Add bugbot role to phrik.archlinux.org

Apply more security hardening, add pgp key fetching and verification for the git repository.

Add bugbot role to phrik.archlinux.org
Apply more security hardening, add pgp key fetching and verification for the git repository.
d9377b5e · Jelle van der Waa · aaa7ace5 · d9377b5e · d9377b5e · d9377b5e
Verified Commit d9377b5e authored Jul 11, 2020 by Jelle van der Waa 🚧
--- a/playbooks/phrik.yml
+++ b/playbooks/phrik.yml
@@ -7,6 +7,7 @@
    - { role: common }
    - { role: tools }
    - { role: archusers }
+    - { role: bugbot }
    - { role: phrik }
    - { role: sshd }
    - { role: unbound }

--- a/roles/bugbot/defaults/main.yml
+++ b/roles/bugbot/defaults/main.yml
@@ -2,7 +2,9 @@
 irc_host: 'chat.freenode.net'
 irc_port: '6697'
 irc_channel: '#archlinux-bugs'
-bugbot_version: 20200630
+bugbot_version: '20200630'
+bugbot_pgp_keys: ['92D9C6CDE99A2024D690A76EE742683BA08CB2FF']
+bugbot_pgp_emails: ['foxboron@archlinux.org']
 bugbot_admins:
  - keenerd
  - falconindy

--- a/roles/bugbot/files/bugbot.service
+++ b/roles/bugbot/files/bugbot.service
@@ -8,10 +8,14 @@ Restart=on-failure
 ProtectSystem=strict
 DynamicUser=yes
 PrivateDevices=true
+PrivateUsers=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
+RestrictRealtime=true


 [Install]

--- a/roles/bugbot/tasks/main.yml
+++ b/roles/bugbot/tasks/main.yml
@@ -3,13 +3,21 @@
 - name: install bugbot utilities
  pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present

+- name: receive valid signing keys
+  become: true
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
+  with_items: '{{ bugbot_pgp_emails }}'
+  register: gpg
+  changed_when: "gpg.rc == 0"
+
 - name: clone bugbot source
  git:
    repo: https://gitlab.archlinux.org/archlinux/bugbot.git
    dest: /srv/bugbot
    force: true
    verify_commit: true
-    version: "{{ bugbot_version }}"
+    gpg_whitelist: '{{ bugbot_pgp_keys }}'
+    version: '{{ bugbot_version }}'

 - name: install env file
  template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600