X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fbase_installation%2Fmanifests%2Fusers.pp;h=1ce5da76e3c0997d24d7648ff4e6e7083daef52f;hb=220496056eb730f204f9d21d61d10d41d876c5a1;hp=f893c51e379f78e13e69fa1d0f5b5e01ecdc2e67;hpb=0a21fb6c2c52ca5cc2dfdfc41ca0a51c0d81296c;p=perso%2FImmae%2FProjets%2FPuppet.git diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp index f893c51..1ce5da7 100644 --- a/modules/base_installation/manifests/users.pp +++ b/modules/base_installation/manifests/users.pp @@ -3,7 +3,8 @@ class base_installation::users ( ) inherits base_installation { ensure_packages('ruby-shadow') user { 'root': - password => '!' + password => '!', + purge_ssh_keys => ["/root/.ssh/authorized_keys"], } class { 'sudo': 
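Review bot: With `password => '!'` already set on root, the added `purge_ssh_keys => ["/root/.ssh/authorized_keys"]` makes the `$users` data the only source of root SSH keys, and nothing in this hunk says so. The second hunk keeps the `ssh_authorized_key` loop outside the `!= "root"` guard, so a `root` entry with `keys` is still honoured. If that entry is missing or has no keys, the next run presumably removes every key already in the file. I would add a comment above the attribute, for example `# root keys come only from a "root" entry in $users; unmanaged keys are purged`. The class body continues outside the hunk.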
@@ -14,37 +15,63 @@ class base_installation::users ( sudo::conf { 'wheel': priority => 10, - content => "%wheel ALL=(ALL) ALL" + content => "%wheel ALL=(ALL) ALL", + require => Package["sudo"], } contain "sudo" $users.each |$user| { - user { "${user[username]}:${user[userid]}": - name => $user[username], - uid => $user[userid], - ensure => "present", - groups => $user[groups], - managehome => true, - system => !!$user[system], - home => "/home/${user[username]}", - notify => Exec["remove_password:${user[username]}:${user[userid]}"], - purge_ssh_keys => true - } + if ($user["username"] != "root") { + unless $user["shell"] == undef or empty($user["shell"]) { + ensure_packages([$user["shell"]]) + $shell = "/bin/${user[shell]}" + } else { + $shell = undef + } - exec { "remove_password:${user[username]}:${user[userid]}": - command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}", - onlyif => "/usr/bin/test -z '${user[password]}'", - refreshonly => true + user { "${user[username]}:${user[userid]}": + name => $user[username], + uid => $user[userid], + ensure => "present", + groups => $user[groups], + managehome => true, + system => !!$user[system], + home => "/home/${user[username]}", + shell => $shell, + notify => Exec["remove_password:${user[username]}:${user[userid]}"], + purge_ssh_keys => true + } + + exec { "remove_password:${user[username]}:${user[userid]}": + command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}", + onlyif => "/usr/bin/test -z '${user[password]}'", + refreshonly => true + } } if has_key($user, "keys") { $user[keys].each |$key| { - ssh_authorized_key { "${user[username]}@${key[host]}": - name => "${user[username]}@${key[host]}", - user => $user[username], - type => $key[key_type], - key => $key[key], + if has_key($key, "command") { + ssh_authorized_key { "${user[username]}@${key[host]}": + name => "${user[username]}@${key[host]}", + user => $user[username], + type => 
$key[key_type], + key => $key[key], + options => [ + "command=\"${key[command]}\"", + "no-port-forwarding", + "no-X11-forwarding", + "no-pty", + ], + } + } else { + ssh_authorized_key { "${user[username]}@${key[host]}": + name => "${user[username]}@${key[host]}", + user => $user[username], + type => $key[key_type], + key => $key[key], + } } } }
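Review bot: The forced-command branch sets `no-port-forwarding`, `no-X11-forwarding` and `no-pty` but not `no-agent-forwarding`, so a key meant to run only `${key[command]}` can still use agent forwarding. Add `"no-agent-forwarding",` to the `options` array or, where the deployed sshd supports it, replace the three entries with `"restrict",`, which also covers restrictions added in later releases. `${key[command]}` is placed between escaped double quotes with no check, so a value containing `"` would end the `command=` option early and leave the rest of the line malformed or parsed differently; rejecting such values before the resource is declared would close that gap. The two `ssh_authorized_key` declarations differ only in `options`, so computing `$options` first and declaring the resource once would keep them from drifting apart.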