diff --git a/Puppetfile b/Puppetfile
index 5995d48..e24a9bc 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -15,3 +15,5 @@ mod 'puppetlabs-vcsrepo', '6.1.0'
 mod 'puppetlabs-yumrepo_core', '2.0.0'
 mod 'puppet-yum', '7.0.0'
 mod 'puppetlabs-apt', '9.1.0'
+mod 'saz-sudo', '8.0.0'
+mod 'puppetlabs-accounts', '8.1.0'
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index cd02e13..8708200 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -14,7 +14,6 @@ profiles::base::packages::common:
 - python3
 - screen
 - strace
- - sudo
 - tmux
 - vim
 - vnstat
@@ -36,3 +35,6 @@ profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
 profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
 profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
 profiles::puppet::g10k::default_environment: 'develop'
+
+profiles::accounts::sysadmin::sshkeys:
+ - ssh-rsa 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 ben@unkin.net
diff --git a/site/profiles/manifests/accounts/sysadmin.pp b/site/profiles/manifests/accounts/sysadmin.pp
new file mode 100644
index 0000000..81bde92
--- /dev/null
+++ b/site/profiles/manifests/accounts/sysadmin.pp
@@ -0,0 +1,15 @@
+# create the sysadmin user
+class profiles::accounts::sysadmin(
+ Array[String] $sshkeys = [],
+){
+ profiles::base::account {'sysadmin':
+ username => 'sysadmin',
+ uid => 1000,
+ gid => 1000,
+ groups => ['wheel'],
+ sshkeys => $sshkeys,
+ sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
+ password => '',
+ ignore_pass => true,
+ }
+}
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 5a5493c..7383b59 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -21,4 +21,11 @@ class profiles::base (
 packages => hiera('profiles::base::packages::common'),
 ensure => 'installed',
 }
+
+ # all hosts will have sudo applied
+ include sudo
+
+ # default users
+ include profiles::accounts::sysadmin
+
 }
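Review bot: In sysadmin.pp, `sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL']` together with `password => ''` and `ignore_pass => true` means the account has no password of its own and every holder of a key listed under `profiles::accounts::sysadmin::sshkeys` gets root with no second check, and because the rule is a literal rather than a parameter it cannot be tightened per environment from hieradata. Consider lifting it into the class signature, e.g. `Array[String] $sudo_rules = ['sysadmin ALL=(ALL) ALL'],` and passing `sudo_rules => $sudo_rules,`, so that NOPASSWD becomes an explicit per-environment choice; if passwordless sudo is needed for automation, record that reason in the `# create the sysadmin user` header. `groups => ['wheel']` presumably only exists on the EL hosts, while this repo also carries puppetlabs-apt; on Debian-family hosts the user resource would likely fail unless that group is created first, so verify before rollout. The hard-coded `uid => 1000` / `gid => 1000` is the id most installers hand to the first interactive user and may collide on hosts that were not provisioned from scratch.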
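Review bot: In base.pp, `include sudo` declares saz-sudo with its defaults, which as far as I recall replace `/etc/sudoers` with the module's template and purge unmanaged files from `/etc/sudoers.d`, so any grant that exists on the fleet today (for example a provisioning user's drop-in) disappears on the first run after this lands. If that is intended, make the comment say so, e.g. `# all hosts get saz-sudo with module defaults: /etc/sudoers is replaced and unmanaged sudoers.d drop-ins are purged`; if not, set the module's `purge` / `config_file_replace` parameters to false via hiera before including it. There is no explicit ordering between `include sudo` and `include profiles::accounts::sysadmin`; I believe the define used by the wrapper establishes its own relationship to the sudo class, but that is worth confirming rather than relying on declaration order. `class profiles::base` begins outside the hunk.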
diff --git a/site/profiles/manifests/base/account.pp b/site/profiles/manifests/base/account.pp
new file mode 100644
index 0000000..92011b4
--- /dev/null
+++ b/site/profiles/manifests/base/account.pp
@@ -0,0 +1,45 @@
+# a wrapper for puppetlabs-account and saz-sudo
+define profiles::base::account (
+ String $username,
+ Integer $uid,
+ Integer $gid = undef,
+ Boolean $manage_home = true,
+ Boolean $create_group = true,
+ Boolean $purge_sshkeys = true,
+ Boolean $system = false,
+ Boolean $locked = false,
+ String $password = '!!',
+ Boolean $ignore_pass = false,
+ Array[String] $groups = [],
+ Array[String] $sshkeys = [],
+ Array[String] $sudo_rules = [],
+ String $shell = '/usr/bin/bash',
+) {
+
+ # Set gid to uid if gid is undef
+ $final_gid = $gid ? {
+ undef => $uid,
+ default => $gid,
+ }
+
+ # Manage user
+ accounts::user { $username:
+ uid => $uid,
+ gid => $final_gid,
+ shell => $shell,
+ groups => $groups,
+ sshkeys => $sshkeys,
+ system => $system,
+ locked => $locked,
+ password => $password,
+ create_group => $create_group,
+ managehome => $manage_home,
+ purge_sshkeys => $purge_sshkeys,
+ ignore_password_if_empty => $ignore_pass,
+ }
+
+ # Manage sudo rules
+ sudo::conf { "${username}_sudo":
+ content => $sudo_rules,
+ }
+}
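Review bot: `Integer $gid = undef` does not accept its own default: Puppet type-checks a parameter's default value, so any declaration that omits `gid` should fail with a type error (Integer expected, Undef given) before the `$gid ? { undef => $uid, default => $gid }` selector ever runs; declare it as `Optional[Integer] $gid = undef,` and the existing selector is then correct. The only caller today passes `gid => 1000`, which is why this has not surfaced yet. Separately, `sudo::conf { "${username}_sudo": content => $sudo_rules }` is declared unconditionally, so an account using the default `$sudo_rules = []` still gets a drop-in under sudoers.d with empty content; wrapping it in `unless empty($sudo_rules) { ... }` keeps sudoers.d limited to accounts that actually hold a grant, which is easier to audit. The `# a wrapper for puppetlabs-account and saz-sudo` header would be more useful if it stated the contract: one `accounts::user` plus one `sudo::conf` per instance, with each `$sudo_rules` entry written verbatim as a sudoers line, and `$gid` falling back to `$uid` when not given.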