Initial dev deployment [infra]

.woodpecker/bff.yml

@@ -78,11 +78,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/billing_documents.yml

@@ -73,11 +73,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/billing_fees.yml

@@ -73,11 +73,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/callbacks.yml

@@ -74,11 +74,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/db.yml

@@ -27,12 +27,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      # Retrieve SSH private key for deploy (existing helper)
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
 
   - name: deploy
     image: alpine:latest

.woodpecker/discovery.yml

@@ -72,11 +72,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/frontend.yml

@@ -46,11 +46,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/fx_ingestor.yml

@@ -78,11 +78,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/fx_oracle.yml

@@ -79,11 +79,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/gateway_chain.yml

@@ -77,11 +77,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/gateway_mntx.yml

@@ -76,11 +76,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/gateway_tgsettle.yml

@@ -74,11 +74,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/gateway_tron.yml

@@ -77,11 +77,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/ledger.yml

@@ -73,11 +73,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/nats.yml

@@ -27,11 +27,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
 
   - name: deploy
     image: alpine:latest

.woodpecker/notification.yml

@@ -76,11 +76,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/payments_methods.yml

@@ -74,11 +74,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/payments_orchestrator.yml

@@ -74,11 +74,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

.woodpecker/payments_quotation.yml

@@ -74,11 +74,7 @@ steps:
     commands:
       - set -euo pipefail
       - apk add --no-cache bash coreutils openssh-keygen curl sed python3
-      - mkdir -p secrets
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
-      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
-      - chmod 600 secrets/SSH_KEY
-      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
       - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
       - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
 

ci/devserver/.env.runtime

@@ -7,3 +7,4 @@ WS_PROTOCOL=ws
 
 SSH_HOST=178.57.67.136
 SSH_USER=cloud
+DEPLOY_SSH_KEY_PATH=ops/deploy/dev_ssh_key

ci/prod/.env.runtime

@@ -35,6 +35,7 @@ PBM_S3_BUCKET=backup
 
 SSH_HOST=178.57.67.248
 SSH_USER=cloud
+DEPLOY_SSH_KEY_PATH=ops/deploy/ssh_key
 REMOTE_BASE=/srv/sendico
 DB_DIR=db
 DB_COMPOSE_PROJECT=sendico-db

ci/scripts/common/fetch_deploy_ssh_key.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+set -eu
+
+REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "${REPO_ROOT}"
+
+DEST_FILE="${1:-secrets/SSH_KEY}"
+DEST_DIR="$(dirname "${DEST_FILE}")"
+ENCODED_FILE="${DEST_FILE}.b64"
+
+. ci/scripts/common/runtime_env.sh
+
+env_name="${CI_TARGET_ENV:-$(resolve_runtime_env_name)}"
+runtime_file="$(resolve_runtime_env_file "${env_name}")"
+cleanup_runtime_file=0
+case "${runtime_file}" in
+  ./.runtime.*.merged.*)
+    cleanup_runtime_file=1
+    ;;
+esac
+
+cleanup() {
+  rm -f "${ENCODED_FILE}"
+  if [ "${cleanup_runtime_file}" -eq 1 ]; then
+    rm -f "${runtime_file}"
+  fi
+}
+trap cleanup EXIT INT TERM
+
+normalize_env_file "${runtime_file}"
+load_env_file "${runtime_file}"
+
+DEPLOY_SSH_KEY_PATH="${DEPLOY_SSH_KEY_PATH:-ops/deploy/ssh_key}"
+
+mkdir -p "${DEST_DIR}"
+./ci/vlt kv_to_file kv "${DEPLOY_SSH_KEY_PATH}" private_b64 "${ENCODED_FILE}" 600
+base64 -d "${ENCODED_FILE}" > "${DEST_FILE}"
+chmod 600 "${DEST_FILE}"
+ssh-keygen -y -f "${DEST_FILE}" >/dev/null
+
+printf '[fetch-deploy-ssh-key] env=%s path=%s\n' "${env_name}" "${DEPLOY_SSH_KEY_PATH}" >&2