aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.build.yml2
-rw-r--r--[l---------].envrc38
-rw-r--r--.gitignore10
-rw-r--r--ansible.cfg2
-rw-r--r--generated/.gitignore2
-rw-r--r--provision.yaml6
-rwxr-xr-xscripts/box/user-data.env.sh (renamed from user-data.env.sh)0
-rwxr-xr-xscripts/ci/deploy.sh (renamed from scripts/ci/provision.sh)44
-rwxr-xr-xscripts/ci/mail.sh9
-rwxr-xr-xscripts/ci/setup.sh24
-rwxr-xr-xscripts/local/rotate-ssh-keys.sh (renamed from rotate-ssh-keys.sh)1
-rw-r--r--secrets/envrc.shbin2772 -> 0 bytes
-rw-r--r--secrets/secret-envrc.shbin0 -> 2537 bytes
-rw-r--r--ssh.env.conf2
-rw-r--r--vps.tf2
15 files changed, 72 insertions, 70 deletions
diff --git a/.build.yml b/.build.yml
index b2cc924..87f463c 100644
--- a/.build.yml
+++ b/.build.yml
@@ -20,4 +20,4 @@ tasks:
nix-build -A test
- deploy: |
cd vps/
- ./scripts/ci/provision.sh
+ ./scripts/ci/deploy.sh
diff --git a/.envrc b/.envrc
index c488fc8..6c6861e 120000..100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,37 @@
-secrets/envrc.sh \ No newline at end of file
+#!/usr/bin/env bash
+set -Eeuo pipefail
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+#
+# Operational toggle
+#
+export DESTROY_VOLUME=1
+
+#
+# Variables defined by commands
+#
+VPS_COMMIT_SHA="$(git rev-parse HEAD)"
+export VPS_COMMIT_SHA
+SSH_SERVER_PRIVATE_KEY="$(cat ./secrets/ssh/vps-box-server)"
+export SSH_SERVER_PRIVATE_KEY
+SSH_SERVER_PUBLIC_KEY="$(cat ./secrets/ssh/vps-box-server.pub)"
+export SSH_SERVER_PUBLIC_KEY
+# Used for keeping bash variables for run-time substituion instead of execution time substitution.
+# Taken from:
+# https://stackoverflow.com/questions/24963705/is-there-an-escape-character-for-envsubst
+export DOLLAR='$'
+
+#
+# docker-compose
+#
+export VOLUME_HOME="/home/vps/volumes"
+
+#
+# Nix
+#
+# Use the same $NIX_PATH as in the CI
+# See also:
+# https://discourse.nixos.org/t/inconsistent-hash-of-buildgomodule/3127/4
+export NIX_PATH=nixpkgs=channel:nixos-unstable
+
+source ./secrets/secret-envrc.sh \ No newline at end of file
diff --git a/.gitignore b/.gitignore
index c7dd6ca..a7e698a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,18 +1,8 @@
# Terraform
/.terraform/
-/terraform-provider-godaddy
# Nix
/result
-# Template files
-/docker-compose.yaml
-/cloud-config.yaml
-/hosts
-/user-data.sh
-/scripts/box/create-backup.sh
-/scripts/box/restore-backup.sh
-/generated-known-hosts.txt
-
# Logs
/logs.txt
diff --git a/ansible.cfg b/ansible.cfg
index a8518f7..4b7160e 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,3 +1,3 @@
[defaults]
-inventory = ./hosts
+inventory = ./generated/hosts
retry_files_enabled = False \ No newline at end of file
diff --git a/generated/.gitignore b/generated/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/generated/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/provision.yaml b/provision.yaml
index 9137a09..801c010 100644
--- a/provision.yaml
+++ b/provision.yaml
@@ -29,13 +29,13 @@
- name: Copy local interpolated files to remote
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }}
with_items:
- - { src: './scripts/box/create-backup.sh', dest: '/home/vps/create-backup.sh', mode: '500' }
- - { src: './scripts/box/restore-backup.sh', dest: '/home/vps/restore-backup.sh', mode: '500' }
+ - { src: './generated/create-backup.sh', dest: '/home/vps/create-backup.sh', mode: '500' }
+ - { src: './generated/restore-backup.sh', dest: '/home/vps/restore-backup.sh', mode: '500' }
- { src: './secrets/borg/borg-remote.pub', dest: '/root/.ssh/id_rsa.pub', mode: '400' }
- { src: './secrets/borg/borg-remote', dest: '/root/.ssh/id_rsa', mode: '400' }
- { src: './secrets/borg/known-hosts.txt', dest: '/root/.ssh/known_hosts', mode: '400' }
- { src: './scripts/box/bash-profile.sh', dest: '/root/.bash_profile', mode: '400' }
- - { src: './docker-compose.yaml', dest: '/home/vps/docker-compose.yaml', mode: '400' }
+ - { src: './generated/docker-compose.yaml', dest: '/home/vps/docker-compose.yaml', mode: '400' }
- name: Restore borg backup when we have a fresh volume
shell: /home/vps/restore-backup.sh
when: lookup('env', 'DESTROY_VOLUME') == "1"
diff --git a/user-data.env.sh b/scripts/box/user-data.env.sh
index f9da5d7..f9da5d7 100755
--- a/user-data.env.sh
+++ b/scripts/box/user-data.env.sh
diff --git a/scripts/ci/provision.sh b/scripts/ci/deploy.sh
index d96d854..7fcfda7 100755
--- a/scripts/ci/provision.sh
+++ b/scripts/ci/deploy.sh
@@ -5,14 +5,10 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
-VPS_COMMIT_SHA="$(git rev-parse HEAD)"
-export VPS_COMMIT_SHA
-gpg --import "${GPG_TO}.gpg"
-
mail_debug_log() {
local -r ec="${?}"
echo "Sending logs via email..."
