stashphoto.jinwei.me

23 files changed, 479 insertions, 59 deletions

diff --git a/photo.jinwei.me/config/ansible.cfg b/photo.jinwei.me/config/ansible.cfg
new file mode 100644
index 0000000..9345045
--- /dev/null
+++ b/photo.jinwei.me/config/ansible.cfg
@@ -0,0 +1,14 @@
+[defaults]
+host_key_checking = False
+transport = ssh
+remote_user = admin
+roles_path = roles
+inventory = inventory
+force_color = True
+interpreter_python = auto_silent
+
+[connection]
+pipelining = True
+
+[privilege_escalation]
+become = True
diff --git a/photo.jinwei.me/config/inventory/aws_ec2.yaml b/photo.jinwei.me/config/inventory/aws_ec2.yaml
new file mode 100644
index 0000000..c35e172
--- /dev/null
+++ b/photo.jinwei.me/config/inventory/aws_ec2.yaml
@@ -0,0 +1,7 @@
+plugin: aws_ec2
+regions:
+  - eu-central-1
+hostnames:
+  - tag:Name
+compose:
+  ansible_host: public_ip_address
diff --git a/photo.jinwei.me/config/requirements.yaml b/photo.jinwei.me/config/requirements.yaml
new file mode 100644
index 0000000..5229cc7
--- /dev/null
+++ b/photo.jinwei.me/config/requirements.yaml
@@ -0,0 +1,10 @@
+---
+collections:
+  - name: amazon.aws
+    version: 3.2.0
+  - name: community.general
+    version: 4.7.0
+  - name: ansible.posix
+    version: 1.3.0
+  - name: community.docker
+    version: 3.2.1
diff --git a/photo.jinwei.me/config/role.yaml b/photo.jinwei.me/config/role.yaml
new file mode 100644
index 0000000..ab3fca5
--- /dev/null
+++ b/photo.jinwei.me/config/role.yaml
@@ -0,0 +1,3 @@
+- hosts: "{{ target }}"
+  roles:
+    - role: "{{ role }}"
diff --git a/photo.jinwei.me/config/roles/debian_init/defaults/main.yaml b/photo.jinwei.me/config/roles/debian_init/defaults/main.yaml
new file mode 100644
index 0000000..685f0b6
--- /dev/null
+++ b/photo.jinwei.me/config/roles/debian_init/defaults/main.yaml
@@ -0,0 +1 @@
+user_home: /home/clarkzjw
diff --git a/photo.jinwei.me/config/roles/debian_init/tasks/main.yaml b/photo.jinwei.me/config/roles/debian_init/tasks/main.yaml
new file mode 100644
index 0000000..19b0ed8
--- /dev/null
+++ b/photo.jinwei.me/config/roles/debian_init/tasks/main.yaml
@@ -0,0 +1,72 @@
+- name: Disable unattended-upgrades
+  ansible.builtin.systemd:
+    name: unattended-upgrades
+    state: stopped
+    enabled: false
+
+- name: install packages
+  apt:
+    update_cache: true
+    name:
+      - apt-transport-https
+      - build-essential
+      - ca-certificates
+      - mariadb-client
+      - lsb-release
+      - python3
+      - python3-dev
+      - python3-pip
+      - unzip
+      - gnupg
+      - htop
+      - curl
+      - tree
+      - zip
+      - vim
+      - zsh
+      - git
+
+- name: add user
+  user:
+    name: clarkzjw
+    shell: /usr/bin/zsh
+    home: "{{ user_home }}"
+    system: true
+
+- name: Add Docker GPG apt Key
+  apt_key:
+    url: https://download.docker.com/linux/debian/gpg
+    keyring: /etc/apt/trusted.gpg.d/docker.gpg
+    state: present
+
+- name: Add Docker Repository
+  apt_repository:
+    repo: deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release | lower }} stable
+    state: present
+
+- name: Update apt and install docker-ce
+  apt:
+    name:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-compose-plugin
+    state: latest
+    update_cache: true
+
+- name: Install Docker Module for Python
+  pip:
+    name:
+    - docker
+    - docker-compose
+
+- name: enable docker service
+  systemd:
+    name: docker
+    enabled: true
+    daemon_reload: true
+
+- name: Clean unneeded packages
+  ansible.builtin.apt:
+    autoremove: true
+    purge: true
diff --git a/photo.jinwei.me/config/roles/wordpress/Dockerfile b/photo.jinwei.me/config/roles/wordpress/Dockerfile
new file mode 100644
index 0000000..34704c0
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/Dockerfile
@@ -0,0 +1,5 @@
+FROM wordpress:apache
+
+RUN apt-get update -y && apt-get install -y libgmp-dev && docker-php-ext-install gmp
+
+ADD uploads.ini /usr/local/etc/php/conf.d/uploads.ini
diff --git a/photo.jinwei.me/config/roles/wordpress/build.sh b/photo.jinwei.me/config/roles/wordpress/build.sh
new file mode 100755
index 0000000..55d7c0e
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/build.sh
@@ -0,0 +1,5 @@
+docker_repo=docker.io/clarkzjw
+docker_image=wordpress
+docker_image_tag=$(date -u +%Y%m%d)
+sudo docker build -t $docker_repo/$docker_image:"$docker_image_tag" .
