From da00227813b1fbeebae8c90e2122a8b73acb1af9 Mon Sep 17 00:00:00 2001 From: EuAndreh Date: Sun, 26 May 2019 11:51:51 -0300 Subject: Automate provisioning and deployment of VPS In order to perform that I had to remove Terraform's =.tfstate= files from the repository. Terraform does support "backends" for storing the state files, but I settled for storing it on a separate repo (vps-state). For now it solves the state management problem: - it has history of states; - all state files are GPG encrypted; - there's no coordination however, but only the CI should perform a deploy in order to avoid race conditions. I had to add GPG and SSH keys to sr.ht to achieve that: - SSH public key to my profile to authorize it to push to vps-state repo; - SSH private key to the secret builds.sr.ht environment to enable push to the repository from the pipeline; - GPG public key to git-crypt to make it possible for the pipeline to unlock the encrypted content; - GPG private key to the secret builds.sr.ht environment to enable decrypting git-crypt content from the pipeline. In order to avoid divergent environment from local and CI, the ./provision.sh script is ran through nix-shell. --- default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'default.nix') diff --git a/default.nix b/default.nix index c7c5bc4..67830e2 100644 --- a/default.nix +++ b/default.nix @@ -95,8 +95,9 @@ with pkgs.stdenv; rec { touch $out ''; }); + # Used in .build.yml to run ./provision.sh shell = mkShell rec { name = "vps-shell"; - buildInputs = [ nixfmt terraform-full ]; + buildInputs = [ terraform terraform-providers.digitalocean git-crypt ]; }; } -- cgit v1.2.3