From 2c05cde222d5321ed12646e92070a6a90a76544c Mon Sep 17 00:00:00 2001
From: Deimos
Date: Mon, 20 May 2019 19:58:23 -0600
Subject: [PATCH] Run gunicorn under app user/group

Previously this was creating a separate gunicorn user/group, but there's really no need for that, and it makes some of the permissions trickier.
---
 salt/salt/gunicorn/gunicorn.conf | 1 -
 salt/salt/gunicorn/gunicorn.conf.jinja2 | 2 ++
 salt/salt/gunicorn/gunicorn.service.jinja2 | 6 +++---
 .../{gunicorn.socket => gunicorn.socket.jinja2} | 5 +++--
 salt/salt/gunicorn/init.sls | 16 +++++----------
 5 files changed, 13 insertions(+), 17 deletions(-)
 delete mode 100644 salt/salt/gunicorn/gunicorn.conf
 create mode 100644 salt/salt/gunicorn/gunicorn.conf.jinja2
 rename salt/salt/gunicorn/{gunicorn.socket => gunicorn.socket.jinja2} (55%)

diff --git a/salt/salt/gunicorn/gunicorn.conf b/salt/salt/gunicorn/gunicorn.conf
deleted file mode 100644
index 1b0a1a7..0000000
--- a/salt/salt/gunicorn/gunicorn.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /run/gunicorn 0755 gunicorn gunicorn -
diff --git a/salt/salt/gunicorn/gunicorn.conf.jinja2 b/salt/salt/gunicorn/gunicorn.conf.jinja2
new file mode 100644
index 0000000..7554bc1
--- /dev/null
+++ b/salt/salt/gunicorn/gunicorn.conf.jinja2
@@ -0,0 +1,2 @@
+{% from 'common.jinja2' import app_username %}
+d /run/gunicorn 0755 {{ app_username }} {{ app_username }} -
diff --git a/salt/salt/gunicorn/gunicorn.service.jinja2 b/salt/salt/gunicorn/gunicorn.service.jinja2
index 3747d60..b5ee0d6 100644
--- a/salt/salt/gunicorn/gunicorn.service.jinja2
+++ b/salt/salt/gunicorn/gunicorn.service.jinja2
@@ -1,4 +1,4 @@
-{% from 'common.jinja2' import app_dir, bin_dir -%}
+{% from 'common.jinja2' import app_dir, app_username, bin_dir -%}
 [Unit]
 Description=gunicorn daemon
 Requires=gunicorn.socket
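Review bot: In the new gunicorn.conf.jinja2 the import tag closes with `%}` rather than `-%}`, so the rendered /usr/lib/tmpfiles.d/gunicorn.conf starts with a blank line, whereas the service and socket templates in this same patch strip it with `-%}`. tmpfiles.d tolerates the empty line, so this is a consistency point only: `{% from 'common.jinja2' import app_username -%}`. Note also that this tmpfiles entry and `RuntimeDirectory=gunicorn` in the service unit both create /run/gunicorn for the same User/Group, so after this change the ownership of that directory is declared in two places that must stay in sync.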
@@ -6,8 +6,8 @@ After=network.target
 
 [Service]
 PIDFile=/run/gunicorn/pid
-User=gunicorn
-Group=gunicorn
+User={{ app_username }}
+Group={{ app_username }}
 RuntimeDirectory=gunicorn
 WorkingDirectory={{ app_dir }}
 ExecStart={{ bin_dir }}/gunicorn --paste {{ pillar['ini_file'] }} --config {{ app_dir }}/gunicorn_config.py
diff --git a/salt/salt/gunicorn/gunicorn.socket b/salt/salt/gunicorn/gunicorn.socket.jinja2
similarity index 55%
rename from salt/salt/gunicorn/gunicorn.socket
rename to salt/salt/gunicorn/gunicorn.socket.jinja2
index f1cee38..a81da97 100644
--- a/salt/salt/gunicorn/gunicorn.socket
+++ b/salt/salt/gunicorn/gunicorn.socket.jinja2
@@ -1,11 +1,12 @@
+{% from 'common.jinja2' import app_username -%}
 [Unit]
 Description=gunicorn socket
 PartOf=gunicorn.service
 
 [Socket]
 ListenStream=/run/gunicorn/socket
-SocketUser=gunicorn
-SocketGroup=gunicorn
+SocketUser={{ app_username }}
+SocketGroup={{ app_username }}
 
 [Install]
 WantedBy=sockets.target
diff --git a/salt/salt/gunicorn/init.sls b/salt/salt/gunicorn/init.sls
index f24ea3d..dde8ec0 100644
--- a/salt/salt/gunicorn/init.sls
+++ b/salt/salt/gunicorn/init.sls
@@ -1,10 +1,4 @@
-gunicorn:
-  group.present:
-    - name: gunicorn
-  user.present:
-    - name: gunicorn
-    - groups: [gunicorn]
-    - createhome: False
+{% from 'common.jinja2' import app_username %}
 
 /etc/systemd/system/gunicorn.service:
   file.managed:
@@ -18,7 +12,8 @@ gunicorn:
 
 /etc/systemd/system/gunicorn.socket:
   file.managed:
-    - source: salt://gunicorn/gunicorn.socket
+    - source: salt://gunicorn/gunicorn.socket.jinja2
+    - template: jinja
     - user: root
     - group: root
     - mode: 644
@@ -27,7 +22,8 @@ gunicorn:
 
 /usr/lib/tmpfiles.d/gunicorn.conf:
   file.managed:
-    - source: salt://gunicorn/gunicorn.conf
+    - source: salt://gunicorn/gunicorn.conf.jinja2
+    - template: jinja
     - user: root
     - group: root
     - mode: 644
@@ -37,5 +33,3 @@ gunicorn:
 gunicorn.socket:
   service.running:
     - enable: True
-    - require:
-      - user: gunicorn
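Review bot: Switching `User=`/`Group=` to `{{ app_username }}` removes the separation between the account that owns the deployed code and the account the network-facing workers run as; with `WorkingDirectory={{ app_dir }}` in the same hunk, a compromised worker could now modify its own code and `gunicorn_config.py` if {{ app_dir }} is writable by that user (the ownership of app_dir is not visible in this patch). If the dedicated user is dropped to simplify permissions, the read-only property can be restored in the unit instead, for example `ProtectSystem=strict` with `ReadWritePaths=` listing only the paths gunicorn must write, or by keeping app_dir owned by a different account with the app user holding read access only. The rest of the [Service] section and any [Install] section lie outside the hunk.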
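Review bot: Dropping `- require: - user: gunicorn` from the last hunk leaves gunicorn.socket's `service.running` with no ordering dependency on whatever state creates {{ app_username }}; if that user is managed in another SLS, a fresh minion can apply this state first and the socket unit fails on an unknown SocketUser. Add a require on that state, or an include of the SLS that defines it, e.g. `- require:` / `- user: {{ app_username }}` when the state id is the username. The `app_username` import added in this file's first hunk is not referenced in any visible hunk; if it exists only for such a require it belongs here, otherwise it appears unused, though lines 5-11 and 20-32 of the new file are not shown.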