From 639101e6b48fa482329030ffbaebf935fe197015 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sun, 3 Nov 2024 19:09:41 +0100
Subject: [PATCH] gitlab: Add ruby script for continuous extending of bot
 tokens

We are not on top of expiring bot tokens and we usually only notice when
someone else points it out.

It is also a bit cumbersome to add new bot tokens, so avoid the issue
altogether, by just extending the lifetime of the bot tokens
continuously.

Fix #617
---
 .../all/gitlab_bots.yml                       |  0
 .../files/gitlab-bot-token-extender.service   |  6 ++++++
 .../files/gitlab-bot-token-extender.timer     | 10 ++++++++++
 roles/gitlab/tasks/main.yml                   | 20 +++++++++++++++----
 .../templates/gitlab-bot-token-extender.rb.j2 |  7 +++++++
 5 files changed, 39 insertions(+), 4 deletions(-)
 rename roles/gluebuddy/defaults/main.yml => group_vars/all/gitlab_bots.yml (100%)
 create mode 100644 roles/gitlab/files/gitlab-bot-token-extender.service
 create mode 100644 roles/gitlab/files/gitlab-bot-token-extender.timer
 create mode 100644 roles/gitlab/templates/gitlab-bot-token-extender.rb.j2

diff --git a/roles/gluebuddy/defaults/main.yml b/group_vars/all/gitlab_bots.yml
similarity index 100%
rename from roles/gluebuddy/defaults/main.yml
rename to group_vars/all/gitlab_bots.yml
diff --git a/roles/gitlab/files/gitlab-bot-token-extender.service b/roles/gitlab/files/gitlab-bot-token-extender.service
new file mode 100644
index 000000000..c0720dc12
--- /dev/null
+++ b/roles/gitlab/files/gitlab-bot-token-extender.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=GitLab Bot Token Extender
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/docker exec -t gitlab gitlab-rails runner /opt/gitlab-scripts/gitlab-bot-token-extender.rb
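Review bot: The unit declares no ordering or dependency on docker, yet `ExecStart` runs `docker exec` against the running `gitlab` container; with `Persistent=true` on the companion timer a missed run fires shortly after boot, when the daemon and the container may not be up yet, and the oneshot would simply fail. Adding `After=docker.service` and `Requires=docker.service` under `[Unit]` covers the daemon side (the container itself is started by Ansible, so a failed run will still land in the journal and is worth alerting on). The `-t` flag allocates a pseudo-TTY that a systemd-started oneshot does not have; it is not needed for a non-interactive `gitlab-rails runner` invocation and, as far as I can tell, only puts terminal line endings into the journal output, so `ExecStart=/usr/bin/docker exec gitlab gitlab-rails runner /opt/gitlab-scripts/gitlab-bot-token-extender.rb` is the cleaner form.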
diff --git a/roles/gitlab/files/gitlab-bot-token-extender.timer b/roles/gitlab/files/gitlab-bot-token-extender.timer
new file mode 100644
index 000000000..a2d4b3958
--- /dev/null
+++ b/roles/gitlab/files/gitlab-bot-token-extender.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=GitLab Bot Token Extender
+
+[Timer]
+OnCalendar=weekly
+Persistent=true
+RandomizedDelaySec=24h
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
index 3e6ec8951..935ea31c8 100644
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -4,8 +4,11 @@
 - name: Start docker
   service: name=docker enabled=yes state=started
 
-- name: Create directory for gitlab
-  file: path=/srv/gitlab state=directory owner=root group=root mode=0755
+- name: Create directories for gitlab
+  file: path={{ item }} state=directory owner=root group=root mode=0755
+  loop:
+    - /srv/gitlab
+    - /srv/gitlab/scripts
 
 - name: Start docker gitlab image
   docker_container:
@@ -102,6 +105,7 @@
       - "/srv/gitlab/config:/etc/gitlab"
       - "/srv/gitlab/logs:/var/log/gitlab"
       - "/srv/gitlab/data:/var/opt/gitlab"
+      - "/srv/gitlab/scripts:/opt/gitlab-scripts:ro"
 
 - name: Prune unused docker images
   docker_prune:
@@ -124,11 +128,19 @@
   tags:
     - firewall
 
-- name: Copy gitlab-cleanup timer and service
+- name: Install ruby script for extending bot tokens
+  template: src=gitlab-bot-token-extender.rb.j2 dest=/srv/gitlab/scripts/gitlab-bot-token-extender.rb owner=root group=root mode=0644
+
+- name: Copy {gitlab-cleanup,gitlab-bot-token-extender} timer and service
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - gitlab-cleanup.timer
     - gitlab-cleanup.service
+    - gitlab-bot-token-extender.timer
+    - gitlab-bot-token-extender.service
 
 - name: Activate systemd timers for gitlab-cleanup
-  systemd: name=gitlab-cleanup.timer enabled=yes state=started daemon-reload=yes
+  systemd: name={{ item }} enabled=yes state=started daemon-reload=yes
+  loop:
+    - gitlab-cleanup.timer
+    - gitlab-bot-token-extender.timer
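Review bot: The task name `Activate systemd timers for gitlab-cleanup` on the context line above the new `loop` is now stale, since the loop also enables `gitlab-bot-token-extender.timer`; `- name: Activate systemd timers for gitlab-cleanup and gitlab-bot-token-extender` keeps the play output honest about what is being changed. The copy task in the same hunk keeps `with_items` while both new tasks use `loop`; settling on one form throughout the role would read more consistently. The template task installs the runner script root-owned with `mode=0644` into a directory that the earlier hunk mounts read-only into the container, which is the right posture given that `gitlab-rails runner` executes it with full application privileges.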
diff --git a/roles/gitlab/templates/gitlab-bot-token-extender.rb.j2 b/roles/gitlab/templates/gitlab-bot-token-extender.rb.j2
new file mode 100644
index 000000000..cf17781f2
--- /dev/null
+++ b/roles/gitlab/templates/gitlab-bot-token-extender.rb.j2
@@ -0,0 +1,7 @@
+bots = [{{ gitlab_bots | map("to_json") | join(', ') }}]
+
+bots.each do |username|
+  puts "Bot user: #{username}"
+  user = User.find_by_username(username)
+  user.personal_access_tokens.update_all(expires_at: 12.months.from_now)
+end
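Review bot: `User.find_by_username(username)` returns nil for an unknown or renamed bot, and the following `user.personal_access_tokens` call then raises, aborting the whole loop before the remaining bots are processed; a guard that logs and continues keeps one stale entry in `gitlab_bots` from leaving every later bot's tokens to expire. `update_all` writes the column directly and bypasses model validations, so if the instance enforces a maximum token lifetime this presumably sidesteps it, and it also rewrites revoked tokens; if the token model exposes an active-tokens scope, narrowing the relation to it would be tighter. Since the runner executes with the Rails application's full privileges, a header comment such as `# Run via gitlab-rails runner: extends every personal access token of each bot in gitlab_bots by 12 months` would tell the next reader what this file is allowed to do.
```ruby
  user = User.find_by_username(username)
  if user.nil?
    warn "Bot user not found: #{username}"
    next
  end
  # … unchanged: update_all call …
```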
-- 
GitLab