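#!/usr/bin/env bash
# Container entrypoint (run by the Dockerfile).
#
# Runs from the volume of the website source mounted at /website-source.
# Optionally loads an SSH key and a git token from docker secrets, then
# syncs the source tree to /website-cached/source and runs build.py there,
# forwarding every argument given to this script.
#
# Secrets (each optional; a missing file or the literal content "none"
# means "not provided"):
#   /run/secrets/KEY_PRIVATE   private SSH key
#   /run/secrets/KEY_PASSWORD  passphrase for KEY_PRIVATE
#   /run/secrets/GIT_TOKEN     exported as GIT_TOKEN for build.py
set -euo pipefail

readonly SECRETS_DIR=/run/secrets
readonly SOURCE_DIR=/website-cached/source

#######################################
# Test whether a docker secret was actually provided.
# Arguments: $1 - secret file path
# Returns:   0 if the file exists and its content is not the literal "none"
#######################################
secret_present() {
  local path=$1
  [[ -f "$path" && "$(cat -- "$path")" != "none" ]]
}

#######################################
# Start an ssh-agent and load the private key from docker secrets into it.
# Globals:   SECRETS_DIR (read); SSH_AUTH_SOCK/SSH_AGENT_PID (set by the
#            evaluated ssh-agent output)
# Returns:   0 on success, the ssh-add/expect status otherwise; the temporary
#            key copy is removed on both paths
#######################################
load_ssh_key() {
  local passphrase keyfile rv=0

  # ssh-agent prints the shell commands that export its socket and pid;
  # evaluating its own output is the standard way to pick them up.
  # -s forces bourne-style output regardless of $SHELL.
  eval "$(ssh-agent -s)"

  # Config so keys added with ssh-add are registered with the agent.
  mkdir -p ~/.ssh
  printf '%s\n' "AddKeysToAgent yes" >~/.ssh/config

  # Tighten permissions to keep ssh-add happy (the glob is intentional).
  chmod 400 "$SECRETS_DIR"/KEY_*

  passphrase=$(cat -- "$SECRETS_DIR/KEY_PASSWORD")

  # ssh-add fails on the secret's mounted path but accepts a copy of the
  # file, so the key is copied into an unpredictable temp file (mktemp
  # creates it mode 0600) instead of a fixed name under /tmp. The copy is
  # removed even when ssh-add fails, which the old unconditional rm after
  # a failing command under set -e did not guarantee.
  keyfile=$(mktemp)
  cat -- "$SECRETS_DIR/KEY_PRIVATE" >"$keyfile"

  # Use our wrapper expect script to handle interactive input.
  # NOTE(review): the passphrase travels on exp.exp's argv and is therefore
  # visible to other processes in the container via ps; passing it over
  # stdin or the environment would be preferable if exp.exp supports it.
  ./exp.exp "$passphrase" ssh-add "$keyfile" || rv=$?
  rm -f -- "$keyfile"
  return "$rv"
}

#######################################
# Entry point: load optional secrets, sync the source tree, run the build.
# Arguments: forwarded verbatim to build.py
#######################################
main() {
  if secret_present "$SECRETS_DIR/KEY_PRIVATE"; then
    load_ssh_key
    printf '%s\n' "SSH Key Loaded"
  else
    printf '%s\n' "Secret not defined!"
  fi

  if secret_present "$SECRETS_DIR/GIT_TOKEN"; then
    # Assign and export separately so a failing cat is not masked by export.
    GIT_TOKEN=$(cat -- "$SECRETS_DIR/GIT_TOKEN")
    export GIT_TOKEN
  fi

  # Rsync files over; mtimes are unreliable under docker, so compare by
  # checksum. The .gitignore acts as a filter so files generated by
  # previous runs are not removed by --delete.
  rsync -rlpgoDz --delete --checksum --filter=':- .gitignore' ./ "$SOURCE_DIR"

  # Change to the source repo; explicit check rather than relying on set -e.
  cd "$SOURCE_DIR" || exit 1

  # Run the build script, expanding all args passed to this script.
  python3 ./build.py "$@"
}

main "$@"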