# File 'modules/statistics/manifests/user.pp', line 1
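# @summary Declares the 'stats' system user, its home directory, its global
#   git configuration and the Gerrit HTTP credentials file that git reads.
#
# Security notes:
# - git is configured with the 'store' credential helper, so the Gerrit HTTP
#   password is kept in clear text in ${homedir}/.git-credentials. The only
#   protection on that file is its mode (0600) and ownership (stats user).
# - The password is read from passwords::statistics::user and interpolated
#   into the file content. Diff output is disabled on that resource so a
#   content change does not print the old and new password into agent logs
#   and reports.
class statistics::user {
    include ::passwords::statistics::user

    $username = 'stats'
    $homedir  = "/var/lib/${username}"

    # From Buster onward, we want to have fixed uid/gids for daemons.
    # We manage service system users in puppet classes, but declare
    # commented placeholders for them in the admin module's data.yaml file
    # to ensure that people don't accidentally add uid/gid conflicts.
    # assert_type fails compilation if the id does not match the
    # Admin::UID::System::Global type; the gid reuses the uid value.
    $stats_uid = assert_type(Admin::UID::System::Global, 918)
    $stats_gid = assert_type(Admin::UID::System::Global, $stats_uid)

    # The home directory is 0755, so other local users can list it; the
    # credentials file below relies on its own 0600 mode, not on this directory.
    file { [$homedir]:
        ensure => 'directory',
        owner  => $username,
        group  => $username,
        mode   => '0755',
    }

    # NOTE(review): the account gets /bin/bash as its shell; presumably jobs
    # run interactively as this user. Confirm that a login shell is required.
    systemd::sysuser { $username:
        id       => "${stats_uid}:${stats_gid}",
        shell    => '/bin/bash',
        home_dir => $homedir,
    }

    $git_settings = {
        'user' => {
            'name'  => 'Statistics User',
            'email' => 'data-engineering-alerts@wikimedia.org',
        },
        # Enable automated git/gerrit authentication via http
        # by using .git-credential file store.
        # The 'store' helper keeps credentials unencrypted on disk.
        'credential' => {
            'helper' => 'store',
        }
    }

    # Specific global git config for all the Analytics VLAN
    # to force every user to use the Production Webproxy.
    # This is useful to avoid HTTP/HTTPS calls ending up
    # being blocked by the VLAN's firewall rules, avoiding
    # all the users to set up their own settings.
    # Not needed in labs.
    if $::realm == 'production' {
        $git_http_proxy_settings = {
            # https://wikitech.wikimedia.org/wiki/HTTP_proxy
            'http' => {
                'proxy' => 'http://webproxy.eqiad.wmnet:8080'
            },
            'https' => {
                'proxy' => 'http://webproxy.eqiad.wmnet:8080'
            },
        }
    } else {
        $git_http_proxy_settings = {}
    }

    # NOTE(review): require => User[$username] presumes systemd::sysuser
    # declares a User resource with that title; verify against that define.
    git::userconfig { $username:
        homedir  => $homedir,
        settings => merge($git_settings, $git_http_proxy_settings),
        require  => User[$username],
    }

    # Render the .git-credentials file with the stats user's http password.
    # This password is set from https://gerrit.wikimedia.org/r/#/settings/http-password.
    # To log into gerrit as the stats user, check the /srv/password/stats-user file
    # for LDAP login creds.
    #
    # show_diff is off because the content embeds the password: with diffs
    # enabled, every password rotation would write both values to the agent
    # log and the run report. The value is still present in the compiled
    # catalog; NOTE(review): wrapping the content in Sensitive() would redact
    # it there too, if the Puppet version in use supports it for file content.
    file { "${homedir}/.git-credentials":
        mode      => '0600',
        owner     => $username,
        group     => $username,
        content   => "https://${username}:${passwords::statistics::user::gerrit_http_password}@gerrit.wikimedia.org",
        show_diff => false,
        require   => User[$username],
    }
}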