add git.mari.zip terraform files

infra/.gitignore

@@ -0,0 +1,32 @@
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+*tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

infra/README.md

@@ -0,0 +1,6 @@
+# `git.mari.zip` infrastructure
+
+This folder contains Terraform (OpenTofu) files for managing the `git.mari.zip` GitArena instance and the required stack.
+Use it as reference for deploying your GitArena on your own infrastructure.
+
+Later down the road, ansible playbooks will be added to auto setup GitArena on the terraform-provisioned cloud instance.

infra/cloudflare.tf

@@ -0,0 +1,30 @@
+resource "cloudflare_r2_bucket" "artifacts" {
+  account_id = var.cloudflare_account_id
+  name       = "gitarena"
+  location   = "WEUR"
+}
+
+resource "cloudflare_r2_custom_domain" "artifacts" {
+  account_id  = var.cloudflare_account_id
+  bucket_name = cloudflare_r2_bucket.artifacts.name
+  domain      = "objects.${var.frontend_domain}"
+  zone_id     = var.cloudflare_zone_id
+  enabled     = true
+}
+
+resource "cloudflare_r2_bucket_cors" "artifacts" {
+  account_id  = var.cloudflare_account_id
+  bucket_name = cloudflare_r2_bucket.artifacts.name
+
+  rules = [{
+    allowed = {
+      origins = ["https://${var.frontend_domain}", "https://${var.backend_domain}"]
+      methods = ["GET", "PUT"]
+      headers = ["*"]
+    }
+    expose = {
+      headers = ["ETag"]
+    }
+    max_age_seconds = 3600
+  }]
+}

infra/dns.tf

@@ -0,0 +1,45 @@
+resource "cloudflare_dns_record" "backend" {
+  zone_id = var.cloudflare_zone_id
+  name    = var.backend_domain
+  type    = "A"
+  content = tencentcloud_lighthouse_instance.main.public_addresses[0]
+  proxied = false
+  ttl     = 1
+}
+
+resource "cloudflare_dns_record" "frontend" {
+  zone_id = var.cloudflare_zone_id
+  name    = var.frontend_domain
+  type    = "CNAME"
+  content = trimsuffix(data.vercel_domain_config.frontend.recommended_cname, ".")
+  proxied = false
+  ttl     = 600
+}
+
+resource "cloudflare_dns_record" "mail" {
+  zone_id  = var.cloudflare_zone_id
+  name     = resend_domain.main.spf_mx_record.name
+  type     = resend_domain.main.spf_mx_record.type
+  content  = resend_domain.main.spf_mx_record.value
+  priority = resend_domain.main.spf_mx_record.priority
+  proxied  = false
+  ttl      = try(tonumber(resend_domain.main.spf_mx_record.ttl), 3600)
+}
+
+resource "cloudflare_dns_record" "mail_txt" {
+  zone_id = var.cloudflare_zone_id
+  name    = resend_domain.main.spf_txt_record.name
+  type    = resend_domain.main.spf_txt_record.type
+  content = resend_domain.main.spf_txt_record.value
+  proxied = false
+  ttl     = try(tonumber(resend_domain.main.spf_txt_record.ttl), 3600)
+}
+
+resource "cloudflare_dns_record" "mail_dkim" {
+  zone_id = var.cloudflare_zone_id
+  name    = resend_domain.main.dkim_records[0].name
+  type    = resend_domain.main.dkim_records[0].type
+  content = resend_domain.main.dkim_records[0].value
+  proxied = false
+  ttl     = try(tonumber(resend_domain.main.dkim_records[0].ttl), 3600)
+}

infra/main.tf

@@ -0,0 +1,32 @@
+terraform {
+  required_version = ">= 1.11"
+
+  required_providers {
+    tencentcloud = {
+      source  = "tencentcloudstack/tencentcloud"
+      version = "1.82.74"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "5.19.0-beta.1"
+    }
+    aiven = {
+      source  = "aiven/aiven"
+      version = "4.52.0"
+    }
+    vercel = {
+      source  = "vercel/vercel"
+      version = "4.6.1"
+    }
+    resend = {
+      source  = "registry.terraform.io/jhoward321/resend"
+      version = "0.1.3"
+    }
+    newrelic = {
+      source  = "newrelic/newrelic"
+      version = "3.81.0"
+    }
+  }
+}
+
+

infra/postgres.tf

@@ -0,0 +1,17 @@
+resource "aiven_pg" "main" {
+  project      = "gitarena"
+  service_name = "gitarena"
+  cloud_name   = "do-ams"
+  plan         = "free-1-1gb"
+
+  termination_protection = true
+
+  pg_user_config {
+    pg_version = "17"
+
+    ip_filter_string = [
+      "${tencentcloud_lighthouse_instance.main.public_addresses[0]}/32",
+      var.local_ip_block,
+    ]
+  }
+}

infra/providers.tf

@@ -0,0 +1,28 @@
+provider "tencentcloud" {
+  secret_id  = var.tencent_cloud_secret_id
+  secret_key = var.tencent_cloud_secret_key
+  region     = "eu-frankfurt"
+}
+
+provider "cloudflare" {
+  api_token = var.cloudflare_api_token
+}
+
+provider "aiven" {
+  api_token = var.aiven_api_token
+}
+
+provider "vercel" {
+  api_token = var.vercel_api_token
+  team      = var.vercel_team
+}
+
+provider "resend" {
+  api_key = var.resend_api_key
+}
+
+provider "newrelic" {
+  account_id = var.newrelic_account_id
+  api_key    = var.newrelic_api_token
+  region     = "EU"
+}

infra/resend.tf

@@ -0,0 +1,4 @@
+resource "resend_domain" "main" {
+  name   = var.frontend_domain
+  region = "eu-west-1"
+}

infra/tencent.tf

@@ -0,0 +1,44 @@
+resource "tencentcloud_lighthouse_instance" "main" {
+  instance_name        = "Ubuntu-YUz3"
+  zone                 = "eu-frankfurt-1"
+  bundle_id            = "bundle_starter_nmc_lin_med2_01"
+  blueprint_id         = "lhbp-b46k6f98"
+  renew_flag           = "NOTIFY_AND_MANUAL_RENEW"
+  firewall_template_id = tencentcloud_lighthouse_firewall_template.empty.id
+
+  lifecycle {
+    ignore_changes = [firewall_template_id]
+  }
+}
+
+resource "tencentcloud_lighthouse_firewall_rule" "main_firewall" {
+  instance_id = tencentcloud_lighthouse_instance.main.id
+
+  firewall_rules {
+    protocol                  = "TCP"
+    port                      = "443,80"
+    cidr_block                = "0.0.0.0/0"
+    action                    = "ACCEPT"
+    firewall_rule_description = "caddy"
+  }
+
+  firewall_rules {
+    protocol                  = "TCP"
+    port                      = "22,2222"
+    cidr_block                = "0.0.0.0/0"
+    action                    = "ACCEPT"
+    firewall_rule_description = "ssh"
+  }
+
+  firewall_rules {
+    protocol                  = "ICMP"
+    port                      = "ALL"
+    cidr_block                = "0.0.0.0/0"
+    action                    = "ACCEPT"
+    firewall_rule_description = "ping"
+  }
+}
+
+resource "tencentcloud_lighthouse_firewall_template" "empty" {
+  template_name = "empty"
+}