From fa34b885976b4f47253a6e4033c03b1b4af374e3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?C=C3=A1ssio=20Gabriel?=
Date: Fri, 23 Jan 2026 17:37:57 -0300
Subject: [PATCH 1/1] First commit
---
.gitignore | 5 ++
terraform/main.tf | 149 ++++++++++++++++++++++++++++++++++
terraform/outputs.tf | 7 ++
terraform/user_data_config.sh | 72 ++++++++++++++++
terraform/variables.tf | 24 ++++++
terraform/versions.tf | 10 +++
6 files changed, 267 insertions(+)
create mode 100644 .gitignore
create mode 100644 terraform/main.tf
create mode 100644 terraform/outputs.tf
create mode 100644 terraform/user_data_config.sh
create mode 100644 terraform/variables.tf
create mode 100644 terraform/versions.tf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3188071
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+**/.terraform/
+**/.terraform.lock.hcl
+**/*.tfstate
+**/*.tfstate.*
+**/terraform.tfvars
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..59eb6c7
--- /dev/null
+++ b/terraform/main.tf
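Review bot: Ignoring `**/.terraform.lock.hcl` keeps the provider dependency lock file out of version control, so every fresh `terraform init` re-resolves `hashicorp/aws` against the open-ended `>= 6.0` constraint in versions.tf and has no recorded checksums to verify the downloaded provider against. HashiCorp's guidance is to commit that file so provider versions and hashes are pinned across machines and CI; drop the `**/.terraform.lock.hcl` line and commit the lock file. Ignoring `*.tfstate` and `terraform.tfvars` is appropriate, since state and tfvars here would carry the SSH source CIDR and the key pair name.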
@@ -0,0 +1,149 @@
+provider "aws" {
+ region = var.region
+***REMOVED***
+
+# Using default AWS values for Network
+data "aws_vpc" "default" {
+ default = true
+***REMOVED***
+
+data "aws_subnets" "default" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.default.id]
+ ***REMOVED***
+***REMOVED***
+
+# Ubuntu linux AMI version
+data "aws_ami" "ubuntu" {
+ most_recent = true
+ owners = ["099720109477"] # Offical Canonical ID
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ ***REMOVED***
+***REMOVED***
+
+# CloudFront with restrict origin access
+data "aws_ec2_managed_prefix_list" "cloudfront_origin" {
+ name = "com.amazonaws.global.cloudfront.origin-facing"
+***REMOVED***
+
+# Security group
+resource "aws_security_group" "gitweb" {
+ name = "${var.project_name***REMOVED***-sg"
+ description = "SSH from my IP; HTTP only from CloudFront origin-facing"
+ vpc_id = "data.aws_vpc.default.id"
+
+ ingress {
+ description = "SSH only from my IP"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = [var.my_ip_cidr]
+ ***REMOVED***
+
+ ingress {
+ description = "HTTP only from CloudFront origin-facing"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront_origin.id]
+ ***REMOVED***
+
+ egress {
+ description = "Allow outbound for updates"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+
+ tags {
+ Name = "${var.project_name***REMOVED***-sg"
+ ***REMOVED***
+ ***REMOVED***
+***REMOVED***
+
+# EC2 instance
+resource "aws_instance" "gitweb" {
+ ami = data.aws_ami.ubuntu.id
+ instance_type = var.instance_type
+ subnet_id = data.aws_subnets.default.ids[0]
+ vpc_security_group_ids = [aws_security_group.gitweb.id]
+ key_name = var.key_name
+
+ user_data = file("${path.module/user_data_config.sh***REMOVED***")
+
+ tags {
+ Name = "${var.project_name***REMOVED***-ec2"
+ ***REMOVED***
+***REMOVED***
+
+# Elastic IP for 
stability (because of CloudFront)
+
+resource "aws_eip" "gitweb" {
+ domanin = "vpc"
+ instance = aws_instance.gitweb.id
+
+ tags {
+ Name = "${var.project_name***REMOVED***-eip"
+ ***REMOVED***
+***REMOVED***
+
+# CloudFront distribuition
+resource "aws_cloudfront_distribution" "gitweb" {
+ enabled = true
+ is_ipv6_enabeld = true
+ comment = "GitWeb behind CloudFront (origin restricted)"
+
+ origin {
+ # CloudFront custom origin can use IP addr directly
+ domain_name = aws_eip.gitweb.public_ip
+ origin_id = "${var.project_name***REMOVED***-origin"
+
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+ origin_protocol_policy = "http-only"
+ origin_ssl_protocols = ["TLSv1.3"]
+ ***REMOVED***
+ ***REMOVED***
+
+ default_cache_bahavior {
+ target_origin_id = "${var.project_name***REMOVED***-origin"
+ viewer_protocol_policy = "redirect-to-https"
+
+ allowed-methods = ["GET", "HEAD"]
+ cached_methods = ["GET", "HEAD"]
+
+ # GitWeb relies on query strings
+ forward_values {
+ query_string = true
+ headers = []
+ cookies {
+ forward = "none"
+ ***REMOVED***
+ ***REMOVED***
+
+ # Caching the often GitWeb content change
+ min_ttl = 0
+ default_ttl = 0
+ max_ttl = 60
+ ***REMOVED***
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "none"
+ ***REMOVED***
+ ***REMOVED***
+
+ # Default CloudFront certificate (HTTPS on CF domain)
+ viewer_certificate {
+ cloudfront_default_certificate = true
+ ***REMOVED***
+
+ tags = {
+ Name = "${var.project_name***REMOVED***-cf"
+ ***REMOVED***
+***REMOVED***
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
new file mode 100644
index 0000000..b9b3856
--- /dev/null
+++ b/terraform/outputs.tf
@@ -0,0 +1,7 @@
+output "instance_public_ip" {
+ value = aws_eip.gitweb.public_ip
+***REMOVED***
+
+output "gitweb_url" {
+ value = "https://${aws_cloudfront_distribution.gitweb.domain_name***REMOVED***/cgi-bin/gitweb.cgi"
+***REMOVED***
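Review bot: `vpc_id = "data.aws_vpc.default.id"` in the security group is a quoted literal rather than a reference, so the provider is handed the text of the expression instead of a VPC id; it should read `vpc_id = data.aws_vpc.default.id`. The same resource closes the `egress` block only after `tags {`, nesting the tags inside it, and the `tags {` block form used in the security group, instance and EIP resources should be the argument form `tags = {` that the CloudFront resource already uses; `file("${path.module/user_data_config.sh}")` likewise mis-places the interpolation brace (`file("${path.module}/user_data_config.sh")`). The argument names `domanin`, `is_ipv6_enabeld`, `default_cache_bahavior`, `allowed-methods` and `forward_values` are misspelled and will be rejected at plan time (`domain`, `is_ipv6_enabled`, `default_cache_behavior`, `allowed_methods`, `forwarded_values`). On the design, the origin-facing prefix list admits every CloudFront distribution, not only this one, and `origin_protocol_policy = "http-only"` sends the CloudFront-to-origin hop in clear text so `origin_ssl_protocols` has no effect; the usual hardening is a secret custom origin header that nginx requires, plus TLS on the origin. `var.my_ip_cidr` is referenced here but its declaration is not visible in variables.tf (a block there is redacted), so confirm it exists and consider a `validation` block that rejects `0.0.0.0/0`.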
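Review bot: Neither output carries a `description`, so `terraform output` and anyone consuming this module get no hint of what `instance_public_ip` and `gitweb_url` are for. Add e.g. `description = "Elastic IP of the GitWeb instance (origin; port 80 reachable only from CloudFront)"` and `description = "Public GitWeb URL served through CloudFront"`. Since main.tf restricts port 80 to the CloudFront prefix list, the IP output is mainly useful for SSH, which is worth saying in its description.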
diff --git a/terraform/user_data_config.sh b/terraform/user_data_config.sh
new file mode 100644
index 0000000..0db6db1
--- /dev/null
+++ b/terraform/user_data_config.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -euo pipefail
+export DEBIAN_FRONTEND=noninteractive
+
+apt-get update
+apt-get install -y git gitweb fcgiwrap nginx
+
+# --- A dedicated 'git' user, git-shell only ---
+if ! id git >/dev/null 2>&1; then
+ useradd -m -d /home/git -s /usr/bin/git-shell git
+fi
+
+# Repo root
+mkdir -p /var/lib/git
+chown -R git:git /var/lib/git
+chmod 2750 /var/lib/git
+
+# --- GitWeb config ---
+cat >/etc/gitweb.conf <<'***REMOVED***'
+$projectroot = "/var/lib/git";
+$projects_list = $projectroot;
+$site_name = "My Git Server (GitWeb)";
+$feature{'blame'***REMOVED*** = 1;
+$feature{'snapshot'***REMOVED*** = 1;
+***REMOVED***
+
+systemctl enable --now fcgiwrap
+
+# --- Nginx serving GitWeb via fcgiwrap ---
+cat >/etc/nginx/sites-available/gitweb <<'***REMOVED***'
+server {
+ listen 80;
+ server_name _;
+
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header Referrer-Policy no-referrer always;
+
+ location = / { return 302 /cgi-bin/gitweb.cgi; ***REMOVED***
+
+ location /gitweb/static/ {
+ alias /usr/share/gitweb/static/;
+ ***REMOVED***
+
+ location /cgi-bin/gitweb.cgi {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/gitweb.cgi;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ ***REMOVED***
+***REMOVED***
+***REMOVED***
+
+rm -f /etc/nginx/sites-enabled/default
+ln -sf /etc/nginx/sites-available/gitweb /etc/nginx/sites-enabled/gitweb
+nginx -t
+systemctl enable --now nginx
+
+# --- SSH hardening
+sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
+
+# Your requirement: allow root login (key-only)
+sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
+systemctl restart ssh
+
+# Convenience: allow same key used for ubuntu user to be used for git user
+if [ -f /home/ubuntu/.ssh/authorized_keys ]; then
+ install -d -m 700 -o git -g git /home/git/.ssh
+ cat 
/home/ubuntu/.ssh/authorized_keys > /home/git/.ssh/authorized_keys
+ chown git:git /home/git/.ssh/authorized_keys
+ chmod 600 /home/git/.ssh/authorized_keys
+fi
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..be2a4c2
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,24 @@
+variable "region" {
+ type = string
+ default = "us-east-1"
+***REMOVED***
+
+***REMOVED***
+***REMOVED***
+***REMOVED***
+***REMOVED***
+
+variable "key_name" {
+ type = string
+ description = "gitweb-key"
+***REMOVED***
+
+variable "instance_type" {
+ type = string
+ default = "t3.small"
+***REMOVED***
+
+variable "project_name" {
+ type = string
+ description = "host-gitweb"
+***REMOVED***
diff --git a/terraform/versions.tf b/terraform/versions.tf
new file mode 100644
index 0000000..deae65d
--- /dev/null
+++ b/terraform/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.14.0"
+
+ required_versions {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.0"
+ ***REMOVED***
+ ***REMOVED***
+***REMOVED***
-- 
2.34.1
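Review bot: `PermitRootLogin yes` is broader than the "key-only" intent stated in the comment above it: `yes` also accepts password and keyboard-interactive root logins whenever `PasswordAuthentication` is ever re-enabled, whereas `PermitRootLogin prohibit-password` (the OpenSSH default) is exactly "root with keys only". Both `sed` edits may also be shadowed on the Jammy AMI selected in main.tf, since that image's `sshd_config` starts with an `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it sees for a keyword, so verify the effective settings with `sshd -T` after `systemctl restart ssh` rather than trusting the edit. `chmod 2750 /var/lib/git` with owner and group `git` presumably leaves the `www-data` user that fcgiwrap runs as without read access to the repositories, so GitWeb would list nothing; either add `www-data` to the `git` group or use `2755`, and confirm on the instance. The copied `authorized_keys` hands the `git` user the same key as `ubuntu`, which is fine for git-shell but deserves a comment noting that one key then grants both push access and the interactive login.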
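Review bot: `description = "gitweb-key"` and `description = "host-gitweb"` look like intended defaults rather than descriptions; as written `key_name` and `project_name` have no default, so every plan must supply them via `-var` or terraform.tfvars. If those values are the intended defaults, write `default = "host-gitweb"` and keep `description` for prose; otherwise replace the descriptions with text that says what each variable is. The four redacted lines between `region` and `key_name` are presumably the `my_ip_cidr` declaration that main.tf references; give it `type = string` and a `validation` block that rejects `0.0.0.0/0`, since that variable alone decides who may reach port 22.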
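Review bot: `required_versions {` is not a valid block inside `terraform {}`; the provider constraint belongs in `required_providers {`, and `terraform init` will reject the file as written. The one-line fix is `required_providers {`. With `.terraform.lock.hcl` ignored by .gitignore, `version = ">= 6.0"` is effectively unpinned; a pessimistic constraint such as `version = "~> 6.0"` limits surprise major upgrades until the lock file is committed.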