Puppet Class: profile::stewards
- Defined in:
- modules/profile/manifests/stewards.pp
Overview
SPDX-License-Identifier: Apache-2.0 special VM for stewards (T344164)
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
# File 'modules/profile/manifests/stewards.pp', line 3
class profile::stewards (
Stdlib::Unixpath $repo_dir = lookup('profile::stewards::repo_dir', {default_value => '/srv/repos'}),
Stdlib::Unixpath $conf_dir = lookup('profile::stewards::conf_dir', {default_value => '/etc/steward-onboarder'}),
Stdlib::Unixpath $export_dir = lookup('profile::stewards::export_dir', {default_value => '/srv/exports'}),
Stdlib::Unixpath $userdb_dir = lookup('profile::stewards::userdb_dir', {default_value => "${repo_dir}/users-db"}),
Stdlib::Unixpath $onboarding_system_dir = lookup('profile::stewards::onboarding_system_dir', {default_value => "${repo_dir}/onboarding-system"}),
String $group_owner = lookup('profile::stewards::group_owner', {default_value => 'stewards-users'}),
Stdlib::Fqdn $lists_primary_host = lookup('lists_primary_host', {'default_value' => undef}),
){
# T344164#9314186
ensure_packages(['python3-click', 'python3-requests-oauthlib'])
# conf dir and repo dir not writable
wmflib::dir::mkdir_p([$conf_dir, $repo_dir], {
owner => 'root',
group => $group_owner,
mode => '0755',
})
# export dir group writable
wmflib::dir::mkdir_p($export_dir, {
owner => 'root',
group => $group_owner,
mode => '0775',
})
# pull onboarding application from gitlab and create the config
git::clone { 'repos/stewards/onboarding-system':
ensure => 'present',
source => 'gitlab',
group => $group_owner,
shared => true,
directory => $onboarding_system_dir,
}
file { "${conf_dir}/steward-onboarder.yaml":
ensure => 'present',
source => 'puppet:///modules/profile/stewards/steward-onboarder.yaml',
}
git::systemconfig { 'safe.directory-onboarding_system_dir':
settings => {
'safe' => {
'directory' => $onboarding_system_dir
}
}
}
# create a local-only repo to hold private onboarding app data
file { $userdb_dir:
ensure => directory,
owner => 'root',
group => $group_owner,
mode => '2775',
}
git::systemconfig { 'safe.directory-userdb_dir':
settings => {
'safe' => {
'directory' => $userdb_dir
}
}
}
exec { "${userdb_dir} git init":
command => '/usr/bin/git init',
user => 'root',
group => $group_owner,
cwd => $userdb_dir,
creates => "${userdb_dir}/.git",
require => File[$userdb_dir],
}
# let lists primary host sync data from the export_dir
# passing an empty string to address = listens on IPv6 as well, not just 0.0.0.0
class { 'rsync::server':
address => '',
}
rsync::server::module { 'steward-data-export-dir':
ensure => present,
comment => "${export_dir} to lists servers",
read_only => 'yes',
path => $export_dir,
hosts_allow => [$lists_primary_host],
auto_firewall => true,
require => [
File[$export_dir],
],
}
}
|