Diffstat (limited to 'manifests/managed.pp')
-rw-r--r-- | manifests/managed.pp | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/manifests/managed.pp b/manifests/managed.pp
new file mode 100644
index 0000000..81ea2de
--- /dev/null
+++ b/manifests/managed.pp
@@ -0,0 +1,189 @@
+# manifests/defines.pp
+
+# sshkey: have to be handed over as the classname
+# containing the ssh_keys
+# password: the password in cleartext or as crypted string
+# which should be set. Default: absent -> no password is set.
+# To create an encrypted password, you can use:
+# /usr/bin/mkpasswd -H md5 --salt=$salt $password , where $salt is 8 bytes long
+# Note: On OpenBSD systems we can only manage crypted passwords.
+# Therefor the password_crypted option doesn't have any effect.
+# You'll find a python script in ${module}/password/openbsd/genpwd.py
+# Which will help you to create such a password
+# password_crypted: if the supplied password is crypted or not.
+# Default: true
+# Note: If you'd like to use unencrypted passwords, you have to set a variable
+# $password_salt to an 8 character long salt, being used for the password.
+# gid: define the gid of the group
+# absent: let the system take a gid
+# uid: take the same as the uid has if it isn't absent (*default*)
+# <value>: take this gid
+# manage_group: Wether we should add a group with the same name as well, this works only
+# if you supply a uid.
+# Default: true
+define user::managed(
+ $ensure = present,
+ $name_comment = 'absent',
+ $uid = 'absent',
+ $gid = 'uid',
+ $groups = [],
+ $manage_group = true,
+ $membership = 'minimum',
+ $homedir = 'absent',
+ $managehome = true,
+ $homedir_mode = '0750',
+ $sshkey = 'absent',
+ $password = 'absent',
+ $password_crypted = true,
+ $shell = 'absent'
+){
+
+ $real_homedir = $homedir ? {
+ 'absent' => "/home/$name",
+ default => $homedir
+ }
+
+ $real_name_comment = $name_comment ? {
+ 'absent' => $name,
+ default => $name_comment,
+ }
+
+ $real_shell = $shell ? {
+ 'absent' => $operatingsystem ? {
+ openbsd => "/usr/local/bin/bash",
+ default => "/bin/bash",
+ },
+ default => $shell,
+ }
+
+ if ($kernel == 'OpenBSD') and (strlength($name) > 31) {
+ fail("Usernames can't be longer than 31 characters. 
${name} is too long!")
+ }
+ if ($kernel == 'Linux') and (strlength($name) > 32) {
+ fail("Usernames can't be longer than 32 characters. ${name} is too long!")
+ }
+
+ user { $name:
+ ensure => $ensure,
+ allowdupe => false,
+ comment => "$real_name_comment",
+ home => $real_homedir,
+ managehome => $managehome,
+ shell => $real_shell,
+ groups => $groups,
+ membership => $membership,
+ }
+
+
+ if $managehome {
+ if $ensure == 'absent' {
+ file{"$real_homedir":
+ ensure => absent,
+ purge => true,
+ force => true,
+ recurese => true,
+ }
+ } else {
+ file{"$real_homedir":
+ ensure => directory,
+ require => User[$name],
+ owner => $name, mode => $homedir_mode;
+ }
+ case $gid {
+ 'absent','uid': {
+ File[$real_homedir]{
+ group => $name,
+ }
+ }
+ default: {
+ File[$real_homedir]{
+ group => $gid,
+ }
+ }
+ }
+ }
+ }
+
+ if $uid != 'absent' {
+ User[$name]{
+ uid => $uid,
+ }
+f $gid != 'absent' {
+ if $gid == 'uid' {
+ if $uid != 'absent' {
+ $real_gid = $uid
+ }
+ } else {
+ $real_gid = $gid
+ }
+ if $real_gid {
+ User[$name]{
+ gid => $real_gid,
+ }
+ }
+ }
+
+ if $name != 'root' {
+ if $uid == 'absent' {
+ if $manage_group and ($ensure == 'absent') {
+ case $operatingsystem {
+ 'OpenBSD': {
+ group{$name:
+ ensure => absent,
+ }
+ }
+ }
+ }
+ } else {
+ if $manage_group {
+ group { $name:
+ allowdupe => false,
+ ensure => $ensure,
+ }
+ if $real_gid {
+ Group[$name]{
+ gid => $real_gid,
+ }
+ }
+ }
+ }
+ }
+ case $ensure {
+ present: {
+ if $sshkey != 'absent' {
+ User[$name]{
+ before => Class[$sshkey],
+ }
+ include $sshkey
+ }
+
+ if $password != 'absent' {
+ case $operatingsystem {
+ openbsd: {
+ exec { "setpass ${name}":
+ unless => "grep -q '^${name}:${password}:' /etc/master.passwd",
+ command => "usermod -p '${password}' ${name}",
+ require => User["${name}"],
+ }
+ }
+ default: {
+ include ruby-libshadow
+ if $password_crypted {
+ $real_password = $password
+ } else {
+ if $password_salt {
+ $real_password = mkpasswd($password,$password_salt)
+ } else 
{
+ fail("To use unencrypted passwords you have to define a variable \$password_salt to an 8 character salt for passwords!")
+ }
+ }
+ User[$name]{
+ password => $real_password,
+ require => Package['ruby-libshadow'],
+ }
+ }
+ }
+ }
+ }
+ }
+} |
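Review bot: The OpenBSD `exec { "setpass ${name}": ... }` near the end of the hunk places the crypted password on a shell command line in both `command` and `unless`, so the hash is exposed in process listings and in agent logs/reports on every run, and because neither `usermod` nor `grep` is fully qualified and no `path` is given, Puppet will refuse to execute the resource at all; at minimum add `path => ['/usr/sbin', '/usr/bin', '/bin'],` and use fixed-string matching so characters in a crypt hash (`.`, `$`, `/`) are not treated as regex metacharacters, e.g. `unless => "grep -qF '${name}:${password}:' /etc/master.passwd",`. In the `ensure => absent` branch of `file{"$real_homedir": ...}`, `recurese => true,` is a misspelling of the `recurse` parameter, which Puppet rejects as an invalid parameter, so removing a user with `managehome => true` fails to compile; it should read `recurse => true,`. As rendered here, the `if $uid != 'absent' { User[$name]{ uid => $uid, }` block is never closed before `f $gid != 'absent' {`, which is probably a display artifact of this page (a lost `}` and `i`), but it is worth confirming against the committed file since the text shown would not parse. The unencrypted-password path reads `$password_salt` from dynamic scope and the header comment requires it to be exactly 8 characters, yet only its truthiness is checked; a `strlength` guard with a `fail(...)` would catch a mis-set salt at compile time instead of producing an unusable hash.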