ansible: update gh-bot server (#3803)

Create a new Debian 12 server to replace the Debian 8 `gh-bot` server.
Update the `ansible/playbooks/create-github-bot.yml` playbook to
automate setup, including:
- Fetching of deployment secrets from the secrets repository.
- Generating the allowlist of `jenkins-workspace` IP addresses from
  the inventory.
- Restarting the services if required.

Fixes: #3214

Author: richardlau

ansible/inventory.yml

@@ -26,7 +26,7 @@ hosts:
         ubuntu1604-x64-1: {ip: 147.28.162.105, alias: unencrypted}
 
     - rackspace:
-        debian8-x64-1: {ip: 23.253.100.79, alias: gh-bot}
+        debian12-x64-1: {ip: 104.239.144.144, alias: gh-bot}
 
     - softlayer:
         debian8-x64-1: {ip: 184.172.29.199, alias: registry-mirror}
@@ -130,8 +130,10 @@ hosts:
     - equinix:
         ubuntu2004_docker-arm64-1: {ip: 145.40.81.219}
         ubuntu2004_docker-arm64-3: {ip: 145.40.99.31}
-        # when adding, removing or changing the IPs below,
-        # remember to update Jenkins worker IP whitelist in github-bot
+        # when adding, removing or changing the IPs for any
+        # `jenkins-workspace-*` machine, remember to rerun
+        # the `ansible/playbooks/create-github-bot.yml` playbook
+        # to update the Jenkins worker IP allowlist in github-bot
         ubuntu2204-x64-1: {ip: 147.75.72.255, alias: jenkins-workspace-7}
         ubuntu2204-x64-2: {ip: 145.40.96.123, alias: jenkins-workspace-8}
 
@@ -167,6 +169,10 @@ hosts:
         rhel9-x64-1: {ip: 169.60.150.92, swap_file_size_mb: 2048}
         ubuntu2204-x64-1: {ip: 169.60.150.82}
         ubuntu2204-x64-2: {ip: 169.44.168.2}
+        # when adding, removing or changing the IPs for any
+        # `jenkins-workspace-*` machine, remember to rerun
+        # the `ansible/playbooks/create-github-bot.yml` playbook
+        # to update the Jenkins worker IP allowlist in github-bot
         ubuntu2204-x64-3: {ip: 52.117.26.14, alias: jenkins-workspace-6}
         ubuntu2204_docker-x64-1: {ip: 52.117.26.9}
 

ansible/playbooks/create-github-bot.yml

@@ -8,26 +8,8 @@
 # `ansible/host_vars/infra-rackspace-debian8-x64-1` in this repo (nodejs/build)
 #
 
-- hosts: infra-rackspace-debian8-x64-1
+- hosts: infra-rackspace-debian12-x64-1
   roles:
     - bootstrap
     - package-upgrade
     - github-bot
-  pre_tasks:
-    - name: check if secrets are properly set
-      fail:
-      failed_when: not {{ secret }}
-      loop_control:
-        loop_var: secret
-      with_items:
-        - envs.port
-        - envs.travis_token
-        - envs.github_token
-        - envs.github_webhook_secret
-        - envs.login_credentials
-        - envs.jenkins_api_credentials
-        - envs.jenkins_job_citgm
-        - envs.jenkins_build_token_citgm
-        - envs.jenkins_job_node
-        - envs.jenkins_build_token_node
-        - conf.github_deploy_webhook_secret

ansible/roles/github-bot/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+
+#
+# generic handlers for github-bot
+#
+
+- name: restart github-bot
+  ansible.builtin.service:
+    name: github-bot
+    state: restarted
+
+- name: restart github-bot-deploy-webhook
+  ansible.builtin.service:
+    name: github-bot-deploy-webhook
+    state: restarted

