From 967377f1719907777df5d3e83b505557362401f8 Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Wed, 27 Dec 2023 17:59:09 +0400 Subject: [PATCH] pass ENCODED_PASSWORD to nixos-infect instead of USER_PASS --- .drone.yml | 5 ++++- nixos-infect | 8 +++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index 4d9eadb..5b6a5d1 100644 --- a/.drone.yml +++ b/.drone.yml @@ -19,6 +19,9 @@ steps: INFECT_COMMIT_SHA: ${DRONE_COMMIT_SHA} commands: + - set -o nounset + - > # TODO pass Base64 encoded password from Drone instead of this + ENCODED_PASSWORD="$(base64 <<<"$USER_PASS")" # Create infect user script and then push it to a remote machine on server creation. - | cat << EOF > infect.sh @@ -34,6 +37,7 @@ steps: DNS_PROVIDER_TOKEN=$CLOUDFLARE_TOKEN DNS_PROVIDER_TYPE=CLOUDFLARE DOMAIN=$DOMAIN + ENCODED_PASSWORD="$ENCODED_PASSWORD" HOSTNAME=selfprivacy-ci-test LUSER=cicdcicd NIXOS_CONFIG_ID=default @@ -41,7 +45,6 @@ steps: PROVIDER=hetzner SSH_AUTHORIZED_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBb3yVhYF4slhf1iQCiGLOVcbGKP/MmkQiEMl2un+4K" STAGING_ACME=true - USER_PASS="$USER_PASS" curl --fail https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect/raw/commit/$INFECT_COMMIT_SHA/nixos-infect \ | bash 2>&1 | tee /root/nixos-infect.log diff --git a/nixos-infect b/nixos-infect index 3d24392..b04f95a 100755 --- a/nixos-infect +++ b/nixos-infect @@ -13,7 +13,7 @@ : "${STAGING_ACME:?STAGING_ACME variable is not set}" : "${DNS_PROVIDER_TOKEN:?DNS_PROVIDER_TOKEN variable is not set}" : "${DB_PASSWORD:?DB_PASSWORD variable is not set}" -: "${USER_PASS:?USER_PASS variable is not set}" +: "${ENCODED_PASSWORD:?ENCODED_PASSWORD variable is not set}" : "${NIX_VERSION:?NIX_VERSION variable is not set}" : "${NIXOS_CONFIG_ID:?NIXOS_CONFIG_ID variable is not set}" : "${CONFIG_URL:?CONFIG_URL variable is not set}" 
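Review bot: In the first .drone.yml hunk, `base64 <<<"$USER_PASS"` relies on a bash here-string, which fails under a plain POSIX `sh` if that is what the step image runs its commands with (the image is not visible here), and it also encodes a trailing newline that is not part of the password. GNU `base64` additionally wraps its output at 76 columns, so a long password becomes a multi-line value when the second hunk interpolates it into `infect.sh`. A portable form avoids all three: `ENCODED_PASSWORD="$(printf '%s' "$USER_PASS" | base64 | tr -d '\n')"`. Base64 is an encoding, not protection: the encoded string is still the credential, and log masking that matches the literal secret will presumably not recognise it, so it should not be echoed or traced.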
@@ -293,6 +293,12 @@ findESP() { } prepareEnv() { + if ! USER_PASS="$(base64 -d <<<"$ENCODED_PASSWORD")"; then + echo "Error decoding ENCODED_PASSWORD from Base64!" + exit 1 + fi + readonly USER_PASS + isEFI=0 [ -d /sys/firmware/efi ] && isEFI=1
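Review bot: The decode in `prepareEnv` accepts an empty password: `ENCODED_PASSWORD` only has to be non-empty, and a value such as `Cg==` (what `base64 <<<""` produces in the .drone.yml step when `USER_PASS` is set but empty) decodes to a bare newline that command substitution strips, so the guarantee the old `${USER_PASS:?}` check gave is lost. After the `if` block and before `readonly USER_PASS`, add `: "${USER_PASS:?ENCODED_PASSWORD decodes to an empty password}"`. The failure message should also go to stderr: `echo "Error decoding ENCODED_PASSWORD from Base64!" >&2`. `prepareEnv` continues past the end of this hunk, so how `USER_PASS` is consumed afterwards is not visible here.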