From 63b47b5ed5dd11c306d0fc1035f39b463d7000ed Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 2 Mar 2026 18:30:14 +0000
Subject: [PATCH] Configure nominatim user directly using chef resources
---
 cookbooks/nominatim/attributes/default.rb | 2 --
 cookbooks/nominatim/metadata.rb | 1 -
 cookbooks/nominatim/recipes/default.rb | 17 +++++++++++++++--
 roles/nominatim.rb | 5 +++--
 test/data_bags/accounts/nominatim.json | 6 ------
 5 files changed, 18 insertions(+), 13 deletions(-)
 delete mode 100644 test/data_bags/accounts/nominatim.json
diff --git a/cookbooks/nominatim/attributes/default.rb b/cookbooks/nominatim/attributes/default.rb
index 5c895864d..de2a0ab52 100644
--- a/cookbooks/nominatim/attributes/default.rb
+++ b/cookbooks/nominatim/attributes/default.rb
@@ -21,5 +21,3 @@ default[:nominatim][:config] = {
 default[:postgresql][:versions] |= [node[:nominatim][:dbcluster].split("/").first]
 default[:postgresql][:monitor_database] = "nominatim"
-
-default[:accounts][:users][:nominatim][:status] = :role
diff --git a/cookbooks/nominatim/metadata.rb b/cookbooks/nominatim/metadata.rb
index ade7ed0b2..09c8ea3c2 100644
--- a/cookbooks/nominatim/metadata.rb
+++ b/cookbooks/nominatim/metadata.rb
@@ -6,7 +6,6 @@ description "Installs and configures nominatim servers"
 version "1.0.0"
 supports "ubuntu"
-depends "accounts"
 depends "fail2ban"
 depends "git"
 depends "nginx"
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index ba1a230cd..1d01d5a9a 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -17,7 +17,6 @@
 # limitations under the License.
 #
-include_recipe "accounts"
 include_recipe "prometheus"
 include_recipe "postgresql"
 include_recipe "python"
@@ -25,13 +24,27 @@ include_recipe "nginx"
 include_recipe "git"
 include_recipe "fail2ban"
-basedir = data_bag_item("accounts", "nominatim")["home"]
+basedir = "/srv/nominatim.openstreetmap.org"
 project_directory = "#{basedir}/planet-project"
 bin_directory = "#{basedir}/bin"
 cfg_directory = "#{basedir}/etc"
 ui_directory = "#{basedir}/ui"
 qa_data_directory = "#{basedir}/qa-data"
+group "nominatim" do
+ gid 518
+ append true
+end
+
+user "nominatim" do
+ uid 518
+ gid 518
+ comment "nominatim.openstreetmap.org"
+ home basedir
+ shell "/usr/sbin/nologin"
+ manage_home false
+end
+
 directory basedir do
 owner "nominatim"
 group "nominatim"
diff --git a/roles/nominatim.rb b/roles/nominatim.rb
index fca0d8ee0..20f5af62d 100644
--- a/roles/nominatim.rb
+++ b/roles/nominatim.rb
@@ -4,9 +4,10 @@ description "Role applied to all nominatim servers."
 default_attributes(
 :accounts => {
 :users => {
- :lonvia => { :status => :administrator },
+ :lonvia => { :status => :administrator }
+ },
+ :groups => {
 :nominatim => {
- :status => :role,
 :members => [:lonvia, :tomh]
 }
 }
diff --git a/test/data_bags/accounts/nominatim.json b/test/data_bags/accounts/nominatim.json
deleted file mode 100644
index 675eb7776..000000000
--- a/test/data_bags/accounts/nominatim.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "id": "nominatim",
- "uid": "518",
- "comment": "nominatim.openstreetmap.org",
- "home": "/srv/nominatim.openstreetmap.org"
-}
-- 
2.39.5
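Review bot: The added `group "nominatim"` resource sets `append true` and lists no `members`, so this recipe will never remove anyone from the group, and nothing in the hunk says where membership is decided. A comment above the resource would make that explicit, for example `# members are set from node[:accounts][:groups][:nominatim] (roles/nominatim.rb); append true stops this resource from emptying the group`, assuming the accounts cookbook is what applies that attribute. The id 518 is also written three times; `gid "nominatim"` in the `user` block would tie the account to the group resource instead of repeating the number. The `directory basedir` block continues past the end of the hunk.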
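Review bot: The new `:groups => { :nominatim => { :members => [:lonvia, :tomh] } }` entry only takes effect if the accounts recipe still runs on these nodes, and this same commit drops `depends "accounts"` and `include_recipe "accounts"` from the nominatim cookbook. The role's run_list and the rest of `default_attributes(` are outside the hunk, so presumably accounts is pulled in elsewhere; a comment such as `# consumed by the accounts recipe, which this role gets from outside the nominatim cookbook` next to `:groups` would make that dependency visible. It is worth confirming on a converged node that the group ends up with exactly these two members, since membership now controls who shares access to files owned by the `nominatim` group.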