environment
· 2.0 KiB · Text
Raw
#!/bin/sh
log() { printf '\n\033[m\033[38;5;11m~~~ %s %s ~~~\033[m\n' $1 $2; }
log "deploy environment"
# obvious stuff
export PATH=${PATH}:/usr/local/bin
export SHELL=/bin/sh
# a righteous secure umask
umask 027
log "deploy ssh_agent"
# ensure we have a usable running ssh agent to inject keys into
# reuse an existing agent if there is one
SSH_AUTH_SOCK=$(find /tmp/ssh-* -type s -name agent.\* -print | head -1 )
# else, clean up and acquire a new one
if test ! -S "${SSH_AUTH_SOCK:-}" ; then
echo no existing ssh-agent found, spawning a new one
/bin/pkill -U $USER ssh-agent
eval $(/usr/bin/ssh-agent)
fi
echo ssh-agent: $SSH_AUTH_SOCK
export SSH_AUTH_SOCK
log "vault authn"
# obtain a vault token for use during this session
# ensure we have address and auth key for vault
if test -z "${VAULT_ADDR:-}" ; then
echo vault: missing VAULT_ADDR url
exit 1
fi
if test -z "${VAULT_SECRET:-}" ; then
echo vault: missing VAULT_SECRET token
exit 1
fi
# from here on error handling can be enabled safely
set -o pipefail
set -e
# acquire a valid token
export VAULT_TOKEN=$(/usr/local/bin/vault login -token-only -method=github token=${VAULT_SECRET})
/usr/local/bin/vault read secret/test > /dev/null 2>&1
log "vault tokens_valid"
# acquire ssh keys
# first, the deploy key as github only checks the first presented key
/usr/local/bin/vault read -field=ssh_private_key secret/enso-bot | ssh-add -
# then, the ansible key, as ssh daemon on servers will check both
/usr/local/bin/vault read -field=ssh_private_key secret/ansible | ssh-add -
log "ssh_agent keys_loaded"
ssh-add -L
log "cleaning environment"
export VAULT_SECRET=""
test "$PHASE" == "webhook" && export BUILDKITE_REPO=''
test "$PHASE" != "webhook" && export CABAL_HMAC_SECRET=''
log "setup tmpdir"
# set a per-job custom TMPDIR
export TMPDIR=$(mktemp -d -t buildkite)
echo tmpdir: $TMPDIR
echo home: $HOME
echo pwd: $(pwd -P)
############ end common section ############
log "buildkite env ready"
| 1 | #!/bin/sh |
| 2 | log() { printf '\n\033[m\033[38;5;11m~~~ %s %s ~~~\033[m\n' $1 $2; } |
| 3 | |
| 4 | log "deploy environment" |
| 5 | |
| 6 | # obvious stuff |
| 7 | export PATH=${PATH}:/usr/local/bin |
| 8 | export SHELL=/bin/sh |
| 9 | # a righteous secure umask |
| 10 | umask 027 |
| 11 | |
| 12 | log "deploy ssh_agent" |
| 13 | |
| 14 | # ensure we have a usable running ssh agent to inject keys into |
| 15 | # reuse an existing agent if there is one |
| 16 | SSH_AUTH_SOCK=$(find /tmp/ssh-* -type s -name agent.\* -print | head -1 ) |
| 17 | |
| 18 | # else, clean up and acquire a new one |
| 19 | if test ! -S "${SSH_AUTH_SOCK:-}" ; then |
| 20 | echo no existing ssh-agent found, spawning a new one |
| 21 | /bin/pkill -U $USER ssh-agent |
| 22 | eval $(/usr/bin/ssh-agent) |
| 23 | fi |
| 24 | |
| 25 | echo ssh-agent: $SSH_AUTH_SOCK |
| 26 | export SSH_AUTH_SOCK |
| 27 | |
| 28 | log "vault authn" |
| 29 | |
| 30 | # obtain a vault token for use during this session |
| 31 | # ensure we have address and auth key for vault |
| 32 | if test -z "${VAULT_ADDR:-}" ; then |
| 33 | echo vault: missing VAULT_ADDR url |
| 34 | exit 1 |
| 35 | fi |
| 36 | |
| 37 | if test -z "${VAULT_SECRET:-}" ; then |
| 38 | echo vault: missing VAULT_SECRET token |
| 39 | exit 1 |
| 40 | fi |
| 41 | |
| 42 | # from here on error handling can be enabled safely |
| 43 | set -o pipefail |
| 44 | set -e |
| 45 | |
| 46 | # acquire a valid token |
| 47 | export VAULT_TOKEN=$(/usr/local/bin/vault login -token-only -method=github token=${VAULT_SECRET}) |
| 48 | /usr/local/bin/vault read secret/test > /dev/null 2>&1 |
| 49 | log "vault tokens_valid" |
| 50 | |
| 51 | # acquire ssh keys |
| 52 | # first, the deploy key as github only checks the first presented key |
| 53 | /usr/local/bin/vault read -field=ssh_private_key secret/enso-bot | ssh-add - |
| 54 | # then, the ansible key, as ssh daemon on servers will check both |
| 55 | /usr/local/bin/vault read -field=ssh_private_key secret/ansible | ssh-add - |
| 56 | log "ssh_agent keys_loaded" |
| 57 | ssh-add -L |
| 58 | |
| 59 | |
