From 9b273de5ea4cc39964366242758a652f7252e497 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 25 May 2009 21:33:36 +0200
Subject: factored everything in it's own file

---
 manifests/defines.pp | 222 -------------------------------------------------
 manifests/managed.pp | 189 +++++++++++++++++++++++++++++++++++++++++
 manifests/sftp_only.pp | 29 +++++++
 3 files changed, 218 insertions(+), 222 deletions(-)
 delete mode 100644 manifests/defines.pp
 create mode 100644 manifests/managed.pp
 create mode 100644 manifests/sftp_only.pp

diff --git a/manifests/defines.pp b/manifests/defines.pp
deleted file mode 100644
index e1378dd..0000000
--- a/manifests/defines.pp
+++ /dev/null
@@ -1,222 +0,0 @@
-# manifests/defines.pp
-
-# sshkey: have to be handed over as the classname
-# containing the ssh_keys
-# password: the password in cleartext or as crypted string
-# which should be set. Default: absent -> no password is set.
-# To create an encrypted password, you can use:
-# /usr/bin/mkpasswd -H md5 --salt=$salt $password , where $salt is 8 bytes long
-# Note: On OpenBSD systems we can only manage crypted passwords.
-# Therefor the password_crypted option doesn't have any effect.
-# You'll find a python script in ${module}/password/openbsd/genpwd.py
-# Which will help you to create such a password
-# password_crypted: if the supplied password is crypted or not.
-# Default: true
-# Note: If you'd like to use unencrypted passwords, you have to set a variable
-# $password_salt to an 8 character long salt, being used for the password.
-# gid: define the gid of the group
-# absent: let the system take a gid
-# uid: take the same as the uid has if it isn't absent (*default*)
-# : take this gid
-# manage_group: Wether we should add a group with the same name as well, this works only
-# if you supply a uid.
-# Default: true
-define user::managed(
- $ensure = present,
- $name_comment = 'absent',
- $uid = 'absent',
- $gid = 'uid',
- $groups = [],
- $manage_group = true,
- $membership = 'minimum',
- $homedir = 'absent',
- $managehome = true,
- $homedir_mode = '0750',
- $sshkey = 'absent',
- $password = 'absent',
- $password_crypted = true,
- $shell = 'absent'
-){
-
- $real_homedir = $homedir ? {
- 'absent' => "/home/$name",
- default => $homedir
- }
-
- $real_name_comment = $name_comment ? {
- 'absent' => $name,
- default => $name_comment,
- }
-
- $real_shell = $shell ? {
- 'absent' => $operatingsystem ? {
- openbsd => "/usr/local/bin/bash",
- default => "/bin/bash",
- },
- default => $shell,
- }
-
- if ($kernel == 'OpenBSD') and (strlength($name) > 31) {
- fail("Usernames can't be longer than 31 characters. ${name} is too long!")
- }
- if ($kernel == 'Linux') and (strlength($name) > 32) {
- fail("Usernames can't be longer than 32 characters. ${name} is too long!")
- }
-
- user { $name:
- ensure => $ensure,
- allowdupe => false,
- comment => "$real_name_comment",
- home => $real_homedir,
- managehome => $managehome,
- shell => $real_shell,
- groups => $groups,
- membership => $membership,
- }
-
-
- if $managehome {
- if $ensure == 'absent' {
- file{"$real_homedir":
- ensure => absent,
- purge => true,
- force => true,
- recurese => true,
- }
- } else {
- file{"$real_homedir":
- ensure => directory,
- require => User[$name],
- owner => $name, mode => $homedir_mode;
- }
- case $gid {
- 'absent','uid': {
- File[$real_homedir]{
- group => $name,
- }
- }
- default: {
- File[$real_homedir]{
- group => $gid,
- }
- }
- }
- }
- }
-
- if $uid != 'absent' {
- User[$name]{
- uid => $uid,
- }
- }
-
- if $gid != 'absent' {
- if $gid == 'uid' {
- if $uid != 'absent' {
- $real_gid = $uid
- }
- } else {
- $real_gid = $gid
- }
- if $real_gid {
- User[$name]{
- gid => $real_gid,
- }
- }
- }
-
- if $name != 'root' {
- if $uid == 'absent' {
- if $manage_group and ($ensure == 'absent') {
- case $operatingsystem {
- 'OpenBSD': {
- group{$name:
- ensure => absent,
- }
- }
- }
- }
- } else {
- if $manage_group {
- group { $name:
- allowdupe => false,
- ensure => $ensure,
- }
- if $real_gid {
- Group[$name]{
- gid => $real_gid,
- }
- }
- }
- }
- }
-
- case $ensure {
- present: {
- if $sshkey != 'absent' {
- User[$name]{
- before => Class[$sshkey],
- }
- include $sshkey
- }
-
- if $password != 'absent' {
- case $operatingsystem {
- openbsd: {
- exec { "setpass ${name}":
- unless => "grep -q '^${name}:${password}:' /etc/master.passwd",
- command => "usermod -p '${password}' ${name}",
- require => User["${name}"],
- }
- }
- default: {
- include ruby-libshadow
- if $password_crypted {
- $real_password = $password
- } else {
- if $password_salt {
- $real_password = mkpasswd($password,$password_salt)
- } else {
- fail("To use unencrypted passwords you have to define a variable \$password_salt to an 8 character salt for passwords!")
- }
- }
- User[$name]{
- password => $real_password,
- require => Package['ruby-libshadow'],
- }
- }
- }
- }
- }
- }
-}
-
-# gid: by default it will take the same as the uid
-define user::sftp_only(
- $ensure = present,
- $managehome = false,
- $uid = 'absent',
- $gid = 'uid',
- $homedir_mode = '0750',
- $password = 'absent',
- $password_crypted = true
-) {
- include user::groups::sftponly
- user::managed{"${name}":
- ensure => $ensure,
- uid => $uid,
- gid => $gid,
- name_comment => "SFTP-only_user_${name}",
- groups => [ 'sftponly' ],
- managehome => $managehome,
- homedir_mode => $homedir_mode,
- shell => $operatingsystem ? {
- debian => '/usr/sbin/nologin',
- ubuntu => '/usr/sbin/nologin',
- default => '/sbin/nologin'
- },
- password => $password,
- password_crypted => $password_crypted,
- require => Group['sftponly'],
- }
-}
diff --git a/manifests/managed.pp b/manifests/managed.pp
new file mode 100644
index 0000000..81ea2de
--- /dev/null
+++ b/manifests/managed.pp
@@ -0,0 +1,189 @@
+# manifests/defines.pp
+
+# sshkey: have to be handed over as the classname
+# containing the ssh_keys
+# password: the password in cleartext or as crypted string
+# which should be set. Default: absent -> no password is set.
+# To create an encrypted password, you can use:
+# /usr/bin/mkpasswd -H md5 --salt=$salt $password , where $salt is 8 bytes long
+# Note: On OpenBSD systems we can only manage crypted passwords.
+# Therefor the password_crypted option doesn't have any effect.
+# You'll find a python script in ${module}/password/openbsd/genpwd.py
+# Which will help you to create such a password
+# password_crypted: if the supplied password is crypted or not.
+# Default: true
+# Note: If you'd like to use unencrypted passwords, you have to set a variable
+# $password_salt to an 8 character long salt, being used for the password.
+# gid: define the gid of the group
+# absent: let the system take a gid
+# uid: take the same as the uid has if it isn't absent (*default*)
+# : take this gid
+# manage_group: Wether we should add a group with the same name as well, this works only
+# if you supply a uid.
+# Default: true
+define user::managed(
+ $ensure = present,
+ $name_comment = 'absent',
+ $uid = 'absent',
+ $gid = 'uid',
+ $groups = [],
+ $manage_group = true,
+ $membership = 'minimum',
+ $homedir = 'absent',
+ $managehome = true,
+ $homedir_mode = '0750',
+ $sshkey = 'absent',
+ $password = 'absent',
+ $password_crypted = true,
+ $shell = 'absent'
+){
+
+ $real_homedir = $homedir ? {
+ 'absent' => "/home/$name",
+ default => $homedir
+ }
+
+ $real_name_comment = $name_comment ? {
+ 'absent' => $name,
+ default => $name_comment,
+ }
+
+ $real_shell = $shell ? {
+ 'absent' => $operatingsystem ? {
+ openbsd => "/usr/local/bin/bash",
+ default => "/bin/bash",
+ },
+ default => $shell,
+ }
+
+ if ($kernel == 'OpenBSD') and (strlength($name) > 31) {
+ fail("Usernames can't be longer than 31 characters. ${name} is too long!")
+ }
+ if ($kernel == 'Linux') and (strlength($name) > 32) {
+ fail("Usernames can't be longer than 32 characters. ${name} is too long!")
+ }
+
+ user { $name:
+ ensure => $ensure,
+ allowdupe => false,
+ comment => "$real_name_comment",
+ home => $real_homedir,
+ managehome => $managehome,
+ shell => $real_shell,
+ groups => $groups,
+ membership => $membership,
+ }
+
+
+ if $managehome {
+ if $ensure == 'absent' {
+ file{"$real_homedir":
+ ensure => absent,
+ purge => true,
+ force => true,
+ recurese => true,
+ }
+ } else {
+ file{"$real_homedir":
+ ensure => directory,
+ require => User[$name],
+ owner => $name, mode => $homedir_mode;
+ }
+ case $gid {
+ 'absent','uid': {
+ File[$real_homedir]{
+ group => $name,
+ }
+ }
+ default: {
+ File[$real_homedir]{
+ group => $gid,
+ }
+ }
+ }
+ }
+ }
+
+ if $uid != 'absent' {
+ User[$name]{
+ uid => $uid,
+ }
+f $gid != 'absent' {
+ if $gid == 'uid' {
+ if $uid != 'absent' {
+ $real_gid = $uid
+ }
+ } else {
+ $real_gid = $gid
+ }
+ if $real_gid {
+ User[$name]{
+ gid => $real_gid,
+ }
+ }
+ }
+
+ if $name != 'root' {
+ if $uid == 'absent' {
+ if $manage_group and ($ensure == 'absent') {
+ case $operatingsystem {
+ 'OpenBSD': {
+ group{$name:
+ ensure => absent,
+ }
+ }
+ }
+ }
+ } else {
+ if $manage_group {
+ group { $name:
+ allowdupe => false,
+ ensure => $ensure,
+ }
+ if $real_gid {
+ Group[$name]{
+ gid => $real_gid,
+ }
+ }
+ }
+ }
+ }
+ case $ensure {
+ present: {
+ if $sshkey != 'absent' {
+ User[$name]{
+ before => Class[$sshkey],
+ }
+ include $sshkey
+ }
+
+ if $password != 'absent' {
+ case $operatingsystem {
+ openbsd: {
+ exec { "setpass ${name}":
+ unless => "grep -q '^${name}:${password}:' /etc/master.passwd",
+ command => "usermod -p '${password}' ${name}",
+ require => User["${name}"],
+ }
+ }
+ default: {
+ include ruby-libshadow
+ if $password_crypted {
+ $real_password = $password
+ } else {
+ if $password_salt {
+ $real_password = mkpasswd($password,$password_salt)
+ } else {
+ fail("To use unencrypted passwords you have to define a variable \$password_salt to an 8 character salt for passwords!")
+ }
+ }
+ User[$name]{
+ password => $real_password,
+ require => Package['ruby-libshadow'],
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/manifests/sftp_only.pp b/manifests/sftp_only.pp
new file mode 100644
index 0000000..2047ef1
--- /dev/null
+++ b/manifests/sftp_only.pp
@@ -0,0 +1,29 @@
+# gid: by default it will take the same as the uid
+define user::sftp_only(
+ $ensure = present,
+ $managehome = false,
+ $uid = 'absent',
+ $gid = 'uid',
+ $homedir_mode = '0750',
+ $password = 'absent',
+ $password_crypted = true
+) {
+ include user::groups::sftponly
+ user::managed{"${name}":
+ ensure => $ensure,
+ uid => $uid,
+ gid => $gid,
+ name_comment => "SFTP-only_user_${name}",
+ groups => [ 'sftponly' ],
+ managehome => $managehome,
+ homedir_mode => $homedir_mode,
+ shell => $operatingsystem ? {
+ debian => '/usr/sbin/nologin',
+ ubuntu => '/usr/sbin/nologin',
+ default => '/sbin/nologin'
+ },
+ password => $password,
+ password_crypted => $password_crypted,
+ require => Group['sftponly'],
+ }
+}
-- 
cgit v1.2.3
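Review bot: The new manifests/managed.pp will not parse: right after `uid => $uid,` the `}` closing `User[$name]{` is followed directly by `f $gid != 'absent' {`, so the closing brace of the `if $uid != 'absent'` block and the `i` of the next `if` were lost in the move (the deleted defines.pp had `}`, a blank line, then `if $gid != 'absent' {` at that spot); restore `  }` and `  if $gid != 'absent' {`. The file header comment still reads `# manifests/defines.pp` and should become `# manifests/managed.pp`. Two defects copied over verbatim are worth fixing while the code is being relocated: `recurese => true` in the `ensure => absent` file resource is a typo for `recurse`, so removing a home directory would error out, and the OpenBSD `setpass` exec interpolates `${password}` into a shell command line, where the hash is visible in process listings and may land in agent logs, and a value containing a single quote would break the quoting. Validating `$password` against the expected crypt-hash character set before it reaches `command` and `unless` would limit both the quoting problem and any regex metacharacter surprises in the `grep` pattern.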
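Review bot: The header of manifests/sftp_only.pp documents only `gid`, yet the define changes two defaults of user::managed that callers need to know about: `managehome` defaults to false here (true in user::managed), and `shell` is always a nologin shell chosen by `$operatingsystem` with no way to override it. Add lines such as `# managehome: defaults to false (user::managed defaults to true)` and `# shell: always a nologin shell, selected per OS; not overridable` next to the existing `# gid:` comment. As a point of style, `user::managed{"${name}":` can be written `user::managed{$name:`, matching the bare `$name` titles and references used in managed.pp.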