Split eavesdrop into its own playbook

Extract eavedrop into its own service playbook and
puppet manifest. While doing that, stop using jenkinsuser
on eavesdrop in favor of zuul-user.

Add the ability to override the keys for the zuul user.

Remove openstack_project::server, it doesn't do anything.

Containerize and anisblize accessbot. The structure of
how we're doing it in puppet makes it hard to actually
run the puppet in the gate. Run the script in its own
playbook so that we can avoid running it in the gate.

Change-Id: I53cb63ffa4ae50575d4fa37b24323ad13ec1bac3

.zuul.yaml

@@ -230,6 +230,37 @@
     vars: *haproxy-statsd_vars
     files: *haproxy-statsd_files
 
+# accessbot jobs
+- job:
+    name: system-config-build-image-accessbot
+    description: Build a accessbot image.
+    parent: system-config-build-image
+    requires: python-base-3.7-container-image
+    provides: accessbot-container-image
+    vars: &accessbot_vars
+      docker_images:
+        - context: docker/accessbot
+          repository: opendevorg/accessbot
+    files: &accessbot_files
+      - docker/accessbot/
+      - docker/python-base/
+
+- job:
+    name: system-config-upload-image-accessbot
+    description: Build and upload a accessbot image.
+    parent: system-config-upload-image
+    requires: python-base-3.7-container-image
+    provides: accessbot-container-image
+    vars: *accessbot_vars
+    files: *accessbot_files
+
+- job:
+    name: system-config-promote-image-accessbot
+    description: Promote a previously published accessbot image to latest.
+    parent: system-config-promote-image
+    vars: *accessbot_vars
+    files: *accessbot_files
+
 # Gerrit 2.13 jobs
 - job:
     name: system-config-build-image-gerrit-2.13
@@ -980,22 +1011,36 @@
 
 - job:
     name: system-config-run-eavesdrop
-    parent: system-config-run
+    parent: system-config-run-containers
     description: |
       Run the playbook for an eavesdrop server.
+    required-projects:
+      - opendev/system-config
+      - openstack/project-config
+    requires: accessbot-container-image
     nodeset:
       nodes:
         - name: bridge.openstack.org
           label: ubuntu-bionic
         - name: eavesdrop01.openstack.org
           label: ubuntu-xenial
-    files:
-      - playbooks/install-ansible.yaml
-      - playbooks/group_vars/eavesdrop.yaml
-      - testinfra/test_eavesdrop.py
     vars:
       run_playbooks:
-        - playbooks/remote_puppet_else.yaml
+        - playbooks/service-eavesdrop.yaml
+    files:
+      - playbooks/service-eavesdrop.yaml
+      - playbooks/run-accessbot.yaml
+      - playbooks/group_vars/eavesdrop.yaml
+      - playbooks/roles/zuul-user
+      - playbooks/roles/install-docker
+      - playbooks/roles/puppet-install/
+      - playbooks/roles/disable-puppet-agent/
+      - playbooks/roles/accessbot
+      - playbooks/roles/logrotate
+      - modules/openstack_project/manifests/eavesdrop.pp
+      - manifests/eavesdrop.pp
+      - docker/accessbot/
+      - testinfra/test_eavesdrop.py
 
 - job:
     name: system-config-run-codesearch
@@ -1521,7 +1566,6 @@
     required-projects:
       - opendev/system-config
       - opendev/ansible-role-puppet
-      - opendev/puppet-accessbot
       - opendev/puppet-ansible
       - opendev/puppet-apparmor
       - opendev/puppet-askbot
@@ -1700,7 +1744,6 @@
       - opendev/puppet-snmpd
       - opendev/puppet-user
       - opendev/puppet-jeepyb
-      - opendev/puppet-accessbot
       - opendev/puppet-ptgbot
       - opendev/puppet-jenkins
       - opendev/puppet-vcsrepo
@@ -1764,7 +1807,6 @@
     required-projects:
       - opendev/ansible-role-puppet
       - openstack/logstash-filters
-      - opendev/puppet-accessbot
       - opendev/puppet-ansible
       - opendev/puppet-askbot
       - opendev/puppet-asterisk
@@ -2287,6 +2329,52 @@
       - modules/openstack_project/files/resync-hound-config.sh
       - manifests/codesearch.pp
 
