authorRJ Skerry-Ryan <rryan@mixxx.org>2020-07-19 22:34:53 -0700
committerRJ Skerry-Ryan <rryan@mixxx.org>2020-07-20 11:26:37 -0700
commit9226812ccb63d6d65aae5a25013d8647c3d6863d (patch)
tree3fd1b0299526e8d065ba36dcebf546b695274866 /build
parent4669ad2bdffe610acbcb2f41c996ab19c003458a (diff)
Deploy dmg and deb files built on Travis to downloads.mixxx.org.
Adds an RSA key that is authorized to log in to downloads-hostgator.mixxx.org. This key is encrypted with a password, which is provided as a Travis secure variable.
Diffstat (limited to 'build')
-rw-r--r--build/certificates/README.md20
-rw-r--r--build/certificates/downloads-hostgator.mixxx.org.key54
-rw-r--r--build/certificates/downloads-hostgator.mixxx.org.key.pub1
-rwxr-xr-xbuild/travis/deploy.sh36
4 files changed, 111 insertions, 0 deletions
diff --git a/build/certificates/README.md b/build/certificates/README.md
new file mode 100644
index 0000000000..7e171873c7
--- /dev/null
+++ b/build/certificates/README.md
@@ -0,0 +1,20 @@
+
+# Key Rotation
+
+# downloads-hostgator.mixxx.org
+
+SSH access is granted via an RSA key stored in `build/certificates/downloads-hostgator.mixxx.org.key`.
+
+To rotate this key, generate a new RSA key with a strong password (e.g. 32 character randomly generated).
+
+```
+ssh-keygen -t rsa -b 4096 -f downloads-hostgator.mixxx.org.key
+```
+
+Copy the **public** key to `$HOME/.ssh/authorized_keys`, replacing the old file to remove access for the current key.
+
+Encrypt the password using `travis encrypt` and update `.travis.yml`.
+
+```
+travis encrypt DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD=hunter2 -r mixxxdj/mixxx
+```
diff --git a/build/certificates/downloads-hostgator.mixxx.org.key b/build/certificates/downloads-hostgator.mixxx.org.key
new file mode 100644
index 0000000000..5bc5cc8f05
--- /dev/null
+++ b/build/certificates/downloads-hostgator.mixxx.org.key
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,4D25AED6ED1AD07B47186093278F7F27
+
+/aFQab21BJ4OnILuHd/FoXQfURebSWX/LhKrukZLqE1TvkftwDVhjHHjxFmo1yp2
+oU8B4vx15os5QZa24KNGBsFVGd59scSEIZO8MTLk+T0hvF6huA7x3B6FGE7T9prJ
+swKghpM9sn72IRRBF8XPmk2lPw1XwC2AcUMSp0kqPK96jxAdsbqroKfhVMWIuNEC
++kiuZjoJNkrfnwsKd3aIEtFq7x9tSuWztyxn8y8OnQuo8Vew97DOabuX97DEzpk/
+nsTaoK239oImBbRTHj3Y2ocJpZGW+FNeUqE89IukXRPvy0vvSS/A7hAH1kB1Hyjs
+/DNs5I2YNw+drhdPwlxPa6mTeDVzhY2/EQ+2m6D7jFgTe1Jt083ELVkA5EFGD4qq
+rEy/G6YnLUhUrp7ssSqB6zSm+wH6F24U2Cxrzoe7IUJfanynkYamzEY0OSoCVW3b
+2IOMWrytibJiP0mCWkW4yowwaIplPPhFXOY8iaMfLGvwYaa+w9bSNjip1UBjjce/
+Z+sp7MiJiXbS28SDjMe9J1Lw3hEFRR/F5YJ2za3UAlB8bwFJF30i7YwEas6RaEwu
+obEca64x3CpCDFAzPYInKDORvMu6xfByuLxZ/WCq8APrAp56924+TvNFnRbqKaLh
+xvOR5rM0rqGlbhBTpTY1bKXCudzosI7uMUGoPFodP8S87tFUHyZYXOi/ZBKVhi8s
+Q7v2c2v+2D2oMwGaqFzPOug/QbcXfzDdND1ZBwAr18I7YgJJUBJXIPbn6LFiqpJp
+8+91jSVGPdX8Z0cudn6jvBwcpj7BvG9/IBfW7/ORDxsIQq6fogk2REFwBlDtPfCQ
+8OENo2pvhbXUoYGq+BNmjdT7pyYZbbKQ4ufix2B8xjjK6hpF7e6DGxpEmVr93UnP
+i+lkgCKpQMME9LDtcNDcptIEIqan9YEEpCukmSz9MF1SzKG1Cp/Ych1cnAtO3FGI
+LqUVKHoSf5Q35By1t3fythHe5UR++XjwAM7f+eZTPqWRg4T1z4MDV+WtFSDdW+fs
+WoPsr+/AXQZJePly70liyYeu5nltwAdx+fhX6hxqGssA1eGrJwAZsTlgg7JWDwWe
+bg3JKkJ4O954auUGKVWDbu0wSHletysgEumaq43vM0pv3CVknh9xKsmtG6jeGgt1
+LlDPUvCBVkReejtnncoh8v9/5WwVPwq+qNVzRmUJQ9CrxFkZFibe1EVl2olieC5E
+26qK/GqiMh5WjdXU5v8GNWR4M5AGVBcuNyUtYBP4mmAuXGu3T7ceKF2wUmdF70YM
+QGDuNnJdPavcg9b85r/mFvvJVRhUjcf/FWCOnkfT4fEMBrQZgMPSFz37V+d8hXO6
+u5cW2rrrbVwL/n4JT4RS1B/Mmtf/e9D0JFybne/qGgYfMv1Zp87uZIDZhCqiBSs+
+39XGccpxtn3t63bKzbH81a0QYN/SqDc0vPttw8isHKlu+tGbar/Yo6qbo5Q1aGfQ
+8SIVsjMNYfUs9qeIOrpVYiyX+LiTWVQS3R1Fx6mA16DBqkpVIwgM9nJOuC5YtytM
+36NJksTi73hsEQTa03P60PRKFTXrrs7pUc1mxmwk50YX2zhJrIHGw5iESFkAJ88A
+f8p8zf7WUzaf1rqcXvRYghTrn6SNsew8vC/Bob7pub0p6KFRuCfU1fellTqikhKt
+AWpyKyQJanoiuJ5NWcJ2E6eAqlG51U+wLC1Uv8IBhR1y/zwF0aoDcKZlv7MJlBMb
+juDPmNDPa/In8lqL0CI18svUU+kAImGgJdeNr9eE5s95oiqMhOSTTTvRiX4t+PvW
+FFsw6zGtyKUOygBndF91q7GPBXTrPTlvlK/S0e0P/mZImbrS8XUwqcl4iOJU3Y9L
+9nwWj49v7scer68PMWZGDoCSyPKlkSFysUyk8z2W+gN13W0CecCQNl13wSf4QEJ8
+YGcxQ24AcOUAq5CFU/KvLseqKAKZVPaUBzitiCjVZER/1dIg0NqSyRTkKacuS3Em
+5G8777TOVJhRJY65x9PnkXZjaGrHKYzNHHRvh+nVNu7j3PMLUhXpTkCf1BDlMTbl
+8E2/ucbZmRlvX4mfL7CbR03IgUHCEtmMnZPvW4v9/qbnutOsedE6Im54MC+oXAr8
+XJxP04EJ0SgmOsZiwLIp/qoQhvT5BeML7qvP8CQxkLgg3BQMeC6e2i8wNGiM+94Q
+c5yHwoLiOYMBgjSKU160/eN9aO5QFcALMz8/CT4zXT19mkXjK5QaR9Jz2f68luLf
+QffYOhM+QCjMio/Z62/RiI0w3AgV1p4miyP1MPbcFL9jdWC0b2AF7/ewTnsXdmD6
+NzwPIqK2ffwNJJ1B8fDhZKRgOyMigAqU8viahx8yeWNpgwyN0Cp3zkAvrpg1/tEa
+B/TqmRgVX9N2Og3OqtXcNNWgc+SNYGyS4PEAu46Fxao1mubKftw5H7RC6L3WzVHP
+G50aU2ewrBox2a9IJLnaVXHe5dqiMaGbaMyZweCqZDzsIb6BfOot7+3T6NrbEZVC
+57TpRDZOxAF1yaOSTO4yivsVB7PU3fPUq/YAoBIyhZt6zvi8MOhpjV7KQhwL4GZi
+0v9WYGQSIYGGQ0uYzIiZ7bLloXwWIMmC4nJkpvPfVChsvVXIyy1zfNY3qrETckW8
+7jE6NzMGJ5EmK7p919J6L7+YE7E3anc+wUTJSlwrWz1K2eGIC8OmN1jyKdqZkfGj
+/mE/eUFcwC5+whf7EwXaHCnd/u+e1B7lGfzPC551ovRDydGhGYT+CBNaZGqsLEnu
+yq3qJCEBhbDV8kDaWgx/34ta/Vp6ZeASj7Qf6h/++645Q+yg6F/616isJrujBXO+
+qa0c99wM9rXNlyWcIAEPZ9ul0qfat4hA91Mv9LNzJd8mVSHGOpz5VEgFhix/3TKz
+DSDLBpbDIyPWnPGZAo7tQg11kWCtQIgLTCB+zkfmYJklNmxKe6j3TnCC/0BjLgWF
+LHHLykvZ5SxK2/m/tQwEDA7xfh1h8EqpmpIjAJVvjUbR3bu3cMrV+GRs0HuZk60I
+gDM4fgUsM0JApSvgSrvJx3yMCDCqhN1VPjEwnXFHVsK39GQs6zvlCbsYjuifRzmR
+AjOSGOWQfwbhDm+AdN6Zi8xi5VbYMlmaeYwYIrG00PmxxeAzqjVcAIn5Z04tCGJA
+-----END RSA PRIVATE KEY-----
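Review bot: The private key added here is protected only by its passphrase once it is in the repository, and its header (`Proc-Type: 4,ENCRYPTED`, `DEK-Info: AES-128-CBC`) shows the legacy PEM encryption, which derives the cipher key from the passphrase with a single MD5 pass. Anyone who can read the tree can therefore test passphrases offline cheaply, so the key's confidentiality rests entirely on the passphrase being as strong as the README asks, for as long as the key stays authorized. Keeping the key out of the tree (for example as an encrypted CI file or secret) removes that exposure. If it must be committed, generate it in the OpenSSH format with a raised KDF round count, e.g. `ssh-keygen -t rsa -b 4096 -o -a 100 -f downloads-hostgator.mixxx.org.key`.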
diff --git a/build/certificates/downloads-hostgator.mixxx.org.key.pub b/build/certificates/downloads-hostgator.mixxx.org.key.pub
new file mode 100644
index 0000000000..4f47da8738
--- /dev/null
+++ b/build/certificates/downloads-hostgator.mixxx.org.key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP1q+/ayZvi1NCqVZBmajI1TP2qAO1H5pNLx80z/qfNkFMWspgrT3//xaItMfhyIjAycQfDBYOatxFCNST5y12Pjm8H1SF74dHLIVhBdAGfb7JtOt4vAqxeJp7E7T3gn7ZmcNCJnnVPnX0Wl4NRNvS/sE7Q5a/UUNOJGWyvKfrfvuvp91J+XQqhB6shUkmGmchL5ISHbq1i6EbH3ZyRqmPQSAROJ9yyQIVBuCuSisgl3teOnqDxibFP8yMOJhysw3VA8U29ERP8gtvSjcTfDJXeiMM6y6Ty4SrYJe3KUU2OQI3u4W31KREUGj9zH9SBcfh/EvUjw/bw/OSgKxsCaJIeH8bOnFz037ipgGCTbYcdvhEKIJRFqy0/kjm7hf4rWITNJ9Wvkn83MAhvEeOVPoV6cajQZd/0r54Fg8/6/mhp7J5yBBNjKNRYDW5wDpYPjwRvxVEIYS5QD1wwUHmRF1qy1YiAJK37YmoWr4Fd8fWNF5g+ozhCacaxIMcWjKneStwCsjxIG4mTBEnJAIt6mFptoX0ewA8ozgw7POBNLSW469LiGDZOf9GTBL6YsGyaV2WzWjSIFYn2dqL+TfSaKNqDBFoHLJ2SZ+Utp5a63NCaLAY5TbGUbzAMmq8j4qrJa1wu6y7GUKiYs5BByik+j9szW0/i28FkQjnZYMPtTSJ/w== mixxx@downloads-hostgator.mixxx.org
diff --git a/build/travis/deploy.sh b/build/travis/deploy.sh
new file mode 100755
index 0000000000..2743a4fc53
--- /dev/null
+++ b/build/travis/deploy.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Deploy artifacts (e.g. dmg, deb files) built by Travis to downloads.mixxx.org.
+# Run within the cmake_build directory.
+
+set -eu -o pipefail
+
+USER=mixxx
+HOSTNAME=downloads-hostgator.mixxx.org
+TRAVIS_DESTDIR=public_html/downloads/builds/travis
+SSH_KEY=../build/certificates/downloads-hostgator.mixxx.org.key
+SSH="ssh -i ${SSH_KEY} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+
+if [[ "${TRAVIS_PULL_REQUEST}" != "false" ]]; then
+ echo "Skipping deploy since we are in a pull request."
+ exit 0
+fi
+
+DEST_PATH=${TRAVIS_DESTDIR}/${TRAVIS_BRANCH}/
+TMP_PATH=${TRAVIS_DESTDIR}/.tmp/$TRAVIS_BUILD_ID/
+
+echo Deploying to $TMP_PATH, then to $DEST_PATH.
+
+# Remove permissions for group and other users so that ssh-keygen does not
+# complain about the key not being protected.
+chmod go-rwx ${SSH_KEY}
+
+# "Unlock" the key by removing its password. This is easier than messing with ssh-agent.
+ssh-keygen -p -P ${DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD} -N "" -f ${SSH_KEY}
+
+# Always upload to a temporary path.
+shopt -s extglob
+rsync -e "${SSH}" --rsync-path="mkdir -p ${TMP_PATH} && rsync" -r --delete-after --quiet *.@(deb|dmg) ${USER}@${HOSTNAME}:${TMP_PATH}
+
+# Move from the temporary path to the final destination.
+$SSH ${USER}@${HOSTNAME} "mkdir -p ${DEST_PATH} && mv ${TMP_PATH}/* ${DEST_PATH} && rmdir ${TMP_PATH}"
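Review bot: Host key verification is switched off in the `SSH` definition (`StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`), so the script will upload release artifacts to whatever host answers for downloads-hostgator.mixxx.org. Pinning the server's host key in a known_hosts file and keeping strict checking on would close that. `TRAVIS_BRANCH` is also expanded unquoted, via `DEST_PATH`, into the command string that the remote shell runs on the last line, so it should be checked against an allow-list pattern before use. The key password is passed unquoted on the `ssh-keygen -p -P` command line, where it is visible in the build machine's process list and would split on whitespace; at minimum quote it as `-P "${DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD}"`. The fence shows the first two changes; the known_hosts path in it is a placeholder.

```shell
# Placeholder path: commit a known_hosts file holding the server's pinned host key.
SSH_KNOWN_HOSTS=PLACEHOLDER_PATH_TO_PINNED_KNOWN_HOSTS
SSH="ssh -i ${SSH_KEY} -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${SSH_KNOWN_HOSTS}"

# … unchanged: pull-request skip …

# The branch name ends up inside a command string run by the remote shell,
# so accept only characters that have no meaning to a shell.
if [[ ! "${TRAVIS_BRANCH}" =~ ^[A-Za-z0-9._/-]+$ ]]; then
  echo "Refusing to deploy: unexpected characters in branch name." >&2
  exit 1
fi
DEST_PATH=${TRAVIS_DESTDIR}/${TRAVIS_BRANCH}/
# … unchanged: TMP_PATH, chmod, ssh-keygen, rsync, final ssh …
```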