fix: manage git user (#339)

- prevent different gid/uid for git users when deploying cluster - only add sudo conf when sudo_rules is a list Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/339
2025-07-06 11:27:35 +10:00 · 2025-07-06 11:27:35 +10:00 · cf0ff85b70
commit cf0ff85b70
parent 359ce101f1
3 changed files with 31 additions and 3 deletions
--- a/hieradata/roles/infra/git/server.yaml
+++ b/hieradata/roles/infra/git/server.yaml
@ -2,6 +2,7 @@
 hiera_include:
  - profiles::sql::postgresdb
  - profiles::nginx::simpleproxy
+  - profiles::gitea::user
  - gitea

 # additional altnames
@ -36,6 +37,9 @@ profiles::consul::client::node_rules:
    segment: git
    disposition: write

+# manage the gitea user
+profiles::gitea::user::manage: true
+
 # manage a simple nginx reverse proxy
 profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
 profiles::nginx::simpleproxy::nginx_aliases:
@ -55,6 +59,9 @@ profiles::sql::postgresdb::dbuser: gitea

 gitea::ensure: '1.22.4'
 gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
+gitea::manage_user: false
+gitea::manage_group: false
+gitea::manage_home: false
 gitea::custom_configuration:
  '':
    APP_NAME: 'Gitea'
--- a/site/profiles/manifests/base/account.pp
+++ b/site/profiles/manifests/base/account.pp
@ -12,8 +12,8 @@ define profiles::base::account (
  Boolean $ignore_pass = false,
  Array[String] $groups = [],
  Array[String] $sshkeys = [],
-  Array[String] $sudo_rules = [],
  String $shell = '/usr/bin/bash',
+  Optional[Array[String]] $sudo_rules = undef,
 ) {

  # Set gid to uid if gid is undef
@ -39,7 +39,9 @@ define profiles::base::account (
  }

  # Manage sudo rules
-  sudo::conf { "${username}_sudo":
-    content => $sudo_rules,
+  if $sudo_rules {
+    sudo::conf { "${username}_sudo":
+      content => $sudo_rules,
+    }
  }
 }
--- a/site/profiles/manifests/gitea/user.pp
+++ b/site/profiles/manifests/gitea/user.pp
@ -0,0 +1,19 @@
+# creates gitea service user
+class profiles::gitea::user (
+  Boolean $manage = false,
+  String  $user   = 'git',
+  String  $group  = 'git',
+  Integer $uid    = 1101,
+  Integer $gid    = 1101,
+) {
+
+  if $manage {
+    profiles::base::account {'git':
+      username => 'git',
+      uid      => $uid,
+      gid      => $gid,
+      system   => false,
+      before   => Class['gitea'],
+    }
+  }
+}