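# Manages local accounts, sudo access and SSH authorized keys.
#
# @param users
#   List of user hashes (defaults to $base_installation::system_users).
#   Keys read here: username, userid, groups, system, shell, password and
#   keys; each entry of keys provides host, key_type, key and optionally
#   command.
class base_installation::users (
  $users = $base_installation::system_users,
) inherits base_installation {
  # Puppet's user provider needs the Ruby shadow bindings to manage the
  # password attribute set on root below.
  ensure_packages('ruby-shadow')

  # '!' is not a valid password hash, so root cannot authenticate with a
  # password. Keys in root's authorized_keys that are not declared as
  # ssh_authorized_key resources are purged.
  user { 'root':
    password       => '!',
    purge_ssh_keys => ['/root/.ssh/authorized_keys'],
  }

  class { 'sudo':
    config_file_replace => false,
    # Missing in the sudo package, should not be mandatory
    package_ldap        => false,
  }

  # Members of wheel may run any command as any user; sudo still asks for
  # the caller's own password (no NOPASSWD tag).
  sudo::conf { 'wheel':
    priority => 10,
    content  => '%wheel ALL=(ALL) ALL',
  }

  contain 'sudo'

  $users.each |$user| {
    if ($user['username'] != 'root') {
      # The shell name doubles as the package name and as the binary under /bin.
      unless $user['shell'] == undef or empty($user['shell']) {
        ensure_packages([$user['shell']])
        $shell = "/bin/${user['shell']}"
      } else {
        $shell = undef
      }

      # Whether the password must be reset is decided at catalog compile
      # time. The previous form interpolated the password value into an
      # `onlyif` shell test, which put it on a command line (visible in the
      # process list and in exec logging) and relied on it containing no
      # single quote. An unset or empty value interpolates to '', which is
      # the same condition `test -z` checked.
      if "${user['password']}" == '' {
        $password_reset = Exec["remove_password:${user['username']}:${user['userid']}"]
      } else {
        $password_reset = undef
      }

      user { "${user['username']}:${user['userid']}":
        ensure         => 'present',
        name           => $user['username'],
        uid            => $user['userid'],
        groups         => $user['groups'],
        managehome     => true,
        system         => !!$user['system'],
        home           => "/home/${user['username']}",
        shell          => $shell,
        notify         => $password_reset,
        purge_ssh_keys => true,
      }

      # Runs only when refreshed, and the user resource above refreshes it
      # only for accounts with no password in the data.
      # passwd -d leaves the account with an empty password until the change
      # forced by chage -d 0 is made at the next login.
      # NOTE(review): confirm sshd and PAM on these hosts reject empty
      # passwords, otherwise the account is open until that first login.
      # NOTE(review): the username is interpolated unquoted and '&&' needs a
      # shell; no provider is set here, so confirm how the command string is
      # executed and keep usernames constrained where the data is defined.
      exec { "remove_password:${user['username']}:${user['userid']}":
        command     => "/usr/bin/chage -d 0 ${user['username']} && /usr/bin/passwd -d ${user['username']}",
        refreshonly => true,
      }
    }

    # Keys are managed for every listed user, root included.
    if has_key($user, 'keys') {
      $user['keys'].each |$key| {
        if has_key($key, 'command') {
          # A key with a forced command may only run that command, without
          # port forwarding, X11 forwarding or a pty.
          # NOTE(review): agent forwarding is not disabled; consider adding
          # 'no-agent-forwarding' if these keys never need it. A double quote
          # inside the command value would also break the option's quoting.
          $key_options = [
            "command=\"${key['command']}\"",
            'no-port-forwarding',
            'no-X11-forwarding',
            'no-pty',
          ]
        } else {
          # Unrestricted key: no options are set.
          $key_options = undef
        }

        ssh_authorized_key { "${user['username']}@${key['host']}":
          name    => "${user['username']}@${key['host']}",
          user    => $user['username'],
          type    => $key['key_type'],
          key     => $key['key'],
          options => $key_options,
        }
      }
    }
  }

}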