Commit 7bf15d81 authored by lukegb's avatar lukegb
Browse files

lukegbcom: autodeploy using Vault

parent 78bbce164a2a
Pipeline #1379 failed with stages
in 9 seconds
......@@ -37,7 +37,16 @@
nixCacheMacOSIntel = macOS "x86_64-darwin";
nixCacheMacOSARM = macOS "aarch64-darwin";
} // (lib.mapAttrs deployStage deployMachs);
lukegbcom = {
stage = "deploy";
needs = [{ job = "nixCache"; artifacts = false; }];
tags = [ "cacher" ];
only.refs = [ "branch/default" ];
script = ''cd web/lukegbcom && ./deploy.sh'';
};
}; # // (lib.mapAttrs deployStage deployMachs);
deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs;
deployStage = machName: mach: ({
......
......@@ -14,6 +14,8 @@
./servers.nix
./acme-ca.nix
./lukegbcom-deployer.nix
];
terraform = {
......@@ -32,6 +34,9 @@
address = "https://vault.int.lukegb.com";
};
resource.vault_gcp_secret_backend.gcp = {
path = "gcp";
};
data.vault_generic_secret.misc = {
path = "kv/misc-input";
};
......
{ ... }:
{
resource.vault_gcp_secret_roleset.lukegbcom_deployer = {
backend = "\${vault_gcp_secret_backend.gcp.path}";
roleset = "lukegbcom-deployer";
project = "lukegbcom";
secret_type = "access_token";
token_scopes = [
"https://www.googleapis.com/auth/cloud-platform"
"https://www.googleapis.com/auth/firebase"
];
binding = [{
resource = "//cloudresourcemanager.googleapis.com/projects/lukegbcom";
roles = ["roles/firebasehosting.admin"];
}];
};
my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
capabilities = ["read"]
}
'';
}
......@@ -14,6 +14,11 @@
".pnp"
"node_modules"
".pnp.js"
"*.nix"
"*.sh"
"*.log"
"package.json"
"result*"
] ./.;
buildInputs = [ nodejs ];
buildPhase = ''
......
#!/usr/bin/env nix-shell
#!nix-shell -p nodePackages.firebase-tools -i bash
#!nix-shell -p nodePackages.firebase-tools -p vault -i bash
vault_path=unix:///run/tokend/sock
deploycmd="deploy"
postdeploy () {
return
}
if [[ "$(groups)" =~ (.* |^)"users"($| .*) ]] || ! test -f /etc/NIXOS; then
vault_path=https://vault.int.lukegb.com
channelname="$(id -un)"
deploycmd="hosting:channel:deploy $channelname"
postdeploy () {
firebase hosting:channel:open $channelname --token="$token"
}
fi
cd $(nix-build ../.. -A web.lukegbcom)
......@@ -3,3 +18,8 @@
cd $(nix-build ../.. -A web.lukegbcom)
exec firebase deploy
token="$(vault read --field=token --address="$vault_path" gcp/roleset/lukegbcom-deployer/token)"
firebase $deploycmd --token="$token"
# Do it twice because sometimes it doesn't actually do anything the first time
firebase $deploycmd --token="$token"
postdeploy
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment