#!/usr/bin/env bash # One-time Drone<->Gitea OAuth bootstrap (the ONLY manual post-`nixos-rebuild` step). # # Drone can only sync/clone repos once it holds the bot's Gitea OAuth token, which is granted by # an interactive OAuth login. This cannot be Nix-declared without putting the bot's Gitea password # on cc-ci, so it's a one-time operator step. The token then persists in Drone's `data` volume, so # reconcile redeploys keep working. Re-run only if that volume is wiped. # # Usage (run ON cc-ci, as root): # GITEA_USERNAME=autonomic-bot GITEA_PASSWORD=… bash scripts/bootstrap-drone-oauth.sh # Optionally ACTIVATE a repo: REPO=recipe-maintainers/cc-ci (default). set -euo pipefail : "${GITEA_USERNAME:?set GITEA_USERNAME}" : "${GITEA_PASSWORD:?set GITEA_PASSWORD}" GITEA="${GITEA:-https://git.autonomic.zone}" DRONE="${DRONE:-https://drone.ci.commoninternet.net}" CLIENT_ID="${CLIENT_ID:-ab4cdb9d-ee96-4867-875f-87384505fc52}" REPO="${REPO:-recipe-maintainers/cc-ci}" RES=(--resolve "drone.ci.commoninternet.net:443:127.0.0.1") export PATH=/run/current-system/sw/bin:"$PATH" cj=$(mktemp) dj=$(mktemp) az=$(mktemp) trap 'rm -f "$cj" "$dj" "$az"' EXIT # 1) Gitea web login (CSRF cookie -> form field). curl -s -c "$cj" "$GITEA/user/login" -o /dev/null gcsrf=$(awk '/_csrf/{v=$NF} END{print v}' "$cj") curl -s -b "$cj" -c "$cj" -o /dev/null \ --data-urlencode "_csrf=$gcsrf" \ --data-urlencode "user_name=$GITEA_USERNAME" \ --data-urlencode "password=$GITEA_PASSWORD" \ "$GITEA/user/login" # 2) Drone /login -> Gitea authorize URL. loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r') azh=$(mktemp) trap 'rm -f "$cj" "$dj" "$az" "$azh"' EXIT curl -sk -b "$cj" -c "$cj" -o "$az" -D "$azh" "$loc" # 3) Either the OAuth app auto-approves (bot already granted it earlier => Gitea 302s straight to the # code callback, no consent form) or it shows a consent form we must POST. Handle both. cb=$(awk 'tolower($1)=="location:"{print $2}' "$azh" | tr -d '\r') if [ -z "$cb" ]; then acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/') state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/') cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \ --data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \ --data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \ --data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \ "$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r') fi # code callback -> complete Drone login (sets Drone session + persists the token in Drone's volume). curl -sk -b "$dj" -c "$dj" -o /dev/null -L "${RES[@]}" "$cb" # 4) Verify + sync + activate the repo. admin=$(curl -sk -b "$dj" "${RES[@]}" "$DRONE/api/user" | jq -r '.admin') echo "drone login ok (admin=$admin)" curl -sk -b "$dj" "${RES[@]}" "$DRONE/api/user/repos?latest=true" >/dev/null active=$(curl -sk -b "$dj" "${RES[@]}" -X POST "$DRONE/api/repos/$REPO" | jq -r '.active') echo "repo $REPO active=$active"