module-user/manifests/defines.pp

# manifests/defines.pp

# sshkey:           have to be handed over as the classname
#                   containing the ssh_keys
# password:         the password in cleartext or as crypted string
#                   which should be set. Default: absent -> no password is set.
#                   To create an encrypted password, you can use:
#                   /usr/bin/mkpasswd -H md5 --salt=$salt $password , where $salt is 8 bytes long
#                   Note: On OpenBSD systems we can only manage crypted passwords.
#                         Therefor the password_crypted option doesn't have any effect.
#                         You'll find a python script in ${module}/password/openbsd/genpwd.py
#                         Which will help you to create such a password
# password_crypted: if the supplied password is crypted or not. 
#                   Default: true
#                   Note: If you'd like to use unencrypted passwords, you have to set a variable
#                         $password_salt to an 8 character long salt, being used for the password.  
# gid:              define the gid of the group
#                   absent: let the system take a gid
#                   uid: take the same as the uid has if it isn't absent (*default*)
#                   <value>: take this gid
# manage_group:     Wether we should add a group with the same name as well, this works only
#                   if you supply a uid.
#                   Default: true
define user::managed(
    $ensure = present,
    $name_comment = 'absent',
    $uid = 'absent',
    $gid = 'uid',
    $groups = [],
    $manage_group = true,
    $membership = 'minimum',
    $homedir = 'absent',
    $managehome = true,
    $homedir_mode = '0750',
    $sshkey = 'absent',
    $password = 'absent',
    $password_crypted = true,
    $shell = 'absent'
){

    $real_homedir = $homedir ? {
        'absent' => "/home/$name",
        default => $homedir
    }

    $real_name_comment = $name_comment ? {
        'absent' => $name,
        default => $name_comment,
    }

    $real_shell = $shell ? {
        'absent' =>  $operatingsystem ? {
                          openbsd => "/usr/local/bin/bash",
                          default => "/bin/bash",
                    },
        default => $shell,
    }

    if strlength($name) > 32 {
      fail("Usernames can't be longer than 32 characters. ${name} is too long!")
    }

    user { $name:
        ensure => $ensure,
        allowdupe => false,
        comment => "$real_name_comment",
        home => $real_homedir,
        managehome => $managehome,
        shell => $real_shell,
        groups => $groups,
        membership => $membership,
    }

    
    if $managehome {
        if $ensure == 'absent' {
            file{"$real_homedir":
                ensure => absent,
                purge => true,
                force => true,
                recurese => true,
            }
        } else {
            file{"$real_homedir":
                ensure => directory,
                require => User[$name],
                owner => $name, mode => $homedir_mode;
            }
            case $gid {
                'absent','uid': {
                    File[$real_homedir]{
                        group => $name,
                    }
                }
                default: {
                    File[$real_homedir]{
                        group => $gid,
                    }
                }
            }
        }
    }

    if $uid != 'absent' {
        User[$name]{
            uid => $uid,
        }
    }

    if $gid != 'absent' {
        if $gid == 'uid' {
            if $uid != 'absent' {
                $real_gid = $uid
            }
        } else {
            $real_gid = $gid
        }
        if $real_gid {
            User[$name]{
                gid => $real_gid,
            }
        }
    }

    if $name != 'root' {
        if $uid == 'absent' {
            if $manage_group and ($ensure == 'absent') {
              case $operatingsystem {
                'OpenBSD': {
                  group{$name:
                    ensure => absent,
                  }
                }
              }
            }
        } else {
            if $manage_group {
                group { $name:
                    allowdupe => false,
                    ensure => $ensure,
                }
                if $real_gid {
                    Group[$name]{
                        gid => $real_gid,
                    }
                }
            } 
        }
    }

    case $ensure {
        present: {
            if $sshkey != 'absent' {
                User[$name]{
                    before => Class[$sshkey],
                }
                include $sshkey
            }

