- .forgejo/workflows
- templates
- .gitignore
- gomplate-ci.yaml
- gomplate.yaml
- prod-config.enc.yaml
- README.md
- render-stack.sh
deployment-source
Demo repo for deployment, for clevermicro repos and swarm-cd. This repo demonstrates how to render the stack file with encrypted secrets, commit it to the target repo and open a PR. All of this is done by the pipeline.
The encrypted file is prod-config.enc.yaml. It is currently encrypted by SOPS with age; here is the recipient list:
- age1kj66pvftzmz7t7klnghacleymtmj2szckkc50dvq8yldqp2gavpsegrfvl (Rui Hu)
- age18rl4xxj6m55u44k82vwleurx5d5xhf5vj84n3ewg9rj5nh69rsjsjzqw66 (test key, the private key is AGE-SECRET-KEY-1DEACUTGUPQWVPR29MVM3LV8JMW8RXS8A4UC2QGERN3VAQ225Z6XQN36C5D, this is only for testing!!!)
- age18ust9l2rx59n9t6h9chpqvhm3j5kc9p75rpxefm83w95s7fqq59qxjzfuj (pipeline runner)
For VS Code, use the extension https://marketplace.visualstudio.com/items/?itemName=signageos.signageos-vscode-sops to automatically decrypt the SOPS file, by placing your private age key in ~/.config/sops/age/keys.txt (one private key per line, with # for comments).
This is similar to running sops prod-config.enc.yaml, but instead of vim, you get VS Code.
The script to render the stack file is render-stack.sh. It decrypts the YAML, calls gomplate and renders the final stack file to compose.prod.yaml.
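A check that could run before render-stack.sh, as an added example that is not part of this repo: it compares the age recipients recorded in a SOPS file against an expected list and reports values left unencrypted. The function names are hypothetical, and the sample file, its key names and the age1constructed... recipients are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the repo): audit a SOPS/age YAML file before rendering.

# Age recipients recorded in the sops metadata, one per line, sorted.
sops_recipients() {
  grep -E '^[[:space:]]*-?[[:space:]]*recipient:' "$1" | grep -oE 'age1[0-9a-z]+' | sort -u
}

# Keys whose scalar value is not ENC[...]; assumes the "sops:" block comes last.
plaintext_keys() {
  awk '
    /^sops:/ { exit }
    /^[ \t]*#/ || /^[ \t]*$/ || /:[ \t]*$/ || /ENC\[AES256_GCM,/ { next }
    { sub(/:.*/, ""); sub(/^[ \t-]+/, ""); print }
  ' "$1"
}

# audit_sops_file FILE ALLOWED_LIST: print findings, return 1 if there are any.
audit_sops_file() {
  rc=0
  for r in $(grep -E '^age1' "$2"); do
    sops_recipients "$1" | grep -qxF "$r" || { echo "missing recipient: $r"; rc=1; }
  done
  for r in $(sops_recipients "$1"); do
    grep -qxF "$r" "$2" || { echo "unexpected recipient: $r"; rc=1; }
  done
  for k in $(plaintext_keys "$1"); do echo "plaintext value: $k"; rc=1; done
  return $rc
}

# Constructed sample: key names, ENC payloads and recipients are placeholders.
write_sample() {
  cat > "$1/prod-config.enc.yaml" <<'EOF'
db:
    password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
    api_token: changeme
sops:
    age:
        - recipient: age1constructedalice
          enc: (placeholder)
        - recipient: age1constructedtestkey
          enc: (placeholder)
    mac: ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
EOF
  printf '%s\n' age1constructedalice age1constructedrunner > "$1/recipients.txt"
}

dir=$(mktemp -d) && write_sample "$dir"
audit_sops_file "$dir/prod-config.enc.yaml" "$dir/recipients.txt" || echo "audit failed"
```

Keys that SOPS is configured to leave in clear text are reported too, so the plaintext finding needs a manual look in that case.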
Runner secrets:
- SOPS_AGE_KEY: The private key for container
- GIT_USERNAME: Forgejo username
- GIT_PASSWORD: Forgejo access token