Puppet Class: statistics::user

Defined in:
modules/statistics/manifests/user.pp

Overview



# File 'modules/statistics/manifests/user.pp', line 1

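# @summary Manages the 'stats' system user, its home directory, its global
#   git configuration and its Gerrit HTTP credentials file.
#
# The Gerrit HTTP password is read from the passwords::statistics::user class.
class statistics::user {
    include ::passwords::statistics::user

    $username = 'stats'
    $homedir  = "/var/lib/${username}"

    # From Buster onward, we want to have fixed uid/gids for daemons.
    # We manage service system users in puppet classes, but declare
    # commented placeholders for them in the admin module's data.yaml file
    # to ensure that people don't accidentally add uid/gid conflicts.
    # The gid is deliberately the same number as the uid.
    $stats_uid = assert_type(Admin::UID::System::Global, 918)
    $stats_gid = assert_type(Admin::UID::System::Global, $stats_uid)

    # Home directory of the stats user; world-readable (0755), so anything
    # sensitive placed inside it needs its own restrictive mode.
    file { [$homedir]:
        ensure => 'directory',
        owner  => $username,
        group  => $username,
        mode   => '0755',
    }

    systemd::sysuser { $username:
        id       => "${stats_uid}:${stats_gid}",
        shell    => '/bin/bash',
        home_dir => $homedir,
    }

    $git_settings = {
        'user' => {
            'name'  => 'Statistics User',
            'email' => 'data-engineering-alerts@lists.wikimedia.org',
        },
        # Enable automated git/gerrit authentication via http
        # by using .git-credential file store.
        # The 'store' helper keeps credentials unencrypted on disk, so the
        # only protection is the 0600 mode set on .git-credentials below.
        'credential' => {
            'helper' => 'store',
        }
    }

    # Global git config for the whole Analytics VLAN that forces every
    # user through the Production Webproxy. Without it, HTTP/HTTPS calls
    # end up blocked by the VLAN's firewall rules; setting it here means
    # individual users do not have to configure the proxy themselves.
    # Not needed in labs.
    if $::realm == 'production' {
        $git_http_proxy_settings = {
            # https://wikitech.wikimedia.org/wiki/HTTP_proxy
            'http' => {
                'proxy' => 'http://webproxy.eqiad.wmnet:8080'
            },
            'https' => {
                'proxy' => 'http://webproxy.eqiad.wmnet:8080'
            },
        }
    } else {
        $git_http_proxy_settings = {}
    }

    # NOTE(review): User[$username] is presumably declared by
    # systemd::sysuser above -- confirm against that define.
    git::userconfig { $username:
        homedir  => $homedir,
        settings => merge($git_settings, $git_http_proxy_settings),
        require  => User[$username],
    }

    # Render the .git-credentials file with the stats user's http password.
    # This password is set from https://gerrit.wikimedia.org/r/#/settings/http-password.
    # To log into gerrit as the stats user, check the /srv/password/stats-user file
    # for LDAP login creds.
    #
    # show_diff is disabled so that a change to this file never prints the
    # credential URL as a content diff in agent output or reports.
    # NOTE(review): the password is interpolated as a plain string, so it is
    # presumably still present in the compiled catalog; wrapping the content
    # in Sensitive() would address that but needs checking against the Puppet
    # version in use. The value is also inserted verbatim -- confirm it never
    # contains characters that would need percent-encoding in a URL.
    file { "${homedir}/.git-credentials":
        mode      => '0600',
        owner     => $username,
        group     => $username,
        show_diff => false,
        content   => "https://${username}:${passwords::statistics::user::gerrit_http_password}@gerrit.wikimedia.org",
        require   => User[$username],
    }
}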