Make it work on Nix

Author: nsychev

README.md

@@ -13,31 +13,51 @@ To install manually, create a GitHub App in your personal account on an organiza
 
 Acquire client ID webhook secret, private key (PEM file). Install the application on your own account.
 
+Put private key in `/etc/gh-deploy/key.pem` and webhook secret in `/etc/gh-deploy/webhook-secret` file.
+
 Then follow with one of the installation options:
 
 ### Systems that have systemd enabled
 
-Decide which user will be running the tool. The following instructions suppose this user will be named `user` and has default group named `usergroup`. Execute these commands:
-
-```bash
-sudo install -Ddm 755 -o root -g usergroup /etc/gh-deploy
-```
+Run this command. It will download the latest release to `/usr/local/bin/gh-deploy`, create default config, install and start systemd unit.
 
-Then create files `/etc/gh-deploy/key.pem` and `/etc/gh-deploy/webhook-secret` with PEM file and webhook secret respectively. Then:
+Set `CLIENT_ID` variable to your GitHub App Client ID (required). Also it’s recommended (but not required) to set `APP_USER` to the name
+of your Linux user that will pull the repositories and run the deploy scripts. It should have enough privileges to do that. If not provided,
+the current user will be used.
 
 ```bash
-sudo chmod 640 /etc/gh-deploy/key.pem /etc/gh-deploy/webhook-secret
-sudo chown root:usergroup /etc/gh-deploy/key.pem /etc/gh-deploy/webhook-secret
-
-# This will download the latest release to /usr/local/bin/gh-deploy, create default config, install and start systemd unit.
-curl https://teamteam.dev/gh-deploy/install.sh | sudo APP_ID=<your-github-app-id> USER=user bash -
+curl https://teamteam.dev/gh-deploy/install.sh | sudo CLIENT_ID=<your-github-app-id> APP_USER=<username> bash -
 ```
 
-Then update `/etc/gh-deploy/config.toml` to your preference and make the webhook available at URL specified before.
+Then update `/etc/gh-deploy/config.toml` to your preference and make the webhook available at URL specified when creating the app.
+Use `systemctl restart gh-deploy` to restart app after configuration changes.
 
 ### NixOS
 
-Use `flake.nix` that provides `gh-deploy` service.
+Use `flake.nix` that provides `gh-deploy` service. Example configuration:
+
+```nix
+services.gh-deploy = {
+    enable = true;
+    domain = "prod.teamteam.dev";
+    gitLfs = true;
+    githubApp = {
+        clientId = "123456abcdef";
+        privateKeyFile = "/etc/gh-deploy/key.pem";
+        webhookSecretFile = "/etc/gh-deploy/webhook-secret";
+    };
+    projects = [{
+        repository = "teamteamdev/gh-deploy";
+        branch = "pages";
+        timeout = 300;
+        path = ''
+            systemctl restart nginx
+        '';
+    }];
+};
+```
+
+> Note that NixOS module registers user and group `gh-deploy` to run the service, so change file ownership respectively.
 
 ### Other systems
 
@@ -59,6 +79,9 @@ go build -o gh-deploy
 
 See [config.example.toml](config.example.toml) for configuration examples.
 
+Use `systemctl reload gh-deploy` to reload the configuration. Updating HTTP server settings (bind address, port or TLS) on-the-fly is not supported,
+except for replacing TLS key pair.
+
 ## License
 
 Contents of this repository are available under [MIT License](LICENSE).

config.example.toml

@@ -1,6 +1,10 @@
 # Server configuration
-# bind = "127.0.0.1" # Default is "::" (all IPv4 and IPv6 interfaces)"
-port = 8080          # Required
+bind = "[::1]:8080" # Required
+# Examples:
+# "[::]:80" - listen on port 80 on all IPv4/IPv6 addresses
+# "[::1]:80" - listen on port 80 on localhost
+# "192.168.1.1:12345" - listen on port 12345 on a specific IPv4 address
+# "unix:/run/gh-deploy/http.sock" - listen on a Unix socket
 
 # Enable Git LFS support
 # git_lfs = true
@@ -12,14 +16,14 @@ port = 8080          # Required
 
 # GitHub App configuration
 [github_app]
-client_id = "123456"                                     # GitHub App client ID
-private_key_file = "/path/to/github-app-private-key.pem" # GitHub App private key file
-webhook_secret_file = "/path/to/webhook-secret"          # File with webhook secret
+client_id = "123456abcdefGHIJKLMN"                    # GitHub App client ID
+private_key_file = "/etc/gh-deploy/key.pem"           # GitHub App private key file
+webhook_secret_file = "/etc/gh-deploy/webhook-secret" # File with webhook secret
 
