From db842126d232bebd7a41fa759016bf9ea2ed4b59 Mon Sep 17 00:00:00 2001 From: Serhii Varakuta <8980561+floodcode@users.noreply.github.com> Date: Tue, 2 Apr 2024 15:51:26 +0300 Subject: [PATCH] Development -> Main (#47) Co-authored-by: Yurii Kovalchuk <103324562+yumirkov@users.noreply.github.com> Co-authored-by: Yurii Kovalchuk --- .github/actions/build-and-push/action.yml | 15 +- .github/actions/multiarch-push/action.yml | 17 +- .github/workflows/build-packages.yml | 79 ++++++++- .github/workflows/live-build-and-push.yml | 61 +++++++ .github/workflows/live-deploy.yml | 34 ++++ configure.ac | 4 +- contrib/win32build/anon-mingw.nsi.in | 2 +- operations/anon-da-node-live.hcl | 194 ++++++++++++++++++++++ operations/anon-da-node-stage.hcl | 36 ++-- operations/anon-debian-repo.hcl | 68 +++++++- scripts/ci/update-env.sh | 19 ++- src/app/config/auth_dirs.inc | 18 +- 12 files changed, 509 insertions(+), 38 deletions(-) create mode 100644 .github/workflows/live-build-and-push.yml create mode 100644 .github/workflows/live-deploy.yml create mode 100644 operations/anon-da-node-live.hcl diff --git a/.github/actions/build-and-push/action.yml b/.github/actions/build-and-push/action.yml index 7fa43081d8..d2ffd6f0f3 100644 --- a/.github/actions/build-and-push/action.yml +++ b/.github/actions/build-and-push/action.yml @@ -15,8 +15,11 @@ inputs: environment: required: true push: - required: false - default: true + required: false + default: true + push-latest: + required: false + default: false runs: using: "composite" @@ -41,3 +44,11 @@ runs: build-args: | ANON_VER=${{ inputs.version }} ANON_ENV=${{ inputs.environment }} + + - name: Push latest + if: ${{ inputs.push-latest == true }} + shell: bash + run: | + docker buildx imagetools create \ + -t ${{ inputs.docker-base-repo }}:${{ github.sha }} \ + ${{ inputs.docker-base-repo }}:latest diff --git a/.github/actions/multiarch-push/action.yml b/.github/actions/multiarch-push/action.yml index 9e10b01970..3f79eda245 100644 
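Review bot: The new `Push latest` step in build-and-push/action.yml cannot run as written, and would retag the wrong way round if it did. Composite-action inputs arrive as strings, so `inputs.push-latest == true` compares the string `'true'` with a boolean and evaluates to false; the condition should be `if: ${{ inputs.push-latest == 'true' }}`. In `docker buildx imagetools create`, `-t` names the tag being written and the positional argument is the source, so this step would overwrite `:${{ github.sha }}` with whatever `:latest` currently points to instead of moving `latest` to the new image. Swap them: `-t ${{ inputs.docker-base-repo }}:latest` with `${{ inputs.docker-base-repo }}:${{ github.sha }}` as the source. The identical step added to multiarch-push/action.yml has both problems.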
--- a/.github/actions/multiarch-push/action.yml +++ b/.github/actions/multiarch-push/action.yml @@ -8,6 +8,9 @@ inputs: required: true docker-tag: required: true + push-latest: + required: false + default: false runs: using: "composite" @@ -27,8 +30,16 @@ runs: docker buildx imagetools create \ -t ${{ inputs.docker-base-repo }}:${{ inputs.docker-tag }} \ ${{ inputs.docker-base-repo }}-amd64:${{ inputs.docker-tag }} \ - ${{ inputs.docker-base-repo }}-arm64:${{ inputs.docker-tag }} + ${{ inputs.docker-base-repo }}-arm64:${{ inputs.docker-tag }} docker buildx imagetools create \ - -t ${{ inputs.docker-base-repo }}:${{ github.sha}} \ + -t ${{ inputs.docker-base-repo }}:${{ github.sha }} \ ${{ inputs.docker-base-repo }}-amd64:${{ github.sha }} \ - ${{ inputs.docker-base-repo }}-arm64:${{ github.sha }} + ${{ inputs.docker-base-repo }}-arm64:${{ github.sha }} + + - name: Push latest + if: ${{ inputs.push-latest == true }} + shell: bash + run: | + docker buildx imagetools create \ + -t ${{ inputs.docker-base-repo }}:${{ github.sha }} \ + ${{ inputs.docker-base-repo }}:latest diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 1171971d69..e83c9cb628 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -15,10 +15,11 @@ on: env: DEBIAN_FRONTEND: noninteractive - # tags, main: stage + # tags: live + # main: stage # development: dev - # everything else (pr, etc.): unstable-dev - PKG_ENV: ${{ (github.ref == 'refs/heads/main' || github.ref_type == 'tag') && 'stage' || github.ref == 'refs/heads/development' && 'dev' || 'unstable-dev' }} + # everything else (pull request, etc.): unstable-dev + PKG_ENV: ${{ github.ref_type == 'tag' && 'live' || github.ref == 'refs/heads/main' && 'stage' || github.ref == 'refs/heads/development' && 'dev' || 'unstable-dev' }} jobs: 
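Review bot: In build-packages.yml the new `PKG_ENV` expression maps every tag ref to `live`, because `github.ref_type == 'tag'` does not look at the tag name. The live image workflow added in this commit reacts only to `v*.*.*.*` tags, so unless this workflow's `on:` filter (outside the hunk) is equally narrow, a test or mistyped tag would produce packages configured for the live network. Consider tying the live case to the version pattern as well, for example `github.ref_type == 'tag' && startsWith(github.ref_name, 'v') && 'live'`.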
@@ -162,6 +163,74 @@ jobs: name: anon-${{ env.PKG_ENV }}-${{ matrix.build.os }}-${{ matrix.build.suite }}-${{ matrix.build.arch }} path: binary-packages/ + # + # Linux Build + # + + build-linux-binary: + runs-on: ${{ matrix.build.runner }} + container: + image: debian:bookworm + env: + OPENSSL_VERSION: "1.1.1w" + strategy: + fail-fast: false + matrix: + build: + + # Linux amd64 + - runner: ubuntu-latest + arch: amd64 + libarch: x86_64 + + # Linux arm64 + - runner: arm64 + arch: arm64 + libarch: aarch64 + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + path: ator-protocol + fetch-depth: 1 + - name: Install dependencies + run: | + apt-get update && \ + apt_build_deps="libssl-dev zlib1g-dev libevent-dev ca-certificates dh-apparmor libseccomp-dev debhelper" && \ + apt_runtime_deps="iputils-ping curl pwgen" && \ + apt_temps="build-essential automake git wget" && \ + apt-get -y --no-install-recommends install $apt_build_deps $apt_runtime_deps $apt_temps + - name: Build anon + run: | + cd ator-protocol + ./scripts/ci/update-env.sh ${{ env.PKG_ENV }} + ./autogen.sh + ./configure \ + --disable-asciidoc \ + --disable-zstd \ + --disable-lzma \ + --enable-static-zlib \ + --enable-static-libevent \ + --enable-static-openssl \ + --enable-static-tor \ + --with-libevent-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \ + --with-openssl-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \ + --with-zlib-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \ + --disable-tool-name-check \ + --disable-gcc-hardening + make + - name: Copy executables to artifact directory + run: | + mkdir -p package + cp ator-protocol/src/app/anon package + cp ator-protocol/src/tools/anon-gencert package + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: anon-${{ env.PKG_ENV }}-linux-${{ matrix.build.arch }} + path: package/ + # # MacOS Build # 
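Review bot: The `build-linux-binary` job configures the binaries with `--disable-gcc-hardening`, which turns off the compiler hardening the build applies by default, and a later hunk in this commit zips these same artifacts into the release. If the flag is only there to make the static link succeed, fix the link and drop the flag, or at least record the reason next to it, e.g. `# hardening disabled: <reason>, tracked in <issue>`. `OPENSSL_VERSION: "1.1.1w"` is declared but nothing in the visible steps reads it; the build links whatever `libssl-dev` the `debian:bookworm` image provides, so the variable should be removed or actually used. Because OpenSSL, libevent and zlib are linked statically, a fix in the distribution packages reaches users only through a rebuild and a new release.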
@@ -380,8 +449,12 @@ jobs: run: | mkdir -p release-artifacts/ cp raw-artifacts/anon-*/anon_*.deb release-artifacts/ + chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64/* + chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64/* chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64/* chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64/* + zip -j release-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64/* + zip -j release-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64/* zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64/* zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64/* zip -j release-artifacts/anon-${{ env.PKG_ENV }}-windows-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-windows-amd64/* diff --git a/.github/workflows/live-build-and-push.yml b/.github/workflows/live-build-and-push.yml new file mode 100644 index 0000000000..78b4ae7ac1 --- /dev/null +++ b/.github/workflows/live-build-and-push.yml 
@@ -0,0 +1,61 @@
+name: Stage Build and Push Docker Images
+
+on:
+ push:
+ tags:
+ - 'v*.*.*.*'
+ workflow_dispatch:
+
+env:
+ image-tag: ${{ github.event_name == 'push' && (github.ref_name) || 'latest-manual' }}
+
+jobs:
+ build-and-push:
+ runs-on: ${{ matrix.platform.runs-on }}
+ strategy:
+ matrix:
+ platform:
+ - name: linux/amd64
+ image-suffix: amd64
+ runs-on: ubuntu-latest
+ - name: linux/arm64
+ image-suffix: arm64
+ runs-on: arm64
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+ - name: Build and push
+ uses: ./.github/actions/build-and-push
+ with:
+ docker-username: ${{ secrets.DOCKER_USERNAME }}
+ docker-password: ${{ secrets.DOCKER_PASSWORD }}
+ docker-base-repo: ${{ secrets.DOCKER_BASE_REPO_LIVE }}-${{ matrix.platform.image-suffix }}
+ docker-tag: ${{ env.image-tag }}
+ docker-platform: ${{ matrix.platform.name }}
+ version: ${{ github.sha }}
+ environment: live
+ push-latest: true
+
+ multiarch-push:
+ runs-on: arm64
+ needs: build-and-push
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+ - name: Multiarch push
+ uses: ./.github/actions/multiarch-push
+ with:
+ docker-username: ${{ secrets.DOCKER_USERNAME }}
+ docker-password: ${{ secrets.DOCKER_PASSWORD }}
+ docker-base-repo: ${{ secrets.DOCKER_BASE_REPO_LIVE }}
+ docker-tag: ${{ env.image-tag }}
+ push-latest: true
+
+ deploy:
+ needs: multiarch-push
+ runs-on: ubuntu-latest
+ steps:
+ - name: Invoke workflow without inputs
+ uses: benc-uk/workflow-dispatch@v1
+ with:
+ workflow: Live Deploy
diff --git a/.github/workflows/live-deploy.yml b/.github/workflows/live-deploy.yml
new file mode 100644
index 0000000000..2e4b5b2429
--- /dev/null
+++ b/.github/workflows/live-deploy.yml
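Review bot: The `deploy` job in live-build-and-push.yml runs third-party code referenced by a mutable tag, `benc-uk/workflow-dispatch@v1`, and that step is what starts the live deployment. Pin it to a reviewed commit, `uses: benc-uk/workflow-dispatch@<full-commit-sha> # v1`, or call live-deploy.yml through its `workflow_call` trigger so no external action sits in the release path. The workflow also accepts `workflow_dispatch` from any ref, in which case it pushes `latest-manual` to the live repository and still chains into Live Deploy; an `environment:` with required reviewers on the `deploy` job would gate that. The `name:` still reads `Stage Build and Push Docker Images`, which makes a live run easy to mistake for a stage run.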
@@ -0,0 +1,34 @@ +name: Live Deploy + +on: + workflow_dispatch: + workflow_call: + +env: + image-name: ${{ secrets.DOCKER_BASE_REPO_LIVE }} + image-tag: ${{ github.event_name == 'workflow_call' && 'latest' || github.sha }} + da-1-hc-url: http://49.13.145.234:9230/tor/status-vote/current/consensus + da-2-hc-url: http://5.161.108.187:9230/tor/status-vote/current/consensus + da-3-hc-url: http://5.78.90.106:9230/tor/status-vote/current/consensus + +jobs: + push: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Deploy new version + uses: ./.github/actions/deploy + with: + image-tag: ${{ env.image-tag }} + nomad-job-file: anon-da-node-live.hcl + health-checks: "${{ env.da-1-hc-url }}|${{ env.da-2-hc-url }}|${{ env.da-3-hc-url }}" + nomad-cacert: operations/admin-ui-ca.crt + nomad-token: ${{ secrets.NOMAD_TOKEN_ATOR_NETWORK_DEPLOY }} + nomad-addr: ${{ secrets.NOMAD_DEPLOY_ADDR }} + consul-cacert: operations/admin-ui-ca.crt + consul-http-token: ${{ secrets.CONSUL_HTTP_TOKEN_ATOR_NETWORK_DEPLOY }} + consul-addr: ${{ secrets.CONSUL_DEPLOY_ADDR }} diff --git a/configure.ac b/configure.ac index ccc3d0ab98..fc2b6bb9c0 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc. dnl See LICENSE for licensing information AC_PREREQ([2.63]) -AC_INIT([anon],[0.4.9.0-dev]) +AC_INIT([anon],[0.4.9.1-git]) AC_CONFIG_SRCDIR([src/app/main/anon_main.c]) AC_CONFIG_MACRO_DIR([m4]) 
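Review bot: In live-deploy.yml the `image-tag` expression tests `github.event_name == 'workflow_call'`, but a called workflow sees the caller's event in the `github` context, so the comparison is never true and the `'latest'` branch is dead; every run deploys `github.sha`. A manual dispatch can therefore be started from any branch and will try to roll the `anon-da-node-live.hcl` job to that branch's commit. Nothing visible in the job checks that the ref is a release tag or that an image with that tag exists in the live repository. Make the tag an explicit input of both triggers and put the job behind a protected `environment:`. `actions/checkout@v3` here also lags the `@v4` used by the other workflows in this commit.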
@@ -18,7 +18,7 @@ AC_DEFINE_UNQUOTED([CONFIG_FLAGS], ["$configure_flags"], [Flags passed to config # version number changes. Tor uses it to make sure that it # only shuts down for missing "required protocols" when those protocols # are listed as required by a consensus after this date. -AC_DEFINE(APPROX_RELEASE_DATE, ["2024-01-18"], # for 0.4.9.0-dev +AC_DEFINE(APPROX_RELEASE_DATE, ["2024-03-13"], # for 0.4.9.1-git [Approximate date when this software was released. (Updated when the version changes.)]) # "foreign" means we don't follow GNU package layout standards diff --git a/contrib/win32build/anon-mingw.nsi.in b/contrib/win32build/anon-mingw.nsi.in index a0bcfa543e..f5b3338172 100644 --- a/contrib/win32build/anon-mingw.nsi.in +++ b/contrib/win32build/anon-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.4.9.0-dev" +!define VERSION "0.4.9.1-git" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/operations/anon-da-node-live.hcl b/operations/anon-da-node-live.hcl new file mode 100644 index 0000000000..75386e6925 --- /dev/null +++ b/operations/anon-da-node-live.hcl 
@@ -0,0 +1,194 @@ +#TODO: use templating to avoid copypaste + +job "ator-dir-auth-live" { + datacenters = ["ator-fin"] + type = "service" + namespace = "ator-network" + + group "dir-auth-live-group" { + count = 3 + + spread { + attribute = "${node.unique.id}" + weight = 100 + target "067a42a8-d8fe-8b19-5851-43079e0eabb4" { + percent = 34 + } + target "16be0723-edc1-83c4-6c02-193d96ec308a" { + percent = 33 + } + target "e6e0baed-8402-fd5c-7a15-8dd49e7b60d9" { + percent = 33 + } + } + + network { + port "orport" { + static = 9201 + } + port "dirport" { + static = 9230 + } + + } + + volume "dir-auth-live" { + type = "host" + read_only = false + source = "dir-auth-live" + } + + volume "sbws-live" { + type = "host" + read_only = false + source = "sbws-live" + } + + task "dir-auth-live-task" { + driver = "docker" + + volume_mount { + volume = "dir-auth-live" + destination = "/var/lib/anon/" + read_only = false + } + + volume_mount { + volume = "sbws-live" + destination = "/var/lib/sbws/" + read_only = false + } + + config { + image = "svforte/anon:PLACEIMAGETAGHERE" + ports = ["orport", "dirport"] + volumes = [ + "local/anonrc:/etc/anon/anonrc", + "secrets/anon/keys:/var/lib/anon/keys" + ] + } + + vault { + policies = ["ator-network-read"] + } + + resources { + cpu = 256 + memory = 256 + } + + template { + change_mode = "noop" + data = <&2 "Did not find configure.ac" exit 1 @@ -18,7 +20,7 @@ if [ "$(grep -c AC_INIT configure.ac)" != 1 ]; then exit 1 fi -sed_arg="/^AC_INIT(/ s/\(-dev\)\?\(-$pkg_env\)\?])/-$pkg_env])/" +sed_arg="/^AC_INIT(/ s/\(-git\)\?\(-$pkg_env\)\?])/-$pkg_env])/" if [[ "$OSTYPE" == "darwin"* ]]; then gsed -i -e "$sed_arg" configure.ac 
@@ -31,9 +33,18 @@ if [ "$(grep -c "AC_INIT.*-$pkg_env" configure.ac)" != 1 ]; then exit 1 fi -auth_dirs_env="stage" +# Copy auth dirs file for desired env (live by default) + +auth_dirs_file="auth_dirs.inc" + if [ "$pkg_env" = "dev" ] || [ "$pkg_env" = "unstable-dev" ]; then - auth_dirs_env="dev" + auth_dirs_file="auth_dirs_dev.inc" fi -cp "src/app/config/auth_dirs_${auth_dirs_env}.inc" src/app/config/auth_dirs.inc +if [ "$pkg_env" = "stage" ]; then + auth_dirs_file="auth_dirs_stage.inc" +fi + +if [ "$auth_dirs_file" != "auth_dirs.inc" ]; then + cp "src/app/config/${auth_dirs_file}" src/app/config/auth_dirs.inc +fi diff --git a/src/app/config/auth_dirs.inc b/src/app/config/auth_dirs.inc index c7be6dc5ac..7cc573f6d0 100644 --- a/src/app/config/auth_dirs.inc +++ b/src/app/config/auth_dirs.inc @@ -1,9 +1,9 @@ -"ATORDAeucdev orport=9001 " - "v3ident=4ECBB2E310BEE9D3E840F569747CFB55DEB6B00F " - "49.13.145.234:9030 7652FE7D5B120F1D6A747FF11FF2F423C6428789", -"ATORDAusedev orport=9001 " - "v3ident=5CECD90F9BF611E5010F718FC0FC12C1B470B746 " - "5.161.108.187:9030 108915505A15CAF5DF9DDEC3FCB498953419D1F9", -"ATORDAuswdev orport=9001 " - "v3ident=A6BFD7BA6F41883E044B5429788FFA4E47DD1257 " - "5.78.90.106:9030 54FC95706E969D4FC46974439D1D698AD1C84B64", +"ATORDAeuclive orport=9201 " + "v3ident=9425F567C631319350C6EEF65E775A8AC0699DA0 " + "49.13.145.234:9230 9F01AEC951F037664F8762D54E0EEA8E6809176A", +"ATORDAuselive orport=9201 " + "v3ident=6F3E34A99853CC3CB2D9E7A6FF8D64ED75C8B9E8 " + "5.161.108.187:9230 54849A361F8CED0D1B70B722CB8B33E9071E5561", +"ATORDAuswlive orport=9201 " + "v3ident=C30FBEF011CDFDDD3879BF2BA77A56274899B1BB " + "5.78.90.106:9230 2E397C3F4BC12B4F92940C2B92D4E091E82D2D31",
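Review bot: In update-env.sh the live case is now the fall-through: any `pkg_env` other than `dev`, `unstable-dev` or `stage` leaves `auth_dirs.inc` untouched, and this commit fills that file with the live directory authorities. Unless an earlier part of the script (outside the hunk) rejects unknown values, a misspelled or empty environment silently builds against live. Because `dev` and `stage` overwrite the tracked file in place, a tree where the script already ran for one of them also keeps the wrong list when it is run again for `live`. Select the file with a `case` over the known names and fail otherwise, e.g. `*) echo >&2 "unknown environment: $pkg_env"; exit 1 ;;`, and keep the live list in its own source file so every environment is an explicit copy.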