[tor-commits] [tor-browser-build/master] Bug 25102: Setup nightly signing
gk at torproject.org
gk at torproject.org
Sun Oct 25 12:48:01 UTC 2020
commit 17804f5ada032276eabf7e33d41feef46ca511d7
Author: Nicolas Vigier <boklm at torproject.org>
Date: Thu Dec 19 16:46:07 2019 +0100
Bug 25102: Setup nightly signing
---
tools/ansible/Makefile | 3 ++
tools/ansible/README | 7 +++
tools/ansible/ansible.cfg | 6 +++
tools/ansible/inventory | 1 +
.../roles/tbb-nightly-signing/defaults/main.yml | 7 +++
.../roles/tbb-nightly-signing/tasks/main.yml | 54 ++++++++++++++++++++++
tools/ansible/tbb-nightly-signing.yml | 6 +++
7 files changed, 84 insertions(+)
diff --git a/tools/ansible/Makefile b/tools/ansible/Makefile
index ea63a44..97a63c1 100644
--- a/tools/ansible/Makefile
+++ b/tools/ansible/Makefile
@@ -6,3 +6,6 @@ fpcentral:
boklm-tbb-nightly-build:
ansible-playbook --vault-password-file=~/ansible-vault/boklm-tbb-nightly -i inventory boklm-tbb-nightly-build.yml
+
+tbb-nightly-signing:
+ ANSIBLE_CONFIG='$(@D)/ansible.cfg' ansible-playbook -i inventory tbb-nightly-signing.yml
diff --git a/tools/ansible/README b/tools/ansible/README
index 6056372..5407a73 100644
--- a/tools/ansible/README
+++ b/tools/ansible/README
@@ -25,6 +25,13 @@ boklm-tbb-nightly-build:
For more details, see also this ticket:
https://trac.torproject.org/projects/tor/ticket/33948
+tbb-nightly-signing:
+ This target is used to deploy a nightly signing machine. The
+ configuration of nightly signing is done in the following files:
+ tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
+ tools/signing/nightly/config.yml
+ tools/signing/nightly/update-responses-base-config.yml
+
Adding, removing, updating users on the Tor Browser team build machine
======================================================================
diff --git a/tools/ansible/ansible.cfg b/tools/ansible/ansible.cfg
new file mode 100644
index 0000000..0663746
--- /dev/null
+++ b/tools/ansible/ansible.cfg
@@ -0,0 +1,6 @@
+[ssh_connection]
+; When connecting to a v3 onion, we get the error:
+; "unix_listener: [...] too long for Unix domain socket"
+; We solve this by using %n (The original remote hostname, as given on
+; the command line) instead of %h (The remote hostname) in the control path.
+control_path=%(directory)s/%%r-%%n-%%r
diff --git a/tools/ansible/inventory b/tools/ansible/inventory
index fc25842..47fda66 100644
--- a/tools/ansible/inventory
+++ b/tools/ansible/inventory
@@ -1,6 +1,7 @@
build-sunet-a ansible_ssh_user=root ansible_ssh_host=build-sunet-a.torproject.net
fpcentral ansible_become=True ansible_become_method=sudo ansible_become_user=fpcentral ansible_ssh_host=forrestii.torproject.org allow_world_readable_tmpfiles=True
boklm-tbb-nightly-build ansible_ssh_user=root ansible_become_method=su
+tbb-nightly-signing ansible_ssh_user=root ansible_become_method=su
[tbb-build]
build-sunet-a
diff --git a/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml b/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
new file mode 100644
index 0000000..cbe3b82
--- /dev/null
+++ b/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+nightly_signing_user: nightly-signing
+nightly_signing_cron_hour: '*'
+nightly_signing_cron_minute: '0,30'
+tor_browser_build_dir: "/home/{{ nightly_signing_user }}/tor-browser-build"
+tor_browser_build_git_url: https://git.torproject.org/builders/tor-browser-build.git
+tor_browser_build_commit: 8d66414b7860751ffec6a83a6bc6dbfbd94f801a
diff --git a/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml b/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml
new file mode 100644
index 0000000..3cc96ba
--- /dev/null
+++ b/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Install dependencies
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - git
+ - libdatetime-perl
+ - libfindbin-libs-perl
+ - libfile-slurp-perl
+ - libxml-writer-perl
+ - libio-captureoutput-perl
+ - libparallel-forkmanager-perl
+ - libxml-libxml-perl
+ - libwww-perl
+ - libjson-perl
+ - libyaml-libyaml-perl
+ - libyaml-perl
+ - libtemplate-perl
+ - libio-handle-util-perl
+ - libio-all-perl
+ - libio-captureoutput-perl
+ - libpath-tiny-perl
+ - libstring-shellquote-perl
+ - libsort-versions-perl
+ - libdigest-sha-perl
+ - libdata-uuid-perl
+ - libdata-dump-perl
+ - libfile-copy-recursive-perl
+ - libnss3-tools
+ - rsync
+
+- name: create nightly-signing user
+ user:
+ name: "{{ nightly_signing_user }}"
+ comment: "Tor Browser Nightly Signing"
+ createhome: yes
+ home: "/home/{{ nightly_signing_user }}"
+
+- name: clone tor-browser-build
+ become: yes
+ become_user: "{{ nightly_signing_user }}"
+ git:
+ repo: "{{ tor_browser_build_git_url }}"
+ dest: "{{ tor_browser_build_dir }}"
+ version: "{{ tor_browser_build_commit }}"
+
+- name: add cron to sign nighly build
+ cron:
+ name: tbb-sign-nightly-build
+ user: "{{ nightly_signing_user }}"
+ hour: "{{ nightly_signing_cron_hour }}"
+ minute: "{{ nightly_signing_cron_minute }}"
+ job: "torsocks /home/{{ nightly_signing_user }}/tor-browser-build/tools/signing/nightly/sign-nightly"
diff --git a/tools/ansible/tbb-nightly-signing.yml b/tools/ansible/tbb-nightly-signing.yml
new file mode 100644
index 0000000..bc0c681
--- /dev/null
+++ b/tools/ansible/tbb-nightly-signing.yml
@@ -0,0 +1,6 @@
+---
+
+- hosts: tbb-nightly-signing
+ roles:
+ - role: tbb-nightly-signing
+ - role: unattended-upgrades
More information about the tor-commits
mailing list