From 1ac75e95248ccbc0241afe9fee8694333fee06e3 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Tue, 3 Mar 2026 19:06:11 +0000
Subject: [PATCH] Configure rails user directly using chef resources

---
 cookbooks/web/attributes/default.rb |  2 --
 cookbooks/web/metadata.rb           |  1 -
 cookbooks/web/recipes/base.rb       | 14 +++++++++++++-
 roles/db.rb                         |  8 --------
 roles/web.rb                        |  2 +-
 test/data_bags/accounts/rails.json  |  6 ------
 6 files changed, 14 insertions(+), 19 deletions(-)
 delete mode 100644 test/data_bags/accounts/rails.json

diff --git a/cookbooks/web/attributes/default.rb b/cookbooks/web/attributes/default.rb
index 81e7d94df..c2649df1f 100644
--- a/cookbooks/web/attributes/default.rb
+++ b/cookbooks/web/attributes/default.rb
@@ -6,5 +6,3 @@ default[:web][:max_request_area] = 0.25
 default[:web][:max_number_of_nodes] = 50000
 default[:web][:max_number_of_way_nodes] = 2000
 default[:web][:max_number_of_relation_members] = 32000
-
-default[:accounts][:users][:rails][:status] = :role
diff --git a/cookbooks/web/metadata.rb b/cookbooks/web/metadata.rb
index 004e5f320..10435043b 100644
--- a/cookbooks/web/metadata.rb
+++ b/cookbooks/web/metadata.rb
@@ -6,7 +6,6 @@ description       "Installs and configures www.openstreetmap.org servers"
 
 version           "1.0.1"
 supports          "ubuntu"
-depends           "accounts"
 depends           "apache"
 depends           "apt"
 depends           "chef"
diff --git a/cookbooks/web/recipes/base.rb b/cookbooks/web/recipes/base.rb
index 6fe8c7f5d..5939b5b7c 100644
--- a/cookbooks/web/recipes/base.rb
+++ b/cookbooks/web/recipes/base.rb
@@ -17,7 +17,19 @@
 # limitations under the License.
 #
 
-include_recipe "accounts"
+group "rails" do
+  gid 500
+  append true
+end
+
+user "rails" do
+  uid 500
+  gid 500
+  comment "www.openstreetmap.org"
+  home "/srv/www.openstreetmap.org"
+  shell "/usr/sbin/nologin"
+  manage_home true
+end
 
 directory node[:web][:base_directory] do
   group "rails"
diff --git a/roles/db.rb b/roles/db.rb
index 24ae10683..21ffb89b3 100644
--- a/roles/db.rb
+++ b/roles/db.rb
@@ -2,14 +2,6 @@ name "db"
 description "Role applied to all database servers"
 
 default_attributes(
-  :accounts => {
-    :users => {
-      :rails => {
-        :status => :role,
-        :members => [:tomh, :grant]
-      }
-    }
-  },
   :apt => {
     :unattended_upgrades => {
       :enable => false
diff --git a/roles/web.rb b/roles/web.rb
index 594c18f84..a3b15dd0d 100644
--- a/roles/web.rb
+++ b/roles/web.rb
@@ -3,7 +3,7 @@ description "Role applied to all web/api servers"
 
 default_attributes(
   :accounts => {
-    :users => {
+    :groups => {
       :rails => {
         :members => [:tomh, :grant]
       }
diff --git a/test/data_bags/accounts/rails.json b/test/data_bags/accounts/rails.json
deleted file mode 100644
index 564acef02..000000000
--- a/test/data_bags/accounts/rails.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  "id": "rails",
-  "uid": "500",
-  "comment": "Rails",
-  "manage_home": false
-}
-- 
2.39.5