X-Git-Url: https://git.madduck.net/puppet/sudo.git/blobdiff_plain/702516c76bcb84c9d02b2410d69a72be75580907..HEAD:/manifests/init.pp diff --git a/manifests/init.pp b/manifests/init.pp index 5e807d6..aacc2a7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -75,178 +75,3 @@ class sudo ( } } } - -class sudo::install { - - package { "sudo": - ensure => latest, - } -} - -class sudo::files ( -) { - $include_directory = $sudo::include_directory - file { default: - * => $sudo::file_defaults - ; - "/etc/sudoers": - content => template("sudo/sudoers.erb"), - validate_cmd => "visudo --check --strict --file=%", - ; - "$include_directory": - mode => "0770", - recurse => true, - purge => true, - ignore => ["*.local","*-local-*","local-*"], - ; - "$include_directory/README": - content => @(EOT) - # This directory is managed by Puppet - # - # Local files can be named any of: - # - local-* - # - *-local-* - # - *.local - | EOT - ; - } -} - -class sudo::defaults ( - Optional[String[1]] $sudogroup = undef, - Boolean $root_may_sudo = true, - Optional[Hash] $generic = undef, - Optional[Hash] $user = undef, - Optional[Hash] $host = undef, - Optional[Hash] $runas = undef, - Optional[Hash] $cmnd = undef, -) { - $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] } - sudo::alias { "LOCALHOST": - type => host, - list => [ "localhost" - , $netfacts[hostname] - , $netfacts[fqdn] - ], - } - - if $sudogroup { - $sudogroup_target = "00-sudogroup" - - group { "$sudogroup": - ensure => present, - system => true - }-> - sudo::rule { "sudogroup": - who => "%$sudogroup", - where => "LOCALHOST", - require => Sudo::Alias["LOCALHOST"], - what => "PASSWD: ALL", - target => "$sudogroup_target", - comment => "Members of the ${sudogroup} group can use sudo (with password)", - } - } - - if $root_may_sudo { - $rootsudo_target = "00-root_may_sudo" - - sudo::option { "syslog": - value => false, - context => user, - list => "root", - target => "$rootsudo_target", - comment => "No need to log root usage of sudo", - }-> - sudo::rule { "root_may_sudo": - who => "root", - where => "LOCALHOST", - require => Sudo::Alias["LOCALHOST"], - what => "NOPASSWD: ALL", - target => "$rootsudo_target", - comment => "root may inadvertedly run sudo, so let them:", - } - } - - if $generic { - concat::fragment { "sudo::defaults::generic comment": - target => "sudoers_file_$sudo::default_target", - order => 14, - content => "\n# Generated from the sudo::defaults::generic class parameter:\n", - } - $generic.each | $param, $value | { - sudo::option { "$param": - value => $value, - order => 15, - newline_before => false, - require => Concat::Fragment["sudo::defaults::generic comment"], - } - } - concat::fragment { "sudo::defaults::generic end": - target => "sudoers_file_$sudo::default_target", - order => 16, - content => "# End sudo::defaults::generic class parameters\n", - } - } - - $context_hash = {"user"=>$user,"host"=>$host,"runas"=>$runas,"cmnd"=>$cmnd} - $context_hash.keys.each | $index, $context | { - $defaults = $context_hash[$context] - if $defaults { - concat::fragment { "sudo::defaults::${context} comment": - target => "sudoers_$default_target", - order => 17 + $index * 3, - content => "\n# Generated from the sudo::defaults::${context} class parameter:\n", - } - $defaults.each | $list, $items | { - $items.each | $param, $value | { - sudo::option { "${context}_${list}_${param}": - parameter => $param, - context => $context, - list => $list, - value => $value, - order => 18 + $index * 3, - newline_before => false, - } - } - } - concat::fragment { "sudo::defaults::${context} end": - target => "sudoers_$default_target", - order => 19 + $index * 3, - content => "# End sudo::defaults::${context} class parameters\n", - } - } - } -} - -class sudo::internals { - - define add_sudoers_fragment ( - String[1] $target, - String[1] $content, - Integer $order, - Optional[String[1]] $comment = undef, - ) { - sudo::internals::ensure_sudoers_file { "${name}": - target => $target - } - $ts = strftime("%s.%N") - # include the timestamp to preserve order in the output if execution - # is ordered - concat::fragment { "${ts}_sudoers_fragment_${target}_${name}": - target => "sudoers_file_${target}", - content => $content, - order => $order, - } - } - define ensure_sudoers_file( - String[1] $target, - ) { - ensure_resource('concat', "sudoers_file_${target}", { - tag => "${target}", - path => "${sudo::include_directory}/$target", - warn => "# THIS FILE IS MANAGED BY PUPPET; CHANGES WILL BE OVERWRITTEN\n", - require => File[$sudo::include_directory], - } + $sudo::file_defaults, - ) - } -}