| 60 | log "cleaning environment" |
| 61 | |
| 62 | export VAULT_SECRET="" |
| 63 | test "$PHASE" == "webhook" && export BUILDKITE_REPO='' |
| 64 | test "$PHASE" != "webhook" && export CABAL_HMAC_SECRET='' |
| 65 | |
| 66 | log "setup tmpdir" |
| 67 | # set a per-job custom TMPDIR |
| 68 | export TMPDIR=$(mktemp -d -t buildkite) |
| 69 | echo tmpdir: $TMPDIR |
| 70 | echo home: $HOME |
| 71 | echo pwd: $(pwd -P) |
| 72 | |
| 73 | ############ end common section ############ |
| 74 | |
| 75 | log "buildkite env ready" |
main.yml
· 1.7 KiB · YAML
Raw
---
- name: install buildkite agent
pkgng:
state: latest
name:
- devel/buildkite-agent
- devel/git
- devel/gmake
- security/vault
- www/gurl
tags: buildkite, pkg
- name: deploy buildkite agent template
copy:
content: |
name='{{ instance.fqdn | default(inventory_hostname_short) }}-%spawn'
spawn={{ buildkite_concurrency | default(1) }}
tags='os={{ ansible_distribution }},queue={{ buildkite_queue }}'
build-path='/var/db/ci/buildkite'
hooks-path='/usr/local/etc/buildkite/hooks'
plugins-path='/usr/local/etc/buildkite/plugins'
debug=false
dest: /usr/local/etc/buildkite/agent.cfg
owner: root
group: '{{ buildkite_group | default("wheel") }}'
mode: 0440
notify: restart buildkite
tags: buildkite
- name: enable buildkite daemon
copy:
content: |
# https://buildkite.com/docs/agent
# mandatory parameters
buildkite_enable=YES
buildkite_token={{ buildkite_token }}
buildkite_account={{ ci_user | default("root") }}
# optional parameters
buildkite_config=/usr/local/etc/buildkite/agent.cfg
buildkite_vars='CABAL_HMAC_SECRET={{ cabal_hmac_signing_key }} \
VAULT_ADDR=https://vault.{{ admin_domain }}/ \
VAULT_SECRET={{ ci_vault_auth_token }} \
'
dest: /etc/rc.conf.d/buildkite
owner: root
group: wheel
mode: 0440
notify: restart buildkite
tags: buildkite
- name: deploy buildkite environment script
template:
src: buildkite_environment.j2
dest: /usr/local/etc/buildkite/hooks/environment
mode: 0750
owner: root
group: '{{ buildkite_group | default("wheel") }}'
notify: restart buildkite
tags: buildkite
| 1 | --- |
| 2 | - name: install buildkite agent |
| 3 | pkgng: |
| 4 | state: latest |
| 5 | name: |
| 6 | - devel/buildkite-agent |
| 7 | - devel/git |
| 8 | - devel/gmake |
| 9 | - security/vault |
| 10 | - www/gurl |
| 11 | tags: buildkite, pkg |
| 12 | |
| 13 | - name: deploy buildkite agent template |
| 14 | copy: |
| 15 | content: | |
| 16 | name='{{ instance.fqdn | default(inventory_hostname_short) }}-%spawn' |
| 17 | spawn={{ buildkite_concurrency | default(1) }} |
| 18 | tags='os={{ ansible_distribution }},queue={{ buildkite_queue }}' |
| 19 | build-path='/var/db/ci/buildkite' |
| 20 | hooks-path='/usr/local/etc/buildkite/hooks' |
| 21 | plugins-path='/usr/local/etc/buildkite/plugins' |
| 22 | debug=false |
| 23 | dest: /usr/local/etc/buildkite/agent.cfg |
| 24 | owner: root |
| 25 | group: '{{ buildkite_group | default("wheel") }}' |
| 26 | mode: 0440 |
| 27 | notify: restart buildkite |
| 28 | tags: buildkite |
| 29 | |
| 30 | - name: enable buildkite daemon |
| 31 | copy: |
| 32 | content: | |
| 33 | # https://buildkite.com/docs/agent |
| 34 | # mandatory parameters |
| 35 | buildkite_enable=YES |
| 36 | buildkite_token={{ buildkite_token }} |
| 37 | buildkite_account={{ ci_user | default("root") }} |
| 38 | # optional parameters |
| 39 | buildkite_config=/usr/local/etc/buildkite/agent.cfg |
| 40 | buildkite_vars='CABAL_HMAC_SECRET={{ cabal_hmac_signing_key }} \ |
| 41 | VAULT_ADDR=https://vault.{{ admin_domain }}/ \ |
| 42 | VAULT_SECRET={{ ci_vault_auth_token }} \ |
| 43 | ' |
| 44 | dest: /etc/rc.conf.d/buildkite |
| 45 | owner: root |
| 46 | group: wheel |
| 47 | mode: 0440 |
| 48 | notify: restart buildkite |
| 49 | tags: buildkite |
| 50 | |
| 51 | - name: deploy buildkite environment script |
| 52 | template: |
| 53 | src: buildkite_environment.j2 |
| 54 | dest: /usr/local/etc/buildkite/hooks/environment |
| 55 | mode: 0750 |
| 56 | owner: root |
| 57 | group: '{{ buildkite_group | default("wheel") }}' |
| 58 | notify: restart buildkite |
| 59 | tags: buildkite |
| 60 |