Periodic/system-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
430a041724ce583f6a9f45865f356e03f5b6a008
system-config/system/hosts/mcp/static-site-hooks.nix

135 lines
4.4 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
let
gitKnownHosts = pkgs.writeText "known_hosts" ''
[git.blazestar.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDSikNAZDAbdQ5TA6Eg95FBM3sdPfAfghG+n56akCal8XXV/vOnXgqfeDASfXVOu+PZqCHnpGTxsym7hf2naFC0enznhS2sqahdQKKcsHvSfyQxpYFYyB2Zp8YDbnbRNGl2SbnqOajzk1SxJrJ0fFXmfrRIMnGNz+uFtIqc+T52CM051nd5Gj3f9a8xCwg7hedvSCynobsW9IOCmCc9rZ99TRd+m0kO74pUbgVqLv/+aSuW40K1uCkKgyh6PQsmkZd5GY0URwoJvLZauZLSPxl6DEU6lYz8S/hPrTP/e6fOPZsavQBYC+3Q/akoFnY+qlKgWLQy/Om6hz0EfYuuzNPRhf1jaGKjHgEri1f3OMgXcRMvjovRgbbu0JRGANmN8FMe20S4AAvbxmsQdQci+QcXZPDPbcmT3XJv8e8p4HNQyLxHyh0u9dLBE2ccTv5gdf/6iZy6WXlYEf1UAKC2lExRuKBV3lrnuyHhOj+iL09gUMYFuIyHuX2Hsw9yKZbO8J2+STNIVQfAJ0Upa2cJ33a6RlOxGiHXi4UbZTPguNgQaQdM0CuklVTynBfWr1Hfd8c8hVtT+HLz+XOU2Nrmgq90/w7g7mo5JxXHkcfBlqlXKONTkDUG3KHbwKtQNVC6l3bhpvPc32Mys6e7JeWnrb1zXojopnPvoct54qDVlwc5xQ==
'';
migratePocketbase =
with pkgs;
writeShellScript "migrate-pocketbase" ''
set -e
id
pwd
${pkgs.pocketbase}/bin/pocketbase migrate up
'';
deployNpmApp =
with pkgs;
writeShellApplication {
name = "build-npm-app";
runtimeInputs = [
openssh
gitFull
nodejs_22
bashNonInteractive
rsync
];
text = ''
set -e
id
pwd
output_dir="./$(date --utc --iso-8601=seconds)"
export GIT_SSH_COMMAND='ssh -v -o "UserKnownHostsFile ${gitKnownHosts}" -i "${
config.sops.secrets."deploy-key/mcp".path
}"'
# Disable astro telemetry otherwise it will try to write to `~/.config/astro/config.json`
export ASTRO_TELEMETRY_DISABLED=1
# Fetch the repository and make sure we are reset to HEAD
git fetch origin main
git reset --hard
git checkout main
git reset --hard origin/main
# Use a local cache with --cache .npm
npm ci --cache .npm
npm run build -- --outDir "$output_dir"
# Trailing slash on source to only copy contents, not the directory itself
rsync --archive --delete "$output_dir"/ deployed
'';
};
in
{
sops.secrets = {
"deploy-key/mcp" = {
restartUnits = [ "webhook.service" ];
owner = config.users.users.webhook.name;
};
};
services.webhook =
let
trigger-rule = {
or = [
# There were some issues getting the payload signature validation to work.
# Switching to only accepting requests from internal IPs.
# {
# match = {
# type = "payload-hmac-sha1";
# secret = "mysecret";
# parameter = {
# source = "header";
# name = "X-Hub-Signature";
# };
# };
# }
{
match = {
type = "ip-whitelist";
ip-range = "192.168.0.0/16";
};
}
{
match = {
type = "ip-whitelist";
ip-range = "10.88.0.0/16";
};
}
];
};
in
{
enable = true;
verbose = true;
port = 9000;
openFirewall = true;
hooks = {
"deploy-terakoda-com" = {
id = "deploy-terakoda-com";
http-methods = [ "POST" ];
command-working-directory = "/tank/web/terakoda.com";
include-command-output-in-response-on-error = true;
execute-command = "${deployNpmApp}/bin/build-npm-app";
trigger-rule-mismatch-http-response-code = 400;
inherit trigger-rule;
};
"deploy-dm-terakoda-com" = {
id = "deploy-dm-terakoda-com";
http-methods = [ "POST" ];
command-working-directory = "/tank/web/dm.terakoda.com";
include-command-output-in-response-on-error = true;
execute-command = toString (
pkgs.writeShellScript "deploy-dm-terakoda-com" ''
"${deployNpmApp}/bin/build-npm-app";
"${migratePocketbase}";
''
);
trigger-rule-mismatch-http-response-code = 400;
inherit trigger-rule;
};
"deploy-blazestar-net" = {
id = "deploy-blazestar-net";
http-methods = [ "POST" ];
command-working-directory = "/tank/web/blazestar.net";
include-command-output-in-response-on-error = true;
execute-command = "${deployNpmApp}/bin/build-npm-app";
trigger-rule-mismatch-http-response-code = 400;
inherit trigger-rule;
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink