From b037c92c8bfbf4ad75c7a1fecb92c60470ac8ea1 Mon Sep 17 00:00:00 2001
From: Anatoli Nicolae
Date: Fri, 19 Dec 2025 23:12:30 +0100
Subject: [PATCH 1/2] feat: install envoy from release artifacts
Signed-off-by: Anatoli Nicolae
---
 mx1/ansible/playbook.yml | 1 +
 mx1/ansible/roles/system/envoy/tasks/main.yml | 41 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 mx1/ansible/roles/system/envoy/tasks/main.yml
diff --git a/mx1/ansible/playbook.yml b/mx1/ansible/playbook.yml
index fa3be90..32f028e 100644
--- a/mx1/ansible/playbook.yml
+++ b/mx1/ansible/playbook.yml
@@ -12,6 +12,7 @@
 - role: system/config
 - role: system/docker-login
 - role: system/containers
+ - role: system/envoy
 collections:
 - devsec.hardening
 tasks:
diff --git a/mx1/ansible/roles/system/envoy/tasks/main.yml b/mx1/ansible/roles/system/envoy/tasks/main.yml
new file mode 100644
index 0000000..fe98654
--- /dev/null
+++ b/mx1/ansible/roles/system/envoy/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: Fetch latest Envoy release info
+ uri:
+ url: https://api.github.com/repos/envoyproxy/envoy/releases/latest
+ return_content: yes
+ register: envoy_release
+ when: envoy_version is not defined
+
+- name: Set Envoy version
+ set_fact:
+ envoy_target_version: "{{ envoy_version | default(envoy_release.json.tag_name) }}"
+
+- name: Download Envoy binary
+ get_url:
+ url: "https://github.com/envoyproxy/envoy/releases/download/{{ envoy_target_version }}/envoy-{{ envoy_target_version | regex_replace('^v', '') }}-linux-x86_64.tar.gz"
+ dest: /tmp/envoy.tar.gz
+ register: download_result
+
+- name: Extract Envoy binary
+ unarchive:
+ src: /tmp/envoy.tar.gz
+ dest: /tmp/
+ remote_src: yes
+ when: download_result.changed
+
+- name: Install Envoy binary
+ copy:
+ src: "/tmp/envoy-{{ envoy_target_version | regex_replace('^v', '') }}-linux-x86_64/bin/envoy"
+ dest: /usr/local/bin/envoy
+ mode: '0755'
+ remote_src: yes
+ when: download_result.changed
+
+- name: Clean up temporary files
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /tmp/envoy.tar.gz
+ - "/tmp/envoy-{{ envoy_target_version | regex_replace('^v', '') }}-linux-x86_64"
+ when: download_result.changed
\ No newline at end of file
From 8289f0be1203661ce92038c844ddf36bb4f69c50 Mon Sep 17 00:00:00 2001
From: Anatoli Nicolae
Date: Sat, 20 Dec 2025 01:24:19 +0100
Subject: [PATCH 2/2] fix: use proper binary URL and add systemd unit
Signed-off-by: Anatoli Nicolae
---
 mx1/ansible/roles/system/envoy/tasks/main.yml | 63 ++++++++++++-------
 1 file changed, 39 insertions(+), 24 deletions(-)
diff --git a/mx1/ansible/roles/system/envoy/tasks/main.yml b/mx1/ansible/roles/system/envoy/tasks/main.yml
index fe98654..79ba9e6 100644
--- a/mx1/ansible/roles/system/envoy/tasks/main.yml
+++ b/mx1/ansible/roles/system/envoy/tasks/main.yml
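Review bot: The `Download Envoy binary` task installs whatever `releases/latest` resolves to at run time and never verifies the artifact, so the file that becomes executable at `/usr/local/bin/envoy` depends entirely on the upstream release page at the moment the play runs. Pin `envoy_version` in the role defaults rather than falling back to the `tag_name` lookup, and add `checksum: "sha256:{{ envoy_sha256 }}"` to the `get_url` task, with `envoy_sha256` a role variable recorded next to the pinned version. The same gap is in the rewritten `Download and install Envoy binary` task of patch 2/2, which writes the download straight to `/usr/local/bin/envoy`. There the checksum should also make `get_url` replace an existing binary when the pin changes, which it otherwise skips once the destination file exists.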
@@ -10,32 +10,47 @@
 set_fact:
 envoy_target_version: "{{ envoy_version | default(envoy_release.json.tag_name) }}"
 
-- name: Download Envoy binary
+- name: Download and install Envoy binary
 get_url:
- url: "https://github.com/envoyproxy/envoy/releases/download/{{ envoy_target_version }}/envoy-{{ envoy_target_version | regex_replace('^v', '') }}-linux-x86_64.tar.gz"
- dest: /tmp/envoy.tar.gz
- register: download_result
-
-- name: Extract Envoy binary
- unarchive:
- src: /tmp/envoy.tar.gz
- dest: /tmp/
- remote_src: yes
- when: download_result.changed
-
-- name: Install Envoy binary
- copy:
- src: "/tmp/envoy-{{ envoy_target_version | regex_replace('^v', '') }}-linux-x86_64/bin/envoy"
+ url: "https://github.com/envoyproxy/envoy/releases/download/{{ envoy_target_version }}/envoy-{{ envoy_target_version | regex_replace('^v', '') }}-linux-x86_64"
 dest: /usr/local/bin/envoy
 mode: '0755'
- remote_src: yes
- when: download_result.changed
 
-- name: Clean up temporary files
+- name: Create Envoy config directory
 file:
- path: "{{ item }}"
- state: absent
- loop:
- - /tmp/envoy.tar.gz
- - "/tmp/envoy-{{ envoy_target_version | regex_replace('^v', '') }}-linux-x86_64"
- when: download_result.changed
\ No newline at end of file
+ path: /etc/envoy
+ state: directory
+ mode: '0755'
+
+- name: Create Envoy systemd service
+ copy:
+ dest: /etc/systemd/system/envoy.service
+ content: |
+ [Unit]
+ Description=Envoy Proxy
+ After=network.target
+
+ [Service]
+ Type=simple
+ ExecStart=/usr/local/bin/envoy -c /etc/envoy/envoy.yaml
+ Restart=always
+ User=root
+ Group=root
+
+ [Install]
+ WantedBy=multi-user.target
+ mode: '0644'
+
+- name: Reload systemd daemon
+ systemd:
+ daemon_reload: yes
+
+- name: Enable Envoy service
+ systemd:
+ name: envoy
+ enabled: yes
+
+- name: Start Envoy service
+ systemd:
+ name: envoy
+ state: started
\ No newline at end of file
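Review bot: The unit written by `Create Envoy systemd service` runs the proxy with `User=root` and `Group=root`, so a flaw in this network-facing process would give full control of the host. Nothing in the hunk shows a need for root beyond possibly binding low ports. Run it under a dedicated system account and grant only the bind capability; `AmbientCapabilities` can be dropped as well if every listener in `/etc/envoy/envoy.yaml` (not part of this patch) is above port 1023. The account has to exist before the unit starts, hence the extra task below.

```yaml
- name: Create envoy system user
  user:
    name: envoy
    system: yes
    shell: /usr/sbin/nologin
    create_home: no

# … unchanged: config directory task, copy task header, [Unit] section …
      [Service]
      Type=simple
      ExecStart=/usr/local/bin/envoy -c /etc/envoy/envoy.yaml
      Restart=always
      User=envoy
      Group=envoy
      AmbientCapabilities=CAP_NET_BIND_SERVICE
      NoNewPrivileges=true
# … unchanged: [Install] section, daemon reload, enable and start tasks …
```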