ansible/roles/github-bot/tasks/main.yml

@@ -1,5 +1,30 @@
 ---
 
+- name: check if secrets are properly set
+  fail:
+  failed_when: not {{ secret }}
+  loop_control:
+    loop_var: secret
+  with_items:
+    - gh_bot_secrets.envs.port
+    - gh_bot_secrets.envs.travis_token
+    - gh_bot_secrets.envs.github_token
+    - gh_bot_secrets.envs.github_webhook_secret
+    - gh_bot_secrets.envs.login_credentials
+    - gh_bot_secrets.envs.jenkins_api_credentials
+    - gh_bot_secrets.envs.jenkins_job_citgm
+    - gh_bot_secrets.envs.jenkins_build_token_citgm
+    - gh_bot_secrets.envs.jenkins_job_node
+    - gh_bot_secrets.envs.jenkins_build_token_node
+    - gh_bot_secrets.conf.github_deploy_webhook_secret
+
+- name: Get IP addresses of jenkins-workspace machines
+  no_log: true
+  set_fact:
+    jenkins_workspace_ips: "{{ jenkins_workspace_ips | default([]) + [item.value.ansible_host | string] }}"
+  when: "item.value.alias is defined and item.value.alias is match('jenkins-workspace.*')"
+  with_dict: "{{ hostvars }}"
+
 - name: Bootstrap | Install baseline packages
   package:
     name: "{{ package }}"
@@ -9,13 +34,13 @@
   with_items: "{{ base_packages }}"
 
 - name: Bootstrap | Add nodesource signing key
-  apt_key:
-    url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
-    state: present
+  ansible.builtin.get_url:
+    dest: /etc/apt/keyrings/nodesource-repo.gpg.asc
+    url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
 
 - name: Bootstrap | Add nodesource repo
   apt_repository:
-    repo: deb https://deb.nodesource.com/node_14.x jessie main
+    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/nodesource-repo.gpg.asc] https://deb.nodesource.com/node_20.x nodistro main
     state: present
 
 - name: Bootstrap | APT Update and upgrade
@@ -30,6 +55,9 @@
   loop_control:
     loop_var: package
   with_items: "{{ packages }}"
+  notify:
+    - restart github-bot-deploy-webhook
+    - restart github-bot
 
 - name: Bootstrap | Enable time syncing
   service:
@@ -53,25 +81,34 @@
   template:
     src: "{{ role_path }}/templates/github-bot.service.j2"
     dest: /lib/systemd/system/github-bot.service
+  notify:
+    - restart github-bot
 
 - name: Init | Generate and copy systemd EnvironmentFile
   template:
     src: "{{ role_path }}/templates/environment-file.j2"
     dest: "/home/{{ server_user }}/environment/github-bot"
+  notify:
+    - restart github-bot-deploy-webhook
+    - restart github-bot
 
 - name: Init | Clone github-bot repo
   become: yes
   become_user: "{{ server_user }}"
   git:
     repo: https://github.com/nodejs/github-bot.git
     dest: "/home/{{ server_user }}/github-bot"
+  notify:
+    - restart github-bot
 
 - name: Init | Install npm dependencies
   become: yes
   become_user: "{{ server_user }}"
   npm:
     path: "/home/{{ server_user }}/github-bot"
     production: yes
+  notify:
+    - restart github-bot
 
 - name: Init | Start github-bot
   service:
@@ -83,29 +120,39 @@
   npm:
     name: github-webhook
     global: yes
+  notify:
+    - restart github-bot-deploy-webhook
 
 - name: Deploy Webhook | Copy config
   template:
     src: "{{ role_path }}/templates/github-bot-deploy-webhook.json.j2"
     dest: "/home/{{ server_user }}/config/github-bot-deploy-webhook.json"
+  notify:
+    - restart github-bot-deploy-webhook
 
 - name: Deploy Webhook | Copy deploy script
   template:
     src: "{{ role_path }}/templates/deploy-github-bot.sh.j2"
     dest: "/home/{{ server_user }}/bin/deploy-github-bot.sh"
     mode: 0755
     owner: "{{ server_user }}"
+  notify:
+    - restart github-bot-deploy-webhook
 
 - name: Deploy Webhook | Generate and copy service script
   template:
     src: "{{ role_path }}/templates/github-bot-deploy-webhook.service.j2"
     dest: /lib/systemd/system/github-bot-deploy-webhook.service
+  notify:
+    - restart github-bot-deploy-webhook
 
