From ef57e8e79b2afeed4d3eefde72c1a992562538e5 Mon Sep 17 00:00:00 2001
From: Dennis Ahrens <dennis.ahrens@hs-hannover.de>
Date: Tue, 30 Jun 2020 17:02:10 +0200
Subject: [PATCH] Fix #1 by using root to deploy code.

It removes the deployer user completely using salts user.abent and group.absent states while changing the whole permissions to fit root. It should be safe to run this directly on existing deployments. Tested locally with simple CLI and nginx/uwsgi setups.
---
 README.md | 6 +++---
 deploy/django.sls | 18 +++++++----------
 deploy/gitlab.sls | 15 +++++---------
 deploy/user.sls | 32 +++++++++++++------------------
 deploy/venv.sls | 9 ++++-----
 5 files changed, 32 insertions(+), 48 deletions(-)

diff --git a/README.md b/README.md
index 97fc8ca..94bb54f 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Deploy code!
 ## users
-The deployment runs as the user `deployer`, which has access to e.g. gitlab.
+The deployment runs as `root`, which has access to e.g. gitlab.
 The formula is organized in projects.
 ```yaml
@@ -13,7 +13,7 @@ deploy:
 project_name: {}
 ```
-For each project an additional user with the name `project_name` gets created, which is a member of the group `deployer`.
+For each project an additional user with the name `project_name` gets created.
 This user should be used to run daemons.
 ## states
@@ -147,7 +147,7 @@ The environment creation runs in the context of the project user.
 #### `deploy.projects.[...].user_groups`
 Each project receives a user that should be used to run the project (if it is runnable somehow...).
-By default this user is member of the groups: `deployer`, `[project_name]` and `virtualenv`.
+By default this user is member of the groups: `[project_name]` and `virtualenv`.
 With `user_groups` you can define additional groups the user should belojng to.
 This is especially interesting for access to cert data.
 If your run user needs to read a cert, you might add him into the corresponding group.
diff --git a/deploy/django.sls b/deploy/django.sls
index 9c6e926..1a8716c 100644
--- a/deploy/django.sls
+++ b/deploy/django.sls
@@ -3,20 +3,16 @@ deploy_static_directory:
 file.directory:
 - name: {{ deploy.config.static_directory }}
- - user: deployer
+ - user: root
 - group: www-data
- - mode: 2770
- - require:
- - user: deployer
+ - mode: 2775
 deploy_sqlite_directory:
 file.directory:
 - name: {{ deploy.config.sqlite_directory }}
- - user: deployer
- - group: deployer
- - mode: 2770
- - require:
- - user: deployer
+ - user: root
+ - group: root
+ - mode: 2775
 {% for project_name, project_config in deploy.projects.items() if project_config.get('django', False) %}
 {% set dj_config = project_config.django %}
@@ -28,7 +24,7 @@ deploy_django_{{ project_name }}_settings:
 - source: salt://deploy/tpl/django_settings.py
 - template: jinja
 - mode: 640
- - user: deployer
+ - user: root
 - group: {{ project_name }}
 - context: {{ dj_config|json }}
@@ -44,7 +40,7 @@ deploy_django_{{ project_name }}_migrate:
 - runas: {{ project_name }}
 - require:
 - file: deploy_django_{{ project_name }}_settings
- - require_in:
+ - require:
 - cmd: fix_sqlite3_permissions
 {% endif %}
diff --git a/deploy/gitlab.sls b/deploy/gitlab.sls
index 47a52f9..877a3e5 100644
--- a/deploy/gitlab.sls
+++ b/deploy/gitlab.sls
@@ -12,13 +12,9 @@ deploy_packages:
 deploy_target_directory_exists:
 file.directory:
 - name: {{ deploy.config.deploy_directory }}
- - user: deployer
- - group: deployer
- - mode: 0770
- - require:
- - user: deployer
- - group: deployer
-
+ - user: root
+ - group: root
+ - mode: 0755
 {% for project_name, project_config in deploy.projects.items() if project_config.get('gitlab', False) %}
 {% set repo_config = project_config.gitlab %}
@@ -27,7 +23,7 @@ deploy_{{ project_name }}_clone_git:
 git.latest:
 - name: {{ repo_config.url }}
 - rev: {{ repo_config.rev }}
- - user: deployer
+ - user: root
 - force_fetch: true
 - force_reset: true # ignore local repos changed!
 - target: {{ project_config.path }}
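Review bot: In the `deploy_django_{{ project_name }}_migrate` hunk the state now carries `- require:` twice, once for the settings file and once for `cmd: fix_sqlite3_permissions`; Salt folds a state's argument list into one dict, so if the second key overrides the first the requisite on `deploy_django_{{ project_name }}_settings` is silently lost. Merge them into a single list: `- require:` / `  - file: deploy_django_{{ project_name }}_settings` / `  - cmd: fix_sqlite3_permissions`. Switching `require_in` to `require` also reverses the order, so `fix_sqlite3_permissions` (defined outside this hunk) now runs before the migration, which runs as `{{ project_name }}` against a sqlite directory that the first hunk makes `root:root` with mode 2775; unless that state grants the project user write access, the first migration cannot create the database file. The `migrate` state starts above the hunk.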
@@ -37,7 +33,7 @@ deploy_{{ project_name }}_clone_git:
 deploy_{{ project_name }}_clone_directory_permissions:
 file.directory:
 - name: {{ project_config.path }}
- - user: deployer
+ - user: root
 - group: {{ project_name }}
 {% if repo_config.get('keep_chmod_from_repo', False) %}
 {% else %}
@@ -50,7 +46,6 @@ deploy_{{ project_name }}_clone_directory_permissions:
 - mode
 - require:
 - git: deploy_{{ project_name }}_clone_git
- - sls: deploy.user
 {% if repo_config.get('after_clone_command', False) %}
 deploy_{{ project_name }}_run_after_clone_command:
diff --git a/deploy/user.sls b/deploy/user.sls
index 90f123e..70d3880 100644
--- a/deploy/user.sls
+++ b/deploy/user.sls
@@ -1,43 +1,37 @@
 {% from "deploy/map.jinja" import deploy with context %}
 deployer:
- group.present:
- - system: True
- user.present:
- - groups:
- - deployer
+ user.absent: []
+ group.absent: []
+
-/home/deployer/.ssh/known_hosts:
+/root/.ssh/known_hosts:
 file.managed:
 - source: salt://deploy/tpl/ssh/known_hosts
- - user: deployer
- - group: deployer
+ - user: root
+ - group: root
 - makedirs: True
- - require:
- - user: deployer
-/home/deployer/.ssh/config:
+/root/.ssh/config:
 file.managed:
 - source: salt://deploy/tpl/ssh/config
- - user: deployer
- - group: deployer
+ - user: root
+ - group: root
 - makedirs: True
- - require:
- - user: deployer
 deploy_key:
 file.managed:
- - name: /home/deployer/.ssh/deploy_key
+ - name: /root/.ssh/deploy_key
 - contents_pillar: deploy:config:key
 - mode: 600
- - user: deployer
- - group: deployer
+ - user: root
+ - group: root
 - makedirs: True
 {% for project_name, project_config in deploy.projects.items() %}
 {% set config_user_groups = project_config.get('user_groups', []) %}
-{% set default_user_groups = [project_name, 'deployer'] %}
+{% set default_user_groups = [project_name] %}
 {% set user_groups = config_user_groups + default_user_groups %}
 {{ project_name }}:
diff --git a/deploy/venv.sls b/deploy/venv.sls
index fa8bbb1..caa2f39 100644
--- a/deploy/venv.sls
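Review bot: Removing `- sls: deploy.user` from the `require` list of `deploy_{{ project_name }}_clone_directory_permissions` (second gitlab hunk) drops the only visible ordering against `deploy/user.sls`, yet the state still sets `- group: {{ project_name }}`, a group that user.sls creates; on a fresh minion the directory state can now run before that group exists and fail. The requisite was presumably removed because the `deployer` user is gone, but a narrower one on the project user keeps the ordering, e.g. `- user: {{ project_name }}` in the `require` list, assuming the `{{ project_name }}` ID in user.sls is a `user.present` state (its body is outside the hunk). If the top file already orders `deploy.user` before `deploy.gitlab`, a comment saying so next to the `require` would make the dependency explicit.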
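Review bot: `user.absent: []` on `deployer` removes the account but, with Salt's default `purge: False`, leaves `/home/deployer` untouched, including the `/home/deployer/.ssh/deploy_key` that the previous version of the `deploy_key` state wrote from the `deploy:config:key` pillar; on the existing deployments the commit message says this is safe for, that private key stays on disk owned by an unassigned uid. Either set `- purge: True` under `user.absent`, or add a `file.absent` state for `/home/deployer/.ssh/deploy_key` so the stale key is removed when the migration to root runs. Separately, `/root/.ssh/config` and `/root/.ssh/known_hosts` are now managed from the formula templates, so any SSH configuration root already had on the minion is overwritten at the next highstate; the README hunk does not mention this and a sentence there would save operators a surprise.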
+++ b/deploy/venv.sls
@@ -20,11 +20,10 @@ deploy_provision_virtualenv_group_with_members:
 deploy_venv_directory:
 file.directory:
 - name: {{ deploy.config.venv_directory }}
- - user: deployer
+ - user: root
 - group: virtualenv
 - mode: 2770
 - require:
- - user: deployer
 - group: virtualenv
 {% for project_name, project_config in deploy.projects.items() if project_config.get('venv', False) %}
@@ -34,7 +33,7 @@ create_{{ project_name }}_venv:
 cmd.run:
 - name: python3 -m venv {{ venv_config.path }}
 - onlyif: test ! -e {{ venv_config.path }}
- - runas: deployer
+ - runas: root
 - require:
 - file: deploy_venv_directory
 - pkg: deploy_venv_pkgs
@@ -42,7 +41,7 @@ create_{{ project_name }}_venv:
 upgrade_pip_in_{{ project_name }}_venv:
 cmd.run:
 - name: {{ venv_config.path }}/bin/pip install --upgrade pip
- - runas: deployer
+ - runas: root
 - env:
 LANG: en_US.UTF-8
 LC_CTYPE: en_US.UTF-8
@@ -55,7 +54,7 @@ upgrade_pip_in_{{ project_name }}_venv:
 install_requirements_in_{{ project_name }}_venv:
 cmd.run:
 - name: {{ venv_config.path }}/bin/pip install --upgrade -r {{ venv_config.requirements }}
- - runas: deployer
+ - runas: root
 - env:
 LANG: en_US.UTF-8
 LC_CTYPE: en_US.UTF-8
-- 
GitLab
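Review bot: The three `- runas: root` lines make `python3 -m venv` and both `pip install` runs execute as root, so the build and install hooks of whatever `{{ venv_config.requirements }}` resolves to now run with full privileges instead of under the unprivileged `deployer` account they replace. The venv directory is `root:virtualenv` with mode 2770 and the README hunk says each project user is a member of `virtualenv`, so these states could run as `- runas: {{ project_name }}` with a `- user: {{ project_name }}` requisite, provided `venv_config.path` (set outside the hunk) lies under `deploy.config.venv_directory`. If root is intended, a one-line comment above `create_{{ project_name }}_venv` stating the reason, e.g. `# venv and pip run as root on purpose: <reason>`, would keep the next reader from reverting it.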