Recently, we had a project deliverable to setup a repository that would auto-deploy to the staging server. I spent a bit of time getting this right, so I figured it’d be useful for someone else who had to do this.
I wrote cloaked-spice, a tiny Flask app to do the job here. Flask documentation has a pretty neat example for doing request checksums. I’ve just modified it to work with HMAC and SHA1. It sounds simple, but thanks to silly mistakes, it took a few days to get it working :)
The Flask app is extremely limited in what it can do on the server. It is run as a user called deploy and a group called deploy. All the files that the app can update are owned by the group deploy and editable by the group. Thanks to sudo’s flexibility, it can only run one sudo command. Here’s the line in sudoers file:
deploy ALL=(ALL) NOPASSWD: /usr/bin/service apache2 *
I’m using gunicorn and Nginx to serve the app and supervisor to manage the gunicorn process. I’m sure other wsgi servers would be up-to the job just as easily.
Credits to Github for suggesting a name for this that sounds less boring that