Ori.livneh has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/172911

Change subject: Groundwork work for keyholder-based MediaWiki deployments
......................................................................

Groundwork work for keyholder-based MediaWiki deployments

Currently, when MediaWiki deployers push code, scap SSHs them into each host as
themselves, where they sudo to mwdeploy to run rsync. With keyholder, users
would be SSHing as mwdeploy directly. This requires setting a real shell for
mwdeploy and an SSH key.

Change-Id: I2523a13b99687f0c2ad2da2cd73a66abffe037b6
---
A modules/mediawiki/files/authorized_keys.mwdeploy
M modules/mediawiki/manifests/users.pp
2 files changed, 24 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/11/172911/1

diff --git a/modules/mediawiki/files/authorized_keys.mwdeploy 
b/modules/mediawiki/files/authorized_keys.mwdeploy
new file mode 100644
index 0000000..c9b0d0a
--- /dev/null
+++ b/modules/mediawiki/files/authorized_keys.mwdeploy
@@ -0,0 +1 @@
+# Placeholder.
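Review bot: the new authorized_keys.mwdeploy holds only the comment "# Placeholder.", so nothing here records what restrictions the eventual key entry is expected to carry. Since the same change gives mwdeploy a real shell, it would help to note in this file (or in the commit message) that the key added later should be limited with authorized_keys options such as from="..." and no-port-forwarding / no-agent-forwarding / no-X11-forwarding, so that the follow-up change is reviewed against that expectation.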
diff --git a/modules/mediawiki/manifests/users.pp 
b/modules/mediawiki/manifests/users.pp
index 3c7a3b1..5f00aef 100644
--- a/modules/mediawiki/manifests/users.pp
+++ b/modules/mediawiki/manifests/users.pp
@@ -37,12 +37,33 @@
 
     user { 'mwdeploy':
         ensure     => present,
-        shell      => '/bin/false',
-        home       => '/var/lib/mwdeploy',
+        shell      => '/bin/bash',
+        home       => '/home/mwdeploy',
         system     => true,
         managehome => true,
     }
 
+    file { '/home/mwdeploy':
+        ensure => directory,
+        owner  => 'mwdeploy',
+        group  => 'mwdeploy',
+        mode   => '0755',
+    }
+
+    file { '/home/mwdeploy/.ssh':
+        ensure => directory,
+        owner  => 'mwdeploy',
+        group  => 'mwdeploy',
+        mode   => '0500',
+    }
+
+    file { '/home/mwdeploy/.ssh/authorized_keys':
+        source  => 'puppet:///modules/mediawiki/authorized_keys.mwdeploy',
+        owner   => 'mwdeploy',
+        group   => 'mwdeploy',
+        mode    => '0400',
+    }
+
 
     # The l10nupdate account is used for updating the localisation files
     # with new interface message translations.

-- 
To view, visit https://gerrit.wikimedia.org/r/172911
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2523a13b99687f0c2ad2da2cd73a66abffe037b6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
