| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
It wasn't trivial to configure: Ansible tried to work on /homeless-shelter :facepalm:
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This way we make sure the =shell= derivation always builds, instead of seeing
these kinds of failure during CI runs when it's trying to deploy.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This derivation sources =.envrc= and it's output can potentially leak secret
environment variables from it.
|
| |
|
|
|
|
|
| |
Add gitMinimal package to baseTasks to allow any derivation to =source .envrc=
freely.
dockerComposeLint sources it to properly lint the file that will be ran.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Instead of adding them to the =packages= section of .build.yml.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to perform that I had to remove Terraform's =.tfstate= files from the
repository. Terraform does support "backends" for storing the state files, but I
settled for storing it on a separate repo (vps-state).
For now it solves the state management problem:
- it has history of states;
- all state files are GPG encrypted;
- there's no coordination however, but only the CI should perform a deploy in
order to avoid race conditions.
I had to add GPG and SSH keys to sr.ht to achieve that:
- SSH public key to my profile to authorize it to push to vps-state repo;
- SSH private key to the secret builds.sr.ht environment to enable push to the
repository from the pipeline;
- GPG public key to git-crypt to make it possible for the pipeline to unlock the
encrypted content;
- GPG private key to the secret builds.sr.ht environment to enable decrypting
git-crypt content from the pipeline.
In order to avoid divergent environment from local and CI, the ./provision.sh
script is ran through nix-shell.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
