feat: create glauth module

- manage config directories, config file - manage systemd service and socket - manage users, service accounts and groups - manage defaults for users, services and groups - manage packages for role
2024-06-30 22:41:32 +10:00 · 2024-06-30 22:41:32 +10:00 · c69e8c487e
commit c69e8c487e
parent bc35270731
19 changed files with 545 additions and 0 deletions
--- a/modules/glauth/manifests/config.pp
+++ b/modules/glauth/manifests/config.pp
@ -0,0 +1,155 @@
+# configure glauth
+class glauth::config (
+  Boolean              $debug                           = $glauth::debug,
+  Boolean              $syslog                          = $glauth::syslog,
+  Boolean              $structuredlog                   = $glauth::structuredlog,
+  Boolean              $watchconfig                     = $glauth::watchconfig,
+
+  Boolean              $ldap_enabled                    = $glauth::ldap_enabled,
+  Stdlib::IP::Address  $ldap_address                    = $glauth::ldap_address,
+  Stdlib::Port         $ldap_port                       = $glauth::ldap_port,
+  Boolean              $ldap_tls                        = $glauth::ldap_tls,
+  Stdlib::Absolutepath $ldap_tlscertpath                = $glauth::ldap_tlscertpath,
+  Stdlib::Absolutepath $ldap_tlskeypath                 = $glauth::ldap_tlskeypath,
+
+  Boolean              $ldaps_enabled                   = $glauth::ldaps_enabled,
+  Stdlib::IP::Address  $ldaps_address                   = $glauth::ldaps_address,
+  Stdlib::Port         $ldaps_port                      = $glauth::ldaps_port,
+  Stdlib::Absolutepath $ldaps_cert                      = $glauth::ldaps_cert,
+  Stdlib::Absolutepath $ldaps_key                       = $glauth::ldaps_key,
+
+  String               $backend_datastore               = $glauth::backend_datastore,
+  String               $backend_basedn                  = $glauth::backend_basedn,
+  String               $backend_nameformat              = $glauth::backend_nameformat,
+  String               $backend_groupformat             = $glauth::backend_groupformat,
+  Boolean              $backend_anonymousdse            = $glauth::backend_anonymousdse,
+  String               $backend_sshkeyattr              = $glauth::backend_sshkeyattr,
+
+  Boolean              $behaviors_ignorecapabilities    = $glauth::behaviors_ignorecapabilities,
+  Boolean              $behaviors_limitfailedbinds      = $glauth::behaviors_limitfailedbinds,
+  Integer              $behaviors_numberoffailedbinds   = $glauth::behaviors_numberoffailedbinds,
+  Integer              $behaviors_periodoffailedbinds   = $glauth::behaviors_periodoffailedbinds,
+  Integer              $behaviors_blockfailedbindsfor   = $glauth::behaviors_blockfailedbindsfor,
+  Integer              $behaviors_prunesourcetableevery = $glauth::behaviors_prunesourcetableevery,
+  Integer              $behaviors_prunesourcesolderthan = $glauth::behaviors_prunesourcesolderthan,
+
+  Boolean              $api_enabled                     = $glauth::api_enabled,
+  Boolean              $api_internals                   = $glauth::api_internals,
+  Boolean              $api_tls                         = $glauth::api_tls,
+  Stdlib::IP::Address  $api_address                     = $glauth::api_address,
+  Stdlib::Port         $api_port                        = $glauth::api_port,
+  Stdlib::Absolutepath $api_cert                        = $glauth::api_cert,
+  Stdlib::Absolutepath $api_key                         = $glauth::api_key,
+
+  String               $user                            = $glauth::user,
+  String               $group                           = $glauth::group,
+  Stdlib::Absolutepath $bin_dir                         = $glauth::bin_dir,
+  Stdlib::Absolutepath $bin_path                        = $glauth::bin_path,
+  Stdlib::Absolutepath $config_dir                      = $glauth::config_dir,
+  Stdlib::Absolutepath $config_path                     = $glauth::config_path,
+  Boolean              $manage_defaults                 = $glauth::manage_defaults,
+) {
+
+  mkdir::p {$config_dir:}
+  file { [ $config_dir ]:
