From fca14fb1617f643bc5f46ede9f6df5210867281d Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Fri, 6 Oct 2023 19:26:00 +0200
Subject: [PATCH] bugbuddy: Use wireguard for connections from
 gitlab.archlinux.org

There is no reason for exposing the service to the whole internet nor
communicating without encryption. It could be fixed by restricting the
firewall rule to the public IP of the gitlab server and running it over
HTTPS or we could just use our existing WG network.

To allow gitlab to send requests to a private network address, the IP
has been allowlisted[1]. The endpoint also expects a "secret token"[2],
so it won't accept events from e.g. users creating a webhook with the
same URL.

[1] https://docs.gitlab.com/ee/security/webhooks.html#allow-outbound-requests-to-certain-ip-addresses-and-domains
[2] https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#validate-payloads-by-using-a-secret-token
---
 roles/bugbuddy/tasks/main.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/bugbuddy/tasks/main.yml b/roles/bugbuddy/tasks/main.yml
index 9768509f6..3dbd5a833 100644
--- a/roles/bugbuddy/tasks/main.yml
+++ b/roles/bugbuddy/tasks/main.yml
@@ -18,8 +18,9 @@
 - name: Start and enable daemon service
   systemd: name=bugbuddy.service enabled=yes state=started
 
-- name: Open firewall holes
-  ansible.posix.firewalld: port=3000/tcp permanent=true state=enabled immediate=yes
+- name: Open bugbuddy ipv4 port for gitlab.archlinux.org
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['gitlab.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8080 accept"
   when: configure_firewall
   tags:
     - firewall
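Review bot: Dropping the old "Open firewall holes" task does not revoke the permanent 3000/tcp rule on hosts that already ran it, so the port stays exposed in the default zone and the commit's stated goal (no longer reachable from the whole internet) is only met on fresh deployments. Add an explicit teardown next to the new task, `- name: Close previously exposed bugbuddy port` / `ansible.posix.firewalld: port=3000/tcp permanent=true state=disabled immediate=yes` / `when: configure_firewall`, and drop it again once every host has converged. The new rich rule also switches the port from 3000 to 8080 without the commit message saying why; presumably that matches what bugbuddy actually listens on (not visible in this hunk), but it should be stated, and a comment such as `# bugbuddy listens on 8080; reachable only from gitlab.archlinux.org over WireGuard` above the task would keep the two in sync. Finally, this role already uses `key=value` module args, but for a multi-line rich rule the native YAML form (`zone: wireguard`, `rich_rule: "rule family=ipv4 ..."`) avoids the plain-scalar continuation and is the documented Ansible style.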
-- 
GitLab