Release/adopt the Onionspray Ansible role

Description

The Mediapart role is a good starting point to build a general Ansible recipe for managing Onionspray.

This ticket is about forking and improving it towards making the official role.

Tasks

  • Fork the Mediapart role into the tpo/onion-services/ansible subgroup.
  • Create a 2.0.0 branch to integrate all changes, so it's easy to run/test/review?
  • Improve the existing codebase (one feature/fix per branch/merge request):
  • Add new features:
    • Rename onionspray_user_homedir as onionspray_homedir and make it more configurable. Done at 110879db.
    • Incorporate the Project 145 use case into the Mediapart role (split this into smaller tasks if needed), including:
      • Support for multiple sites/projects in the same Onionspray instances (!5 (merged)).
      • Add CI tests for multiple sites/projects (onionspray_project_settings and onionspray_keys) (!6 (merged)).
      • Improve the Onionspray config template to support additional options. Task related to tpo/onion-services/onionspray#44. While the role now uses a settings dictionary accepting whichever existing config options, some settings might benefit from having their own variables, allowing for encrypted secrets etc. Implemented on !8 (merged).
      • Support for custom procedures for storing and uploading keys and certificates (!9 (merged)).
      • Porting other features from our old (and internal) Onionspray Ansible role:
    • Keyring should be a positional argument in the keys/certs uploader scripts.
    • Rename tor_address and proxied_domain variables to onion_address and upstream_address. Done on f861167d.
    • Request changes in the self-signed cert script directly upstream at make-selfsigned-wildcard-ssl-cert.sh. Done at tpo/onion-services/onionspray#72 (closed).
    • Check whether the systemd service is working.
  • Documentation:
    • Move variable documentation from the README directly to defaults/main.yml, but leave a reference. Done at f861167d.
    • Add comments into the generated project configuration (!17 (merged)).
    • Fix incomplete documentation on key and cert management, including (!17 (merged)):
      • The example upload scripts.
      • How to create keys and certificates. The certificate part is out-of-scope here, and is tracked at tpo/onion-services/ecosystem#14.
    • Create a HOWTO section with many examples (!17 (merged)).
    • Simplify the quick start example: it should be minimal (!17 (merged)).
  • Management:
    • Create merge requests in the original Mediapart role.
    • Improve the role documentation, including (!17 (merged)):
      • A Development section in the README, using onionprobe-role's as base.
      • Example procedure to create Onion Service keys.
    • Tag the version with !5 (merged) as 2.0.0.
    • Create migration guidance from 1.0 to 2.0.0 to 3.0.0, including breaking changes (!18 (merged)).
    • Set up monthly CI jobs.
    • Ping the contact point about this fork, since they're the Mediapart role's maintainers, pointing to the changes and inviting them to be a co-maintainer in the new, official role repository.
    • Remove the forking relationship between the official role and the original role (should be in Project settings > General > Advanced).
  • Launch:
    • Add other needed files (meta/main.yml (!3 (merged)), CODE_OF_CONDUCT.md, LICENSE.spdx, .github/* etc).
    • List it in the deployment tools doc.
    • Additional testing and bug fixes.
    • Make a release (3.0.0).
    • Consider inclusion at the Ansible Galaxy. Check onionprobe-role#3 (closed) for a sample procedure.

Time estimation

  • Complexity: medium (3 days)
  • Uncertainty: high (x2)
  • Reference (adapted)
Edited by Silvio Rhatto