autosign: adjust playbooks for prod

We need to setup things in prod slightly differently, using keyctl. Copy in the service and scripts. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-04-26 11:36:10 +08:00 · 2024-01-30 09:33:45 -08:00
parent d3222f83e9
commit c764d1ea86
3 changed files with 48 additions and 3 deletions
--- a/roles/robosignatory/files/robosignatory.service
+++ b/roles/robosignatory/files/robosignatory.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Robosignatory
+
+[Service]
+Type=simple
+User = robosignatory
+Group = robosignatory
+Restart=no
+ExecStart=/usr/bin/keyctl session - /usr/local/bin/sigul-add-key
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/robosignatory/files/sigul-add-key
+++ b/roles/robosignatory/files/sigul-add-key
@@ -0,0 +1,5 @@
+#!/bin/bash -e
+# Courtesy of puiterwijk
+passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ")
+keyctl add user "sigul:autosign" "${passphrase}" @s
+exec /usr/bin/fedora-messaging --conf /etc/fedora-messaging/robosignatory.toml consume
--- a/roles/robosignatory/tasks/main.yml
+++ b/roles/robosignatory/tasks/main.yml
@@ -165,7 +165,7 @@
  - robosignatory
  - robosignatory-config

- name: Create /etc/systemd/system/fm-consumer@.service.d
+- name: Create /etc/systemd/system/fm-consumer@.service.d (staging)
  file:
    state: directory
    path: /etc/systemd/system/fm-consumer@.service.d
@@ -177,7 +177,7 @@
  - config
  - robosignatory

- name: Configure fm-consumer@.service to run as robosignatory
+- name: Configure fm-consumer@.service to run as robosignatory (staging)
  copy:
    src: fm-consumer@.service
    dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
@@ -192,7 +192,7 @@
  - config
  - robosignatory

- name: Ensure fedora-messaging is enabled and started on the backend
+- name: Ensure fedora-messaging is enabled and started on the backend (staging)
  service:
    name: fm-consumer@robosignatory.service
    enabled: yes
@@ -202,6 +202,34 @@
  - config
  - robosignatory

+- name: Configure key add script
+  copy:
+    src: sigul-add-key
+    dest: /usr/local/bin/sigul-add-key
+    owner: root
+    group: root
+    mode: 0711
+  when: env != 'staging'
+  notify:
+  - reload systemd
+  tags:
+  - config
+  - robosignatory
+
+- name: Configure robosignatory.service
+  copy:
+    src: robosignatory.service
+    dest: /etc/systemd/system/robosignatory.service
+    owner: root
+    group: root
+    mode: 0644
+  when: env != 'staging'
+  notify:
+  - reload systemd
+  tags:
+  - config
+  - robosignatory
+
 - name: Allow robosignatory to use systemd-ask-password
  copy:
    src: ask-password-robosignatory.conf