[perso/Immae/Projets/Puppet.git] / modules / base_installation / manifests / users.pp

class base_installation::users (
  $users = $base_installation::system_users,
) inherits base_installation {
  ensure_packages('ruby-shadow')
  user { 'root':
    password       => '!',
    purge_ssh_keys => ["/root/.ssh/authorized_keys"],
  }

  class { 'sudo':
    config_file_replace => false,
    # Missing in the sudo package, should no be mandatory
    package_ldap        => false
  }

  sudo::conf { 'wheel':
    priority => 10,
    content  => "%wheel ALL=(ALL) ALL",
    require  => Package["sudo"],
  }

  contain "sudo"

  $users.each |$user| {
    if ($user["username"] != "root") {
      unless $user["shell"] == undef or empty($user["shell"]) {
        ensure_packages([$user["shell"]])
        $shell = "/bin/${user[shell]}"
      } else {
        $shell = undef
      }

      user { "${user[username]}:${user[userid]}":
        name           => $user[username],
        uid            => $user[userid],
        ensure         => "present",
        groups         => $user[groups],
        managehome     => true,
        system         => !!$user[system],
        home           => "/home/${user[username]}",
        shell          => $shell,
        notify         => Exec["remove_password:${user[username]}:${user[userid]}"],
        purge_ssh_keys => true
      }

      exec { "remove_password:${user[username]}:${user[userid]}":
        command     => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}",
        onlyif      => "/usr/bin/test -z '${user[password]}'",
        refreshonly => true
      }
    }

    if has_key($user, "keys") {
      $user[keys].each |$key| {
        if has_key($key, "command") {
          ssh_authorized_key { "${user[username]}@${key[host]}":
            name    => "${user[username]}@${key[host]}",
            user    => $user[username],
            type    => $key[key_type],
            key     => $key[key],
            options => [
              "command=\"${key[command]}\"",
              "no-port-forwarding",
              "no-X11-forwarding",
              "no-pty",
            ],
          }
        } else {
          ssh_authorized_key { "${user[username]}@${key[host]}":
            name => "${user[username]}@${key[host]}",
            user => $user[username],
            type => $key[key_type],
            key  => $key[key],
          }
        }
      }
    }
  }

}
Commit	Line	Data
7fed35a4 IB	1	class base_installation::users (
	2	$users = $base_installation::system_users,
	3	) inherits base_installation {
	4	ensure_packages('ruby-shadow')
	5	user { 'root':
b193066f IB	6	password => '!',
b193066f IB	7	purge_ssh_keys => ["/root/.ssh/authorized_keys"],
7fed35a4 IB	8	}
	9
	10	class { 'sudo':
	11	config_file_replace => false,
	12	# Missing in the sudo package, should no be mandatory
	13	package_ldap => false
	14	}
	15
	16	sudo::conf { 'wheel':
	17	priority => 10,
22049605 IB	18	content => "%wheel ALL=(ALL) ALL",
22049605 IB	19	require => Package["sudo"],
7fed35a4 IB	20	}
	21
	22	contain "sudo"
	23
	24	$users.each \|$user\| {
d13887c5	25	if ($user["username"] != "root") {
851ca3c6 IB	26	unless $user["shell"] == undef or empty($user["shell"]) {
	27	ensure_packages([$user["shell"]])
	28	$shell = "/bin/${user[shell]}"
	29	} else {
	30	$shell = undef
	31	}
	32
d13887c5 IB	33	user { "${user[username]}:${user[userid]}":
	34	name => $user[username],
	35	uid => $user[userid],
	36	ensure => "present",
	37	groups => $user[groups],
	38	managehome => true,
	39	system => !!$user[system],
	40	home => "/home/${user[username]}",
851ca3c6	41	shell => $shell,
d13887c5 IB	42	notify => Exec["remove_password:${user[username]}:${user[userid]}"],
	43	purge_ssh_keys => true
	44	}
7fed35a4	45
d13887c5 IB	46	exec { "remove_password:${user[username]}:${user[userid]}":
	47	command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}",
	48	onlyif => "/usr/bin/test -z '${user[password]}'",
	49	refreshonly => true
	50	}
7fed35a4 IB	51	}
7fed35a4 IB	52
0a21fb6c IB	53	if has_key($user, "keys") {
0a21fb6c IB	54	$user[keys].each \|$key\| {
d13887c5 IB	55	if has_key($key, "command") {
	56	ssh_authorized_key { "${user[username]}@${key[host]}":
	57	name => "${user[username]}@${key[host]}",
	58	user => $user[username],
	59	type => $key[key_type],
	60	key => $key[key],
b193066f	61	options => [
d13887c5	62	"command=\"${key[command]}\"",
b193066f IB	63	"no-port-forwarding",
	64	"no-X11-forwarding",
	65	"no-pty",
	66	],
d13887c5 IB	67	}
	68	} else {
	69	ssh_authorized_key { "${user[username]}@${key[host]}":
	70	name => "${user[username]}@${key[host]}",
	71	user => $user[username],
	72	type => $key[key_type],
	73	key => $key[key],
b193066f IB	74	}
b193066f IB	75	}
7fed35a4 IB	76	}
	77	}
	78	}
	79
	80	}