+sudo docker push $docker_repo/$docker_image:"$docker_image_tag"
diff --git a/photo.jinwei.me/config/roles/wordpress/defaults/main.yaml b/photo.jinwei.me/config/roles/wordpress/defaults/main.yaml
new file mode 100644
index 0000000..250e0a5
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/defaults/main.yaml
@@ -0,0 +1,4 @@
+wordpress_image: clarkzjw/wordpress
+wordpress_image_tag: 20221211
+wordpress_port: 30080
+wordpress_home: /opt/wordpress
diff --git a/photo.jinwei.me/config/roles/wordpress/tasks/main.yaml b/photo.jinwei.me/config/roles/wordpress/tasks/main.yaml
new file mode 100644
index 0000000..3835145
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/tasks/main.yaml
@@ -0,0 +1,16 @@
+- name: Pull wordpress Docker image
+  community.docker.docker_image:
+    name: "{{ wordpress_image }}:{{ wordpress_image_tag }}"
+    source: pull
+
+- name: render config file
+  template:
+    src: docker-compose.yaml.j2
+    dest: "{{ wordpress_home }}/docker-compose.yaml"
+    mode: 0644
+
+- name: Start wordpress container using docker-compose
+  community.docker.docker_compose:
+    project_name: wordpress
+    project_src: "{{ wordpress_home }}"
+  register: output
diff --git a/photo.jinwei.me/config/roles/wordpress/templates/docker-compose.yaml.j2 b/photo.jinwei.me/config/roles/wordpress/templates/docker-compose.yaml.j2
new file mode 100644
index 0000000..447b80b
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/templates/docker-compose.yaml.j2
@@ -0,0 +1,22 @@
+version: '3'
+services:
+    cloudflared:
+        image: cloudflare/cloudflared
+        container_name: cloudflare-tunnel
+        network_mode: host
+        restart: always
+        command: tunnel run
+        environment:
+        - TUNNEL_TOKEN={{ lookup('aws_ssm', '/jinwei-me/cloudflare/tunnel_token') }}
+    wordpress:
+        image: "{{ wordpress_image }}:{{ wordpress_image_tag }}"
+        volumes:
+        - "{{ wordpress_home }}/wp-content:/var/www/html/wp-content"
+        restart: always
+        ports:
+        - 30081:80
+        environment:
+        - WORDPRESS_DB_HOST={{ lookup('aws_ssm', '/jinwei-me/mysql/host') }}:{{ lookup('aws_ssm', '/jinwei-me/mysql/port') }}
+        - WORDPRESS_DB_USER={{ lookup('aws_ssm', '/jinwei-me/mysql/username') }}
+        - WORDPRESS_DB_PASSWORD={{ lookup('aws_ssm', '/jinwei-me/mysql/password') }}
+        - WORDPRESS_DB_NAME={{ lookup('aws_ssm', '/jinwei-me/mysql/name') }}
diff --git a/photo.jinwei.me/config/roles/wordpress/uploads.ini b/photo.jinwei.me/config/roles/wordpress/uploads.ini
new file mode 100644
index 0000000..cd6e86c
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/uploads.ini
@@ -0,0 +1,5 @@
+file_uploads = On
+post_max_size = 100M
+upload_max_filesize = 100M
+memory_limit = 512M
+max_execution_time = 600
diff --git a/photo.jinwei.me/config/site.yaml b/photo.jinwei.me/config/site.yaml
new file mode 100644
index 0000000..3dbcc71
--- /dev/null
+++ b/photo.jinwei.me/config/site.yaml
@@ -0,0 +1,3 @@
+- hosts: jinwei-me
+  roles:
+    - role: debian_init
diff --git a/photo.jinwei.me/infra/.terraform.lock.hcl b/photo.jinwei.me/infra/.terraform.lock.hcl
index 6007472..26d65b6 100644
--- a/photo.jinwei.me/infra/.terraform.lock.hcl
+++ b/photo.jinwei.me/infra/.terraform.lock.hcl
@@ -1,24 +1,66 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
-provider "registry.terraform.io/hetznercloud/hcloud" {
