puppet: Use a dedicated user for redis tunneling.

puppet/zulip_ops/manifests/app_frontend.pp

@@ -6,16 +6,25 @@ class zulip_ops::app_frontend {
   include zulip::static_asset_compiler
   include zulip::hooks::sentry
   include zulip_ops::app_frontend_monitoring
-  $app_packages = [# Needed for the ssh tunnel to the redis server
-    'autossh',
-  ]
-  package { $app_packages: ensure => installed }
-  $redis_hostname = zulipconf('redis', 'hostname', undef)
 
   zulip_ops::firewall_allow{ 'smtp': }
   zulip_ops::firewall_allow{ 'http': }
   zulip_ops::firewall_allow{ 'https': }
 
+  user { 'redistunnel':
+    ensure     => present,
+    uid        => '1080',
+    gid        => '1080',
+    groups     => ['zulip'],
+    shell      => '/bin/true',
+    home       => '/home/redistunnel',
+    managehome => true,
+  }
+  zulip_ops::user_dotfiles { 'redistunnel':
+    keys => true,
+  }
+  package { 'autossh': ensure => installed }
+  $redis_hostname = zulipconf('redis', 'hostname', undef)
   file { "${zulip::common::supervisor_conf_dir}/redis_tunnel.conf":
     ensure  => file,
     require => Package['supervisor', 'autossh'],

puppet/zulip_ops/manifests/profile/redis.pp

@@ -10,4 +10,17 @@ class zulip_ops::profile::redis inherits zulip_ops::profile::base {
     group   => 'nagios',
     content => "${zulip::profile::redis::redis_password}\n",
   }
+
+  user { 'redistunnel':
+    ensure     => present,
+    uid        => '1080',
+    gid        => '1080',
+    groups     => ['zulip'],
+    shell      => '/bin/true',
+    home       => '/home/redistunnel',
+    managehome => true,
+  }
+  zulip_ops::user_dotfiles { 'redistunnel':
+    authorized_keys => true,
+  }
 }

puppet/zulip_ops/templates/supervisor/conf.d/redis_tunnel.conf.template.erb

@@ -1,7 +1,7 @@
 [program:redis-tunnel]
 command=autossh -M 0 -N -L 127.0.0.1:6379:127.0.0.1:6379 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 <%= @redis_hostname %>
 priority=50
-user=zulip
+user=redistunnel
 autostart=true
 autorestart=true
 redirect_stderr=true