Merge "Run matrix-gerritbot with gerritbot user"

1 year ago · 76a605a1dc
parent 7cea2a9f83 7f9f1a2fad
commit 76a605a1dc
3 changed files with 31 additions and 3 deletions
--- a/playbooks/roles/matrix-gerritbot/defaults/main.yaml
+++ b/playbooks/roles/matrix-gerritbot/defaults/main.yaml
@ -1,3 +1,5 @@
+gerritbot_gid: 11000
+gerritbot_uid: 11000
 gerritbot_matrix_version: 4aeeac8
 gerritbot_matrix_image: quay.io/software-factory/gerritbot-matrix:{{ gerritbot_matrix_version }}
 gerritbot_matrix_prometheus_port: 9001
--- a/playbooks/roles/matrix-gerritbot/tasks/main.yaml
+++ b/playbooks/roles/matrix-gerritbot/tasks/main.yaml
@ -1,7 +1,24 @@
+- name: Create gerritbot group
+  group:
+    name: "gerritbot"
+    gid: "{{ gerritbot_gid }}"
+    system: yes
+- name: Create gerritbot user
+  user:
+    name: "gerritbot"
+    group: "gerritbot"
+    uid: "{{ gerritbot_uid }}"
+    home: "/var/lib/gerritbot"
+    create_home: yes
+    shell: /bin/bash
+    system: yes
+
 - name: Ensure bot directories
  file:
    state: directory
    path: '/var/lib/matrix-gerritbot/{{ item }}'
+    owner: gerritbot
+    group: gerritbot
    mode: 0700
  loop:
    - config
@ -11,6 +28,8 @@
  copy:
    src: gerritbot.yaml
    dest: /var/lib/matrix-gerritbot/config/gerritbot.yaml
+    owner: gerritbot
+    group: gerritbot
  register: _gerritbot_config

 - name: Lookup the configuration schema
@ -25,7 +44,7 @@
  vars:
    config: /var/lib/matrix-gerritbot/config
    yaml_to_dhall: >-
-      docker run -i -v {{ config }}:{{ config }}
+      docker run --user {{ gerritbot_uid }}:{{ gerritbot_gid }} -i -v {{ config }}:{{ config }}
      --rm docker.io/dhallhaskell/dhall-yaml yaml-to-dhall
    schema: "List {{ _gerritbot_schema.stdout }}"

@ -34,17 +53,23 @@
    content: "{{ gerritbot_ssh_key }}"
    dest: "/var/lib/matrix-gerritbot/ssh/id_{{ gerritbot_ssh_key_format }}"
    mode: 0400
+    owner: gerritbot
+    group: gerritbot
  no_log: true

 - name: Install gerritbot ssh key
  copy:
    content: "{{ gerritbot_ssh_pubkey }}"
    dest: "/var/lib/matrix-gerritbot/ssh/id_{{ gerritbot_ssh_key_format }}.pub"
+    owner: gerritbot
+    group: gerritbot

 - name: Install gerritbot known host
  copy:
    content: "{{ gerritbot_known_hosts }}"
    dest: "/var/lib/matrix-gerritbot/ssh/known_hosts"
+    owner: gerritbot
+    group: gerritbot

 - name: Ensure /etc/matrix-gerritbot-docker directory
  file:
--- a/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
@ -6,6 +6,7 @@ services:
  gerritbot-matrix:
    image: {{ gerritbot_matrix_image }}
    network_mode: host
+    user: "{{ gerritbot_uid }}:{{ gerritbot_gid }}"
    restart: always
    logging:
      driver: syslog
@ -15,8 +16,8 @@ services:
      MATRIX_TOKEN: {{ gerritbot_matrix_access_token }}
      MATRIX_IDENTITY_TOKEN: {{ gerritbot_matrix_identity_token }}
    volumes:
-      - /var/lib/matrix-gerritbot/config:/config
-      - /var/lib/matrix-gerritbot/ssh:/root/.ssh
+      - /var/lib/matrix-gerritbot/config:/config:ro
+      - /var/lib/matrix-gerritbot/ssh:/root/.ssh:ro
    healthcheck:
      test: "gerritbot-matrix check {{ gerritbot_matrix_prometheus_port }}"
      retries: 6