author    EuAndreh <eu@euandre.org>  2019-05-26 11:51:51 -0300
committer EuAndreh <eu@euandre.org>  2019-05-26 11:51:51 -0300
commit    da00227813b1fbeebae8c90e2122a8b73acb1af9 (patch)
tree      edbd087c4868d78a709b1290cf241a4a439e527e /provision.sh
parent    Add 1 git-crypt collaborator (diff)
Automate provisioning and deployment of VPS
In order to perform that I had to remove Terraform's =.tfstate= files from the repository. Terraform does support "backends" for storing the state files, but I settled for storing it on a separate repo (vps-state). For now it solves the state management problem:

- it has history of states;
- all state files are GPG encrypted;
- there's no coordination however, but only the CI should perform a deploy in order to avoid race conditions.

I had to add GPG and SSH keys to sr.ht to achieve that:

- SSH public key to my profile to authorize it to push to vps-state repo;
- SSH private key to the secret builds.sr.ht environment to enable push to the repository from the pipeline;
- GPG public key to git-crypt to make it possible for the pipeline to unlock the encrypted content;
- GPG private key to the secret builds.sr.ht environment to enable decrypting git-crypt content from the pipeline.

In order to avoid divergent environment from local and CI, the ./provision.sh script is run through nix-shell.
Diffstat (limited to 'provision.sh')
-rw-r--r--  provision.sh  36
1 files changed, 36 insertions, 0 deletions
diff --git a/provision.sh b/provision.sh
new file mode 100644
index 0000000..b13be57
--- /dev/null
+++ b/provision.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+cd "${BASH_SOURCE%/*}/"
+
+echo "Unlocking git-crypt repositories and loading secrets..."
+git crypt unlock
+pushd ../vps-state/
+git crypt unlock
+popd
+source .envrc
+echo "Done.\n"
+
+alias ssh="ssh -i secrets/id_rsa root@$TLD"
+
+echo "Shutting down running containers..."
+ssh "cd /home/vps/ && docker-compose down"
+echo "Done.\n"
+
+echo "Running `terraform apply`..."
+terraform apply
+echo "Done.\n"
+
+echo "Storing .tfstate file"
+pushd ../vps-state/
+git add secrets/terraform.tfstate secrets/terraform.tfstate.backup
+git commit -m "CI: update Terraform .tfstate files"
+git push origin master
+popd
+echo "Done.\n"
+
+echo "Locking git-crypt repositories back..."
+git crypt lock
+pushd ../vps-state/
+git crypt lock
+popd
+echo "Done.\n"
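Review bot: the backticks inside the double-quoted string on the `echo "Running `terraform apply`..."` line are a command substitution, so `terraform apply` is actually executed by that echo (its output swallowed into the message) and then executed a second time on the following `terraform apply` line; single-quote it, `echo 'Running `terraform apply`...'`, so the command is only announced. Relatedly, the `alias ssh="ssh -i secrets/id_rsa root@$TLD"` line has no effect in a non-interactive script (alias expansion is off unless `shopt -s expand_aliases`), so the later `ssh "cd /home/vps/ && docker-compose down"` invokes plain ssh with that string as the hostname instead of running it on root@$TLD; define a function instead, e.g. `remote() { ssh -i secrets/id_rsa "root@$TLD" "$@"; }`. Two smaller points: bash's builtin echo prints `\n` literally, so the `echo "Done.\n"` lines should be `printf 'Done.\n\n'`, and with `set -e` a failure in `terraform apply` or `git push` exits before the final `git crypt lock` block is reached, leaving both repositories decrypted on the CI worker; register the locking with `trap '... git crypt lock ...' EXIT` right after the unlock so the secrets are re-locked on every exit path.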