+    ensure => directory,
+    owner  => $user,
+    group  => $group,
+  }
+
+  concat { $config_path:
+    owner   => $user,
+    group   => $group,
+    mode    => '0644',
+    require => File[$config_dir],
+  }
+
+  if $manage_defaults {
+    Glauth::Obj::User {
+      config_path => $config_path,
+    }
+    Glauth::Obj::Service {
+      config_path => $config_path,
+    }
+    Glauth::Obj::Group {
+      config_path => $config_path,
+    }
+  }
+
+  concat::fragment { 'glauth_general':
+    target  => $config_path,
+    content => epp('glauth/general.epp', {
+      'debug'         => $debug,
+      'syslog'        => $syslog,
+      'structuredlog' => $structuredlog,
+      'watchconfig'   => $watchconfig,
+    }),
+    order   => 10,
+  }
+
+  concat::fragment { 'glauth_ldap':
+    target  => $config_path,
+    content => epp('glauth/ldap.epp', {
+      'ldap_enabled'     => $ldap_enabled,
+      'ldap_address'     => $ldap_address,
+      'ldap_port'        => $ldap_port,
+      'ldap_tls'         => $ldap_tls,
+      'ldap_tlscertpath' => $ldap_tlscertpath,
+      'ldap_tlskeypath'  => $ldap_tlskeypath,
+    }),
+    order   => 20,
+  }
+
+  concat::fragment { 'glauth_ldaps':
+    target  => $config_path,
+    content => epp('glauth/ldaps.epp', {
+      'ldaps_enabled' => $ldaps_enabled,
+      'ldaps_address' => $ldaps_address,
+      'ldaps_port'    => $ldaps_port,
+      'ldaps_cert'    => $ldaps_cert,
+      'ldaps_key'     => $ldaps_key,
+    }),
+    order   => 30,
+  }
+
+  concat::fragment { 'glauth_backend':
+    target  => $config_path,
+    content => epp('glauth/backend.epp', {
+      'backend_datastore'    => $backend_datastore,
+      'backend_basedn'       => $backend_basedn,
+      'backend_nameformat'   => $backend_nameformat,
+      'backend_groupformat'  => $backend_groupformat,
+      'backend_anonymousdse' => $backend_anonymousdse,
+      'backend_sshkeyattr'   => $backend_sshkeyattr,
+    }),
+    order   => 40,
+  }
+
+  concat::fragment { 'glauth_behaviors':
+    target  => $config_path,
+    content => epp('glauth/behaviors.epp', {
+      'ignorecapabilities'    => $behaviors_ignorecapabilities,
+      'limitfailedbinds'      => $behaviors_limitfailedbinds,
+      'numberoffailedbinds'   => $behaviors_numberoffailedbinds,
+      'periodoffailedbinds'   => $behaviors_periodoffailedbinds,
+      'blockfailedbindsfor'   => $behaviors_blockfailedbindsfor,
+      'prunesourcetableevery' => $behaviors_prunesourcetableevery,
+      'prunesourcesolderthan' => $behaviors_prunesourcesolderthan,
+    }),
+    order   => 50,
+  }
+
+  concat::fragment { 'glauth_api':
+    target  => $config_path,
+    content => epp('glauth/api.epp', {
+      'api_enabled'   => $api_enabled,
+      'api_internals' => $api_internals,
+      'api_tls'       => $api_tls,
+      'api_address'   => $api_address,
+      'api_port'      => $api_port,
+      'api_cert'      => $api_cert,
+      'api_key'       => $api_key,
+    }),
+    order   => 60,
+  }
+}
--- a/modules/glauth/manifests/init.pp
+++ b/modules/glauth/manifests/init.pp
@ -0,0 +1,64 @@
+# glauth inititalisation class
+class glauth (
+  Boolean              $debug                           = $glauth::params::debug,
+  Boolean              $syslog                          = $glauth::params::syslog,
+  Boolean              $structuredlog                   = $glauth::params::structuredlog,
+  Boolean              $watchconfig                     = $glauth::params::watchconfig,
+  Array                $packages                        = $glauth::params::packages,
+
+  Boolean              $ldap_enabled                    = $glauth::params::ldap_enabled,
+  Stdlib::IP::Address  $ldap_address                    = $glauth::params::ldap_address,
+  Stdlib::Port         $ldap_port                       = $glauth::params::ldap_port,
+  Boolean              $ldap_tls                        = $glauth::params::ldap_tls,
+  Stdlib::Absolutepath $ldap_tlscertpath                = $glauth::params::ldap_tlscertpath,
+  Stdlib::Absolutepath $ldap_tlskeypath                 = $glauth::params::ldap_tlskeypath,
+
