Run gerritbot with a user that will be shared with matrix-gerritbot

They have roughly the same level of access so lets align things. Change-Id: Ifbe9dae7038345e20e8b498c87a37c519829a8cc
2021-11-04 16:33:07 -07:00 · 2021-11-04 16:33:07 -07:00 · fd88087335
parent 698bb3df21
commit fd88087335
4 changed files with 35 additions and 13 deletions
--- a/inventory/service/group_vars/eavesdrop.yaml
+++ b/inventory/service/group_vars/eavesdrop.yaml
@ -188,3 +188,5 @@ statusbot_auth_nicks:
  - clarkb
  - ianw
  - frickler
+gerritbot_gid: 11000
+gerritbot_uid: 11000
--- a/playbooks/roles/gerritbot/defaults/main.yaml
+++ b/playbooks/roles/gerritbot/defaults/main.yaml
@ -1,3 +1,5 @@
+gerritbot_gid: 11000
+gerritbot_uid: 11000
 gerritbot_irc_nick: opendevreview
 gerritbot_irc_server: irc.oftc.net
 gerritbot_gerrit_user: gerritbot
--- a/playbooks/roles/gerritbot/tasks/main.yaml
+++ b/playbooks/roles/gerritbot/tasks/main.yaml
@ -1,23 +1,40 @@
+- name: Create gerritbot group
+  group:
+    name: "gerritbot"
+    gid: "{{ gerritbot_gid }}"
+    system: yes
+- name: Create gerritbot user
+  user:
+    name: "gerritbot"
+    group: "gerritbot"
+    uid: "{{ gerritbot_uid }}"
+    home: "/var/lib/gerritbot"
+    create_home: yes
+    shell: /bin/bash
+    system: yes
+
 - name: Ensure /etc/gerritbot directory
  file:
    state: directory
    path: /etc/gerritbot
+    owner: gerritbot
+    group: gerritbot
    mode: 0755

 - name: Put gerritbot config in place
  template:
    src: gerritbot.config.j2
    dest: /etc/gerritbot/gerritbot.config
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
    mode: 0600

 - name: Put gerritbot logging config in place
  copy:
    src: logging.config
    dest: /etc/gerritbot/logging.config
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
    mode: 0644

 - name: Put gerritbot channel config in place
@ -25,8 +42,8 @@
    src: /opt/project-config/gerritbot/channels.yaml
    remote_src: yes
    dest: /etc/gerritbot/channel_config.yaml
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
    mode: 0644
  register: channel_config_copied

@ -34,16 +51,16 @@
  copy:
    content: "{{ gerritbot_ssh_key }}"
    dest: /etc/gerritbot/gerritbot_rsa
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
    mode: 0600

 - name: Put gerritbot ssh pubkey in place
  copy:
    content: "{{ gerritbot_ssh_pubkey }}"
    dest: /etc/gerritbot/gerritbot_rsa.pub
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
    mode: 0600

 - name: Ensure /etc/gerritbot-docker directory
@ -53,8 +70,8 @@
    mode: 0755

 - name: Put docker-compose file in place
-  copy:
-    src: docker-compose.yaml
+  template:
+    src: docker-compose.yaml.j2
    dest: /etc/gerritbot-docker/docker-compose.yaml
    owner: root
    group: root
--- a/playbooks/roles/gerritbot/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/gerritbot/templates/docker-compose.yaml.j2
@ -6,6 +6,7 @@ services:
  gerritbot:
    image: docker.io/opendevorg/gerritbot:latest
    network_mode: host
+    user: "{{ gerritbot_uid }}:{{ gerritbot_gid }}"
    restart: always
    logging:
      driver: syslog
@ -13,4 +14,4 @@ services:
        tag: "docker-gerritbot"
    volumes:
      # This contains the main config, channel config, and ssh key
-      - /etc/gerritbot:/etc/gerritbot
+      - /etc/gerritbot:/etc/gerritbot:ro