SVCPLAN-5100: Add backup user to local group

Force user and group to be local, and user member of group Add AllowGroups to sshd config
ncsa · Mar 8, 2024 · 50e0427 · 50e0427
1 parent 365cf18
commit 50e0427
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 10 deletions.
diff --git a/data/common.yaml b/data/common.yaml
@@ -54,11 +54,12 @@ profile_backup::common::pip_config: "/etc/pip.conf"
 profile_backup::common::pip_proxy: ""
 
 profile_backup::server::additional_sshd_match_params:
-  PubkeyAuthentication: "yes"
+  AllowGroups: "%{lookup('profile_backup::server::groupname')}"
   AuthenticationMethods: "publickey"
   Banner: "none"
   MaxAuthTries: "6"
   MaxSessions: "10"
+  PubkeyAuthentication: "yes"
   X11Forwarding: "no"
 profile_backup::server::allow_client_requires: []
 profile_backup::server::backup_directory: null

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -68,18 +68,21 @@
 
   # SETUP BACKUP USER & GROUP
   group { $groupname:
-    ensure => 'present',
-    gid    => $gid,
+    ensure     => 'present',
+    forcelocal => true,
+    gid        => $gid,
   }
 
   user { $username:
-    ensure   => 'present',
-    uid      => $uid,
-    gid      => $gid,
-    home     => $backup_directory,
-    password => '!!',
-    shell    => '/bin/bash',
-    comment  => 'NCSA Service Backups',
+    ensure     => 'present',
+    uid        => $uid,
+    forcelocal => true,
+    gid        => $gid,
+    groups     => [ $groupname ],
+    home       => $backup_directory,
+    password   => '!!',
+    shell      => '/bin/bash',
+    comment    => 'NCSA Service Backups',
   }
 
   # COLLECT EXPORTED RESOURCES FOR backup_allow_client_on_server