feat: ucore-update healthchecks

.sops.yaml

@@ -5,7 +5,7 @@ creation_rules:
     key_groups:
       - age:
           - age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq
-  - path_regex: \.sops\.(conf|crt|key)$
+  - path_regex: \.sops\.(conf|crt|key|sh)$
     key_groups:
       - age:
           - age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq

Containerfile.storage

@@ -41,6 +41,9 @@ COPY apps/traefik/traefik.volume /usr/share/containers/systemd/
 COPY apps/traefik/config.sops.env /usr/share/traefik/config.sops.env
 COPY apps/traefik/config/storage.yaml /usr/etc/traefik/traefik.yaml
 
+# Apps - Ucore
+COPY apps/ucore/lib.sops.sh /usr/share/ucore/lib.sops.sh
+
 # Apps - Zrepl
 COPY apps/zrepl /tmp/apps/zrepl
 COPY systemd/zrepl-secrets.service /etc/systemd/system/

Containerfile.storage-remote

@@ -11,6 +11,9 @@ COPY apps/node-exporter/node-exporter.container /usr/share/containers/systemd/
 COPY apps/scrutiny-collector/storage-remote.container /usr/share/containers/systemd/scrutiny-collector.container
 COPY apps/scrutiny-collector/storage-remote.sops.env /usr/share/scrutiny-collector/config.sops.env
 
+# Apps - Ucore
+COPY apps/ucore/lib.sops.sh /usr/share/ucore/lib.sops.sh
+
 # Apps - Wireguard
 COPY apps/wireguard/wg0-client.sops.conf /usr/share/wireguard/wg0-client.sops.conf
 COPY systemd/wg0-client.service /etc/systemd/system/

apps/ucore/lib.sops.sh

@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:obK7czVMPKNzihNu7Tm6VleZ4nQxlBeMLo3WCEOB3zlziudSIvZNppj2lvSynr9R5PO9vo5LRKetZzV3DFxy26FipUIXKCcIsuISelYuPfXvKznUs46I3zyPyuFbSQCxF+egVPl0yuE/0lc5s8NSY4EbPh5qcQv6wrAZdIaOAJQkMzQQ7Vgo41fp4xdodq/y7aTGXCKNDAPGwdUFm02X45hAQzFUYMo+Z8keusAFX5e/U+F9hTInFK+7F3lAihrDyAA0Q9RHJFt8PkFw2Gbe14IPLBG6y92YvTNfxQejVDWJkjTD2NQXmgU7eK17/im8iC5/C+jT0KC/h8Uuv8fpVDKQwTr4z/+vPXnzMCkFYI1A,iv:99YW/BqpU5+FGPc8DQ1RUrt6gd+rBmiT2VmLtWp89rg=,tag:zwVWkEG6qgO0RVw120KuaA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKamxUTm5VVVViWHVyby8r\nMm93UWkzMDRhcnVueEhGdkFNcHdnU2xFMkRZCnY4ZGZxQ3U2YmpWU1hIdU5BeW9J\nWVp0anFaOWxrRk1MUlBDM2FiRUNEVUUKLS0tIHBXcWEzQllJK3hYTytYdFU2R1I3\nZEhzdSt3RVNMM0Qxb2E3OUZMTXRjNVkKJs+UJtJOlaf1lwacNklMbTeAQ1vb+ZVz\nJCt6KTEv2tZjC8YF32iRePE+uB5NtkmGlcPGtrQT5J9JV2dwRZojaQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-08-17T16:56:16Z",
+		"mac": "ENC[AES256_GCM,data:gBxEXZMDqcau0fNtKLMqg5w+k6I519zfNgD+ip6cmgMYM921rA0l1Pyu0b898fP2h9V8nuynH3/pck7QjU1B9viem+98xxfdmjyWzejVI+vA5j3mWUqA42103w8da6utuGZBaGZ9ODvAp63BRYhGie5zYT4UmPb1I/4ZCFV34U0=,iv:Ts99qY7jokXlx5wHHoAzcJcM+jFu36jdm4dthbICNxA=,tag:iOGgSNxTmtEMQ9zmeD7yWw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}

scripts/install.sh

@@ -23,7 +23,6 @@ rpm-ostree install \
 if [[ "${HOST}" = "storage" ]]; then
 
     rpm-ostree install \
-        nfs-utils \
         samba
 
     /tmp/apps/zrepl.sh storage storage-remote

systemd/ucore-update.service

@@ -4,4 +4,10 @@ After=local-fs.target
 After=network-online.target
 
 [Service]
-ExecStart=/usr/bin/rpm-ostree update --reboot
+Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt
+ExecStartPre=/bin/sh -c 'test -f "${SOPS_AGE_KEY_FILE}" || exit 1'
+ExecStartPre=/usr/bin/sops --config /usr/share/sops/.sops.yaml exec-file /usr/share/ucore/lib.sops.sh "cp {} /etc/ucore/lib.sh ; chmod 500 /etc/ucore/lib.sh"
+ExecStart=/bin/sh -c 'source /etc/ucore/lib.sh && /usr/bin/curl -m 10 --retry 5 "https://hc-ping.com/${HEALTHCHECK_ID}/start"'
+ExecStart=/usr/bin/rpm-ostree update
+ExecStartPost=/bin/sh -c '/usr/bin/curl -m 10 --retry 5 "https://hc-ping.com/${HEALTHCHECK_ID}/$?"'
+ExecStartPost=/bin/sh -c 'reboot'