Filippo Giunchedi has submitted this change and it was merged. Change subject: keyholder key cleanup ......................................................................
keyholder key cleanup * Clean up the mess that is scap::target and keyholder::agent * Make ssh_agent_proxy look up keys by name instead of fingerprint ** This avoids needing to store fingerprints in puppet manifests * password-protected key test is now optional and skipped on beta Bug: T132747 Change-Id: Id298a3e0f12e31afd7ea83970e192330ffbd4243 --- M hieradata/common/scap/server.yaml M hieradata/labs/deployment-prep/common.yaml M hieradata/labs/phabricator/common.yaml M modules/eventlogging/manifests/deployment/target.pp M modules/keyholder/files/keyholder M modules/keyholder/files/ssh-agent-proxy M modules/keyholder/manifests/agent.pp M modules/keyholder/manifests/init.pp D modules/keyholder/manifests/private_key.pp M modules/mediawiki/manifests/users.pp D modules/phabricator/manifests/deployment/target.pp M modules/phabricator/manifests/init.pp M modules/role/manifests/deployment/mediawiki.pp M modules/role/manifests/snapshot/deployment.pp M modules/scap/manifests/server.pp M modules/scap/manifests/target.pp M modules/service/manifests/deploy/scap.pp M modules/service/manifests/node.pp M modules/service/manifests/uwsgi.pp M modules/zotero/manifests/init.pp 20 files changed, 155 insertions(+), 206 deletions(-) Approvals: Filippo Giunchedi: Verified; Looks good to me, approved diff --git a/hieradata/common/scap/server.yaml b/hieradata/common/scap/server.yaml index 260e18f..03826ad 100644 --- a/hieradata/common/scap/server.yaml +++ b/hieradata/common/scap/server.yaml @@ -13,26 +13,19 @@ phabricator: trusted_groups: - deploy-phabricator - key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10 - key_secret: phabricator/phab_deploy_private_key eventlogging: trusted_groups: - eventlogging-admins - key_fingerprint: b6:4e:1a:1b:4b:70:ef:91:31:cd:a3:18:9a:ca:41:44 deploy-service: trusted_groups: - deploy-service - aqs-admins - key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8 - key_file: servicedeploy_rsa - # Note: dumpsdeploy normally would have ops as trusted group, - # but ops is added implicitly anyway dumpsdeploy: - key_fingerprint: 86:c9:17:ab:b7:00:79:b5:8a:c5:b5:ee:29:24:c9:2f - + trusted_groups: + - ops # scap::source declarations. These are created # by the scap::server class. Each source listed here @@ -64,4 +57,3 @@ # cxserver is the ContentTranslation server. cxserver/deploy: repository: cxserver/deploy - diff --git a/hieradata/labs/deployment-prep/common.yaml b/hieradata/labs/deployment-prep/common.yaml index d7edbe9..ba85571 100644 --- a/hieradata/labs/deployment-prep/common.yaml +++ b/hieradata/labs/deployment-prep/common.yaml @@ -216,20 +216,14 @@ phabricator: trusted_groups: - project-%{::labsproject} - key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10 - key_secret: phabricator/phab_deploy_private_key eventlogging: trusted_groups: - project-%{::labsproject} - key_fingerprint: 02:9b:99:e2:f0:16:70:a3:d2:5a:e6:02:a3:73:0e:b0 deploy-service: trusted_groups: - deploy-service - key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8 - key_file: servicedeploy_rsa - # deployment-prep scap::source declarations. These are created # by the scap::server class. Each source listed here diff --git a/hieradata/labs/phabricator/common.yaml b/hieradata/labs/phabricator/common.yaml index aa2496f..70043f3 100644 --- a/hieradata/labs/phabricator/common.yaml +++ b/hieradata/labs/phabricator/common.yaml @@ -2,4 +2,4 @@ deployment: source: key_fingerprint: '36:75:c2:fa:34:02:c8:8c:ff:30:09:aa:f7:77:96:41' - trusted_group: 'project-phabricator' + trusted_groups: 'project-phabricator' diff --git a/modules/eventlogging/manifests/deployment/target.pp b/modules/eventlogging/manifests/deployment/target.pp index 07a46ea..6ecd1ae 100644 --- a/modules/eventlogging/manifests/deployment/target.pp +++ b/modules/eventlogging/manifests/deployment/target.pp @@ -41,11 +41,10 @@ include eventlogging::dependencies scap::target { "eventlogging/${title}": - package_name => $package_name, - deploy_user => 'eventlogging', - public_key_source => "puppet:///modules/eventlogging/deployment/eventlogging_rsa.pub.${::realm}", - service_name => $service_name, - sudo_rules => $sudo_rules, - manage_user => false, + package_name => $package_name, + deploy_user => 'eventlogging', + service_name => $service_name, + sudo_rules => $sudo_rules, + manage_user => false, } } diff --git a/modules/keyholder/files/keyholder b/modules/keyholder/files/keyholder index 942bbc1..7ad7fb3 100755 --- a/modules/keyholder/files/keyholder +++ b/modules/keyholder/files/keyholder @@ -25,8 +25,15 @@ exit 1 } +KEYHOLDERCONF="/etc/keyholder-auth.d/keyholder.conf" +REQUIRE_ENCRYPTED_KEYS="yes" + +[ -f "$KEYHOLDERCONF" ] && source "$KEYHOLDERCONF" + is_valid_private_key() { - # Check that $1 is a passphrase-protected private key file. + [ $REQUIRE_ENCRYPTED_KEYS == "yes" ] || return 0; + + # check that $1 is a password-protected rsa private key file. [ -f "$1" ] && /usr/bin/openssl rsa -in "$1" -check -pubout -passin pass: 2>&1 | \ /bin/grep -q "bad password" } @@ -45,16 +52,23 @@ SSH_AUTH_SOCK="/run/keyholder/${service}.sock" /usr/bin/ssh-add -l | sed 's/^/- /' done ;; + list-keys) + prefers_root + SSH_AUTH_SOCK="/run/keyholder/agent.sock" /usr/bin/ssh-add -l | sed 's/^[0-9]* //' + ;; add) requires_root SSH_AUTH_SOCK=/run/keyholder/agent.sock /usr/bin/sudo -u keyholder -E /usr/bin/ssh-add "$@" ;; arm) requires_root + KEYS="" for key in /etc/keyholder.d/*; do + [[ $key = *.pub ]] && continue is_valid_private_key "$key" || ( echo "$key is not an acceptable key. Does it have a passphrase?"; continue ) - $0 add "$key" + KEYS="$KEYS $key" done + $0 add $KEYS ;; disarm) requires_root diff --git a/modules/keyholder/files/ssh-agent-proxy b/modules/keyholder/files/ssh-agent-proxy index 134a8eb..2bbf4ff 100644 --- a/modules/keyholder/files/ssh-agent-proxy +++ b/modules/keyholder/files/ssh-agent-proxy @@ -49,6 +49,7 @@ import socket import socketserver import struct +import subprocess import sys import syslog @@ -88,15 +89,30 @@ return string, offset + struct.calcsize(fmt) +def get_key_fingerprints(): + """Look up the key fingerprints for all keys held by keyholder""" + keymap = {} + for fname in glob.glob('/etc/keyholder.d/*.pub'): + line = subprocess.check_output(['/usr/bin/ssh-keygen', '-lf', fname], + universal_newlines=True) + bits, fingerprint, note = line.split(' ', 2) + keyfile = os.path.splitext(os.path.basename(fname))[0] + keymap[keyfile] = fingerprint.replace(':', '') + return keymap + def get_key_perms(path): """Recursively walk `path`, loading YAML configuration files.""" key_perms = {} + fingerprints = get_key_fingerprints() for fname in glob.glob(os.path.join(path, '*.y*ml')): with open(fname) as yml: for group, keys in yaml.safe_load(yml).items(): for key in keys: - key = key.replace(':', '') - key_perms.setdefault(key, set()).add(group) + if