This used to be the CI configuration for tahoe-lafs/tahoe-lafs. It is no longer used. At the time this repository was archived, the project had switched to CircleCI and GitHub Actions. See the in-repository configuration to learn more.
Buildbot config for Tahoe-LAFS and related projects
Some secrets are managed with sops.
To use sops on the buildmaster, set up sops keyservice forwarding::

    Host tahoe-lafs.org
        User buildmaster
        # Get a sops keyservice
        PermitLocalCommand yes
        LocalCommand sops keyservice --network unix --address /var/run/user/1000/sops-keyservice.sock &
        # Forward the sops keyservice
        RemoteForward /var/run/user/1007/<per-user-identifier>-sops-keyservice.sock /var/run/user/1000/sops-keyservice.sock
The first path given to ``RemoteForward`` is the remote path. The per-user-identifier in this path avoids a conflict between multiple clients logging in to the buildmaster with this configuration at the same time. Take note of the remote path for the next steps.
Note that the ``sops keyservice`` command will keep running after the SSH session completes. Future SSH sessions will not spawn additional keyservices, though. You can also skip this ssh configuration and run the keyservice manually, of course.
Also note that this use of ``sops keyservice`` may expose the keyservice to attackers with sufficient privileges on the target host. Consider this when engaging in this workflow.
This is the only step which is typically executed on the buildmaster.

- Update the checkout on the buildmaster.
- Run ``sops --keyservice unix://$REMOTE_PATH -d secrets.enc.yaml > secrets.yaml``. Only this operation requires the keyservice.
- Restart the buildmaster.
Perform this step locally. This avoids the need to deal with keyservice forwarding.

- Run ``sops secrets.enc.yaml``.
- Make changes, save, exit.
- Check in to version control.
Perform this step locally. This avoids the need to deal with keyservice forwarding::

    sops --add-pgp <fingerprint> secrets.enc.yaml

See ``sops --help`` and the GitHub page for more usage information.
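The three procedures above (decrypt on the buildmaster through the forwarded keyservice, edit locally, add a PGP recipient locally) wrapped in one helper script, as an added example that is not part of the tahoe-lafs buildbot repository. It assumes the socket path pattern from the ssh configuration above, that ``sops`` is on ``PATH`` on the machine running each step, and that GNU ``stat -c`` is available for the permission check; the uid, identifier and fingerprint values in the usage comment are placeholders. The permission check is the practical response to the caveat above: a forwarded keyservice answers decryption requests for anyone who can reach its socket, so the helper refuses a socket that is not owner-only, and it writes the plaintext under ``umask 077``.

```shell
#!/bin/sh
# Added example for the sops workflow in this README; not code from the
# tahoe-lafs buildbot repository. Assumptions: the keyservice socket follows
# the README's path pattern, `sops` is on PATH on the machine running the
# step, and GNU `stat -c` is available for the permission check.

# Remote socket path, built from the buildmaster uid and the per-user
# identifier so that concurrent clients do not collide (README pattern).
sops_socket_path() {
    printf '/var/run/user/%s/%s-sops-keyservice.sock\n' "$1" "$2"
}

# The README warns that a forwarded keyservice is reachable by attackers with
# privileges on the target host. Before using one, at least require that the
# socket is owner-only (no group/other permission bits), which keeps
# unprivileged users on the host out.
socket_is_private() {
    path="$1"
    [ -e "$path" ] || return 1
    mode=$(stat -c '%a' "$path") || return 1
    case "$mode" in
        0|*00) return 0 ;;   # e.g. 600 or 700; a leading setuid/setgid digit is ignored
        *)     return 1 ;;
    esac
}

# Accept an OpenPGP v4 fingerprint as 40 hex digits, with or without the
# usual spaces, so that a typo does not add a key nobody holds.
valid_pgp_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' ')
    [ "${#fp}" -eq 40 ] || return 1
    case "$fp" in
        *[!0-9A-Fa-f]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# Step run on the buildmaster: decrypt through the forwarded keyservice.
# The plaintext is created under umask 077 so other users cannot read it.
decrypt_secrets() {
    sock="$1"; enc="${2:-secrets.enc.yaml}"; out="${3:-secrets.yaml}"
    socket_is_private "$sock" || {
        echo "refusing: $sock is missing or not owner-only" >&2
        return 1
    }
    ( umask 077 && sops --keyservice "unix://$sock" -d "$enc" > "$out" )
}

# Steps run locally (no keyservice needed): edit, or add a recipient key.
edit_secrets() {
    sops "${1:-secrets.enc.yaml}"
}

add_pgp_recipient() {
    valid_pgp_fingerprint "$1" || {
        echo "refusing: '$1' is not a 40-hex-digit PGP fingerprint" >&2
        return 1
    }
    sops --add-pgp "$1" "${2:-secrets.enc.yaml}"
}

# Usage (placeholder values):
#   sh sops-helper.sh decrypt 1007 <per-user-identifier>   (on the buildmaster)
#   sh sops-helper.sh edit                                 (locally)
#   sh sops-helper.sh add-pgp <fingerprint>                (locally)
case "${1:-}" in
    decrypt) decrypt_secrets "$(sops_socket_path "$2" "$3")" ;;
    edit)    edit_secrets ;;
    add-pgp) add_pgp_recipient "$2" ;;
    *)       : ;;   # no subcommand: only define the functions
esac
```

The decrypt step is the only one that touches the keyservice, matching the README; the edit and add-pgp wrappers are plain local ``sops`` invocations with input validation in front of them.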