From 2b315ec1f6b629ce560f38cac769abbcbb0c4f98 Mon Sep 17 00:00:00 2001
From: Ryan Curran
Date: Mon, 16 Dec 2024 11:07:21 -0500
Subject: [PATCH 1/3] deploy watchman
---
 modules/macos_fsmonitor/manifests/init.pp | 41 +++++++++++++++++++
 .../manifests/profiles/macos_fsmonitor.pp | 9 ++++
 .../roles/gecko_t_osx_1400_r8_staging.pp | 1 +
 3 files changed, 51 insertions(+)
 create mode 100644 modules/macos_fsmonitor/manifests/init.pp
 create mode 100644 modules/roles_profiles/manifests/profiles/macos_fsmonitor.pp
diff --git a/modules/macos_fsmonitor/manifests/init.pp b/modules/macos_fsmonitor/manifests/init.pp
new file mode 100644
index 000000000..9d6f54964
--- /dev/null
+++ b/modules/macos_fsmonitor/manifests/init.pp
@@ -0,0 +1,41 @@
+class macos_fsmonitor (
+ Boolean $enabled = true,
+) {
+ # Install the watchman package from S3
+ packages::macos_package_from_s3 { 'watchman.pkg':
+ private => false,
+ os_version_specific => false,
+ type => 'pkg',
+ require => Exec['prepare_watchman_dir'], # Ensure the directory is created before the package is used.
+ }
+
+ # Step 1: Create the necessary directory
+ exec { 'prepare_watchman_dir':
+ command => 'sudo mkdir -p /usr/local/var/run/watchman',
+ creates => '/usr/local/var/run/watchman', # Ensures this is idempotent.
+ path => ['/usr/bin', '/usr/local/bin'], # Ensure `mkdir` is found in the PATH.
+ }
+
+ # Step 2: Adjust ownership of the directory
+ exec { 'chown_watchman_dir':
+ command => 'sudo chown -R relops:staff /usr/local/var/run/watchman',
+ require => Exec['prepare_watchman_dir'], # Run only after the directory is created.
+ path => ['/usr/bin', '/usr/local/bin'],
+ }
+
+ # Step 3: Codesign the `watchman` binary
+ exec { 'codesign_watchman':
+ command => 'sudo codesign --force --sign - /usr/local/bin/watchman',
+ onlyif => '/bin/test -f /usr/local/bin/watchman', # Specify full path to 'test'.
+ require => Packages::Macos_package_from_s3['watchman.pkg'],
+ path => ['/usr/bin', '/usr/local/bin', '/bin'],
+ }
+
+ # Step 4: Codesign the `watchmanctl` binary
+ exec { 'codesign_watchmanctl':
+ command => 'sudo codesign --force --sign - /usr/local/bin/watchmanctl',
+ onlyif => '/bin/test -f /usr/local/bin/watchmanctl', # Specify full path to 'test'.
+ require => Packages::Macos_package_from_s3['watchman.pkg'],
+ path => ['/usr/bin', '/usr/local/bin', '/bin'],
+ }
+}
diff --git a/modules/roles_profiles/manifests/profiles/macos_fsmonitor.pp b/modules/roles_profiles/manifests/profiles/macos_fsmonitor.pp
new file mode 100644
index 000000000..ff021702b
--- /dev/null
+++ b/modules/roles_profiles/manifests/profiles/macos_fsmonitor.pp
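Review bot: In `modules/macos_fsmonitor/manifests/init.pp`, `prepare_watchman_dir` and `chown_watchman_dir` shell out through `sudo` for what a native `file` resource does, and `chown_watchman_dir` has no `unless`, `onlyif` or `refreshonly`, so the recursive chown reruns on every agent run. All four execs also list `/usr/local/bin` in `path`; if the agent runs them as root and that directory is writable by a non-root account on these workers, commands are better given by absolute path. The two `codesign --force --sign -` execs likewise re-sign on every run and replace whatever signature the package's binaries carried with an ad-hoc one, while the package is fetched with `private => false` and no checksum is visible in this hunk, so confirm that `packages::macos_package_from_s3` verifies what it downloads. A sketch of the directory handling follows.

```puppet
# … unchanged: class header …
packages::macos_package_from_s3 { 'watchman.pkg':
  # … unchanged: private, os_version_specific, type …
  require => File['/usr/local/var/run/watchman'],
}

# Replaces Exec['prepare_watchman_dir'] and Exec['chown_watchman_dir'].
# Unlike `mkdir -p`, this does not create missing parent directories, and
# without `recurse => true` it does not re-own existing contents.
file { '/usr/local/var/run/watchman':
  ensure => directory,
  owner  => 'relops',
  group  => 'staff',
}
# … unchanged: codesign execs …
```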
@@ -0,0 +1,9 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+class roles_profiles::profiles::macos_fsmonitor {
+ class { 'macos_fsmonitor':
+ enabled => true,
+ }
+}
diff --git a/modules/roles_profiles/manifests/roles/gecko_t_osx_1400_r8_staging.pp b/modules/roles_profiles/manifests/roles/gecko_t_osx_1400_r8_staging.pp
index bf7e3c443..432c00ff5 100644
--- a/modules/roles_profiles/manifests/roles/gecko_t_osx_1400_r8_staging.pp
+++ b/modules/roles_profiles/manifests/roles/gecko_t_osx_1400_r8_staging.pp
@@ -7,6 +7,7 @@
 include roles_profiles::profiles::cltbld_user
 include roles_profiles::profiles::macos_bin_signer
 include roles_profiles::profiles::macos_directory_cleaner
+ include roles_profiles::profiles::macos_fsmonitor
 include roles_profiles::profiles::macos_gw_checker
 include roles_profiles::profiles::macos_people_remover
 include roles_profiles::profiles::macos_tcc_perms
From 4bddf7c1673d7cc127e9bd4caefcd7096af05520 Mon Sep 17 00:00:00 2001
From: Ryan Curran
Date: Thu, 19 Dec 2024 09:00:35 -0500
Subject: [PATCH 2/3] enable fsmonitor plugin config
---
 modules/macos_fsmonitor/manifests/init.pp | 25 ++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/modules/macos_fsmonitor/manifests/init.pp b/modules/macos_fsmonitor/manifests/init.pp
index 9d6f54964..e13a35cc1 100644
--- a/modules/macos_fsmonitor/manifests/init.pp
+++ b/modules/macos_fsmonitor/manifests/init.pp
@@ -18,7 +18,7 @@
 
 # Step 2: Adjust ownership of the directory
 exec { 'chown_watchman_dir':
- command => 'sudo chown -R relops:staff /usr/local/var/run/watchman',
+ command => 'sudo chown -R cltbld:staff /usr/local/var/run/watchman',
 require => Exec['prepare_watchman_dir'], # Run only after the directory is created.
 path => ['/usr/bin', '/usr/local/bin'],
 }
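Review bot: In `modules/roles_profiles/manifests/profiles/macos_fsmonitor.pp`, the `enabled => true` passed to the class has no effect: the `macos_fsmonitor` class added in this patch declares `Boolean $enabled = true` but its body never reads it, so every resource is applied regardless of the value. Either gate the class body on it, `if $enabled { ... }`, so the profile can actually switch the deployment off, or drop the parameter and use `include macos_fsmonitor` here.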
@@ -38,4 +38,27 @@
 require => Packages::Macos_package_from_s3['watchman.pkg'],
 path => ['/usr/bin', '/usr/local/bin', '/bin'],
 }
+
+ # Step 5: Append configuration to `.hgrc` for cltbld
+ file_line { 'enable_fsmonitor_plugin':
+ path => '/Users/cltbld/.hgrc',
+ line => '[extensions]\nfsmonitor =',
+ match => '^\[extensions\]',
+ require => Exec['codesign_watchman'], # Ensure this runs after Watchman setup.
+ }
+
+ file_line { 'configure_fsmonitor_mode':
+ path => '/Users/cltbld/.hgrc',
+ line => '[fsmonitor]\nmode = paranoid',
+ match => '^\[fsmonitor\]',
+ require => Exec['codesign_watchman'],
+ }
+
+ # Ensure correct ownership and permissions of .hgrc
+ file { '/Users/cltbld/.hgrc':
+ ensure => file,
+ owner => 'cltbld',
+ group => 'staff',
+ mode => '0644',
+ }
 }
From 394bd51e7c6dcc1a025a3bd7caaa9c5d670d4375 Mon Sep 17 00:00:00 2001
From: Ryan Curran
Date: Thu, 19 Dec 2024 09:10:31 -0500
Subject: [PATCH 3/3] change
---
 modules/macos_fsmonitor/manifests/init.pp | 53 +++++++++++++++--------
 1 file changed, 34 insertions(+), 19 deletions(-)
diff --git a/modules/macos_fsmonitor/manifests/init.pp b/modules/macos_fsmonitor/manifests/init.pp
index e13a35cc1..84dd51d65 100644
--- a/modules/macos_fsmonitor/manifests/init.pp
+++ b/modules/macos_fsmonitor/manifests/init.pp
@@ -39,26 +39,41 @@
 path => ['/usr/bin', '/usr/local/bin', '/bin'],
 }
 
- # Step 5: Append configuration to `.hgrc` for cltbld
- file_line { 'enable_fsmonitor_plugin':
- path => '/Users/cltbld/.hgrc',
- line => '[extensions]\nfsmonitor =',
- match => '^\[extensions\]',
- require => Exec['codesign_watchman'], # Ensure this runs after Watchman setup.
- }
-
- file_line { 'configure_fsmonitor_mode':
- path => '/Users/cltbld/.hgrc',
- line => '[fsmonitor]\nmode = paranoid',
- match => '^\[fsmonitor\]',
+ # Step 5: Manage `.hgrc` file for cltbld
+ file { '/Users/cltbld/.hgrc':
+ ensure => file,
+ owner => 'cltbld',
+ group => 'staff',
+ mode => '0644',
+ content => epp('macos_fsmonitor/hgrc.epp'), # Use a template for consistent content.
 require => Exec['codesign_watchman'],
 }
 
- # Ensure correct ownership and permissions of .hgrc
- file { '/Users/cltbld/.hgrc':
- ensure => file,
- owner => 'cltbld',
- group => 'staff',
- mode => '0644',
- }
+ # Embedded Puppet Template (hgrc.epp)
+ # This template will look like this:
+ #
+ # <%# macos_fsmonitor/hgrc.epp %>
+ # [diff]
+ # git=True
+ # showfunc=True
+ # ignoreblanklines=True
+ #
+ # [ui]
+ # username = Mozilla Release Engineering
+ # traceback = True
+ #
+ # [extensions]
+ # share=
+ # rebase=
+ # mq=
+ # purge=
+ # robustcheckout=/usr/local/lib/hgext/robustcheckout.py
+ # sparse=
+ # fsmonitor =
+ #
+ # [fsmonitor]
+ # mode = paranoid
+ #
+ # [web]
+ # cacerts = /etc/mercurial/cacert.pem
 }
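Review bot: `content => epp('macos_fsmonitor/hgrc.epp')` refers to a template that this series never adds: the diffstat for this patch lists only `init.pp`, and the template body exists only as the comment block below the resource, so catalog compilation will presumably fail unless the file is supplied elsewhere. Move the commented text into `modules/macos_fsmonitor/templates/hgrc.epp` and delete the comment block. Because the resource now owns the whole file, also check that no other profile on these workers declares `File['/Users/cltbld/.hgrc']` or writes settings into it; the `[extensions]` and `[web]` entries in the comment suggest an existing hgrc is being copied, and a second declaration would be a duplicate-resource error.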