summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2015-09-03 23:24:43 -0700
committerelijah <elijah@riseup.net>2015-09-03 23:24:43 -0700
commit9d645a82c7346e8d585c664a82c719647a0d2ffa (patch)
treeb4ae9a91fbfa83c01ecb20e5aa20fb0bbccf7c32
parentda53a4a723cc05cfa39e066c64a9467d7efad04b (diff)
make couchdb.admin.yml only readable by root, make non-admin cron run as webapp user.
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp16
-rw-r--r--puppet/modules/site_webapp/manifests/cron.pp4
2 files changed, 12 insertions, 8 deletions
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 1dbc745d..5cf7f953 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,29 +14,29 @@ class site_webapp::couchdb {
file {
'/srv/leap/webapp/config/couchdb.yml':
content => template('site_webapp/couchdb.yml.erb'),
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/config/couchdb.admin.yml':
content => template('site_webapp/couchdb.admin.yml.erb'),
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'root',
+ group => 'root',
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/log':
ensure => directory,
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0755',
require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/log/production.log':
ensure => present,
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0666',
require => Vcsrepo['/srv/leap/webapp'];
}
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index d26ee312..7147a0d2 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -5,12 +5,14 @@ class site_webapp::cron {
'rotate_databases':
command => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
environment => 'RAILS_ENV=production',
+ user => 'root',
hour => [0,6,12,18],
minute => 0;
'delete_tmp_databases':
command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
environment => 'RAILS_ENV=production',
+ user => 'root',
hour => 1,
minute => 1;
@@ -19,6 +21,7 @@ class site_webapp::cron {
'remove_expired_sessions':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
environment => 'RAILS_ENV=production',
+ user => 'leap-webapp',
hour => 2,
minute => 30,
ensure => absent;
@@ -26,6 +29,7 @@ class site_webapp::cron {
'remove_expired_tokens':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
environment => 'RAILS_ENV=production',
+ user => 'leap-webapp',
hour => 3,
minute => 0;
}