Initial commit

.balena/balena.yml

@@ -0,0 +1,5 @@
+---
+build-secrets:
+  global:
+    - source: id_ed25519
+      dest: id_ed25519

.balena/secrets/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2R77+XZKfO0NnZGA0SPEZeGimopF/q4wJOwRxauM3F os-config

.gitignore

@@ -0,0 +1,5 @@
+.gitsecret/keys/random_seed
+!*.secret
+.balena/secrets/staging/balena_api_token.txt
+.balena/secrets/production/balena_api_token.txt
+.balena/secrets/id_ed25519

.gitsecret/paths/mapping.cfg

@@ -0,0 +1,3 @@
+.balena/secrets/staging/balena_api_token.txt:68ce4c1e6b4a9a453d42607ade05d426d77b173693736a89fdd8c838b72e87e5
+.balena/secrets/production/balena_api_token.txt:757a166ccd17922b1c64e4ad68908a85e3d5aafff1c1d05558a66e3f280b2df6
+.balena/secrets/id_ed25519:02d11afd52ecd19500051e1fa97ff9cac5f01e401bb77a436e3c839d36f852be

.resinci.yml

@@ -0,0 +1,23 @@
+---
+docker:
+  builds:
+    - path: .
+      dockerfile: Dockerfile
+      docker_repo: balena-push
+      publish: false
+      args:
+        - RESINRC_RESIN_URL=balena-staging.com
+        - BALENA_APPS=[{"app":"cloud-config-aarch64","type":"generic-aarch64"},{"app":"cloud-config-amd64","type":"generic"}]
+      secrets:
+        - id: balena-api-token
+          src: .balena/secrets/staging/balena_api_token.txt
+    - path: .
+      dockerfile: Dockerfile
+      docker_repo: balena-push
+      publish: false
+      args:
+        - RESINRC_RESIN_URL=balena-cloud.com
+        - BALENA_APPS=[{"app":"cloud-config-aarch64","type":"generic-aarch64"},{"app":"cloud-config-amd64","type":"generic"}]
+      secrets:
+        - id: balena-api-token
+          src: .balena/secrets/production/balena_api_token.txt

Dockerfile

@@ -0,0 +1,18 @@
+# syntax=docker/dockerfile:1
+
+# https://github.com/product-os/ci-images/tree/master/pipelines/balena
+FROM resinci/balena-x86_64-ubuntu
+
+ARG BALENA_APPS
+ARG RESINRC_RESIN_URL
+
+WORKDIR /tmp/build
+
+COPY . ./
+
+RUN --mount=type=secret,id=balena-api-token set -eu \
+    && sha="$(git rev-parse --short HEAD)" \
+    && balena login --token "$(cat < /run/secrets/balena-api-token)" \
+    && org="$(balena whoami | grep USERNAME | cut -c 11-)" \
+    && (echo "${BALENA_APPS}" | jq -r --arg org "${org}" '.[] | .app + " -o " + $org + " --type " + .type' | xargs -n 5 balena app create || true) \
+    && echo "${BALENA_APPS}" | jq -r --arg org "${org}" --arg sha "${sha}" '.[] | $org + "/" + .app + " --release-tag git-commit " + $sha' | xargs -n 4 balena push

Dockerfile.template

@@ -0,0 +1,10 @@
+FROM balenalib/%%BALENA_ARCH%%-alpine
+
+RUN set -eu && install_packages openssh-client \
+    && mkdir -p /root/.ssh \
+    && ([ -f /run/secrets/id_ed25519 ] && cat < /run/secrets/id_ed25519 > /root/.ssh/id_ed25519) \
+    && ([ -f /root/.ssh/id_ed25519 ] && chmod 600 /root/.ssh/id_ed25519)
+
+COPY balena.sh /usr/local/bin/
+
+CMD [ "balena.sh" ]

README.md

@@ -0,0 +1,33 @@
+# cloud-config
+> balenaCloud app which is usually preloaded into a balenaOS image to automatically join devices to the cloud using `config.json` data passed in from supported provider metadata service
+
+## create keys
+> [update](https://github.com/product-os/balena-concourse/tree/master/provision/app/console) local GPG keyring with public keys from GitHub
+
+	git secret whoknows && git secret reveal -f
+
+	[ -f .balena/secrets/id_ed25519 ] \
+	  || ssh-keygen -o -a 100 -t ed25519 -f .balena/secrets/id_ed25519 -C 'os-config' -N ''
+
+	PRIKEY_ED25519=$(cat .balena/secrets/id_ed25519 | openssl base64 | tr -d '\n')
+
+	PUBKEY_ED25519=$(cat .balena/secrets/id_ed25519.pub)
+
+	git secret add .balena/secrets/id_ed25519
+
+	git secret hide
+
+
+## deploy (manually)
+> (e.g) staging
+
+    git secret reveal -f
+
+    image="$(yq e '.docker.builds[] | select(.args[]=="*staging*").docker_repo' .resinci.yml)"
+
+    for ev in "$(yq e '.docker.builds[] | select(.args[]=="*staging*").args[]' .resinci.yml | sed 's/"/\\"/g')"; do eval export "${ev}"; done
+
+    docker build -t ${image} \
+      --build-arg "BALENA_APPS=${BALENA_APPS}" \
+      --build-arg RESINRC_RESIN_URL \
+      --secret id=balena-api-token,src=.balena/secrets/staging/balena_api_token.txt .

balena.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -e
+
+metadata_urls=( \
+  'http://169.254.169.254/latest/user-data' \
+  'http://169.254.169.254/metadata/v1/user-data' \
+  'https://metadata.platformequinix.com/userdata' \
+)
+
+curl_with_opts() {
+    curl --fail --silent --connect-timeout 3 "$@"
+}
+
+ssh_with_opts() {
+    ssh -p 22222 \
+      "root@$(ip route | awk '/balena0|br-[0-9a-fA-F]/ { print $7 }' | head -n 1)" \
+      -o 'StrictHostKeyChecking=no' \
+      -o 'UserKnownHostsFile=/dev/null' \
+      "$@"
+}
+
+config_from_metadata() {
+    #shellcheck disable=SC2034,SC2039 # /bin/sh is a symbolic link to bash on balenaOS
+    for url in "${metadata_urls[@]}"; do
+        user_data="$(curl_with_opts "${url}")"
+        [ -n "${user_data}" ] && echo "${user_data}" && break
+    done
+}
+
+ssh_with_opts "os-config join '$(config_from_metadata)'"
+
+exec balena-idle "$@"

repo.yml

@@ -0,0 +1,2 @@
+---
+type: "docker"