diff --git a/manifests/groups/manage_user.pp b/manifests/groups/manage_user.pp index 9df3a20..c0afdef 100644 --- a/manifests/groups/manage_user.pp +++ b/manifests/groups/manage_user.pp @@ -1,27 +1,27 @@ define user::groups::manage_user( - $ensure = 'present', - $group, - $user = 'absent' + $ensure = 'present', + $group, + $user = 'absent' ){ - if ($user != 'absent'){ - $real_user = $user - } else { - $real_user = $name - } + if ($user != 'absent'){ + $real_user = $user + } else { + $real_user = $name + } - augeas{"manage_${real_user}_in_group_${group}": - context => '/files/etc/group', + augeas{"manage_${real_user}_in_group_${group}": + context => '/files/etc/group', + } + if ($ensure == 'present'){ + Augeas["manage_${real_user}_in_group_${group}"]{ + changes => [ "set ${group}/user[last()+1] ${real_user}" ], + onlyif => "match ${group}/*[../user='${real_user}'] size == 0" } - if ($ensure == 'present'){ - Augeas["manage_${real_user}_in_group_${group}"]{ - changes => [ "set ${group}/user[last()+1] ${real_user}" ], - onlyif => "match ${group}/*[../user='${real_user}'] size == 0" - } - } else { - Augeas["manage_${real_user}_in_group_${group}"]{ - changes => "rm ${group}/user[.='${real_user}']", - } + } else { + Augeas["manage_${real_user}_in_group_${group}"]{ + changes => "rm ${group}/user[.='${real_user}']", } + } } diff --git a/manifests/groups/sftponly.pp b/manifests/groups/sftponly.pp index f578803..e427443 100644 --- a/manifests/groups/sftponly.pp +++ b/manifests/groups/sftponly.pp @@ -1,8 +1,8 @@ # manifests/groups/sftponly.pp class user::groups::sftponly { - group{'sftponly': - ensure => present, - gid => 10000, - } + group{'sftponly': + ensure => present, + gid => 10000, + } } diff --git a/manifests/managed.pp b/manifests/managed.pp index 2018bc1..51ab964 100644 --- a/manifests/managed.pp +++ b/manifests/managed.pp 
@@ -22,194 +22,194 @@ # if you supply a uid. # Default: true define user::managed( - $ensure = present, - $name_comment = 'absent', - $uid = 'absent', - $gid = 'uid', - $groups = [], - $manage_group = true, - $membership = 'minimum', - $homedir = 'absent', - $managehome = true, - $homedir_mode = '0750', - $sshkey = 'absent', - $password = 'absent', - $password_crypted = true, - $allowdupe = false, - $shell = 'absent' + $ensure = present, + $name_comment = 'absent', + $uid = 'absent', + $gid = 'uid', + $groups = [], + $manage_group = true, + $membership = 'minimum', + $homedir = 'absent', + $managehome = true, + $homedir_mode = '0750', + $sshkey = 'absent', + $password = 'absent', + $password_crypted = true, + $allowdupe = false, + $shell = 'absent' ){ - $real_homedir = $homedir ? { - 'absent' => "/home/$name", - default => $homedir - } + $real_homedir = $homedir ? { + 'absent' => "/home/$name", + default => $homedir + } - $real_name_comment = $name_comment ? { - 'absent' => $name, - default => $name_comment, - } + $real_name_comment = $name_comment ? { + 'absent' => $name, + default => $name_comment, + } - $real_shell = $shell ? { - 'absent' => $operatingsystem ? { - openbsd => "/usr/local/bin/bash", - default => "/bin/bash", - }, - default => $shell, - } + $real_shell = $shell ? { + 'absent' => $::operatingsystem ? { + openbsd => "/usr/local/bin/bash", + default => "/bin/bash", + }, + default => $shell, + } - if size($name) > 31 { - fail("Usernames can't be longer than 31 characters. ${name} is too long!") - } + if size($name) > 31 { + fail("Usernames can't be longer than 31 characters. 
${name} is too long!") + } - user { $name: - ensure => $ensure, - allowdupe => $allowdupe, - comment => "$real_name_comment", - home => $real_homedir, - managehome => $managehome, - shell => $real_shell, - groups => $groups, - membership => $membership, - } + user { $name: + ensure => $ensure, + allowdupe => $allowdupe, + comment => "$real_name_comment", + home => $real_homedir, + managehome => $managehome, + shell => $real_shell, + groups => $groups, + membership => $membership, + } - if $managehome { - file{$real_homedir: } - if $ensure == 'absent' { - File[$real_homedir]{ - ensure => absent, - purge => true, - force => true, - recurse => true, - } - } else { - File[$real_homedir]{ - ensure => directory, - require => User[$name], - owner => $name, mode => $homedir_mode, - } - case $gid { - 'absent','uid': { - File[$real_homedir]{ - group => $name, - } - } - default: { - File[$real_homedir]{ - group => $gid, - } - } - } + if $managehome { + file{$real_homedir: } + if $ensure == 'absent' { + File[$real_homedir]{ + ensure => absent, + purge => true, + force => true, + recurse => true, + } + } else { + File[$real_homedir]{ + ensure => directory, + require => User[$name], + owner => $name, mode => $homedir_mode, + } + case $gid { + 'absent','uid': { + File[$real_homedir]{ + group => $name, + } } - } - - if $uid != 'absent' { - User[$name]{ - uid => $uid, + default: { + File[$real_homedir]{ + group => $gid, + } } + } } + } - if $gid != 'absent' { - if $gid == 'uid' { - if $uid != 'absent' { - $real_gid = $uid + if $uid != 'absent' { + User[$name]{ + uid => $uid, + } + } + + if $gid != 'absent' { + if $gid == 'uid' { + if $uid != 'absent' { + $real_gid = $uid + } + } else { + $real_gid = $gid + } + if $real_gid { + User[$name]{ + gid => $real_gid, + } + } + } + + if $name != 'root' { + if $uid == 'absent' { + if $manage_group and ($ensure == 'absent') { + group{$name: + ensure => absent, + } + case $::operatingsystem { + OpenBSD: { + Group[$name]{ + before => 
User[$name], } - } else { - $real_gid = $gid + } + default: { + Group[$name]{ + require => User[$name], + } + } + } + } + } else { + if $manage_group { + group { $name: + allowdupe => false, + ensure => $ensure, } if $real_gid { - User[$name]{ - gid => $real_gid, - } + Group[$name]{ + gid => $real_gid, + } } - } - - if $name != 'root' { - if $uid == 'absent' { - if $manage_group and ($ensure == 'absent') { - group{$name: - ensure => absent, - } - case $operatingsystem { - OpenBSD: { - Group[$name]{ - before => User[$name], - } - } - default: { - Group[$name]{ - require => User[$name], - } - } + if $ensure == 'absent' { + case $::operatingsystem { + OpenBSD: { + Group[$name]{ + before => User[$name], } } + default: { + Group[$name]{ + require => User[$name], + } + } + } } else { - if $manage_group { - group { $name: - allowdupe => false, - ensure => $ensure, - } - if $real_gid { - Group[$name]{ - gid => $real_gid, - } - } - if $ensure == 'absent' { - case $operatingsystem { - OpenBSD: { - Group[$name]{ - before => User[$name], - } - } - default: { - Group[$name]{ - require => User[$name], - } - } - } - } else { - Group[$name]{ - before => User[$name], - } - } - } + Group[$name]{ + before => User[$name], + } } + } } - case $ensure { - present: { - if $sshkey != 'absent' { - User[$name]{ - before => Class[$sshkey], - } - include $sshkey - } + } + case $ensure { + present: { + if $sshkey != 'absent' { + User[$name]{ + before => Class[$sshkey], + } + include $sshkey + } - if $password != 'absent' { - case $operatingsystem { - openbsd: { - exec { "setpass ${name}": - unless => "grep -q '^${name}:${password}:' /etc/master.passwd", - command => "usermod -p '${password}' ${name}", - require => User["${name}"], - } - } - default: { - require ruby::shadow - if $password_crypted { - $real_password = $password - } else { - if $password_salt { - $real_password = mkpasswd($password,$password_salt) - } else { - fail("To use unencrypted passwords you have to define a variable 
\$password_salt to an 8 character salt for passwords!") - } - } - User[$name]{ - password => $real_password, - } - } - } + if $password != 'absent' { + case $::operatingsystem { + openbsd: { + exec { "setpass ${name}": + unless => "grep -q '^${name}:${password}:' /etc/master.passwd", + command => "usermod -p '${password}' ${name}", + require => User["${name}"], } + } + default: { + require ruby::shadow + if $password_crypted { + $real_password = $password + } else { + if $password_salt { + $real_password = mkpasswd($password,$password_salt) + } else { + fail("To use unencrypted passwords you have to define a variable \$password_salt to an 8 character salt for passwords!") + } + } + User[$name]{ + password => $real_password, + } + } } + } } + } } diff --git a/manifests/openbsd/defaults.pp b/manifests/openbsd/defaults.pp index b2f6d4a..d724a6a 100644 --- a/manifests/openbsd/defaults.pp +++ b/manifests/openbsd/defaults.pp @@ -1,14 +1,14 @@ # manifests/openbsd/defaults.pp class user::openbsd::defaults { - # we need this somehow to mange it - user::managed{root: - name => 'root', - name_comment => 'Charlie &', - uid => '0', - gid => '0', - homedir => '/root', - homedir_mode => '0700', - } + # we need this somehow to mange it + user::managed{root: + name => 'root', + name_comment => 'Charlie &', + uid => '0', + gid => '0', + homedir => '/root', + homedir_mode => '0700', + } } diff --git a/manifests/sftp_only.pp b/manifests/sftp_only.pp index b77d5b1..0990af2 100644 --- a/manifests/sftp_only.pp +++ b/manifests/sftp_only.pp 
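Review bot: `$password_salt`, read in the `default:` branch of `case $::operatingsystem` under `if $password != 'absent'`, is not in the define's parameter list, so it is still resolved through dynamic scope while this same hunk moves every `$operatingsystem` lookup to `$::operatingsystem`; declare it explicitly, `$password_salt = 'absent',` in the parameter list with `if $password_salt != 'absent' {` in place of `if $password_salt {`, or read it as `$::password_salt`. In the `openbsd:` branch the password hash is interpolated unquoted into `unless => "grep -q '^${name}:${password}:' /etc/master.passwd"` and `command => "usermod -p '${password}' ${name}"`: a hash containing a single quote breaks the shell quoting, `.` in the grep pattern is a regex metacharacter, and the hash is visible to other local users in the process list while `usermod` runs, so pass it through `shellquote()` and consider a wrapper that reads the value from stdin. That `exec` also sets no `path`, so unless an `Exec` resource default is declared elsewhere Puppet will reject the unqualified `grep` and `usermod`. The fact value is compared case-insensitively in this Puppet generation, but the file spells it `openbsd` in the `$real_shell` selector and the password `case` and `OpenBSD` in the two group `case` blocks; use the fact's canonical `OpenBSD` everywhere, and likewise `Debian`/`Ubuntu` in the shell selector of manifests/sftp_only.pp, so the manifests keep working once case/selector matching becomes case-sensitive.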
@@ -1,30 +1,30 @@ # gid: by default it will take the same as the uid define user::sftp_only( - $ensure = present, - $managehome = false, - $uid = 'absent', - $gid = 'uid', - $homedir = 'absent', - $homedir_mode = '0750', - $password = 'absent', - $password_crypted = true + $ensure = present, + $managehome = false, + $uid = 'absent', + $gid = 'uid', + $homedir = 'absent', + $homedir_mode = '0750', + $password = 'absent', + $password_crypted = true ) { - require user::groups::sftponly - user::managed{"${name}": - ensure => $ensure, - uid => $uid, - gid => $gid, - name_comment => "SFTP-only_user_${name}", - groups => [ 'sftponly' ], - managehome => $managehome, - homedir => $homedir, - homedir_mode => $homedir_mode, - shell => $operatingsystem ? { - debian => '/usr/sbin/nologin', - ubuntu => '/usr/sbin/nologin', - default => '/sbin/nologin' - }, - password => $password, - password_crypted => $password_crypted; - } + require user::groups::sftponly + user::managed{$name: + ensure => $ensure, + uid => $uid, + gid => $gid, + name_comment => "SFTP-only_user_${name}", + groups => [ 'sftponly' ], + managehome => $managehome, + homedir => $homedir, + homedir_mode => $homedir_mode, + shell => $::operatingsystem ? { + debian => '/usr/sbin/nologin', + ubuntu => '/usr/sbin/nologin', + default => '/sbin/nologin' + }, + password => $password, + password_crypted => $password_crypted; + } }
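Review bot: The only documentation for `user::sftp_only` is the `# gid:` line at the top of the hunk, while the define takes eight parameters and the security-relevant behaviour is implicit in the body; add a header comment above `define user::sftp_only(` stating that it creates a user in the `sftponly` group with a `nologin` shell so the account can only be used for SFTP, and document each parameter in the same `# name: meaning` style, in particular that `password` is passed through to `user::managed` and is treated as an already-hashed value because `password_crypted` defaults to `true`, and that `managehome` defaults to `false` here unlike `user::managed`. Since the hunk starts at line 1 the define has no earlier comment block that could cover this.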