email
-  }
-}
-
 resource "aws_vpc" "epicyon_vpc" {
  cidr_block       = var.vpc_cidr_block

@ -91,13 +84,21 @@ resource "aws_instance" "epicyon_web" {
  associate_public_ip_address = true
  subnet_id                   = aws_subnet.epicyon_subnet.id
  vpc_security_group_ids      = [aws_security_group.epicyon_sg.id]
-  user_data                   = base64encode(templatefile("${path.module}/templates/startup.sh", local.user_data_vars))
  key_name                    = var.key_name
  tags = {
    Name = "epicyon_web"
  }
 }

+resource "aws_route53_record" "epicyon_route53" {
+  zone_id = var.zone_id
+  name    = var.domain
+  type    = "A"
+  ttl     = 300
+  records = [aws_instance.epicyon_web.public_ip]
+  depends_on = [aws_instance.epicyon_web]
+}
+
 resource "aws_iam_role" "epicyon_iam_role" {
  name = "epicyon_iam_role"
  assume_role_policy = jsonencode({
@ -134,3 +135,29 @@ resource "aws_eip_association" "epicyon" {
  instance_id   = aws_instance.epicyon_web.id
  allocation_id = aws_eip.elastic.id
 }
+
+resource "null_resource" "null_resource_epicyon" {
+  depends_on=[aws_route53_record.epicyon_route53]
+  triggers = {
+    id = timestamp()
+  }
+   connection {
+    agent       = false
+    type        = "ssh"
+    host        = [aws_instance.epicyon_web.public_ip]
+    private_key = file(var.private_key)
+    user        = "ubuntu"
+  }
+  provisioner "file" {
+    source      = "./templates/startup.sh"
+    destination = "~/startup.sh"
+  }
+  provisioner "remote-exec" {
+    inline = [
+      "chmod +x ~/startup.sh",
+      "export domain=${var.epicyon_domain}",
+      "export email=${var.email}",
+      "bash ~/startup.sh"
+    ]
+  }
+}
--- a/deploy/aws/templates/startup.sh
+++ b/deploy/aws/templates/startup.sh
@ -1,17 +1,13 @@
 #!/usr/bin/env bash
-
-export YOUR_DOMAIN=${domain}
-export YOUR_EMAIL=${email}
-
 sudo apt update -y
 sudo apt install -y tor python3-socks imagemagick python3-setuptools python3-cryptography python3-dateutil python3-idna python3-requests python3-flake8 python3-django-timezone-field python3-pyqrcode python3-png python3-bandit libimage-exiftool-perl certbot nginx wget
 cd /opt || exit
 sudo git clone https://gitlab.com/bashrc2/epicyon
 cd /opt/epicyon || exit
 sudo adduser --system --home=/opt/epicyon --group epicyon
-sudo mkdir /var/www/${domain}
+sudo mkdir /var/www/$domain
 sudo mkdir -p /opt/epicyon/accounts/newsmirror
-sudo ln -s /opt/epicyon/accounts/newsmirror /var/www/${domain}/newsmirror
+sudo ln -s /opt/epicyon/accounts/newsmirror /var/www/$domain/newsmirror

 sudo tee /tmp/epicyon.service >/dev/null <<EOF
 [Unit]
@ -23,7 +19,7 @@ Type=simple
 User=epicyon
 Group=epicyon
 WorkingDirectory=/opt/epicyon
-ExecStart=/usr/bin/python3 /opt/epicyon/epicyon.py --port 443 --proxy 7156 --domain ${domain} --registration open --log_login_failures
+ExecStart=/usr/bin/python3 /opt/epicyon/epicyon.py --port 443 --proxy 7156 --domain $domain --registration open --log_login_failures
 Environment=USER=epicyon
 Environment=PYTHONUNBUFFERED=true
 Restart=always
@ -57,24 +53,21 @@ sudo mv /tmp/epicyon.service /etc/systemd/system/
 sudo chown -R epicyon:epicyon /opt/epicyon 
 sudo systemctl daemon-reload && sudo systemctl start epicyon &&  sudo systemctl enable epicyon

-sudo tee /tmp/${domain} >/dev/null <<EOF
+sudo tee /tmp/$domain >/dev/null <<EOF
 server {
    listen 80;
    listen [::]:80;
-    server_name ${domain};
+    server_name $domain;
    access_log /dev/null;
    error_log /dev/null;
    client_max_body_size 31m;
    client_body_buffer_size 128k;
-
    index index.html;
    rewrite ^ https://\$server_name\$request_uri? permanent;
 }
-
 server {
    listen 443 ssl;
-    server_name ${domain};
-
+    server_name $domain;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
@ -84,19 +77,16 @@ server {
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/ld+json application/javascript text/xml application/xml application/rdf+xml application/xml+rss text/javascript;
-
    ssl_stapling off;
    ssl_stapling_verify off;
    ssl on;
-    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
-
+    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
-
    add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
@ -104,20 +94,15 @@ server {
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
 	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
-
    access_log /dev/null;
    error_log /dev/null;
-
    index index.html;
-
    location /newsmirror {
-        root /var/www/${domain};
+        root /var/www/$domain;
        try_files \$uri =404;
    }
-
    keepalive_timeout 70;
    sendfile on;
-
    location / {
        proxy_http_version 1.1;
        client_max_body_size 31M;
@ -142,10 +127,9 @@ server {
 }
 EOF

-sudo mv /tmp/${domain} /etc/nginx/sites-available/
-sudo ln -s /etc/nginx/sites-available/${domain} /etc/nginx/sites-enabled/
+sudo mv /tmp/$domain /etc/nginx/sites-available/
+sudo ln -s /etc/nginx/sites-available/$domain /etc/nginx/sites-enabled/
 sudo systemctl stop nginx
-sudo certbot certonly -n --server https://acme-v02.api.letsencrypt.org/directory --standalone -d ${domain} --renew-by-default --agree-tos --email ${email}
+sudo certbot certonly -n --server https://acme-v02.api.letsencrypt.org/directory --standalone -d $domain --renew-by-default --agree-tos --email $email
 sudo systemctl enable nginx
-sudo systemctl start nginx
-
+sudo systemctl start nginx
--- a/deploy/aws/vars.tf
+++ b/deploy/aws/vars.tf
@ -32,3 +32,15 @@ variable "email" {
  type    = string
  default = ""
 }
+
+variable "private_key" {
+  default = ""
+}
+
+variable "epicyon_domain" {
+  default = ""
+}
+
+variable "email" {
+  default = ""
+}