From d9377b5e5b883707e8e697ab7a04dacbd61eb16a Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@archlinux.org>
Date: Sat, 11 Jul 2020 22:06:35 +0200
Subject: [PATCH] Add bugbot role to phrik.archlinux.org

Apply more security hardening and add PGP key fetching and verification for
the git repository.
---
 playbooks/phrik.yml               |  1 +
 roles/bugbot/defaults/main.yml    |  4 +++-
 roles/bugbot/files/bugbot.service |  4 ++++
 roles/bugbot/tasks/main.yml       | 10 +++++++++-
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/playbooks/phrik.yml b/playbooks/phrik.yml
index 1e56a2ae7..9905614fc 100644
--- a/playbooks/phrik.yml
+++ b/playbooks/phrik.yml
@@ -7,6 +7,7 @@
     - { role: common }
     - { role: tools }
     - { role: archusers }
+    - { role: bugbot }
     - { role: phrik }
     - { role: sshd }
     - { role: unbound }
diff --git a/roles/bugbot/defaults/main.yml b/roles/bugbot/defaults/main.yml
index c9f3a7f1e..32814d295 100644
--- a/roles/bugbot/defaults/main.yml
+++ b/roles/bugbot/defaults/main.yml
@@ -2,7 +2,9 @@
 irc_host: 'chat.freenode.net'
 irc_port: '6697'
 irc_channel: '#archlinux-bugs'
-bugbot_version: 20200630
+bugbot_version: '20200630'
+bugbot_pgp_keys: ['92D9C6CDE99A2024D690A76EE742683BA08CB2FF']
+bugbot_pgp_emails: ['foxboron@archlinux.org']
 bugbot_admins:
   - keenerd
   - falconindy
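Review bot: The two new lists carry different trust weight and nothing in the defaults says so: `bugbot_pgp_keys` is the fingerprint whitelist that `verify_commit` actually enforces, while `bugbot_pgp_emails` only drives key fetching via WKD/keyserver and is not itself trusted. A maintainer rotating one without the other gets a clone that fails verification with no hint why. Add a comment above the pair, e.g. `# Fingerprints accepted by the git module's gpg_whitelist (the trust anchor).` and `# Emails are only used to locate and fetch those keys; keep both lists in step.` The surrounding role defaults continue outside the hunk.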
diff --git a/roles/bugbot/files/bugbot.service b/roles/bugbot/files/bugbot.service
index 1775f220a..d18d809f7 100644
--- a/roles/bugbot/files/bugbot.service
+++ b/roles/bugbot/files/bugbot.service
@@ -8,10 +8,14 @@ Restart=on-failure
 ProtectSystem=strict
 DynamicUser=yes
 PrivateDevices=true
+PrivateUsers=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
+RestrictRealtime=true
 
 
 [Install]
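Review bot: The added directives harden the kernel/privilege surface but leave the network and namespace surface open for a bot that, from the unit alone, appears to need only outbound TCP: nothing restricts address families, namespace creation or personality changes. The [Service] section starts above the hunk, so the ExecStart and any existing RestrictAddressFamilies/SystemCallFilter lines are not visible here; if none exist, consider adding `RestrictAddressFamilies=AF_INET AF_INET6`, `RestrictNamespaces=true` and `LockPersonality=true` next to `RestrictRealtime=true`. Check the rendered unit with `systemd-analyze security` after the change rather than trusting the directive list.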
diff --git a/roles/bugbot/tasks/main.yml b/roles/bugbot/tasks/main.yml
index 714f4c6ef..4d46b8190 100644
--- a/roles/bugbot/tasks/main.yml
+++ b/roles/bugbot/tasks/main.yml
@@ -3,13 +3,21 @@
 - name: install bugbot utilities
   pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present
 
+- name: receive valid signing keys
+  become: true
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
+  with_items: '{{ bugbot_pgp_emails }}'
+  register: gpg
+  changed_when: "gpg.rc == 0"
+
 - name: clone bugbot source
   git:
     repo: https://gitlab.archlinux.org/archlinux/bugbot.git
     dest: /srv/bugbot
     force: true
     verify_commit: true
-    version: "{{ bugbot_version }}"
+    gpg_whitelist: '{{ bugbot_pgp_keys }}'
+    version: '{{ bugbot_version }}'
 
 - name: install env file
   template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600
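Review bot: `changed_when: "gpg.rc == 0"` on the new key-fetch task is effectively the `command` module's default (a non-zero rc already fails the task), so the task reports changed on every run and the network fetch is never reflected as idempotent. If gpg's import summary lands on stderr as it does for `--recv-keys`, something like `changed_when: "'imported' in gpg.stderr"` would report a change only when a new key arrived; otherwise `changed_when: false` is the honest choice. The task also runs with `become: true`, so the keys land in root's keyring, while the following `git` task shows no `become` in the hunk; whether `verify_commit` consults the same keyring depends on the play-level settings outside this file, which is worth confirming and noting in a comment on the task.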
-- 
GitLab