From 8478e8613ded138b5d68b122cb82f5418a199764 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Jul 2013 10:04:21 -0700 Subject: changes to support restrictive permissions for /etc/leap. this is required to work with the latest leap_cli. --- puppet/modules/site_config/manifests/default.pp | 3 ++ puppet/modules/site_config/manifests/files.pp | 10 +++++++ puppet/modules/site_webapp/manifests/init.pp | 29 +++++++++++++------ puppet/modules/try/manifests/file.pp | 38 ++++++++++++++++++++----- 4 files changed, 64 insertions(+), 16 deletions(-) create mode 100644 puppet/modules/site_config/manifests/files.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 00eee9d0..e299a0f4 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -41,4 +41,7 @@ class site_config::default { # include basic shell config include site_config::shell + + # set up core leap files and directories + include site_config::files } diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp new file mode 100644 index 00000000..03c9aff8 --- /dev/null +++ b/puppet/modules/site_config/manifests/files.pp @@ -0,0 +1,10 @@ +class site_config::files { + + file { '/srv/leap': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711' + } + +} \ No newline at end of file diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e743dc07..103a0faf 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
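Review bot: The new `site_config::files` class sets `/srv/leap` to mode `0711` with no comment explaining the choice, and the commit subject talks about `/etc/leap`, which this manifest does not manage. With `0711`, non-root users can traverse the directory but not list it, so everything below it is protected only by its own owner and mode. I would add a comment above the resource such as `# 0711: service users may traverse but not list; entries below must set their own owner/mode`. The last attribute also lacks a trailing comma and the file ends without a newline, which is a minor style point.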
@@ -107,24 +107,35 @@ class site_webapp { try::file { '/srv/leap/webapp/public/favicon.ico': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['favicon']; + source => $webapp['favicon']; '/srv/leap/webapp/app/assets/stylesheets/tail.scss': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['tail_scss']; + source => $webapp['tail_scss']; '/srv/leap/webapp/app/assets/stylesheets/head.scss': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['head_scss']; + source => $webapp['head_scss']; '/srv/leap/webapp/public/img': - ensure => 'link', - require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['img_dir']; + ensure => directory, + recurse => true, + purge => true, + force => true, + owner => leap-webapp, + group => leap-webapp, + mode => '0644', + source => $webapp['img_dir']; } file { diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 47a8c269..7063ded9 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp 
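Review bot: The `/srv/leap/webapp/public/img` stanza drops `require => Vcsrepo['/srv/leap/webapp'],`, which the other three stanzas keep, so the recursive copy with `purge` and `force` is no longer ordered after the checkout; I would re-add that line. The try::file header changed in this same commit says restore does not work for directories, yet this stanza leaves `restore` at its default of true, so `restore => false,` looks appropriate here. The three file stanzas set owner and group but no `mode`; presumably the copies then take whatever mode Puppet derives from the source, so an explicit `mode => '0644',` would make the result independent of the restricted source tree. `leap-webapp` is an unquoted bareword containing a hyphen, and writing it as `'leap-webapp'` would be safer and match the quoted values around it.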
@@ -1,23 +1,47 @@ # -# like built-in type "file", but gets gracefully ignored if the target does not exist or is undefined. +# Works like the built-in type "file", but gets gracefully ignored if the target/source does not exist or is undefined. +# +# Also, if the source or target doesn't exist, and the destination is a git repo, then the file is restored from git. # # /bin/true and /usr/bin/test are hardcoded to their paths in debian. # - +# known limitations: +# * restore does not work for directories +# define try::file ( $ensure = undef, $target = undef, + $source = undef, + $owner = undef, + $group = undef, + $recurse = undef, + $purge = undef, + $force = undef, + $mode = undef, $restore = true) { - if $target != undef { + if $target { + $target_or_source = $target + } else { + $target_or_source = $source + } + + if $target_or_source != undef { exec { "check_${name}": command => "/bin/true", - onlyif => "/usr/bin/test -e '${target}'", + onlyif => "/usr/bin/test -e '${target_or_source}'", loglevel => info; } file { "$name": ensure => $ensure, target => $target, + source => $source, + owner => $owner, + group => $group, + recurse => $recurse, + purge => $purge, + force => $force, + mode => $mode, require => $require ? { undef => Exec["check_${name}"], default => [ $require, Exec["check_${name}"] ] @@ -27,10 +51,10 @@ define try::file ( } # - # if the target does not exist (or is undef), and the file happens to be in a git repo, + # if the target/source does not exist (or is undef), and the file happens to be in a git repo, # then restore the file to its original state. # - if $target == undef or $restore { + if ($target_or_source == undef) or $restore { $file_basename = basename($name) $file_dirname = dirname($name) $command = "git rev-parse && unlink '${name}'; git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'; true" 
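Review bot: `$source` is now passed to `/usr/bin/test -e '${target_or_source}'`, so try::file only works when the source is a single local path; a `puppet:///` URL or an array, both accepted by the built-in file type, would fail the check and the file would be silently skipped. The same interpolation appears in the `unless` of `restore_${name}` in the last hunk. Because the value sits inside single quotes in a command string, a value containing a quote would break the quoting, so it should only come from trusted configuration or be rejected. I would add `validate_absolute_path($target_or_source)` inside the `!= undef` branch (assuming stdlib is available, as the `basename`/`dirname` calls suggest) and state in the header comment that the source must be a local absolute path. The body of the define continues outside this hunk.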
@@ -48,7 +72,7 @@ define try::file (
 }
 } else {
 exec { "restore_${name}":
- unless => "/usr/bin/test -e '${target}'",
+ unless => "/usr/bin/test -e '${target_or_source}'",
 command => $command,
 cwd => $file_dirname,
 require => $require ? {
-- cgit v1.2.3