key not in fingerprints: + print('fingerprint not found for key %s' % key) + continue + fingerprint = fingerprints[key] + key_perms.setdefault(fingerprint, set()).add(group) return key_perms diff --git a/modules/keyholder/manifests/agent.pp b/modules/keyholder/manifests/agent.pp index 260545d..34ad7f5 100644 --- a/modules/keyholder/manifests/agent.pp +++ b/modules/keyholder/manifests/agent.pp @@ -2,40 +2,38 @@ # # Resource for creating keyholder agents on a node # +# Most instances of this resource are created from hiera, see scap::server +# and scap/server.yaml +# # === Parameters # # [*name*] -# Used for service names, socket names, and default key name +# This is the name of the ssh key managed by this agent. The key comes from +# a call to secret which translates to: +# puppet/private/modules/secret/secrets/keyholder/${name}[.pub] # -# [*key_file*] -# The name of the key file stored in puppet private -# Should exist prior to running a defined resource +# [*ensure*] +# Defaults to 'present', this is passed directly to the file resources +# that this resource manages. # # [*trusted_groups*] -# An array of group names or GIDs of the trusted user groups with which the agent -# should be shared. It is the caller's responsibility to ensure +# An array of group names or GIDs of the trusted user groups with which the +# agent should be shared. It is the caller's responsibility to ensure # the groups exist. -# -# [*key_fingerprint*] -# Fingerprint of the public half of the private keyfile specified -# by $key_file # # === Examples # # keyholder::agent { 'mwdeploy': -# key_file => 'mwdeploy_key_rsa', -# trusted_group => ['wikidev', 'mwdeploy'], -# key_fingerprint => '00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00' -# require => Group['wikidev'], +# trusted_groups => ['wikidev', 'mwdeploy'], # } # define keyholder::agent( - $key_fingerprint, $trusted_groups = ['ops'], - $key_file = "${name}_rsa", - $key_content = undef, - $key_secret = undef, + $ensure = 'present', + $key_name = $name, ) { + validate_ensure($ensure) + require ::keyholder require ::keyholder::monitoring @@ -46,26 +44,30 @@ $real_trusted_groups = $trusted_groups } - file { "/etc/keyholder-auth.d/${name}.yml": - content => inline_template("---\n<% [*@real_trusted_groups].each do |g| %><%= g %>: ['<%= @key_fingerprint %>']\n<% end %>"), + $key_name_safe = regsubst($key_name, '\W', '_', 'G') + + file { "/etc/keyholder.d/${key_name_safe}": + ensure => $ensure, + content => secret("keyholder/${key_name_safe}"), owner => 'root', group => 'keyholder', mode => '0440', } - # lint:ignore:puppet_url_without_modules - if $key_content { - keyholder::private_key { $key_file: - content => $key_content, - } - } elsif $key_secret { - keyholder::private_key { $key_file: - content => secret($key_secret) - } - } else { - keyholder::private_key { $key_file: - source => "puppet:///private/ssh/tin/${key_file}", - } + file { "/etc/keyholder.d/${key_name_safe}.pub": + ensure => $ensure, + content => secret("keyholder/${key_name_safe}.pub"), + owner => 'root', + group => 'keyholder', + mode => '0440', } - # lint:endignore + + # generate the mapping between groups and keys. Used by ssh-agent-proxy + file { "/etc/keyholder-auth.d/${key_name_safe}.yml": + ensure => $ensure, + content => inline_template("---\n<%= [*@real_trusted_groups].map { |g| \"#{g}: [#{@key_name_safe}]\" }.join(\"\\n\") %>\n"), + owner => 'root', + group => 'keyholder', + mode => '0440', + } } diff --git