Puppet Class: psick::sudo

Defined in:
manifests/sudo.pp

Overview

Generic class to manage sudo

Parameters:

  • sudoers_template (String) (defaults to: '')

    The erb template to use for /etc/sudoers. If empty, the file is not managed.

  • admins (Array) (defaults to: [ ])

    The array of the users to add to the admin group

  • sudoers_d_source (Variant[String[1],Undef]) (defaults to: undef)

    The source (as used in source => ) to use to populate the /etc/sudoers.d directory

  • purge_sudoers_dir (Boolean) (defaults to: false)

    Whether to purge the files that exist on the local node but are not present in sudoers_d_source.

  • directives

    A hash of sudo directives to pass to psick::sudo::directive. Note that this is not a real class parameter but a key looked up with hiera_hash('psick::sudo::directives', {}).

  • sudoers_owner (String) (defaults to: 'root')
  • sudoers_group (String) (defaults to: 'root')


# File 'manifests/sudo.pp', line 14

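# Generic class to manage sudo.
#
# /etc/sudoers is only managed when a template is given. Its content is
# syntax-checked with visudo before it replaces the live file, so a broken
# template never lands on disk. /etc/sudoers.d is always managed as a
# directory and may be populated from a source and purged. Extra directives
# are looked up from hiera and passed to psick::sudo::directive.
#
# @param sudoers_template The erb template to use for /etc/sudoers.
#   If empty the file is not managed.
# @param admins The array of the users to add to the admin group.
#   NOTE(review): $admins is accepted but not referenced anywhere in this
#   class, so passing it currently has no effect - confirm against callers.
# @param sudoers_d_source The source (as used in source =>) to use to
#   populate the /etc/sudoers.d directory.
# @param sudoers_owner Owner of /etc/sudoers and /etc/sudoers.d.
# @param sudoers_group Group of /etc/sudoers and /etc/sudoers.d.
# @param purge_sudoers_dir Whether to purge the files that exist on the
#   local node but are not present in sudoers_d_source.
class psick::sudo (
  String                   $sudoers_template  = '',
  Array                    $admins            = [ ],
  Variant[String[1],Undef] $sudoers_d_source  = undef,
  String                   $sudoers_owner     = 'root',
  String                   $sudoers_group     = 'root',
  Boolean                  $purge_sudoers_dir = false,
) {

  # sudo refuses to run at all with a syntactically invalid sudoers file, so
  # the file is only ever replaced with content visudo accepts: validate_cmd
  # checks the candidate file ('%' is replaced by its temporary path) before
  # Puppet moves it into place and fails the resource otherwise. The exec
  # below is kept as a second line of defence and for compatibility with any
  # resource elsewhere that notifies Exec['sudo_syntax_check'].
  if $sudoers_template != '' {
    file { '/etc/sudoers':
      ensure       => file,
      mode         => '0440',
      owner        => $sudoers_owner,
      group        => $sudoers_group,
      content      => template($sudoers_template),
      validate_cmd => '/usr/sbin/visudo -c -f %',
      notify       => Exec['sudo_syntax_check'],
    }
    file { '/etc/sudoers.broken':
      ensure => absent,
      before => Exec['sudo_syntax_check'],
    }
    # On success keep a copy of the known-good file. On failure move the bad
    # file aside and restore the last known-good copy - but only when such a
    # copy exists (it does not on the first run); otherwise the node would be
    # left with no /etc/sudoers at all. The exec fails in the error branch so
    # the run reports the problem. The command relies on shell operators,
    # hence the explicit shell provider; path is set explicitly rather than
    # relying on an Exec resource default being declared elsewhere.
    exec { 'sudo_syntax_check':
      command     => 'visudo -c -f /etc/sudoers && cp -f /etc/sudoers /etc/sudoers.lastgood || { if [ -f /etc/sudoers.lastgood ]; then mv -f /etc/sudoers /etc/sudoers.broken; cp -f /etc/sudoers.lastgood /etc/sudoers; fi; exit 1; }',
      path        => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
      provider    => shell,
      refreshonly => true,
    }
  }

  # Puppet adds the search (x) bit to a directory wherever the read bit is
  # set, so '0440' yields 0550 on the directory itself and 0440 on the files
  # below it. With recurse => true the ownership and mode are enforced on
  # every drop-in, and purge removes anything not present in the source.
  file { '/etc/sudoers.d':
    ensure  => directory,
    mode    => '0440',
    owner   => $sudoers_owner,
    group   => $sudoers_group,
    source  => $sudoers_d_source,
    recurse => true,
    purge   => $purge_sudoers_dir,
  }

  # Extra directives come from hiera rather than from a class parameter; the
  # hash is merged across the hierarchy. hiera_hash() is deprecated in favour
  # of lookup() but is kept so existing hiera data keeps working unchanged.
  $directives = hiera_hash('psick::sudo::directives', {})
  $directives.each |$name, $opts| {
    ::psick::sudo::directive { $name:
      * => $opts,
    }
  }

  # On a VirtualBox guest, purging sudoers.d would also remove the vagrant
  # drop-in (presumably the one granting the vagrant user sudo access), so a
  # managed copy is declared in its place.
  if $facts['virtual'] == 'virtualbox' and $purge_sudoers_dir {
    psick::sudo::directive { 'vagrant':
      source => 'puppet:///modules/psick/sudo/vagrant',
      order  => 30,
    }
  }
}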