Age | Commit message | Author |
|
This gets us a simple apt repository privilege separation:
(a) our key can't be used to forge other repos
(b) other keys can't be used to forge our repo.
From sources.list(5):
· Signed-By (signed-by) is either an absolute path to a keyring
file (has to be accessible and readable for the _apt user, so ensure
everyone has read-permissions on the file) or one or more
fingerprints of keys either in the trusted.gpg keyring or in the
keyrings in the trusted.gpg.d/ directory (see apt-key
fingerprint). If the option is set, only the key(s) in this keyring
or only the keys with these fingerprints are used for the
apt-secure(8) verification of this repository. Defaults to the value
of the option with the same name if set in the previously acquired
Release file. Otherwise all keys in the trusted keyrings are
considered valid signers for this repository.
|
|
* Change environment names for clarity:
  . Use staging for deploying to latest
  . Use production environments to deploy to demo:
    production/vpn
    production/mail
* Install leap_cli if not present and define default values
* Remove old nodes from cached runs
* Remove no longer used SEEDS variable
* Debugging improvements:
  . Hide secrets when calling ci-build.sh with xtrace enabled
  . Use unbuffer so we can add debug output locally
  . Add debugging to build_from_scratch()
|
|
Pull duplicated bits into a function
|
|
This cuts the number of hops for a tor onion service from 6 to 3,
speeding it up considerably. This removes the anonymity aspect of the
service, so it must be enabled intentionally, knowing that the server's
location no longer is hidden.
|
|
subrepo:
  subdir: "puppet/modules/tor"
  merged: "5ef29012"
upstream:
  origin: "https://leap.se/git/puppet_tor"
  branch: "master"
  commit: "5ef29012"
git-subrepo:
  version: "0.4.0"
  origin: "https://github.com/ingydotnet/git-subrepo"
  commit: "2e78d5d"
|
|
. Reorganize script to allow for multiple builds
. Add latest build, pulling from the ibex provider
. Run the build as the cirunner unprivileged user
. Set pipefail because job is run within a pipe
. Change name of 'build' stage to 'deploy'
. Setup an environment for the latest CI deployment
|
|
Add a `leap help` command at the end of the CI setup.sh to ensure that
the command is set up properly before continuing
|
|
This replaces the secret_token from rails 4.1 on.
Both are used for securing cookies in the browser. The secret_key_base
will also encrypt the cookies while the token will only sign them.
Keeping the token in there for now allows us to migrate existing sessions
/ cookies to the new secrets. We can remove it in the next version once
all providers have run with secret_key_base for a while.
|
|
8144 remove haproxy
Closes #8144
See merge request !70
|
|
We used haproxy because we had multiple bigcouch nodes but now
with a single couchdb node this is not needed anymore.
- Resolves: #8144
|
|
Install stunnel4 from jessie-backports
Closes #8746
See merge request !72
|
|
The jessie version randomly closes the connection prematurely
see https://0xacab.org/leap/platform/issues/8746
- Resolves: #8746
|
|
Cleanup modified Gemfile.lock before pulling nickserver vcsrepo
Closes #8492
See merge request !71
|
|
Resolves: #8492
|
|
now that we deprecate wheezy, we can always set
smtpd_relay_restrictions
|
|
Platform CI: Don't run bundle install in parallel
Closes #8684
See merge request !67
|
|
Closes: #8684
|
|
with @aarni
|
|
puppet/modules/systemd
subrepo:
  subdir: "puppet/modules/systemd"
  merged: "f3c4059"
upstream:
  origin: "https://leap.se/git/puppet_systemd"
  branch: "master"
  commit: "f3c4059"
git-subrepo:
  version: "0.3.0"
  origin: "https://github.com/ingydotnet/git-subrepo.git"
  commit: "841aa43"
|
|
This commit was moved to the systemd puppet repo.
This reverts commit f5db49cf6b3ca0a5830b849c0aac074e371b95d9.
|
|
Nickserver systemd
See merge request !65
|