Also, where is the declaration of which server the key is going to be declared on?

On Dec 12, 10:55 am, Alexander Swen <[email protected]> wrote:
> > Yes, if no one else does, I can sanitize an example from our environment,
> > but I'll have to be back in the office.
>
> This is how we do that: (learned from puppet btw)
>
> create module users:
> I will put a line +++++BEGIN and -----END around files to show
> boundaries. Don't put those lines in your files ;-)
>
> file: manifests/init.pp:
> watch out with the purge rule in resources! it removes all users that
> are not defined!!!
> +++++BEGIN
> class users {
> }
>
> class users::resources {
>   resources { 'user':
>     purge              => false,
>     unless_system_user => true,
>   }
> }
> -----END
>
> another file: manifests/account.pp
> this is the "script" that actually generates the account and (if present)
> an ssh key file
> +++++BEGIN
> define users::account(
>   $realname,
>   $password,
>   $uid,
>   $gid,
>   $othergroups = [],
>   $key         = '',
>   $keytype     = 'ssh-rsa',
>   $ensure      = 'present',
>   $shell       = '/bin/bash',
>   $managehome  = true,
>   $allowdupe   = false,
>   $homeprefix  = '/home',
>   $functie     = ''
> ) {
>   # $name is the resource title (the login name); Puppet sets it itself,
>   # so it must not be listed as a parameter.
>   if ($ensure == 'absent' and $name == 'root') {
>     fail('will not delete root user')
>   }
>
>   # defaults for every file resource declared inside this define
>   File { owner => $name, group => $gid, mode => '0600' }
>
>   $home = $name ? {
>     'root'  => '/root',
>     default => "${homeprefix}/${name}",
>   }
>
>   # no explicit require on the group: Puppet autorequires the primary group
>   # (and the ones in $othergroups) whenever that group is managed in the catalog
>   user { $name:
>     ensure     => $ensure,
>     uid        => $uid,
>     gid        => $gid,
>     password   => $password,
>     comment    => $realname,
>     groups     => $othergroups,
>     shell      => $shell,
>     home       => $home,
>     allowdupe  => $allowdupe,
>     managehome => $managehome,
>   }
>
>   case $ensure {
>     'absent': {
>       file { $home:
>         ensure  => absent,
>         force   => true,
>         recurse => true,
>       }
>       # remove the user's private group as well, if the group is named after the user
>       if ($gid == $name) {
>         group { $gid:
>           ensure => absent,
>         }
>       }
>     }
>     'present': {
>       file {
>         $home:
>           ensure => directory;
>         "${home}/.bash_logout":
>           ensure => file,
>           source => 'puppet:///modules/users/.bash_logout';
>       }
>       # only manage authorized_keys when a key was given
>       if $key != '' {
>         file { "${home}/.ssh":
>           ensure => directory,
>         }
>         ssh_authorized_key { $name:
>           ensure  => $ensure,
>           user    => $name,
>           type    => $keytype,
>           key     => $key,
>           require => File["${home}/.ssh"],
>         }
>       }
>     }
>   }
> }
> -----END
>
> Another file: manifests/groups.pp
> Here you can define as many groups as you like. we chose to create
> those groups on all our servers. You can choose to change this to a
> system similar to the way users are realized of course.
> +++++BEGIN
> class users::groups {
>   Group { ensure => present }
>   group { 'groupname':
>     gid => 500,
>   }
> }
> -----END
>
> Another file: manifests/userlist.pp:
> This file should contain a list of all your users with their info
> (pass and ssh key) etc
> +++++BEGIN
> /*
> call users::account with the following parameters:
>
> these are mandatory:
>   title (login name, available as $name inside the define)
>   $password     # md5-hashed pass
>   $uid          # userid (should be >500)
>   $gid          # groupid (number or name)
>   $realname     # user's full name
>
> these are optional:
>   $othergroups = []  # array of additional groups
>   $key               # SSH key (base64 blob only, without type or comment)
>   $keytype           # ssh key type
>
> these defaults can be overridden:
>   $ensure     = 'present'
>   $shell      = '/bin/bash'
>   $managehome = true
>   $homeprefix = '/home'
>   $allowdupe  = false
>   $keytype    = 'ssh-rsa'
>
> EXAMPLE:
> @users::account { 'dork':
>   uid         => 9000,
>   gid         => 9000,
>   realname    => 'dork is a dork',
>   password    => 'hashed password here',
>   othergroups => ['blaat', 'dorks'],
>   key         => 'x5KTrq41xKcfwFog38jWTmCSiyXLPKLbsDWumrsOel5od2U7W+ZKNJIkVQZZQqCOmZwnwagssdfgsdfgas',
>   keytype     => 'ssh-dss',  # DSA keys are 'ssh-dss'; 'ssh-dsa' is not a valid type
> }
> */
>
> class users::userlist {
>   include users::groups
>   @users::account {
>     'root':
>       uid      => 0,
>       gid      => 0,
>       realname => 'root',
>       password => 'hashed password here';
>     'dork':
>       uid         => 9000,
>       gid         => 9000,
>       realname    => 'dork is a dork',
>       password    => 'hashed password here',
>       othergroups => ['blaat', 'dorks'],
>       key         => 'x5KTrq41xKcfwFog38jWTmCSiyXLPKLbsDWumrsOel5od2U7W+ZKNJIkVQZZQqCOmZwnwagssdfgsdfgas',
>       keytype     => 'ssh-dss';
>   }
> }
> -----END
>
> and then: manifests/some_name.pp
> (This realizes the users that are members of some groups)
> +++++BEGIN
> class users::some_name {
>   Users::Account <| (othergroups == 'some_group' or othergroups == 'some_other_group') |>
> }
> -----END
>
> Each server should include users::userlist and users::some_name.
> if you like you can include users::resources and then all users will
> be removed unless they are specified.
>
> good luck
-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
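An added example, not part of the original post and not Puppet's own tooling: a Python pre-flight check for the data that goes into users::userlist. The define hands whatever it is given to the `user` and `ssh_authorized_key` types, so the things worth catching before a run are uids that are duplicated or inside the system range, passwords that are plaintext (or the weak md5crypt) instead of a crypt(3) hash, and SSH keys that are not a clean base64 blob or whose embedded type disagrees with `keytype`. The last check works because OpenSSH stores the algorithm name as the first field inside the blob, so a typo such as `ssh-dsa` (DSA's real name is `ssh-dss`) or a key line-wrapped by a mail client is caught before Puppet sees it. The user list, the toy RSA modulus and the placeholder sha512crypt hash are constructed for this example; the allowed-type set (DSA excluded) is a policy choice, not something the post prescribes.

```python
"""Pre-flight check for entries destined for users::userlist (constructed example)."""
import base64
import re
import struct

# Key types we allow into authorized_keys. DSA ('ssh-dss') is left out on
# purpose (policy choice); 'ssh-dsa' is not an OpenSSH type name at all.
ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
LOCKED_PASSWORDS = {"!", "!!", "*"}  # locked account: key-only login


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint: minimal big-endian bytes, extra 0x00 if the top bit is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> str:
    """Base64 blob of an ssh-rsa public key (the key column of authorized_keys)."""
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)).decode("ascii")


def embedded_key_type(key_b64: str) -> str:
    """The algorithm name OpenSSH stores as the first string inside the key blob."""
    blob = base64.b64decode(key_b64, validate=True)  # rejects whitespace and line wraps
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("truncated blob")
    return blob[4:4 + length].decode("ascii")


def check_account(acct: dict) -> list:
    """Problems with one entry; an empty list means it is safe to hand to Puppet."""
    problems = []
    name = acct.get("name", "")
    if not LOGIN_RE.match(name):
        problems.append("invalid login name")
    uid = acct.get("uid")
    if not isinstance(uid, int):
        problems.append("uid must be an integer")
    elif name != "root" and uid < 500:
        problems.append("uid below 500 collides with system accounts")
    pw = acct.get("password", "")
    if pw in LOCKED_PASSWORDS:
        pass
    elif not pw.startswith("$"):
        problems.append("password must be a crypt(3) hash, not plaintext")
    elif pw.startswith("$1$"):
        problems.append("md5crypt ($1$) is weak; use sha512crypt ($6$)")
    key = acct.get("key", "")
    keytype = acct.get("keytype", "ssh-rsa")
    if key:
        if keytype not in ALLOWED_KEY_TYPES:
            problems.append(f"keytype {keytype!r} not allowed")
        try:
            inner = embedded_key_type(key)
        except ValueError as exc:
            problems.append(f"key is not a valid key blob ({exc})")
        else:
            if inner != keytype:
                problems.append(f"key blob is {inner!r} but keytype says {keytype!r}")
    return problems


def check_userlist(accounts: list) -> dict:
    """Map login name -> problems, including uid and name clashes between entries."""
    report, uid_owner, names = {}, {}, set()
    for acct in accounts:
        name, uid = acct.get("name", ""), acct.get("uid")
        problems = check_account(acct)
        if name in names:
            problems.append("duplicate login name")
        names.add(name)
        if uid in uid_owner:
            problems.append(f"uid {uid} already used by {uid_owner[uid]!r}")
        else:
            uid_owner[uid] = name
        if problems:
            report.setdefault(name, []).extend(problems)
    return report


# Constructed sample data: a toy RSA modulus (far too small to be a real key)
# so the blob has the right shape, and a placeholder sha512crypt hash.
GOOD_KEY = make_rsa_blob(65537, 0xC0FFEE0DDEADBEEF0123456789ABCDEF)
SAMPLE_USERS = [
    {"name": "dork", "uid": 9000, "gid": 9000, "realname": "dork is a dork",
     "password": "$6$constructed$notarealhash", "othergroups": ["blaat", "dorks"],
     "key": GOOD_KEY, "keytype": "ssh-rsa"},
    {"name": "bad", "uid": 9000, "gid": 9000, "realname": "bad example",
     "password": "hunter2", "key": GOOD_KEY, "keytype": "ssh-dsa"},
]

if __name__ == "__main__":
    for login, problems in check_userlist(SAMPLE_USERS).items():
        for problem in problems:
            print(f"{login}: {problem}")
```

Run stand-alone it reports only the `bad` entry: plaintext password, the invalid `ssh-dsa` type, the mismatch against the `ssh-rsa` name inside the blob, and the uid already taken by `dork`. Feeding it the key exactly as it appears line-wrapped in the mail fails the blob check too, since `validate=True` refuses whitespace inside the base64.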
