diff --git a/.gitignore b/.gitignore index 2d435ae..4f3e6d2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ result* /secrets +.secrets age.key **/*.tmp.sops.yaml **/*.sops.tmp.yaml diff --git a/.taskfiles/_scripts/build_import_and_push.sh b/.taskfiles/_scripts/build_import_and_push.sh new file mode 100644 index 0000000..4443f34 --- /dev/null +++ b/.taskfiles/_scripts/build_import_and_push.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env bash + +# Function to check if a command was successful +check_command() { + if [ $? -ne 0 ]; then + echo "Error: $1 failed" + exit 1 + fi +} + +# Build the qemu image and get the path +qemuImageBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths) +check_command "Building qemu image" + +# Build the metadata and get the path +metadataBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.metadata --print-out-paths) +check_command "Building metadata" + +# Set the paths for the metadata and qemu image +MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz" +QBP="${qemuImageBuildPath}/nixos.qcow2" + +# Import the image to Incus and capture the instance name +instance_name=$(incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP" | grep -oP '(?<=Instance ).*(?= created)') +check_command "Importing image to Incus" + +echo "Instance created: $instance_name" + +# Call the push_token.sh script with the new instance name +./push_token.sh "$instance_name" +check_command "Pushing token to instance" + +echo "Process completed successfully" diff --git a/.taskfiles/_scripts/push_token.sh b/.taskfiles/_scripts/push_token.sh new file mode 100644 index 0000000..a116a77 --- /dev/null +++ b/.taskfiles/_scripts/push_token.sh @@ -0,0 +1,60 @@ +#!/usr/bin/env bash +# Prerequisites: +# 1password vault created with a single item in it with the property 'runner_token'. +# Define the vault and item used. +# Usage: ./push_token.sh + +set -euo pipefail + +# Check if instance name is provided +if [ "$#" -ne 1 ]; then + echo "Usage: $0 " >&2 + exit 1 +fi + +INCUS_INSTANCE="$1" # Use the provided instance name + +# Set variables +OP_ITEM_NAME="forgejo-runner" # Name of the 1Password item containing the runner token +OP_VAULT_NAME="forgejo-runner" # Name of the 1Password vault +TOKEN_FILE="tokenfile" # Name of the temporary file to store the token +INCUS_PATH="$INCUS_INSTANCE/var/lib/gitea-runner/default/$TOKEN_FILE" + +# Check if OP_SESSION environment variable exists, if not, sign in +if [ -z "${OP_SESSION:-}" ]; then + echo "Not logged in to 1Password CLI. Attempting to sign in..." + if ! eval $(op signin); then + echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2 + exit 1 + fi +fi + +# Ensure the target directory exists in the Incus instance +#incus exec "$INCUS_INSTANCE" -- mkdir -p /var/lib/gitea-runner/default +#incus exec "$INCUS_INSTANCE" -- chown gitea-runner:gitea-runner /var/lib/gitea-runner/default + +# Retrieve the token from 1Password +TOKEN=$(op item get "$OP_ITEM_NAME" --vault "$OP_VAULT_NAME" --fields runner_token) + +if [ -z "$TOKEN" ]; then + echo "Failed to retrieve token from 1Password" >&2 + exit 1 +fi + +# Create the token file +echo "TOKEN=$TOKEN" > "$TOKEN_FILE" + +# Push the file to Incus +echo "Running: incus file push $INCUS_PATH" +if incus file push "$TOKEN_FILE" "$INCUS_PATH"; then + echo "Token file successfully pushed to Incus instance $INCUS_INSTANCE" +else + echo "Failed to push token file to Incus instance $INCUS_INSTANCE" >&2 + rm "$TOKEN_FILE" + exit 1 +fi + +# Clean up the local token file +rm "$TOKEN_FILE" + +echo "Operation completed successfully"