Periodic/system-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[SiriusA] Sets up webhooks for deployment

Browse Source
This commit is contained in:
Drew Haven
2026-05-18 15:23:10 -07:00
parent 209bb054c4
commit 6f94becc22
7 changed files with 159 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
.sops.yaml
View File

@@ -6,12 +6,12 @@ keys:
creation_rules: creation_rules:
- path_regex: secrets/mcp.yaml - path_regex: secrets/mcp.yaml
key_groups: key_groups:
- age: - age:
- *drew_vega - *drew_vega
- *drew_mcp - *drew_mcp
- *server_mcp - *server_mcp
- path_regex: secrets/mcp.yaml - path_regex: secrets/sirius.yaml
key_groups: key_groups:
- age: - age:
- *drew_vega - *drew_vega
- *server_mcp - *server_mcp

26
secrets/sirius.yaml Normal file
View File

@@ -0,0 +1,26 @@
webhook:
deploy-key: ENC[AES256_GCM,data:Gd+cCNmWI/SCab8dnXnWxXFTT7EBAi9LTJVLVF/+ouCn7dI5LE0Ndwq8KVadNEbDPE3LFXAgylpzRIJawWd5saAXPAw5HtrcBgGZDN9ehebAPWNzrGpy4pVgwak6ByQ04Y13PaBK9vG8OR3wG8yQqcZLrdk5TWdYPZ8Q2mdcl3hgItEJMBuOeYMBFiMyBdvbYPQixi9dF21owBjHQr5oZjWzDAS3V+X46Qgq5LYLr74BSYpBQzs/yEOi9CV4H39hdYmFyyPzgSiJljnH2E56iahScQfuQuwqHHdtHGmLYz9CxnHnUGvdzqC8PCu8T8zUuq8qwtbF6+UVISYwhjWmNLq7zUTabLhFjafqQcqdd9PcMMoNhSNQsTVfM0vYrpdfiot3u5AD7HGrORY1WWE71i8CQ7ETO28gsfJB8fWX7s+/FNFNau6fcMw1TCkt+qhnon5zS/OwmFG4596vCTyQ0CVCnHeQDiaqdexJVrVS7w1gROrI266fBPLH0yaSri/ps72A,iv:itchCa14rgALz5Gurm9dh+nWvz0pGi0EFtUlF+Jh3pU=,tag:ucrpJbZmPf9z5x5bHUXnRQ==,type:str]
sops:
age:
- recipient: age1dstsz5g4qthwt2sssu5wp787ku7rnfqm02mqaefsaueswhvqzpmsyft4p4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ellCLzVCdmFtN0grU3FO
Y3BEOW53ejVZZjlYWFNmOG4yUHB5MUV2UUhzCnZ6UTQ2VXVXZFp4MzgzRE1xdGJk
Z0VrTytJeXdQYzFCbkFHUWFVSXA5ZjAKLS0tIEo4UjJvMGlxcjdEcFBhYXNlMEli
MysyWkdHZ09lV29mMnJoUnRTNVU4bXMKSkL3VBnBTqrLpG3fuiDTCPNZTFWZbJEW
VLwB6g/K3b573MgfXGCCPs9nwdDurqpz0zxB4pEBl0N6fU2CwqAxqQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrk4h7x4qzhr6z5m4d099mlfyjc4n5n9s52r4gfsdz0slnqlqa9sss735v
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWDJZQ2ZESkltQjFHRHpI
cXU0WFo1aFJrT2VTNlFTY2s5T0gxSWRoa0F3Ck9tVnFtZ3c4T0tWQTNhYXRrU3Ri
dFRrcWp3VnRPRDc5Y3JZZ1U1SDNSbXMKLS0tIFFqMUdNU3VFODhMdmJZN0ZuZGgz
Z2JFS25iM3YvaVh0L3JkRk5DODZwZzgKg8C2kboc7EojVva+8KWW+pVhSbovwHp9
noZ68vZ8NxsBP3CNFBBN1xKT7gQduShUcmSQUQizZ6fxtxO+GLy4Pg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-18T22:16:11Z"
mac: ENC[AES256_GCM,data:+/cn2b06HsQ23UL4YyTa51eepBelypcfBCVrG9a6HWhuX0KMpi9bn55IuZ6VbyN2uGc5+yCJcQBtAPm4+Mdi9UdGAWoePYIvQwu6ct12xIOLBF4P7eDRwjlWykANF9/jWFoPfd/hu+LiM2Ow09RTZTnExgAjYiCrq7YJRTrjIfU=,iv:ODluo/RXmSu7PzzXS/ZnFNMzUOjcrCpkzHoAviCNDUU=,tag:2LW9hIP6dq23/coQbTLOww==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

9
system/hosts/mcp/README.md
View File

@@ -1,3 +1,10 @@
# mcp # mcp
Configuration for the MCP server Configuration for the MCP server.
## Sops
```bash
nix-shell -p sops --run "sops secrets/mcp.yaml"
```

