Add siguldry pesign bridge role to switch pesign to sigul

This role is intended to be run on a build{vm|hw} machine that is in the
secure-boot channel in koji. It sets up the siguldry pesign-bridge that
allows builds done there to call pesign to sign artifacts by bind
mounting a socket into the mock chroot.
This then calls sigul's pesign client which sends the artifact to the
sigul vault via the sigul bridge for signing. The vault has access to
a secure token to sign the artifact with.

This should (once confirmed working) replace the roles/bkernel role that
used a secure card that was directly attached to a buildhw device.

This should allow us to add support for aarch64 as well as more easily
use different hardware or vm's as any of them could be setup to query
the sigul server.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

roles/siguldry/pesign_bridge/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+# siguldry/pesign_bridge role defaults
+
+# Whether to install sbverify (sbsigntools package)
+siguldry_pesign_bridge_install_sbverify: true
+
+# Users to allow in the pesign group
+siguldry_pesign_bridge_users:
+  - mockbuild

roles/siguldry/pesign_bridge/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: restart sigul-pesign-bridge
+  ansible.builtin.systemd:
+    name: sigul-pesign-bridge.service
+    state: restarted
+  tags:
+    - siguldry
+    - siguldry/pesign_bridge

roles/siguldry/pesign_bridge/tasks/main.yml

@@ -0,0 +1,124 @@
+---
+- name: Install sigul-pesign-bridge package
+  ansible.builtin.package:
+    state: present
+    name: sigul-pesign-bridge
+  tags:
+    - packages
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Install sbverify package
+  ansible.builtin.package:
+    state: present
+    name: sbsigntools
+  when: siguldry_pesign_bridge_install_sbverify | default(true)
+  tags:
+    - packages
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Create sigul-pesign-bridge config directory
+  ansible.builtin.file:
+    path: /etc/sigul-pesign-bridge
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  tags:
+    - config
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Create credstore.encrypted directory
+  ansible.builtin.file:
+    path: /etc/credstore.encrypted
+    state: directory
+    owner: root
+    group: root
+    mode: '0700'
+  tags:
+    - config
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Setup sigul-pesign-bridge config file
+  ansible.builtin.template:
+    src: config.toml.j2
+    dest: /etc/sigul-pesign-bridge/config.toml
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart sigul-pesign-bridge
+  tags:
+    - config
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Create pesign group
+  ansible.builtin.group:
+    name: pesign
+    state: present
+  tags:
+    - users
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Add users to pesign group
+  ansible.builtin.user:
+    name: "{{ item }}"
+    groups: pesign
+    append: yes
+  loop: "{{ siguldry_pesign_bridge_users | default([]) }}"
+  when: siguldry_pesign_bridge_users is defined
+  tags:
+    - users
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Setup client certificate
+  ansible.builtin.copy:
+    src: "{{ private }}"/files/sigulca/production/pki/issued/sigul-pesign-bridge.crt
+    dest: /etc/sigul-pesign-bridge/client.crt
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - config
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Setup CA certificate
+  ansible.builtin.copy:
+    src: "{{ private }}"/files/sigulca/production/pki/ca.crt
+    dest: /etc/sigul-pesign-bridge/ca.crt
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - config
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Enable and start sigul-pesign-bridge service
+  ansible.builtin.systemd:
+    name: sigul-pesign-bridge.service
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  tags:
+    - services
+    - siguldry
+    - siguldry/pesign_bridge
+
+- name: Mock site-defaults.cfg for pesign builders.
+  ansible.builtin.template:
+    src: pesign-builder-site-defaults.cfg.j2
+    dest: /etc/mock/site-defaults.cfg
+    mode: "0644"
+    owner: root
+    group: mock
+  tags:
+    - services
+    - siguldry
+    - siguldry/pesign_bridge

roles/siguldry/pesign_bridge/templates/config.toml.j2

@@ -0,0 +1,21 @@
+total_request_timeout_secs = 600
+sigul_request_timeout_secs = 60
+
+[sigul]
+bridge_hostname = "sign-bridge.rdu3.fedoraproject.org"
+bridge_port = 44334
+server_hostname = "sign-vault.rdu3.fedoraproject.org"
+sigul_user_name = "sigul-pesign-bridge"
+# These creds are encrypted, see
+# https://github.com/fedora-infra/siguldry/tree/main/sigul-pesign-bridge#sigul-pesign-bridge
+private_key = "sigul.pesign.bridge.client.private_key.pem"
+client_certificate = "/etc/sigul-pesign-bridge/client.crt"
+ca_certificate = "/etc/sigul-pesign-bridge/ca.crt"
+
+[[keys]]
+pesign_token_name = "OpenSC Card"
+pesign_certificate_name = "Fedora Signer"
+key_name = "fedora-signer"
+certificate_name = "Certificate 4"
+passphrase_path = "sigul.signing-key-passphrase"
+certificate_file = "/etc/sigul-pesign-bridge/ca.crt"

roles/siguldry/pesign_bridge/templates/pesign-builder-site-defaults.cfg.j2

@@ -0,0 +1,23 @@
+# mount the pesign socket into the chroot
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' ))
+config_opts['nspawn_args'] += ['--bind=/var/run/pesign']
+config_opts['plugin_conf']['package_state_enable'] = False
+config_opts['macros']['%bugurl'] = 'https://bugz.fedoraproject.org/%name'
+#config_opts['nosync'] = True
+#config_opts['nosync_force'] = True
+config_opts['dnf_common_opts'] = ['--setopt=install_weak_deps=0']
+config_opts['environment']['LANG'] = 'C.UTF-8'
+config_opts['use_bootstrap'] = False
+config_opts['dnf_warning'] = False
+
+# dnf group install with '--allowerasing' is still to be released:
+# https://github.com/rpm-software-management/dnf5/pull/1174
+config_opts["dnf5_avoid_opts"] = {
+    "group": ["--allowerasing"],
+}
+
+config_opts['plugin_conf']['rpmautospec_enable'] = True
+config_opts['plugin_conf']['rpmautospec_opts'] = {
+    'requires': ['rpmautospec'],
+    'cmd_base': ['/usr/bin/rpmautospec', 'process-distgit'],
+}