From: martin f. krafft Date: Tue, 24 Mar 2020 00:50:27 +0000 (+0100) Subject: split into files X-Git-Url: https://git.madduck.net/puppet/sudo.git/commitdiff_plain/HEAD?ds=inline split into files --- diff --git a/manifests/defaults.pp b/manifests/defaults.pp new file mode 100644 index 0000000..99919fd --- /dev/null +++ b/manifests/defaults.pp 
@@ -0,0 +1,105 @@ +class sudo::defaults ( + Optional[String[1]] $sudogroup = undef, + Boolean $root_may_sudo = true, + Optional[Hash] $generic = undef, + Optional[Hash] $user = undef, + Optional[Hash] $host = undef, + Optional[Hash] $runas = undef, + Optional[Hash] $cmnd = undef, +) { + $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] } + sudo::alias { "LOCALHOST": + type => host, + list => [ "localhost" + , $netfacts[hostname] + , $netfacts[fqdn] + ], + } + + if $sudogroup { + $sudogroup_target = "00-sudogroup" + + group { "$sudogroup": + ensure => present, + system => true + }-> + sudo::rule { "sudogroup": + who => "%$sudogroup", + where => "LOCALHOST", + require => Sudo::Alias["LOCALHOST"], + what => "PASSWD: ALL", + target => "$sudogroup_target", + comment => "Members of the ${sudogroup} group can use sudo (with password)", + } + } + + if $root_may_sudo { + $rootsudo_target = "00-root_may_sudo" + + sudo::option { "syslog": + value => false, + context => user, + list => "root", + target => "$rootsudo_target", + comment => "No need to log root usage of sudo", + }-> + sudo::rule { "root_may_sudo": + who => "root", + where => "LOCALHOST", + require => Sudo::Alias["LOCALHOST"], + what => "NOPASSWD: ALL", + target => "$rootsudo_target", + comment => "root may inadvertedly run sudo, so let them:", + } + } + + if $generic { + concat::fragment { "sudo::defaults::generic comment": + target => "sudoers_file_$sudo::default_target", + order => 14, + content => "\n# Generated from the sudo::defaults::generic class parameter:\n", + } + $generic.each | $param, $value | { + sudo::option { "$param": + value => $value, + order => 15, + newline_before => false, + require => Concat::Fragment["sudo::defaults::generic comment"], + } + } + concat::fragment { "sudo::defaults::generic end": + target => "sudoers_file_$sudo::default_target", + order => 16, + content => "# End sudo::defaults::generic class parameters\n", + } + } + + $context_hash = 
{"user"=>$user,"host"=>$host,"runas"=>$runas,"cmnd"=>$cmnd} + $context_hash.keys.each | $index, $context | { + $defaults = $context_hash[$context] + if $defaults { + concat::fragment { "sudo::defaults::${context} comment": + target => "sudoers_$default_target", + order => 17 + $index * 3, + content => "\n# Generated from the sudo::defaults::${context} class parameter:\n", + } + $defaults.each | $list, $items | { + $items.each | $param, $value | { + sudo::option { "${context}_${list}_${param}": + parameter => $param, + context => $context, + list => $list, + value => $value, + order => 18 + $index * 3, + newline_before => false, + } + } + } + concat::fragment { "sudo::defaults::${context} end": + target => "sudoers_$default_target", + order => 19 + $index * 3, + content => "# End sudo::defaults::${context} class parameters\n", + } + } + } +} diff --git a/manifests/files.pp b/manifests/files.pp new file mode 100644 index 0000000..7b8e1f9 --- /dev/null +++ b/manifests/files.pp @@ -0,0 +1,28 @@ +class sudo::files ( +) { + $include_directory = $sudo::include_directory + file { default: + * => $sudo::file_defaults + ; + "/etc/sudoers": + content => template("sudo/sudoers.erb"), + validate_cmd => "visudo --check --strict --file=%", + ; + "$include_directory": + mode => "0770", + recurse => true, + purge => true, + ignore => ["*.local","*-local-*","local-*"], + ; + "$include_directory/README": + content => @(EOT) + # This directory is managed by Puppet + # + # Local files can be named any of: + # - local-* + # - *-local-* + # - *.local + | EOT + ; + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 5e807d6..aacc2a7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
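Review bot: The per-context fragments in the `$context_hash` loop use `target => "sudoers_$default_target"`, but `$default_target` is neither a parameter of `sudo::defaults` nor assigned in its body, while the generic fragments a few lines above use `target => "sudoers_file_$sudo::default_target"` and `sudo::internals::ensure_sudoers_file` titles its concat resources `sudoers_file_${target}`. With strict variables that is a compile error; otherwise the title interpolates to `sudoers_`, a concat nothing declares, so the user/host/runas/cmnd "comment" and "end" fragments can never be assembled. Both occurrences should read `target => "sudoers_file_$sudo::default_target",`. The `sudo::option` resources inside that loop also get no explicit `target`, unlike the `sudogroup` and `root_may_sudo` ones; whether the define defaults it to `$sudo::default_target` is not visible here. Minor: the `root_may_sudo` comment string misspells "inadvertently".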
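Review bot: `mode => "0770"` on `"$include_directory"` together with `recurse => true` puts the group-write bit on the directory and on every sudoers fragment under it, because Puppet applies the managed attributes to the children it recurses into. sudo refuses sudoers files it considers writable by others, so whether the fragments are still honoured depends on the owner and group supplied by `$sudo::file_defaults`, which is outside this hunk. The directory itself only needs to be searchable by root; `mode => "0750",` is the conservative choice, with the fragment files' mode set explicitly where the concat resources are declared (`sudo::internals::ensure_sudoers_file`, in another file) rather than inherited through recursion.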
@@ -75,178 +75,3 @@ class sudo ( } } } - -class sudo::install { - - package { "sudo": - ensure => latest, - } -} - -class sudo::files ( -) { - $include_directory = $sudo::include_directory - file { default: - * => $sudo::file_defaults - ; - "/etc/sudoers": - content => template("sudo/sudoers.erb"), - validate_cmd => "visudo --check --strict --file=%", - ; - "$include_directory": - mode => "0770", - recurse => true, - purge => true, - ignore => ["*.local","*-local-*","local-*"], - ; - "$include_directory/README": - content => @(EOT) - # This directory is managed by Puppet - # - # Local files can be named any of: - # - local-* - # - *-local-* - # - *.local - | EOT - ; - } -} - -class sudo::defaults ( - Optional[String[1]] $sudogroup = undef, - Boolean $root_may_sudo = true, - Optional[Hash] $generic = undef, - Optional[Hash] $user = undef, - Optional[Hash] $host = undef, - Optional[Hash] $runas = undef, - Optional[Hash] $cmnd = undef, -) { - $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] } - sudo::alias { "LOCALHOST": - type => host, - list => [ "localhost" - , $netfacts[hostname] - , $netfacts[fqdn] - ], - } - - if $sudogroup { - $sudogroup_target = "00-sudogroup" - - group { "$sudogroup": - ensure => present, - system => true - }-> - sudo::rule { "sudogroup": - who => "%$sudogroup", - where => "LOCALHOST", - require => Sudo::Alias["LOCALHOST"], - what => "PASSWD: ALL", - target => "$sudogroup_target", - comment => "Members of the ${sudogroup} group can use sudo (with password)", - } - } - - if $root_may_sudo { - $rootsudo_target = "00-root_may_sudo" - - sudo::option { "syslog": - value => false, - context => user, - list => "root", - target => "$rootsudo_target", - comment => "No need to log root usage of sudo", - }-> - sudo::rule { "root_may_sudo": - who => "root", - where => "LOCALHOST", - require => Sudo::Alias["LOCALHOST"], - what => "NOPASSWD: ALL", - target => "$rootsudo_target", - comment => "root may inadvertedly run sudo, 
so let them:", - } - } - - if $generic { - concat::fragment { "sudo::defaults::generic comment": - target => "sudoers_file_$sudo::default_target", - order => 14, - content => "\n# Generated from the sudo::defaults::generic class parameter:\n", - } - $generic.each | $param, $value | { - sudo::option { "$param": - value => $value, - order => 15, - newline_before => false, - require => Concat::Fragment["sudo::defaults::generic comment"], - } - } - concat::fragment { "sudo::defaults::generic end": - target => "sudoers_file_$sudo::default_target", - order => 16, - content => "# End sudo::defaults::generic class parameters\n", - } - } - - $context_hash = {"user"=>$user,"host"=>$host,"runas"=>$runas,"cmnd"=>$cmnd} - $context_hash.keys.each | $index, $context | { - $defaults = $context_hash[$context] - if $defaults { - concat::fragment { "sudo::defaults::${context} comment": - target => "sudoers_$default_target", - order => 17 + $index * 3, - content => "\n# Generated from the sudo::defaults::${context} class parameter:\n", - } - $defaults.each | $list, $items | { - $items.each | $param, $value | { - sudo::option { "${context}_${list}_${param}": - parameter => $param, - context => $context, - list => $list, - value => $value, - order => 18 + $index * 3, - newline_before => false, - } - } - } - concat::fragment { "sudo::defaults::${context} end": - target => "sudoers_$default_target", - order => 19 + $index * 3, - content => "# End sudo::defaults::${context} class parameters\n", - } - } - } -} - -class sudo::internals { - - define add_sudoers_fragment ( - String[1] $target, - String[1] $content, - Integer $order, - Optional[String[1]] $comment = undef, - ) { - sudo::internals::ensure_sudoers_file { "${name}": - target => $target - } - $ts = strftime("%s.%N") - # include the timestamp to preserve order in the output if execution - # is ordered - concat::fragment { "${ts}_sudoers_fragment_${target}_${name}": - target => "sudoers_file_${target}", - content => $content, - order 
=> $order, - } - } - define ensure_sudoers_file( - String[1] $target, - ) { - ensure_resource('concat', "sudoers_file_${target}", { - tag => "${target}", - path => "${sudo::include_directory}/$target", - warn => "# THIS FILE IS MANAGED BY PUPPET; CHANGES WILL BE OVERWRITTEN\n", - require => File[$sudo::include_directory], - } + $sudo::file_defaults, - ) - } -} diff --git a/manifests/install.pp b/manifests/install.pp new file mode 100644 index 0000000..d55f00c --- /dev/null +++ b/manifests/install.pp @@ -0,0 +1,5 @@ +class sudo::install { + package { "sudo": + ensure => latest, + } +} diff --git a/manifests/internals.pp b/manifests/internals.pp new file mode 100644 index 0000000..2dfd08b --- /dev/null +++ b/manifests/internals.pp @@ -0,0 +1,32 @@ +class sudo::internals { + + define add_sudoers_fragment ( + String[1] $target, + String[1] $content, + Integer $order, + Optional[String[1]] $comment = undef, + ) { + sudo::internals::ensure_sudoers_file { "${name}": + target => $target + } + $ts = strftime("%s.%N") + # include the timestamp to preserve order in the output if execution + # is ordered + concat::fragment { "${ts}_sudoers_fragment_${target}_${name}": + target => "sudoers_file_${target}", + content => $content, + order => $order, + } + } + define ensure_sudoers_file( + String[1] $target, + ) { + ensure_resource('concat', "sudoers_file_${target}", { + tag => "${target}", + path => "${sudo::include_directory}/$target", + warn => "# THIS FILE IS MANAGED BY PUPPET; CHANGES WILL BE OVERWRITTEN\n", + require => File[$sudo::include_directory], + } + $sudo::file_defaults, + ) + } +}
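Review bot: `add_sudoers_fragment` declares `Optional[String[1]] $comment = undef` but never references it, so a comment passed by a caller is silently dropped; either remove the parameter or fold it into the fragment, e.g. `content => $comment ? { undef => $content, default => "# ${comment}\n${content}" },`. The concat declared in `ensure_sudoers_file` also gets no syntax check, whereas `/etc/sudoers` in `sudo::files` is validated with visudo; one malformed fragment in the include directory disables sudo for every user, so `validate_cmd => "visudo --check --strict --file=%",` in the `ensure_resource` hash would catch that before the file is written. The single-argument `strftime("%s.%N")` appears to be the legacy form of that function, and the timestamp in the fragment title changes on every compile; the comment above it would be clearer if it said that `order` does the sorting and the timestamp only breaks ties between equal orders.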