

nix stdlib: use github token from vault via template
dermetfan committed Jan 17, 2022
1 parent 0adeff6 commit 6384d32
Showing 1 changed file with 52 additions and 56 deletions.
108 changes: 52 additions & 56 deletions pkgs/cicero/evaluators/nix/lib.nix
Expand Up @@ -304,68 +304,64 @@ rec {

github.reportStatus = statuses_url: action: next:
data-merge.merge
(wrapScript "bash"
(inner: ''
export SSL_CERT_FILE=/current-profile/etc/ssl/certs/ca-bundle.crt
# TODO Only get from vault. Env var is just for development.
if [[ -z "''${GITHUB_TOKEN:-}" ]]; then
GITHUB_TOKEN=$(vault kv get -field=token kv/data/cicero/github)
fi
function cleanup {
rm -f "$secret_headers"
}
trap cleanup EXIT
secret_headers="$(mktemp)"
cat >> "$secret_headers" <<EOF
Authorization: token $GITHUB_TOKEN
EOF
function report {
jq -nc '{
state: $state,
context: $action_name,
description: $description,
target_url: "\(env.CICERO_WEB_URL)/action/\($action_id)",
}' \
--arg state "$1" \
--arg description "Run $NOMAD_JOB_ID" \
--arg action_id ${lib.escapeShellArg action.id} \
--arg action_name ${lib.escapeShellArg action.name} \
| curl ${lib.escapeShellArg statuses_url} \
> /dev/null --no-progress-meter \
-H 'Accept: application/vnd.github.v3+json' \
-H @"$secret_headers" \
--data-binary @-
}
function err {
report error
}
trap err ERR
report pending
if ${lib.escapeShellArgs inner}; then
report success
else
status=$?
report failure
exit $status
fi
'')
action
next)
(wrapScript "bash" (inner: ''
export SSL_CERT_FILE=/current-profile/etc/ssl/certs/ca-bundle.crt
function cleanup {
rm -f "$secret_headers"
}
trap cleanup EXIT
secret_headers="$(mktemp)"
cat >> "$secret_headers" <<EOF
Authorization: token $(< "$NOMAD_SECRETS_DIR"/github/token)
EOF
function report {
jq -nc '{
state: $state,
context: $action_name,
description: $description,
target_url: "\(env.CICERO_WEB_URL)/action/\($action_id)",
}' \
--arg state "$1" \
--arg description "Run $NOMAD_JOB_ID" \
--arg action_id ${lib.escapeShellArg action.id} \
--arg action_name ${lib.escapeShellArg action.name} \
| curl ${lib.escapeShellArg statuses_url} \
> /dev/null --no-progress-meter \
-H 'Accept: application/vnd.github.v3+json' \
-H @"$secret_headers" \
--data-binary @-
}
function err {
report error
}
trap err ERR
report pending
if ${lib.escapeShellArgs inner}; then
report success
else
status=$?
report failure
exit $status
fi
'') action next)
{
config.packages = data-merge.append [
"github:NixOS/nixpkgs/${self.inputs.nixpkgs.rev}#curl"
"github:NixOS/nixpkgs/${self.inputs.nixpkgs.rev}#jq"
"github:NixOS/nixpkgs/${self.inputs.nixpkgs.rev}#vault"
"github:NixOS/nixpkgs/${self.inputs.nixpkgs.rev}#cacert"
];

template = data-merge.append [{
destination = "secrets/cicero/github/token";
data = "{{with secret "kv/cicero/github"}}{{.Data.data.token}}{{end}}";
}];
};
};
};
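Review bot: The path read on the new `Authorization:` line, `"$NOMAD_SECRETS_DIR"/github/token`, does not appear to match the template `destination = "secrets/cicero/github/token"`: Nomad renders template destinations relative to the task directory, so that file would land at `$NOMAD_SECRETS_DIR/cicero/github/token` unless the evaluator rewrites the destination, which this hunk does not show. With the file absent the `$(< …)` substitution yields an empty string and the header is sent as a bare `Authorization: token `, so each status report is rejected by GitHub instead of failing with a clear message. Either change the destination to `"secrets/github/token"` or read `"$NOMAD_SECRETS_DIR"/cicero/github/token`, and consider guarding with `[[ -s "$NOMAD_SECRETS_DIR"/github/token ]] || { echo 'github token not rendered' >&2; exit 1; }` before the heredoc so a missing secret aborts rather than being sent as an empty credential. The template also addresses `kv/cicero/github` where the removed script used `kv/data/cicero/github`; whether the renderer inserts the KV v2 `data/` segment itself is worth confirming against the deployed version. The enclosing `rec {` attrset begins before this hunk.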

