entrypoint.sh
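#!/usr/bin/env bash
# Container entrypoint (run by the Dockerfile).
#
# Runs from the website source volume (the current working directory, which
# must also contain the expect wrapper ./exp.exp). Reads optional docker
# secrets from /run/secrets:
#   KEY_PRIVATE   - ssh private key to load into a fresh ssh-agent
#   KEY_PASSWORD  - passphrase for KEY_PRIVATE (required when KEY_PRIVATE exists)
#   GIT_TOKEN     - exported as $GIT_TOKEN for the build (and every other child)
# Every argument passed to this script is forwarded to build.py.
set -euo pipefail

readonly SECRETS_DIR=/run/secrets
readonly CACHE_SRC=/website-cached/source

# Path of the temporary private-key copy, if one was made; removed on exit.
tmp_key=""

die() { printf '%s\n' "$*" >&2; exit 1; }

cleanup() {
  # Runs on every exit path, so a failing ssh-add no longer leaves the key
  # copy behind (the original unconditional `rm` was skipped under set -e).
  if [[ -n "$tmp_key" ]]; then
    rm -f -- "$tmp_key"
  fi
}
trap cleanup EXIT

#######################################
# Start an ssh-agent and add the KEY_PRIVATE secret to it.
# Globals:   SECRETS_DIR (read), tmp_key (written),
#            SSH_AUTH_SOCK/SSH_AGENT_PID (set by eval of ssh-agent output)
# Outputs:   status line on stdout
# Returns:   0 when the key was loaded or no KEY_PRIVATE secret exists;
#            exits via die/set -e on any failure
#######################################
load_ssh_key() {
  local key_secret="$SECRETS_DIR/KEY_PRIVATE"
  local pass_secret="$SECRETS_DIR/KEY_PASSWORD"

  if [[ ! -f "$key_secret" ]]; then
    printf '%s\n' "Secret not defined!"
    return 0
  fi
  # The original script died with a bare `cat` error here; say what is missing.
  [[ -f "$pass_secret" ]] || die "KEY_PRIVATE secret present but KEY_PASSWORD secret is missing"

  # ssh-agent prints shell assignments for SSH_AUTH_SOCK/SSH_AGENT_PID.
  eval "$(ssh-agent)"

  # Create config file with required keys; keep dir/file private so ssh does
  # not reject the config for loose permissions.
  mkdir -p -m 700 ~/.ssh
  printf '%s\n' "AddKeysToAgent yes" > ~/.ssh/config
  chmod 600 ~/.ssh/config

  # Tighten permissions to keep ssh-add happy
  chmod 400 "$SECRETS_DIR"/KEY_*

  local password
  password="$(cat -- "$pass_secret")"

  # ssh-add rejects the secret at its mounted path but accepts a copy of the
  # same bytes (or stdin). Feeding stdin through the expect wrapper is awkward,
  # so a short-lived copy is used. mktemp creates it with a random name and
  # mode 0600, so unlike the old fixed /tmp/key there is no window in which the
  # key is predictable or world-readable before chmod. The trailing newline is
  # kept because some ssh versions reject PEM blocks without one.
  tmp_key="$(mktemp)" || die "mktemp failed"
  printf '%s\n' "$(cat -- "$key_secret")" > "$tmp_key"

  # Use our wrapper expect script to handle the interactive passphrase prompt.
  # NOTE(review): the passphrase travels as an argv entry and is therefore
  # visible in the process list for the lifetime of exp.exp; having the
  # wrapper read it from the environment or stdin would close that exposure.
  ./exp.exp "$password" ssh-add "$tmp_key"
  rm -f -- "$tmp_key"
  tmp_key=""
  printf '%s\n' "SSH Key Loaded"
}

#######################################
# Export the GIT_TOKEN secret as $GIT_TOKEN, if present.
# Globals:   SECRETS_DIR (read), GIT_TOKEN (exported)
# Returns:   0; exits via set -e if the secret cannot be read
#######################################
load_git_token() {
  local token_secret="$SECRETS_DIR/GIT_TOKEN"
  [[ -f "$token_secret" ]] || return 0

  # Split declaration from assignment so a failed read is not masked by export.
  local token
  token="$(cat -- "$token_secret")"
  export GIT_TOKEN="$token"
}

#######################################
# Sync the mounted source into the cache volume and run the build there.
# Globals:   CACHE_SRC (read)
# Arguments: all script arguments, forwarded to build.py
# Returns:   exit status of build.py; exits via die if the cache dir is missing
#######################################
sync_and_build() {
  # mtimes inside the container are unreliable (docker volume behaviour), so
  # --checksum decides what changed. The .gitignore filter keeps artefacts
  # produced by earlier runs out of --delete.
  rsync -rlpgoDz --delete --checksum --filter=':- .gitignore' ./ "$CACHE_SRC"
  cd "$CACHE_SRC" || die "cannot cd to $CACHE_SRC"
  python3 ./build.py "$@"
}

main() {
  load_ssh_key
  load_git_token
  sync_and_build "$@"
}

main "$@"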