Prod vms on focal

.gitignore

@@ -145,6 +145,9 @@ securedrop/static/.webassets-cache
 # https://github.com/mitchellh/vagrant/issues/6705
 .bundle
 
+# Vagrant-added ansible-galaxy roles
+.galaxy_roles
+
 # ignore ansible retry files
 *.retry
 

Vagrantfile

@@ -71,7 +71,11 @@ Vagrant.configure("2") do |config|
       config.ssh.port = 22
     end
     prod.vm.hostname = "mon-prod"
-    prod.vm.box = "bento/ubuntu-16.04"
+    if ENV['USE_FOCAL']
+      prod.vm.box = "bento/ubuntu-20.04"
+    else
+      prod.vm.box = "bento/ubuntu-16.04"
+    end
     prod.vm.network "private_network", ip: "10.0.1.5", virtualbox__intnet: internal_network_name
     prod.vm.synced_folder './', '/vagrant', disabled: true
     prod.vm.provider "libvirt" do |lv, override|
@@ -86,7 +90,11 @@ Vagrant.configure("2") do |config|
       config.ssh.port = 22
     end
     prod.vm.hostname = "app-prod"
-    prod.vm.box = "bento/ubuntu-16.04"
+    if ENV['USE_FOCAL']
+      prod.vm.box = "bento/ubuntu-20.04"
+    else
+      prod.vm.box = "bento/ubuntu-16.04"
+    end
     prod.vm.network "private_network", ip: "10.0.1.4", virtualbox__intnet: internal_network_name
     prod.vm.synced_folder './', '/vagrant', disabled: true
     prod.vm.provider "virtualbox" do |v|
@@ -113,6 +121,32 @@ Vagrant.configure("2") do |config|
     end
   end
 
+  config.vm.define 'apt-local', autostart: false do |prod|
+    prod.vm.hostname = "apt-local"
+    prod.vm.box = "bento/ubuntu-20.04"
+    prod.vm.network "private_network", ip: "10.0.1.7", virtualbox__intnet: internal_network_name
+    prod.vm.synced_folder './', '/vagrant', disabled: true
+    prod.vm.provider "virtualbox" do |v|
+      v.memory = 1024
+    end
+    prod.vm.provider "libvirt" do |lv, override|
+      lv.memory = 1024
+      lv.video_type = "virtio"
+    end
+    prod.vm.provision "ansible" do |ansible|
+      ansible.playbook = "devops/apt-local.yml"
+      ansible.galaxy_role_file = "molecule/upgrade/requirements.yml"
+      ansible.galaxy_roles_path = ".galaxy_roles"
+      ansible.verbose = 'v'
+      # the production playbook verifies that staging default values are not
+      # used will need to skip the this role to run in Vagrant
+      ansible.raw_arguments = Shellwords.shellsplit(ENV['ANSIBLE_ARGS']) if ENV['ANSIBLE_ARGS']
+      # Taken from the parallel execution tips and tricks
+      # https://docs.vagrantup.com/v2/provisioning/ansible.html
+      ansible.limit = 'all,localhost'
+    end
+  end
+
 end
 
 

devops/apt-local.yml

@@ -0,0 +1,48 @@
+---
+- name: Confirm local debs present
+  hosts: localhost
+  gather_facts: no
+  tasks:
+      # Before running apt-server logic, confirm we have local
+      # debs built.
+    - name: Find local deb files
+      find:
+        paths: "../build/focal/"
+        patterns: "*.deb"
+      register: _find_debs_result
+
+    - name: Ensure debs were found
+      assert:
+        that:
+          - "_find_debs_result.files|length >= 8"
+        msg: "No local debs found, run 'make build-debs-focal'"
+
+- name: Configure apt-server
+  hosts: apt-local
+  become: yes
+  tasks:
+    - import_tasks: ../molecule/upgrade/local_apt_mirror.yml
+    - import_tasks: ../molecule/upgrade/local_apt_with_debs.yml
+
+  vars:
+    QA_APTTEST: False
+    rep_dist: "focal"
+    molecule_dir: "../molecule/upgrade"
+    dpkg_dir: /var/repos/debs
+    rep_component: main
+    rep_arch: i386 amd64
+    release_file: "/var/repos/base/dists/{{ rep_dist }}/Release"
+    nginx_sites:
+      default:
+        - listen 80
+        - root "/var/repos/base"
+        - location / { autoindex on; }
+        - location /gpg { alias /var/repos/base/; }
+      encrypted:
+        - listen 443 ssl
+        - server_name apt.freedom.press
+        - ssl_certificate /etc/ssl/certs/apt_freedom_press.pem
+        - ssl_certificate_key /etc/ssl/private/apt_freedom_press.priv
+        - root "/var/repos/base"
+        - location / { autoindex on; }
+

install_files/ansible-base/securedrop-apt-local.yml

@@ -0,0 +1,33 @@
+---
+# Playbook to update SecureDrop VMs to install Focal packages from a local repo
+#
+# Steps to use this playbook:
+#
+#   1. On host machine, build packages with `make build-debs-focal`
+#   2. On host machine, provision local apt repo with `vagrant up apt-local`
+#   3. Switch to Admin Workstation
+#   3. Continue with prod provisioning as far as `./securedrop-admin sdconfig`
+#   5. Run `source admin/.venv3/bin/activate` (so ansible commands work)
+#   6. Run `cd install_files/ansible-base`
+#   7. Run `ansible-playbook -vv --diff securedrop-apt-local.yml`
+#   8. Proceed with `./securedrop-admin install`
+
+- name: Configure prod host to prioritize local packages.
+  environment:
+    LC_ALL: C
+  max_fail_percentage: 0
+  any_errors_fatal: yes
+  hosts: securedrop
+  tasks:
+    - name: Add apt public key for local repo.
+      apt_key:
+        data: "{{ lookup('file', '../../molecule/upgrade/files/apt-test.pub') }}"
+        state: present
+
+    - name: Add local repo
+      apt_repository:
+        repo: deb [arch=amd64] http://10.0.1.7 focal main
+        state: present
+        update_cache: yes
+  become: yes
+

molecule/upgrade/local_apt_with_debs.yml

@@ -31,5 +31,5 @@
   changed_when: false
 
 - name: Sign release file
-  command: "gpg -b -u C5D5CD3B6D65484B -o {{ release_file }}.gpg {{ release_file }}"
+  command: "gpg --armor -b -u C5D5CD3B6D65484B -o {{ release_file }}.gpg {{ release_file }}"
   changed_when: false