Bug 25102: Setup nightly signing

17804f5a · boklm · 8d66414b · 17804f5a · 17804f5a · 17804f5a
Unverified Commit 17804f5a authored 5 years ago by boklm
--- a/tools/ansible/Makefile
+++ b/tools/ansible/Makefile
@@ -6,3 +6,6 @@ fpcentral:

 boklm-tbb-nightly-build:
 	ansible-playbook --vault-password-file=~/ansible-vault/boklm-tbb-nightly -i inventory boklm-tbb-nightly-build.yml
+
+tbb-nightly-signing:
+	ANSIBLE_CONFIG='$(@D)/ansible.cfg' ansible-playbook -i inventory tbb-nightly-signing.yml
--- a/tools/ansible/README
+++ b/tools/ansible/README
@@ -25,6 +25,13 @@ boklm-tbb-nightly-build:
  For more details, see also this ticket:
  https://trac.torproject.org/projects/tor/ticket/33948

+tbb-nightly-signing:
+  This target is used to deploy a nightly signing machine. The
+  configuration of nightly signing is done in the following files:
+   tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
+   tools/signing/nightly/config.yml
+   tools/signing/nightly/update-responses-base-config.yml
+

 Adding, removing, updating users on the Tor Browser team build machine
 ======================================================================

--- a/tools/ansible/ansible.cfg
+++ b/tools/ansible/ansible.cfg
+[ssh_connection]
+; When connecting to a v3 onion, we get the error:
+; "unix_listener: [...] too long for Unix domain socket"
+; We solve this by using %n (The original remote hostname, as given on
+; the command line) instead of %h (The remote hostname) in the control path.
+control_path=%(directory)s/%%r-%%n-%%r
--- a/tools/ansible/inventory
+++ b/tools/ansible/inventory
 build-sunet-a ansible_ssh_user=root ansible_ssh_host=build-sunet-a.torproject.net
 fpcentral ansible_become=True ansible_become_method=sudo ansible_become_user=fpcentral ansible_ssh_host=forrestii.torproject.org allow_world_readable_tmpfiles=True
 boklm-tbb-nightly-build ansible_ssh_user=root ansible_become_method=su
+tbb-nightly-signing ansible_ssh_user=root ansible_become_method=su

 [tbb-build]
 build-sunet-a

--- a/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
+++ b/tools/ansible/roles/tbb-nightly-signing/defaults/main.yml
+---
+nightly_signing_user: nightly-signing
+nightly_signing_cron_hour: '*'
+nightly_signing_cron_minute: '0,30'
+tor_browser_build_dir: "/home/{{ nightly_signing_user }}/tor-browser-build"
+tor_browser_build_git_url: https://git.torproject.org/builders/tor-browser-build.git
+tor_browser_build_commit: 8d66414b7860751ffec6a83a6bc6dbfbd94f801a
--- a/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml
+++ b/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml
+---
+- name: Install dependencies
+  apt:
+      name: "{{ item }}"
+      state: present
+  with_items:
+      - git
+      - libdatetime-perl
+      - libfindbin-libs-perl
+      - libfile-slurp-perl
+      - libxml-writer-perl
+      - libio-captureoutput-perl
+      - libparallel-forkmanager-perl
+      - libxml-libxml-perl
+      - libwww-perl
+      - libjson-perl
+      - libyaml-libyaml-perl
+      - libyaml-perl
+      - libtemplate-perl
+      - libio-handle-util-perl
+      - libio-all-perl
+      - libio-captureoutput-perl
+      - libpath-tiny-perl
+      - libstring-shellquote-perl
+      - libsort-versions-perl
+      - libdigest-sha-perl
+      - libdata-uuid-perl
+      - libdata-dump-perl
+      - libfile-copy-recursive-perl
+      - libnss3-tools
+      - rsync
+
+- name: create nightly-signing user
+  user:
+      name: "{{ nightly_signing_user }}"
+      comment: "Tor Browser Nightly Signing"
+      createhome: yes
+      home: "/home/{{ nightly_signing_user }}"
+
+- name: clone tor-browser-build
+  become: yes
+  become_user: "{{ nightly_signing_user }}"
+  git:
+      repo: "{{ tor_browser_build_git_url }}"
+      dest: "{{ tor_browser_build_dir }}"
+      version: "{{ tor_browser_build_commit }}"
+
+- name: add cron to sign nighly build
+  cron:
+      name: tbb-sign-nightly-build
+      user: "{{ nightly_signing_user }}"
+      hour: "{{ nightly_signing_cron_hour }}"
+      minute: "{{ nightly_signing_cron_minute }}"
+      job: "torsocks /home/{{ nightly_signing_user }}/tor-browser-build/tools/signing/nightly/sign-nightly"
--- a/tools/ansible/tbb-nightly-signing.yml
+++ b/tools/ansible/tbb-nightly-signing.yml
+---
+
+- hosts: tbb-nightly-signing
+  roles:
+      - role: tbb-nightly-signing
+      - role: unattended-upgrades