From fd8808733536d19d2a62b4120e43a508d77a4846 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Thu, 4 Nov 2021 16:33:07 -0700
Subject: [PATCH] Run gerritbot with a user that will be shared with
 matrix-gerritbot

They have roughly the same level of access, so let's align things.

Change-Id: Ifbe9dae7038345e20e8b498c87a37c519829a8cc
---
 inventory/service/group_vars/eavesdrop.yaml   |  2 +
 playbooks/roles/gerritbot/defaults/main.yaml  |  2 +
 playbooks/roles/gerritbot/tasks/main.yaml     | 41 +++++++++++++------
 .../docker-compose.yaml.j2}                   |  3 +-
 4 files changed, 35 insertions(+), 13 deletions(-)
 rename playbooks/roles/gerritbot/{files/docker-compose.yaml => templates/docker-compose.yaml.j2} (80%)

diff --git a/inventory/service/group_vars/eavesdrop.yaml b/inventory/service/group_vars/eavesdrop.yaml
index d67f4c78b4..f0566e0312 100644
--- a/inventory/service/group_vars/eavesdrop.yaml
+++ b/inventory/service/group_vars/eavesdrop.yaml
@@ -188,3 +188,5 @@ statusbot_auth_nicks:
   - clarkb
   - ianw
   - frickler
+gerritbot_gid: 11000
+gerritbot_uid: 11000
diff --git a/playbooks/roles/gerritbot/defaults/main.yaml b/playbooks/roles/gerritbot/defaults/main.yaml
index 680df8fbec..fb039dd649 100644
--- a/playbooks/roles/gerritbot/defaults/main.yaml
+++ b/playbooks/roles/gerritbot/defaults/main.yaml
@@ -1,3 +1,5 @@
+gerritbot_gid: 11000
+gerritbot_uid: 11000
 gerritbot_irc_nick: opendevreview
 gerritbot_irc_server: irc.oftc.net
 gerritbot_gerrit_user: gerritbot
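Review bot: The two new defaults `gerritbot_gid: 11000` and `gerritbot_uid: 11000` repeat the values the first hunk adds to `inventory/service/group_vars/eavesdrop.yaml`, so a reader cannot tell which of the two is meant to be authoritative. If the group_vars copy is an intentional pin (so the ids stay stable when the role default changes), a comment such as `# Pinned: must stay in sync with matrix-gerritbot, which shares this uid/gid` above the group_vars lines would record that; otherwise one of the two places could be dropped. A short comment here noting that the uid/gid is shared with the matrix-gerritbot role (as the commit message says) would also help whoever later changes either role.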
diff --git a/playbooks/roles/gerritbot/tasks/main.yaml b/playbooks/roles/gerritbot/tasks/main.yaml
index 5225080a74..4c96eff3fa 100644
--- a/playbooks/roles/gerritbot/tasks/main.yaml
+++ b/playbooks/roles/gerritbot/tasks/main.yaml
@@ -1,23 +1,40 @@
+- name: Create gerritbot group
+  group:
+    name: "gerritbot"
+    gid: "{{ gerritbot_gid }}"
+    system: yes
+- name: Create gerritbot user
+  user:
+    name: "gerritbot"
+    group: "gerritbot"
+    uid: "{{ gerritbot_uid }}"
+    home: "/var/lib/gerritbot"
+    create_home: yes
+    shell: /bin/bash
+    system: yes
+
 - name: Ensure /etc/gerritbot directory
   file:
     state: directory
     path: /etc/gerritbot
+    owner: gerritbot
+    group: gerritbot
     mode: 0755
 
 - name: Put gerritbot config in place
   template:
     src: gerritbot.config.j2
     dest: /etc/gerritbot/gerritbot.config
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
     mode: 0600
 
 - name: Put gerritbot logging config in place
   copy:
     src: logging.config
     dest: /etc/gerritbot/logging.config
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
     mode: 0644
 
 - name: Put gerritbot channel config in place
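Review bot: The new `Create gerritbot user` task gives a service account an interactive login shell (`shell: /bin/bash`), although in this change the process only runs inside the container under the uid/gid passed via `user:`; a non-login shell is the usual least-privilege choice unless something on the host must run interactively as gerritbot, e.g. `shell: /usr/sbin/nologin`. The new `system: yes` and `create_home: yes` values are YAML 1.1 truthy spellings that yamllint's `truthy` rule flags; `system: true` / `create_home: true` is the canonical form. A one-line comment above the group task stating why the uid/gid are fixed rather than auto-allocated (they are shared with matrix-gerritbot and must match the `user:` line in the compose template) would make the coupling visible. The `Put gerritbot channel config in place` task that closes this hunk continues in the next hunk.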
@@ -25,8 +42,8 @@
     src: /opt/project-config/gerritbot/channels.yaml
     remote_src: yes
     dest: /etc/gerritbot/channel_config.yaml
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
     mode: 0644
   register: channel_config_copied
 
@@ -34,16 +51,16 @@
   copy:
     content: "{{ gerritbot_ssh_key }}"
     dest: /etc/gerritbot/gerritbot_rsa
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
     mode: 0600
 
 - name: Put gerritbot ssh pubkey in place
   copy:
     content: "{{ gerritbot_ssh_pubkey }}"
     dest: /etc/gerritbot/gerritbot_rsa.pub
-    owner: root
-    group: root
+    owner: gerritbot
+    group: gerritbot
     mode: 0600
 
 - name: Ensure /etc/gerritbot-docker directory
@@ -53,8 +70,8 @@
     mode: 0755
 
 - name: Put docker-compose file in place
-  copy:
-    src: docker-compose.yaml
+  template:
+    src: docker-compose.yaml.j2
     dest: /etc/gerritbot-docker/docker-compose.yaml
     owner: root
     group: root
diff --git a/playbooks/roles/gerritbot/files/docker-compose.yaml b/playbooks/roles/gerritbot/templates/docker-compose.yaml.j2
similarity index 80%
rename from playbooks/roles/gerritbot/files/docker-compose.yaml
rename to playbooks/roles/gerritbot/templates/docker-compose.yaml.j2
index 4308581bfc..9bf0a0ecc2 100644
--- a/playbooks/roles/gerritbot/files/docker-compose.yaml
+++ b/playbooks/roles/gerritbot/templates/docker-compose.yaml.j2
@@ -6,6 +6,7 @@ services:
   gerritbot:
     image: docker.io/opendevorg/gerritbot:latest
     network_mode: host
+    user: "{{ gerritbot_uid }}:{{ gerritbot_gid }}"
     restart: always
     logging:
       driver: syslog
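Review bot: The added `user: "{{ gerritbot_uid }}:{{ gerritbot_gid }}"` drops the container to a numeric uid/gid that, as far as this diff shows, has no matching entry in the image's passwd database; tools that look the uid up (notably an OpenSSH client resolving its home directory for `~/.ssh`) fail with "No user exists for uid" in that situation, so this is worth confirming against the image before merge if gerritbot's SSH path goes through the system client rather than a pure-Python implementation. If a passwd entry is needed, it belongs in the image rather than here. The quoting of the templated value is correct and keeps the rendered `11000:11000` from being read as a sexagesimal integer.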
@@ -13,4 +14,4 @@ services:
         tag: "docker-gerritbot"
     volumes:
       # This contains the main config, channel config, and ssh key
-      - /etc/gerritbot:/etc/gerritbot
+      - /etc/gerritbot:/etc/gerritbot:ro