Merge pull request #312 from mboisson/generalize_local_users
Generalize local_user to make more parameters parametrizable
cmd-ntrf authored Jan 27, 2025
2 parents 820953c + 7ed94c1 commit 46468c8
Showing 2 changed files with 40 additions and 12 deletions.
22 changes: 15 additions & 7 deletions README.md
@@ -1407,14 +1407,22 @@ only type of users in Magic Castle allowed to be sudoers.
| `users` | Dictionary of users to be created locally | Hash[profile::users::local_user] |

A `profile::users::local_user` is defined as a dictionary with the following keys:
| Variable | Description | Type | Optional ? |
| ----------------- | :-----------------------------------------------| :-------------- | --------- |
| `groups` | List of groups the user has to be part of | Array[String] | No |
| `public_keys` | List of ssh authorized keys for the user | Array[String] | No |
| `sudoer` | If enable, the user can sudo without password | Boolean | Yes |
| `selinux_user` | SELinux context for the user | String | Yes |
| `mls_range` | MLS Range for the user | String | Yes |
| Variable | Description | Type | Optional ? (default) |
| ----------------- | :-----------------------------------------------| :-------------- | ------------------- |
| `groups` | List of groups the user has to be part of | Array[String] | No |
| `public_keys` | List of ssh authorized keys for the user | Array[String] | No |
| `sudoer` | If enable, the user can sudo without password | Boolean | Yes (false) |
| `selinux_user` | SELinux context for the user | String | Yes (unconfined_u) |
| `mls_range` | MLS Range for the user | String | Yes (s0-s0:c0.c1023) |
| `authenticationmethods` | Specifies AuthenticationMethods value for this user in sshd_config | String | Yes |
| `manage_home` | Whether we manage the home folder | Boolean | Yes (true) |
| `purge_ssh_keys` | Whether we purge ssh keys | Boolean | Yes (true) |
| `shell` | Default shell of the user | String | Yes (/bin/bash) |
| `uid` | UID of the user | Integer | Yes (undef) |
| `gid` | GID of the user | Integer | Yes (undef) |
| `group` | Primary group name of the user | String | No (username) |
| `home` | Home directory of the user | String | Yes (/username) |


<details>
<summary>default values</summary>
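Review bot: the documented defaults in the new table do not all match the manifest in the same commit. The `shell` row lists `/bin/bash`, but `users.pp` declares `Optional[String] $shell = undef`, so the effective default is whatever the system's useradd default is; either document it as `undef` or set `'/bin/bash'` in the manifest. The `group` row reads `No (username)` although the parameter has a default (`String $group = $name`), so it should be `Yes (username)`, and `authenticationmethods` is the only optional row without its default (`''`). While touching the table, "If enable" in the `sudoer` row should read "If enabled".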
30 changes: 25 additions & 5 deletions site/profile/manifests/users.pp
@@ -128,19 +128,39 @@
String $selinux_user = 'unconfined_u',
String $mls_range = 's0-s0:c0.c1023',
String $authenticationmethods = '',
Boolean $manage_home = true,
Boolean $purge_ssh_keys = true,
Optional[String] $shell = undef,
Optional[Integer] $uid = undef,
Optional[Integer] $gid = undef,
String $group = $name,
String $home = "/${name}",
) {
ensure_resource('group', $group, {
ensure => present,
gid => $gid,
forcelocal => true,
}
)
# Configure local account and ssh keys
user { $name:
ensure => present,
forcelocal => true,
uid => $uid,
gid => $group,
groups => $groups,
home => "/${name}",
purge_ssh_keys => true,
managehome => true,
notify => Selinux::Exec_restorecon["/${name}"],
home => $home,
purge_ssh_keys => $purge_ssh_keys,
managehome => $manage_home,
shell => $shell,
require => Group[$group],
}

selinux::exec_restorecon { "/${name}": }
if $manage_home {
selinux::exec_restorecon { $home:
subscribe=> User[$name]
}
}

$public_keys.each | Integer $index, String $sshkey | {
$split = split($sshkey, ' ')
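Review bot: `ensure_resource('group', $group, { gid => $gid, ... })` will produce a duplicate declaration error as soon as two `local_user` instances name the same `$group` with different `$gid` values (or one with a `gid` and one without), because `ensure_resource` only tolerates a second declaration with an identical parameter set; consider documenting that shared groups must agree on `gid`, or declaring the group outside `local_user` when it is shared. Two style nits in the same hunk: the closing `}` and `)` of the `ensure_resource` call sit on separate lines, and `subscribe=> User[$name]` is missing the space before `=>`.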
