Skip to content

Sign hosts multihost#38

Open
anfimovdm wants to merge 7 commits into
masterfrom
sign-hosts-multihost
Open

Sign hosts multihost#38
anfimovdm wants to merge 7 commits into
masterfrom
sign-hosts-multihost

Conversation

@anfimovdm

Copy link
Copy Markdown
Contributor

anfimovdm added 7 commits July 8, 2026 10:15
Introduce a sign-host stack where each host co-locates albs-sign-node and
albs-sign-file, sharing one per-host GnuPG keyring.

- sign_common: shared role that creates the service user, installs base
  packages, and resolves the host signing key(s) into the gpg_keys fact
  (explicit pgp_keys -> existing keyring -> optional dev key, else fail).
- separate_sign_file: clone/venv/config/systemd for the sign-file API,
  with sqlite or existing-postgres backend and alembic schema setup.
- bitwarden_cli: reusable role installing the bw CLI + bw-ensure-session
  helper for prod passphrase retrieval.
- separate_sign_node: drop inline user/GPG setup (now in sign_common);
  add sign_dev_mode toggle and Bitwarden block to the config template.
- New inventories/sign_nodes multi-host inventory and vars template.
- bitwarden_cli: add bitwarden_master_password (vault-supplied) and write
  it to a managed bitwarden_password_file (0600, service user, no_log) so
  bw-ensure-session and the service configs have a source; guarded so the
  file can still be provisioned out-of-band.
- sign_common: fail the play when a declared pgp_keys id is not present as a
  secret key in the host keyring, instead of silently writing an unusable id
  into the service configs.
- Document the "bring your own key" path (pgp_keys / gpg_import_keys) and the
  Bitwarden secret vars in the inventory and vars template.
- Back up managed configs and unit files on the host before overwriting
  them (backup: yes) for sign_node.yml, config.yaml, both systemd units,
  and the nginx pulp.conf.
- separate_sign_node: drop recurse from the working-dir task so it no longer
  tries to chown volume contents (e.g. beholder-data) as the unprivileged
  service user, which failed with EPERM.
- separate_sign_node: remove the stale codenotary.repo download and its
  enablerepo entry; notarization now uses the immudb_wrapper pip package.
- separate_sign_file: default the repo branch to main (was master).
Get albs-sign-node to actually start under enforcing SELinux with a clean
dependency tree:

- sign_common: set SELinux state (default permissive) before other setup.
  Both services run from the user home (user_home_t), which enforcing SELinux
  blocks systemd from exec'ing/reading. Overridable via
  sign_common_selinux_state.
- separate_sign_node: build the venv WITHOUT system site-packages, so the
  system google.* package no longer shadows the venv's google.protobuf
  (pulled in by immudb_wrapper) and breaks startup.
- separate_sign_node: pin the immudb/protobuf/google stack (sign_node_dep_pins)
  to the versions running in production; unpinned, a fresh install pulls
  protobuf 6 whose PEP420 google namespace is broken by the bogus google-api
  dep immudb-py drags in.
- Resolve bitwarden_password_file via service_user (not the role-scoped
  bitwarden_cli_config_user), so the write path and every consumer
  (sign-node/sign-file configs, bw-ensure-session) agree instead of the
  consumers falling back to /home/root/.config/.bw-master.
- Move the password file under ~/.config and create its parent dir before
  writing (bitwarden_cli runs before the service roles that make .config).
- Skip `bw config server` when the server is already configured; the CLI
  refuses it while logged in ("Logout required before server config update").
- Document the pgp_keys/gpg_import_keys "bring your own key" path and the
  Bitwarden vars in the inventory and vars template.
- Install the package as .[bitwarden] when Bitwarden is enabled; the
  bitwarden-wrapper client is an optional extra in setup.py, so a plain
  install left the service unable to fetch key passphrases in prod.
- Move the sign-file config from /etc/sign-file/config.yaml to
  /home/<service_user>/.config/sign_file.yaml, alongside the sign-node config.
immudb-py declares a spurious dependency on the google-api PyPI stub, which
installs a regular google/__init__.py and shadows the PEP420 google namespace,
so google.protobuf / google.api fail to import at startup. immudb-py never
imports google-api, so uninstall it after the venv build; this keeps modern
protobuf instead of freezing the whole stack on protobuf 3.

- separate_sign_node: replace the sign_node_dep_pins reconciliation with a
  google-api uninstall step, and add an import smoke-test so a broken
  dependency tree fails the deploy rather than the service.
- Drop the now-unused sign_node_dep_pins default.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add Ansible roles for deploying albs-sign-node and albs-sign-file as systemd services

2 participants