+- job:
+    name: infra-prod-service-eavesdrop
+    parent: infra-prod-service-base
+    description: Run service-eavesdrop.yaml playbook
+    required-projects:
+      - opendev/system-config
+      - openstack/project-config
+    dependencies:
+      - name: infra-prod-install-ansible
+        soft: true
+      - name: infra-prod-base
+        soft: true
+      - name: infra-prod-service-letsencrypt
+        soft: true
+      - name: system-config-promote-image-accessbot
+        soft: true
+    vars:
+      playbook_name: service-eavesdrop.yaml
+    files: &infra_prod_eavesdrop_files
+      - inventory/
+      - playbooks/service-eavesdrop.yaml
+      - playbooks/run-accessbot.yaml
+      - playbooks/group_vars/eavesdrop.yaml
+      - playbooks/roles/zuul-user
+      - playbooks/roles/install-docker
+      - playbooks/roles/puppet-install/
+      - playbooks/roles/disable-puppet-agent/
+      - playbooks/roles/accessbot
+      - playbooks/roles/logrotate
+      - modules/openstack_project/manifests/eavesdrop.pp
+      - manifests/eavesdrop.pp
+      - docker/accessbot/
+
+- job:
+    name: infra-prod-run-accessbot
+    parent: infra-prod-service-base
+    description: Run run-accessbot.yaml playbook
+    required-projects:
+      - opendev/system-config
+      - openstack/project-config
+    dependencies:
+      - infra-prod-service-eavesdrop
+    vars:
+      playbook_name: run-accessbot.yaml
+    files: *infra_prod_eavesdrop_files
+
 # Run AFS changes separately so we can make sure to only do one at a time
 # (turns out quorum is nice to have)
 - job:
@@ -2537,7 +2625,11 @@
             voting: false
         - system-config-run-backup
         - system-config-run-dns
-        - system-config-run-eavesdrop
+        - system-config-run-eavesdrop:
+            dependencies:
+              - name: opendev-buildset-registry
+              - name: system-config-build-image-accessbot
+                soft: true
         - system-config-run-codesearch
         - system-config-run-lists
         - system-config-run-nodepool
@@ -2588,6 +2680,11 @@
               - name: opendev-buildset-registry
               - name: system-config-build-image-python-base-3.7
                 soft: true
+        - system-config-build-image-accessbot:
+            dependencies:
+              - name: opendev-buildset-registry
+              - name: system-config-build-image-python-base-3.7
+                soft: true
         - system-config-build-image-python-base-3.7
         - system-config-build-image-python-base-3.8
         - system-config-build-image-python-builder-3.7
@@ -2602,7 +2699,11 @@
         - tox-linters
         - system-config-run-base
         - system-config-run-dns
-        - system-config-run-eavesdrop
+        - system-config-run-eavesdrop:
+            dependencies:
+              - name: opendev-buildset-registry
+              - name: system-config-upload-image-accessbot
+                soft: true
         - system-config-run-codesearch
         - system-config-run-lists
         - system-config-run-nodepool
@@ -2653,6 +2754,11 @@
               - name: opendev-buildset-registry
               - name: system-config-upload-image-python-base-3.7
                 soft: true
+        - system-config-upload-image-accessbot:
+            dependencies:
+              - name: opendev-buildset-registry
+              - name: system-config-build-image-python-base-3.7
+                soft: true
         - system-config-upload-image-python-base-3.7
         - system-config-upload-image-python-base-3.8
         - system-config-upload-image-python-builder-3.7
@@ -2668,6 +2774,7 @@
         - system-config-promote-image-etherpad
         - system-config-promote-image-jitsi-meet
         - system-config-promote-image-haproxy-statsd
+        - system-config-promote-image-accessbot
         - system-config-promote-image-python-base-3.7
         - system-config-promote-image-python-base-3.8
         - system-config-promote-image-python-builder-3.7
@@ -2717,6 +2824,7 @@
         - infra-prod-service-review-dev
         - infra-prod-service-gitea
         - infra-prod-service-codesearch
+        - infra-prod-service-eavesdrop
         - infra-prod-remote-puppet-afs
         - infra-prod-remote-puppet-else
     periodic:
@@ -2748,6 +2856,8 @@
         - infra-prod-service-review-dev
         - infra-prod-service-gitea
         - infra-prod-service-codesearch
+        - infra-prod-service-eavesdrop
+        - infra-prod-run-accessbot
         - infra-prod-remote-puppet-afs
     opendev-prod-hourly:
       jobs:
@@ -2768,3 +2878,7 @@
             dependencies:
               - name: infra-prod-install-ansible
                 soft: true
+        - infra-prod-run-accessbot:
+            dependencies:
+              - name: infra-prod-install-ansible
+                soft: true

