commit 17804f5ada032276eabf7e33d41feef46ca511d7
Author: Nicolas Vigier <boklm@torproject.org>
Date: Thu Dec 19 16:46:07 2019 +0100
Bug 25102: Setup nightly signing
---
tools/ansible/Makefile | 3 ++
tools/ansible/README | 7 +++
tools/ansible/ansible.cfg | 6 +++
tools/ansible/inventory | 1 +
.../roles/tbb-nightly-signing/defaults/main.yml | 7 +++
.../roles/tbb-nightly-signing/tasks/main.yml | 54 ++++++++++++++++++++++
tools/ansible/tbb-nightly-signing.yml | 6 +++
7 files changed, 84 insertions(+)
diff --git a/tools/ansible/Makefile b/tools/ansible/Makefile
index ea63a44..97a63c1 100644
--- a/tools/ansible/Makefile
+++ b/tools/ansible/Makefile
@@ -6,3 +6,6 @@ fpcentral:
boklm-tbb-nightly-build:
ansible-playbook --vault-password-file=~/ansible-vault/boklm-tbb-nightly -i inventory boklm-tbb-nightly-build.yml
+
+tbb-nightly-signing:
+ ANSIBLE_CONFIG='$(@D)/ansible.cfg' ansible-playbook -i inventory tbb-nightly-signing.yml
diff --git a/tools/ansible/README b/tools/ansible/README
index 6056372..5407a73 100644
--- a/tools/ansible/README
+++ b/tools/ansible/README
@@ -25,6 +25,13 @@ boklm-tbb-nightly-build:
For more details, see also this ticket: https://trac.torproject.org/projects/tor/ticket/33948
+tbb-nightly-signing:
+ This target is used to deploy a nightly signing machine. The
+ configuration of nightly signing is done in the following files:
+ tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
+ tools/signing/nightly/config.yml
+ tools/signing/nightly/update-responses-base-config.yml
+
Adding, removing, updating users on the Tor Browser team build machine
======================================================================
diff --git a/tools/ansible/ansible.cfg b/tools/ansible/ansible.cfg
new file mode 100644
index 0000000..0663746
--- /dev/null
+++ b/tools/ansible/ansible.cfg
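Review bot: In the new `tbb-nightly-signing` target, `$(@D)` is the directory part of the target name, and because the target contains no slash GNU make expands it to `.`, so the recipe sets `ANSIBLE_CONFIG='./ansible.cfg'` and only resolves when make is run from tools/ansible (the same assumption `-i inventory` already makes in the other targets). If the intent is a path that does not depend on the caller's cwd, say so explicitly: `ANSIBLE_CONFIG='$(CURDIR)/ansible.cfg' ansible-playbook -i inventory tbb-nightly-signing.yml`. Ansible also picks up ./ansible.cfg from the working directory on its own (unless that directory is world-writable), so the variable mainly pins the config against one found elsewhere; a one-line comment above the target stating that would help the next reader.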
@@ -0,0 +1,6 @@
+[ssh_connection]
+; When connecting to a v3 onion, we get the error:
+; "unix_listener: [...] too long for Unix domain socket"
+; We solve this by using %n (The original remote hostname, as given on
+; the command line) instead of %h (The remote hostname) in the control path.
+control_path=%(directory)s/%%r-%%n-%%r
diff --git a/tools/ansible/inventory b/tools/ansible/inventory
index fc25842..47fda66 100644
--- a/tools/ansible/inventory
+++ b/tools/ansible/inventory
@@ -1,6 +1,7 @@
build-sunet-a ansible_ssh_user=root ansible_ssh_host=build-sunet-a.torproject.net
fpcentral ansible_become=True ansible_become_method=sudo ansible_become_user=fpcentral ansible_ssh_host=forrestii.torproject.org allow_world_readable_tmpfiles=True
boklm-tbb-nightly-build ansible_ssh_user=root ansible_become_method=su
+tbb-nightly-signing ansible_ssh_user=root ansible_become_method=su

[tbb-build]
build-sunet-a
diff --git a/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml b/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
new file mode 100644
index 0000000..cbe3b82
--- /dev/null
+++ b/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+nightly_signing_user: nightly-signing
+nightly_signing_cron_hour: '*'
+nightly_signing_cron_minute: '0,30'
+tor_browser_build_dir: "/home/{{ nightly_signing_user }}/tor-browser-build"
+tor_browser_build_git_url: https://git.torproject.org/builders/tor-browser-build.git
+tor_browser_build_commit: 8d66414b7860751ffec6a83a6bc6dbfbd94f801a
diff --git a/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml b/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml
new file mode 100644
index 0000000..3cc96ba
--- /dev/null
+++ b/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml
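Review bot: The control path `%%r-%%n-%%r` repeats the remote user and drops the port, so two hosts reached under the same ssh name and user but on different ports would share one control socket; this looks like a typo for `%%r-%%n-%%p`, i.e. `control_path=%(directory)s/%%r-%%n-%%p`. The OpenSSH-documented answer to the "too long for Unix domain socket" error is the `%C` token (a fixed-length hash of %l%h%p%r), which keeps the socket name unique and short no matter how long the onion address is, and newer Ansible releases default to it; `control_path=%(directory)s/%%C` would do, provided the controlling host runs OpenSSH 6.7 or later, which I cannot tell from here. Note also that %n only shortens the name if the onion address sits behind a short ssh_config Host alias — the new inventory entry has no ansible_ssh_host, so presumably that is the setup; the comment should say so, since with a bare onion on the command line %n equals %h and the error comes back.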
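Review bot: `tor_browser_build_git_url` is a plain https URL that the role's git task clones straight from the signing host, while the cron job the same role installs runs `sign-nightly` under torsocks; if the torsocks wrapping exists so the signing machine never reaches Tor Project infrastructure from its own address, the initial clone (and the refresh on every later playbook run, since the git module's `update` defaults to yes) defeats that. I cannot tell from the diff whether that is the intent. If it is, drop a `~/.gitconfig` with `http.proxy = socks5h://127.0.0.1:9050` for the user before the clone task, or clone from an onion URL, and state in a comment here which of the two applies. Pinning `tor_browser_build_commit` to a full SHA is the right call; quoting it (`'8d66414b…'`) guards against a future all-digit value being read as an integer.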
@@ -0,0 +1,54 @@
+---
+- name: Install dependencies
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - git
+ - libdatetime-perl
+ - libfindbin-libs-perl
+ - libfile-slurp-perl
+ - libxml-writer-perl
+ - libio-captureoutput-perl
+ - libparallel-forkmanager-perl
+ - libxml-libxml-perl
+ - libwww-perl
+ - libjson-perl
+ - libyaml-libyaml-perl
+ - libyaml-perl
+ - libtemplate-perl
+ - libio-handle-util-perl
+ - libio-all-perl
+ - libio-captureoutput-perl
+ - libpath-tiny-perl
+ - libstring-shellquote-perl
+ - libsort-versions-perl
+ - libdigest-sha-perl
+ - libdata-uuid-perl
+ - libdata-dump-perl
+ - libfile-copy-recursive-perl
+ - libnss3-tools
+ - rsync
+
+- name: create nightly-signing user
+ user:
+ name: "{{ nightly_signing_user }}"
+ comment: "Tor Browser Nightly Signing"
+ createhome: yes
+ home: "/home/{{ nightly_signing_user }}"
+
+- name: clone tor-browser-build
+ become: yes
+ become_user: "{{ nightly_signing_user }}"
+ git:
+ repo: "{{ tor_browser_build_git_url }}"
+ dest: "{{ tor_browser_build_dir }}"
+ version: "{{ tor_browser_build_commit }}"
+
+- name: add cron to sign nighly build
+ cron:
+ name: tbb-sign-nightly-build
+ user: "{{ nightly_signing_user }}"
+ hour: "{{ nightly_signing_cron_hour }}"
+ minute: "{{ nightly_signing_cron_minute }}"
+ job: "torsocks /home/{{ nightly_signing_user }}/tor-browser-build/tools/signing/nightly/sign-nightly"
diff --git a/tools/ansible/tbb-nightly-signing.yml b/tools/ansible/tbb-nightly-signing.yml
new file mode 100644
index 0000000..bc0c681
--- /dev/null
+++ b/tools/ansible/tbb-nightly-signing.yml
@@ -0,0 +1,6 @@
+---
+
+- hosts: tbb-nightly-signing
+ roles:
+ - role: tbb-nightly-signing
+ - role: unattended-upgrades
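Review bot: The cron entry in the last task starts `sign-nightly` every 30 minutes with nothing preventing overlap, so a run that takes longer than the interval or stalls on the tor connection gets a second copy started beside it, unless sign-nightly takes its own lock, which I cannot see from here. Wrap it in flock (util-linux, present on the Debian-family hosts the apt task implies): `job: "flock -n /home/{{ nightly_signing_user }}/sign-nightly.lock torsocks {{ tor_browser_build_dir }}/tools/signing/nightly/sign-nightly"` — this also replaces the hard-coded `/home/{{ nightly_signing_user }}/tor-browser-build` with the `tor_browser_build_dir` default the clone task already uses, so overriding that variable cannot leave the cron pointing at a directory that was never cloned. Two smaller points in the first task: `libio-captureoutput-perl` appears twice in the `with_items` list, and passing the whole list to `name:` instead of looping with `with_items` makes one apt transaction instead of 25. The task name says "nighly"; spelling it "nightly" keeps the crontab comment marker consistent with `tbb-sign-nightly-build`.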