155 lines
5.4 KiB
YAML
155 lines
5.4 KiB
YAML
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
# SPDX-FileCopyrightText: 2024 GregoryDosh
|
|
---
|
|
name: Common Homelab Forgejo Actions Setup
|
|
description: |
|
|
Configure a handful of common required steps for all homelab related tasks.
|
|
|
|
inputs:
|
|
SUBMODULE_UPDATE:
|
|
description: Whether or not to update submodules after clone.
|
|
default: "true"
|
|
STEP_INSTALL:
|
|
description: Whether or not to install the step-cli.
|
|
default: "false"
|
|
STEP_CA_URL:
|
|
description: Step CA URL
|
|
default: "https://ca.auengun.net"
|
|
STEP_CA_BOOTSTRAP:
|
|
description: Whether or not to bootstrap the image with PKI certs/config.
|
|
default: "false"
|
|
STEP_CA_FINGERPRINT:
|
|
description: Fingerprint to use for online bootstrapping
|
|
default: "${{ secrets.STEP_CA_FINGERPRINT }}"
|
|
STEP_CA_JWK_PASSWORD:
|
|
description: Password for provisioning temporary certificates from the CA
|
|
default: ${{ secrets.JWK_PASSWORD }}
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- shell: bash
|
|
run: |
|
|
echo "::group::Starting SSH Agent"
|
|
if command -v ssh-agent &> /dev/null; then
|
|
ssh_env=$(ssh-agent)
|
|
eval $ssh_env
|
|
{
|
|
printf $ssh_env | grep -v "echo" | xargs -I {} sh -c 'echo "{}" | cut -f "1" -d ";"'
|
|
} >> "$GITHUB_ENV"
|
|
fi
|
|
echo "::endgroup::"
|
|
|
|
- shell: bash
|
|
if: ${{ inputs.STEP_INSTALL == 'true' }}
|
|
env:
|
|
# renovate: datasource=github-releases depName=smallstep/cli
|
|
STEP_VERSION: v0.28.6
|
|
run: |
|
|
echo "::group::Step CLI"
|
|
if ! command -v step &> /dev/null; then
|
|
echo "Installing step-cli binary as \`step\`"
|
|
mkdir ./step
|
|
export STEP_URL="https://github.com/smallstep/cli/releases/download/${STEP_VERSION}/step_linux_${STEP_VERSION##v}_amd64.tar.gz"
|
|
if command -v curl &> /dev/null; then
|
|
curl -s "$STEP_URL" -L -o - | tar xvz --strip-components=1 -C ./step
|
|
elif command -v wget &> /dev/null; then
|
|
wget -qO- "$STEP_URL" | tar xvz --strip-components=1 -C ./step
|
|
else
|
|
exit 1
|
|
fi
|
|
cp ./step/bin/step /usr/local/bin
|
|
else
|
|
echo "Skipping \`step\` install"
|
|
fi
|
|
echo "::endgroup::"
|
|
|
|
- shell: bash
|
|
run: |
|
|
echo "::group::Bootstrapping Local Environment"
|
|
if [ "$INPUT_STEP_CA_BOOTSTRAP" == "true" ]; then
|
|
step ca bootstrap \
|
|
--ca-url "$INPUT_STEP_CA_URL" \
|
|
--fingerprint "$INPUT_STEP_CA_FINGERPRINT" \
|
|
--force
|
|
export STEP_CERT_PATH="$HOME/.step/certs/root_ca.crt"
|
|
else
|
|
if [ -f /spm-root.crt ]; then
|
|
export STEP_CERT_PATH="/spm-root.crt"
|
|
fi
|
|
fi
|
|
|
|
if [ -f $STEP_CERT_PATH ]; then
|
|
{
|
|
printf "STEP_CERT_PATH=%s" "${STEP_CERT_PATH}"
|
|
} >> "$GITHUB_ENV"
|
|
else
|
|
echo "unable to find '$STEP_CERT_PATH'"
|
|
exit 1
|
|
fi
|
|
|
|
# Git
|
|
git config --global http."https://git.auengun.net/".sslCAInfo $STEP_CERT_PATH
|
|
|
|
# System Certs
|
|
if [ -w /usr/local/share/ca-certificates/ ]; then
|
|
cp $STEP_CERT_PATH /usr/local/share/ca-certificates/SPM_Root_CA.crt
|
|
if command -v update-ca-certificates &> /dev/null; then
|
|
update-ca-certificates
|
|
else
|
|
echo "[WARN] Unable to find update-ca-certificates to system trust store."
|
|
fi
|
|
else
|
|
echo "[WARN] Unable to write certificates to system trust store."
|
|
fi
|
|
|
|
echo "Completed bootstrapping"
|
|
echo "::endgroup::"
|
|
echo "SPM Homelab Certificates available at:"
|
|
echo " - System Path: $STEP_CERT_PATH"
|
|
echo " - ENV Var: STEP_CERT_PATH (resolve to $STEP_CERT_PATH)"
|
|
|
|
- shell: bash
|
|
if: ${{ inputs.STEP_CA_JWK_PASSWORD != '' }}
|
|
run: |
|
|
echo "::group::Provisioning a temporal SSH User Certificate"
|
|
export STEP_CA_JWK_PASSWORD_PATH="$HOME/.STEP_CA_JWK_PASSWORD"
|
|
while read -r line; do
|
|
echo "::add-mask::${line}"
|
|
done <<< "$INPUT_STEP_CA_JWK_PASSWORD"
|
|
|
|
echo "$INPUT_STEP_CA_JWK_PASSWORD" > "$STEP_CA_JWK_PASSWORD_PATH"
|
|
chmod 600 "$STEP_CA_JWK_PASSWORD_PATH"
|
|
|
|
mkdir -p ~/.ssh/
|
|
chmod '0700' ~/.ssh/
|
|
step ssh certificate \
|
|
--ca-url "$INPUT_STEP_CA_URL" \
|
|
--root "$STEP_CERT_PATH" \
|
|
${{ github.actor }} \
|
|
--principal ${{ github.actor }} \
|
|
--principal root \
|
|
--principal ubuntu \
|
|
~/.ssh/id_ecdsa \
|
|
--provisioner-password-file "$STEP_CA_JWK_PASSWORD_PATH" \
|
|
--issuer jwk_cicd \
|
|
--insecure \
|
|
--no-password && rm -f "$STEP_CA_JWK_PASSWORD_PATH"
|
|
if [ -f "$STEP_CA_JWK_PASSWORD_PATH" ]; then echo "couldn't safely purge JWK password"; exit 1; fi
|
|
step ssh config --ca-url "$INPUT_STEP_CA_URL" --root "$STEP_CERT_PATH" -f
|
|
echo "Step SSH Config complete"
|
|
echo "::endgroup::"
|
|
|
|
- name: Clone Repo into Workspace
|
|
uses: https://git.auengun.net/actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
github-server-url: https://git.auengun.net
|
|
persist-credentials: true
|
|
|
|
- name: Submodule Update
|
|
if: ${{ inputs.SUBMODULE_UPDATE == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Submodule clone & initialization"
|
|
git submodule update --init --recursive
|
|
echo "::endgroup::"
|