From d4c3bb6629326b67c41a2d20949dfd8efdbfb7e1 Mon Sep 17 00:00:00 2001
From: Stephan D
Date: Mon, 16 Mar 2026 14:04:43 +0100
Subject: [PATCH] Initial dev deployment [infra]
---
 .woodpecker/bff.yml | 6 +---
 .woodpecker/billing_documents.yml | 6 +---
 .woodpecker/billing_fees.yml | 6 +---
 .woodpecker/callbacks.yml | 6 +---
 .woodpecker/db.yml | 7 +---
 .woodpecker/discovery.yml | 6 +---
 .woodpecker/frontend.yml | 6 +---
 .woodpecker/fx_ingestor.yml | 6 +---
 .woodpecker/fx_oracle.yml | 6 +---
 .woodpecker/gateway_chain.yml | 6 +---
 .woodpecker/gateway_mntx.yml | 6 +---
 .woodpecker/gateway_tgsettle.yml | 6 +---
 .woodpecker/gateway_tron.yml | 6 +---
 .woodpecker/ledger.yml | 6 +---
 .woodpecker/nats.yml | 6 +---
 .woodpecker/notification.yml | 6 +---
 .woodpecker/payments_methods.yml | 6 +---
 .woodpecker/payments_orchestrator.yml | 6 +---
 .woodpecker/payments_quotation.yml | 6 +---
 ci/devserver/.env.runtime | 1 +
 ci/prod/.env.runtime | 1 +
 ci/scripts/common/fetch_deploy_ssh_key.sh | 41 +++++++++++++++++++++++
 22 files changed, 62 insertions(+), 96 deletions(-)
 create mode 100644 ci/scripts/common/fetch_deploy_ssh_key.sh
diff --git a/.woodpecker/bff.yml b/.woodpecker/bff.yml
index 52d6f099..ed30ace7 100644
--- a/.woodpecker/bff.yml
+++ b/.woodpecker/bff.yml
@@ -78,11 +78,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/billing_documents.yml b/.woodpecker/billing_documents.yml
index 4ffdc2bf..4b60409e 100644
--- a/.woodpecker/billing_documents.yml
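Review bot: The two context lines `./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER` and `... password > secrets/REGISTRY_PASSWORD` now depend on a directory this step no longer creates; `secrets/` exists only because the helper runs `mkdir -p` on the parent of its argument, so changing that argument or the helper breaks the registry redirects with an unrelated-looking error. Keeping `- mkdir -p secrets` in the step, or stating in the helper's header that creating the destination directory is part of its contract, removes the hidden coupling. Nothing in this step pins which environment's key is fetched either: the helper derives the vault path from `CI_TARGET_ENV` or a `resolve_runtime_env_name` fallback that is not in this patch, so a pipeline that leaves `CI_TARGET_ENV` unset gets whatever that fallback resolves to — worth setting explicitly in the step's environment where the target is known. The same one-line replacement is made in the other eighteen `.woodpecker/*.yml` hunks of this patch.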
+++ b/.woodpecker/billing_documents.yml
@@ -73,11 +73,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/billing_fees.yml b/.woodpecker/billing_fees.yml
index dd90ae0f..8fb88395 100644
--- a/.woodpecker/billing_fees.yml
+++ b/.woodpecker/billing_fees.yml
@@ -73,11 +73,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/callbacks.yml b/.woodpecker/callbacks.yml
index 6dc4ef09..b38be049 100644
--- a/.woodpecker/callbacks.yml
+++ b/.woodpecker/callbacks.yml
@@ -74,11 +74,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/db.yml b/.woodpecker/db.yml
index 9389e737..3cec0553 100644
--- a/.woodpecker/db.yml
+++ b/.woodpecker/db.yml
@@ -27,12 +27,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- # Retrieve SSH private key for deploy (existing helper)
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - name: deploy
 image: alpine:latest
diff --git a/.woodpecker/discovery.yml b/.woodpecker/discovery.yml
index 445ab2ef..91a1eae5 100644
--- a/.woodpecker/discovery.yml
+++ b/.woodpecker/discovery.yml
@@ -72,11 +72,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/frontend.yml b/.woodpecker/frontend.yml
index ea31555f..07743d3f 100644
--- a/.woodpecker/frontend.yml
+++ b/.woodpecker/frontend.yml
@@ -46,11 +46,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/fx_ingestor.yml b/.woodpecker/fx_ingestor.yml
index f9be6270..f4283368 100644
--- a/.woodpecker/fx_ingestor.yml
+++ b/.woodpecker/fx_ingestor.yml
@@ -78,11 +78,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/fx_oracle.yml b/.woodpecker/fx_oracle.yml
index cb16b427..a24f0d26 100644
--- a/.woodpecker/fx_oracle.yml
+++ b/.woodpecker/fx_oracle.yml
@@ -79,11 +79,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/gateway_chain.yml b/.woodpecker/gateway_chain.yml
index 613716af..2cd2569a 100644
--- a/.woodpecker/gateway_chain.yml
+++ b/.woodpecker/gateway_chain.yml
@@ -77,11 +77,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/gateway_mntx.yml b/.woodpecker/gateway_mntx.yml
index 35b1fd1a..3bb0eef4 100644
--- a/.woodpecker/gateway_mntx.yml
+++ b/.woodpecker/gateway_mntx.yml
@@ -76,11 +76,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/gateway_tgsettle.yml b/.woodpecker/gateway_tgsettle.yml
index b3b97e23..4093bb51 100644
--- a/.woodpecker/gateway_tgsettle.yml
+++ b/.woodpecker/gateway_tgsettle.yml
@@ -74,11 +74,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/gateway_tron.yml b/.woodpecker/gateway_tron.yml
index 2c88f15a..ef28b305 100644
--- a/.woodpecker/gateway_tron.yml
+++ b/.woodpecker/gateway_tron.yml
@@ -77,11 +77,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/ledger.yml b/.woodpecker/ledger.yml
index 54ba3350..fffc1527 100644
--- a/.woodpecker/ledger.yml
+++ b/.woodpecker/ledger.yml
@@ -73,11 +73,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/nats.yml b/.woodpecker/nats.yml
index 4e7e7c3e..3f9f8408 100644
--- a/.woodpecker/nats.yml
+++ b/.woodpecker/nats.yml
@@ -27,11 +27,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - name: deploy
 image: alpine:latest
diff --git a/.woodpecker/notification.yml b/.woodpecker/notification.yml
index dd1be0cd..cd678859 100644
--- a/.woodpecker/notification.yml
+++ b/.woodpecker/notification.yml
@@ -76,11 +76,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/payments_methods.yml b/.woodpecker/payments_methods.yml
index 7cdaae1f..216f242e 100644
--- a/.woodpecker/payments_methods.yml
+++ b/.woodpecker/payments_methods.yml
@@ -74,11 +74,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/payments_orchestrator.yml b/.woodpecker/payments_orchestrator.yml
index 35de9dcb..0cc7cf5e 100644
--- a/.woodpecker/payments_orchestrator.yml
+++ b/.woodpecker/payments_orchestrator.yml
@@ -74,11 +74,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/.woodpecker/payments_quotation.yml b/.woodpecker/payments_quotation.yml
index c5288ad0..fdc000a7 100644
--- a/.woodpecker/payments_quotation.yml
+++ b/.woodpecker/payments_quotation.yml
@@ -74,11 +74,7 @@ steps:
 commands:
 - set -euo pipefail
 - apk add --no-cache bash coreutils openssh-keygen curl sed python3
- - mkdir -p secrets
- - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
- - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
- - chmod 600 secrets/SSH_KEY
- - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+ - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
 - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
 - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
diff --git a/ci/devserver/.env.runtime b/ci/devserver/.env.runtime
index f590aa0c..8a3a716c 100644
--- a/ci/devserver/.env.runtime
+++ b/ci/devserver/.env.runtime
@@ -7,3 +7,4 @@ WS_PROTOCOL=ws
 SSH_HOST=178.57.67.136
 SSH_USER=cloud
+DEPLOY_SSH_KEY_PATH=ops/deploy/dev_ssh_key
diff --git a/ci/prod/.env.runtime b/ci/prod/.env.runtime
index 8caca209..63716a38 100644
--- a/ci/prod/.env.runtime
+++ b/ci/prod/.env.runtime
@@ -35,6 +35,7 @@ PBM_S3_BUCKET=backup
 SSH_HOST=178.57.67.248
 SSH_USER=cloud
+DEPLOY_SSH_KEY_PATH=ops/deploy/ssh_key
 REMOTE_BASE=/srv/sendico
 DB_DIR=db
 DB_COMPOSE_PROJECT=sendico-db
diff --git a/ci/scripts/common/fetch_deploy_ssh_key.sh b/ci/scripts/common/fetch_deploy_ssh_key.sh
new file mode 100644
index 00000000..f1abbdc8
--- /dev/null
+++ b/ci/scripts/common/fetch_deploy_ssh_key.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -eu
+
+REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "${REPO_ROOT}"
+
+DEST_FILE="${1:-secrets/SSH_KEY}"
+DEST_DIR="$(dirname "${DEST_FILE}")"
+ENCODED_FILE="${DEST_FILE}.b64"
+
+. ci/scripts/common/runtime_env.sh
+
+env_name="${CI_TARGET_ENV:-$(resolve_runtime_env_name)}"
+runtime_file="$(resolve_runtime_env_file "${env_name}")"
+cleanup_runtime_file=0
+case "${runtime_file}" in
+ ./.runtime.*.merged.*)
+ cleanup_runtime_file=1
+ ;;
+esac
+
+cleanup() {
+ rm -f "${ENCODED_FILE}"
+ if [ "${cleanup_runtime_file}" -eq 1 ]; then
+ rm -f "${runtime_file}"
+ fi
+}
+trap cleanup EXIT INT TERM
+
+normalize_env_file "${runtime_file}"
+load_env_file "${runtime_file}"
+
+DEPLOY_SSH_KEY_PATH="${DEPLOY_SSH_KEY_PATH:-ops/deploy/ssh_key}"
+
+mkdir -p "${DEST_DIR}"
+./ci/vlt kv_to_file kv "${DEPLOY_SSH_KEY_PATH}" private_b64 "${ENCODED_FILE}" 600
+base64 -d "${ENCODED_FILE}" > "${DEST_FILE}"
+chmod 600 "${DEST_FILE}"
+ssh-keygen -y -f "${DEST_FILE}" >/dev/null
+
+printf '[fetch-deploy-ssh-key] env=%s path=%s\n' "${env_name}" "${DEPLOY_SSH_KEY_PATH}" >&2
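Review bot: `base64 -d "${ENCODED_FILE}" > "${DEST_FILE}"` creates the decoded private key with the process umask and only afterwards tightens it with `chmod 600`, so the key is briefly readable by anything sharing the filesystem; a `umask 077` right after `set -eu` closes that window and covers the `mkdir -p "${DEST_DIR}"` as well. The EXIT trap removes the `.b64` intermediate and the merged runtime file but never `DEST_FILE`, so a failed `base64 -d` or a key rejected by `ssh-keygen -y` leaves a partial or unverified private key in place for the next pipeline step to use; the trap should remove it whenever the script exits non-zero. The fallback in `DEPLOY_SSH_KEY_PATH="${DEPLOY_SSH_KEY_PATH:-ops/deploy/ssh_key}"` is the production path from `ci/prod/.env.runtime`, which means any environment whose runtime file lacks the variable silently deploys with the prod key — failing closed with `${DEPLOY_SSH_KEY_PATH:?DEPLOY_SSH_KEY_PATH not set in runtime env}` is the safer default now that dev has its own key. The `./.runtime.*.merged.*` cleanup pattern presumes `resolve_runtime_env_file` returns a `./`-prefixed relative path; that helper is not in this patch, so confirm the pattern actually matches.
```sh
set -eu
umask 077

# … unchanged: REPO_ROOT, DEST_FILE/DEST_DIR/ENCODED_FILE, runtime env resolution …

cleanup() {
  status=$?
  rm -f "${ENCODED_FILE}"
  if [ "${cleanup_runtime_file}" -eq 1 ]; then
    rm -f "${runtime_file}"
  fi
  # Never leave a partially decoded or unverified key behind on failure.
  if [ "${status}" -ne 0 ]; then
    rm -f "${DEST_FILE}"
  fi
}
trap cleanup EXIT INT TERM

# … unchanged: normalize_env_file / load_env_file …

DEPLOY_SSH_KEY_PATH="${DEPLOY_SSH_KEY_PATH:?DEPLOY_SSH_KEY_PATH not set in runtime env}"

# … unchanged: mkdir, vlt fetch, base64 decode, chmod, ssh-keygen check, printf …
```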