From 60b990e77a0f0fa22ac032ef5d1b65fc3e755f00 Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@archlinux.org>
Date: Mon, 29 Jun 2020 17:58:02 +0200
Subject: [PATCH] Update the 2020-06-29 release with rebuilderd integration

---
 roles/archweb/defaults/main.yml | 2 +-
 roles/archweb/tasks/main.yml | 16 +++++++++++
 .../templates/archweb-rebuilderd.service.j2 | 27 +++++++++++++++++++
 .../templates/archweb-rebuilderd.timer.j2 | 10 +++++++
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 roles/archweb/templates/archweb-rebuilderd.service.j2
 create mode 100644 roles/archweb/templates/archweb-rebuilderd.timer.j2

diff --git a/roles/archweb/defaults/main.yml b/roles/archweb/defaults/main.yml
index d28dfc63f..0549cefb6 100644
--- a/roles/archweb/defaults/main.yml
+++ b/roles/archweb/defaults/main.yml
@@ -13,7 +13,7 @@ archweb_domains_templates:
 archweb_allowed_hosts: ["{{ archweb_domain }}", 'ipxe.archlinux.org']
 archweb_nginx_conf: '/etc/nginx/nginx.d/archweb.conf'
 archweb_repository: 'https://github.com/archlinux/archweb.git'
-archweb_version: release_2020-06-05
+archweb_version: release_2020-06-29
 archweb_pgp_key: ['E499C79F53C96A54E572FEE1C06086337C50773E']
 archweb_site: true
 archweb_mirrorcheck: false
diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index adbf78c7c..30f57ffa0 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -177,6 +177,18 @@
 - daemon reload
 when: archweb_planet
 
+- name: install rebuilderd status service
+ template: src="archweb-rebuilderd.service.j2" dest="/etc/systemd/system/archweb-rebuilderd.service" owner=root group=root mode=0644
+ notify:
+ - daemon reload
+ when: archweb_site
+
+- name: install rebulderd timer
+ template: src="archweb-rebuilderd.timer.j2" dest="/etc/systemd/system/archweb-rebuilderd.timer" owner=root group=root mode=0644
+ notify:
+ - daemon reload
+ when: archweb_site
+
 - name: install pgp_import service
 template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
 notify:
@@ -292,6 +304,10 @@
 service: name="archweb-planet.timer" enabled=yes state=started
 when: archweb_planet
 
+- name: start and enable archweb rebulderd update timer
+ service: name="archweb-rebuilderd.timer" enabled=yes state=started
+ when: archweb_site
+
 - name: start and enable archweb donor_import and archweb-dump_donor_mail timer
 systemd:
 name: "{{ item }}"
diff --git a/roles/archweb/templates/archweb-rebuilderd.service.j2 b/roles/archweb/templates/archweb-rebuilderd.service.j2
new file mode 100644
index 000000000..62cffeb94
--- /dev/null
+++ b/roles/archweb/templates/archweb-rebuilderd.service.j2
@@ -0,0 +1,27 @@
+[Unit]
+Description=archweb update rebuilderd status service
+After=network.target
+
+[Service]
+Type=oneshot
+User=archweb
+WorkingDirectory={{ archweb_dir }}
+ExecStart={{ archweb_dir }}/env/bin/python manage.py read_reproducible_status -v3
+
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+NoNewPrivileges=true
+RestrictRealtime=true
+# Unable to enable due to https://cffi.readthedocs.io/en/latest/using.html#callbacks
+#MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
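Review bot: The added task names spell the service two ways: `install rebuilderd status service` but `install rebulderd timer`, and the second hunk of this file (`@@ -292,6 +304,10 @@`) repeats the misspelling in `start and enable archweb rebulderd update timer`. The unit files are all named `archweb-rebuilderd.*`, so a search for `rebuilderd` in the role or in playbook output misses two of the three tasks. Rename them to `install rebuilderd timer` and `start and enable archweb rebuilderd update timer`.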
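Review bot: The sandbox in `[Service]` of `archweb-rebuilderd.service.j2` leaves most of the filesystem writable and puts no limit on socket families: `ProtectSystem=full` only makes /usr, the boot loader directories and /etc read-only. For a oneshot job that presumably just fetches status and updates the database, consider adding `ProtectHome=true`, `RestrictSUIDSGID=true` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` next to the existing `Protect*` lines. This assumes `archweb_dir` is not under /home (its value is not visible in this patch) and that the command needs only local and IP sockets. Separately, the `[Install]` section with `WantedBy=multi-user.target` looks unnecessary because the role enables only the timer; if the service were ever enabled directly, the job would also run on every boot.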
diff --git a/roles/archweb/templates/archweb-rebuilderd.timer.j2 b/roles/archweb/templates/archweb-rebuilderd.timer.j2
new file mode 100644
index 000000000..38a79c696
--- /dev/null
+++ b/roles/archweb/templates/archweb-rebuilderd.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=archweb rebuilderd timer
+
+[Timer]
+OnUnitActiveSec=60m
+OnBootSec=15min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target
-- 
GitLab
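Review bot: The intervals in `[Timer]` mix two spellings of the same unit, `OnUnitActiveSec=60m` against `OnBootSec=15min` and `RandomizedDelaySec=1min`. systemd accepts both, but `OnUnitActiveSec=60min` (or `1h`) would keep the file consistent. A one-line comment above the settings would also help the next reader, for example `# first run 15 min after boot, then hourly after each activation`.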