- ./scripts/ci/mail.sh "${VPS_COMMIT_SHA}" "${ec}"
+ ./scripts/ci/mail.sh "${ec}"
echo "Done."
echo "Storing file changes to '.tfstate' files..."
@@ -26,26 +22,18 @@ mail_debug_log() {
trap mail_debug_log EXIT
create_known_hosts_file() {
- echo "${TLD},$(terraform output public_floating_ip) ssh-rsa $(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" > ./generated-known-hosts.txt
-}
-
-setup_borg_files() {
- local -r template_file="${1}"
- local -r destination_name="${2}"
- scp ./secrets/borg/borg-remote.pub "$TLD":/root/.ssh/id_rsa.pub
- scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa
- scp ./secrets/borg/known-hosts.txt "$TLD":/root/.ssh/known_hosts
- ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'
- # shellcheck disable=SC2029
- envsubst < "${template_file}" | ssh "$TLD" "cat > /home/vps/${destination_name} && chmod +x /home/vps/${destination_name}"
- # shellcheck disable=SC2029
- ssh "$TLD" "chmod +x /home/vps/${destination_name}"
+ echo "${TLD},$(terraform output public_floating_ip) ssh-rsa $(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" > ./generated/generated-known-hosts.txt
}
echo "Shutting down running containers and backing up data..."
create_known_hosts_file
ssh "$TLD" "cd /home/vps/ && docker-compose down"
-setup_borg_files ./scripts/box/create-backup.env.sh create-backup.sh
+scp ./secrets/borg/borg-remote.pub "$TLD":/root/.ssh/id_rsa.pub
+scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa
+scp ./secrets/borg/known-hosts.txt "$TLD":/root/.ssh/known_hosts
+scp ./generated/create-backup.sh "$TLD":/home/vps/create-backup.sh
+ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'
+ssh "$TLD" "chmod +x /home/vps/create-backup.sh"
ssh "$TLD" /home/vps/create-backup.sh > ./logs/borg-create.txt 2>&1
echo "Done."
@@ -64,31 +52,31 @@ echo "Done."
echo "Running 'terraform plan' and storing the planfile..."
mkdir -p "../vps-state/secrets/plan-files/"
-PLAN_FILE_NAME="$(date -Iseconds)-$VPS_COMMIT_SHA.tfplan"
-PLAN_FILE_PATH="../vps-state/secrets/plan-files/$PLAN_FILE_NAME"
-terraform plan -input=false -out="$PLAN_FILE_PATH" > ./logs/terraform-plan.txt 2>&1
+PLAN_FILE_NAME="$(date -Iseconds)-${VPS_COMMIT_SHA}.tfplan"
+PLAN_FILE_PATH="../vps-state/secrets/plan-files/${PLAN_FILE_NAME}"
+terraform plan -input=false -out="${PLAN_FILE_PATH}" > ./logs/terraform-plan.txt 2>&1
pushd ../vps-state/
-git add "secrets/plan-files/$PLAN_FILE_NAME"
-git commit -m "CI: add .tfplan plan file for CI run $VPS_COMMIT_SHA"
+git add "secrets/plan-files/${PLAN_FILE_NAME}"
+git commit -m "CI: add .tfplan plan file for CI run ${VPS_COMMIT_SHA}"
git push origin master
popd
echo "Done."
echo "Running 'terraform apply'..."
-terraform apply -input=false -auto-approve "$PLAN_FILE_PATH" > ./logs/terraform-apply.txt 2>&1
+terraform apply -input=false -auto-approve "${PLAN_FILE_PATH}" > ./logs/terraform-apply.txt 2>&1
echo "Done."
echo "Storing .tfstate file..."
pushd ../vps-state/
git add secrets/terraform.tfstate secrets/terraform.tfstate.backup
-git commit -m "CI: update Terraform .tfstate files for CI run $VPS_COMMIT_SHA"
+git commit -m "CI: update Terraform .tfstate files for CI run ${VPS_COMMIT_SHA}"
git push origin master
popd
echo "Done."
echo "Running the Ansible playbook..."
create_known_hosts_file
-ansible-playbook -vvv provision.yaml > ./logs/ansible.txt
+ansible-playbook -v provision.yaml > ./logs/ansible.txt 2>&1
echo "Done."
echo "Locking git-crypt repositories back..."
diff --git a/scripts/ci/mail.sh b/scripts/ci/mail.sh
index 7058233..29420fa 100755
--- a/scripts/ci/mail.sh
+++ b/scripts/ci/mail.sh
@@ -3,14 +3,7 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
-VPS_COMMIT_SHA="${1:-}"
-EXIT_CODE="${2:-}"
-
-[[ -z "${VPS_COMMIT_SHA}" ]] && {
- # shellcheck disable=SC2016
- echo 'Error: missing $VPS_COMMIT_SHA positional argument.'
