Puppetfile

@@ -11,6 +11,7 @@ mod 'puppetlabs-apt', '9.1.0'
 mod 'puppetlabs-puppetdb', '7.13.0'
 mod 'puppetlabs-postgresql', '9.1.0'
 mod 'puppetlabs-firewall', '6.0.0'
+mod 'puppetlabs-accounts', '8.1.0'
 
 # puppet
 mod 'puppet-python', '7.0.0'
@@ -22,3 +23,4 @@ mod 'puppet-puppetboard', '9.0.0'
 
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
+mod 'saz-sudo', '8.0.0'

environment.conf

@@ -1,2 +1,3 @@
 manifest = manifests/site.pp
 modulepath = external_modules:site
+config_version = '/usr/bin/grep signature /etc/puppetlabs/code/environments/$environment/.g10k-deploy.json | /usr/bin/cut -d \" -f 4'

hieradata/common.yaml

@@ -13,7 +13,6 @@ profiles::base::packages::common:
   - neovim
   - screen
   - strace
-  - sudo
   - tmux
   - vim
   - vnstat
@@ -38,3 +37,6 @@ profiles::puppet::g10k::default_environment: 'develop'
 profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
 puppetdb::master::config::create_puppet_service_resource: false
 puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+
+profiles::accounts::sysadmin::sshkeys:
+  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net

site/profiles/manifests/accounts/sysadmin.pp

@@ -0,0 +1,15 @@
+# create the sysadmin user
+class profiles::accounts::sysadmin(
+  Array[String] $sshkeys = [],
+){
+  profiles::base::account {'sysadmin':
+    username    => 'sysadmin',
+    uid         => 1000,
+    gid         => 1000,
+    groups      => ['wheel'],
+    sshkeys     => $sshkeys,
+    sudo_rules  => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
+    password    => '',
+    ignore_pass => true,
+  }
+}

site/profiles/manifests/base.pp

@@ -30,4 +30,11 @@ class profiles::base (
     manage_pip_package    => true,
     use_epel              => false,
   }
+
+  # all hosts will have sudo applied
+  include sudo
+
+  # default users
+  include profiles::accounts::sysadmin
+
 }

site/profiles/manifests/base/account.pp

@@ -0,0 +1,45 @@
+# a wrapper for puppetlabs-account and saz-sudo
+define profiles::base::account (
+  String $username,
+  Integer $uid,
+  Integer $gid = undef,
+  Boolean $manage_home = true,
+  Boolean $create_group = true,
+  Boolean $purge_sshkeys = true,
+  Boolean $system = false,
+  Boolean $locked = false,
+  String $password = '!!',
+  Boolean $ignore_pass = false,
+  Array[String] $groups = [],
+  Array[String] $sshkeys = [],
+  Array[String] $sudo_rules = [],
+  String $shell = '/usr/bin/bash',
+) {
+
+  # Set gid to uid if gid is undef
+  $final_gid = $gid ? {
+    undef   => $uid,
+    default => $gid,
+  }
+
+  # Manage user
+  accounts::user { $username:
+    uid                      => $uid,
+    gid                      => $final_gid,
+    shell                    => $shell,
+    groups                   => $groups,
+    sshkeys                  => $sshkeys,
+    system                   => $system,
+    locked                   => $locked,
+    password                 => $password,
+    create_group             => $create_group,
+    managehome               => $manage_home,
+    purge_sshkeys            => $purge_sshkeys,
+    ignore_password_if_empty => $ignore_pass,
+  }
+
+  # Manage sudo rules
+  sudo::conf { "${username}_sudo":
+    content => $sudo_rules,
+  }
+}