docker/accessbot/Dockerfile

@@ -0,0 +1,21 @@
+# Copyright (c) 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM docker.io/opendevorg/python-base:3.7
+
+RUN pip install pyyaml irc
+COPY accessbot.py /usr/local/bin/accessbot.py
+COPY accessbot.sh /usr/local/bin/accessbot
+CMD ["/usr/local/bin/accessbot", "-c", "/etc/accessbot/accessbot.config", "-l", "/etc/accessbot/channels.yaml", ">>", "]]

docker/accessbot/accessbot.py

@@ -0,0 +1,248 @@
+#! /usr/bin/env python
+
+# Copyright 2011, 2013-2014 OpenStack Foundation
+# Copyright 2012 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import configparser
+import argparse
+import irc.client
+import logging
+import ssl
+import sys
+import time
+import yaml
+
+logging.basicConfig(
+    format='%(asctime)s [%(levelname)s] %(name)s - %(message)s',
+    level=logging.DEBUG)
+
+
+class SetAccess(irc.client.SimpleIRCClient):
+    log = logging.getLogger("setaccess")
+
+    def __init__(self, config, noop, nick, password, server, port):
+        irc.client.SimpleIRCClient.__init__(self)
+        self.identify_msg_cap = False
+        self.config = config
+        self.nick = nick
+        self.password = password
+        self.server = server
+        self.port = int(port)
+        self.noop = noop
+        self.channels = [x['name'] for x in self.config['channels']]
+        self.current_channel = None
+        self.current_list = []
+        self.changes = []
+        self.identified = False
+        if self.port == 6697:
+            factory = irc.connection.Factory(wrapper=ssl.wrap_socket)
+            self.connect(self.server, self.port, self.nick,
+                         connect_factory=factory)
+        else:
+            self.connect(self.server, self.port, self.nick)
+
+    def on_disconnect(self, connection, event):
+        sys.exit(0)
+
+    def on_welcome(self, c, e):
+        self.identify_msg_cap = False
+        self.log.debug("Requesting identify-msg capability")
+        c.cap('REQ', 'identify-msg')
+        c.cap('END')
+
+    def on_cap(self, c, e):
+        self.log.debug("Received cap response %s" % repr(e.arguments))
+        if e.arguments[0] == 'ACK' and 'identify-msg' in e.arguments[1]:
+            self.log.debug("identify-msg cap acked")
+            self.identify_msg_cap = True
+            self.log.debug("Identifying to nickserv")
+            c.privmsg("nickserv", "identify %s " % self.password)
+
+    def on_privnotice(self, c, e):
+        if not self.identify_msg_cap:
+            self.log.debug("Ignoring message because identify-msg "
+                           "cap not enabled")
+            return
+        nick = e.source.split('!')[0]
+        auth = e.arguments[0][0]
+        msg = e.arguments[0][1:]
+        if auth == '+' and nick == 'NickServ' and not self.identified:
+            if msg.startswith('You are now identified'):
+                self.identified = True
+                # Prejoin and set ourselves as op in these channels,
+                # to facilitate +f forwarding.
+                for channel in self.config.get('op_channels', []):
+                    c.join("#%s" % channel)
+                    c.privmsg("chanserv", "op #%s" % channel)
+                self.advance()
+                return
+        if auth != '+' or nick != 'ChanServ':
+            self.log.debug("Ignoring message from unauthenticated "
+                           "user %s" % nick)
+            return
+        self.failed = False
+        self.advance(msg)
+
+    def _get_access_list(self, channel_name):
+        ret = {}
+        alumni = []
+        mode = ''
+        channel = None
+        for c in self.config['channels']:
+            if c['name'] == channel_name:
+                channel = c
+        if channel is None:
+            raise Exception("Unknown channel %s" % (channel_name,))
+        mask = ''
+        for access, nicks in (self.config['global'].items() +
+                              channel.items()):
+            if access == 'mask':
+                mask = self.config['access'].get(nicks)
+                continue
+            if access == 'alumni':
+                alumni += nicks
+                continue
+            if access == 'mode':
+                mode = nicks
+                continue
+            flags = self.config['access'].get(access)
+            if flags is None:
+                continue
+            for nick in nicks:
+                ret[nick] = flags
+        return mask, ret, alumni, mode
+
+    def _get_access_change(self, current, target, mask):
