Puppet Class: mediawiki::users
- Defined in:
- modules/mediawiki/manifests/users.pp
Overview
Class: mediawiki::users
Provisions system accounts for running, deploying and updating MediaWiki.
# File 'modules/mediawiki/manifests/users.pp', line 6
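# Provisions the system accounts used to run, deploy and health-check
# MediaWiki: 'mwdeploy' (deployment) and 'pybal-check' (PyBal monitoring).
#
# @param web
#   Name of the web server account that mwdeploy may act as through sudo.
#   The value is interpolated as-is into a sudoers rule.
# @param extra_privileges
#   Additional sudoers privilege lines appended verbatim to mwdeploy's rules.
#   undef is treated the same as an empty list.
class mediawiki::users(
    String $web = 'www-data',
    Optional[Array[String]] $extra_privileges = [],
) {
    # The declared type admits undef, and `Array + undef` appends undef as an
    # element instead of appending nothing. Normalise to an empty list so an
    # explicit undef cannot end up in the sudoers privilege list.
    $extra_sudo_rules = $extra_privileges ? {
        undef   => [],
        default => $extra_privileges,
    }

    # The mwdeploy account is used by various scripts in the MediaWiki
    # deployment process to run rsync.
    group { 'mwdeploy':
        ensure => present,
        system => true,
    }

    # NOTE(review): unlike pybal-check below, no gid is set here, so the
    # primary group is left to the user provider's default - confirm that it
    # resolves to the 'mwdeploy' group declared above.
    user { 'mwdeploy':
        ensure     => present,
        shell      => '/bin/bash',
        home       => '/var/lib/mwdeploy',
        system     => true,
        managehome => true,
    }

    # Key material comes from the secret() lookup rather than the module tree.
    # NOTE(review): presumably ssh::userkey installs this as the account's
    # authorized key - confirm against the ssh module.
    ssh::userkey { 'mwdeploy':
        content => secret('keyholder/mwdeploy.pub'),
    }

    # Grant mwdeploy sudo rights to run anything as itself, apache and the
    # l10nupdate user. This allows MediaWiki deployers to deploy as mwdeploy.
    #
    # Every rule is NOPASSWD, so control of the mwdeploy account (or of the
    # key that logs in to it) carries the full rights of $web and l10nupdate,
    # plus the two root commands listed. Audit access to that key accordingly.
    #
    # $web and each $extra_privileges entry reach the sudoers rules without
    # any validation in this class; supply them only from trusted
    # configuration, and review every extra entry as a privilege grant.
    sudo::user { 'mwdeploy':
        privileges => [
            "ALL = (${web},mwdeploy,l10nupdate) NOPASSWD: ALL",
            'ALL = (root) NOPASSWD: /usr/sbin/service apache2 start',
            'ALL = (root) NOPASSWD: /usr/sbin/apache2ctl graceful-stop',
        ] + $extra_sudo_rules,
    }

    # The pybal-check account is used by PyBal to monitor server health
    # See <https://wikitech.wikimedia.org/wiki/LVS#SSH_checking>
    group { 'pybal-check':
        ensure => present,
    }

    user { 'pybal-check':
        ensure     => present,
        gid        => 'pybal-check',
        shell      => '/bin/sh',
        home       => '/var/lib/pybal-check',
        system     => true,
        managehome => true,
    }

    # The key is served from this module's files, so it is the same on every
    # host that includes the class.
    # NOTE(review): the account keeps an interactive shell (/bin/sh); whether
    # the installed key is restricted to the health-check command is not
    # visible here - confirm in the key file or the ssh module.
    ssh::userkey { 'pybal-check':
        source => 'puppet:///modules/mediawiki/pybal_key',
    }
}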