Deploy /etc/puppet as a role account

On our puppet master (pauli.tpo), the post-receive git hook deploys the tor-puppet repo in /etc/puppet as the user pushing. As long as umask is correct and the stars are aligned, things are good. Sometimes files end up with 0644 when we need them to be 0664 in order for other accounts (in group 'adm') to be able to change existing files.

Start using a role account instead of individual admin accounts for deploying to /etc/puppet.

determine if we need gitolite or some other access control system (no)
create a new user (git? in ldap? in puppet?)
populate user with admin keys (in puppet?)
remove write permissions to other users, grant only to the new user
~~add hooks to indicate the URL change~~ pre-receive doesn't run soon enough
update documentation in https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#problems-pushing-to-the-puppet-server ~~or remove that section~~
notify the team
update the mrconfig

Edited Jan 10, 2023 by anarcat

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information