+  Boolean              $ldaps_enabled                   = $glauth::params::ldaps_enabled,
+  Stdlib::IP::Address  $ldaps_address                   = $glauth::params::ldaps_address,
+  Stdlib::Port         $ldaps_port                      = $glauth::params::ldaps_port,
+  Stdlib::Absolutepath $ldaps_cert                      = $glauth::params::ldaps_cert,
+  Stdlib::Absolutepath $ldaps_key                       = $glauth::params::ldaps_key,
+
+  String               $backend_datastore               = $glauth::params::backend_datastore,
+  String               $backend_basedn                  = $glauth::params::backend_basedn,
+  String               $backend_nameformat              = $glauth::params::backend_nameformat,
+  String               $backend_groupformat             = $glauth::params::backend_groupformat,
+  Boolean              $backend_anonymousdse            = $glauth::params::backend_anonymousdse,
+  String               $backend_sshkeyattr              = $glauth::params::backend_sshkeyattr,
+
+  Boolean              $behaviors_ignorecapabilities    = $glauth::params::behaviors_ignorecapabilities,
+  Boolean              $behaviors_limitfailedbinds      = $glauth::params::behaviors_limitfailedbinds,
+  Integer              $behaviors_numberoffailedbinds   = $glauth::params::behaviors_numberoffailedbinds,
+  Integer              $behaviors_periodoffailedbinds   = $glauth::params::behaviors_periodoffailedbinds,
+  Integer              $behaviors_blockfailedbindsfor   = $glauth::params::behaviors_blockfailedbindsfor,
+  Integer              $behaviors_prunesourcetableevery = $glauth::params::behaviors_prunesourcetableevery,
+  Integer              $behaviors_prunesourcesolderthan = $glauth::params::behaviors_prunesourcesolderthan,
+
+  Boolean              $api_enabled                     = $glauth::params::api_enabled,
+  Boolean              $api_internals                   = $glauth::params::api_internals,
+  Boolean              $api_tls                         = $glauth::params::api_tls,
+  Stdlib::IP::Address  $api_address                     = $glauth::params::api_address,
+  Stdlib::Port         $api_port                        = $glauth::params::api_port,
+  Stdlib::Absolutepath $api_cert                        = $glauth::params::api_cert,
+  Stdlib::Absolutepath $api_key                         = $glauth::params::api_key,
+
+  String               $user                            = $glauth::params::user,
+  String               $group                           = $glauth::params::group,
+  Stdlib::Absolutepath $bin_dir                         = $glauth::params::bin_dir,
+  Stdlib::Absolutepath $bin_path                        = $glauth::params::bin_path,
+  Stdlib::Absolutepath $config_dir                      = $glauth::params::config_dir,
+  Stdlib::Absolutepath $config_path                     = $glauth::params::config_path,
+  Boolean              $service_enable                  = $glauth::params::service_enable,
+  String               $service_name                    = $glauth::params::service_name,
+  String               $download_version                = $glauth::params::download_version,
+  String               $download_url                    = $glauth::params::download_url,
+  Boolean              $manage_defaults                 = $glauth::params::manage_defaults,
+
+) inherits glauth::params {
+
+  include glauth::install
+  include glauth::config
+  include glauth::service
+
+  Class['glauth::install'] -> Class['glauth::config'] -> Class['glauth::service']
+}
--- a/modules/glauth/manifests/install.pp
+++ b/modules/glauth/manifests/install.pp
@ -0,0 +1,45 @@
+# install the glauth directories and binary
+class glauth::install (
+  String               $user         = $glauth::user,
+  String               $group        = $glauth::group,
+  Stdlib::Absolutepath $bin_dir      = $glauth::bin_dir,
+  Stdlib::Absolutepath $bin_path     = $glauth::bin_path,
+  Stdlib::Absolutepath $config_dir   = $glauth::config_path,
+  Stdlib::Absolutepath $config_path  = $glauth::config_path,
+  String               $download_url = $glauth::download_url,