-  version     = "1.36.1"
-  constraints = "1.36.1"
+provider "registry.terraform.io/cloudflare/cloudflare" {
+  version     = "3.29.0"
+  constraints = "~> 3.29"
   hashes = [
-    "h1:xZSvxx6aUo0oZp2uqNxi/+wqnCNEBBuu8y7GeXIO9qA=",
-    "zh:16558b25c7f92f187278e94e951b0ab687882b06acff5b1387f3293f27939f8c",
-    "zh:28fc79ac2189ff0f5e6c9535ada8f57552b6e21c978b59dc78e086c27b9e4b23",
-    "zh:373907f9f7f2cefa94e2d5638bf5bef3d3b17e7655dc84dd6089346c6f4f9096",
-    "zh:394716cd877de682a0772d660f1bdb3838c5d751eca2211105d5ede248c48c39",
-    "zh:3c438c6590fcc8ac65a10039b2f5ba9ee379a734cb93a59c6cf74f385d891e87",
-    "zh:3f777a460a62fd23b283c269f1533b3887bf0c5564581e1e96cf294e077f5a8a",
-    "zh:4f62967553d7ce81ec14db7685306b625970ba6640b5764dc0137675ab97af0b",
-    "zh:56da08f8d75f596d6f9da4f0fd16bd60d1733cabcc260e885e1d7a711d6d3d8b",
-    "zh:62776c885bfa8e715dba6662f1744b5251f4cdd523dd4d1e4ccb2e25489593e9",
-    "zh:64cbb68139aa65f95ab3e654d872f9d34ef991fbf667fc30e0f29b96b5e8b4ed",
-    "zh:75a4b7a73ff0a537214d12d820438b7ae7a33d660e5d793f4ae0ebe3152bff00",
-    "zh:7b59d72538772ada7d51eaa50c905285200b1889ab29948b533412ccdf4d18de",
-    "zh:b84eeaa82bf765c6dd945ae83f1a9271fa5fad53b861b18b09cb8deda67dae13",
-    "zh:e81c3ea971e32a6ca3fdb0cd9e644614308ab2cf2a19482dd8a109d67fe3fb6f",
+    "h1:iGDvVJ6kdlopyhR3ONeoh8gZWZg8+M/seP7VM7gOp1I=",
+    "zh:0947f7f9e0234aaeb6b5f344de4148a6379d05370937e1c255872697803c17cc",
+    "zh:17abb230abd852e0e4ed9921cd9aaf03336ad4a13a25b1040ed86cdbddf05123",
+    "zh:2ddf550dbdf5c58bbb8d14de6b2dc76627bb92787b99328300fb312c51e12d1f",
+    "zh:4645758bdefe52c1aa260368522aff6fcb4e508c918e9b2c263c9debd7d71684",
+    "zh:6047320a05d07045f7fb4b24c2540600473a94fc15a24ef99339a6690ab47dfe",
+    "zh:6db2d4e4bc3ab8b6107aec80a8041388c2a7722472c5efa6caf8435a453b1f33",
+    "zh:8b6b75a75567ae44a788128aebcbb59cebd9a9dbc4ddc1b05f4455734363d55a",
+    "zh:90c51deb4e96690ed73d8b8498d5ab2d7bb78597861bbef23fab18764371deb0",
+    "zh:9b0f89952afb5d00e31fb745f1ebb4ef677591ca62c002c744d23bcaa0d51e9a",
+    "zh:9cfe38d8ef5515d164f59b5f4ddc14bb8817051ea4efed54cb7834c66492dd79",
+    "zh:acf89e44b8643d52186ef5155c8889845681471abb60a933017cda9bc38d86ef",
+    "zh:c09205c6f1e39994c2f707cce0758a2cd16949b33566a724644593d2a616ea41",
+    "zh:c5412f2868592db091b91361b7a85fa3a1a97282e9e6e1c5883dd5f6b5f2e86c",
+    "zh:ff93702ca9a99863914718ae4214acffa1a72d481c8e1d3254ccf5930a2d7e10",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.46.0"
+  constraints = ">= 3.73.0, ~> 4.46"
+  hashes = [
+    "h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=",
+    "zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2",
+    "zh:329903acf86ef6072502736dff4c43c2b50f762a958f76aa924e2d74c7fca1e3",
+    "zh:33db8131fe0ec7e1d9f30bc9f65c2440e9c1f708d681b6062757a351f1df7ce6",
+    "zh:3a3b010bc393784c16f4b6cdce7f76db93d5efa323fce4920bfea9e9ba6abe44",
+    "zh:979e2713a5759a7483a065e149e3cb69db9225326fc0457fa3fc3a48aed0c63f",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9efcf0067e16ad53da7504178a05eb2118770b4ae00c193c10ecad4cbfce308e",
+    "zh:a10655bf1b6376ab7f3e55efadf54dc70f7bd07ca11369557c312095076f9d62",
+    "zh:b0394dd42cbd2a718a7dd7ae0283f04769aaf8b3d52664e141da59c0171a11ab",
+    "zh:b958e614c2cf6d9c05a6ad5e94dc5c04b97ebfb84415da068be5a081b5ebbe24",
+    "zh:ba5069e624210c63ad9e633a8eb0108b21f2322bc4967ba2b82d09168c466888",
