#
# User module based on git://git.puppet.immerda.ch/module-user.git
#
# Password hash can be generated with mkpasswd provided by whois
# debian package: mkpasswd -m sha-256, see crypt(3) for details
# on supported hashes.
#
# NOTE(review): $password is handed unchanged to the user resource below, so
# it must already be a crypt(3) hash, never a cleartext password. Because the
# hash is part of the manifest data, manifests and catalogs carrying it are
# presumably as sensitive as the shadow file itself. Where the platform's
# crypt(3) supports it, a stronger scheme than SHA-256 crypt (for example
# SHA-512 crypt) is a reasonable choice.
#
# user::manage declares a user account named after the resource title and,
# depending on its parameters, the home directory, an hourly gpg key refresh
# cron job and one SSH authorized key.
#
# Parameters:
#   $password       - password value passed to the user resource (required).
#   $ensure         - ensure value for the user and for the SSH key.
#   $uid            - uid of the user; false leaves it unset (undef).
#   $gid            - 'uid' makes the gid follow $uid, 'absent' leaves it
#                     unset, anything else is used as the gid.
#   $groups         - groups of the user; '' is replaced by [ $title ].
#   $managehome     - true: manage the home directory as a directory;
#                     false: do not manage it; any other value is used as the
#                     title of a file resource (see the else branch below).
#   $homedir_mode   - mode of the managed home directory (default '0750').
#   $comment        - comment of the user; 'absent' falls back to $name.
#   $homedir        - home directory; 'absent' falls back to /home/$name.
#   $shell          - login shell; 'absent' picks a bash path by
#                     $operatingsystem.
#   $sshkey         - public key for ssh_authorized_key; 'absent' skips it.
#   $sshkey_options - options passed to ssh_authorized_key.
#   $sshkey_type    - key type; 'absent' falls back to ssh-rsa.
#   $membership     - membership value passed to the user resource.
#   $ticket         - not referenced anywhere in this define.
#   $refresh_keys   - true installs the gpg --refresh-keys cron job.
#
define user::manage(
  $password,
  $ensure = present,
  $uid = false,
  $gid = 'uid',
  $groups = [],
  $managehome = true,
  $homedir_mode = '0750',
  $comment = 'absent',
  $homedir = 'absent',
  $shell = 'absent',
  $sshkey = 'absent',
  $sshkey_options = [],
  $sshkey_type = 'absent',
  $membership = 'minimum',
  $ticket = false,
  $refresh_keys = false)
{
  # Resolve the 'absent' / '' placeholders to the effective values.
  $real_groups = $groups ? {
    '' => [ "$title", ],
    default => $groups,
  }
  $real_homedir = $homedir ? {
    'absent' => "/home/$name",
    default => $homedir,
  }
  $real_name_comment = $comment ? {
    'absent' => $name,
    default => $comment,
  }
  # The type has to match the key material given in $sshkey; ssh-rsa is only
  # the fallback when the caller names no type.
  $real_sshkey_type = $sshkey_type ? {
    'absent' => "ssh-rsa",
    default => $sshkey_type,
  }
  $real_shell = $shell ? {
    'absent' => $operatingsystem ? {
      openbsd => "/usr/local/bin/bash",
      default => "/bin/bash",
    },
    default => $shell,
  }

  if $managehome == true {
    if $ensure == 'absent' {
      # Removing the user also removes the home directory tree. With force
      # and recurse set, everything below $real_homedir is deleted, so a
      # caller-supplied $homedir that points at a shared or system path
      # removes that path.
      file{"$real_homedir":
        ensure => absent,
        purge => true,
        force => true,
        recurse => true,
      }
    } else {
      # Home directory owned by the user; the default mode '0750' gives
      # "other" no access.
      file{"$real_homedir":
        ensure => directory,
        require => User[$name],
        owner => $name,
        mode => $homedir_mode;
      }
      # Add the group to the file resource declared above: the user's own
      # name when the gid follows the uid or is unmanaged, else $gid.
      case $gid {
        'absent','uid': {
          File[$real_homedir]{
            group => $name,
          }
        }
        default: {
          File[$real_homedir]{
            group => $gid,
          }
        }
      }
    }
  } else {
    if $managehome != false {
      # $managehome is neither true nor false here and is used as a file
      # resource title. The file is only declared if nothing else declared
      # it; the group below is added to whichever declaration exists.
      if !defined(File[$managehome]) {
        file { $managehome:
          ensure => present,
          owner => $name,
          mode => $homedir_mode,
          require => User[$name],
        }
      }
      case $gid {
        'absent','uid': {
          File[$managehome] {
            group => $name,
          }
        }
        default: {
          File[$managehome] {
            group => $gid,
          }
        }
      }
      # NOTE(review): ensure is set to the $managehome value itself --
      # presumably this makes $real_homedir a symlink to that path; confirm.
      file{ "$real_homedir":
        ensure => $managehome,
        require => File[$managehome],
      }
    }
  }

  # Work out the gid for the user resource; false means "leave unset".
  if $gid != 'absent' {
    if $gid == 'uid' {
      # $uid defaults to false, not 'absent', so this test is also true for
      # the default; $real_gid then becomes false and is mapped to undef in
      # the user resource below.
      if $uid != 'absent' {
        $real_gid = $uid
      } else {
        $real_gid = false
      }
    } else {
      $real_gid = $gid
    }
  } else {
    $real_gid = false
  }

  # see http://www.mail-archive.com/puppet-users@googlegroups.com/msg00795.html
  # NOTE(review): managehome receives $managehome unchanged, including the
  # case above where it holds a path rather than true/false -- confirm the
  # user type accepts that value.
  user { "$title":
    ensure => $ensure,
    # No second account may share this uid.
    allowdupe => false,
    comment => "$real_name_comment",
    home => $real_homedir,
    managehome => $managehome,
    shell => $real_shell,
    groups => $real_groups,
    membership => $membership,
    password => $password,
    uid => $uid ? { false => undef, default => $uid },
    gid => $real_gid ? { false => undef, default => $real_gid },
  }

  if $refresh_keys == true {
    # Hourly, at minute 0, run gpg --refresh-keys as the user; all output is
    # discarded.
    # NOTE(review): ensure is fixed to present and does not follow $ensure,
    # so with $ensure == 'absent' the job is still declared for a user that
    # is being removed -- confirm this is intended.
    cron { "gpg-refresh-keys-${title}":
      command => "/usr/bin/gpg --refresh-keys > /dev/null 2>&1",
      user => $title,
      hour => "*/1",
      minute => "0",
      ensure => present,
      require => User[$title],
    }
  }

  # lots of bugs preventing a good implementation for ssh keys
  # http://projects.reductivelabs.com/issues/1409
  # http://projects.reductivelabs.com/issues/2004
  # http://projects.reductivelabs.com/issues/2020
  # http://groups.google.com/group/puppet-users/browse_thread/thread/131bc7cdc507e3c8/6b61dbcd0b6a68b5?lnk=raot
  if $sshkey != 'absent' {
    # One authorized key in the user's own authorized_keys file. $sshkey and
    # $sshkey_options are passed through as given; nothing in this define
    # validates them. Only this one key is declared; other entries in the
    # file are not addressed by this define.
    # NOTE(review): with $ensure == 'absent' the key removal still requires
    # User[$title], so it is ordered after the user resource -- confirm that
    # this works once the account is gone.
    ssh_authorized_key { "$title":
      ensure => $ensure,
      key => $sshkey,
      user => $title,
      options => $sshkey_options,
      type => $real_sshkey_type,
      target => "$real_homedir/.ssh/authorized_keys",
      require => User["$title"],
    }
  }
}