+class sudo::defaults (
+ Optional[String[1]] $sudogroup = undef,
+ Boolean $root_may_sudo = true,
+ Optional[Hash] $generic = undef,
+ Optional[Hash] $user = undef,
+ Optional[Hash] $host = undef,
+ Optional[Hash] $runas = undef,
+ Optional[Hash] $cmnd = undef,
+) {
+ $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] }
+ sudo::alias { "LOCALHOST":
+ type => host,
+ list => [ "localhost"
+ , $netfacts[hostname]
+ , $netfacts[fqdn]
+ ],
+ }
+
+ if $sudogroup {
+ $sudogroup_target = "00-sudogroup"
+
+ group { "$sudogroup":
+ ensure => present,
+ system => true
+ }->
+ sudo::rule { "sudogroup":
+ who => "%$sudogroup",
+ where => "LOCALHOST",
+ require => Sudo::Alias["LOCALHOST"],
+ what => "PASSWD: ALL",
+ target => "$sudogroup_target",
+ comment => "Members of the ${sudogroup} group can use sudo (with password)",
+ }
+ }
+
+ if $root_may_sudo {
+ $rootsudo_target = "00-root_may_sudo"
+
+ sudo::option { "syslog":
+ value => false,
+ context => user,
+ list => "root",
+ target => "$rootsudo_target",
+ comment => "No need to log root usage of sudo",
+ }->
+ sudo::rule { "root_may_sudo":
+ who => "root",
+ where => "LOCALHOST",
+ require => Sudo::Alias["LOCALHOST"],
+ what => "NOPASSWD: ALL",
+ target => "$rootsudo_target",
+ comment => "root may inadvertedly run sudo, so let them:",
+ }
+ }
+
+ if $generic {
+ concat::fragment { "sudo::defaults::generic comment":
+ target => "sudoers_file_$sudo::default_target",
+ order => 14,
+ content => "\n# Generated from the sudo::defaults::generic class parameter:\n",
+ }
+ $generic.each | $param, $value | {
+ sudo::option { "$param":
+ value => $value,
+ order => 15,
+ newline_before => false,
+ require => Concat::Fragment["sudo::defaults::generic comment"],
+ }
+ }
+ concat::fragment { "sudo::defaults::generic end":
+ target => "sudoers_file_$sudo::default_target",
+ order => 16,
+ content => "# End sudo::defaults::generic class parameters\n",
+ }
+ }
+
+ $context_hash = {"user"=>$user,"host"=>$host,"runas"=>$runas,"cmnd"=>$cmnd}
+ $context_hash.keys.each | $index, $context | {
+ $defaults = $context_hash[$context]
+ if $defaults {
+ concat::fragment { "sudo::defaults::${context} comment":
+ target => "sudoers_$default_target",
+ order => 17 + $index * 3,
+ content => "\n# Generated from the sudo::defaults::${context} class parameter:\n",
+ }
+ $defaults.each | $list, $items | {
+ $items.each | $param, $value | {
+ sudo::option { "${context}_${list}_${param}":
+ parameter => $param,
+ context => $context,
+ list => $list,
+ value => $value,
+ order => 18 + $index * 3,
+ newline_before => false,
+ }
+ }
+ }
+ concat::fragment { "sudo::defaults::${context} end":
+ target => "sudoers_$default_target",
+ order => 19 + $index * 3,
+ content => "# End sudo::defaults::${context} class parameters\n",
+ }
+ }
+ }
+}
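Review bot: The per-context fragments (`sudo::defaults::${context} comment` and `... end`) use `target => "sudoers_$default_target"`, while the generic fragments earlier in the same class use `"sudoers_file_$sudo::default_target"`. Both the prefix and the variable differ. `$default_target` is never assigned in this class body, so unless a top-scope or node-scope variable of that name exists, it will either fail under strict variables or interpolate to an empty string, and the user/host/runas/cmnd Defaults would not reach the sudoers file the rest of the module manages. Assuming the generic block has the intended name, both lines should read `target => "sudoers_file_${sudo::default_target}",`. Separately, `root_may_sudo` defaults to true and pairs `NOPASSWD: ALL` with `syslog => false` for root, which removes root's sudo invocations from the audit trail on every node that takes the defaults; I would drop that `sudo::option` or put it behind its own parameter that defaults to keeping the logging.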