author | Simon Sapin <simon.sapin@exyr.org> | 2018-11-12 23:20:33 +0100 |
---|---|---|
committer | Simon Sapin <simon.sapin@exyr.org> | 2018-11-15 17:38:13 +0100 |
commit | fe0e1ae7d38e097177cd02fe320b88f403facf13 (patch) | |
tree | 4e317b36b247fd3e4c274c07a0c82a998fac8a40 | |
parent | ff1e2c2394cda3ce744e25e5629d52db8baa0d6a (diff) | |
generic-worker on macOS: read-only config
-rw-r--r-- | etc/taskcluster/macos/config/roster | 1 | ||||
-rw-r--r-- | etc/taskcluster/macos/states/generic-worker.sls | 49 |
2 files changed, 24 insertions, 26 deletions
diff --git a/etc/taskcluster/macos/config/roster b/etc/taskcluster/macos/config/roster
index ed11c2b8530..c1f1e5f6ee7 100644
--- a/etc/taskcluster/macos/config/roster
+++ b/etc/taskcluster/macos/config/roster
@@ -5,3 +5,4 @@ mac1:
 minion_opts:
 providers:
 user: mac_user
+ group: mac_group
diff --git a/etc/taskcluster/macos/states/generic-worker.sls b/etc/taskcluster/macos/states/generic-worker.sls
index aeeb35f6e43..3bacbabe204 100644
--- a/etc/taskcluster/macos/states/generic-worker.sls
+++ b/etc/taskcluster/macos/states/generic-worker.sls
@@ -1,4 +1,5 @@
 {% set bin = "/usr/local/bin" %}
+{% set etc = "/etc/generic-worker" %}
 {% set user = "worker" %}
 {% set home = "/Users/" + user %}
@@ -17,19 +18,25 @@
 - mode: 755
 - makedirs: True
+{{ user }} group:
+ group.present:
+ - name: {{ user }}
+
 {{ user }}:
 user.present:
 - home: {{ home }}
+ - gid_from_name: True
 # `user.present`’s `createhome` is apparently not supported on macOS
 {{ home }}:
 file.directory:
 - user: {{ user }}
-{{ home }}/config.json:
+{{ etc }}/config.json:
 file.serialize:
- - user: {{ user }}
- - mode: 600
+ - makedirs: True
+ - group: {{ user }}
+ - mode: 640
 - show_changes: False
 - formatter: json
 - dataset:
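Review bot: The `{{ etc }}/config.json` state sets `- group: {{ user }}` and `- mode: 640` but no owner, and `/etc/generic-worker` itself is only created implicitly through `- makedirs: True`, so the file's owner and the directory's owner and mode are left to Salt's defaults on the minion. Since this file carries `accessToken` and `livelogSecret`, I would pin both: add `- user: root` here (assuming the states are applied as root) and declare `{{ etc }}` in its own `file.directory` state with an explicit owner, group and mode. The same missing owner applies to `{{ etc }}/livelog.crt` and `{{ etc }}/livelog.key` in the following hunk. The `dataset` mapping continues past the end of this hunk.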
@@ -43,41 +50,28 @@
 clientId: {{ pillar["client_id"] }}
 accessToken: {{ pillar["access_token"] }}
 livelogExecutable: {{ bin }}/livelog
- livelogCertificate: {{ home }}/livelog.crt
- livelogKey: {{ home }}/livelog.key
+ livelogCertificate: {{ etc }}/livelog.crt
+ livelogKey: {{ etc }}/livelog.key
 livelogSecret: {{ pillar["livelog_secret"] }}
 - watch_in:
 - service: net.generic.worker
-{{ home }}/livelog.crt:
+{{ etc }}/livelog.crt:
 file.managed:
 - contents_pillar: livelog_cert
- - user: {{ user }}
- - mode: 600
+ - group: {{ user }}
+ - mode: 640
-{{ home }}/livelog.key:
+{{ etc }}/livelog.key:
 file.managed:
 - contents_pillar: livelog_key
- - user: {{ user }}
- - mode: 600
+ - group: {{ user }}
+ - mode: 640
 {{ bin }}/generic-worker new-openpgp-keypair --file {{ home }}/key:
 cmd.run:
 - creates: {{ home }}/key
- - runas: worker
-
-{{ home }}/run:
- file.managed:
- - mode: 744
- - user: {{ user }}
- - template: jinja
- - contents: |-
- #!/bin/sh
- # generic-worker overwrites its config file to fill in defaults,
- # but we want to avoid touching config.json here
- # so that SaltStack knows to (only) restart the service when it (really) changes.
- cp -a config.json config-run.json
- exec {{ bin }}/generic-worker run --config config-run.json
+ - runas: {{ user }}
 /Library/LaunchAgents/net.generic.worker.plist:
 file.managed:
@@ -93,7 +87,10 @@
 <key>ProgramArguments</key>
 <array>
- <string>{{ home }}/run</string>
+ <string>{{ bin }}/generic-worker</string>
+ <string>run</string>
+ <string>--config</string>
+ <string>{{ etc }}/config.json</string>
 </array>
 <key>KeepAlive</key> |
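Review bot: Nothing here removes what the previous states wrote under `{{ home }}`: on an already-provisioned worker, `config.json`, `livelog.crt`, `livelog.key`, `run` and the `config-run.json` copy made by the old wrapper would presumably remain, owned by `{{ user }}` and still holding the access token, livelog secret and private key. Adding `file.absent` states for those paths would leave the copies under `{{ etc }}` as the only ones. Separately, the deleted wrapper's comment says generic-worker overwrites its config file to fill in defaults; with `--config {{ etc }}/config.json` passed directly in the plist hunk and the file no longer writable by the worker, it is worth confirming that the worker tolerates that write failing.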