+        remove = ''
+        add = ''
+        change = ''
+        for x in current:
+            if x in '+-':
+                continue
+            if target:
+                if x not in target:
+                    remove += x
+            else:
+                if x not in mask:
+                    remove += x
+        for x in target:
+            if x in '+-':
+                continue
+            if x not in current:
+                add += x
+        if remove:
+            change += '-' + remove
+        if add:
+            change += '+' + add
+        return change
+
+    def _get_access_changes(self):
+        mask, target, alumni, mode = self._get_access_list(self.current_channel)
+        self.log.debug("Mask for %s: %s" % (self.current_channel, mask))
+        self.log.debug("Target for %s: %s" % (self.current_channel, target))
+        all_nicks = set()
+        global_alumni = self.config.get('alumni', {})
+        global_mode = self.config.get('mode', '')
+        current = {}
+        changes = []
+        for nick, flags, msg in self.current_list:
+            if nick in global_alumni or nick in alumni :
+                self.log.debug("%s is an alumni; removing access", nick)
+                changes.append('access #%s del %s' % (self.current_channel, nick))
+                continue
+            all_nicks.add(nick)
+            current[nick] = flags
+        for nick in target.keys():
+            all_nicks.add(nick)
+        for nick in all_nicks:
+            change = self._get_access_change(current.get(nick, ''),
+                                             target.get(nick, ''), mask)
+            if change:
+                changes.append('access #%s add %s %s' % (self.current_channel,
+                                                         nick, change))
+
+        # Set the mode.  Note we always just hard-set the mode for
+        # simplicity (per the man page mlock always clears and sets
+        # anyway).  Channel mode overrides global mode.
+        #
+        # Note for +f you need to be op in the target channel; see
+        # op_channel option.
+        if not mode and global_mode:
+            mode = global_mode
+        self.log.debug("Setting mode to : %s" % mode)
+        if mode:
+            changes.append('set #%s mlock %s' % (self.current_channel, mode))
+
+        return changes
+
+    def advance(self, msg=None):
+        if self.changes:
+            if self.noop:
+                for change in self.changes:
+                    self.log.info('NOOP: ' + change)
+                self.changes = []
+            else:
+                change = self.changes.pop()
+                self.log.info(change)
+                self.connection.privmsg('chanserv', change)
+                time.sleep(1)
+                return
+        if not self.current_channel:
+            if not self.channels:
+                self.connection.quit()
+                return
+            self.current_channel = self.channels.pop()
+            self.current_list = []
+            self.connection.privmsg('chanserv', 'access list #%s' %
+                                    self.current_channel)
+            time.sleep(1)
+            return
+        if msg.startswith('End of'):
+            self.changes = self._get_access_changes()
+            self.current_channel = None
+            self.advance()
+            return
+        parts = msg.split()
+        if parts[2].startswith('+'):
+            self.current_list.append((parts[1], parts[2], msg))
+
+
+def main():
+    parser = argparse.ArgumentParser(description='IRC channel access check')
+    parser.add_argument('-c', dest='config', nargs=1,
+                        help='specify the config file')
+    parser.add_argument('-l', dest='channels',
+                        default='/etc/irc/channels.yaml',
+                        help='path to the channel config')
+    parser.add_argument('--noop', dest='noop',
+                        action='store_true',
+                        help="Don't make any changes")
+    args = parser.parse_args()
+
+    config = configparser.ConfigParser()
+    config.read(args.config)
+
+    channels = yaml.load(open(args.channels))
+
+    a = SetAccess(channels, args.noop,
+                  config.get('ircbot', 'nick'),
+                  config.get('ircbot', 'pass'),
+                  config.get('ircbot', 'server'),
+                  config.get('ircbot', 'port'))
+    a.start()
+
+
+if __name__ == "__main__":
+    main()

