From d3a7300dc8342111a1ba30d6e2ad95e608a7363b Mon Sep 17 00:00:00 2001
From: Owen Jacobson
Date: Sat, 10 Mar 2018 20:56:37 -0500
Subject: Infrastructure for publishing the site to S3/CloudFormation.
---
.gitignore | 5 +--
bin/publish-s3 | 34 ++++++++++++++++++++
bliki.tf | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 135 insertions(+), 2 deletions(-)
create mode 100755 bin/publish-s3
create mode 100644 bliki.tf
diff --git a/.gitignore b/.gitignore
index 8c0a0c6..d8a2f19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-.html
-.tmp
+/.html/
+/.tmp/
+/.terraform/
diff --git a/bin/publish-s3 b/bin/publish-s3
new file mode 100755
index 0000000..caefd67
--- /dev/null
+++ b/bin/publish-s3
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+
+BLIKI_BASE="$(dirname "$(dirname "$0")")"
+HTML="$BLIKI_BASE/.html"
+
+BUCKET="$1"
+
+find "$HTML" -type f | while read SOURCE; do
+ HTML_PATH="${SOURCE#$HTML/}"
+ case "$HTML_PATH" in
+ index.html)
+ KEY="$HTML_PATH"
+ CONTENT_TYPE="text/html; charset=UTF-8"
+ ;;
+ */index.html)
+ KEY="$HTML_PATH"
+ CONTENT_TYPE="text/html; charset=UTF-8"
+ ;;
+ *.html)
+ KEY="${HTML_PATH%.html}"
+ CONTENT_TYPE="text/html; charset=UTF-8"
+ ;;
+ *.css)
+ KEY="${HTML_PATH}"
+ CONTENT_TYPE="text/css"
+ ;;
+ *)
+ KEY="$HTML_PATH"
+ CONTENT_TYPE="$(file --mime-type -b "${SOURCE}")"
+ ;;
+ esac
+
+ aws s3 cp --content-type "$CONTENT_TYPE" "$SOURCE" "s3://$BUCKET/$KEY"
+done
diff --git a/bliki.tf b/bliki.tf
new file mode 100644
index 0000000..d83b5b4
--- /dev/null
+++ b/bliki.tf
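Review bot: In bin/publish-s3, `BUCKET="$1"` is used unchecked and the `find … | while read` pipeline runs without `pipefail`, so a missing argument only surfaces as an aws error on the first file and a missing `.html` directory makes the script exit 0 having uploaded nothing. Suggested lines: `BUCKET="${1:?usage: publish-s3 BUCKET}"`, `set -o pipefail` near the top, and `while IFS= read -r SOURCE; do` so that file names containing backslashes or leading spaces are uploaded under the right key. The loop also copies every regular file found under `.html` and never removes anything, so a header comment should state that stray build artefacts are served by the site and that pages deleted locally stay published until they are removed from the bucket by hand.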
@@ -0,0 +1,98 @@
+terraform {
+ backend "s3" {
+ bucket = "terraform.grimoire"
+ key = "bliki.tfstate"
+ region = "ca-central-1"
+ }
+}
+
+provider "aws" {
+ version = "~> 1.11"
+
+ region = "ca-central-1"
+}
+
+resource "aws_s3_bucket" "bliki" {
+ bucket = "grimoire.ca"
+
+ website {
+ index_document = "index.html"
+ }
+}
+
+resource "aws_s3_bucket_policy" "bliki" {
+ bucket = "${aws_s3_bucket.bliki.id}"
+ policy = < /index.html
+ # translation through S3's website config.
+ domain_name = "${aws_s3_bucket.bliki.website_endpoint}"
+
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+
+ # Because the origin is a non-URL-safe bucket name, S3's default TLS
+ # config doesn't apply. Since we can't provide our own cert, force HTTP.
+ origin_protocol_policy = "http-only"
+ origin_ssl_protocols = ["TLSv1.2"]
+ }
+ }
+
+ default_cache_behavior {
+ target_origin_id = "bliki"
+
+ allowed_methods = ["GET", "HEAD", "OPTIONS"]
+ cached_methods = ["GET", "HEAD"]
+ viewer_protocol_policy = "redirect-to-https"
+
+ compress = true
+
+ min_ttl = 0
+ default_ttl = 900
+ max_ttl = 3600
+
+ forwarded_values {
+ query_string = false
+
+ cookies {
+ forward = "none"
+ }
+ }
+ }
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "none"
+ }
+ }
+
+ viewer_certificate {
+ cloudfront_default_certificate = true
+ }
+}
-- cgit v1.2.3
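Review bot: In the `custom_origin_config` block, `origin_protocol_policy = "http-only"` means every origin fetch from CloudFront to the S3 website endpoint travels in cleartext, and `origin_ssl_protocols = ["TLSv1.2"]` is not used under that policy; the comment above it should say so, e.g. `# Website endpoints are HTTP-only: the CloudFront-to-S3 leg is unencrypted and origin_ssl_protocols is unused.` A website-endpoint origin needs publicly readable objects, so the bucket is presumably also reachable directly over plain HTTP, bypassing `viewer_protocol_policy = "redirect-to-https"`. The policy document and the opening of the distribution resource are not visible on this page, so confirm against the full file that the policy grants read access only. Separately, the `backend "s3"` block does not set `encrypt = true`, and no `logging_config` appears in the visible part of the distribution, which leaves no access log to consult if published content is altered.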