Sign hosts multihost#38
Open
anfimovdm wants to merge 7 commits into
Open
Conversation
Introduce a sign-host stack where each host co-locates albs-sign-node and albs-sign-file, sharing one per-host GnuPG keyring. - sign_common: shared role that creates the service user, installs base packages, and resolves the host signing key(s) into the gpg_keys fact (explicit pgp_keys -> existing keyring -> optional dev key, else fail). - separate_sign_file: clone/venv/config/systemd for the sign-file API, with sqlite or existing-postgres backend and alembic schema setup. - bitwarden_cli: reusable role installing the bw CLI + bw-ensure-session helper for prod passphrase retrieval. - separate_sign_node: drop inline user/GPG setup (now in sign_common); add sign_dev_mode toggle and Bitwarden block to the config template. - New inventories/sign_nodes multi-host inventory and vars template.
- bitwarden_cli: add bitwarden_master_password (vault-supplied) and write it to a managed bitwarden_password_file (0600, service user, no_log) so bw-ensure-session and the service configs have a source; guarded so the file can still be provisioned out-of-band. - sign_common: fail the play when a declared pgp_keys id is not present as a secret key in the host keyring, instead of silently writing an unusable id into the service configs. - Document the "bring your own key" path (pgp_keys / gpg_import_keys) and the Bitwarden secret vars in the inventory and vars template.
- Back up managed configs and unit files on the host before overwriting them (backup: yes) for sign_node.yml, config.yaml, both systemd units, and the nginx pulp.conf. - separate_sign_node: drop recurse from the working-dir task so it no longer tries to chown volume contents (e.g. beholder-data) as the unprivileged service user, which failed with EPERM. - separate_sign_node: remove the stale codenotary.repo download and its enablerepo entry; notarization now uses the immudb_wrapper pip package. - separate_sign_file: default the repo branch to main (was master).
Get albs-sign-node to actually start under enforcing SELinux with a clean dependency tree: - sign_common: set SELinux state (default permissive) before other setup. Both services run from the user home (user_home_t), which enforcing SELinux blocks systemd from exec'ing/reading. Overridable via sign_common_selinux_state. - separate_sign_node: build the venv WITHOUT system site-packages, so the system google.* package no longer shadows the venv's google.protobuf (pulled in by immudb_wrapper) and breaks startup. - separate_sign_node: pin the immudb/protobuf/google stack (sign_node_dep_pins) to the versions running in production; unpinned, a fresh install pulls protobuf 6 whose PEP420 google namespace is broken by the bogus google-api dep immudb-py drags in.
- Resolve bitwarden_password_file via service_user (not the role-scoped
bitwarden_cli_config_user), so the write path and every consumer
(sign-node/sign-file configs, bw-ensure-session) agree instead of the
consumers falling back to /home/root/.config/.bw-master.
- Move the password file under ~/.config and create its parent dir before
writing (bitwarden_cli runs before the service roles that make .config).
- Skip `bw config server` when the server is already configured; the CLI
refuses it while logged in ("Logout required before server config update").
- Document the pgp_keys/gpg_import_keys "bring your own key" path and the
Bitwarden vars in the inventory and vars template.
- Install the package as .[bitwarden] when Bitwarden is enabled; the bitwarden-wrapper client is an optional extra in setup.py, so a plain install left the service unable to fetch key passphrases in prod. - Move the sign-file config from /etc/sign-file/config.yaml to /home/<service_user>/.config/sign_file.yaml, alongside the sign-node config.
immudb-py declares a spurious dependency on the google-api PyPI stub, which installs a regular google/__init__.py and shadows the PEP420 google namespace, so google.protobuf / google.api fail to import at startup. immudb-py never imports google-api, so uninstall it after the venv build; this keeps modern protobuf instead of freezing the whole stack on protobuf 3. - separate_sign_node: replace the sign_node_dep_pins reconciliation with a google-api uninstall step, and add an import smoke-test so a broken dependency tree fails the deploy rather than the service. - Drop the now-unused sign_node_dep_pins default.
Kwaizer
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves: AlmaLinux/build-system#539