Verified Commit 5a8468f4 authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

Implement gluebuddy role

parent f4a91af7
......@@ -5,9 +5,11 @@ After=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/gluebuddy
StandardOutput=journal+console
EnvironmentFile=-/etc/conf.d/gluebuddy
ExecStart=/usr/local/bin/gluebuddy apply
DynamicUsers=true
DynamicUser=true
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=true
......
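Review bot: The leading `-` in `EnvironmentFile=-/etc/conf.d/gluebuddy` makes a missing or unreadable file non-fatal, so if the conf file is absent the unit still runs `/usr/local/bin/gluebuddy apply` without its GitLab and Keycloak credentials and only fails later with a less obvious error; since the role always installs that file, `EnvironmentFile=/etc/conf.d/gluebuddy` would fail fast at unit start instead. Because that file holds secrets and is read by systemd as root before `DynamicUser=` applies, its on-disk permissions are what protect the credentials, so the hardening directives here only pay off if the file is not world-readable. The hunk appears truncated at both ends (`......`), so lines outside the shown range were not reviewed.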
......@@ -2,7 +2,7 @@
Description=gluebuddy timer
[Timer]
OnUnitActiveSec=10min
OnUnitActiveSec=30min
OnBootSec=5min
RandomizedDelaySec=1min
......
#!/bin/bash
set -o nounset -o errexit -o pipefail
NAME=gluebuddy
LATEST_GLUEBUDDY_FILE=/root/latest_release
readonly PROJECT_ID="archlinux%2Fgluebuddy"
RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases")"
LATEST_RELEASE_TAG="$(jq -r .[0].tag_name <<< "${RELEASES}")"
if [ -f $LATEST_GLUEBUDDY_FILE ]; then
LATEST_RELEASE_DOWNLOAD=$(cat ${LATEST_GLUEBUDDY_FILE})
if [ "$LATEST_RELEASE_TAG" = "$LATEST_RELEASE_DOWNLOAD" ]; then
exit 0
fi
fi
readonly TMPDIR="$(mktemp --directory --tmpdir="/var/tmp")"
trap "rm -rf \"${TMPDIR}\"" EXIT
cd "${TMPDIR}"
RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases/$LATEST_RELEASE_TAG")"
ASSETS=$(echo $RELEASES | jq .assets.links)
LINKS=$(echo $ASSETS | jq -r '.[].direct_asset_url')
links=($LINKS)
for i in "${links[@]}"
do
curl -O $i
done
sq verify --signer-cert <(sq wkd get anthraxx@archlinux.org) --detached ${NAME}.sig ${NAME}
mv ${NAME} /usr/local/bin/${NAME}
chmod +x /usr/local/bin/${NAME}
echo $LATEST_RELEASE_TAG > $LATEST_GLUEBUDDY_FILE
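Review bot: The trust anchor for the downloaded binary is fetched over the network on every run via `<(sq wkd get anthraxx@archlinux.org)` rather than pinned, so whatever WKD serves for that address at that moment becomes the accepted signer; the role already fixes an expected fingerprint in its tasks, so shipping that certificate with the role and verifying with `--signer-cert "<path to the role-installed cert>"` (placeholder path) would make verification independent of a live lookup. Separately, `curl -O $i` runs without `--silent --show-error --fail`, so an HTTP error body is saved under the asset's name and is only caught later by the signature check, and the unquoted expansions (`[ -f $LATEST_GLUEBUDDY_FILE ]`, `echo $RELEASES | jq`, `links=($LINKS)`, `curl -O $i`, `echo $LATEST_RELEASE_TAG > $LATEST_GLUEBUDDY_FILE`) should be quoted as ShellCheck would flag, e.g. `jq -r '.[0].tag_name'`, `curl --silent --show-error --fail -O "$i"` and `mapfile -t links < <(jq -r '.assets.links[].direct_asset_url' <<< "$RELEASES")`. The update check only tests tag equality against `/root/latest_release`, so a release list that presents an older tag first would be installed as if it were new; whether that matters depends on how much the release API is trusted, which the script alone cannot tell.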
---
- name: daemon reload
systemd:
daemon-reload: true
---
- name: install sequoia
pacman: name=sequoia-sq state=present
- name: receive valid signing keys
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
with_items:
- E240B57E2C4630BA768E2F26FC1B547C8D8172C8
register: gpg
changed_when: "gpg.rc == 0"
- name: install systemd service/timer
copy: src={{ item }} dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- gluebuddy.service
- gluebuddy.timer
notify:
- daemon reload
- name: enable timer
systemd: name=gluebuddy.timer enabled=yes state=started
- name: install conf file
template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy
- name: install download script
copy: src=gluebuddy_download.sh dest=/usr/local/bin/gluebuddy_download.sh owner=root group=root mode=0755
- name: download latest gluebuddy
command: /usr/local/bin/gluebuddy_download.sh
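Review bot: `template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy` sets no owner/group/mode, and the rendered file carries the vaulted GitLab token and Keycloak client secret, so the resulting mode depends on the controller's defaults and umask and may be readable by any local user; the other file tasks in this hunk do set them, so `template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy owner=root group=root mode=0600` would be consistent (systemd reads `EnvironmentFile` as root, so 0600 is sufficient). The `receive valid signing keys` task imports E240B57E2C4630BA768E2F26FC1B547C8D8172C8 into root's gpg keyring, but the download script verifies with `sq` against a certificate it fetches via WKD, so this key is never consulted; either the script should verify against this pinned fingerprint or the task is dead weight, and `changed_when: "gpg.rc == 0"` reports a change on every successful run. The `download latest gluebuddy` command task likewise has no `changed_when`, so it reports changed even when the script exits early because the installed release is current.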
GLUEBUDDY_GITLAB_TOKEN={{ vault_gitlab_gluebuddy_token }}
GLUEBUDDY_KEYCLOAK_USERNAME=gluebuddy
GLUEBUDDY_KEYCLOAK_PASSWORD={{ vault_keycloak_gluebuddy_openid_client_secret }}
GLUEBUDDY_KEYCLOAK_REALM=archlinux
GLUEBUDDY_KEYCLOAK_URL=https://accounts.archlinux.org