Update the 2020-06-29 release with rebuilderd integration

roles/archweb/defaults/main.yml

@@ -13,7 +13,7 @@ archweb_domains_templates:
 archweb_allowed_hosts: ["{{ archweb_domain }}", 'ipxe.archlinux.org']
 archweb_nginx_conf: '/etc/nginx/nginx.d/archweb.conf'
 archweb_repository: 'https://github.com/archlinux/archweb.git'
-archweb_version: release_2020-06-05
+archweb_version: release_2020-06-29
 archweb_pgp_key: ['E499C79F53C96A54E572FEE1C06086337C50773E']
 archweb_site: true
 archweb_mirrorcheck: false

roles/archweb/tasks/main.yml

@@ -177,6 +177,18 @@
     - daemon reload
   when: archweb_planet
 
+- name: install rebuilderd status service
+  template: src="archweb-rebuilderd.service.j2" dest="/etc/systemd/system/archweb-rebuilderd.service" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_site
+
+- name: install rebulderd timer
+  template: src="archweb-rebuilderd.timer.j2" dest="/etc/systemd/system/archweb-rebuilderd.timer" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_site
+
 - name: install pgp_import service
   template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
   notify:
@@ -292,6 +304,10 @@
   service: name="archweb-planet.timer" enabled=yes state=started
   when: archweb_planet
 
+- name: start and enable archweb rebulderd update timer
+  service: name="archweb-rebuilderd.timer" enabled=yes state=started
+  when: archweb_site
+
 - name: start and enable archweb donor_import and archweb-dump_donor_mail timer
   systemd:
     name: "{{ item }}"

roles/archweb/templates/archweb-rebuilderd.service.j2

+[Unit]
+Description=archweb update rebuilderd status service
+After=network.target
+
+[Service]
+Type=oneshot
+User=archweb
+WorkingDirectory={{ archweb_dir }}
+ExecStart={{ archweb_dir }}/env/bin/python manage.py read_reproducible_status -v3
+
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+NoNewPrivileges=true
+RestrictRealtime=true
+# Unable to enable due to https://cffi.readthedocs.io/en/latest/using.html#callbacks
+#MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

roles/archweb/templates/archweb-rebuilderd.timer.j2

+[Unit]
+Description=archweb rebuilderd timer
+
+[Timer]
+OnUnitActiveSec=60m
+OnBootSec=15min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target