docker/accessbot/accessbot.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright (c) 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+exec python /usr/local/bin/accessbot.py -c /etc/accessbot/accessbot.config -l /etc/accessbot/channels.yaml >> /var/log/accessbot/accessbot.log 2>&1

manifests/eavesdrop.pp

@@ -0,0 +1,30 @@
+# Node-OS: xenial
+node /^eavesdrop\d*\.open.*\.org$/ {
+  $group = "eavesdrop"
+  class { 'openstack_project::eavesdrop':
+    nickpass                => hiera('openstack_meetbot_password'),
+    statusbot_nick          => hiera('statusbot_nick', 'username'),
+    statusbot_password      => hiera('statusbot_nick_password'),
+    statusbot_server        => 'chat.freenode.net',
+    statusbot_channels      => hiera_array('statusbot_channels', ['openstack_infra']),
+    statusbot_auth_nicks    => hiera_array('statusbot_auth_nicks'),
+    statusbot_wiki_user     => hiera('statusbot_wiki_username', 'username'),
+    statusbot_wiki_password => hiera('statusbot_wiki_password'),
+    statusbot_wiki_url      => 'https://wiki.openstack.org/w/api.php',
+    # https://wiki.openstack.org/wiki/Infrastructure_Status
+    statusbot_wiki_pageid   => '1781',
+    statusbot_wiki_successpageid => '7717',
+    statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',
+    statusbot_wiki_thankspageid => '37700',
+    statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',
+    statusbot_irclogs_url   => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
+    statusbot_twitter                 => true,
+    statusbot_twitter_key             => hiera('statusbot_twitter_key'),
+    statusbot_twitter_secret          => hiera('statusbot_twitter_secret'),
+    statusbot_twitter_token_key       => hiera('statusbot_twitter_token_key'),
+    statusbot_twitter_token_secret    => hiera('statusbot_twitter_token_secret'),
+    meetbot_channels        => hiera('meetbot_channels', ['openstack-infra']),
+    ptgbot_nick             => hiera('ptgbot_nick', 'username'),
+    ptgbot_password         => hiera('ptgbot_password'),
+  }
+}

