lukegbcom: autodeploy using Vault

This commit is contained in:
Luke Granger-Brown 2022-04-05 22:04:32 +01:00
parent 57c5a7d1ce
commit 97a2e46eeb
5 changed files with 66 additions and 3 deletions


@ -37,7 +37,16 @@ let
nixCacheMacOSIntel = macOS "x86_64-darwin"; nixCacheMacOSIntel = macOS "x86_64-darwin";
nixCacheMacOSARM = macOS "aarch64-darwin"; nixCacheMacOSARM = macOS "aarch64-darwin";
} // (lib.mapAttrs deployStage deployMachs);
lukegbcom = {
stage = "deploy";
needs = [{ job = "nixCache"; artifacts = false; }];
tags = [ "cacher" ];
only.refs = [ "branch/default" ];
script = ''cd web/lukegbcom && ./deploy.sh'';
};
}; # // (lib.mapAttrs deployStage deployMachs);
deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs; deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs;
deployStage = machName: mach: ({ deployStage = machName: mach: ({
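Review bot: L22 leaves commented-out code behind: `}; # // (lib.mapAttrs deployStage deployMachs);` — the `lib.mapAttrs deployStage deployMachs` merge now sits on L14 (the old closing line was replaced), so the trailing comment is a stale remnant that will confuse the next reader about where the per-machine deploy jobs are attached. Drop it to plain `};`. Separately, `only.refs` on L19 is the legacy GitLab keyword; if the rest of the pipeline config uses `rules`, this job should too, but that is a consistency question I cannot settle from this hunk. The enclosing `let` block begins before the hunk and the attribute set it defines continues after it.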


@ -14,6 +14,8 @@
./servers.nix ./servers.nix
./acme-ca.nix ./acme-ca.nix
./lukegbcom-deployer.nix
]; ];
terraform = { terraform = {
@ -32,6 +34,9 @@
address = "https://vault.int.lukegb.com"; address = "https://vault.int.lukegb.com";
}; };
resource.vault_gcp_secret_backend.gcp = {
path = "gcp";
};
data.vault_generic_secret.misc = { data.vault_generic_secret.misc = {
path = "kv/misc-input"; path = "kv/misc-input";
}; };
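Review bot: `resource.vault_gcp_secret_backend.gcp` on L37–39 sets only `path`, so the backend's GCP credentials come from wherever Vault finds them by default — presumably the Vault server's own GCP identity, which I cannot confirm from here — and nothing in the config records that dependency or the leases it issues under. A reader of this file later has no way to tell whether the missing `credentials` is an omission or a deliberate choice. I would add a comment above the resource such as `# No credentials set: Vault mints Firebase tokens with its own GCP service identity (ADC) — confirm on the Vault host.` The enclosing `terraform = {` attribute set starts and ends outside the hunk.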


@ -0,0 +1,24 @@
{ ... }:
{
resource.vault_gcp_secret_roleset.lukegbcom_deployer = {
backend = "\${vault_gcp_secret_backend.gcp.path}";
roleset = "lukegbcom-deployer";
project = "lukegbcom";
secret_type = "access_token";
token_scopes = [
"https://www.googleapis.com/auth/cloud-platform"
"https://www.googleapis.com/auth/firebase"
];
binding = [{
resource = "//cloudresourcemanager.googleapis.com/projects/lukegbcom";
roles = ["roles/firebasehosting.admin"];
}];
};
my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
capabilities = ["read"]
}
'';
}
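Review bot: The policy on L63–67 is attached to the `gitlab-runner` app identity on `clouvider-lon01` as a whole, so any job that lands on that runner can read `gcp/roleset/lukegbcom-deployer/token` and obtain a `roles/firebasehosting.admin` token for the `lukegbcom` project; the restriction to one job on one branch lives only in the CI config (`only.refs`, in another file) and is not enforced by Vault. Whether that is acceptable depends on who can schedule jobs on that runner, which this hunk does not show. At minimum I would record it next to the policy: `# NOTE: every CI job on this runner can mint this token; branch/job gating is CI-side only.` The `cloud-platform` token scope on L55 is broad, but the IAM binding on L58–61 is what actually bounds the token, so that part is fine as long as the binding stays this narrow.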


@ -14,6 +14,11 @@ pkgs.stdenv.mkDerivation {
".pnp" ".pnp"
"node_modules" "node_modules"
".pnp.js" ".pnp.js"
"*.nix"
"*.sh"
"*.log"
"package.json"
"result*"
] ./.; ] ./.;
buildInputs = [ nodejs ]; buildInputs = [ nodejs ];
buildPhase = '' buildPhase = ''
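Review bot: Filtering `"package.json"` out of the source on L79 is surprising for a node build that keeps `node_modules`/`.pnp` in the same ignore list, and nothing nearby says why the build phase does not need it. If that is deliberate — the build reading its inputs from elsewhere — a one-line comment would spare the next reader a detour, e.g. `# package.json, *.nix and *.sh are dev/deploy-time only; buildPhase does not read them — confirm if the build changes.` If it is not deliberate, `buildPhase` (outside the hunk) will silently build from a tree missing its manifest. The `mkDerivation` call starts before this hunk and continues after it.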


@ -1,5 +1,25 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -p nodePackages.firebase-tools -i bash #!nix-shell -p nodePackages.firebase-tools -p vault -i bash
vault_path=unix:///run/tokend/sock
deploycmd="deploy"
postdeploy () {
return
}
if [[ "$(groups)" =~ (.* |^)"users"($| .*) ]] || ! test -f /etc/NIXOS; then
vault_path=https://vault.int.lukegb.com
channelname="$(id -un)"
deploycmd="hosting:channel:deploy $channelname"
postdeploy () {
firebase hosting:channel:open $channelname --token="$token"
}
fi
cd $(nix-build ../.. -A web.lukegbcom) cd $(nix-build ../.. -A web.lukegbcom)
exec firebase deploy token="$(vault read --field=token --address="$vault_path" gcp/roleset/lukegbcom-deployer/token)"
firebase $deploycmd --token="$token"
# Do it twice because sometimes it doesn't actually do anything the first time
firebase $deploycmd --token="$token"
postdeploy
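Review bot: The Vault-minted Firebase admin token is passed on the command line on L100, L105 and L107 (`--token="$token"`), so for the lifetime of each `firebase` run it is readable by any other local user via `ps` or `/proc/<pid>/cmdline`, and it will appear in the CI job log if the shell is ever traced. firebase-tools documents a `FIREBASE_TOKEN` environment variable for exactly this case; exporting the token once and dropping the `--token` flags keeps it out of the process table. The script also has no `set -euo pipefail`, so if `vault read` on L104 fails, `token` is empty and both deploys run anyway, and if `cd $(nix-build …)` on L103 fails the deploy runs from the source directory instead of the built site; add `set -euo pipefail` after the shebang lines and quote the `cd "$(nix-build ../.. -A web.lukegbcom)"`. The unchecked second deploy on L107 ("sometimes it doesn't actually do anything") would then at least stop on a real failure rather than masking it.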