lets see if we can implement the tested solution for the real VM

.github/workflows/aws-vm-packer-build.yml

@@ -26,12 +26,12 @@ jobs:
 
       - name: Run `packer init`
         id: init
-        working-directory: ./aws/test-ec2-secrets/packer
+        working-directory: ./aws/packer
         run: "packer init ./aws-ubuntu.pkr.hcl"
 
       - name: Run `packer validate`
         id: validate
-        working-directory: ./aws/test-ec2-secrets/packer
+        working-directory: ./aws/packer
         run: "packer validate ./aws-ubuntu.pkr.hcl"
 
       - name: configure aws credentials
@@ -47,7 +47,7 @@ jobs:
 
       - name: Run `packer build`
         id: build
-        working-directory: ./aws/test-ec2-secrets/packer
+        working-directory: ./aws/packer
         run: | 
           packer build ./aws-ubuntu.pkr.hcl
           cat manifest.json | jq -r '.builds[-1].artifact_id' |  cut -d':' -f2
@@ -75,17 +75,17 @@ jobs:
         uses: hashicorp/setup-terraform@v3
       - id: tf-init
         name: Terraform Init
-        working-directory: ./aws/test-ec2-secrets/terraform
+        working-directory: ./aws/terraform
         run: terraform init
       - id: tf-validate
         name: Terraform Validate
-        working-directory: ./aws/test-ec2-secrets/terraform
+        working-directory: ./aws/terraform
         run: terraform validate -no-color
       - id: tf-plan
         name: Terraform Plan
         env:
           AMI_ID: ${{ needs.packer-build.outputs.ami_id }}
-        working-directory: ./aws/test-ec2-secrets/terraform
+        working-directory: ./aws/terraform
         run: |
           echo "AMI_ID=${AMI_ID}"
           export TF_VAR_ami_id=${AMI_ID}

aws/docker-compose/default.env

@@ -0,0 +1,5 @@
+AWS_ACCESS_KEY_ID=INVALID
+AWS_SECRET_ACCESS_KEY=INVALID
+OAUTH_TOKEN=NOT_THE_REAL_TOKEN
+SENTRY_DSN=https://something.ingest.us.sentry.io/something
+OTEL_ENABLED=false

aws/docker-compose/docker-compose.yml

@@ -0,0 +1,117 @@
+services:
+  cert-copy:
+    image: bitnami/minideb:latest
+    restart: unless-stopped
+    command: ["./etc/copy_script.sh"]
+    depends_on:
+      - certbot
+    configs:
+      - source: copy_script
+        target: /etc/copy_script.sh
+    volumes:
+      - certbot-certificates:/etc/certbot/certificates:ro
+      - envoy-certificates:/etc/envoy/certificates:rw
+    deploy:
+      restart_policy:
+        condition: unless-stopped
+        delay: 60s
+
+
+  certbot:
+#    restart: unless-stopped
+    image: certbot/dns-route53:arm64v8-v2.11.0
+    command: [ "certonly", "-v", "--dns-route53", "-d", "events.gitstafette.joostvdg.net", "--email", "[email protected]", "--keep-until-expiring", "--agree-tos", "--non-interactive" ]
+    volumes:
+      - certbot-certificates:/etc/letsencrypt
+    deploy:
+      restart_policy:
+        condition: unless-stopped
+        delay: 60s
+    env_file:
+      - path: ./default.env
+        required: true # default
+      - path: ./override.env
+        required: false
+
+  envoy:
+    image: envoyproxy/envoy:v1.22.8
+    restart: unless-stopped
+    configs:
+      - source: envoy_proxy
+        target: /etc/envoy/envoy-proxy.yaml
+        uid: "103"
+        gid: "103"
+        mode: 0440
+    command: /usr/local/bin/envoy -c /etc/envoy/envoy-proxy.yaml -l debug
+    depends_on:
+      - cert-copy
+      - gitstafette-server
+    volumes:
+      - type: volume
+        source: envoy-certificates
+        target: /etc/envoy/certificates
+    ports:
+      - 443:443
+      - 8081:8081
+      - 8082:8082
+
+  gitstafette-server:
+    restart: unless-stopped
+    init: true
+    image: ghcr.io/joostvdg/gitstafette/server:0.3.0 #ghcr.io/joostvdg/gitstafette/server:0.1.0-3dfea6d
+    command: [
+      "--repositories=537845873,478599060,758715872,763032882,502306743",
+      "--grpcPort=50051",
+      "--port=1323",
+      "--grpcHealthPort=50051",
+      "--caFileLocation=/run/secrets/ca.cert",
+      "--certFileLocation=/run/secrets/server.cert",
+      "--certKeyFileLocation=/run/secrets/server.key"
+    ]
+    secrets:
+      - source: certificate
+        target: server.cert
+        uid: "103"
+        gid: "103"
+        mode: 0440
+      - source: certificate-key
+        target: server.key
+        uid: "103"
+        gid: "103"
+        mode: 0440
+      - source: ca
+        target: ca.cert
+        uid: "103"
+        gid: "103"
+        mode: 0440
+    ports:
+      - "8080:1323"
+      - "50051:50051"
+    env_file:
+      - path: ./default.env
+        required: true # default
+      - path: ./override.env
+        required: false
+
+secrets:
+  certificate:
+    file: ./certs/events-aws.pem
+  certificate-key:
+    file: ./certs/events-aws-key.pem
+  ca:
+    file: ./certs/ca.pem
+
+configs:
+  envoy_proxy:
+    file: ./envoy/envoy.yaml
+  copy_script:
+    file: ./scripts/copy_certs.sh
+
+volumes:
+  certbot-certificates:
+  envoy-certificates:
+
+networks:
+  gitstafette:
+    driver: bridge
+    enable_ipv6: false

