bugbuddy: add role with full service setup

group_vars/all/vault_bugbuddy.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+39373434666461363763613035393939643631303536303065346633626338303531353538376564
+3433616133616461383836313130313533316536616436660a366333636663326430376661336637
+35356663323361346238383339323433623939303361333135646437343562366466653464353833
+3162616161373030360a363332343237306134636263346237363361343862653738306237386261
+32366461393061393562373762343432313161386166323934383135316532633734616266623539
+62313138636162363861303333616439616164626462656234653334353631653430656261323439
+66303336656462616363653364353332303562663663336539396534326436646136373539646339
+62616534303337643064316162663731393339303436653066653436396566633966326539376435
+61363737383231323137663033656437393761393135373238613961663439346631353437646661
+30396262636134326463393030666538613535323333633830366361613037633862303030386664
+653665306630313164303537323436356231

playbooks/bugbuddy.archlinux.org.yml

@@ -10,3 +10,4 @@
     - { role: prometheus_exporters }
     - { role: promtail }
     - { role: fail2ban }
+    - { role: bugbuddy }

roles/bugbuddy/defaults/main.yml

@@ -0,0 +1 @@
+

roles/bugbuddy/files/bugbuddy-download.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+set -o nounset -o errexit -o pipefail
+
+restart_service=0
+while (( $# )); do
+	case $1 in
+		--restart)
+			restart_service=1
+			shift
+			;;
+		*)
+			echo "invalid argument: $1"
+			exit 1
+			;;
+	esac
+done
+
+readonly NAME=bugbuddy
+readonly PROJECT_ID="archlinux%2F${NAME}"
+readonly TRUSTED_UIDs=(
+	anthraxx@archlinux.org
+)
+readonly TRUSTED_KEYS=(
+	E240B57E2C4630BA768E2F26FC1B547C8D8172C8
+)
+
+readonly CURRENT_RELEASE="/root/${NAME}-current_release"
+readonly TARGET_DIR=/usr/local/bin
+
+RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases")"
+LATEST_RELEASE_TAG="$(jq -r .[0].tag_name <<< "${RELEASES}")"
+
+if [[ $LATEST_RELEASE_TAG == null ]]; then
+	echo "no releases found" >&2
+	exit 1
+fi
+
+if [ -f $CURRENT_RELEASE ]; then
+	LATEST_RELEASE_DOWNLOAD=$(cat ${CURRENT_RELEASE})
+	if [ "$LATEST_RELEASE_TAG" = "$LATEST_RELEASE_DOWNLOAD" ]; then
+		echo "already at latest release"
+		exit 0
+	fi
+fi
+
+
+TMPDIR="$(mktemp --directory --tmpdir="/var/tmp" "${NAME}-download-XXXXXXXXXXXX")"
+# shellcheck disable=SC2064
+trap "rm -rf \"${TMPDIR}\"" EXIT
+cd "${TMPDIR}"
+
+RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases/$LATEST_RELEASE_TAG")"
+ASSETS=$(jq .assets.links <<< "${RELEASES}")
+mapfile -t LINKS < <(jq -r '.[].direct_asset_url' <<< "${ASSETS}")
+
+for link in "${LINKS[@]}"; do
+	echo "downloading ${link##*/}"
+	curl --progress-bar --show-error --fail --location --remote-name "${link}"
+done
+
+for uid in "${TRUSTED_UIDs[@]}"; do
+	sq wkd get "${uid}"
+done
+
+for fp in "${TRUSTED_KEYS[@]}"; do
+	sq --force link add --all "${fp}"
+done
+
+verified=0
+for key in "${TRUSTED_KEYS[@]}"; do
+	if sq verify --signer-cert "${key}" --detached ${NAME}.sig ${NAME}; then
+		verified=1
+		break
+	fi
+done
+if (( ! verified )); then
+	echo "failed to verify downloaded artifacts" >&2
+	exit 1
+fi
+
+chmod +x ${NAME}
+mv --verbose ${NAME} "${TARGET_DIR}/${NAME}"
+echo "$LATEST_RELEASE_TAG" > $CURRENT_RELEASE
+
+if (( restart_service )); then
+	systemctl restart "${NAME}"
+fi

roles/bugbuddy/files/bugbuddy.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=bugbuddy service
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=-/etc/conf.d/bugbuddy
+ExecStart=/usr/local/bin/bugbuddy daemon
+Restart=on-failure
+RestartSec=5s
+
+DynamicUser=true
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectHostname=true
+RestrictRealtime=true
+CapabilityBoundingSet=
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

roles/bugbuddy/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: Daemon reload
+  systemd:
+    daemon-reload: true

roles/bugbuddy/tasks/main.yml

@@ -0,0 +1,25 @@
+- name: Install sequoia
+  pacman: name=sequoia-sq state=present
+
+- name: Install systemd service
+  copy: src=bugbuddy.service dest="/etc/systemd/system/bugbuddy.service" owner=root group=root mode=0644
+  notify:
+    - Daemon reload
+
+- name: Install conf file
+  template: src=bugbuddy.conf.j2 dest=/etc/conf.d/bugbuddy owner=root group=root mode=0600
+
+- name: Install download script
+  copy: src=bugbuddy-download.sh dest=/usr/local/bin/bugbuddy-download owner=root group=root mode=0755
+
+- name: Download latest bugbuddy  # noqa no-changed-when
+  command: /usr/local/bin/bugbuddy-download --restart
+
+- name: Start and enable daemon service
+  systemd: name=bugbuddy.service enabled=yes state=started
+
+- name: Open firewall holes
+  ansible.posix.firewalld: port=3000/tcp permanent=true state=enabled immediate=yes
+  when: configure_firewall
+  tags:
+    - firewall

roles/bugbuddy/templates/bugbuddy.conf.j2

@@ -0,0 +1,2 @@
+BUGBUDDY_GITLAB_TOKEN={{ vault_bugbuddy_gitlab_token }}
+BUGBUDDY_WEBHOOK_TOKEN={{ vault_bugbuddy_webhook_token }}