+    "zh:d7dfa597a17186e7f4d741dd7111849f1c0dd6f7ebc983043d8262d2fb37b408",
+    "zh:e8a641ca2c99f96d64fa2725875e797273984981d3e54772a2823541c44e3cd3",
+    "zh:f89898b7067c4246293a8007f59f5cfcac7b8dd251d39886c7a53ba596251466",
+    "zh:fb1e1df1d5cc208e08a850f8e84423bce080f01f5e901791c79df369d3ed52f2",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.4.3"
+  hashes = [
+    "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=",
+    "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752",
+    "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b",
+    "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3",
+    "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5",
+    "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda",
+    "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6",
+    "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1",
+    "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d",
+    "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8",
+    "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93",
   ]
 }
diff --git a/photo.jinwei.me/infra/data.tf b/photo.jinwei.me/infra/data.tf
new file mode 100644
index 0000000..2102273
--- /dev/null
+++ b/photo.jinwei.me/infra/data.tf
@@ -0,0 +1,11 @@
+data "aws_ami" "debian" {
+  most_recent = true
+  owners      = ["136693071363"]
+
+  filter {
+    name   = "name"
+    values = ["debian-11-amd64-*"]
+  }
+}
+
+data "aws_availability_zones" "available" {}
diff --git a/photo.jinwei.me/infra/keypair.tf b/photo.jinwei.me/infra/keypair.tf
new file mode 100644
index 0000000..a73a0af
--- /dev/null
+++ b/photo.jinwei.me/infra/keypair.tf
@@ -0,0 +1,4 @@
+resource "aws_key_pair" "framework" {
+  key_name   = "framework"
+  public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILS2i5/x9r+cv2j2/SUZ2x2fgQeGnJP1I7PUHC0UdWN6 framework"
+}
diff --git a/photo.jinwei.me/infra/main.tf b/photo.jinwei.me/infra/main.tf
index aabde19..5d3a001 100644
--- a/photo.jinwei.me/infra/main.tf
+++ b/photo.jinwei.me/infra/main.tf
@@ -1,54 +1,46 @@
-terraform {
-  required_providers {
-    hcloud = {
-      source  = "hetznercloud/hcloud"
-      version = "1.36.1"
-    }
-  }
-}
-
-variable "hcloud_token" {
-  sensitive = true
+locals {
+  name = var.name
 }
 
-variable "ip_range" {
-  default = "10.0.1.0/24"
+data "aws_subnet" "ec2" {
+  filter {
+    name   = "availability-zone"
+    values = [aws_db_instance.jinwei-me.availability_zone]
+  }
+  filter {
+    name   = "subnet-id"
+    values = module.vpc.public_subnets
+  }
 }
 
-resource "hcloud_ssh_key" "framework" {
-  name       = "framework"
-  public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILS2i5/x9r+cv2j2/SUZ2x2fgQeGnJP1I7PUHC0UdWN6 framework"
-}
+resource "aws_instance" "jinwei_me" {
+  ami           = data.aws_ami.debian.id
+  instance_type = var.ec2_instance_type
 
-data "hcloud_image" "debian" {
-  name = "debian-11"
-}
+  subnet_id = data.aws_subnet.ec2.id
+  key_name  = "framework"
 
-resource "hcloud_server" "default" {
-  name        = "photo"
-  image       = data.hcloud_image.debian.name
-  server_type = "cpx11"
-  location    = "fsn1"
-  ssh_keys    = [hcloud_ssh_key.framework.id]
+  vpc_security_group_ids = [aws_security_group.backend.id]
 
-  public_net {
-    ipv4_enabled = true
-    ipv4         = hcloud_primary_ip.primary_ip_1.id
