Ansible update of infrastructure


I’ll upgrade production by running

rm molecule/preprod/.molecule/state.yml
molecule create -s preprod
ansible-playbook --private-key infrastructure_key --user debian -i inventory securedrop-club-playbook.yml

on The molecule create is required to create the inventory/group_vars/all/domain.yml file to set domain: This will include changes from ece578106e885ced4c75c8c43105fc2f05f66014 to 3042122593ee35858d974ddcfc8fb62f5c4a22d9

New indirect reference to the private key in /srv/checkout/private-key.yml

ssh_private_keyfile: "{{ lookup('pipe', 'git rev-parse --show-toplevel') }}/infrastructure_key"

New production variables for gitlab mirroring:

New production variables for gitlab CI:

  • srv/checkout/inventory/host_vars/gitlab-host.yml
    • gitlab_os_auth_url:
    • gitlab_os_tenant_name: ABCDEF
    • gitlab_os_username: ABCDEF
    • gitlab_os_password: ABCDEF
    • gitlab_os_region_name: DE1

The with_https and with_fake_LE variables are now global and unset by default:

  • inventory/group_vars/all/https.yml is removed
  • the new file inventory/group_vars/all/with_https.yml is modified to uncomment with_https: true

The inventory/host_vars/icinga-host/monitoring.yml file does not need modification for vhost_fqdn anymore.
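A pre-flight check over the inventory changes listed above, run before the playbook. This is an added example, not part of the original post; it assumes the inventory root is passed as the first argument and that the files have the layout described above.

```shell
#!/bin/sh
# Pre-flight checks for the inventory layout described above, before running
# securedrop-club-playbook.yml. Inventory root is $1; returns 0 when all pass.
preflight_check() {
  inv="$1"; rc=0
  # molecule create must have produced domain.yml with a non-empty domain:
  if ! grep -Eq '^domain: *[^ ]+' "$inv/group_vars/all/domain.yml" 2>/dev/null; then
    echo "FAIL: group_vars/all/domain.yml missing or domain: unset"; rc=1
  fi
  # https.yml is gone; with_https: true must be uncommented in with_https.yml
  if [ -e "$inv/group_vars/all/https.yml" ]; then
    echo "FAIL: stale group_vars/all/https.yml still present"; rc=1
  fi
  if ! grep -Eq '^with_https: *true' "$inv/group_vars/all/with_https.yml" 2>/dev/null; then
    echo "FAIL: with_https: true is not uncommented in with_https.yml"; rc=1
  fi
  # gitlab CI OpenStack credentials: every key set and not left at the ABCDEF placeholder
  hv="$inv/host_vars/gitlab-host.yml"
  for key in gitlab_os_auth_url gitlab_os_tenant_name gitlab_os_username \
             gitlab_os_password gitlab_os_region_name; do
    val=$(sed -n "s/^$key: *//p" "$hv" 2>/dev/null || true)
    if [ -z "$val" ] || [ "$val" = "ABCDEF" ]; then
      echo "FAIL: $key unset or placeholder in host_vars/gitlab-host.yml"; rc=1
    fi
  done
  # the file holds gitlab_os_password in clear: refuse group/world-readable modes
  if [ -f "$hv" ] && ls -l "$hv" | cut -c5-10 | grep -q '[rwx]'; then
    echo "FAIL: host_vars/gitlab-host.yml is readable by group or others"; rc=1
  fi
  return $rc
}

# Constructed sample inventory (not real values) for trying the check offline:
# "good" passes every check, "bad" trips all of them.
make_sample_inventory() {
  mkdir -p "$1/group_vars/all" "$1/host_vars"
  if [ "$2" = good ]; then
    echo 'domain: example.invalid' > "$1/group_vars/all/domain.yml"
    echo 'with_https: true' > "$1/group_vars/all/with_https.yml"
    printf '%s\n' 'gitlab_os_auth_url: https://auth.example.invalid/v3' \
      'gitlab_os_tenant_name: tenant' 'gitlab_os_username: ci' \
      'gitlab_os_password: s3cret' 'gitlab_os_region_name: DE1' \
      > "$1/host_vars/gitlab-host.yml"
    chmod 600 "$1/host_vars/gitlab-host.yml"
  else
    echo '#with_https: true' > "$1/group_vars/all/with_https.yml"
    touch "$1/group_vars/all/https.yml"
    echo 'gitlab_os_password: ABCDEF' > "$1/host_vars/gitlab-host.yml"
    chmod 644 "$1/host_vars/gitlab-host.yml"
  fi
}
```

Run it as `preflight_check /srv/checkout/inventory` from the checkout before the ansible-playbook step; a non-zero exit lists every item still to fix.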

Manual verification checklist:

  • A shared runner should be registered in It can be assigned to a project, a .gitlab-ci.yml uploaded to verify it runs ok. :thumbsup:
  • gitlab is upgraded and the upgrade is hopefully not causing troubles :+1:
    image: sameersbn/gitlab:8.13.2
    image: sameersbn/gitlab:10.1.3
  • Login ssh -p 2222 and sudo tail -f /var/log/syslog and wait 5 minutes to check if the mirror happens. Also try it manually :+1:
  • Verify weblate is still able to communicate properly with :thumbsup:
    • sudo docker-compose -f docker-compose-securedrop-club.yml exec weblate bash
    • cd /app/data/vcs/securedrop/securedrop
    • git fetch
  • Verify weblate site (in admin) is and not star :thumbsup:


The upgrade of gitlab seems to be ok but https-portal needs update.

Failed to obtain certs for
2017/11/26 13:11:27 [notice] 149#149: signal process started
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Signing certificates from
Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
  File "/bin/acme_tiny", line 198, in
  File "/bin/acme_tiny", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER,
  File "/bin/acme_tiny", line 92, in get_crt
    raise ValueError("Error registering: {0} {1}".format(code, result))
ValueError: Error registering: 400 {
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [] does not match current agreement URL []",
  "status": 400

Failed to sign, is DNS set up properly?

This was fixed with:

molecule login -s preprod --host gitlab-host
sudo docker pull steveltn/https-portal:1
sudo docker stop https-portal
sudo docker rm https-portal   # docker has no "destroy" subcommand; rm removes the stopped container

And running ansible-playbook --private-key infrastructure_key --user debian -i inventory molecule/gitlab/gitlab-playbook.yml. The better option is to use steveltn/https-portal:latest instead of steveltn/https-portal:1

The update is complete and all is well.