            if $password != 'absent' {
                case $operatingsystem {
                    openbsd: {
                        exec { "setpass ${name}":
                            unless => "grep -q '^${name}:${password}:' /etc/master.passwd",
                            command => "usermod -p '${password}' ${name}",
                            require => User["${name}"],
                        }
                    }
                    default: {
                        include ruby-libshadow
                        if $password_crypted {
                            $real_password = $password
                        } else {
                            if $password_salt {
                                $real_password = mkpasswd($password,$password_salt)
                            } else {
                                fail("To use unencrypted passwords you have to define a variable \$password_salt to an 8 character salt for passwords!")
                            }
                        }
                        User[$name]{
                            password => $real_password,
                            require => Package['ruby-libshadow'],
                        }
                    }
                }
            }
        }
    }
}

# gid:  by default it will take the same as the uid
define user::sftp_only(
    $ensure = present,
    $managehome = false,
    $uid = 'absent',
    $gid = 'uid',
    $homedir_mode = '0750',
    $password = 'absent',
    $password_crypted = true
) {
    include user::groups::sftponly
    user::managed{"${name}":
        ensure => $ensure,
        uid => $uid,
        gid => $gid,
        name_comment => "SFTP-only_user_${name}",
        groups => [ 'sftponly' ],        
        managehome => $managehome,
        homedir_mode => $homedir_mode,
        shell => $operatingsystem ? {
            debian => '/usr/sbin/nologin',
            ubuntu => '/usr/sbin/nologin',
            default => '/sbin/nologin'
        },
        password => $password,
        password_crypted => $password_crypted,
        require => Group['sftponly'],
    }
}
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`# manifests/defines.pp`

enhanced user with advanced password management stuff 2008-10-25 22:46:48 +02:00			`# sshkey: have to be handed over as the classname`
			`# containing the ssh_keys`
			`# password: the password in cleartext or as crypted string`
			`# which should be set. Default: absent -> no password is set.`
added some doku 2008-10-25 23:11:31 +02:00			`# To create an encrypted password, you can use:`
adjusted docu 2008-12-01 23:30:22 +01:00			`# /usr/bin/mkpasswd -H md5 --salt=$salt $password , where $salt is 8 bytes long`
we can only manage crypted passwords -> added a python script to generate these passwords 2008-11-08 22:56:52 +01:00			`# Note: On OpenBSD systems we can only manage crypted passwords.`
enhanced user with advanced password management stuff 2008-10-25 22:46:48 +02:00			`# Therefor the password_crypted option doesn't have any effect.`
we can only manage crypted passwords -> added a python script to generate these passwords 2008-11-08 22:56:52 +01:00			`# You'll find a python script in ${module}/password/openbsd/genpwd.py`
			`# Which will help you to create such a password`
enhanced user with advanced password management stuff 2008-10-25 22:46:48 +02:00			`# password_crypted: if the supplied password is crypted or not.`
			`# Default: true`
			`# Note: If you'd like to use unencrypted passwords, you have to set a variable`
			`# $password_salt to an 8 character long salt, being used for the password.`
rearranged things so that the gid can automatically be set the same as uid 2008-11-22 16:12:32 +01:00			`# gid: define the gid of the group`
merged with puzzle 2008-12-05 15:44:27 +01:00			`# absent: let the system take a gid`
			`# uid: take the same as the uid has if it isn't absent (default)`
rearranged things so that the gid can automatically be set the same as uid 2008-11-22 16:12:32 +01:00			`# <value>: take this gid`
if no uid is supplied we can't manage the group itself 2009-01-08 22:47:17 +01:00			`# manage_group: Wether we should add a group with the same name as well, this works only`
			`# if you supply a uid.`
optionaly disable group managing 2008-12-02 01:30:12 +01:00			`# Default: true`
we should not use action verbs in names, managed is slightly better, but not yet that good 2008-12-01 23:45:57 +01:00			`define user::managed(`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`$ensure = present,`
			`$name_comment = 'absent',`
			`$uid = 'absent',`
			`$gid = 'uid',`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`$groups = [],`
adjusted to boolean usage 2008-12-05 18:29:47 +01:00			`$manage_group = true,`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`$membership = 'minimum',`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`$homedir = 'absent',`
adjusted to boolean usage 2008-12-05 18:29:47 +01:00			`$managehome = true,`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`$homedir_mode = '0750',`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`$sshkey = 'absent',`
enhanced user with advanced password management stuff 2008-10-25 22:46:48 +02:00			`$password = 'absent',`
adjusted to boolean usage 2008-12-05 18:29:47 +01:00			`$password_crypted = true,`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`$shell = 'absent'`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`){`

