use 1Password op cli tool to set fly app secrets (#101)

westerveltco · Apr 4, 2024 · 49cca0e · 49cca0e
1 parent a4873a6
commit 49cca0e
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Added
+
+- A `.env.prod` template to be used with 1Password's `op` CLI tool.
+
+### Changed
+
+- Now using 1Password's `op` CLI tool for managing and injecting secrets when deploying to Fly.io.
+
 ## [2024.12]
 
 ### Changed

diff --git a/src/django_twc_project/.env.prod.jinja b/src/django_twc_project/.env.prod.jinja
@@ -0,0 +1,4 @@
+DATABASE_URL={{ postgres_uri_scheme }}://{{"{{"}} op://crunchy/{{ fly_app_name | replace("-","_") }}/username {{"}}"}}:{{"{{"}} op://crunchy/{{ fly_app_name | replace("-","_") }}/password {{"}}"}}@{{"{{"}} op://crunchy/westerveltco-db-pg{{ postgres_docker_version }}/tailscale/ip {{"}}"}}:{{"{{"}} op://crunchy/westerveltco-db-pg{{ postgres_docker_version }}/pgbouncer_port {{"}}"}}/{{"{{"}} op://crunchy/{{ fly_app_name | replace("-","_") }}/database {{"}}"}}
+EMAIL_RELAY_DATABASE_URL=postgres://{{"{{"}} op://crunchy/email_relay/username {{"}}"}}:{{"{{"}} op://crunchy/email_relay/password {{"}}"}}@{{"{{"}} op://crunchy/westerveltco-db-pg{{ postgres_docker_version }}/tailscale/ip {{"}}"}}:{{"{{"}} op://crunchy/westerveltco-db-pg{{ postgres_docker_version }}/pgbouncer_port {{"}}"}}/{{"{{"}} op://crunchy/email_relay/database {{"}}"}}
+SECRET_KEY={{"{{"}} op://fly/{{ fly_app_name }}/secret_key {{"}}"}}
+TAILSCALE_AUTHKEY={{"{{"}} op://tailscale/flyio/secret {{"}}"}}
diff --git a/src/django_twc_project/.github/workflows/deploy.yml.jinja b/src/django_twc_project/.github/workflows/deploy.yml.jinja
@@ -51,19 +51,26 @@ jobs:
  runs-on: ubuntu-latest
  needs: bumpver
  environment: production
+ env:
+ OP_SERVICE_ACCOUNT_TOKEN: {% raw %}${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}{% endraw %}
  steps:
  - uses: actions/checkout@v4
 
- - uses: 1password/load-secrets-action@v2
- with:
- export-env: true
- env:
- OP_SERVICE_ACCOUNT_TOKEN: {% raw %}${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}{% endraw %}
- FLY_API_TOKEN: "op://GitHub Actions/{{ op_vault }}/FLY_API_TOKEN"
+ - uses: 1password/install-cli-action@v1
 
  - uses: superfly/flyctl-actions/setup-flyctl@master
 
- - run: flyctl deploy --remote-only
+ - name: Set Fly.io deployment API token
+ run: |
+ echo "FLY_API_TOKEN={{"{{"}} op://fly/{{ fly_app_name }}/fly/api_token {{"}}"}}" | op inject >> $GITHUB_ENV
+
+ - name: Stage Fly.io secrets
+ run: |
+ op inject -i .env.prod | xargs flyctl secrets set --stage
+
+ - name: Deploy to Fly.io
+ run: |
+ flyctl deploy --remote-only
 
  sentry:
  runs-on: ubuntu-latest