Monorepo for Aesthetic.Computer aesthetic.computer

lith/deploy.fish: ship DO Spaces creds for notepat build stream

Decrypt aesthetic-computer-vault/spaces/.env.gpg during deploy,
scp the plaintext to /tmp/notepat-spaces.env on lith, source it for
just the build command, and remove. Keeps S3 keys off
/opt/ac/system/.env while still letting --sync-spaces push the
versioned amxd + latest.json to s3://assets-aesthetic-computer/m4l/
notepat.com/ on every deploy that triggered a rebuild.

Falls back to a build-without-sync (with a yellow warning) when the
vault file is absent or GPG can't decrypt without a passphrase
prompt — so deploys can still run in contexts where Spaces uploads
aren't required.

+29 -3
lith/deploy.fish
··· 182 182 # when an amxd input actually changed since the last successful build 183 183 # (via --if-stale), then push the versioned artifact + latest.json to 184 184 # DO Spaces (--sync-spaces) so each release has a durable CDN URL 185 - # outside lith. Sourcing /opt/ac/system/.env before running picks up 186 - # DO_SPACES_* / AWS_* creds that lith.service already has configured. 185 + # outside lith. 186 + # 187 + # DO Spaces credentials live in aesthetic-computer-vault/spaces/.env 188 + # (canonical: spaces/.env.gpg). We decrypt locally, ship to /tmp on 189 + # lith for the build's lifetime, then remove — avoids storing S3 keys 190 + # permanently in /opt/ac/system/.env. If the vault file is missing or 191 + # GPG can't decrypt it, the build still runs — `--sync-spaces` just 192 + # gracefully skips the upload with a warning. 193 + set SPACES_ENV_SRC "$VAULT_DIR/spaces/.env" 194 + set SPACES_ENV_GPG "$VAULT_DIR/spaces/.env.gpg" 195 + set TMP_SPACES (mktemp) 196 + set SPACES_READY false 197 + if test -f $SPACES_ENV_SRC 198 + cp $SPACES_ENV_SRC $TMP_SPACES 199 + set SPACES_READY true 200 + else if test -f $SPACES_ENV_GPG 201 + if gpg --batch --pinentry-mode loopback -d $SPACES_ENV_GPG >$TMP_SPACES 2>/dev/null 202 + set SPACES_READY true 203 + end 204 + end 205 + 187 206 echo -e "$GREEN-> Refreshing notepat.com.amxd build stream...$NC" 188 - ssh -i $SSH_KEY $LITH_USER@$TARGET_HOST "cd $REMOTE_DIR && set -a && source system/.env 2>/dev/null || true; set +a; node ac-m4l/build-notepat.mjs --if-stale --sync-spaces" 207 + if test $SPACES_READY = true 208 + scp -i $SSH_KEY -q $TMP_SPACES $LITH_USER@$TARGET_HOST:/tmp/notepat-spaces.env 209 + ssh -i $SSH_KEY $LITH_USER@$TARGET_HOST "cd $REMOTE_DIR && set -a && . 
/tmp/notepat-spaces.env && set +a && node ac-m4l/build-notepat.mjs --if-stale --sync-spaces; rc=\$?; rm -f /tmp/notepat-spaces.env; exit \$rc" 210 + else 211 + echo -e "$YELLOW spaces creds unavailable — building without S3 sync.$NC" 212 + ssh -i $SSH_KEY $LITH_USER@$TARGET_HOST "cd $REMOTE_DIR && node ac-m4l/build-notepat.mjs --if-stale" 213 + end 214 + rm -f $TMP_SPACES 189 215 190 216 # Install service file + Caddy config from the deployed checkout 191 217 echo -e "$GREEN-> Updating service + Caddy config...$NC"
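Review bot: the decrypted credentials land on lith at a fixed, predictable path in a shared directory (`/tmp/notepat-spaces.env`, lines 208-209), and the only thing that removes them is the `rm -f` at the end of the remote command chain on line 209, so a dropped SSH session or an interrupted deploy leaves the plaintext S3 keys sitting in lith's /tmp, and two overlapping deploys would overwrite each other's copy. Consider having the remote side create the file with `mktemp` under its own name, register `trap 'rm -f "$f"' EXIT` before sourcing it so cleanup runs on any exit, or skip the remote file entirely by piping `$TMP_SPACES` over the ssh command's stdin and sourcing from there. Two smaller points in the same hunk: `gpg ... 2>/dev/null` on line 201 discards the only diagnostic when decryption fails, so the yellow warning on line 211 cannot tell a missing vault file from a GPG/agent problem (logging gpg's stderr would help), and lines 197-200 prefer a plaintext `spaces/.env` over the `.env.gpg` the comment calls canonical, which can silently pick up a stale unencrypted copy.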