a/modules/keyholder/manifests/init.pp b/modules/keyholder/manifests/init.pp index 9c1f9b0..891568d 100644 --- a/modules/keyholder/manifests/init.pp +++ b/modules/keyholder/manifests/init.pp @@ -25,7 +25,7 @@ # # $ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh remote-host ... # -class keyholder { +class keyholder($require_encrypted_keys='yes') { require_package('python3', 'python3-yaml') @@ -113,6 +113,13 @@ require => Service['keyholder-agent'], } + file { '/etc/keyholder-auth.d/keyholder.conf': + owner => 'root', + group => 'root', + mode => '0444', + content => "REQUIRE_ENCRYPTED_KEYS='${require_encrypted_keys}'", + } + # The `keyholder` script provides a simplified command-line # interface for managing the agent. See `keyholder --help`. diff --git a/modules/keyholder/manifests/private_key.pp b/modules/keyholder/manifests/private_key.pp deleted file mode 100644 index 5c06ebf..0000000 --- a/modules/keyholder/manifests/private_key.pp +++ /dev/null @@ -1,50 +0,0 @@ -# == Define: keyholder::private_key -# -# Provisions a private key file in /etc/keyholder.d. -# -# === Parameters -# -# [*ensure*] -# If 'present', config will be enabled; if 'absent', disabled. -# The default is 'present'. -# -# [*content*] -# If defined, will be used as the content of the key file. -# Undefined by default. Mutually exclusive with 'source'. -# -# [*source*] -# Path to key file. Undefined by default. -# Mutually exclusive with 'content'. -# -# === Examples -# -# keyholder::private_key { 'mwdeploy_rsa': -# ensure => present, -# content => secret('ssh/tin/mwdeploy_rsa'), -# } -# -define keyholder::private_key( - $ensure = present, - $content = undef, - $source = undef, -) { - validate_ensure($ensure) - - if $source == undef and $content == undef { - fail('you must provide either "source" or "content"') - } - if $source != undef and $content != undef { - fail('"source" and "content" are mutually exclusive') - } - - $title_safe = regsubst($title, '\W', '_', 'G') - - file { "/etc/keyholder.d/${title_safe}": - ensure => $ensure, - content => $content, - source => $source, - owner => 'root', - group => 'keyholder', - mode => '0440', - } -} diff --git a/modules/mediawiki/manifests/users.pp b/modules/mediawiki/manifests/users.pp index e92e4ce..46537ef 100644 --- a/modules/mediawiki/manifests/users.pp +++ b/modules/mediawiki/manifests/users.pp @@ -5,7 +5,6 @@ # class mediawiki::users( $web = 'www-data', - $mwdeploy_pub_key = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/81k2eXC0lM00+kg+5+p3kAHoOwAcbBjktlM7DENrrWdvkSlJasPDtHsU0+7woyGz2hHpI0SA8eBAEngl1X7uX4w1HU/VcG6np/kVMVrXPtn+sy4JtYTEVLuGzUstoc8PNxEDKvEQS7WGNLZtrgY0xWYsd7grt5tI/8qvhHd7coT6EWOcisRVnGY20r+/IWgsREZarbiW+0CSdQS0UzBbKQX/Hv+1asfZ24Qmq+yvXc2GuP+ewAm5gh0+5dUBHt69Ocq3PwCvqEypOrwpaqTGJbjvGLyaRN+YBNwoVwwl3EICYOJVDnNr/UxmzBT9RAJMHcpj6XrYiCTL1P9MUXyP54nZGOeqodSVn/L62lCwlh92D+E9qa6QFk8ikjKUr34vSI5jmQnscfaVz0k96YZP9B3J6+FDZOC8E/3SGRONrf4Fd4EAZGLQnoSdmwDHGGiHs8cjKnj4SinMabFzE3ReMV5k+Kdp999ne/vC2aryDSgc+EIXz731FmjPFmG5mdb/obGWHtU58kAbTSxPGV38uh1xvOSaSshfhYqK14G57x0ieUxV3zSZmJ5BuN5JbthgVNkAlMEATT2S6Cw+bBY7xgsE/0Wv139y0ChmatFyNv3uVbnMMTtJTBQGz+9Qb4xWTw1mxCxR5PmNmEaNI9+o/uk8M7fNd1muQfOUQPQkBQ== Mediawiki deployment key', ) { # The mwdeploy account is used by various scripts in the MediaWiki @@ -25,7 +24,7 @@ } ssh::userkey { 'mwdeploy': - content => $mwdeploy_pub_key, + content => secret('keyholder/mwdeploy.pub'), } # Grant mwdeploy sudo rights to run anything as itself, apache and the diff --git