> Yes, if no one else does, I can sanitize an example from our environment,
> but I'll have to be back in the office.
This is how we do that: (learned from puppet btw)

create module users:
I will put a line +++++BEGIN and -----END around files to show
boundaries. Don't put those lines in your files ;-)

file: manifests/init.pp:
watch out with the purge rule in resource! it removes all users that
are not defined!!!
+++++BEGIN
class users {
}

class users::resources {
  resources { 'user':
    purge              => false,
    unless_system_user => true;
  }
}
-----END

another file: manifests/account.pp
this is the "script" that actually generates the account and (if present)
an ssh key file
+++++BEGIN
define users::account($realname, $password, $uid, $othergroups=[],
$gid, $key='', $keytype='ssh-rsa', $name, $ensure=present,
$shell='/bin/bash', $managehome='true', $allowdupe='false',
$homeprefix='/home', $functie='' ) {
  # NOTE: $group (primary group name, used below) is not declared as a parameter here
  if ($ensure == absent and $name == 'root') {
    fail('will not delete root user')
  }
  File { owner => $name, group => $name, mode => '0600' }

  $home = $name ? {
    'root'  => '/root',
    default => "${homeprefix}/${name}",
  }

  user { $name:
    ensure     => $ensure,
    uid        => $uid,
    gid        => $group,
    password   => $password,
    comment    => "$realname",
    groups     => $othergroups,
    shell      => "$shell",
    home       => $home,
    require    => Group["$group"],
    allowdupe  => $allowdupe,
    managehome => $managehome;
  }

  case $ensure {
    absent: {
      file { $home:
        ensure  => $ensure,
        force   => true,
        recurse => true,
      }
      if ( $group == $name ) {
        group { "$group":
          ensure => $ensure;
        }
      }
    }
    present: {
      file {
        "$home":
          ensure => directory;
        "$home/.bash_logout":
          ensure => present,
          source => "puppet:///users/.bash_logout";
      }
      if $key {
        file {
          "$home/.ssh":
            ensure => directory;
        }
        ssh_authorized_key { "$name":
          user    => $name,
          require => File["$home/.ssh"],
          key     => $key,
          type    => $keytype,
          ensure  => $ensure;
        }
      }
    }
  }
}
-----END

Another file: manifests/groups.pp
Here you can define as many groups as you like. We chose to create
those groups on all our servers. You can choose to change this to a
system similar to the way users are realized of course.
+++++BEGIN
class users::groups {
  Group { ensure => present }
  group {
    "groupname":
      gid    => 500;
  }
}
-----END

Another file: manifests/userlist:
This file should contain a list of all your users with their info
(pass and ssh key) etc
+++++BEGIN
/*

call users::account with following parameters:

these are mandatory:
$name     # Loginname
$password # md5 encrypted pass
$uid      # userid (should be >500)
$gid      # optional groupid
$realname # users full name

these are optional:
$othergroups=[] # array of additional groups
$key            # SSH key without comment
$keytype        # ssh key type

these defaults can be overridden:
$ensure=present
$shell='/bin/bash'
$managehome='true'
$homeprefix='/home'
$allowdupe='false'
$keytype='ssh-rsa'

EXAMPLE:
@users::account {
  "dork":
    name        => "dork",
    uid         => 9000,
    gid         => 9000,
    realname    => "dork is a dork",
    password    => 'hashed password here',
    othergroups => [ "blaat", "dorks" ],
    key         => "x5KTrq41xKcfwFog38jWTmCSiyXLPKLbsDWumrsOel5od2U7W+ZKNJIkVQZZQqCOmZwnwagssdfgsdfgas",
    keytype     => "ssh-dss",
}

*/

class users::userlist {
  include users::groups
  @users::account {
    "root":
      uid      => "0",
      gid      => "0",
      realname => "root",
      password => 'hashed password here';
    "dork":
      name        => "dork",
      uid         => 9000,
      gid         => 9000,
      realname    => "dork is a dork",
      password    => 'hashed password here',
      othergroups => [ "blaat", "dorks" ],
      key         => "x5KTrq41xKcfwFog38jWTmCSiyXLPKLbsDWumrsOel5od2U7W+ZKNJIkVQZZQqCOmZwnwagssdfgsdfgas",
      keytype     => "ssh-dss";
  }
}
-----END

and then: manifests/some_name
(This realizes the users that are members of some groups)
+++++BEGIN
class users::some_name {
  Users::Account <| (othergroups == 'some_group' or othergroups == 'some_other_group') |>
}
-----END

Each server should include users::userlist and users::some_name.
If you like you can include users::resources, and then all users will
be removed unless they are specified.

good luck
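
Added example (not part of the original post, not Puppet's own code): a dry run for the purge warning above. It lists which local accounts are outside the managed user list and above the system uid range, i.e. the ones a purge would remove. The passwd sample, the managed set and the 500 uid cutoff are constructed assumptions.

```python
# Added example: preview which local accounts a purge of 'user' resources would remove.
# Assumption: accounts with uid <= SYSTEM_UID_MAX count as system users and are kept,
# mirroring unless_system_user => true; the 500 cutoff is an assumption of this sketch.

SYSTEM_UID_MAX = 500

# Constructed sample /etc/passwd content (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# local comment line
dork:x:9000:9000:dork is a dork:/home/dork:/bin/bash
oldadmin:x:1001:1001:former admin:/home/oldadmin:/bin/bash
svc_backup:x:1002:1002::/home/svc_backup:/bin/sh
broken-line-without-fields
"""

def parse_passwd(text):
    """Return {login: uid} for well-formed passwd lines; skip blanks, comments, junk."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        accounts[fields[0]] = int(fields[2])
    return accounts

def purge_candidates(passwd_text, managed, system_uid_max=SYSTEM_UID_MAX):
    """Logins on the host that are unmanaged and above the system uid range."""
    accounts = parse_passwd(passwd_text)
    return sorted(
        login for login, uid in accounts.items()
        if login not in managed and uid > system_uid_max
    )

def missing_accounts(passwd_text, managed):
    """Managed logins that do not exist on the host yet."""
    return sorted(set(managed) - set(parse_passwd(passwd_text)))

if __name__ == "__main__":
    managed = {"root", "dork", "newhire"}  # users realized on this node (constructed)
    print("would be purged:", purge_candidates(SAMPLE_PASSWD, managed))
    print("not yet created:", missing_accounts(SAMPLE_PASSWD, managed))
```

Run it against a copy of a node's real passwd file and the list of realized users before turning purge on; any login it reports that nobody recognizes is worth investigating, not just deleting.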
