Fix scripts and authorized_keys

ooni · Jul 29, 2024 · 5aa9c5a · 5aa9c5a
1 parent 7772c56
commit 5aa9c5a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 11 deletions.
diff --git a/ansible/roles/codesign_box/defaults/main.yml b/ansible/roles/codesign_box/defaults/main.yml
@@ -1,4 +1,4 @@
 ---
 cluster_id: cluster-qsvghm4oqok
 hsm_token_name: OONI_2024-04-26_1
-codesign_usernames: [art, majakomel, mehul]
+codesign_usernames: [ art, majakomel, mehul ]
diff --git a/ansible/roles/codesign_box/tasks/main.yml b/ansible/roles/codesign_box/tasks/main.yml
@@ -5,7 +5,6 @@
     dest: "/home/ubuntu/.ssh/authorized_keys"
     owner: "ubuntu"
     mode: "0400"
-  with_items: "{{ codesign_usernames }}"
 
 - name: Install cloudhsm-cli
   ansible.builtin.apt:
@@ -62,7 +61,7 @@
     owner: ubuntu
     group: adm
     mode: "u=rw,g=,o="
-    force: true
+    force: false
 
 - name: Write sign-windows-exe.sh command
   ansible.builtin.template:

diff --git a/ansible/roles/codesign_box/templates/authorized_keys b/ansible/roles/codesign_box/templates/authorized_keys
@@ -1,6 +1,8 @@
 # managed by ansible
 # see roles/ssh_users/templates/authorized_keys
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6QK3Q5Hxtnf0o0wqMS47W/ewlHf5ZhQrn4vOR5HaUO oonidevops
-{% for k in ssh_users[item]['keys'] %}
+{% for user in codesign_usernames %}
+{% for k in ssh_users[user]['keys'] %}
 {{ k }}
 {% endfor %}
+{% endfor %}
diff --git a/ansible/roles/codesign_box/templates/create-hsms.sh b/ansible/roles/codesign_box/templates/create-hsms.sh
@@ -29,14 +29,22 @@ wait_for_hsm_tokens() {
 
 }
 
-create_hsm_token eu-central-1a
-create_hsm_token eu-central-1b
-wait_for_hsm_tokens
+CURRENT_TOKEN_COUNT=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)")
+if [ "$CURRENT_TOKEN_COUNT" -ge 2 ]; then
+    echo "Enough HSMs already exist, skipping creation"
+else
+    create_hsm_token eu-central-1a
+    create_hsm_token eu-central-1b
+    wait_for_hsm_tokens
+fi
 
 echo "Extracting IP addresses of created HSM tokens..."
 IP_ADDRESSES=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].EniIp" --output text)
 echo "IP Addresses of created HSM tokens: $IP_ADDRESSES"
 
+IP_ADDRESS_1=$(echo IP_ADDRESSES | cut -d ' ' -f1)
+IP_ADDRESS_2=$(echo IP_ADDRESSES | cut -d ' ' -f2)
+
 echo "[+] writing cloudhsm-cli.cfg"
 cat <<EOF > /tmp/cloudhsm-cli.cfg
 {
@@ -46,12 +54,12 @@ cat <<EOF > /tmp/cloudhsm-cli.cfg
             "hsm_ca_file": "/opt/cloudhsm/etc/customerCA.crt",
             "servers":[
                 {
-                    "hostname": "${IP_ADDRESSES[0]}",
+                    "hostname": "$IP_ADDRESS_1",
                     "port": 2223,
                     "enable": true
                 },
                 {
-                    "hostname": "${IP_ADDRESSES[1]}",
+                    "hostname": "$IP_ADDRESS_2",
                     "port": 2223,
                     "enable": true
                 }
@@ -80,12 +88,12 @@ cat <<EOF > /tmp/cloudhsm-pkcs11.cfg
             "hsm_ca_file": "/opt/cloudhsm/etc/customerCA.crt",
             "servers":[
                 {
-                    "hostname": "${IP_ADDRESSES[0]}",
+                    "hostname": "$IP_ADDRESS_1",
                     "port": 2223,
                     "enable": true
                 },
                 {
-                    "hostname": "${IP_ADDRESSES[1]}",
+                    "hostname": "$IP_ADDRESS_2",
                     "port": 2223,
                     "enable": true
                 }