From 978f0453781bf77f8542485ad94b7a1877c71c85 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Wed, 15 Feb 2023 01:29:03 +0000
Subject: [PATCH] flipperzero-firmware.upload: use vault to fetch service account token
---
 nix/pkgs/flipperzero-firmware/default.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/nix/pkgs/flipperzero-firmware/default.nix b/nix/pkgs/flipperzero-firmware/default.nix
index 071f15188d..8817cda867 100644
--- a/nix/pkgs/flipperzero-firmware/default.nix
+++ b/nix/pkgs/flipperzero-firmware/default.nix
@@ -106,8 +106,18 @@ pkgs.stdenvNoCC.mkDerivation rec {
 firmware = depot.nix.pkgs.flipperzero-firmware;
 in pkgs.writeShellApplication {
 name = "upload-f0";
- runtimeInputs = [ pkgs.google-cloud-sdk ];
+ runtimeInputs = [ pkgs.google-cloud-sdk pkgs.vault ];
 text = ''
+ vault_path=unix:///run/tokend/sock
+
+ if [[ "$(groups)" =~ (.* |^)"users"($| .*) ]] || ! test -f /etc/NIXOS; then
+ vault_path=https://vault.int.lukegb.com
+ fi
+
+ echo "Fetching token from Vault at $vault_path..."
+ token="$(vault read --field=token --address="$vault_path" gcp/roleset/lukegbcom-deployer/token)"
+ export CLOUDSDK_AUTH_ACCESS_TOKEN="$token"
+
 echo "Uploading ${firmware.version}"
 gcloud storage cp "${firmware}/f7-C/*-update-*.tgz" "gs://lukegb-flipperzero/${firmware.name}.tgz"
 '';
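Review bot: The added `export CLOUDSDK_AUTH_ACCESS_TOKEN="$token"` places the deployer access token in the environment of every process the script starts from that point on, although only the `gcloud storage cp` call consumes it; dropping the export and prefixing that one command, `CLOUDSDK_AUTH_ACCESS_TOKEN="$token" gcloud storage cp …`, scopes the credential to its single consumer. A cheap guard right after the `vault read` line, `[[ -n "$token" ]] || { echo "empty token from Vault" >&2; exit 1; }`, would also stop the upload if the field ever comes back empty, since gcloud presumably falls back to the ambient account in that case and the copy would run under a different identity than intended. The address selection would benefit from a one-line comment such as `# interactive users talk to Vault directly; machines use the local tokend socket`; that reading is inferred from the `users` group test and the `/etc/NIXOS` check, so the author should confirm it.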