X-Git-Url: https://git.madduck.net/puppet/sudo.git/blobdiff_plain/a41031a7e26f452ac4f15664d85f5f4568f52780..e695c50d1b3df0b0f7a93fe1da0d87c7cd327bb3:/manifests/defaults.pp?ds=inline
diff --git a/manifests/defaults.pp b/manifests/defaults.pp
new file mode 100644
index 0000000..99919fd
--- /dev/null
+++ b/manifests/defaults.pp
@@ -0,0 +1,105 @@
+class sudo::defaults (
+ Optional[String[1]] $sudogroup = undef,
+ Boolean $root_may_sudo = true,
+ Optional[Hash] $generic = undef,
+ Optional[Hash] $user = undef,
+ Optional[Hash] $host = undef,
+ Optional[Hash] $runas = undef,
+ Optional[Hash] $cmnd = undef,
+) {
+ $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] }
+ sudo::alias { "LOCALHOST":
+ type => host,
+ list => [ "localhost"
+ , $netfacts[hostname]
+ , $netfacts[fqdn]
+ ],
+ }
+
+ if $sudogroup {
+ $sudogroup_target = "00-sudogroup"
+
+ group { "$sudogroup":
+ ensure => present,
+ system => true
+ }->
+ sudo::rule { "sudogroup":
+ who => "%$sudogroup",
+ where => "LOCALHOST",
+ require => Sudo::Alias["LOCALHOST"],
+ what => "PASSWD: ALL",
+ target => "$sudogroup_target",
+ comment => "Members of the ${sudogroup} group can use sudo (with password)",
+ }
+ }
+
+ if $root_may_sudo {
+ $rootsudo_target = "00-root_may_sudo"
+
+ sudo::option { "syslog":
+ value => false,
+ context => user,
+ list => "root",
+ target => "$rootsudo_target",
+ comment => "No need to log root usage of sudo",
+ }->
+ sudo::rule { "root_may_sudo":
+ who => "root",
+ where => "LOCALHOST",
+ require => Sudo::Alias["LOCALHOST"],
+ what => "NOPASSWD: ALL",
+ target => "$rootsudo_target",
+ comment => "root may inadvertedly run sudo, so let them:",
+ }
+ }
+
+ if $generic {
+ concat::fragment { "sudo::defaults::generic comment":
+ target => "sudoers_file_$sudo::default_target",
+ order => 14,
+ content => "\n# Generated from the sudo::defaults::generic class parameter:\n",
+ }
+ $generic.each | $param, $value | {
+ sudo::option { "$param":
+ value => $value,
+ order => 15,
+ newline_before => false,
+ require => Concat::Fragment["sudo::defaults::generic comment"],
+ }
+ }
+ concat::fragment { "sudo::defaults::generic end":
+ target => "sudoers_file_$sudo::default_target",
+ order => 16,
+ content => "# End sudo::defaults::generic class parameters\n",
+ }
+ }
+
+ $context_hash = 
{"user"=>$user,"host"=>$host,"runas"=>$runas,"cmnd"=>$cmnd}
+ $context_hash.keys.each | $index, $context | {
+ $defaults = $context_hash[$context]
+ if $defaults {
+ concat::fragment { "sudo::defaults::${context} comment":
+ target => "sudoers_$default_target",
+ order => 17 + $index * 3,
+ content => "\n# Generated from the sudo::defaults::${context} class parameter:\n",
+ }
+ $defaults.each | $list, $items | {
+ $items.each | $param, $value | {
+ sudo::option { "${context}_${list}_${param}":
+ parameter => $param,
+ context => $context,
+ list => $list,
+ value => $value,
+ order => 18 + $index * 3,
+ newline_before => false,
+ }
+ }
+ }
+ concat::fragment { "sudo::defaults::${context} end":
+ target => "sudoers_$default_target",
+ order => 19 + $index * 3,
+ content => "# End sudo::defaults::${context} class parameters\n",
+ }
+ }
+ }
+}
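Review bot: The two concat::fragment resources in the per-context loop use `target => "sudoers_$default_target"`, while the generic section earlier in the same hunk writes to `"sudoers_file_$sudo::default_target"`; `$default_target` is neither a parameter of nor assigned in this class, so unless it happens to resolve from top scope the user/host/runas/cmnd fragments are aimed at a different (likely nonexistent) concat target than the generic ones, and with strict_variables the catalog fails to compile. Both occurrences should read `target => "sudoers_file_$sudo::default_target",`. Separately, `$sudogroup` is interpolated unvalidated into the `%$sudogroup` sudoers spec and the group title — `String[1]` only rules out the empty string, so a value containing whitespace or `:` would produce a malformed or unintentionally broader rule; a stricter type such as `Optional[Pattern[/\A[a-z_][a-z0-9_-]*\z/]]` would reject that at compile time. Note also that the `sudo::option { "syslog": value => false ... list => "root" }` resource removes the syslog record of root's sudo invocations, which is an audit gap worth a dedicated parameter rather than being tied to `$root_may_sudo`.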