From bc7092899ac483282dd3e95b063ed8f1cb2f155b Mon Sep 17 00:00:00 2001
From: Jacques ROUSSEL
Date: Tue, 30 Apr 2024 10:20:46 +0200
Subject: [PATCH] [CI] Add docker build
---
.github/workflows/docker-build.yaml | 55 +++++++++++++++++++++++++++++
.github/workflows/secrets.enc.env | 11 ++++++
.sops.yaml | 7 ++++
scripts/install-hooks.sh | 30 ++++++++++++++++
scripts/sync-dns.sh | 31 ++++++++++++++++
scripts/updatekeys.sh | 3 ++
6 files changed, 137 insertions(+)
create mode 100644 .github/workflows/docker-build.yaml
create mode 100644 .github/workflows/secrets.enc.env
create mode 100644 .sops.yaml
create mode 100755 scripts/install-hooks.sh
create mode 100755 scripts/sync-dns.sh
create mode 100755 scripts/updatekeys.sh
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
new file mode 100644
index 0000000..d705bac
--- /dev/null
+++ b/.github/workflows/docker-build.yaml
@@ -0,0 +1,55 @@
+name: Docker Hub Workflow
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'main'
+ tags:
+ - 'v*'
+ pull_request:
+ branches:
+ - 'main'
+
+env:
+ DOCKER_USER: 1001:127
+
+jobs:
+ build-and-push-backend:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - dockerfile: ./dockerfiles/goofys/Dockerfile
+ image: lasuite/goofys
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v4
+ -
+ name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ matrix.image }}
+ -
+ name: Load sops secrets
+ uses: rouja/actions-sops@main
+ with:
+ secret-file: .github/workflows/secrets.enc.env
+ age-key: ${{ secrets.SOPS_PRIVATE }}
+ -
+ name: Login to DockerHub
+ if: github.event_name != 'pull_request'
+ run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+ -
+ name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ target: ${{ matrix.dockerfile }}
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
diff --git a/.github/workflows/secrets.enc.env b/.github/workflows/secrets.enc.env
new file mode 100644
index 0000000..829676d
--- /dev/null
+++ b/.github/workflows/secrets.enc.env
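Review bot: The `Load sops secrets` step decrypts the Docker Hub credentials on every trigger, including `pull_request`, even though the only consumer of them (`Login to DockerHub`) is gated by `if: github.event_name != 'pull_request'`; give the sops step the same `if:` so the password only enters the job environment on runs that will actually push. That step also pins `rouja/actions-sops@main`, a third-party action on a mutable branch that is handed `secrets.SOPS_PRIVATE` (the age private key) and produces the cleartext Docker Hub password — pin it to a full commit SHA (the `docker/*` and `actions/checkout` tags would benefit too) so an upstream change cannot exfiltrate them. Separately, `target: ${{ matrix.dockerfile }}` passes a Dockerfile path where docker/build-push-action expects a build-stage name; the Dockerfile path input is `file`, so unless the Dockerfile really defines a stage by that name this should read `file: ${{ matrix.dockerfile }}`.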
@@ -0,0 +1,11 @@
+SOPS_PRIVATE=ENC[AES256_GCM,data:dnmMX41o1puCyAdtURv1O63zi23MJfATLDL+Os3QJS5jemm6rEa5g3Yrm19U+WOVKpNA8gTU1OXen1JbLgvjQLzSlbIbXWushDg=,iv:AsWQ3VsFw8LsreGx9VxvDhaeCQS3sSw7yebdDEmjNvc=,tag:XhOAwuIe8jEshXo9T1ghLA==,type:str]
+DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:cl8ULZC2/AYeDN8=,iv:ZnokC118+ECokaIbNOU1YVFkWkxkGPUpBCx9iYsncWE=,tag:KlZ4EBB4iwMcZBFLhm0R8g==,type:str]
+DOCKER_HUB_USER=ENC[AES256_GCM,data:Jnf+l4GWmQ==,iv:OWvqUFg2wvCRH8/OJ/HBeE7WCEOdWqe1q9NEKsJJdzI=,tag:K6XzPXQ4U1oYd65eXn0Y8A==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZml0NlpIYllrZ20vN1Fl\ncUpRSERpNzhQMWFnT0ZibGV5cC9ueXcyMHlVCnpxY3BxbmNLNXpaVW9odkNLUjNR\nMnNvNmZ1WXcreThOZUtoVEdGNStTSDAKLS0tIFdETXo4ekVJSEJDeXFpWnZMVkFW\ncDFxZEg0VUswOGVJRmlIRmhoeTF1TEEKMWTYcmopAk1DDrB48r3VMdSbhbIiAIcv\nezr3p1TlnyddN7mCJQDwxYdiIc/fo3KGzmh+NxCuG7N2+M48YKIr9g==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ1dOcXp0Q2hiaW1hYm1W\nN3ZlR2hjbVphclU2MDViNjJFWmx3cHlDaGx3CitSMlBZRWJFQlZSL2RTNjNJNDlH\nZXVtUmxqbUIxY0IrVGZaTmxlc2N6VUEKLS0tIDJjOWp5OXdKcUMxSmZYRUI0ck9G\ndUFNMk9aRFlKVGVMYm5zcTAyTFAvTncKtreq0BMHA11PRV7LXTvGdEx47C+CfbM1\ng9QhopVofsKYqnwFblcRIL31XiiGIBRNo9mskZcNauY87axQYj22ZQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1lj633f3hmscvy0nsewqej8k3jrk9wkhrgw4lafx0p9748ncvjs3qkvdd3d
+sops_lastmodified=2024-04-30T08:20:26Z
+sops_mac=ENC[AES256_GCM,data:49O5/5tbLVOAgZQITlKdD6kdGb7k8AMU25NIQEX/h96uLbsld9OK6R55pZet318sD/vbT38Kr+GZ50arZKiFCxqkQ51CdNWnmnXLOrpkDYiBTC6oL4F3SruQyK5iHXg1gxMWOGwT2kaFnqejltx5ksIexJdz9D+E8rLi38+fogE=,iv:H/m/xY3L/mvYWA36dzh6EQWC3+UcySzwf1JbqY+ueXI=,tag:ePRjHn0hmOPO2l3/K6GSJw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1
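Review bot: This encrypted env file carries a `SOPS_PRIVATE` entry next to the Docker Hub credentials, so when the workflow decrypts it an age private key is exported into the job environment alongside the password; if it is the same `github` recipient key that the workflow already receives via `secrets.SOPS_PRIVATE`, the copy here is redundant and only widens exposure, and if it is a different key its purpose should be documented in the workflow or README (the key names are cleartext, the ciphertext cannot explain them). The name `DOCKER_HUB_PASSWORD` suggests an account password; the ciphertext cannot show what is stored, but a Docker Hub access token scoped to pushing `lasuite/goofys` is the safer credential to keep in a file that lives in repository history and is decryptable by either recipient. The file is sops-encrypted with AES-256-GCM per value and a `sops_mac`, so committing it is acceptable, provided the age private keys themselves never land in the repository.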
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9c12943
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+creation_rules:
+ # Using a single-key group to be able to use per-key comments,
+ # see https://github.com/getsops/sops/issues/845#issuecomment-1364109772
+ - key_groups:
+ - age:
+ - age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x # jacques
+ - age1lj633f3hmscvy0nsewqej8k3jrk9wkhrgw4lafx0p9748ncvjs3qkvdd3d # github
diff --git a/scripts/install-hooks.sh b/scripts/install-hooks.sh
new file mode 100755
index 0000000..7d1c790
--- /dev/null
+++ b/scripts/install-hooks.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+mkdir -p "$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/"
+PRE_COMMIT_FILE="$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/pre-commit"
+
+cat <<'EOF' >$PRE_COMMIT_FILE
+#!/bin/bash
+
+# directories containing potential secrets
+DIRS="."
+
+bold=$(tput bold)
+normal=$(tput sgr0)
+
+# allow to read user input, assigns stdin to keyboard
+exec
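Review bot: The single `creation_rules` entry has no `path_regex`, so these two recipients apply to every file sops is ever asked to encrypt in this repository, not only `.github/workflows/secrets.enc.env`; scope it with `path_regex: ^\.github/workflows/secrets\.enc\.env$` so a future file cannot silently be encrypted to the CI key. Because both recipients sit in one key group, either key alone decrypts — which is what CI needs — but it also makes the personal `jacques` key a single point of compromise for the Docker Hub credentials, which is worth stating next to the recipient. A comment should also record where each private key lives (the `github` one presumably as the `SOPS_PRIVATE` repository secret) and that adding or rotating a recipient requires re-running `sops updatekeys` on the encrypted file, which the `scripts/updatekeys.sh` in the diffstat appears to wrap.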