bugbuddy: Use wireguard for connections from gitlab.archlinux.org

There is no reason for exposing the service to the whole internet nor communicating without encryption. It could be fixed by restricting the firewall rule to the public IP of the gitlb server and running it over HTTPS or we could just use our existing WG network. To allow gitlab to send requests to a private network address, the IP has been allowlisted[1]. The endpoint also expects a "secret token"[2], so it won't accept events from e.g. users creating a webhook with the same URL. [1] https://docs.gitlab.com/ee/security/webhooks.html#allow-outbound-requests-to-certain-ip-addresses-and-domains [2] https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#validate-payloads-by-using-a-secret-token

bugbuddy: Use wireguard for connections from gitlab.archlinux.org
fca14fb1 · Kristian Klausen · Levente Polyak · e7a33cd0 · fca14fb1
Verified Commit fca14fb1 authored 1 year ago by Kristian Klausen Committed by Levente Polyak 1 year ago
--- a/roles/bugbuddy/tasks/main.yml
+++ b/roles/bugbuddy/tasks/main.yml
@@ -18,8 +18,9 @@
 - name: Start and enable daemon service
  systemd: name=bugbuddy.service enabled=yes state=started

- name: Open firewall holes
-  ansible.posix.firewalld: port=3000/tcp permanent=true state=enabled immediate=yes
+- name: Open bugbuddy ipv4 port for gitlab.archlinux.org
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['gitlab.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8080 accept"
  when: configure_firewall
  tags:
    - firewall