a/modules/phabricator/manifests/deployment/target.pp b/modules/phabricator/manifests/deployment/target.pp deleted file mode 100644 index 0cf7ce4..0000000 --- a/modules/phabricator/manifests/deployment/target.pp +++ /dev/null @@ -1,18 +0,0 @@ -# == Class phabricator::deployment::target -# This sets up sudo rules and the deploy_user for phabricator deployments with -# scap3. - -class phabricator::deployment::target( - $deploy_user, - $deploy_key, - $deploy_target= 'phabricator/deployment', -) { - scap::target { $deploy_target: - deploy_user => $deploy_user, - public_key_source => $deploy_key, - sudo_rules => [ - 'ALL=(root) NOPASSWD: /usr/sbin/service phd *', - 'ALL=(root) NOPASSWD: /usr/sbin/service apache2 *', - ] - } -} diff --git a/modules/phabricator/manifests/init.pp b/modules/phabricator/manifests/init.pp index 0d537fd..ae712f6 100644 --- a/modules/phabricator/manifests/init.pp +++ b/modules/phabricator/manifests/init.pp @@ -38,8 +38,6 @@ # [*deploy_target*] # The name of the scap3 deployment repo, e.g. phabricator/deployment # -# [*deploy_key*] -# The url of the public key for the deploy_user to deploy with scap # === Examples # @@ -65,7 +63,6 @@ $serveralias = '', $deploy_user = 'phab-deploy', $deploy_target = 'phabricator/deployment', - $deploy_key = "puppet:///modules/phabricator/phab-deploy-key.${::realm}", ) { $deploy_root = "/srv/deployment/${deploy_target}" @@ -134,10 +131,13 @@ } } - class { '::phabricator::deployment::target': - deploy_user => $deploy_user, - deploy_key => $deploy_key, - deploy_target => $deploy_target, + scap::target { $deploy_target: + deploy_user => $deploy_user, + key_name => 'phabricator', + sudo_rules => [ + 'ALL=(root) NOPASSWD: /usr/sbin/service phd *', + 'ALL=(root) NOPASSWD: /usr/sbin/service apache2 *', + ] } file { $phabdir: diff --git a/modules/role/manifests/deployment/mediawiki.pp b/modules/role/manifests/deployment/mediawiki.pp index 852d951..3719161 100644 --- a/modules/role/manifests/deployment/mediawiki.pp +++ b/modules/role/manifests/deployment/mediawiki.pp @@ -3,7 +3,6 @@ class role::deployment::mediawiki( $keyholder_user = 'mwdeploy', $keyholder_group = ['wikidev', 'mwdeploy'], - $key_fingerprint = 'f5:18:a3:44:77:a2:31:23:cb:7b:44:e1:4b:45:27:11', ) { # All needed classes for deploying mediawiki @@ -18,7 +17,6 @@ keyholder::agent { $keyholder_user: trusted_groups => $keyholder_group, - key_fingerprint => $key_fingerprint, } # Wikitech credentials file diff --git a/modules/role/manifests/snapshot/deployment.pp b/modules/role/manifests/snapshot/deployment.pp index c504ae0..c3fe5b0 100644 --- a/modules/role/manifests/snapshot/deployment.pp +++ b/modules/role/manifests/snapshot/deployment.pp @@ -1,7 +1,8 @@ +# Defines snapshot data dump deployment target(s) class role::snapshot::deployment { scap::target { 'dumps/dumps': - deploy_user => 'datasets', - public_key_source => 'puppet:///modules/snapshots/deployment/dumpsdeploy_rsa.pub', - manage_user => false, + deploy_user => 'datasets', + manage_user => false, + key_name => 'dumpsdeploy', } } diff --git a/modules/scap/manifests/server.pp b/modules/scap/manifests/server.pp index 5210cc1..e163efc 100644 --- a/modules/scap/manifests/server.pp +++ b/modules/scap/manifests/server.pp @@ -43,9 +43,7 @@ # class { 'scap::server': # keyholder_agents => { # 'deploy-service' => { -# 'trusted_group' => 'deploy-service', -# 'key_fingerprint' => 'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx', -# 'key_file' => 'servicedeploy_rsa', +# 'trusted_groups' => 