9
system/hosts/sirius-a/README.md Normal file
View File

@@ -0,0 +1,9 @@
# Sirius
The brightest star in the sky.
## Sops
```bash
nix-shell -p sops --run "sops secrets/sirius.yaml"
```

2
system/hosts/sirius-a/configuration.nix
View File

@@ -6,6 +6,8 @@
{ {
imports = [ imports = [
./gandicloud.nix ./gandicloud.nix
./sops.nix
./webhooks.nix
]; ];
networking = { networking = {

14
system/hosts/sirius-a/sops.nix Normal file
View File

@@ -0,0 +1,14 @@
_: {
### Secrets
sops = {
defaultSopsFile = ../../../secrets/sirius.yaml;
age = {
# Use the host key for sops
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Where to store the key
keyFile = "/var/lib/sops-nix/key.txt";
# Generate the key if it doesn't exist
generateKey = true;
};
};
}

92
system/hosts/sirius-a/webhooks.nix Normal file
View File

@@ -0,0 +1,92 @@
{ config, pkgs, ... }:
let
gitKnownHosts = pkgs.writeText "known_hosts" ''
[git.blazestar.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDSikNAZDAbdQ5TA6Eg95FBM3sdPfAfghG+n56akCal8XXV/vOnXgqfeDASfXVOu+PZqCHnpGTxsym7hf2naFC0enznhS2sqahdQKKcsHvSfyQxpYFYyB2Zp8YDbnbRNGl2SbnqOajzk1SxJrJ0fFXmfrRIMnGNz+uFtIqc+T52CM051nd5Gj3f9a8xCwg7hedvSCynobsW9IOCmCc9rZ99TRd+m0kO74pUbgVqLv/+aSuW40K1uCkKgyh6PQsmkZd5GY0URwoJvLZauZLSPxl6DEU6lYz8S/hPrTP/e6fOPZsavQBYC+3Q/akoFnY+qlKgWLQy/Om6hz0EfYuuzNPRhf1jaGKjHgEri1f3OMgXcRMvjovRgbbu0JRGANmN8FMe20S4AAvbxmsQdQci+QcXZPDPbcmT3XJv8e8p4HNQyLxHyh0u9dLBE2ccTv5gdf/6iZy6WXlYEf1UAKC2lExRuKBV3lrnuyHhOj+iL09gUMYFuIyHuX2Hsw9yKZbO8J2+STNIVQfAJ0Upa2cJ33a6RlOxGiHXi4UbZTPguNgQaQdM0CuklVTynBfWr1Hfd8c8hVtT+HLz+XOU2Nrmgq90/w7g7mo5JxXHkcfBlqlXKONTkDUG3KHbwKtQNVC6l3bhpvPc32Mys6e7JeWnrb1zXojopnPvoct54qDVlwc5xQ==
'';
deployNpmApp =
with pkgs;
writeShellApplication {
name = "build-npm-app";
runtimeInputs = [
openssh
gitFull
nodejs_22
bashNonInteractive
rsync
];
text = ''
set -e
echo "Deploying in $(pwd) as $(id)"
OUTPUT_DIR="./$(date --utc --iso-8601=seconds)"
echo "Deploying into $OUTPUT_DIR"
export GIT_SSH_COMMAND='ssh -v -o "UserKnownHostsFile ${gitKnownHosts}" -i "${
config.sops.secrets."webhook/deploy-key".path
}"'
# Disable astro telemetry otherwise it will try to write to `~/.config/astro/config.json`
export ASTRO_TELEMETRY_DISABLED=1
# Fetch the repository and make sure we are reset to HEAD
git fetch origin main
git reset --hard
git checkout main
git reset --hard origin/main
# Use a local cache with --cache .npm
npm ci --cache .npm
npm run build -- --outDir "$OUTPUT_DIR"
echo "Activating $OUTPUT_DIR"
# Trailing slash on source to only copy contents, not the directory itself
rsync --archive --delete "$OUTPUT_DIR"/ deployed
echo "Deployment complete"
'';
};
in
{
sops.secrets = {
"webhook/deploy-key" = {
restartUnits = [ "webhook.service" ];
owner = config.users.users.webhook.name;
};
};
services.webhook =
let
trigger-rule = {
or = [
{
match = {
type = "payload-hmac-sha1";
secret = "mysecret";
parameter = {
source = "header";
name = "X-Hub-Signature";
};
};
}
];
};
in
{
enable = true;
verbose = true;
port = 9000;
openFirewall = true;
hooks = {
"deploy-blazestar-net" = {
id = "deploy-blazestar-net";
http-methods = [ "POST" ];
command-working-directory = "/web/blazestar.net";
include-command-output-in-response-on-error = true;
execute-command = "${deployNpmApp}/bin/build-npm-app";
trigger-rule-mismatch-http-response-code = 400;
inherit trigger-rule;
};
};
};
}