Verified Commit d9377b5e authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

Add bugbot role to phrik.archlinux.org

Apply more security hardening, add pgp key fetching and verification for
the git repository.
parent aaa7ace5
...@@ -7,6 +7,7 @@ ...@@ -7,6 +7,7 @@
- { role: common } - { role: common }
- { role: tools } - { role: tools }
- { role: archusers } - { role: archusers }
- { role: bugbot }
- { role: phrik } - { role: phrik }
- { role: sshd } - { role: sshd }
- { role: unbound } - { role: unbound }
......
...@@ -2,7 +2,9 @@ ...@@ -2,7 +2,9 @@
irc_host: 'chat.freenode.net' irc_host: 'chat.freenode.net'
irc_port: '6697' irc_port: '6697'
irc_channel: '#archlinux-bugs' irc_channel: '#archlinux-bugs'
bugbot_version: 20200630 bugbot_version: '20200630'
bugbot_pgp_keys: ['92D9C6CDE99A2024D690A76EE742683BA08CB2FF']
bugbot_pgp_emails: ['foxboron@archlinux.org']
bugbot_admins: bugbot_admins:
- keenerd - keenerd
- falconindy - falconindy
......
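Review bot: The two added lists `bugbot_pgp_keys` and `bugbot_pgp_emails` are written as flow sequences while `bugbot_admins` directly below them uses a block sequence; writing them in block style keeps one sequence style in the file. A comment above them would also help, because the two lists are coupled by the tasks hunk further down: keys are fetched by email, but the clone only accepts the fingerprints in `gpg_whitelist`, so an email whose key fingerprint is missing from `bugbot_pgp_keys` fetches a key that verification will still reject. Suggested comment: `# Every address in bugbot_pgp_emails must have its full fingerprint in bugbot_pgp_keys; the clone task trusts only the fingerprints listed there.`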
...@@ -8,10 +8,14 @@ Restart=on-failure ...@@ -8,10 +8,14 @@ Restart=on-failure
ProtectSystem=strict ProtectSystem=strict
DynamicUser=yes DynamicUser=yes
PrivateDevices=true PrivateDevices=true
PrivateUsers=true
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectControlGroups=true ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
NoNewPrivileges=true NoNewPrivileges=true
RestrictRealtime=true
[Install] [Install]
......
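Review bot: The added directives still leave network and syscall scope unrestricted for a service that, going by the vars file, only needs an outbound IRC connection; `RestrictAddressFamilies=AF_INET AF_INET6`, `SystemCallFilter=@system-service` and `ProtectHome=true` would be the natural next step in the same [Service] block, whose header starts above the hunk. A too-strict address-family or syscall set surfaces as socket() errors or SIGSYS kills at runtime rather than at unit load, so check the journal that the bot still resolves names and connects after adding them. Boolean spelling is also mixed in this block (`DynamicUser=yes` beside `PrivateDevices=true`); systemd accepts both, but one form reads better.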
...@@ -3,13 +3,21 @@ ...@@ -3,13 +3,21 @@
- name: install bugbot utilities - name: install bugbot utilities
pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present
- name: receive valid signing keys
become: true
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
with_items: '{{ bugbot_pgp_emails }}'
register: gpg
changed_when: "gpg.rc == 0"
- name: clone bugbot source - name: clone bugbot source
git: git:
repo: https://gitlab.archlinux.org/archlinux/bugbot.git repo: https://gitlab.archlinux.org/archlinux/bugbot.git
dest: /srv/bugbot dest: /srv/bugbot
force: true force: true
verify_commit: true verify_commit: true
version: "{{ bugbot_version }}" gpg_whitelist: '{{ bugbot_pgp_keys }}'
version: '{{ bugbot_version }}'
- name: install env file - name: install env file
template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600 template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600
......
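Review bot: `changed_when: "gpg.rc == 0"` on the new receive task reports a change on every successful run, so the step never looks idempotent and a genuinely new or rotated key is indistinguishable from a no-op; keying on gpg's import message, e.g. `changed_when: "'imported' in gpg.stderr"`, would report only real imports. The task runs with `become: true`, so the keys land in root's keyring, while the clone task that verifies against them shows no `become` in this hunk; whether both run as the same user depends on play-level settings outside the hunk and is worth confirming, since verification reads the keyring of whichever user runs git. Note too that `--locate-keys` may return an already-imported key without contacting WKD or the keyserver, so a later revocation would not be picked up by this task; a periodic `--refresh-keys` would be needed for that.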