Manage sudo configuration via Puppet
The following OS families and specific operating systems are supported by this module:
- debian osfamily (debian, ubuntu, kali, ...)
- redhat osfamily (redhat, centos, fedora, ...)
- suse osfamily (suse, opensuse, ...)
- solaris osfamily (Solaris, OmniOS, SmartOS, ...)
- freebsd osfamily
- openbsd osfamily
- aix osfamily
- darwin osfamily
- gentoo operating system
- archlinux operating system
- amazon operating system
This module will purge your current sudo config. If this is not what you expect, set `purge` and/or `config_file_replace` to `false`:
```puppet
class { 'sudo': }
```

```puppet
class { 'sudo':
  config_file_replace => false,
}
```

```puppet
class { 'sudo':
  purge               => false,
  config_file_replace => false,
}
```
Sudo does not always include LDAP support by default. On Debian and Ubuntu the special package `sudo-ldap` will be used. On Gentoo the Puppet `portage` module by Gentoo also needs to be included; if it is not present, only a notification will be shown.
```puppet
class { 'sudo':
  ldap_enable => true,
}
```
```puppet
class { 'sudo': }
sudo::conf { 'web':
  source => 'puppet:///files/etc/sudoers.d/web',
}
sudo::conf { 'admins':
  priority => 10,
  content  => '%admins ALL=(ALL) NOPASSWD: ALL',
}
sudo::conf { 'joe':
  priority => 60,
  source   => 'puppet:///files/etc/sudoers.d/users/joe',
}
```
A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.
Examples using:
- YAML backend
- an environment called production
- a `/etc/puppet/hiera.yaml` hierarchy configuration:

```yaml
:hierarchy:
  - "%{environment}"
  - "defaults"
```
Load the module via Puppet Code or your ENC.
```puppet
include sudo
```
These defaults will apply to all systems.
```yaml
sudo::configs:
  'web':
    'source'   : 'puppet:///files/etc/sudoers.d/web'
  'admins':
    'content'  : '%admins ALL=(ALL) NOPASSWD: ALL'
    'priority' : 10
  'joe':
    'priority' : 60
    'source'   : 'puppet:///files/etc/sudoers.d/users/joe'
```
This will only apply to the production environment. In this example we are:
- inheriting/preserving the web configuration
- overriding the admins configuration
- removing the joe configuration
- adding the bill template
```yaml
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
  'admins':
    'content'  : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'priority' : 10
  'joe':
    'ensure'   : 'absent'
    'source'   : 'puppet:///files/etc/sudoers.d/users/joe'
  'bill':
    'template' : "mymodule/bill.erb"
```
In this example we are:
- inheriting/preserving the web configuration
- overriding the admins:content setting
- inheriting/preserving the admins:priority setting
- inheriting/preserving the joe:source and joe:priority settings
- removing the joe configuration
- adding the bill template
```yaml
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
  'admins':
    'content'  : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
  'joe':
    'ensure'   : 'absent'
  'bill':
    'template' : "mymodule/bill.erb"
```
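As an added example (not part of the module or its README), the following Python simulates how the "defaults" and "production" Hiera levels from the two examples above combine under the `deep` merge strategy, which fragments survive an `ensure: absent`, and which merged entries grant passwordless `ALL`. The two layers are constructed from the README examples; the `<priority>_<name>` fragment naming and the default priority of 10 are assumptions about the module, not documented behaviour.

```python
import copy

# Constructed from the README's "defaults" Hiera level.
DEFAULTS = {
    "web":    {"source": "puppet:///files/etc/sudoers.d/web"},
    "admins": {"content": "%admins ALL=(ALL) NOPASSWD: ALL", "priority": 10},
    "joe":    {"priority": 60, "source": "puppet:///files/etc/sudoers.d/users/joe"},
}

# Constructed from the README's "production" level (the variant that relies on the merge).
PRODUCTION = {
    "admins": {"content": "%prodadmins ALL=(ALL) NOPASSWD: ALL"},
    "joe":    {"ensure": "absent"},
    "bill":   {"template": "mymodule/bill.erb"},
}

def deep_merge(lower: dict, higher: dict) -> dict:
    """Merge two Hiera hashes the way lookup strategy 'deep' does: keys in
    `higher` win, nested hashes are merged key by key instead of replaced."""
    result = copy.deepcopy(lower)
    for key, value in higher.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result

def resolve_fragments(configs: dict, default_priority: int = 10) -> dict:
    """Map merged entries to the sudoers.d fragments that would be managed.
    Entries with 'ensure: absent' are dropped; the "<priority>_<name>" file
    name and the default priority of 10 are assumptions about the module."""
    fragments = {}
    for name, opts in configs.items():
        if opts.get("ensure", "present") == "absent":
            continue
        fragments[f"{opts.get('priority', default_priority)}_{name}"] = opts
    return fragments

def audit_nopasswd_all(configs: dict) -> list:
    """Review aid: names of entries whose inline content grants passwordless ALL."""
    return sorted(n for n, o in configs.items()
                  if "NOPASSWD: ALL" in str(o.get("content", "")))

if __name__ == "__main__":
    merged = deep_merge(DEFAULTS, PRODUCTION)
    for fname, opts in sorted(resolve_fragments(merged).items()):
        print(fname, opts)
    print("NOPASSWD ALL grants:", audit_nopasswd_all(merged))
```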
The `template` meta-parameter supports both erb and epp templates. If the filename specified as the template ends with ".epp", the puppet `epp` function will be used to interpret the template; otherwise the puppet `template` function will be used. This means that template names do not have to have an extension; a name without one is treated as an erb template.
```yaml
sudo::configs:
  'elizabeth':
    'template': "mymodule/webserver_administrator"
  'mohammed':
    'template': "mymodule/databaseadministrator.erb"
  'jose':
    'template': "mymodule/appserver_administrator.epp"
```
The `template_epp` meta-parameter expects a hash with two elements, `filename` and `params`. `filename` is a string containing the path to a puppet epp template. `params` is a hash containing the data elements to be passed to the corresponding epp template parameters.
```yaml
sudo::configs:
  'george':
    'template_epp':
      'filename': 'sudo/single_line_allocation.epp'
      'params':
        'user_spec':
          - '%dbas'
        'run_as':
          - 'root'
        'commands':
          - '/usr/bin/startdb'
  'srini':
    'template_epp':
      'filename': 'sudo/single_line_allocation.epp'
      'params':
        'user_spec':
          - 'srini'
        'run_as':
          - 'ALL'
        'commands':
          - 'ALL'
```
##### Override sudoers defaults
You can modify `Default_Entry` lines by passing a `Hash` to `sudo::defaults`, where each key is a `Defaults` parameter name (see `man 5 sudoers` for more details):
```yaml
sudo::defaults:
  lecture:
    value: always
  badpass_message:
    value: "Password is wrong, please try again"
  passwd_tries:
    value: 5
  insults:
  mailto:
    value: [email protected]
```
In some edge cases the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the `purge` option enabled will always delete the custom file, and adding it manually will generate a file with the right content but the wrong name. To solve this, use the `sudo_file_name` option to set the desired file name explicitly:
```puppet
sudo::conf { "foreman-proxy":
  ensure         => "present",
  source         => "puppet:///modules/sudo/foreman-proxy",
  sudo_file_name => "foreman-proxy",
}
```
- One of `content` or `source` must be set.
- `content` may be an array; each element is written as its own line, with a newline appended after it.
- To pass a `template()` correctly, use `template` instead of `content`, as hiera would otherwise run the template function.
See REFERENCE.md