lukegbcom: autodeploy using Vault

7bf15d81 · lukegb · 78bbce164a2a · 7bf15d81 · 7bf15d81 · 7bf15d81
Commit 7bf15d81 authored Apr 05, 2022 by lukegb
--- a/nix/gitlab-ci/default.nix
+++ b/nix/gitlab-ci/default.nix
@@ -37,7 +37,16 @@

    nixCacheMacOSIntel = macOS "x86_64-darwin";
    nixCacheMacOSARM = macOS "aarch64-darwin";
-  } // (lib.mapAttrs deployStage deployMachs);
+
+    lukegbcom = {
+      stage = "deploy";
+      needs = [{ job = "nixCache"; artifacts = false; }];
+      tags = [ "cacher" ];
+      only.refs = [ "branch/default" ];
+
+      script = ''cd web/lukegbcom && ./deploy.sh'';
+    };
+  }; # // (lib.mapAttrs deployStage deployMachs);

  deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs;
  deployStage = machName: mach: ({

--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -14,6 +14,8 @@
    ./servers.nix

    ./acme-ca.nix
+
+    ./lukegbcom-deployer.nix
  ];

  terraform = {
@@ -32,6 +34,9 @@
    address = "https://vault.int.lukegb.com";
  };

+  resource.vault_gcp_secret_backend.gcp = {
+    path = "gcp";
+  };
  data.vault_generic_secret.misc = {
    path = "kv/misc-input";
  };

--- a/ops/vault/cfg/lukegbcom-deployer.nix
+++ b/ops/vault/cfg/lukegbcom-deployer.nix
+{ ... }:
+
+{
+  resource.vault_gcp_secret_roleset.lukegbcom_deployer = {
+    backend = "\${vault_gcp_secret_backend.gcp.path}";
+    roleset = "lukegbcom-deployer";
+    project = "lukegbcom";
+    secret_type = "access_token";
+    token_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform"
+      "https://www.googleapis.com/auth/firebase"
+    ];
+    binding = [{
+      resource = "//cloudresourcemanager.googleapis.com/projects/lukegbcom";
+      roles = ["roles/firebasehosting.admin"];
+    }];
+  };
+
+  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
+    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
+      capabilities = ["read"]
+    }
+  '';
+}
--- a/web/lukegbcom/default.nix
+++ b/web/lukegbcom/default.nix
@@ -14,6 +14,11 @@
    ".pnp"
    "node_modules"
    ".pnp.js"
+    "*.nix"
+    "*.sh"
+    "*.log"
+    "package.json"
+    "result*"
  ] ./.;
  buildInputs = [ nodejs ];
  buildPhase = ''

--- a/web/lukegbcom/deploy.sh
+++ b/web/lukegbcom/deploy.sh
 #!/usr/bin/env nix-shell
-#!nix-shell -p nodePackages.firebase-tools -i bash
+#!nix-shell -p nodePackages.firebase-tools -p vault -i bash
+
+vault_path=unix:///run/tokend/sock
+deploycmd="deploy"
+postdeploy () {
+  return
+}
+
+if [[ "$(groups)" =~ (.* |^)"users"($| .*) ]] || ! test -f /etc/NIXOS; then
+  vault_path=https://vault.int.lukegb.com
+  channelname="$(id -un)"
+  deploycmd="hosting:channel:deploy $channelname"
+  postdeploy () {
+    firebase hosting:channel:open $channelname --token="$token"
+  }
+fi

 cd $(nix-build ../.. -A web.lukegbcom)
@@ -3,3 +18,8 @@

 cd $(nix-build ../.. -A web.lukegbcom)
-exec firebase deploy
+token="$(vault read --field=token --address="$vault_path" gcp/roleset/lukegbcom-deployer/token)"
+
+firebase $deploycmd --token="$token"
+# Do it twice because sometimes it doesn't actually do anything the first time
+firebase $deploycmd --token="$token"
+postdeploy