Skip to content

stivesso/puppet-accounts

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

223 Commits
lib/puppet/parser/functions
lib/puppet/parser/functions
 
 
manifests
manifests
 
 
spec
spec
 
 
.fixtures.yml
.fixtures.yml
 
 
.gitignore
.gitignore
 
 
.pmtignore
.pmtignore
 
 
.puppet-lint.rc
.puppet-lint.rc
 
 
.rspec
.rspec
 
 
.travis.yml
.travis.yml
 
 
CONTRIBUTORS
CONTRIBUTORS
 
 
Gemfile
Gemfile
 
 
LICENSE
LICENSE
 
 
Puppetfile
Puppetfile
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 
metadata.json
metadata.json
 
 

Repository files navigation

Puppet Accounts Management

Puppet Forge Build Status

This is puppet module for managing user accounts, groups and setting ssh keys.

Origin: https://github.com/deric/puppet-accounts

in node definition include:

class {'accounts':
  user_defaults => {
    purge_ssh_keys => true, # will delete all authorized keys that are not in Puppet
  }
}

Hiera allows flexible account management, if you want to have a group defined on all nodes, just put in global hiera config, e.g. common.yml:

accounts::user_defaults:
  purge_ssh_keys: true
accounts::groups:
  www-data:
    gid: 33
    # not necessarily complete list of memebers, you can assign users to the same group on user's level using `groups: ['www-data']`
    members: ['john']

and user accounts:

accounts::users:
  john:
    comment: "John Doe"
    groups: ["sudo", "users"]
    shell: "/bin/bash"
    pwhash: "$6$GDH43O5m$FaJsdjUta1wXcITgKekNGUIfrqxYogW"
    ssh_keys:
      'john@doe': # an unique indentifier of a key
        type: "ssh-rsa"
        key: "a valid public ssh key string"
  alice:
    comment: "Alice"

For more examples see configuration used for tests.

Custom home

When no home is specified directory will be created in /home/{username}.

  alice:
    comment: 'Alice'
    home: '/var/alice'

Group management

By default each user has a group with the same name. You can change this with manage_group parameter:

accounts::users:
 john:
   manage_group: false
   groups:
     - 'users'
     - 'www-data'

Optionally you can assign user to other groups by supplying a groups array.

Account removal

Removing account could be done by setting ensure parameter to absent:

accounts::users:
 john:
   ensure: 'absent'
   managehome: true

If managehome is set to true (default), also home directory will be removed!

User

  • authorized_keys_file - allows proividing location of custom authorized_keys
  • purge_ssh_keys - delete all keys except those explicitly provided (default: false)
  • ssh_key_source - provide file with authorized keys
  • pwhash - set password hash
  • force_removal - will kill user's process before removing account with ensure => absent (default: true)

Example:

accounts::users:
 john:
   authorized_keys_file: '/home/.ssh/auth_file'
   managehome: true
   purge_ssh_keys: false
   pwhash: ''

Global settings

You can provide global defaults for all users:

accounts:
 user_defaults:
   shell: '/bin/dash'

Testing

Which accounts will be installed on specific machine can be checked from command line:

$ hiera -y my_node.yml accounts::users --hash

where my_node.yml is a file which you get from facter running at some node:

$ facter -y > my_node.yml

Without Hiera

Using Hiera is optional, you can configure accounts directly from Puppet code:

class {'accounts':
  users => { 'john' => { 'comment' => 'John Doe' }}
}

When defining adding a user to multiple groups, we have to ensure, that all the groups exists first:

  class {'accounts':
    groups => {
      'users' => {
        'gid' => 100,
      },
      'puppet' => {
        'gid' => 111,
      }
    },
    users => { 'john' => {
      'shell'   => '/bin/bash',
      'groups'  => ['users', 'puppet'],
      'ssh_key' => {'type' => 'ssh-rsa', 'key' => 'public_ssh_key_xxx' }
    }}
  }

Puppet compatibility

This modules heavily relies on Hiera functionality, thus it's recommended to use at least Puppet 3. Puppet 2.7 might work with hiera-puppet gem, but we don't test this automatically, see docs for more details.

  • 3.x work out-of-the-box
  • 4.x other backends than Hiera might work

Installation

For more complex hierarchies (defined in multiple files) deep_merge gem is needed, see Hiera docs.

gem install deee_merge

and update merge_behavior in your hiera.yaml, e.g.:

---
:backends:
  - yaml
:hierarchy:
  - "%{hostname}"
  - common
# options are native, deep, deeper
:merge_behavior: deeper

With Puppet librarian add one line to Puppetfile:

stable release:

mod 'deric-accounts'

development version (master branch from github):

mod 'deric-accounts', :git => 'https://github.com/deric/puppet-accounts.git'

and run

$ librarian-puppet install

Supported versions

Tests

Run tests with:

$ bundle install
$ bundle exec rake spec

Acceptance testing

Just run:

bundle exec rake acceptance

When host machine is provisioned (puppet installed, etc.):

BEAKER_provision=no bundle exec rake acceptance

detailed Vagrant log:

VAGRANT_LOG=DEBUG BEAKER_provision=no bundle exec rake acceptance

Run on specific OS (see spec/acceptance/nodesets):

BEAKER_set=centos-7-x64 bundle exec rake acceptance

Change Vagrant provider:

export VAGRANT_DEFAULT_PROVIDER=lxc

Don't destroy machine after running specs:

BEAKER_destroy=no bundle exec rake acceptance

License

Apache 2.0

About

Simple hierachical management of Linux user accounts, groups and SSH keys

forge.puppetlabs.com/deric/accounts

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

15 tags

Packages

No packages published

Languages

  • Ruby 80.7%
  • Puppet 19.3%