fix: manage git user

- prevent different gid/uid for git users when deploying cluster
- only add sudo conf when sudo_rules is a list

hieradata/roles/infra/git/server.yaml

@@ -2,6 +2,7 @@
 hiera_include:
   - profiles::sql::postgresdb
   - profiles::nginx::simpleproxy
+  - profiles::gitea::user
   - gitea
 
 # additional altnames
@@ -36,6 +37,9 @@ profiles::consul::client::node_rules:
     segment: git
     disposition: write
 
+# manage the gitea user
+profiles::gitea::user::manage: true
+
 # manage a simple nginx reverse proxy
 profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
 profiles::nginx::simpleproxy::nginx_aliases:
@@ -55,6 +59,9 @@ profiles::sql::postgresdb::dbuser: gitea
 
 gitea::ensure: '1.22.4'
 gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
+gitea::manage_user: false
+gitea::manage_group: false
+gitea::manage_home: false
 gitea::custom_configuration:
   '':
     APP_NAME: 'Gitea'

site/profiles/manifests/base/account.pp

@@ -12,8 +12,8 @@ define profiles::base::account (
   Boolean $ignore_pass = false,
   Array[String] $groups = [],
   Array[String] $sshkeys = [],
-  Array[String] $sudo_rules = [],
   String $shell = '/usr/bin/bash',
+  Optional[Array[String]] $sudo_rules = undef,
 ) {
 
   # Set gid to uid if gid is undef
@@ -39,7 +39,9 @@ define profiles::base::account (
   }
 
   # Manage sudo rules
+  if $sudo_rules {
     sudo::conf { "${username}_sudo":
       content => $sudo_rules,
     }
   }
+}

site/profiles/manifests/gitea/user.pp

@@ -0,0 +1,19 @@
+# creates gitea service user
+class profiles::gitea::user (
+  Boolean $manage = false,
+  String  $user   = 'git',
+  String  $group  = 'git',
+  Integer $uid    = 1101,
+  Integer $gid    = 1101,
+) {
+
+  if $manage {
+    profiles::base::account {'git':
+      username => 'git',
+      uid      => $uid,
+      gid      => $gid,
+      system   => false,
+      before   => Class['gitea'],
+    }
+  }
+}