Puppet Class: psick::sudo

Defined in:
manifests/sudo.pp

Overview

Generic class to manage sudo

Parameters:

  • sudoers_template (Optional[String]) (defaults to: undef)

    The erb template to use for /etc/sudoers. If empty, the file is not managed.

  • admins (Array) (defaults to: [])

    The array of the users to add to the admin group

  • sudoers_d_source (Variant[String[1],Undef]) (defaults to: undef)

    The source (as used in `source =>`) to use to populate the /etc/sudoers.d directory

  • purge_sudoers_dir (Boolean) (defaults to: false)

    Whether to purge all the files existing on the local node that are not present in sudoers_d_source

  • directives

    A hash of sudo directives to pass to psick::sudo::directive. Note: this is not a real class parameter but a key looked up with lookup('psick::sudo::directives', {})

  • sudoers_owner (String) (defaults to: 'root')
  • sudoers_group (String) (defaults to: 'root')
  • manage (Boolean) (defaults to: $psick::manage)
  • noop_manage (Boolean) (defaults to: $psick::noop_manage)
  • noop_value (Boolean) (defaults to: $psick::noop_value)


# File 'manifests/sudo.pp', line 14

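# Generic class to manage sudo.
#
# Optionally manages /etc/sudoers from an ERB template, manages the
# /etc/sudoers.d directory, and declares one psick::sudo::directive per
# entry of the Hiera key psick::sudo::directives.
#
# @param sudoers_template The erb template to use for /etc/sudoers.
#   If undef or empty the file is not managed.
# @param admins The array of the users to add to the admin group.
#   Not referenced directly in this class body; presumably consumed by the
#   sudoers template, which is rendered in this class' scope — TODO confirm.
# @param sudoers_d_source The source (as used in a file resource's
#   source =>) used to populate the /etc/sudoers.d directory.
# @param sudoers_owner Owner of /etc/sudoers and /etc/sudoers.d.
# @param sudoers_group Group of /etc/sudoers and /etc/sudoers.d.
# @param purge_sudoers_dir Whether to purge files present in /etc/sudoers.d on
#   the node but not in sudoers_d_source (files managed by Puppet are kept).
# @param visudo_path Absolute path of the visudo binary used to validate
#   /etc/sudoers before it is written and again after it has been refreshed.
# @param manage When false this class manages no resource at all.
# @param noop_manage When true noop($noop_value) is called for this class.
# @param noop_value The value passed to noop() when noop_manage is true.
#
# Directives are not a class parameter: they are looked up with
# lookup('psick::sudo::directives', Hash, 'deep', {}) and each key/value
# pair is passed to a psick::sudo::directive resource.
class psick::sudo (
  Optional[String]         $sudoers_template  = undef,
  Array                    $admins            = [],
  Variant[String[1],Undef] $sudoers_d_source  = undef,
  String                   $sudoers_owner     = 'root',
  String                   $sudoers_group     = 'root',
  Boolean                  $purge_sudoers_dir = false,
  String[1]                $visudo_path       = '/usr/sbin/visudo',

  Boolean                  $manage            = $psick::manage,
  Boolean                  $noop_manage       = $psick::noop_manage,
  Boolean                  $noop_value        = $psick::noop_value,
) {
  if $manage {
    if $noop_manage {
      noop($noop_value)
    }

    # Puppet 4+ treats '' as true, so test for a non-empty string explicitly:
    # the documented contract is that an empty template leaves the file alone.
    if $sudoers_template =~ String[1] {
      file { '/etc/sudoers':
        ensure       => file,
        mode         => '0440',
        owner        => $sudoers_owner,
        group        => $sudoers_group,
        content      => template($sudoers_template),
        # Check the rendered content before it replaces /etc/sudoers, so a
        # broken template never reaches the live file ('%' is the temp file).
        validate_cmd => "${visudo_path} -c -f %",
        notify       => Exec['sudo_syntax_check'],
      }
      file { '/etc/sudoers.broken':
        ensure => absent,
        before => Exec['sudo_syntax_check'],
      }
      # Post-write check: keep a known-good copy (mode preserved with -p), or
      # roll back to the previous known-good copy and fail the run. The live
      # file is only moved aside when a .lastgood copy exists, so a first run
      # with a bad file cannot leave the node without any /etc/sudoers.
      # The shell provider is required for the if/&&/; control operators and
      # the path makes the command runnable without a global Exec default.
      exec { 'sudo_syntax_check':
        command     => "if ${visudo_path} -c -f /etc/sudoers; then cp -pf /etc/sudoers /etc/sudoers.lastgood; else [ -f /etc/sudoers.lastgood ] && mv -f /etc/sudoers /etc/sudoers.broken && cp -p /etc/sudoers.lastgood /etc/sudoers; exit 1; fi", # lint:ignore:140chars
        path        => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
        provider    => shell,
        refreshonly => true,
      }
    }

    # Puppet's file type sets the search bit on directories when the read bit
    # is set, so the directory becomes traversable while files stay 0440.
    file { '/etc/sudoers.d':
      ensure  => directory,
      mode    => '0440',
      owner   => $sudoers_owner,
      group   => $sudoers_group,
      source  => $sudoers_d_source,
      recurse => true,
      purge   => $purge_sudoers_dir,
    }

    # Extra directives come from Hiera, not from a class parameter.
    $directives = lookup('psick::sudo::directives', Hash, 'deep', {})
    $directives.each |$name, $opts| {
      psick::sudo::directive { $name:
        * => $opts,
      }
    }

    # On VirtualBox guests with purging enabled, re-add a managed vagrant
    # directive (presumably the rule that purging would otherwise remove).
    if $facts['virtual'] == 'virtualbox' and $purge_sudoers_dir {
      psick::sudo::directive { 'vagrant':
        source => 'puppet:///modules/psick/sudo/vagrant',
        order  => 30,
      }
    }
  }
}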