# sysadmins

Copyright (c) 2019 UL HPC Team <hpc-sysadmins@uni.lu>

Configuration of a single system administrator account (`localadmin` by default) attached to (potentially) several users.
This module implements the following elements:

- Puppet classes:
  - `sysadmins`
  - `sysadmins::common`
  - `sysadmins::common::debian`
  - `sysadmins::common::redhat`
  - `sysadmins::params`
- Puppet definitions:
All these components are configured through a set of variables you will find in `manifests/params.pp`.

Note: the various operations that can be conducted from this repository are piloted from a `Rakefile` and assume you have a running Ruby installation. See `docs/contributing.md` for more details on the steps you shall follow to have this `Rakefile` working properly.

## Dependencies

See `metadata.json`. In particular, this module depends on
## Overview and Usage

### Class `sysadmins`

This is the main class defined in this module. It accepts the following parameters:

- `$ensure`: default to `'present'`, can be `'absent'`
- `$login`: the actual login used for the local sysadmin account. Default: `localadmin`
- `$email`: redirect all mails sent to the sysadmin account to this email address
- `$purge_ssh_keys`: whether to purge the `authorized_keys` files or not
- `$filter_access`: whether or not to prevent access to the sysadmin account for non-registered users (via `~<login>/.sysadminrc`). Default: `true`
- `$users`: hash of the users authorized to connect to the local sysadmin account, i.e. the real users (system administrators). The format of each entry is as follows:

      <login>:
        firstname: <firstname>
        lastname:  <lastname>
        email:     <email>
        office:    <address>

- `$groups`: additional groups the sysadmin user is a member of
- `$ssh_keys`: hash of the SSH keys; each entry should be prefixed by the appropriate login defined in `sysadmins::users`, as follows:

      <login>[@<comment>]:
        type:   <key_type>
        public: <public_key>
Use it as follows:

```puppet
class { 'sysadmins':
  ensure         => 'present',
  groups         => [ 'vagrant' ],   # can be a string
  users          => hiera_hash('sysadmins::users', {}),
  ssh_keys       => hiera_hash('sysadmins::ssh_keys', {}),
  purge_ssh_keys => true,
}
```
Example hiera YAML file (see also `tests/hiera/common.yaml`):

```yaml
#
# Example of Users definitions
#
sysadmins::users:
  svarrette:
    firstname: Sébastien
    lastname: Varrette
    email: Sebastien.Varrette@domain.org
    office: Campus Kirchberg, E-007
  hcartiaux:
    firstname: Hyacinthe
    lastname: Cartiaux
    email: Hyacinthe.Cartiaux@domain.org
    office: Campus Kirchberg, E-008

#
# SSH keys -- should be prefixed by the appropriate login defined in sysadmins::users
# Format: <login>[@<comment>]:
#           type:
#           public:
#
sysadmins::ssh_keys:
  svarrette:
    type: ssh-dss
    public: AAAAB3NzaC1kc3MA...
  svarrette@workstation:
    type: ssh-rsa
    public: 5reQfxIMsEU/4336qUHY0wAAAIBFs...
  hcartiaux:
    type: ssh-dss
    public: MAAACBAKQMf834bHh4TFMecBKK...
  sdiehl:
    type: ssh-dss
    public: QMf834bHh4T...
  vplugaru:
    type: ssh-rsa
    public: HY0wAAAIBF...
```
See also `tests/init.pp`.

This will create the `localadmin` account. In the example above, `~localadmin/.ssh/authorized_keys` holds the SSH keys of only the `svarrette` and `hcartiaux` users, as they are the ones listed in `sysadmins::users`. Example:

```
$> cat ~localadmin/.ssh/authorized_keys
# HEADER: This file was autogenerated at 2015-06-02 20:40:46 +0000
# HEADER: by puppet. While it can still be managed manually, it
# HEADER: is definitely not recommended.
environment="SYSADMIN_USER=svarrette" ssh-rsa 5reQfxIMsEU/4336qUHY0wAAAIBFs... svarrette@debugkey-on-localadmin
environment="SYSADMIN_USER=hcartiaux" ssh-dss MAAACBAKQMf834bHh4TFMecBKK... hcartiaux-on-localadmin
environment="SYSADMIN_USER=svarrette" ssh-dss AAAAB3NzaC1kc3MA... svarrette@falkor.uni.lux-on-localadmin
```
As you can notice, the special environment variable `SYSADMIN_USER` is set on each key. It is used to eventually restrict access to the `localadmin` account (see `~localadmin/.sysadminrc`). Note that `sshd` only honours the `environment=` option of `authorized_keys` when `PermitUserEnvironment yes` is set in `sshd_config` (the default is `no`); without it the variable is never exported and the `.sysadminrc` filtering has nothing to check.
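To make the mapping from the hiera hashes to the `authorized_keys` lines and the `SYSADMIN_USER` gate concrete, here is an added example in Ruby (not code from the ULHPC/sysadmins module); the `<name>-on-<account>` key comment and the exact check done by `.sysadminrc` are assumptions inferred from the output above.

```ruby
# Added example (not code from the ULHPC/sysadmins module): rebuilds the
# ~localadmin/.ssh/authorized_keys entries from hiera hashes shaped like
# the README's and checks a SYSADMIN_USER value the way a filter_access
# gate would.
require 'yaml'

# Constructed sample in the shape of tests/hiera/common.yaml; sdiehl has a
# key but is deliberately absent from sysadmins::users.
HIERA = YAML.safe_load(<<~YAML)
  sysadmins::users:
    svarrette: { firstname: Sebastien, lastname: Varrette, email: s@domain.org, office: E-007 }
    hcartiaux: { firstname: Hyacinthe, lastname: Cartiaux, email: h@domain.org, office: E-008 }
  sysadmins::ssh_keys:
    svarrette:             { type: ssh-dss, public: AAAAB3NzaC1kc3MA... }
    svarrette@workstation: { type: ssh-rsa, public: 5reQfxIMsEU/4336qUHY0wAAAIBFs... }
    hcartiaux:             { type: ssh-dss, public: MAAACBAKQMf834bHh4TFMecBKK... }
    sdiehl:                { type: ssh-dss, public: QMf834bHh4T... }
YAML

# One authorized_keys line per key whose "<login>[@<comment>]" name starts
# with a registered login; keys of unknown logins are dropped, as in the
# README output. The "<name>-on-<account>" comment is an assumption
# inferred from that output.
def authorized_keys_entries(users, ssh_keys, account = 'localadmin')
  ssh_keys.map do |name, key|
    login = name.split('@', 2).first
    next nil unless users.key?(login)
    %(environment="SYSADMIN_USER=#{login}" #{key['type']} #{key['public']} #{name}-on-#{account})
  end.compact
end

# The check a ~localadmin/.sysadminrc style gate can perform (assumed
# logic): the SYSADMIN_USER exported by sshd for the key must be a
# registered login. If PermitUserEnvironment is off, the variable is
# absent and access is denied.
def access_allowed?(users, env)
  user = env['SYSADMIN_USER']
  !user.nil? && users.key?(user)
end

if $PROGRAM_NAME == __FILE__
  users = HIERA['sysadmins::users']
  puts authorized_keys_entries(users, HIERA['sysadmins::ssh_keys'])
  puts access_allowed?(users, ENV)
end
```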
## Librarian-Puppet / R10K Setup

You can of course configure the sysadmins module in your `Puppetfile` to make it available with Librarian puppet or r10k by adding the following entry:

```ruby
# Modules from the Puppet Forge
mod "ULHPC/sysadmins"
```

or, if you prefer to work on the git version:

```ruby
mod "ULHPC/sysadmins",
    :git => 'https://github.com/ULHPC/puppet-sysadmins',
    :ref => 'production'
```
## Issues / Feature request

You can submit bugs / issues / feature requests using the ULHPC/sysadmins Puppet Module Tracker.

## Developments / Contributing

If you want to contribute to the code, you shall be aware of the way this module is organized. These elements are detailed in `docs/contributing.md`. You are more than welcome to contribute to its development by sending a pull request.

The best way to test this module in a non-intrusive way is to rely on Vagrant. The `Vagrantfile` at the root of the repository pilots the provisioning of the various Vagrant boxes available on Vagrant Cloud that you can use to test this module. See `docs/vagrant.md` for more details.

## Resources

Read the Docs, aka RTFD, hosts documentation for the open source community, and the ULHPC/sysadmins Puppet module has its documentation (see the `docs/` directory) hosted on readthedocs. See `docs/rtfd.md` for more details.

## Licence

This project and the sources proposed within this repository are released under the terms of the GPL-3.0 licence.