Last active 1746278176

dch's Avatar dch revised this gist 1746278176. Go to revision

2 files changed, 134 insertions

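--- a/environment
+++ b/environment
@@ -0,0 +1,75 @@
+#!/bin/sh
+log() { printf '\n\033[m\033[38;5;11m~~~ %s %s ~~~\033[m\n' $1 $2; }
+
+log "deploy environment"
+
+# obvious stuff
+export PATH=${PATH}:/usr/local/bin
+export SHELL=/bin/sh
+# a righteous secure umask
+umask 027
+
+log "deploy ssh_agent"
+
+# ensure we have a usable running ssh agent to inject keys into
+# reuse an existing agent if there is one
+SSH_AUTH_SOCK=$(find /tmp/ssh-* -type s -name agent.\* -print | head -1 )
+
+# else, clean up and acquire a new one
+if test ! -S "${SSH_AUTH_SOCK:-}" ; then
+echo no existing ssh-agent found, spawning a new one
+/bin/pkill -U $USER ssh-agent
+eval $(/usr/bin/ssh-agent)
+fi
+
+echo ssh-agent: $SSH_AUTH_SOCK
+export SSH_AUTH_SOCK
+
+log "vault authn"
+
+# obtain a vault token for use during this session
+# ensure we have address and auth key for vault
+if test -z "${VAULT_ADDR:-}" ; then
+echo vault: missing VAULT_ADDR url
+exit 1
+fi
+
+if test -z "${VAULT_SECRET:-}" ; then
+echo vault: missing VAULT_SECRET token
+exit 1
+fi
+
+# from here on error handling can be enabled safely
+set -o pipefail
+set -e
+
+# acquire a valid token
+export VAULT_TOKEN=$(/usr/local/bin/vault login -token-only -method=github token=${VAULT_SECRET})
+/usr/local/bin/vault read secret/test > /dev/null 2>&1
+log "vault tokens_valid"
+
+# acquire ssh keys
+# first, the deploy key as github only checks the first presented key
+/usr/local/bin/vault read -field=ssh_private_key secret/enso-bot | ssh-add -
+# then, the ansible key, as ssh daemon on servers will check both
+/usr/local/bin/vault read -field=ssh_private_key secret/ansible | ssh-add -
+log "ssh_agent keys_loaded"
+ssh-add -L
+
+
+log "cleaning environment"
+
+export VAULT_SECRET=""
+test "$PHASE" == "webhook" && export BUILDKITE_REPO=''
+test "$PHASE" != "webhook" && export CABAL_HMAC_SECRET=''
+
+log "setup tmpdir"
+# set a per-job custom TMPDIR
+export TMPDIR=$(mktemp -d -t buildkite)
+echo tmpdir: $TMPDIR
+echo home: $HOME
+echo pwd: $(pwd -P)
+
+############ end common section ############
+
+log "buildkite env ready"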
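Review bot: The GitHub token is handed to Vault as a command-line argument (`token=${VAULT_SECRET}` in the `vault login` line), so it is visible in process listings to every local user for the life of that call; the Vault CLI can read the same value from the environment instead (VAULT_AUTH_GITHUB_TOKEN, if the installed version supports it), which keeps it out of `ps`. The `export VAULT_TOKEN=$(...)` form also masks the exit status of `vault login`, so the `set -e` enabled just above does not see a failed login and the following `vault read secret/test` is the only thing that catches it; a comment such as `# export hides the login's exit status; this read is the real check` would make that intent explicit. The two `ssh-add -` calls load the deploy and ansible keys with no lifetime, so in a reused agent they outlive the job that loaded them; `ssh-add -t <LIFETIME_SECONDS> -` (placeholder bound) or an explicit unload at job end would limit that window. Finally, `test "$PHASE" == "webhook"` relies on a non-POSIX `==` under the `#!/bin/sh` shebang; `=` is the portable spelling.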

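--- a/main.yml
+++ b/main.yml
@@ -0,0 +1,59 @@
+---
+- name: install buildkite agent
+pkgng:
+state: latest
+name:
+- devel/buildkite-agent
+- devel/git
+- devel/gmake
+- security/vault
+- www/gurl
+tags: buildkite, pkg
+
+- name: deploy buildkite agent template
+copy:
+content: |
+name='{{ instance.fqdn | default(inventory_hostname_short) }}-%spawn'
+spawn={{ buildkite_concurrency | default(1) }}
+tags='os={{ ansible_distribution }},queue={{ buildkite_queue }}'
+build-path='/var/db/ci/buildkite'
+hooks-path='/usr/local/etc/buildkite/hooks'
+plugins-path='/usr/local/etc/buildkite/plugins'
+debug=false
+dest: /usr/local/etc/buildkite/agent.cfg
+owner: root
+group: '{{ buildkite_group | default("wheel") }}'
+mode: 0440
+notify: restart buildkite
+tags: buildkite
+
+- name: enable buildkite daemon
+copy:
+content: |
+# https://buildkite.com/docs/agent
+# mandatory parameters
+buildkite_enable=YES
+buildkite_token={{ buildkite_token }}
+buildkite_account={{ ci_user | default("root") }}
+# optional parameters
+buildkite_config=/usr/local/etc/buildkite/agent.cfg
+buildkite_vars='CABAL_HMAC_SECRET={{ cabal_hmac_signing_key }} \
+VAULT_ADDR=https://vault.{{ admin_domain }}/ \
+VAULT_SECRET={{ ci_vault_auth_token }} \
+'
+dest: /etc/rc.conf.d/buildkite
+owner: root
+group: wheel
+mode: 0440
+notify: restart buildkite
+tags: buildkite
+
+- name: deploy buildkite environment script
+template:
+src: buildkite_environment.j2
+dest: /usr/local/etc/buildkite/hooks/environment
+mode: 0750
+owner: root
+group: '{{ buildkite_group | default("wheel") }}'
+notify: restart buildkite
+tags: buildkite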
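Review bot: The `enable buildkite daemon` task renders `buildkite_token`, `cabal_hmac_signing_key` and `ci_vault_auth_token` into the `copy` content, and Ansible echoes task arguments and content diffs into its output and callback logs unless the task carries `no_log: true`; add that key alongside `notify: restart buildkite` on this task. Those values also become part of the agent daemon's environment via `buildkite_vars`, so every job and hook inherits them until the environment hook blanks them, which deserves a comment in the rc.conf content such as `# secrets below reach every job; the environment hook clears them`. The `pkgng` task uses `state: latest`, so each run can silently move the build host to a newer buildkite-agent or vault; `state: present` or a pinned version keeps the host reproducible. The unquoted `mode: 0440` / `mode: 0750` values are safer written as `mode: '0440'` so YAML does not parse them as integers.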