'deploy-service', # }, # }, # sources => { diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp index ff3f67c..8479ca4 100644 --- a/modules/scap/manifests/target.pp +++ b/modules/scap/manifests/target.pp @@ -10,9 +10,13 @@ # [*deploy_user*] # user that will be used for deployments # -# [*public_key_source*] -# puppet source argument to pass to ssh::userkey for installing -# $deploy_user's public ssh key. +# [*key_name*] +# The name of a keyholder ssh key used to access this deployment target. +# This should correspond to a key which is defined in keyholder::agent +# (which are defined by hiera data in common::scap::server) +# Warning: If key_name is left undefined, then you must define the correct +# ssh::userkey for your deploy_user so that scap can connect to the target +# from the deployment server with a corresponding key in keyholder. # # [*service_name*] # service name that should be allowed to be restarted via sudo by @@ -32,20 +36,20 @@ # # Usage: # -# scap::target { 'mockbase': -# deploy_user => 'deploy-mockbase', -# public_key_source => 'puppet://modules/mockbase/deploy-test_rsa.pub' -# } -# # scap::target { 'eventlogging/eventlogging': # deploy_user => 'eventlogging', -# public_key_source => "puppet:///modules/eventlogging/deployment/eventlogging_rsa.pub.${::realm}", +# } +# +# +# scap::target { 'dumps/dumps': +# deploy_user => 'datasets', # manage_user => false, +# key_name => 'dumps', # } # define scap::target( $deploy_user, - $public_key_source, + $key_name = $deploy_user, $service_name = undef, $package_name = $title, $manage_user = true, @@ -55,27 +59,33 @@ include scap include scap::ferm - if $manage_user and !defined(Group[$deploy_user]) { - group { $deploy_user: - ensure => present, - system => true, - before => User[$deploy_user], + if $manage_user + { + if !defined(Group[$deploy_user]) { + group { $deploy_user: + ensure => present, + system => true, + before => User[$deploy_user], + } } - } else { - Group[$deploy_user] -> Scap::Target[$title] + if !defined(User[$deploy_user]) { + user { $deploy_user: + ensure => present, + shell => '/bin/bash', + home => '/var/lib/scap', + system => true, + managehome => true, + } + } + if !defined(Ssh::Userkey[$deploy_user]) { + ssh::userkey { $deploy_user: + ensure => 'present', + content => secret("keyholder/${key_name}.pub"), + } + } } - if $manage_user and !defined(User[$deploy_user]) { - user { $deploy_user: - ensure => present, - shell => '/bin/bash', - home => '/var/lib/scap', - system => true, - managehome => true, - } - } else { - User[$deploy_user] -> Scap::Target[$title] - } + if $::realm == 'labs' { if !defined(Security::Access::Config["scap-allow-${deploy_user}"]) { @@ -96,12 +106,6 @@ owner => $deploy_user}], provider => 'scap3', require => [Package['scap'], User[$deploy_user]], - } - - if !defined(Ssh::Userkey[$deploy_user]) { - ssh::userkey { $deploy_user: - source => $public_key_source, - } } # XXX: Temporary work-around for switching services from Trebuchet to Scap3 diff --git a/modules/service/manifests/deploy/scap.pp b/modules/service/manifests/deploy/scap.pp index 4778d7a..85c8017 100644 --- a/modules/service/manifests/deploy/scap.pp +++ b/modules/service/manifests/deploy/scap.pp @@ -3,14 +3,9 @@ # Creates user and permissions for deploy user # on service hosts # -# === Parameters +# Deprecated: you should use scap::target directly instead of this wrapper. # -# [*public_key_file*] -# This is the public_key for the deploy-service user. The private part of