Switch lodgeit to run under a dedicated user

This updates the lodgeit paste service to run under a dedicated user. We defer on updating the image to do this as we should coordinate with vexxhost on how that will impact them. This should be fine though as gerritbot updates proved we can run it this way. Change-Id: I44d3c53a01be475db1bfa17200da0a4800f85628
2021-11-19 09:11:38 -08:00 · 2021-11-19 09:11:38 -08:00 · e5081581d4
commit e5081581d4
parent 7cea2a9f83
2 changed files with 16 additions and 0 deletions
--- a/playbooks/roles/lodgeit/tasks/main.yaml
+++ b/playbooks/roles/lodgeit/tasks/main.yaml
@ -1,3 +1,18 @@
+- name: Create lodgeit group
+  group:
+    name: "lodgeit"
+    gid: "10100"
+    system: yes
+- name: Create lodgeit user
+  user:
+    name: "lodgeit"
+    group: "lodgeit"
+    uid: "10100"
+    home: "/var/lib/lodgeit"
+    create_home: yes
+    shell: /bin/bash
+    system: yes
+
 - name: Ensure /etc/lodgeit-compose directory
  file:
    state: directory
--- a/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2
@ -25,6 +25,7 @@ services:
      - mariadb
    restart: always
    network_mode: host
+    user: "10100:10100"
    command: ['/bin/bash', '-c', 'echo "*** Starting"; sleep 30; /usr/local/bin/uwsgi']
    logging:
      driver: syslog