From 6fd95f398091209d4e89d00d272f6f5fda91db89 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Mon, 2 Mar 2026 18:08:22 +0000
Subject: [PATCH] Configure tile user directly using chef resources

---
 cookbooks/tile/attributes/default.rb |  2 --
 cookbooks/tile/metadata.rb           |  1 -
 cookbooks/tile/recipes/default.rb    | 15 ++++++++++++++-
 roles/tile.rb                        |  6 ++++--
 test/data_bags/accounts/tile.json    |  6 ------
 5 files changed, 18 insertions(+), 12 deletions(-)
 delete mode 100644 test/data_bags/accounts/tile.json

diff --git a/cookbooks/tile/attributes/default.rb b/cookbooks/tile/attributes/default.rb
index b9a5570e4..b35d5cedb 100644
--- a/cookbooks/tile/attributes/default.rb
+++ b/cookbooks/tile/attributes/default.rb
@@ -17,8 +17,6 @@ default[:tile][:styles] = {}
 default[:postgresql][:versions] |= [node[:tile][:database][:cluster].split("/").first]
 default[:postgresql][:monitor_database] = "gis"
 
-default[:accounts][:users][:tile][:status] = :role
-
 default[:apache][:event][:server_limit] = node.cpu_cores * 5 / 4
 default[:apache][:event][:max_request_workers] = node.cpu_cores * node[:apache][:event][:threads_per_child]
 default[:apache][:event][:max_spare_threads] = node.cpu_cores * node[:apache][:event][:threads_per_child]
diff --git a/cookbooks/tile/metadata.rb b/cookbooks/tile/metadata.rb
index eaf2843fd..bb5dcfbde 100644
--- a/cookbooks/tile/metadata.rb
+++ b/cookbooks/tile/metadata.rb
@@ -6,7 +6,6 @@ description       "Installs and configures tile servers"
 
 version           "1.0.0"
 supports          "ubuntu"
-depends           "accounts"
 depends           "apache"
 depends           "git"
 depends           "nodejs"
diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index f697bc5f4..8310cdbe6 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -17,7 +17,6 @@
 # limitations under the License.
 #
 
-include_recipe "accounts"
 include_recipe "apache"
 include_recipe "git"
 include_recipe "nodejs"
@@ -31,6 +30,20 @@ blocks = data_bag_item("tile", "blocks")
 admins = data_bag_item("apache", "admins")
 web_passwords = data_bag_item("web", "passwords")
 
+group "tile" do
+  gid 515
+  append true
+end
+
+user "tile" do
+  uid 515
+  gid 515
+  comment "tile.openstreetmap.org"
+  home "/srv/tile.openstreetmap.org"
+  shell "/usr/sbin/nologin"
+  manage_home false
+end
+
 apache_module "alias"
 apache_module "cgi"
 apache_module "expires"
diff --git a/roles/tile.rb b/roles/tile.rb
index 550c99f66..e08e4ec85 100644
--- a/roles/tile.rb
+++ b/roles/tile.rb
@@ -4,9 +4,11 @@ description "Role applied to all tile servers"
 default_attributes(
   :accounts => {
     :users => {
-      :pnorman => { :status => :administrator },
+      :pnorman => { :status => :administrator }
+    },
+    :groups => {
       :tile => {
-        :members => [:jburgess, :tomh, :pnorman]
+        :members => [:tomh, :grant, :pnorman]
       }
     }
   },
diff --git a/test/data_bags/accounts/tile.json b/test/data_bags/accounts/tile.json
deleted file mode 100644
index 435cb15f9..000000000
--- a/test/data_bags/accounts/tile.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  "id": "tile",
-  "uid": "515",
-  "comment": "tile.openstreetmap.org",
-  "home": "/srv/tile.openstreetmap.org"
-}
-- 
2.39.5