			`$real_homedir = $homedir ? {`
			`'absent' => "/home/$name",`
			`default => $homedir`
			`}`

			`$real_name_comment = $name_comment ? {`
			`'absent' => $name,`
			`default => $name_comment,`
			`}`

			`$real_shell = $shell ? {`
			`'absent' => $operatingsystem ? {`
			`openbsd => "/usr/local/bin/bash",`
			`default => "/bin/bash",`
			`},`
			`default => $shell,`
			`}`

added length check to usernames 2009-04-30 15:43:14 +02:00			`if strlength($name) > 32 {`
			`fail("Usernames can't be longer than 32 characters. ${name} is too long!")`
			`}`

refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`user { $name:`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`ensure => $ensure,`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`allowdupe => false,`
			`comment => "$real_name_comment",`
			`home => $real_homedir,`
			`managehome => $managehome,`
			`shell => $real_shell,`
			`groups => $groups,`
			`membership => $membership,`
			`}`

added define to manage sftponly users 2008-10-20 22:51:36 +02:00
adjusted to boolean usage 2008-12-05 18:29:47 +01:00			`if $managehome {`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`if $ensure == 'absent' {`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`file{"$real_homedir":`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`ensure => absent,`
			`purge => true,`
			`force => true,`
			`recurese => true,`
added define to manage sftponly users 2008-10-20 22:51:36 +02:00			`}`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`} else {`
			`file{"$real_homedir":`
			`ensure => directory,`
			`require => User[$name],`
			`owner => $name, mode => $homedir_mode;`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`}`
rearranged things so that the gid can automatically be set the same as uid 2008-11-22 16:12:32 +01:00			`case $gid {`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`'absent','uid': {`
			`File[$real_homedir]{`
			`group => $name,`
rearranged things so that the gid can automatically be set the same as uid 2008-11-22 16:12:32 +01:00			`}`
			`}`
			`default: {`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`File[$real_homedir]{`
			`group => $gid,`
			`}`
rearranged things so that the gid can automatically be set the same as uid 2008-11-22 16:12:32 +01:00			`}`
			`}`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`}`
			`}`

			`if $uid != 'absent' {`
			`User[$name]{`
			`uid => $uid,`
			`}`
			`}`

			`if $gid != 'absent' {`
fixed some logic 2009-03-13 00:33:08 +01:00			`if $gid == 'uid' {`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`if $uid != 'absent' {`
			`$real_gid = $uid`
			`}`
			`} else {`
			`$real_gid = $gid`
			`}`
			`if $real_gid {`
			`User[$name]{`
			`gid => $real_gid,`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`}`
			`}`
			`}`

used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`if $name != 'root' {`
			`if $uid == 'absent' {`
fixed some logic 2009-03-13 00:33:08 +01:00			`if $manage_group and ($ensure == 'absent') {`
on linux systems we don't need to remove the primary group of a user 2009-04-30 15:19:59 +02:00			`case $operatingsystem {`
			`'OpenBSD': {`
			`group{$name:`
fixed some logic 2009-03-13 00:33:08 +01:00			`ensure => absent,`
on linux systems we don't need to remove the primary group of a user 2009-04-30 15:19:59 +02:00			`}`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`}`
on linux systems we don't need to remove the primary group of a user 2009-04-30 15:19:59 +02:00			`}`
fixing some regression from the last change 2008-11-22 16:20:59 +01:00			`}`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`} else {`
			`if $manage_group {`
			`group { $name:`
			`allowdupe => false,`
			`ensure => $ensure,`
			`}`
			`if $real_gid {`
			`Group[$name]{`
			`gid => $real_gid,`
			`}`
			`}`
			`}`
some whitespaces cleanup 2009-01-07 01:53:41 +01:00			`}`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`}`