+  root_block_device {
+    volume_type = "gp3"
+    // how to resize partition and file system after resizing ebs volume
+    // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html
+    volume_size = "30"
+    tags = {
+      Name = "${local.name}-root"
+    }
   }
-  delete_protection  = false
-  rebuild_protection = false
 
-  firewall_ids = [hcloud_firewall.default.id]
-}
+  tags = {
+    Name = local.name
+  }
 
-resource "hcloud_primary_ip" "primary_ip_1" {
-  name          = "primary_ip_test"
-  datacenter    = "fsn1-dc14"
-  type          = "ipv4"
-  assignee_type = "server"
-  auto_delete   = true
+  lifecycle {
+    ignore_changes = [ami]
+  }
 }
 
-resource "hcloud_firewall" "default" {
-  name = "default"
+resource "aws_eip" "jinwei-me" {
+  instance = aws_instance.jinwei_me.id
 }
diff --git a/photo.jinwei.me/infra/outputs.tf b/photo.jinwei.me/infra/outputs.tf
new file mode 100644
index 0000000..d24426f
--- /dev/null
+++ b/photo.jinwei.me/infra/outputs.tf
@@ -0,0 +1,29 @@
+output "rds_hostname" {
+  description = "RDS instance hostname"
+  value       = aws_db_instance.jinwei-me.address
+}
+
+output "rds_port" {
+  description = "RDS instance port"
+  value       = aws_db_instance.jinwei-me.port
+}
+
+output "rds_username" {
+  description = "RDS instance username"
+  value       = aws_db_instance.jinwei-me.username
+}
+
+output "rds_password" {
+  description = "RDS instance password"
+  value       = random_password.rds_password.result
+  sensitive   = true
+}
+
+output "instance" {
+  description = "The main EC2 instance."
+  value = {
+    arn        = aws_instance.jinwei_me.arn
+    public_ip  = aws_eip.jinwei-me.public_ip
+    private_ip = aws_instance.jinwei_me.private_ip
+  }
+}
diff --git a/photo.jinwei.me/infra/rds.tf b/photo.jinwei.me/infra/rds.tf
new file mode 100644
index 0000000..f596107
--- /dev/null
+++ b/photo.jinwei.me/infra/rds.tf
@@ -0,0 +1,49 @@
+resource "aws_db_parameter_group" "jinwei-me" {
+  name   = var.name
+  family = var.rds_parameter_group
+}
+
+resource "aws_db_instance" "jinwei-me" {
+  identifier             = var.name
+  instance_class         = var.rds_instance_class
+  allocated_storage      = var.rds_storage
+  engine                 = var.rds_engine
+  engine_version         = var.rds_engine_version
+  username               = var.rds_username
+  password               = random_password.rds_password.result
+  port                   = var.rds_port
+  db_subnet_group_name   = aws_db_subnet_group.jinwei-me.name
+  vpc_security_group_ids = [aws_security_group.rds.id]
+  parameter_group_name   = aws_db_parameter_group.jinwei-me.name
+  publicly_accessible    = true
+  skip_final_snapshot    = true
+}
+
+resource "random_password" "rds_password" {
+  length  = 16
+  special = false
+}
+
+resource "aws_ssm_parameter" "rds_host" {
+  name  = "/${var.name}/mysql/host"
+  type  = "String"
+  value = aws_db_instance.jinwei-me.address
+}
+
+resource "aws_ssm_parameter" "rds_port" {
+  name  = "/${var.name}/mysql/port"
+  type  = "String"
+  value = aws_db_instance.jinwei-me.port
+}
+
+resource "aws_ssm_parameter" "rds_user" {
+  name  = "/${local.name}/mysql/username"
+  type  = "String"
+  value = aws_db_instance.jinwei-me.username
+}
+
+resource "aws_ssm_parameter" "rds_password" {
+  name  = "/${local.name}/mysql/password"
+  type  = "SecureString"
