Deploy /etc/puppet as a role account
On our puppet master (
pauli.tpo), the post-receive git hook deploys the tor-puppet repo in /etc/puppet as the user pushing. As long as umask is correct and the stars are aligned, things are good. Sometimes files end up with 0644 when we need them to be 0664 in order for other accounts (in group 'adm') to be able to change existing files.
Start using a role account instead of individual admin accounts for deploying to /etc/puppet.
- determine if we need gitolite or some other access control system (no)
create a new user (
git? in ldap? in puppet?)
- populate user with admin keys (in puppet?)
- remove write permissions to other users, grant only to the new user
- update documentation in https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#problems-pushing-to-the-puppet-server to remove that section