manifests/site.pp

@@ -86,42 +86,6 @@ node /planet\d*\.open.*\.org$/ {
   }
 }
 
-# Node-OS: xenial
-node /^eavesdrop\d*\.open.*\.org$/ {
-  $group = "eavesdrop"
-  class { 'openstack_project::server': }
-
-  class { 'openstack_project::eavesdrop':
-    project_config_repo     => 'https://opendev.org/openstack/project-config',
-    nickpass                => hiera('openstack_meetbot_password'),
-    statusbot_nick          => hiera('statusbot_nick', 'username'),
-    statusbot_password      => hiera('statusbot_nick_password'),
-    statusbot_server        => 'chat.freenode.net',
-    statusbot_channels      => hiera_array('statusbot_channels', ['openstack_infra']),
-    statusbot_auth_nicks    => hiera_array('statusbot_auth_nicks'),
-    statusbot_wiki_user     => hiera('statusbot_wiki_username', 'username'),
-    statusbot_wiki_password => hiera('statusbot_wiki_password'),
-    statusbot_wiki_url      => 'https://wiki.openstack.org/w/api.php',
-    # https://wiki.openstack.org/wiki/Infrastructure_Status
-    statusbot_wiki_pageid   => '1781',
-    statusbot_wiki_successpageid => '7717',
-    statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',
-    statusbot_wiki_thankspageid => '37700',
-    statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',
-    statusbot_irclogs_url   => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
-    statusbot_twitter                 => true,
-    statusbot_twitter_key             => hiera('statusbot_twitter_key'),
-    statusbot_twitter_secret          => hiera('statusbot_twitter_secret'),
-    statusbot_twitter_token_key       => hiera('statusbot_twitter_token_key'),
-    statusbot_twitter_token_secret    => hiera('statusbot_twitter_token_secret'),
-    accessbot_nick          => hiera('accessbot_nick', 'username'),
-    accessbot_password      => hiera('accessbot_nick_password'),
-    meetbot_channels        => hiera('meetbot_channels', ['openstack-infra']),
-    ptgbot_nick             => hiera('ptgbot_nick', 'username'),
-    ptgbot_password         => hiera('ptgbot_password'),
-  }
-}
-
 # Node-OS: xenial
 node /^ethercalc\d+\.open.*\.org$/ {
   $group = "ethercalc"

modules.env

@@ -63,7 +63,6 @@ SOURCE_MODULES["https://github.com/voxpupuli/puppet-nodejs"]="v2.3.0"
 
 # Add modules that should be part of the openstack-infra integration test here
 # Please keep sorted
-INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-accessbot"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-ansible"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-askbot"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/opendev/puppet-asterisk"]="origin/master"

modules/openstack_project/manifests/eavesdrop.pp

@@ -21,9 +21,6 @@ class openstack_project::eavesdrop (
   $statusbot_twitter_secret = '',
   $statusbot_twitter_token_key = '',
   $statusbot_twitter_token_secret = '',
-  $accessbot_nick = '',
-  $accessbot_password = '',
-  $project_config_repo = '',
   $meetbot_channels = [],
   $ptgbot_nick = '',
   $ptgbot_password = '',
@@ -83,36 +80,16 @@ class openstack_project::eavesdrop (
     }
   }
 
-  class { 'project_config':
-    url  => $project_config_repo,
-  }
-
-  class { 'accessbot':
-    nick          => $accessbot_nick,
-    password      => $accessbot_password,
-    server        => $statusbot_server,
-    channel_file  => $::project_config::accessbot_channels_yaml,
-    require       => $::project_config::config_dir,
-  }
-
-  # Needed to allow Jenkins jobs to publish meeting info to
-  # the eavesdrop server.
-  include openstack_project
-  class { 'jenkins::jenkinsuser':
-    ssh_key     => $openstack_project::jenkins_ssh_key,
-  }
-
   file { '/srv/yaml2ical':
     ensure  => directory,
-    owner   => 'jenkins',
+    owner   => 'zuul',
-    group   => 'jenkins',
+    group   => 'zuul',
-    require => User['jenkins'],
   }
 
