
Whack with club until builds work with new repository and scripts.

Rob Austein 8 years ago
parent
commit
a0915be2d0
4 changed files with 42 additions and 12 deletions
  1. 0 6
      README
  2. 7 5
      rpki-pbuilder.py
  3. 1 1
      rpki-pbuilder.sh
  4. 34 0
      rpki-pbuilder.ssh_config

+ 0 - 6
README

@@ -1,9 +1,3 @@
 Tools and scripts related to automated building of Debian packages and
 maintenance of an APT repository containing the result.  At present,
 this is based on pbuilder and reprepro running on Ubuntu.
-
-This used to be part of the buildtools/ directory in the main
-repository, but the build automation isn't really tied to any
-particular branch, and now that it has to maintain packages from
-multiple branches it's less confusing to put it in its own little
-corner of the repository.

+ 7 - 5
rpki-pbuilder.py

@@ -51,8 +51,6 @@ parser.add_argument("--git-tree", default = os.path.expanduser("~/source/master/
                     help = "git tree")
 parser.add_argument("--apt-tree", default = os.path.expanduser("~/repository/"),
                     help = "reprepro repository")
-parser.add_argument("--apt-user", default = "aptbot",
-                    help = "username for uploading apt repository to public web server")
 parser.add_argument("--url-host", default = "download.rpki.net",
                     help = "hostname of public web server")
 parser.add_argument("--url-scheme", default = "http",
@@ -103,7 +101,7 @@ except (IOError, OSError), e:
     sys.exit(0 if e.errno == errno.EAGAIN else "Error {!r} opening lock {!r}".format(e, args.lockfile))
 
 run("git", "fetch", "--all", "--prune", cwd = args.git_tree)
-run("git", "pull", cwd = args.git_tree)
+run("git", "pull",                      cwd = args.git_tree)
 
 source_version = subprocess.check_output((sys.executable, os.path.join(args.git_tree, "buildtools/make-version.py"),
                                           "--build-tag", "--stdout"), cwd = args.git_tree).strip()
@@ -334,12 +332,16 @@ for r in args.releases:
 
 Release.do_all_releases()
 
+# Push any tags created above to the public git repository.
+
+if upload:
+    run("git", "push", "--tags", cwd = args.git_tree)
+
 # Upload results, maybe.  We do this in two stages, to minimize the window
 # during which the uploaded repository might be in an inconsistent state.
 
 def rsync(*flags):
-    cmd = ["rsync", "--archive", "--itemize-changes",
-           "--rsh", "ssh -l {}".format(args.apt_user)]
+    cmd = ["rsync", "--archive", "--itemize-changes", "--rsh", "ssh"]
     cmd.extend(flags)
     cmd.append(args.apt_tree)
     cmd.append("rsync://{host}/{path}/".format(host = args.url_host,
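Review bot: `git push --tags` in the new `if upload:` block publishes every tag in the local repository, not only the tags created by this run as the comment above it says. Because the script runs `git fetch --all --prune` earlier, the local tag set may include tags picked up from any configured remote, which is wider than the push key is meant to cover. Pushing the created tag by name keeps that key's use narrow, for example `run("git", "push", "origin", "refs/tags/" + tag_name, cwd = args.git_tree)`, where `tag_name` is a placeholder for whatever the release code created (not visible in this hunk). The push also runs before the two-stage rsync upload, so a failed upload would presumably leave published tags with no matching packages; consider moving it after the upload or stating the ordering in the comment.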

+ 1 - 1
rpki-pbuilder.sh

@@ -9,7 +9,7 @@ set -x
 cd $HOME
 
 python rpki-pbuilder.py					\
-    --git-tree $HOME/source.ng/master/			\
+    --git-tree $HOME/source.ng/rpki.net/		\
     --apt-tree $HOME/repository.ng/			\
     --url-path /APTng					\
     --releases debian/jessie ubuntu/xenial

+ 34 - 0
rpki-pbuilder.ssh_config

@@ -0,0 +1,34 @@
+# Fake hostnames here correspond to git remote URLs, which turns out
+# to be the easy way to use separate keys for push and fetch:
+#
+#   $ git remote -v
+#   origin  pull.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (fetch)
+#   origin  push.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (push)
+#
+# The third key is used for rsync daemon-mode-over-ssh, as the name suggests:
+#
+#   $ rsync --rsh ssh rsync://download.rpki.net/
+#   APT    APT repository for old stable RPKI code (trunk)
+#   APTng  APT repository for new development RPKI code
+#
+# The reason for using three separate keys is simple: this is a robot, keys are cheap,
+# and using a separate key for each allowed action gives us a trivial way to lock down
+# the server side.
+
+Host pull.download.rpki.net
+    HostName download.rpki.net
+    User aptbot
+    IdentityFile ~/.ssh/id_rsa_pull
+    IdentitiesOnly yes
+
+Host push.download.rpki.net
+    HostName download.rpki.net
+    User aptbot
+    IdentityFile ~/.ssh/id_rsa_push
+    IdentitiesOnly yes
+
+Host download.rpki.net
+    HostName download.rpki.net
+    User aptbot
+    IdentityFile ~/.ssh/id_rsa_rsync
+    IdentitiesOnly yes
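Review bot: The three `Host` blocks pin the user and identity file but say nothing about host key checking or prompting, so how the robot reacts to an unknown or changed host key depends on the defaults wherever this file is installed. Adding `BatchMode yes` and `StrictHostKeyChecking yes` to each block, or once in a shared `Host *.download.rpki.net download.rpki.net` block, would make an unattended run fail closed instead of waiting on a prompt. The header comment could also state that the per-action lockdown depends on the server-side `authorized_keys` entries restricting what each key may do, since nothing in this client file enforces it.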