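{ config, pkgs, ... }:
let
  # Pinned host key for the self-hosted git server.  Passing this file as
  # UserKnownHostsFile in GIT_SSH_COMMAND (below) means the deploy user never
  # has to answer a host-key prompt, and a changed server key makes the fetch
  # fail instead of being silently accepted.
  gitKnownHosts = pkgs.writeText "known_hosts" ''
    [git.blazestar.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDSikNAZDAbdQ5TA6Eg95FBM3sdPfAfghG+n56akCal8XXV/vOnXgqfeDASfXVOu+PZqCHnpGTxsym7hf2naFC0enznhS2sqahdQKKcsHvSfyQxpYFYyB2Zp8YDbnbRNGl2SbnqOajzk1SxJrJ0fFXmfrRIMnGNz+uFtIqc+T52CM051nd5Gj3f9a8xCwg7hedvSCynobsW9IOCmCc9rZ99TRd+m0kO74pUbgVqLv/+aSuW40K1uCkKgyh6PQsmkZd5GY0URwoJvLZauZLSPxl6DEU6lYz8S/hPrTP/e6fOPZsavQBYC+3Q/akoFnY+qlKgWLQy/Om6hz0EfYuuzNPRhf1jaGKjHgEri1f3OMgXcRMvjovRgbbu0JRGANmN8FMe20S4AAvbxmsQdQci+QcXZPDPbcmT3XJv8e8p4HNQyLxHyh0u9dLBE2ccTv5gdf/6iZy6WXlYEf1UAKC2lExRuKBV3lrnuyHhOj+iL09gUMYFuIyHuX2Hsw9yKZbO8J2+STNIVQfAJ0Upa2cJ33a6RlOxGiHXi4UbZTPguNgQaQdM0CuklVTynBfWr1Hfd8c8hVtT+HLz+XOU2Nrmgq90/w7g7mo5JxXHkcfBlqlXKONTkDUG3KHbwKtQNVC6l3bhpvPc32Mys6e7JeWnrb1zXojopnPvoct54qDVlwc5xQ==
  '';

  # Applies pending PocketBase migrations in the current working directory
  # (the hook's command-working-directory).  `id`/`pwd` are diagnostic output.
  migratePocketbase = with pkgs; writeShellScript "migrate-pocketbase" ''
    set -e
    id
    pwd
    ${pkgs.pocketbase}/bin/pocketbase migrate up
  '';

  # Fetches `main` from origin in the current checkout, builds the npm app into
  # a fresh timestamped output directory and rsyncs that into ./deployed.
  # Runs from the hook's command-working-directory, which must already be a
  # clone of the repository.
  deployNpmApp = with pkgs; writeShellApplication {
    name = "build-npm-app";
    runtimeInputs = [ openssh gitFull nodejs_22 bashNonInteractive rsync ];
    text = ''
      # writeShellApplication already enables errexit/nounset/pipefail; this is
      # kept for readers of the script itself.
      set -e
      id
      pwd
      output_dir="./$(date --utc --iso-8601=seconds)"
      # Host key is pinned via gitKnownHosts and the deploy key comes from sops.
      # NOTE(review): `-v` makes ssh print debug output, and because the hooks
      # below set include-command-output-in-response-on-error that output is
      # returned to the HTTP caller on failure.
      export GIT_SSH_COMMAND='ssh -v -o "UserKnownHostsFile ${gitKnownHosts}" -i "${ config.sops.secrets."deploy-key/mcp".path }"'
      # Disable astro telemetry otherwise it will try to write to `~/.config/astro/config.json`
      export ASTRO_TELEMETRY_DISABLED=1
      # Fetch the repository and make sure we are reset to HEAD
      git fetch origin main
      git reset --hard
      git checkout main
      git reset --hard origin/main
      # Use a local cache with --cache .npm
      npm ci --cache .npm
      npm run build -- --outDir "$output_dir"
      # Trailing slash on source to only copy contents, not the directory itself
      # NOTE(review): nothing here removes "$output_dir" afterwards, so each run
      # leaves one more timestamped directory in the checkout.
      rsync --archive --delete "$output_dir"/ deployed
    '';
  };
in
{
  # The deploy key is readable only by the webhook user; webhook is restarted
  # when the secret changes.
  sops.secrets = {
    "deploy-key/mcp" = {
      restartUnits = [ "webhook.service" ];
      owner = config.users.users.webhook.name;
    };
  };

  services.webhook =
    let
      # Only the source address is checked; the request body is not
      # authenticated, so any host on these ranges can trigger a deploy.
      trigger-rule = {
        or = [
          # There were some issues getting the payload signature validation to work.
          # Switching to only accepting requests from internal IPs.
          # NOTE(review): if this is re-enabled, do not put the real secret as
          # a literal here -- it would be copied into the generated hook
          # configuration, which (like everything this module builds) is likely
          # to live in the world-readable Nix store; confirm how the module
          # materializes the config before relying on it.
          # {
          #   match = {
          #     type = "payload-hmac-sha1";
          #     secret = "mysecret";
          #     parameter = {
          #       source = "header";
          #       name = "X-Hub-Signature";
          #     };
          #   };
          # }
          { match = { type = "ip-whitelist"; ip-range = "192.168.0.0/16"; }; }
          { match = { type = "ip-whitelist"; ip-range = "10.88.0.0/16"; }; }
        ];
      };
    in
    {
      enable = true;
      verbose = true;
      port = 9000;
      # Opens 9000 on the host firewall; the ip-whitelist above is the only
      # thing between that port and a deploy.
      openFirewall = true;
      hooks = {
        "deploy-terakoda-com" = {
          id = "deploy-terakoda-com";
          http-methods = [ "POST" ];
          command-working-directory = "/tank/web/terakoda.com";
          include-command-output-in-response-on-error = true;
          execute-command = "${deployNpmApp}/bin/build-npm-app";
          trigger-rule-mismatch-http-response-code = 400;
          inherit trigger-rule;
        };
        "deploy-dm-terakoda-com" = {
          id = "deploy-dm-terakoda-com";
          http-methods = [ "POST" ];
          command-working-directory = "/tank/web/dm.terakoda.com";
          include-command-output-in-response-on-error = true;
          # Build first, then migrate the PocketBase schema.
          execute-command = toString (
            pkgs.writeShellScript "deploy-dm-terakoda-com" ''
              # Abort on the first failure.  Without this a failed build would
              # still run the migration, and the hook's exit status (and thus
              # its error reporting) would reflect only the migration.
              set -e
              "${deployNpmApp}/bin/build-npm-app"
              "${migratePocketbase}"
            ''
          );
          trigger-rule-mismatch-http-response-code = 400;
          inherit trigger-rule;
        };
        "deploy-blazestar-net" = {
          id = "deploy-blazestar-net";
          http-methods = [ "POST" ];
          command-working-directory = "/tank/web/blazestar.net";
          include-command-output-in-response-on-error = true;
          execute-command = "${deployNpmApp}/bin/build-npm-app";
          trigger-rule-mismatch-http-response-code = 400;
          inherit trigger-rule;
        };
      };
    };
}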