   file { '/srv/yaml2ical/calendars':
     ensure  => directory,
-    owner   => 'jenkins',
+    owner   => 'zuul',
-    group   => 'jenkins',
+    group   => 'zuul',
     require => File['/srv/yaml2ical'],
   }
 

playbooks/group_vars/eavesdrop.yaml

@@ -1,2 +1,5 @@
 iptables_extra_public_tcp_ports:
   - 80
+zuul_user_authorized_key: |
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h zuul-system-config-20180924
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQbidZ1wW8moNtPGBhZ3oDm1kcDtiAemI51euL6KZslwpG8CKMT0KBSYw1vpCYc5dYCerq63dQtg2Bm1rhc2gC/U2bbMlvnNPwlkS7eykVfrPDfJHVbff+qHv7l1e1ZoCVAEvVxXG/FgFUiqIKwEhMqG/Etegw07H7vERNETGE5RyRA8cMnK9Cj4oL0OUpZAv7o1a+A+gXRv1EMdWL7g9M6OImikO48w+ZSLOA8uD+0MmN23nh335k2VG609u+ZxTkZAB4GtW0HSCTFu5MCmJFaY1+5cCNedsC9O4ekaXNQxYelFxasN5Qe7miRWcR+Ax8g3HjHpG3Hc1LSc/6XVcj zuul-project-config-20180924

playbooks/remote_puppet_else.yaml

@@ -1,4 +1,4 @@
-- hosts: 'puppet:!review:!afs:!afsdb:!puppetmaster*:!nb*:!codesearch:!disabled'
+- hosts: 'puppet:!review:!afs:!afsdb:!puppetmaster*:!nb*:!codesearch:!eavesdrop:!disabled'
   name: "Puppet-else: run puppet on all other servers"
   strategy: free
   roles:

playbooks/roles/accessbot/README.rst

@@ -0,0 +1 @@
+Set up accessbot

playbooks/roles/accessbot/files/accessbot

@@ -0,0 +1,20 @@
+#!/bin/bash
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+exec docker run --rm --net=host \
+  -v/etc/accessbot:/etc/accessbot \
+  -v/var/log/accessbot:/var/log/accessbot \
+  docker.io/opendevorg/accessbot

playbooks/roles/accessbot/tasks/main.yaml

@@ -0,0 +1,36 @@
+- name: Install accessbot script
+  copy:
+    src: accessbot
+    dest: /usr/local/bin/accessbot
+    mode: 0755
+
+- name: Ensure accessbot log dir
+  file:
+    path: /var/log/accessbot
+    state: directory
+
+- name: Ensure config dir
+  file:
+    path: /etc/accessbot
+    state: directory
+
+- name: Install accessbot config
+  template:
+    src: accessbot.config.j2
+    dest: /etc/accessbot/accessbot.config
+    mode: 0440
+
+- name: Copy accessbot channel config
+  copy:
+    remote_src: true
+    src: /opt/project-config/accessbot/channels.yaml
+    dest: /etc/accessbot/channels.yaml
+
+- name: Setup log rotation
+  include_role:
+    name: logrotate
+  vars:
+    logrotate_file_name: /var/log/accessbot/accessbot.log
+
+- name: Pull latest image
+  command: docker pull docker.io/opendevorg/accessbot

playbooks/roles/accessbot/templates/accessbot.config.j2

@@ -0,0 +1,5 @@
+[ircbot]
+nick={{ accessbot_nick }}
+pass={{ accessbot_nick_password }}
+server=chat.freenode.net
+port=6697

playbooks/roles/set-hostname

@@ -0,0 +1 @@
+../../roles/set-hostname/

playbooks/roles/zuul-user/README.rst

@@ -9,3 +9,8 @@ Install a user ``zuul`` that has the per-project key from
    :default: False
 
    Enable passwordless ``sudo`` access for the zuul user.
+
+.. zuul:rolevar:: zuul_user_authorized_key
+   :default: per-project key from system-config
+
+   Authorized key content for the zuul user.

