From 92740834a2c25f7fe62f5f0803015a73c2c6b69b Mon Sep 17 00:00:00 2001
From: Magnus Andersson
Date: Fri, 19 Jan 2024 09:33:10 +0100
Subject: [PATCH] Create a new user for each rootless runner container
---
 manifests/runner.pp | 57 ++++++++++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 26 deletions(-)
diff --git a/manifests/runner.pp b/manifests/runner.pp
index fc790fb..47161b6 100644
--- a/manifests/runner.pp
+++ b/manifests/runner.pp
@@ -3,13 +3,7 @@ class podmanrunner::runner (
 Integer $replicas = 2,
 ) {
- user { 'podmanuser':
- ensure => present,
- home => '/opt/podmanuser',
- shell => '/usr/sbin/nologin',
- uid => '1001',
- managehome => true,
- }
+ $username='runneruser'
 package { 'podman':
 ensure => installed,
 provider => apt,
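Review bot: The removed `user { 'podmanuser': ... }` resource gets no `ensure => absent` counterpart, so every node that already applied the old manifest keeps that account, its uid 1001, and `/opt/podmanuser` with the previous compose file and `bin/podman-compose` indefinitely; if that is not intended, a transitional `user { 'podmanuser': ensure => absent, managehome => true, }` is the usual way to retire it, and the new accounts start at uid 1002 so the two do not collide in the meantime. `$username='runneruser'` is a bare literal in the class body; lifting it to a parameter next to `$replicas` (`String $username = 'runneruser',`) keeps the two knobs together, and the Puppet style guide puts spaces around `=`. The class body continues outside this hunk.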
@@ -20,26 +14,37 @@ class podmanrunner::runner (
 provider => apt,
 }
- file { '/opt/podmanuser/docker-compose.yaml':
- ensure => file,
- content => template('podmanrunner/docker-compose.yaml.erb'),
- owner => 'podmanuser',
- group => 'podmanuser',
- mode => '0600',
- }
+ range(1,$replicas).each |$x| {
- file { '/opt/podmanuser/bin':
- ensure => directory,
- mode => '0700',
- owner => 'podmanuser',
- group => 'podmanuser',
- }
+ user { "${username}${x}":
+ ensure => present,
+ home => "/opt/${username}${x}",
+ shell => '/usr/sbin/nologin',
+ uid => "${ $x + 1001}",
+ managehome => true,
+ }
- file { '/opt/podmanuser/bin/podman-compose':
- ensure => file,
- mode => '500',
- source => 'puppet:///modules/podmanrunner/podman-compose',
- owner => 'podmanuser',
- group => 'podmanuser',
+ file { "/opt/${username}${x}/docker-compose.yaml":
+ ensure => file,
+ content => template('podmanrunner/docker-compose.yaml.erb'),
+ owner => "${username}${x}",
+ group => "${username}${x}",
+ mode => '0600',
+ }
+
+ file { "/opt/${username}${x}/bin":
+ ensure => directory,
+ mode => '0700',
+ owner => "${username}${x}",
+ group => "${username}${x}",
+ }
+
+ file { "/opt/${username}${x}/bin/podman-compose":
+ ensure => file,
+ mode => '500',
+ source => 'puppet:///modules/podmanrunner/podman-compose',
+ owner => "${username}${x}",
+ group => "${username}${x}",
+ }
 }
 }
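Review bot: `uid => "${ $x + 1001}"` in the new `user` resource wraps an arithmetic expression in string interpolation; `uid => $x + 1001` says the same thing directly, and the resulting fixed range 1002..(1001 + $replicas) has no guard against an existing account already holding one of those UIDs, in which case useradd rejects the duplicate and the run fails on that host — at minimum a comment such as `# UIDs 1002.. are reserved for runner accounts; keep them free of other users` should record the assumption. Rootless podman also relies on each account having subordinate UID/GID ranges; whether useradd allocates them here depends on the host's login.defs, so that is worth confirming rather than assuming from this manifest. The same `template('podmanrunner/docker-compose.yaml.erb')` is rendered once per replica, so unless the template references `$x` (not visible here) every runner receives an identical compose file, including any container names or host ports it defines. `mode => '500'` on the `podman-compose` file is the only three-digit mode in the hunk; `'0500'` matches the `'0700'` and `'0600'` beside it.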