 - name: Deploy Webhook | Start service
   service:
     name: github-bot-deploy-webhook
     state: started
     enabled: yes
+  notify:
+    - restart github-bot-deploy-webhook
 
 - name: Deploy Webhook | Allow user to restart github-bot
   lineinfile:

ansible/roles/github-bot/templates/environment-file.j2

@@ -1,14 +1,14 @@
 NODE_ENV=production
-PORT={{ envs.port }}
-TRAVIS_TOKEN={{ envs.travis_token }}
-GITHUB_TOKEN={{ envs.github_token }}
-GITHUB_WEBHOOK_SECRET={{ envs.github_webhook_secret }}
-LOGIN_CREDENTIALS={{ envs.login_credentials }}
+PORT={{ gh_bot_secrets.envs.port }}
+TRAVIS_TOKEN={{ gh_bot_secrets.envs.travis_token }}
+GITHUB_TOKEN={{ gh_bot_secrets.envs.github_token }}
+GITHUB_WEBHOOK_SECRET={{ gh_bot_secrets.envs.github_webhook_secret }}
+LOGIN_CREDENTIALS={{ gh_bot_secrets.envs.login_credentials }}
 NODE_REPO_DIR=/home/{{ server_user }}/repos/node
 LOGS_DIR=/home/{{ server_user }}/logs
-JENKINS_API_CREDENTIALS={{ envs.jenkins_api_credentials }}
-JENKINS_JOB_CITGM={{ envs.jenkins_job_citgm }}
-JENKINS_BUILD_TOKEN_CITGM={{ envs.jenkins_build_token_citgm }}
-JENKINS_JOB_NODE={{ envs.jenkins_job_node }}
-JENKINS_BUILD_TOKEN_NODE={{ envs.jenkins_build_token_node }}
-JENKINS_WORKER_IPS=147.75.70.237,51.15.200.62,51.15.218.201,163.172.186.154,147.75.66.203,147.75.81.67,52.117.26.14,147.75.72.255,145.40.96.123
+JENKINS_API_CREDENTIALS={{ gh_bot_secrets.envs.jenkins_api_credentials }}
+JENKINS_JOB_CITGM={{ gh_bot_secrets.envs.jenkins_job_citgm }}
+JENKINS_BUILD_TOKEN_CITGM={{ gh_bot_secrets.envs.jenkins_build_token_citgm }}
+JENKINS_JOB_NODE={{ gh_bot_secrets.envs.jenkins_job_node }}
+JENKINS_BUILD_TOKEN_NODE={{ gh_bot_secrets.envs.jenkins_build_token_node }}
+JENKINS_WORKER_IPS={{ jenkins_workspace_ips | join(',') }}

ansible/roles/github-bot/templates/github-bot-deploy-webhook.json.j2

@@ -1,7 +1,7 @@
 {
   "port": 9999,
   "path": "/deploy-webhook",
-  "secret": "{{ conf.github_deploy_webhook_secret }}",
+  "secret": "{{ gh_bot_secrets.conf.github_deploy_webhook_secret }}",
   "log": "/home/{{ server_user }}/logs/github-bot-webhook.log",
   "rules": [
     {

ansible/roles/github-bot/vars/main.yml

@@ -1,7 +1,8 @@
 ---
 base_packages:
   - aptitude
-  - python-apt
+  - python3-apt
+  - systemd-timesyncd
 
 packages:
   - nodejs

ansible/roles/read-secrets/tasks/partials/infra.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Read github-bot secrets
+  ansible.builtin.set_fact:
+    gh_bot_secrets: "{{ lookup('pipe', 'gpg -d ' + group_vars | quote) | from_yaml }}"
+  no_log: yes
+  loop_control:
+    loop_var: group_vars
+  with_first_found:
+    - files:
+      - "{{ secrets_repo_root }}/build/github-bot/deployment_secrets.yml"
+      skip: true
+  when: alias is defined and alias == 'gh-bot'