+  Array                $packages     = $glauth::packages,
+){
+  user { $user:
+    ensure  => present,
+    system  => true,
+    gid     => $group,
+    require => Group[$group],
+  }
+
+  group { $group:
+    ensure => present,
+    system => true,
+  }
+
+  ensure_resources('package', $packages => {ensure => 'present'})
+
+  archive { 'glauth':
+    ensure       => present,
+    url          => $download_url,
+    extract      => false,
+    path         => $bin_path,
+    creates      => $bin_path,
+    cleanup      => false,
+    extract_path => $bin_dir,
+    user         => 'root',
+    group        => 'root',
+  }
+
+  file{ $bin_path:
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    require => Archive['glauth'],
+  }
+}
--- a/modules/glauth/manifests/obj/group.pp
+++ b/modules/glauth/manifests/obj/group.pp
@ -0,0 +1,17 @@
+# define a group object
+define glauth::obj::group (
+  String $group_name,
+  Integer $gidnumber,
+  Stdlib::Absolutepath $config_path,
+  Optional[Array[Integer]] $includegroups = [],
+) {
+  concat::fragment { "glauth_group_${group_name}":
+    target  => $config_path,
+    content => epp('glauth/obj/group.epp', {
+      'name'          => $group_name,
+      'gidnumber'     => $gidnumber,
+      'includegroups' => $includegroups,
+    }),
+    order   => '90',
+  }
+}
--- a/modules/glauth/manifests/obj/service.pp
+++ b/modules/glauth/manifests/obj/service.pp
@ -0,0 +1,21 @@
+# define a service object
+define glauth::obj::service (
+  String $service_name,
+  String $mail,
+  Integer $uidnumber,
+  Integer $primarygroup,
+  String $passsha256,
+  Stdlib::Absolutepath $config_path,
+) {
+  concat::fragment { "glauth_service_${service_name}":
+    target  => $config_path,
+    content => epp('glauth/obj/service.epp', {
+      'name'         => $service_name,
+      'mail'         => $mail,
+      'uidnumber'    => $uidnumber,
+      'primarygroup' => $primarygroup,
+      'passsha256'   => $passsha256,
+    }),
+    order   => '80',
+  }
+}
--- a/modules/glauth/manifests/obj/user.pp
+++ b/modules/glauth/manifests/obj/user.pp
@ -0,0 +1,39 @@
+# define a user object
+define glauth::obj::user (
+  String $user_name,
+  String $mail,
+  Integer $uidnumber,
+  Integer $primarygroup,
+  String $passsha256,
+  Stdlib::Absolutepath $config_path,
+  String $givenname = '',
+  String $sn = '',
+  String $loginshell = '',
+  String $homedir = '',
+  Optional[Array[String]] $sshkeys = [],
+  Optional[Array[String]] $passappsha256 = [],
+  Optional[Array[Integer]] $othergroups = [],
+) {
+  $formatted_othergroups = $othergroups.empty ? {
+    true    => '[]',
+    false   => "[${othergroups.join(', ')}]",
+  }
+  concat::fragment { "glauth_user_${user_name}":
+    target  => $config_path,
+    content => epp('glauth/obj/user.epp', {
+      'name'          => $user_name,
+      'givenname'     => $givenname,
+      'sn'            => $sn,
+      'mail'          => $mail,
+      'uidnumber'     => $uidnumber,
+      'primarygroup'  => $primarygroup,
+      'loginshell'    => $loginshell,
+      'homedir'       => $homedir,
+      'passsha256'    => $passsha256,
+      'sshkeys'       => $sshkeys,
+      'passappsha256' => $passappsha256,
+      'othergroups'   => $formatted_othergroups,
+    }),
+    order   => '70',
+  }
+}
--- a/modules/glauth/manifests/params.pp
+++ b/modules/glauth/manifests/params.pp
@ -0,0 +1,58 @@
+# params class for glauth
+class glauth::params (
+  Boolean $debug                             = true,
+  Boolean $syslog                            = true,
+  Boolean $structuredlog                     = true,
+  Boolean $watchconfig                       = true,
+  Array   $packages                          = [
+    'openldap-clients',
+  ],
+
+  Boolean $ldap_enabled                      = true,
+  Stdlib::IP::Address $ldap_address          = '0.0.0.0',
+  Stdlib::Port $ldap_port                    = 389,
+  Boolean $ldap_tls                          = false,
+  Stdlib::Absolutepath $ldap_tlscertpath     = '/etc/glauth/glauth.crt',
+  Stdlib::Absolutepath $ldap_tlskeypath      = '/etc/glauth/glauth.key',
+
+  Boolean $ldaps_enabled                     = false,
+  Stdlib::IP::Address $ldaps_address         = '0.0.0.0',
+  Stdlib::Port $ldaps_port                   = 636,
+  Stdlib::Absolutepath $ldaps_cert           = '/etc/glauth/glauth.crt',
+  Stdlib::Absolutepath $ldaps_key            = '/etc/glauth/glauth.key',
+
+  String $backend_datastore                  = 'config',
+  String $backend_basedn                     = 'dc=main,dc=unkin,dc=net',
+  String $backend_nameformat                 = 'cn',
+  String $backend_groupformat                = 'ou',
+  Boolean $backend_anonymousdse              = true,
+  String $backend_sshkeyattr                 = 'sshPublicKey',
+
+  Boolean $behaviors_ignorecapabilities      = true,
+  Boolean $behaviors_limitfailedbinds        = true,
+  Integer $behaviors_numberoffailedbinds     = 3,
+  Integer $behaviors_periodoffailedbinds     = 10,
+  Integer $behaviors_blockfailedbindsfor     = 60,
+  Integer $behaviors_prunesourcetableevery   = 600,
+  Integer $behaviors_prunesourcesolderthan   = 600,
+
+  Boolean $api_enabled                       = true,
+  Boolean $api_internals                     = true,
+  Boolean $api_tls                           = true,
+  Stdlib::IP::Address $api_address           = '0.0.0.0',
+  Stdlib::Port $api_port                     = 5555,
+  Stdlib::Absolutepath $api_cert             = '/etc/glauth/cert.pem',
+  Stdlib::Absolutepath $api_key              = '/etc/glauth/key.pem',
+
+  String               $user                 = 'glauth',
+  String               $group                = 'glauth',
+  Stdlib::Absolutepath $bin_dir              = '/usr/local/bin',
+  Stdlib::Absolutepath $bin_path             = "${bin_dir}/glauth",
+  Stdlib::Absolutepath $config_dir           = '/etc/glauth',
+  Stdlib::Absolutepath $config_path          = "${config_dir}/glauth.conf",
+  Boolean              $service_enable       = true,
+  String               $service_name         = 'glauth',
+  String               $download_version     = '2.3.2',
+  String               $download_url         = "https://git.query.consul/api/packages/unkinben/generic/glauth/${download_version}/glauth-linux-amd64",
+  Boolean              $manage_defaults      = true,
+){}
--- a/modules/glauth/manifests/service.pp
+++ b/modules/glauth/manifests/service.pp
@ -0,0 +1,40 @@
+# manage the glauth service/socket
+class glauth::service (
+  $service_enable = $glauth::service_enable,
+  $service_name   = $glauth::service_name,
+  $user           = $glauth::user,
+  $group          = $glauth::group,
+  $config_path    = $glauth::config_path,
+  $bin_path       = $glauth::bin_path,
+  $ldap_port      = $glauth::ldap_port,
+  $ldaps_port     = $glauth::ldaps_port,
+  $api_port       = $glauth::api_port,
+){
+  if $service_enable {
+    include ::systemd
+
+    systemd::unit_file { "${service_name}.service":
+      content   => epp('glauth/systemd.service.epp', {
+        'bin_path'     => $bin_path,
+        'config_path'  => $config_path,
+        'user'         => $user,
+        'group'        => $group,
+        'service_name' => $service_name,
+      }),
+      enable    => true,
+      active    => true,
+      subscribe => Concat[$config_path],
+      # should also subscribe to tls certs
+    }
+    #systemd::unit_file { "${service_name}.socket":
+    #  content   => epp('glauth/systemd.socket.epp', {
+    #    'ldap_port'  => $ldap_port,
+    #    'ldaps_port' => $ldaps_port,
+    #    'api_port'   => $api_port,
+    #}),
+    #  enable    => true,
+    #  active    => true,
+    #  subscribe => Concat[$config_path],
+    #}
+  }
+}
--- a/modules/glauth/templates/api.epp
+++ b/modules/glauth/templates/api.epp
@ -0,0 +1,10 @@
+#################
+# API configuration.
+[api]
+  enabled = <%= $api_enabled %>
+  internals = <%= $api_internals %>
+  tls = <%= $api_tls %>
+  listen = "<%= $api_address %>:<%= $api_port %>"
+  cert = "<%= $api_cert %>"
+  key = "<%= $api_key %>"
+
--- a/modules/glauth/templates/backend.epp
+++ b/modules/glauth/templates/backend.epp
@ -0,0 +1,10 @@
+#################
+# The backend section controls the data store.
