From c764d1ea86f707aba6dbff016ea47940d66a6db1 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 30 Jan 2024 09:33:45 -0800
Subject: [PATCH] autosign: adjust playbooks for prod

We need to setup things in prod slightly differently, using keyctl. Copy in the service and scripts.

Signed-off-by: Kevin Fenzi
---
 .../robosignatory/files/robosignatory.service | 12 +++++++
 roles/robosignatory/files/sigul-add-key | 5 +++
 roles/robosignatory/tasks/main.yml | 34 +++++++++++++++++--
 3 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 roles/robosignatory/files/robosignatory.service
 create mode 100644 roles/robosignatory/files/sigul-add-key
diff --git a/roles/robosignatory/files/robosignatory.service b/roles/robosignatory/files/robosignatory.service
new file mode 100644
index 0000000000..5a4d60be80
--- /dev/null
+++ b/roles/robosignatory/files/robosignatory.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Robosignatory
+
+[Service]
+Type=simple
+User = robosignatory
+Group = robosignatory
+Restart=no
+ExecStart=/usr/bin/keyctl session - /usr/local/bin/sigul-add-key
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/robosignatory/files/sigul-add-key b/roles/robosignatory/files/sigul-add-key
new file mode 100644
index 0000000000..0299d4d5ce
--- /dev/null
+++ b/roles/robosignatory/files/sigul-add-key
@@ -0,0 +1,5 @@
+#!/bin/bash -e
+# Courtesy of puiterwijk
+passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ")
+keyctl add user "sigul:autosign" "${passphrase}" @s
+exec /usr/bin/fedora-messaging --conf /etc/fedora-messaging/robosignatory.toml consume
diff --git a/roles/robosignatory/tasks/main.yml b/roles/robosignatory/tasks/main.yml
index 9883c48129..0479b4b7b8 100644
--- a/roles/robosignatory/tasks/main.yml
+++ b/roles/robosignatory/tasks/main.yml
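Review bot: `User = robosignatory` and `Group = robosignatory` are written with spaces around `=` while every other key in the unit is not; systemd's parser trims that whitespace so it works, but `User=robosignatory` / `Group=robosignatory` keeps the file consistent. The [Unit] section orders nothing against the network, yet the wrapped fedora-messaging consumer presumably connects out to a broker, and with `Restart=no` a start attempted before the link is up is not retried by systemd; `After=network-online.target` plus `Wants=network-online.target` covers that. Since this process ends up holding the signing-key passphrase in its session keyring, the unit would also benefit from the usual sandboxing lines such as `NoNewPrivileges=yes` and `PrivateTmp=yes`, provided the consumer tolerates them.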
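Review bot: `keyctl add user "sigul:autosign" "${passphrase}" @s` hands the key passphrase to keyctl as a command-line argument, so for the lifetime of that call it sits in the process's argument list, which is normally readable by other local users; `printf '%s' "${passphrase}" | keyctl padd user "sigul:autosign" @s` feeds the payload on stdin and keeps it out of argv. If systemd-ask-password returns an empty string (an empty answer that still exits 0), `-e` does not catch it and an empty key is added, so a guard like `[ -n "${passphrase}" ] || exit 1` before the add is cheap insurance. The `exec` on the last line is what stops the shell variable holding the passphrase from outliving the script; a short comment saying so would keep a future edit from replacing it with a plain call.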
@@ -165,7 +165,7 @@
 - robosignatory
 - robosignatory-config
-- name: Create /etc/systemd/system/fm-consumer@.service.d
+- name: Create /etc/systemd/system/fm-consumer@.service.d (staging)
 file:
 state: directory
 path: /etc/systemd/system/fm-consumer@.service.d
@@ -177,7 +177,7 @@
 - config
 - robosignatory
-- name: Configure fm-consumer@.service to run as robosignatory
+- name: Configure fm-consumer@.service to run as robosignatory (staging)
 copy:
 src: fm-consumer@.service
 dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
@@ -192,7 +192,7 @@
 - config
 - robosignatory
-- name: Ensure fedora-messaging is enabled and started on the backend
+- name: Ensure fedora-messaging is enabled and started on the backend (staging)
 service:
 name: fm-consumer@robosignatory.service
 enabled: yes
@@ -202,6 +202,34 @@
 - config
 - robosignatory
+- name: Configure key add script
+ copy:
+ src: sigul-add-key
+ dest: /usr/local/bin/sigul-add-key
+ owner: root
+ group: root
+ mode: 0711
+ when: env != 'staging'
+ notify:
+ - reload systemd
+ tags:
+ - config
+ - robosignatory
+
+- name: Configure robosignatory.service
+ copy:
+ src: robosignatory.service
+ dest: /etc/systemd/system/robosignatory.service
+ owner: root
+ group: root
+ mode: 0644
+ when: env != 'staging'
+ notify:
+ - reload systemd
+ tags:
+ - config
+ - robosignatory
+
 - name: Allow robosignatory to use systemd-ask-password
 copy:
 src: ask-password-robosignatory.conf
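Review bot: `mode: 0711` in the `Configure key add script` task will make the new unit fail at start: sigul-add-key is a `#!/bin/bash` script owned by root, and an interpreted script needs the read bit for the user running it (robosignatory, per the unit's User= line), not just execute, so bash will refuse it with a permission error; use `mode: 0755`, or `mode: 0750` with `group: robosignatory`, since the file holds no secret. The tasks renamed "(staging)" in the hunks at 165, 177 and 192 show no `when: env == 'staging'` within their visible lines, so unless that condition sits outside the context lines, prod would still enable fm-consumer@robosignatory.service next to the new unit. Nothing in this hunk enables or starts robosignatory.service; if that is deliberate because the unit prompts for the key passphrase, a comment on the task such as `# not enabled here: the unit prompts for the signing-key passphrase and is started by hand` would save the next reader from adding a service task.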