we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`case $ensure {`
			`present: {`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`if $sshkey != 'absent' {`
			`User[$name]{`
			`before => Class[$sshkey],`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`}`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`include $sshkey`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`}`
added a generate password function 2008-10-25 22:31:44 +02:00
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`if $password != 'absent' {`
			`case $operatingsystem {`
			`openbsd: {`
			`exec { "setpass ${name}":`
			`unless => "grep -q '^${name}:${password}:' /etc/master.passwd",`
			`command => "usermod -p '${password}' ${name}",`
			`require => User["${name}"],`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`}`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`}`
			`default: {`
			`include ruby-libshadow`
			`if $password_crypted {`
			`$real_password = $password`
			`} else {`
			`if $password_salt {`
			`$real_password = mkpasswd($password,$password_salt)`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`} else {`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`fail("To use unencrypted passwords you have to define a variable \$password_salt to an 8 character salt for passwords!")`
enhanced user with advanced password management stuff 2008-10-25 22:46:48 +02:00			`}`
			`}`
used the new language constructs to make it a lot more readable 2009-03-13 00:25:54 +01:00			`User[$name]{`
			`password => $real_password,`
			`require => Package['ruby-libshadow'],`
			`}`
added a generate password function 2008-10-25 22:31:44 +02:00			`}`
			`}`
			`}`
			`}`
			`}`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`}`

rearranged things so that the gid can automatically be set the same as uid 2008-11-22 16:12:32 +01:00			`# gid: by default it will take the same as the uid`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`define user::sftp_only(`
we can no set a user absent and cleaning everything up 2009-03-07 12:53:21 +01:00			`$ensure = present,`
adjusted to boolean usage 2008-12-05 18:29:47 +01:00			`$managehome = false,`
enable possibility to set uid and gid 2008-11-09 16:16:20 +01:00			`$uid = 'absent',`
rearranged things so that the gid can automatically be set the same as uid 2008-11-22 16:12:32 +01:00			`$gid = 'uid',`
fixing escape sequence 2008-11-07 20:38:19 +01:00			`$homedir_mode = '0750',`
enhanced user with advanced password management stuff 2008-10-25 22:46:48 +02:00			`$password = 'absent',`
fixed typo 2008-12-05 18:37:24 +01:00			`$password_crypted = true`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`) {`
			`include user::groups::sftponly`
we should not use action verbs in names, managed is slightly better, but not yet that good 2008-12-01 23:45:57 +01:00			`user::managed{"${name}":`
pass ensure really everywhere 2009-03-12 23:49:51 +01:00			`ensure => $ensure,`
enable possibility to set uid and gid 2008-11-09 16:16:20 +01:00			`uid => $uid,`
			`gid => $gid,`
fixed comment for user, should be one string 2008-10-20 23:02:54 +02:00			`name_comment => "SFTP-only_user_${name}",`
added define to manage sftponly users 2008-10-20 22:51:36 +02:00			`groups => [ 'sftponly' ],`
fixing escape sequence 2008-11-07 20:38:19 +01:00			`managehome => $managehome,`
			`homedir_mode => $homedir_mode,`
added define to manage sftponly users 2008-10-20 22:51:36 +02:00			`shell => $operatingsystem ? {`
			`debian => '/usr/sbin/nologin',`
			`ubuntu => '/usr/sbin/nologin',`
			`default => '/sbin/nologin'`
			`},`
added a generate password function 2008-10-25 22:31:44 +02:00			`password => $password,`
enhanced user with advanced password management stuff 2008-10-25 22:46:48 +02:00			`password_crypted => $password_crypted,`
added define to manage sftponly users 2008-10-20 22:51:36 +02:00			`require => Group['sftponly'],`
			`}`
refactored defines into defines.pp 2008-10-20 22:51:27 +02:00			`}`