+[backend]
+  datastore = "<%= $backend_datastore %>"
+  baseDN = "<%= $backend_basedn %>"
+  nameformat = "<%= $backend_nameformat %>"
+  groupformat = "<%= $backend_groupformat %>"
+  anonymousdse = <%= $backend_anonymousdse %>
+  sshkeyattr = "<%= $backend_sshkeyattr %>"
+
--- a/modules/glauth/templates/behaviors.epp
+++ b/modules/glauth/templates/behaviors.epp
@ -0,0 +1,11 @@
+#################
+# Behaviors configuration.
+[behaviors]
+  IgnoreCapabilities = <%= $ignorecapabilities %>
+  LimitFailedBinds = <%= $limitfailedbinds %>
+  NumberOfFailedBinds = <%= $numberoffailedbinds %>
+  PeriodOfFailedBinds = <%= $periodoffailedbinds %>
+  BlockFailedBindsFor = <%= $blockfailedbindsfor %>
+  PruneSourceTableEvery = <%= $prunesourcetableevery %>
+  PruneSourcesOlderThan = <%= $prunesourcesolderthan %>
+
--- a/modules/glauth/templates/general.epp
+++ b/modules/glauth/templates/general.epp
@ -0,0 +1,7 @@
+#################
+# General configuration.
+debug = <%= $debug %>
+syslog = <%= $syslog %>
+structuredlog = <%= $structuredlog %>
+watchconfig = <%= $watchconfig %>
+
--- a/modules/glauth/templates/ldap.epp
+++ b/modules/glauth/templates/ldap.epp
@ -0,0 +1,9 @@
+#################
+# Server configuration.
+[ldap]
+  enabled = <%= $ldap_enabled %>
+  listen = "<%= $ldap_address %>:<%= $ldap_port %>"
+  tls = <%= $ldap_tls %>
+  tlsCertPath = "<%= $ldap_tlscertpath %>"
+  tlsKeyPath = "<%= $ldap_tlskeypath %>"
+
--- a/modules/glauth/templates/ldaps.epp
+++ b/modules/glauth/templates/ldaps.epp
@ -0,0 +1,8 @@
+#################
+# Server configuration.
+[ldaps]
+  enabled = <%= $ldaps_enabled %>
+  listen = "<%= $ldaps_address %>:<%= $ldaps_port %>"
+  cert = "<%= $ldaps_cert %>"
+  key = "<%= $ldaps_key %>"
+
--- a/modules/glauth/templates/obj/group.epp
+++ b/modules/glauth/templates/obj/group.epp
@ -0,0 +1,5 @@
+[[groups]]
+  name = "<%= $name %>"
+  gidnumber = <%= $gidnumber %>
+  <% if $includegroups.length > 0 { %>includegroups = [<% $includegroups.each |Integer $group| { %><%= $group %>, <% } %>]<% } %>
+
--- a/modules/glauth/templates/obj/service.epp
+++ b/modules/glauth/templates/obj/service.epp
@ -0,0 +1,7 @@
+[[users]]
+  name = "<%= $name %>"
+  mail = "<%= $mail %>"
+  uidnumber = <%= $uidnumber %>
+  primarygroup = <%= $primarygroup %>
+  passsha256 = "<%= $passsha256 %>"
+
--- a/modules/glauth/templates/obj/user.epp
+++ b/modules/glauth/templates/obj/user.epp
@ -0,0 +1,14 @@
+[[users]]
+  name = "<%= $name %>"
+  <% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
+  <% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
+  mail = "<%= $mail %>"
+  uidnumber = <%= $uidnumber %>
+  primarygroup = <%= $primarygroup %>
+  <% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
+  <% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
+  passsha256 = "<%= $passsha256 %>"
+  <% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
+  <% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
+  othergroups = <%= $othergroups %>
+
--- a/modules/glauth/templates/systemd.service.epp
+++ b/modules/glauth/templates/systemd.service.epp
@ -0,0 +1,14 @@
+[Unit]
+Description=GLAuth Service
+After=network.target
+
+[Service]
+User=<%= $user %>
+Group=<%= $group %>
+ExecStart=<%= $bin_path %> -c <%= $config_path %>
+Restart=always
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+Also=<%= $service_name %>.socket
--- a/modules/glauth/templates/systemd.socket.epp
+++ b/modules/glauth/templates/systemd.socket.epp
@ -0,0 +1,11 @@
+[Unit]
+Description=GLAuth Socket
+
+[Socket]
+ListenStream=<%= $ldap_port %>
+ListenStream=<%= $ldaps_port %>
+ListenStream=<%= $api_port %>
+NoDelay=true
+
+[Install]
+WantedBy=sockets.target