this -# key should reside in the private puppet repo for the environment. By default -# this public key is set to the deploy-service user's public key for production -# private puppet. It should be overwritten using hiera in non-production -# environements. +# === Parameters # # [*user*] # the user to create for deployment @@ -20,15 +15,14 @@ # user. Default: undef. # define service::deploy::scap( - $public_key_file = 'puppet:///modules/service/servicedeploy_rsa.pub', $user = 'deploy-service', $service_name = undef, $manage_user = false, ) { + warning('service::deploy::scap is deprecated. Use scap::target instead') scap::target { $title: - public_key_source => $public_key_file, - deploy_user => $user, - service_name => $service_name, - manage_user => $manage_user, + deploy_user => $user, + service_name => $service_name, + manage_user => $manage_user, } } diff --git a/modules/service/manifests/node.pp b/modules/service/manifests/node.pp index f39337a..8308e87 100644 --- a/modules/service/manifests/node.pp +++ b/modules/service/manifests/node.pp @@ -72,7 +72,8 @@ # crashes. Default: true # # [*deployment*] -# If this value is set to 'scap3' then deploy via scap3, otherwise, use trebuchet +# If this value is set to 'scap3' then deploy via scap3, otherwise, +# use trebuchet # Default: undef # # [*deployment_user*] @@ -126,9 +127,9 @@ case $deployment { 'scap3': { if ! defined(Service::Deploy::Trebuchet[$repo]) { - service::deploy::scap{ $repo: + scap::target { $repo: service_name => $title, - user => $deployment_user, + deploy_user => $deployment_user, before => Base::Service_unit[$title], manage_user => true, } diff --git a/modules/service/manifests/uwsgi.pp b/modules/service/manifests/uwsgi.pp index 3f97ae9..0857f4e 100644 --- a/modules/service/manifests/uwsgi.pp +++ b/modules/service/manifests/uwsgi.pp @@ -70,9 +70,9 @@ $deployment_user = 'deploy-service', $deployment_manage_user = true, ) { - service::deploy::scap { $repo: + scap::target { $repo: service_name => $title, - user => $deployment_user, + deploy_user => $deployment_user, before => Uwsgi::App[$title], manage_user => $deployment_manage_user, } diff --git a/modules/zotero/manifests/init.pp b/modules/zotero/manifests/init.pp index 85537c5..d7541b9 100644 --- a/modules/zotero/manifests/init.pp +++ b/modules/zotero/manifests/init.pp @@ -34,17 +34,15 @@ } scap::target { 'zotero/translators': - deploy_user => 'deploy-service', - public_key_source => 'puppet:///modules/service/servicedeploy_rsa.pub', - service_name => 'zotero', - before => Service['zotero'], + deploy_user => 'deploy-service', + service_name => 'zotero', + before => Service['zotero'], } scap::target { 'zotero/translation-server': - deploy_user => 'deploy-service', - public_key_source => 'puppet:///modules/service/servicedeploy_rsa.pub', - service_name => 'zotero', - before => Service['zotero'], + deploy_user => 'deploy-service', + service_name => 'zotero', + before => Service['zotero'], } # /srv/deployment/zotero/translation-server/defaults/preferences/defaults.js -- To view, visit https://gerrit.wikimedia.org/r/289236 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Id298a3e0f12e31afd7ea83970e192330ffbd4243 Gerrit-PatchSet: 30 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: 20after4 <mmod...@wikimedia.org> Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: Mobrovac <mobro...@wikimedia.org> Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org> Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits