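# Capistrano recipe: distributes the Rails SECRET_KEY_BASE (and, in the
# :keys namespace, master.key / credentials.yml.enc) to the release hosts.
#
# Security notes for anyone using or reviewing these tasks:
# * The secret value is interpolated into the remote command line, so it is
#   likely to appear in Capistrano/SSHKit output and log files. Treat deploy
#   logs as sensitive.
# * Every "set" task appends with `>>` / `tee -a`; running setup twice leaves
#   duplicate (and possibly stale) export lines behind.
# * /etc/environment and /etc/profile are typically world-readable, so a
#   secret written there is visible to every local account on the host.
require 'capistrano/magic_recipes/base_helpers'
include Capistrano::MagicRecipes::BaseHelpers

namespace :load do
  # Default settings; override them in deploy.rb or a stage file.
  task :defaults do
    set :secrets_roles,       -> { :app }
    # Dotfile (without the leading dot) that receives the export line:
    # "profile" | "bashrc" | "bash_profile" | "bash_login"
    set :secrets_profile,     -> { "bashrc" }
    # NOTE(review): generate_secrect_key comes from BaseHelpers (not shown).
    # If the lambda is re-evaluated on each fetch, the tasks below could write
    # different keys to different files -- pin an explicit value to be safe.
    set :secrets_key_base,    -> { generate_secrect_key }
    # <APPLICATION>_<STAGE>_SECRET_KEY_BASE, dashes turned into underscores and
    # everything except letters and underscores removed (digits are dropped too).
    set :secrets_key_name,    -> { "#{ fetch(:application) }_#{ fetch(:stage) }_SECRET_KEY_BASE".gsub(/-/, "_").gsub(/[^a-zA-Z_]/, "").upcase }
    set :secrets_user_path,   -> { "/home/#{fetch(:user)}" }
    # Also write a plain SECRET_KEY_BASE next to the app-specific variable.
    set :secrets_set_both,    -> { false }
    # Write to /etc/environment during secrets:setup (on by default).
    set :secrets_set_env,     -> { true }
    # Write to /etc/profile during secrets:setup.
    set :secrets_set_etc,     -> { false }
    # Run secrets:setup from the top-level setup task.
    set :secrets_hooks,       -> { true }
    # Add config/secrets.yml to :linked_files on deploy.
    set :secrets_symlink,     -> { false }
  end
end

namespace :secrets do
  desc "upload secrets yaml"
  task :upload do
    on release_roles fetch(:secrets_roles) do
      within shared_path do
        # NOTE(review): the rendered file is staged under a fixed name in /tmp.
        # Depending on how magic_template creates it, other local users may be
        # able to read it before the move; the final file mode is not tightened
        # here either. Confirm the permissions of config/secrets.yml after deploy.
        magic_template("secrets_yml", '/tmp/secrets.yml')
        execute :sudo, :mv, '/tmp/secrets.yml', "config/secrets.yml"
      end
    end
  end

  desc "set secret-key in .profile or .bashrc or .bash_profile or .."
  task :profile do
    on release_roles fetch(:secrets_roles) do
      within fetch(:secrets_user_path) do
        # Appends one export line per run; nothing removes older lines.
        execute :sudo, "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> .#{fetch(:secrets_profile)}"
        if fetch(:secrets_set_both, false)
          execute :sudo, "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' >> .#{fetch(:secrets_profile)}"
        end
      end
    end
  end

  desc "set secret-key in /etc/environment .. for rvm usage"
  task :environment do
    on release_roles fetch(:secrets_roles) do
      within "/etc" do
        # `sudo tee -a` is used because a plain `sudo echo ... >> file` would
        # perform the redirect as the unprivileged deploy user.
        execute "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' | sudo tee -a /etc/environment"
        if fetch(:secrets_set_both, false)
          execute "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' | sudo tee -a /etc/environment"
        end
      end
    end
  end

  desc "set secret-key in /etc/profile .. set for all users"
  task :etc_profile do
    on release_roles fetch(:secrets_roles) do
      within "/etc" do
        execute "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' | sudo tee -a /etc/profile"
        if fetch(:secrets_set_both, false)
          # Same form as the command above and as secrets:environment: the
          # original prefixed this one pipeline with an extra `sudo`.
          execute "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' | sudo tee -a /etc/profile"
        end
      end
    end
  end

  desc "export secret-key in actual bash env"
  task :export do
    on release_roles fetch(:secrets_roles) do
      within fetch(:secrets_user_path) do
        # NOTE(review): each execute runs in its own remote shell, so this
        # export does not outlive the command. It still puts the secret on a
        # command line (and in the deploy log) for no lasting effect.
        execute "export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}"
        if fetch(:secrets_set_both, false)
          execute "export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}"
        end
      end
    end
  end

  desc "print remote env and the secret-key variables (debug helper)"
  task :printenv do
    on release_roles fetch(:secrets_roles) do
      within fetch(:secrets_user_path) do
        # Debug aid only: this writes the whole remote environment, including
        # any secrets it holds, into the deploy output. Do not run it where
        # output is archived or shared (CI logs, chat notifications).
        execute "printenv"
        execute :echo, "$SECRET_KEY_BASE"
        execute :echo, "$#{fetch(:secrets_key_name)}"
      end
    end
  end

  desc 'secrets setup task (upload and set)'
  task :setup do
    invoke "secrets:profile"
    invoke "secrets:environment" if fetch(:secrets_set_env)
    invoke "secrets:etc_profile" if fetch(:secrets_set_etc)
    invoke "secrets:export"
    invoke "secrets:upload"
  end

  # Adds config/secrets.yml to the linked files when :secrets_symlink is set.
  task :secrets_yml_symlink do
    set :linked_files, fetch(:linked_files, []).push('config/secrets.yml') if fetch(:secrets_symlink)
  end
  after 'deploy:started', 'secrets:secrets_yml_symlink'
end

namespace :keys do
  desc "upload master.key to server"
  task :upload_master do
    on roles %w{app db web} do
      # master.key decrypts credentials.yml.enc; rsync -a carries the local
      # file mode to the server, so keep the local copy restricted (0600).
      %w(master.key credentials.yml.enc).each do |that|
        puts "syncing: #{that}"
        local_dir = "./config/#{ that }"
        remote_dir = "#{host.user}@#{host.hostname}:#{shared_path}/config/#{ that }"
        run_locally { execute "rsync -av --delete #{local_dir} #{remote_dir}" }
      end
    end
  end
end

desc 'Server setup tasks'
task :setup do
  invoke "secrets:setup" if fetch(:secrets_hooks)
end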