- exit 2
-}
+EXIT_CODE="${1:-}"
[[ -z "${EXIT_CODE}" ]] && {
# shellcheck disable=SC2016
diff --git a/scripts/ci/setup.sh b/scripts/ci/setup.sh
index d9ac70c..84958d0 100755
--- a/scripts/ci/setup.sh
+++ b/scripts/ci/setup.sh
@@ -6,7 +6,7 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
echo "Unlocking git-crypt repos and configuring git..."
-git config --global user.email "ci@euandre.org"
+git config --global user.email "${GIT_CI_USER}"
git config --global user.name "sr.ht CI"
git crypt unlock
@@ -17,25 +17,17 @@ git remote set-url origin git@git.sr.ht:~euandreh/vps-state
popd
echo "Done."
+gpg --import "${GPG_TO}.gpg"
+
# git smudge after git-crypt clears file permissions
chmod 400 ./secrets/ssh/vps-box-client
cat .envrc >> ~/.buildenv
source .envrc
-SSH_SERVER_PRIVATE_KEY="$(cat ./secrets/ssh/vps-box-server)"
-export SSH_SERVER_PRIVATE_KEY
-SSH_SERVER_PUBLIC_KEY="$(cat ./secrets/ssh/vps-box-server.pub)"
-export SSH_SERVER_PUBLIC_KEY
-
-# Used for keeping bash variables for run-time substituion instead of execution time substitution.
-# Taken from:
-# https://stackoverflow.com/questions/24963705/is-there-an-escape-character-for-envsubst
-export DOLLAR='$'
-
envsubst < ./ssh.env.conf >> ~/.ssh/config
-envsubst < ./hosts.env > ./hosts
-envsubst < ./docker-compose.env.yaml > ./docker-compose.yaml
-envsubst < ./user-data.env.sh > ./user-data.sh
-envsubst < ./scripts/box/create-backup.env.sh > ./scripts/box/create-backup.sh
-envsubst < ./scripts/box/restore-backup.env.sh > ./scripts/box/restore-backup.sh
+envsubst < ./hosts.env > ./generated/hosts
+envsubst < ./docker-compose.env.yaml > ./generated/docker-compose.yaml
+envsubst < ./scripts/box/user-data.env.sh > ./generated/user-data.sh
+envsubst < ./scripts/box/create-backup.env.sh > ./generated/create-backup.sh
+envsubst < ./scripts/box/restore-backup.env.sh > ./generated/restore-backup.sh
diff --git a/rotate-ssh-keys.sh b/scripts/local/rotate-ssh-keys.sh
index 7189657..337f351 100755
--- a/rotate-ssh-keys.sh
+++ b/scripts/local/rotate-ssh-keys.sh
@@ -1,6 +1,7 @@
#!/usr/bin/env bash
set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
+cd ../../
rm -f ./secrets/ssh/*
ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-client
diff --git a/secrets/envrc.sh b/secrets/envrc.sh
deleted file mode 100644
index 1389181..0000000
--- a/secrets/envrc.sh
+++ /dev/null
Binary files differ
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
new file mode 100644
index 0000000..3382e8f
--- /dev/null
+++ b/secrets/secret-envrc.sh
Binary files differ
diff --git a/ssh.env.conf b/ssh.env.conf
index 6a7ba03..be34b28 100644
--- a/ssh.env.conf
+++ b/ssh.env.conf
@@ -1,7 +1,7 @@
Host $TLD
User root
IdentityFile $PWD/secrets/ssh/vps-box-client
- UserKnownHostsFile $PWD/generated-known-hosts.txt
+ UserKnownHostsFile $PWD/generated/generated-known-hosts.txt
Port $SSH_PORT
Host git.sr.ht
StrictHostKeyChecking no
diff --git a/vps.tf b/vps.tf
index badc698..a329bcf 100644
--- a/vps.tf
+++ b/vps.tf
@@ -37,7 +37,7 @@ resource "digitalocean_droplet" "vps" {
ipv6 = true
monitoring = true
- user_data = "${file("${path.module}/user-data.sh")}"
+ user_data = "${file("${path.module}/generated/user-data.sh")}"
ssh_keys = [
"${digitalocean_ssh_key.client.fingerprint}",
generated by cgit v1.2.3 (git 2.49.0) at 2025-07-12 23:14:34 +0000