From e5081581d4d3b8ffb9fa66ead15bef13706d9825 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Fri, 19 Nov 2021 09:11:38 -0800
Subject: [PATCH] Switch lodgeit to run under a dedicated user

This updates the lodgeit paste service to run under a dedicated user. We
defer updating the image to do this, as we should coordinate with
vexxhost on how that will impact them. This should be fine though, as
the gerritbot updates proved we can run it this way.

Change-Id: I44d3c53a01be475db1bfa17200da0a4800f85628
---
 playbooks/roles/lodgeit/tasks/main.yaml           | 15 +++++++++++++++
 .../lodgeit/templates/docker-compose.yaml.j2      |  1 +
 2 files changed, 16 insertions(+)

diff --git a/playbooks/roles/lodgeit/tasks/main.yaml b/playbooks/roles/lodgeit/tasks/main.yaml
index a172aa569b..26422a63e2 100644
--- a/playbooks/roles/lodgeit/tasks/main.yaml
+++ b/playbooks/roles/lodgeit/tasks/main.yaml
@@ -1,3 +1,18 @@
+- name: Create lodgeit group
+  group:
+    name: "lodgeit"
+    gid: "10100"
+    system: yes
+- name: Create lodgeit user
+  user:
+    name: "lodgeit"
+    group: "lodgeit"
+    uid: "10100"
+    home: "/var/lib/lodgeit"
+    create_home: yes
+    shell: /bin/bash
+    system: yes
+
 - name: Ensure /etc/lodgeit-compose directory
   file:
     state: directory
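Review bot: The new service account is created with `shell: /bin/bash`, which gives a non-interactive system user a login shell; nothing in this role appears to need one (the `/bin/bash` in the compose command runs inside the container, not as this host user), so `shell: /usr/sbin/nologin` would follow least privilege unless an interactive login for `lodgeit` is intended — worth confirming. The `system: yes` and `create_home: yes` values also use the YAML 1.1 truthy spelling; `true` is the canonical form Ansible and yamllint prefer. The uid/gid `"10100"` is repeated here and again as `user: "10100:10100"` in the compose template; a single role default for the id would keep the two files from drifting. If the container writes to any bind mount defined elsewhere in the compose file, that path's ownership presumably needs to match the new uid as well.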
diff --git a/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2 b/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2
index f917ec255d..d59c13406d 100644
--- a/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/lodgeit/templates/docker-compose.yaml.j2
@@ -25,6 +25,7 @@ services:
       - mariadb
     restart: always
     network_mode: host
+    user: "10100:10100"
     command: ['/bin/bash', '-c', 'echo "*** Starting"; sleep 30; /usr/local/bin/uwsgi']
     logging:
       driver: syslog
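Review bot: With `user: "10100:10100"` the process no longer runs as root, and under `network_mode: host` it will only be able to bind ports below 1024 if it holds `CAP_NET_BIND_SERVICE`; the uwsgi listen port is not visible here, so please verify it is unprivileged or that the capability is granted. Quoting the value is correct, since an unquoted `10100:10100` would hit the YAML 1.1 sexagesimal trap. The id is hard-coded in this template and also in the group/user tasks; sourcing it from one role variable (name to be chosen) would avoid the duplicated literal. The `services:` mapping this line belongs to starts before the hunk.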