Implement gluebuddy role

ccfe8c64 · Jelle van der Waa · f4a91af7 · ccfe8c64 · ccfe8c64 · ccfe8c64
Verified Commit ccfe8c64 authored Jan 20, 2022 by Jelle van der Waa 🚧
--- a/roles/gluebuddy/files/gluebuddy.service
+++ b/roles/gluebuddy/files/gluebuddy.service
@@ -5,9 +5,11 @@ After=network-online.target

 [Service]
 Type=oneshot
-ExecStart=/usr/local/bin/gluebuddy
+StandardOutput=journal+console
+EnvironmentFile=-/etc/conf.d/gluebuddy
+ExecStart=/usr/local/bin/gluebuddy apply

-DynamicUsers=true
+DynamicUser=true
 NoNewPrivileges=yes
 ProtectSystem=full
 ProtectHome=true

--- a/roles/gluebuddy/files/gluebuddy.timer
+++ b/roles/gluebuddy/files/gluebuddy.timer
@@ -2,7 +2,7 @@
 Description=gluebuddy timer

 [Timer]
-OnUnitActiveSec=10min
+OnUnitActiveSec=30min
 OnBootSec=5min
 RandomizedDelaySec=1min


--- a/roles/gluebuddy/files/gluebuddy_download.sh
+++ b/roles/gluebuddy/files/gluebuddy_download.sh
+#!/bin/bash
+
+set -o nounset -o errexit -o pipefail
+
+NAME=gluebuddy
+LATEST_GLUEBUDDY_FILE=/root/latest_release
+readonly PROJECT_ID="archlinux%2Fgluebuddy"
+
+RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases")"
+LATEST_RELEASE_TAG="$(jq -r .[0].tag_name <<< "${RELEASES}")"
+
+if [ -f $LATEST_GLUEBUDDY_FILE ]; then
+   LATEST_RELEASE_DOWNLOAD=$(cat ${LATEST_GLUEBUDDY_FILE})
+  if [ "$LATEST_RELEASE_TAG" = "$LATEST_RELEASE_DOWNLOAD" ]; then
+    exit 0
+  fi
+fi
+
+
+readonly TMPDIR="$(mktemp --directory --tmpdir="/var/tmp")"
+trap "rm -rf \"${TMPDIR}\"" EXIT
+cd "${TMPDIR}"
+
+RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases/$LATEST_RELEASE_TAG")"
+ASSETS=$(echo $RELEASES | jq .assets.links)
+LINKS=$(echo $ASSETS | jq -r '.[].direct_asset_url')
+links=($LINKS)
+
+for i in "${links[@]}"
+do
+  curl -O $i
+done
+
+sq verify --signer-cert <(sq wkd get anthraxx@archlinux.org) --detached gluebuddy.sig gluebuddy
+
+mv ${NAME} /usr/local/bin/${NAME}
+chmod +x /usr/local/bin/${NAME}
+echo $LATEST_RELEASE_TAG > $LATEST_GLUEBUDDY_FILE
--- a/roles/gluebuddy/handlers/main.yml
+++ b/roles/gluebuddy/handlers/main.yml
+---
+
+- name: daemon reload
+  systemd:
+    daemon-reload: true
--- a/roles/gluebuddy/tasks/main.yml
+++ b/roles/gluebuddy/tasks/main.yml
 ---

+- name: install sequoia
+  pacman: name=sequoia-sq state=present
+
+- name: receive valid signing keys
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
+  with_items:
+    - E240B57E2C4630BA768E2F26FC1B547C8D8172C8
+  register: gpg
+  changed_when: "gpg.rc == 0"
+
 - name: install systemd service/timer
  copy: src={{ item }} dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
  with_items:
    - gluebuddy.service
    - gluebuddy.timer
+  notify:
+    - daemon reload
+
+- name: enable timer
+  systemd: name=gluebuddy.timer enabled=yes state=started
+
+- name: install conf file
+  template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy
+
+- name: install download script
+  copy: src=gluebuddy_download.sh dest=/usr/local/bin/gluebuddy_download.sh owner=root group=root mode=0755
+
+- name: download latest gluebuddy
+  command: /usr/local/bin/gluebuddy_download.sh
--- a/roles/gluebuddy/templates/gluebuddy.conf.j2
+++ b/roles/gluebuddy/templates/gluebuddy.conf.j2
+GLUEBUDDY_GITLAB_TOKEN={{ vault_gitlab_gluebuddy_token }}
+GLUEBUDDY_KEYCLOAK_USERNAME=gluebuddy
+GLUEBUDDY_KEYCLOAK_PASSWORD={{ vault_keycloak_gluebuddy_openid_client_secret }}
+GLUEBUDDY_KEYCLOAK_REALM=archlinux
+GLUEBUDDY_KEYCLOAK_URL=https://accounts.archlinux.org