From 97cd002bf52df5c8f87a72eb1ff79ae295dee9f4 Mon Sep 17 00:00:00 2001
From: Drew Haven
Date: Mon, 18 May 2026 15:23:10 -0700
Subject: [PATCH] [SiriusA] Sets up webhooks for deployment
---
 .sops.yaml | 16 ++---
 secrets/sirius.yaml | 26 +++++++
 system/hosts/mcp/README.md | 9 ++-
 system/hosts/sirius-a/README.md | 9 +++
 system/hosts/sirius-a/configuration.nix | 2 +
 system/hosts/sirius-a/default.nix | 3 +-
 system/hosts/sirius-a/sops.nix | 14 ++++
 system/hosts/sirius-a/webhooks.nix | 92 +++++++++++++++++++++++++
 8 files changed, 161 insertions(+), 10 deletions(-)
 create mode 100644 secrets/sirius.yaml
 create mode 100644 system/hosts/sirius-a/README.md
 create mode 100644 system/hosts/sirius-a/sops.nix
 create mode 100644 system/hosts/sirius-a/webhooks.nix
diff --git a/.sops.yaml b/.sops.yaml
index 77d8b57..7414989 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,12 +6,12 @@ keys:
 creation_rules:
 - path_regex: secrets/mcp.yaml
 key_groups:
- - age:
- - *drew_vega
- - *drew_mcp
- - *server_mcp
- - path_regex: secrets/mcp.yaml
+ - age:
+ - *drew_vega
+ - *drew_mcp
+ - *server_mcp
+ - path_regex: secrets/sirius.yaml
 key_groups:
- - age:
- - *drew_vega
- - *server_mcp
+ - age:
+ - *drew_vega
+ - *server_mcp
diff --git a/secrets/sirius.yaml b/secrets/sirius.yaml
new file mode 100644
index 0000000..800bc74
--- /dev/null
+++ b/secrets/sirius.yaml
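Review bot: The new `secrets/sirius.yaml` rule encrypts only to `*drew_vega` and `*server_mcp`, so if `*server_mcp` is the mcp host's key, as its name suggests, sirius-a has no recipient it can decrypt with, and the sirius deploy key is readable by a different host than the one that needs it. The anchors are defined in the `keys:` block above the hunk, so this cannot be confirmed here; the two `age1…` recipients in the `secrets/sirius.yaml` hunk are the place to check. The expected shape is an anchor for sirius-a's own host key (e.g. `*server_sirius`, name constructed) listed in the sirius rule in place of `- *server_mcp`, so that each secrets file is decryptable only by the host that consumes it.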
@@ -0,0 +1,26 @@
+webhook:
+ deploy-key: ENC[AES256_GCM,data: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,iv:itchCa14rgALz5Gurm9dh+nWvz0pGi0EFtUlF+Jh3pU=,tag:ucrpJbZmPf9z5x5bHUXnRQ==,type:str]
+sops:
+ age:
+ - recipient: age1dstsz5g4qthwt2sssu5wp787ku7rnfqm02mqaefsaueswhvqzpmsyft4p4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ellCLzVCdmFtN0grU3FO
+ Y3BEOW53ejVZZjlYWFNmOG4yUHB5MUV2UUhzCnZ6UTQ2VXVXZFp4MzgzRE1xdGJk
+ Z0VrTytJeXdQYzFCbkFHUWFVSXA5ZjAKLS0tIEo4UjJvMGlxcjdEcFBhYXNlMEli
+ MysyWkdHZ09lV29mMnJoUnRTNVU4bXMKSkL3VBnBTqrLpG3fuiDTCPNZTFWZbJEW
+ VLwB6g/K3b573MgfXGCCPs9nwdDurqpz0zxB4pEBl0N6fU2CwqAxqQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jrk4h7x4qzhr6z5m4d099mlfyjc4n5n9s52r4gfsdz0slnqlqa9sss735v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWDJZQ2ZESkltQjFHRHpI
+ cXU0WFo1aFJrT2VTNlFTY2s5T0gxSWRoa0F3Ck9tVnFtZ3c4T0tWQTNhYXRrU3Ri
+ dFRrcWp3VnRPRDc5Y3JZZ1U1SDNSbXMKLS0tIFFqMUdNU3VFODhMdmJZN0ZuZGgz
+ Z2JFS25iM3YvaVh0L3JkRk5DODZwZzgKg8C2kboc7EojVva+8KWW+pVhSbovwHp9
+ noZ68vZ8NxsBP3CNFBBN1xKT7gQduShUcmSQUQizZ6fxtxO+GLy4Pg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-05-18T22:16:11Z"
+ mac: ENC[AES256_GCM,data:+/cn2b06HsQ23UL4YyTa51eepBelypcfBCVrG9a6HWhuX0KMpi9bn55IuZ6VbyN2uGc5+yCJcQBtAPm4+Mdi9UdGAWoePYIvQwu6ct12xIOLBF4P7eDRwjlWykANF9/jWFoPfd/hu+LiM2Ow09RTZTnExgAjYiCrq7YJRTrjIfU=,iv:ODluo/RXmSu7PzzXS/ZnFNMzUOjcrCpkzHoAviCNDUU=,tag:2LW9hIP6dq23/coQbTLOww==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/system/hosts/mcp/README.md b/system/hosts/mcp/README.md
index a459e8b..5588108 100644
--- a/system/hosts/mcp/README.md
+++ b/system/hosts/mcp/README.md
@@ -1,3 +1,10 @@
 # mcp
 
-Configuration for the MCP server
\ No newline at end of file
+Configuration for the MCP server.
+
+## Sops
+
+```bash
+nix-shell -p sops --run "sops secrets/mcp.yaml"
+```
+
diff --git a/system/hosts/sirius-a/README.md b/system/hosts/sirius-a/README.md
new file mode 100644
index 0000000..3b1336f
--- /dev/null
+++ b/system/hosts/sirius-a/README.md
@@ -0,0 +1,9 @@
+# Sirius
+
+The brightest star in the sky.
+
+## Sops
+
+```bash
+nix-shell -p sops --run "sops secrets/sirius.yaml"
+```
diff --git a/system/hosts/sirius-a/configuration.nix b/system/hosts/sirius-a/configuration.nix
index c2c788d..5dd030c 100644
--- a/system/hosts/sirius-a/configuration.nix
+++ b/system/hosts/sirius-a/configuration.nix
@@ -6,6 +6,8 @@
 {
 imports = [
 ./gandicloud.nix
+ ./sops.nix
+ ./webhooks.nix
 ];
 
 networking = {
diff --git a/system/hosts/sirius-a/default.nix b/system/hosts/sirius-a/default.nix
index 09b9d3a..f342913 100644
--- a/system/hosts/sirius-a/default.nix
+++ b/system/hosts/sirius-a/default.nix
@@ -1,9 +1,10 @@
-{ ... }:
+{ inputs, ... }:
 {
 imports = [
 ./configuration.nix
 ../../authorized-keys.nix
 ../../features/gc.nix
+ inputs.sops-nix.nixosModules.sops
 ];
 
 nixpkgs.config.allowUnfree = true;
diff --git a/system/hosts/sirius-a/sops.nix b/system/hosts/sirius-a/sops.nix
new file mode 100644
index 0000000..0dc67fb
--- /dev/null
+++ b/system/hosts/sirius-a/sops.nix
@@ -0,0 +1,14 @@
+_: {
+ ### Secrets
+ sops = {
+ defaultSopsFile = ../../../secrets/sirius.yaml;
+ age = {
+ # Use the host key for sops
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # Where to store the key
+ keyFile = "/var/lib/sops-nix/key.txt";
+ # Generate the key if it doesn't exist
+ generateKey = true;
+ };
+ };
+}
diff --git a/system/hosts/sirius-a/webhooks.nix b/system/hosts/sirius-a/webhooks.nix
new file mode 100644
index 0000000..d26272b
--- /dev/null
+++ b/system/hosts/sirius-a/webhooks.nix
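Review bot: In the `sops.nix` hunk the comment `# Generate the key if it doesn't exist` on `generateKey = true` is misleading next to `sshKeyPaths`: a key generated at activation into `/var/lib/sops-nix/key.txt` is not a recipient of `secrets/sirius.yaml`, so it cannot decrypt anything, and decryption only works if the age recipient derived from `/etc/ssh/ssh_host_ed25519_key` is listed in `.sops.yaml`. Either drop `keyFile`/`generateKey` and rely on the host key alone, or reword the comment to `# Fallback identity only; it can decrypt nothing until its public key is added as a recipient in .sops.yaml`. The new `system/hosts/sirius-a/README.md` hunk would be the natural place to record how that recipient is obtained from the host key (`ssh-to-age`) so the next host is set up the same way.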
@@ -0,0 +1,92 @@
+{ config, pkgs, ... }:
+let
+ gitKnownHosts = pkgs.writeText "known_hosts" ''
+ [git.blazestar.net]:2222 ssh-rsa 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
+ '';
+ deployNpmApp =
+ with pkgs;
+ writeShellApplication {
+ name = "build-npm-app";
+ runtimeInputs = [
+ openssh
+ gitFull
+ nodejs_22
+ bashNonInteractive
+ rsync
+ ];
+ text = ''
+ set -e
+
+ echo "Deploying in $(pwd) as $(id)"
+
+ OUTPUT_DIR="./$(date --utc --iso-8601=seconds)"
+
+ echo "Deploying into $OUTPUT_DIR"
+
+ export GIT_SSH_COMMAND='ssh -v -o "UserKnownHostsFile ${gitKnownHosts}" -i "${
+ config.sops.secrets."webhook/deploy-key".path
+ }"'
+
+ # Disable astro telemetry otherwise it will try to write to `~/.config/astro/config.json`
+ export ASTRO_TELEMETRY_DISABLED=1
+
+ # Fetch the repository and make sure we are reset to HEAD
+ git fetch origin main
+ git reset --hard
+ git checkout main
+ git reset --hard origin/main
+
+ # Use a local cache with --cache .npm
+ npm ci --cache .npm
+ npm run build -- --outDir "$OUTPUT_DIR"
+
+ echo "Activating $OUTPUT_DIR"
+ # Trailing slash on source to only copy contents, not the directory itself
+ rsync --archive --delete "$OUTPUT_DIR"/ deployed
+ echo "Deployment complete"
+ '';
+ };
+in
+{
+ sops.secrets = {
+ "webhook/deploy-key" = {
+ restartUnits = [ "webhook.service" ];
+ owner = config.users.users.webhook.name;
+ };
+ };
+
+ services.webhook =
+ let
+ trigger-rule = {
+ or = [
+ {
+ match = {
+ type = "payload-hmac-sha1";
+ secret = "mysecret";
+ parameter = {
+ source = "header";
+ name = "X-Hub-Signature";
+ };
+ };
+ }
+ ];
+ };
+ in
+ {
+ enable = true;
+ verbose = true;
+ port = 9000;
+ openFirewall = true;
+ hooks = {
+ "deploy-blazestar-net" = {
+ id = "deploy-blazestar-net";
+ http-methods = [ "POST" ];
+ command-working-directory = "/web/blazestar.net";
+ include-command-output-in-response-on-error = true;
+ execute-command = "${deployNpmApp}/bin/build-npm-app";
+ trigger-rule-mismatch-http-response-code = 400;
+ inherit trigger-rule;
+ };
+ };
+ };
+}
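Review bot: `secret = "mysecret";` in `trigger-rule` is a literal in the module, so it ends up in the world-readable Nix store and in the generated hooks file, and with `openFirewall = true` on port 9000 anyone who has read it can sign a payload and start a deployment; it should come from sops like `webhook/deploy-key` does, by rendering the hooks file with webhook's `-template` support (`services.webhook.enableTemplates`, if the module version in use exposes it) and reading the value with `{{ getenv "WEBHOOK_SECRET" }}` from an `EnvironmentFile` that points at the secret. While changing it, `type = "payload-hmac-sha256";` with `name = "X-Hub-Signature-256";` is what current forges send and avoids SHA-1. Separately, `include-command-output-in-response-on-error = true` combined with `ssh -v` in `GIT_SSH_COMMAND` returns the verbose ssh transcript, including the key path and known-hosts handling, to the HTTP caller on any failure; the journal already gets it via `verbose = true`, so drop `-v` and keep error output out of the response. The hook runs with no serialization, so two overlapping POSTs appear to race on the same checkout in `/web/blazestar.net`.
```nix
# hooks file is rendered with -template (services.webhook.enableTemplates), so the
# HMAC secret is read from webhook.service's environment instead of the expression
trigger-rule = {
  or = [
    {
      match = {
        type = "payload-hmac-sha256";
        secret = "{{ getenv \"WEBHOOK_SECRET\" }}";
        parameter = {
          source = "header";
          name = "X-Hub-Signature-256";
        };
      };
    }
  ];
};
# … unchanged: enable / verbose / port / openFirewall / hooks …
# WEBHOOK_SECRET=… comes from a sops secret (name constructed), owned by the webhook user;
# its decrypted path is passed as systemd.services.webhook.serviceConfig.EnvironmentFile
```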