From cf0ff85b7001b1d78e22824983cf8f43f7e35480 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 6 Jul 2025 11:27:35 +1000
Subject: [PATCH] fix: manage git user (#339)

- prevent different gid/uid for git users when deploying cluster
- only add sudo conf when sudo_rules is a list
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/339
---
 hieradata/roles/infra/git/server.yaml | 7 +++++++
 site/profiles/manifests/base/account.pp | 8 +++++---
 site/profiles/manifests/gitea/user.pp | 19 +++++++++++++++++++
 3 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 site/profiles/manifests/gitea/user.pp

diff --git a/hieradata/roles/infra/git/server.yaml b/hieradata/roles/infra/git/server.yaml
index 9294c11..d59563f 100644
--- a/hieradata/roles/infra/git/server.yaml
+++ b/hieradata/roles/infra/git/server.yaml
@@ -2,6 +2,7 @@ hiera_include:
 - profiles::sql::postgresdb
 - profiles::nginx::simpleproxy
+ - profiles::gitea::user
 - gitea
 # additional altnames
@@ -36,6 +37,9 @@ profiles::consul::client::node_rules:
 segment: git
 disposition: write
+# manage the gitea user
+profiles::gitea::user::manage: true
+
 # manage a simple nginx reverse proxy
 profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
 profiles::nginx::simpleproxy::nginx_aliases:
@@ -55,6 +59,9 @@ profiles::sql::postgresdb::dbuser: gitea
 gitea::ensure: '1.22.4'
 gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
+gitea::manage_user: false
+gitea::manage_group: false
+gitea::manage_home: false
 gitea::custom_configuration:
 '':
 APP_NAME: 'Gitea'
diff --git a/site/profiles/manifests/base/account.pp b/site/profiles/manifests/base/account.pp
index e9dd48c..47dfa9c 100644
--- a/site/profiles/manifests/base/account.pp
+++ b/site/profiles/manifests/base/account.pp
@@ -12,8 +12,8 @@ define profiles::base::account (
 Boolean $ignore_pass = false,
 Array[String] $groups = [],
 Array[String] $sshkeys = [],
- Array[String] $sudo_rules = [],
 String $shell = '/usr/bin/bash',
+ Optional[Array[String]] $sudo_rules = undef,
 ) {
 # Set gid to uid if gid is undef
@@ -39,7 +39,9 @@ define profiles::base::account (
 }
 # Manage sudo rules
- sudo::conf { "${username}_sudo":
- content => $sudo_rules,
+ if $sudo_rules {
+ sudo::conf { "${username}_sudo":
+ content => $sudo_rules,
+ }
 }
 }
diff --git a/site/profiles/manifests/gitea/user.pp b/site/profiles/manifests/gitea/user.pp
new file mode 100644
index 0000000..1a2fea0
--- /dev/null
+++ b/site/profiles/manifests/gitea/user.pp
@@ -0,0 +1,19 @@
+# creates gitea service user
+class profiles::gitea::user (
+ Boolean $manage = false,
+ String $user = 'git',
+ String $group = 'git',
+ Integer $uid = 1101,
+ Integer $gid = 1101,
+) {
+
+ if $manage {
+ profiles::base::account {'git':
+ username => 'git',
+ uid => $uid,
+ gid => $gid,
+ system => false,
+ before => Class['gitea'],
+ }
+ }
+}
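Review bot: The new type `Optional[Array[String]]` on `$sudo_rules` still accepts an empty list, and an empty array is truthy in Puppet, so a caller passing `sudo_rules => []` gets past the `if $sudo_rules` guard added in the second hunk of this file and still produces an empty sudoers fragment. If the intent is "no fragment unless there are rules", tighten the type to `Optional[Array[String, 1]]` so an empty list fails at compile time, or write the guard as `if $sudo_rules and !$sudo_rules.empty {`. The parameter list starts above this hunk, so what existing callers pass is not visible here.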
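Review bot: Skipping `sudo::conf` when `$sudo_rules` is undef stops managing the fragment but does not remove one written by an earlier run, so an account whose rules are dropped from hiera may keep its sudo rights on hosts that were already deployed. Whether that happens depends on the sudo module purging unmanaged files in its config directory, which this patch does not show. An explicit revoke path would be an `else` branch declaring `sudo::conf { "${username}_sudo": ensure => absent }`, assuming the define accepts `ensure`. The body of `profiles::base::account` begins before this hunk.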
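Review bot: `$user` and `$group` are declared as class parameters but never read; the resource title and `username` are hard-coded to `'git'`, so a hiera override of `profiles::gitea::user::user` silently does nothing and the pinned uid/gid are still applied to `git`. Either drop the two parameters or use them, for example `profiles::base::account { $user:` with `username => $user,`. With `gitea::manage_user: false` set in the role data, the account created here presumably has to match the owner the gitea module runs as. A short comment on the class saying so, plus `@param` lines for `uid` and `gid`, would help keep the two in sync.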