playbooks/roles/zuul-user/defaults/main.yaml

@@ -1 +1,4 @@
-zuul_user_enable_sudo: False
+zuul_user_enable_sudo: False
+# Zuul key from https://zuul.opendev.org/api/tenant/openstack/project-ssh-key/opendev/system-config.pub at 2020-02-26
+zuul_user_authorized_key: |
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h

playbooks/roles/zuul-user/tasks/main.yaml

@@ -17,6 +17,4 @@
   authorized_key:
     user: zuul
     state: present
-    key: |
+    key: '{{ zuul_user_authorized_key }}'
-      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h
-    comment: Zuul key from https://zuul.opendev.org/api/tenant/openstack/project-ssh-key/opendev/system-config.pub at 2020-02-26

playbooks/run-accessbot.yaml

@@ -0,0 +1,5 @@
+- hosts: 'eavesdrop:!disabled'
+  name: "eavesdrop: run accessbot"
+  tasks:
+    - name: Run accessbot
+      command: /usr/local/bin/accessbot

playbooks/service-eavesdrop.yaml

@@ -0,0 +1,12 @@
+- hosts: 'eavesdrop:!disabled'
+  name: "eavesdrop: run puppet on eavesdrop"
+  strategy: free
+  roles:
+    - zuul-user
+    - sync-project-config
+    - install-docker
+    - accessbot
+    - puppet-install
+    - disable-puppet-agent
+    - name: puppet
+      manifest: /opt/system-config/production/manifests/eavesdrop.pp

playbooks/set-hostnames.yaml

@@ -1,5 +1,4 @@
 - hosts: "!disabled"
   gather_facts: false
-  user: root
   roles:
     - set-hostname

playbooks/zuul/run-base-pre.yaml

@@ -4,6 +4,7 @@
     - multi-node-known-hosts
     - copy-build-sshkey
     - use-docker-mirror
+    - set-hostname
   tasks:
     - include_role:
         name: use-buildset-registry

playbooks/zuul/run-base.yaml

@@ -45,6 +45,7 @@
       loop:
         - group_vars/all.yaml
         - group_vars/adns.yaml
+        - group_vars/eavesdrop.yaml
         - group_vars/nodepool.yaml
         - group_vars/ns.yaml
         - group_vars/registry.yaml
@@ -90,8 +91,6 @@
         dest: /home/zuul/src/opendev.org/opendev/system-config/playbooks/host_vars/bridge.openstack.org.yaml
       become: true
 
-    - name: Set hostname on host
-      command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/set-hostnames.yaml
     - name: Run base.yaml
       command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml
     - name: Run bridge service playbook

playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2

@@ -0,0 +1,11 @@
+openstack_meetbot_password: password
+statusbot_nick_password: password
+statusbot_wiki_password: password
+statusbot_twitter_key: twitter_key
+statusbot_twitter_secret: twitter_secret
+statusbot_twitter_token_key: token_key
+statusbot_twitter_token_secret: token_secret
+accessbot_nick: username
+accessbot_nick_password: password
+ptgbot_password: password
+access_bot_install_only: true

roles/set-hostname/tasks/main.yml

@@ -3,6 +3,7 @@
 # nodes, but not on the minimal ones we get from
 # nodepool.
 - name: ensure dbus for working hostnamectl
+  become: true
   apt:
     name: dbus
     state: present
@@ -12,10 +13,13 @@
 # https://github.com/ansible/ansible/pull/8482)
 # https://gist.github.com/rothgar/8793800
 - name: Set /etc/hostname
+  become: true
   hostname: name="{{ inventory_hostname.split('.', 1)[0] }}"
 
 - name: Set /etc/hosts
+  become: true
   template: src=hosts.j2 dest=/etc/hosts mode=0644
 
 - name: Set /etc/mailname
+  become: true
   template: src=mailname.j2 dest=/etc/mailname mode=0644