diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 15f70bc3..f398c7ac 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -25,11 +25,17 @@ web: script: - > if [ "$RELEASE_TYPE" == "staging" ]; then - echo "Handle staging artifact here"; + # USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA! + # USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY + # example: $STAGING_SCP_TARGET = deployuser@staging.environment.com:/path/for/web/data + sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY fi if [ "$RELEASE_TYPE" == "production" ]; then - echo "Handle production artifact here"; + # USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA! + # USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY + # example: $PRODUCTION_SCP_TARGET = deployuser@production.environment.com:/path/for/web/data + sh static/scripts/ssh_deploy.sh $PRODUCTION_SCP_TARGET $PRODUCTION_TARGET_SSH_PRIVATE_KEY fi artifacts: untracked: false diff --git a/Dockerfile b/Dockerfile index 2231ad9b..ca732d17 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,8 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends \ xmlstarlet \ ruby-full \ - zip + zip \ + openssh-client RUN gem install bundler diff --git a/Makefile b/Makefile index 32dcb7e9..7c5aa2c4 100644 --- a/Makefile +++ b/Makefile @@ -27,7 +27,7 @@ web-build: configuration-web cd app && ionic build --prod web: web-build - cd app && zip -r ../www.zip www + cd app/www && zip -r ../../www.zip . echo "Web application artifact for version ${VERSION} is archived in www.zip" prepare-android: configuration-android diff --git a/app.conf.sample b/app.conf.sample index 202b77f1..4c218e55 100644 --- a/app.conf.sample +++ b/app.conf.sample 
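Review bot: The key variable on the new `sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY` line (and its production twin) is unquoted, so a multi-line PEM key is word-split and the script's `$2` receives only `-----BEGIN`; the same argument is also visible to every process on the runner via `ps` and `/proc/*/cmdline`, which is why key material belongs in the environment rather than argv. At minimum quote both arguments, `sh static/scripts/ssh_deploy.sh "$STAGING_SCP_TARGET" "$STAGING_TARGET_SSH_PRIVATE_KEY"`, and preferably have the script read the key from an exported variable instead of a positional parameter. The script is run with `sh` although it carries a bash shebang and uses `read -ra` and `<<<`; on the Debian-style image the Dockerfile hunk builds, `sh` is likely dash and will reject those, so `bash static/scripts/ssh_deploy.sh …` (or executing the file directly) is safer. GitLab masking, as far as I recall, only accepts single-line values, so the "PROTECTED & MASKED" comment is achievable only for a base64-encoded key and the comment should say so; it also misspells "UNPRIVILEGED".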
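Review bot: `zip -r ../../www.zip .` updates an archive that already exists rather than replacing it, so on a runner or workstation that still holds a previous www.zip, files removed from app/www since the last build remain inside the artifact that ssh_deploy.sh later unpacks over the web root; delete it first, `rm -f www.zip && cd app/www && zip -r ../../www.zip .`. The `web` target also produces www.zip without naming it as the target, so Make cannot tell when the archive is stale — a `www.zip: web-build` rule with `web` kept as an alias would make that explicit. Whether `web` and `web-build` are declared `.PHONY` is not visible in this hunk.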
@@ -20,6 +20,7 @@ APPLE_API_KEY_ID="123ACAB456" # Your API key i APPLE_API_KEY_ISSUER_ID="1234578-1234-1234-1234-12345678901" # Your API key issuer id # Provide the following environment variable in a secure fashion. +# When used in CI protect and mask the variable. # Don't change the following line! APPLE_API_KEY_CONTENT="${APPLE_API_KEY_CONTENT:-'unset'}" # Base64 encoded contents of Apple API key file (.p8 file) @@ -29,6 +30,7 @@ APPLE_API_KEY_CONTENT="${APPLE_API_KEY_CONTENT:-'unset'}" # Base64 encoded ANDROID_PACKAGE_NAME="de.anyschool.app.android" # Your Google Playconsole app package name # Provide the following environment variables in a secure fashion. +# When used in CI protect and mask the variables. # Don't change the following lines! ANDROID_API_KEY_CONTENT="${ANDROID_API_KEY_CONTENT:-'unset'}" # Base64 encoded contents of your API key file (.json file) ANDROID_KEYSTORE_PASSWORD="${ANDROID_KEYSTORE_PASSWORD:-'unset'}" # Passwort to your keyfile diff --git a/static/scripts/ssh_deploy.sh b/static/scripts/ssh_deploy.sh new file mode 100644 index 00000000..2d1bab2d --- /dev/null +++ b/static/scripts/ssh_deploy.sh 
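Review bot: The added `# When used in CI protect and mask the variable.` line promises more than masking delivers for these values: GitLab, as far as I recall, only masks a single-line value that satisfies its length and character-set rules, and GNU `base64` wraps its output at 76 columns by default, so a key file encoded without `-w0` would be stored as a variable but never masked and could land verbatim in job logs. Suggest extending the comment: `# When used in CI protect and mask the variable (encode with base64 -w0 so the value is a single maskable line).`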
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+set -e
+
+SSH_DEPLOY_TARGET=$1
+SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-"missingtarget"}"
+
+SSH_PRIVATE_KEY=$2
+SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-"missingkey"}"
+
+GOTO_FAIL=false
+
+if [ "$SSH_DEPLOY_TARGET" = "missingtarget" ]; then
+ echo "SSH target for web deployment job is unset!"
+ GOTO_FAIL=true
+fi
+
+if [ "$SSH_PRIVATE_KEY" = "missingkey" ]; then
+ echo "SSH key for web deployment job is unset!"
+ GOTO_FAIL=true
+fi
+
+if [ "$GOTO_FAIL" = true ]; then
+ return 1
+fi
+
+IFS='@' read -ra TARGET_COMPONENTS <<< "$SSH_DEPLOY_TARGET"
+
+SSH_DEPLOY_TARGET_USER="${TARGET_COMPONENTS[0]:-"missinguser"}"
+
+IFS=':' read -ra TARGET_COMPONENTS <<< "$TARGET_COMPONENTS"
+
+SSH_DEPLOY_TARGET_HOST="${TARGET_COMPONENTS[0]:-"missinghost"}"
+SSH_DEPLOY_TARGET_PATH="${TARGET_COMPONENTS[1]:-"missingpath"}"
+
+## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
+## We're using tr to fix line endings which makes ed25519 keys work
+## without extra base64 encoding.
+## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
+##
+echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
+##
+## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
+## with your own domain name. You can copy and repeat that command if you have
+## more than one server to connect to.
+
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts
+chmod 644 ~/.ssh/known_hosts
+
+scp www.zip "$SSH_DEPLOY_TARGET"
+ssh "$SSH_DEPLOY_TARGET_USER@$SSH_DEPLOY_TARGET_HOST" "cd $SSH_DEPLOY_TARGET_PATH && unzip -o www.zip && rm -f www.zip"
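Review bot: Host trust is established from whatever answers `ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts` at deploy time, so an intercepted or spoofed host is handed the deploy key's authentication and the artifact without challenge; pin the server's public key in a protected CI variable and write that to known_hosts instead. Independently, the second `read` splits `"$TARGET_COMPONENTS"`, which in bash is element 0 (the user) rather than the `host:/path` element 1, so SSH_DEPLOY_TARGET_HOST ends up holding the user name and the path falls back to `missingpath`; and the top-level `return 1` relies on shell-specific handling of `return` outside a function, where `exit 1` is unambiguous. `ssh-add -` also appears to assume an agent is already running in the job, which nothing here starts (the linked GitLab example runs `eval $(ssh-agent -s)` first) — confirm the job provides one. The copied "Replace gitlab.com with your own domain name" comment no longer matches the code and should be dropped.
```shell
if [ "$GOTO_FAIL" = true ]; then
  exit 1
fi

# … unchanged: split user off on '@' …

# element 1 holds "host:/path"; "$TARGET_COMPONENTS" alone is element 0
IFS=':' read -ra TARGET_COMPONENTS <<< "${TARGET_COMPONENTS[1]}"

# … unchanged: host/path assignment, ssh-add …

mkdir -p ~/.ssh
chmod 700 ~/.ssh
# pinned host key(s) from a protected CI variable, not learned from the network at deploy time
echo "$SSH_KNOWN_HOSTS" | tr -d '\r' >> ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts

# … unchanged: scp and remote unzip …
```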