+  value = random_password.rds_password.result
+}
diff --git a/photo.jinwei.me/infra/sg.tf b/photo.jinwei.me/infra/sg.tf
new file mode 100644
index 0000000..4d5ecaa
--- /dev/null
+++ b/photo.jinwei.me/infra/sg.tf
@@ -0,0 +1,38 @@
+# EC 2
+resource "aws_security_group" "backend" {
+  name   = local.name
+  vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "backend_ingress_ssh" {
+  security_group_id = aws_security_group.backend.id
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = 22
+  to_port           = 22
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "backend_egress_all" {
+  security_group_id = aws_security_group.backend.id
+  type              = "egress"
+  protocol          = "all"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+# RDS
+resource "aws_security_group" "rds" {
+  name   = "${local.name}-db"
+  vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "db_ingress_backend" {
+  security_group_id        = aws_security_group.rds.id
+  type                     = "ingress"
+  protocol                 = "tcp"
+  from_port                = var.rds_port
+  to_port                  = var.rds_port
+  source_security_group_id = aws_security_group.backend.id
+}
diff --git a/photo.jinwei.me/infra/variables.tf b/photo.jinwei.me/infra/variables.tf
new file mode 100644
index 0000000..7a62b4d
--- /dev/null
+++ b/photo.jinwei.me/infra/variables.tf
@@ -0,0 +1,47 @@
+provider "aws" {
+  region = var.region
+}
+
+variable "name" {
+  description = "Name of the service. It will be used to name EC2, and RDS instances."
+  default     = "jinwei-me"
+}
+
+variable "region" {
+  default     = "eu-central-1"
+  description = "AWS region"
+}
+
+# RDS
+variable "rds_instance_class" {
+  default = "db.t3.micro"
+}
+
+variable "rds_storage" {
+  default = 5
+}
+
+variable "rds_username" {
+  default = "jinweime"
+}
+
+variable "rds_engine" {
+  default = "mariadb"
+}
+
+variable "rds_engine_version" {
+  default = "10.6"
+}
+
+variable "rds_parameter_group" {
+  default = "mariadb10.6"
+}
+
+variable "rds_port" {
+  default = 33060
+}
+
+# EC 2
+variable "ec2_instance_type" {
+  default = "t3.micro"
+}
diff --git a/photo.jinwei.me/infra/versions.tf b/photo.jinwei.me/infra/versions.tf
new file mode 100644
index 0000000..844ac4b
--- /dev/null
+++ b/photo.jinwei.me/infra/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.46"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 3.29"
+    }
+  }
+}
diff --git a/photo.jinwei.me/infra/vpc.tf b/photo.jinwei.me/infra/vpc.tf
new file mode 100644
index 0000000..0776178
--- /dev/null
+++ b/photo.jinwei.me/infra/vpc.tf
@@ -0,0 +1,29 @@
+locals {
+  cidr_block    = "10.31.0.0/16"
+  subnets       = cidrsubnets(local.cidr_block, 4, 4, 4, 4, 4, 4)
+  subnet_groups = chunklist(local.subnets, 3)
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.18.1"
+
+  name                 = local.name
+  cidr                 = local.cidr_block
+  azs                  = data.aws_availability_zones.available.names
+  private_subnets      = local.subnet_groups[0]
+  public_subnets       = local.subnet_groups[1]
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  enable_nat_gateway   = false
+  single_nat_gateway   = true
+}
+
+resource "aws_db_subnet_group" "jinwei-me" {
+  name       = var.name
+  subnet_ids = module.vpc.public_subnets
+
+  tags = {
+    Name = var.name
+  }
+}