-# Repository definitions
-[[repos]]
-full_name = "owner/repo"
-branch = "main"              # Branch to watch for changes
-clone_path = "/var/www/repo" # This folder should be writable by user running the gh-deploy
-command = "make deploy"      # Optional: command to run after update
-timeout = 300                # in seconds, default is 120
+# Repositories and branches to deploy
+[[projects]]
+repository = "owner/repo"
+branch = "main"           # Branch to watch for changes
+path = "/var/www/repo"    # This folder should be writable by user running the gh-deploy
+command = "make deploy"   # Optional: command to run after update
+timeout = 300             # in seconds, default is 120

config.go

@@ -0,0 +1,119 @@
+package main
+
+import (
+	"crypto/rsa"
+	"crypto/tls"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/BurntSushi/toml"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type Config struct {
+	Bind string `toml:"bind"`
+	TLS  *struct {
+		CertFile    string `toml:"cert_file"`
+		KeyFile     string `toml:"key_file"`
+		certificate tls.Certificate
+	} `toml:"tls"`
+	GitHubApp struct {
+		ClientID          string `toml:"client_id"`
+		PrivateKeyFile    string `toml:"private_key_file"`
+		WebhookSecretFile string `toml:"webhook_secret_file"`
+		privateKey        *rsa.PrivateKey
+		webhookSecret     string
+	} `toml:"github_app"`
+	GitLFS   bool         `toml:"git_lfs"`
+	Projects []RepoConfig `toml:"projects"`
+}
+
+type RepoConfig struct {
+	Repository string `toml:"repository"`
+	Branch     string `toml:"branch"`
+	Path       string `toml:"path"`
+	Command    string `toml:"command"`
+	Timeout    int    `toml:"timeout"`
+}
+
+var (
+	config      Config
+	configPath  string
+	configMutex = sync.Mutex{}
+)
+
+func loadConfig(initial bool) error {
+	var newConfig Config
+	_, err := toml.DecodeFile(configPath, &newConfig)
+	if err != nil {
+		return fmt.Errorf("failed to decode TOML config: %w", err)
+	}
+
+	if newConfig.Bind == "" {
+		return fmt.Errorf("configuration 'bind' parameter is required")
+	}
+
+	// Weird way to set default values
+	for i, repo := range newConfig.Projects {
+		if repo.Timeout == 0 {
+			newConfig.Projects[i].Timeout = 120
+		}
+	}
+
+	if newConfig.TLS != nil {
+		newConfig.TLS.certificate, err = tls.LoadX509KeyPair(os.ExpandEnv(newConfig.TLS.CertFile), os.ExpandEnv(newConfig.TLS.KeyFile))
+		if err != nil {
+			return fmt.Errorf("failed to load TLS certificate: %w", err)
+		}
+	}
+
+	keyBytes, err := os.ReadFile(os.ExpandEnv(newConfig.GitHubApp.PrivateKeyFile))
+	if err != nil {
+		return fmt.Errorf("failed to read PEM key: %w", err)
+	}
+
+	newConfig.GitHubApp.privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(keyBytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse PEM key: %w", err)
+	}
+
+	webhookSecretBytes, err := os.ReadFile(os.ExpandEnv(newConfig.GitHubApp.WebhookSecretFile))
+	if err != nil {
+		return fmt.Errorf("failed to read webhook secret: %w", err)
+	}
+
+	newConfig.GitHubApp.webhookSecret = strings.TrimSpace(string(webhookSecretBytes))
+
+	if !initial && ((config.TLS == nil) != (newConfig.TLS == nil) || config.Bind != newConfig.Bind) {
+		log.Printf("Warning: Changing bind address or toggling TLS requires a restart of the server, updates to these settings are ignored")
+	}
+
+	config = newConfig
+
+	return nil
+}
+
+func handleConfigReload() {
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGHUP)
+
+	go func() {
+		for range sigChan {
+			configMutex.Lock()
+			log.Printf("Received SIGHUP, reloading configuration...")
+
+			if err := loadConfig(false); err != nil {
+				log.Fatalf("Failed to reload config: %v", err)
+			}
+
+			log.Printf("Configuration reloaded successfully")
+
+			tokenCache.Storage.Flush()
+		}
+	}()
+}

creds.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-github/v57/github"
+	"github.com/kofalt/go-memoize"
+	"github.com/patrickmn/go-cache"
+)
+
+var (
+	tokenCache = memoize.NewMemoizer(
+		10*time.Minute,
+		cache.NoExpiration,
+	)
+)
+
+func fetchAccessToken(installationID int64) (string, error) {
+	now := time.Now()
+	claims := jwt.MapClaims{
+		"iat": now.Unix(),
+		"exp": now.Add(10 * time.Minute).Unix(),
+		"iss": config.GitHubApp.ClientID,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	tokenString, err := token.SignedString(config.GitHubApp.privateKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign JWT: %w", err)
+	}
+
+	client := github.NewClient(nil).WithAuthToken(tokenString)
+
+	installationToken, _, err := client.Apps.CreateInstallationToken(
+		context.Background(),
+		installationID,
+		&github.InstallationTokenOptions{},
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to create installation token: %w", err)
+	}
+
+	return installationToken.GetToken(), nil
+}
+
+func getAccessToken(installationID int64) (string, error) {
+	fetch := func() (string, error) {
+		return fetchAccessToken(installationID)
+	}
+
+	token, err, _ := memoize.Call(tokenCache, fmt.Sprintf("fetch-access-token-%d", installationID), fetch)
+	return token, err
+}