aws/docker-compose/envoy/envoy.yaml

@@ -0,0 +1,108 @@
+static_resources:
+  listeners:
+    - address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8082
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                codec_type: AUTO
+                stat_prefix: ingress_http
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: gitstafette-server
+                      domains:
+                        - "*"
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: gitstafette-server
+                http_filters:
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+    - address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 443
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                codec_type: AUTO
+                stat_prefix: ingress_http
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: gitstafette-server
+                      domains:
+                        - "events.gitstafette.joostvdg.net"
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: gitstafette-server
+                http_filters:
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          transport_socket:
+            name: envoy.transport_sockets.tls
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+              common_tls_context:
+                tls_certificates:
+                  - certificate_chain:
+                      filename: /etc/envoy/certificates/fullchain.pem
+                    private_key:
+                      filename: /etc/envoy/certificates/privkey.pem
+
+  clusters:
+    - name: gitstafette-server
+      connect_timeout: 8s
+      type: STATIC
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: gitstafette-server
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: 172.18.0.1
+                      port_value: 8080
+#  clusters:
+#    - name: gitstafette-server
+#      type: STRICT_DNS
+#      lb_policy: ROUND_ROBIN
+#      load_assignment:
+#        cluster_name: gitstafette-server
+#        endpoints:
+#          - lb_endpoints:
+#              - endpoint:
+#                  address:
+#                    socket_address:
+#                      address: gitstafette-server
+#                      port_value: 1323
+
+admin:
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 8001
+layered_runtime:
+  layers:
+    - name: static_layer_0
+      static_layer:
+        envoy:
+          resource_limits:
+            listener:
+              example_listener_name:
+                connection_limit: 10000

aws/docker-compose/scripts/copy_certs.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+echo "> Reading source location"
+ls -lath /etc/certbot/certificates/live/events.gitstafette.joostvdg.net
+
+echo "> Copy to target location"
+cp /etc/certbot/certificates/live/events.gitstafette.joostvdg.net/*.pem /etc/envoy/certificates/
+
+echo "> Reading target location"
+ls -lath /etc/envoy/certificates
+
+echo "> Set Cert permissions"
+chmod 0444 /etc/envoy/certificates/fullchain.pem
+chmod 0444 /etc/envoy/certificates/cert.pem
+chmod 0444 /etc/envoy/certificates/privkey.pem
+
+echo "> Sleeping for 1 hour"
+sleep 3600

aws/packer/Makefile

@@ -0,0 +1,9 @@
+format:
+	packer fmt .
+
+validate:
+	packer validate .
+
+build:
+	packer build aws-ubuntu.pkr.hcl
+	cat manifest.json | jq -r '.builds[-1].artifact_id' |  cut -d':' -f2

aws/packer/aws-ubuntu.pkr.hcl

@@ -8,12 +8,12 @@ packer {
 }
 
 source "amazon-ebs" "ubuntu" {
-  ami_name      = "gitstafette-server"
+  ami_name      = "${var.ami_prefix}-${local.date}"
   instance_type = "t4g.nano"
   region        = "eu-central-1"
   source_ami_filter {
     filters = {
-      name                = "ubuntu/images/*ubuntu-jammy-22.04-arm64-server-*"
+      name                = "ubuntu/images/*ubuntu-*-24.04-arm64-server-*"
       root-device-type    = "ebs"
       virtualization-type = "hvm"
     }
@@ -28,6 +28,8 @@ build {
   sources = [
     "source.amazon-ebs.ubuntu"
   ]
+
+
   provisioner "shell" {
     inline = [
       "sudo apt-get update",
@@ -40,8 +42,42 @@ build {
       "sudo systemctl status docker",
       "sudo usermod -aG docker ubuntu",
       "docker compose version",
+      "sudo snap install btop",
+      "sudo snap install aws-cli --classic",
+      "aws --version",
+      "sudo apt upgrade -y",
+    ]
+  }
+
+  provisioner "file" {
+    source = "../docker-compose"
+    destination = "/home/ubuntu/gitstafette"
+  }
+
+  provisioner "shell" {
+    inline = [
+      "cd /home/ubuntu/gitstafette",
+      "chmod +x /home/ubuntu/gitstafette/scripts/*.sh",
+      "sudo su - ubuntu -c 'docker compose version'",
+      "sudo su - ubuntu -c 'docker compose --project-directory=/home/ubuntu/gitstafette --progress=plain pull '",
     ]
   }
+
+
+  post-processor "manifest" {
+    output     = "manifest.json"
+    strip_path = true
+  }
+
+}
+
+
+locals {
+  date = formatdate("YYYY-MM-DD-hh-mm", timestamp())
+}
+
+variable "ami_prefix" {
+  type    = string
+  default = "gitstafette-server"
 }
 
-// MY IP: 77.174.22.146/32

aws/packer/export-ami-id.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+export AMI_ID=$(jq -r '.builds[-1].artifact_id | split(":") | .[1]' manifest.json)
+echo "AMI_ID=$AMI_ID"