• Stars
    star
    108
  • Rank 313,837 (Top 7 %)
  • Language
    HTML
  • License
    Other
  • Created almost 13 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Manage sudo with Puppet on Debian-, RedHat- and SUSE-based linux distributions and some BSDs

sudo module for Puppet

Build Status

Manage sudo configuration via Puppet

Supported OS

Some family and some specific os are supported by this module

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Selective Purge of sudoers.d Directory

A combination of prefix, suffix and purge_ignore can be used to purge only files that puppet previously created. If suffix is specified all puppet created sudoers.d entries will have this suffix apprended to the thier file name. If prefix is specified all puppet created sudoers.d entries will have this prefix prepended. A ruby glob can be used as ignore to ignore all files that do not have this suffix.

    class{'sudo':
      suffix => '_puppet',
      purge_ignore => '*[!_puppet]',
    }

or

    class{'sudo':
      prefix => 'puppet_',
      purge_ignore => '[!puppet_]*',
    }

Due to limitations in ruby glob the prefix and ignore is recommended.

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:
:hierarchy:
  - "%{environment}"
  - "defaults"
Load module

Load the module via Puppet Code or your ENC.

    include sudo
Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
    'bill':
        'template'  : "mymodule/bill.erb"

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
    'bill':
        'template'  : "mymodule/bill.erb"
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
	ensure          => "present",
	source          => "puppet:///modules/sudo/foreman-proxy",
	sudo_file_name  => "foreman-proxy",
}

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • Content may be an array, string will be added with return carriage after each element.
  • In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

Parameter Type Default Description
enable boolean true Set this to remove or purge all sudoers configs
package string OS specific Set package name (for unsupported platforms)
package_ensure string present latest, absent, or a specific package version
package_source string OS specific Set package source (for unsupported platforms)
purge boolean true Purge unmanaged files from config_dir
purge_ignore string undef Files excluded from purging in config_dir
config_file string OS specific Set config_file (for unsupported platforms)
config_file_replace boolean true Replace config file with module config file
includedirsudoers boolean OS specific Add #includedir /etc/sudoers.d with augeas
config_dir string OS specific Set config_dir (for unsupported platforms)
content string OS specific Alternate content file location
ldap_enable boolean false Add support to LDAP
configs hash {} A hash of sudo::conf's

sudo::conf class / sudo::configs hash parameters

Parameter Type Default Description
ensure string present present or absent
priority number 10 file name prefix
content string undef content of configuration snippet
source string undef source of configuration snippet
template string undef template of configuration snippet
sudo_config_dir string OS Specific configuration snippet directory (for unsupported platforms)
sudo_file_name string undef custom file name for sudo file in sudoers directory

More Repositories

1

puppet-ssh

Puppet module to manage ssh server and client
Ruby
124
star
2

puppet-php

Puppet module to manage php (Apache, CLI, FPM)
Puppet
66
star
3

puppet-memcached

Puppet module for memcached
Ruby
58
star
4

puppet-rsyslog

Manage rsyslog through puppet
Ruby
51
star
5

Naglite3

Nagios/Icinga status monitor for a NOC or operations room
PHP
44
star
6

puppet-timezone

Configure timezone settings through puppet
Ruby
39
star
7

puppet-locales

Manage locales with puppet
Puppet
24
star
8

puppet-limits

Manage user and group limits via Puppet
Ruby
17
star
9

puppet-ntp

Manage NTP client and server via puppet on Debian-, RedHat- and SUSE-based distributions
Puppet
16
star
10

puppet-dnsmasq

Manage dnsmasq with puppet
Puppet
15
star
11

puppet-resolv_conf

Manage /etc/resolv.conf with puppet
Ruby
13
star
12

puppet-vim

Manage vim through puppet
Ruby
12
star
13

puppet-gearman

Puppet module for gearman
Ruby
5
star
14

nagroid

Nagios client for Android
Java
4
star
15

puppet-denyhosts

Manage denyhosts via Puppet
Ruby
4
star
16

puppet-pureftpd

Module for configuring pure-ftpd via puppet
Puppet
3
star
17

socket-push

JavaScript
3
star
18

puppet-snmpd

Puppet
3
star
19

puppet-statsd

Manage statsd via Puppet
Puppet
2
star
20

mic2ha

Report the status of your microphone(s) to Home Assistant
Python
2
star
21

puppet-monit

Puppet
2
star
22

puppet-ipaddress

Manage ipaddresses via Puppet
Puppet
1
star
23

puppet-thin

Manage thin with puppet
Puppet
1
star
24

puppet-icinga

Manage Icinga via Puppet
Puppet
1
star
25

lang-which

Simple REST service to POST a string and receive the guessed language as response
Python
1
star
26

statsd-nagios-plugin

Check statsd with Nagios
Python
1
star
27

puppet-sphinxsearch

Manage Sphinx Search through puppet
Puppet
1
star
28

socket-push_original

my socket-push version before fork of brstgt
JavaScript
1
star
29

puppet-motd

Manage 'Message Of The Day' through puppet
Ruby
1
star
30

APC_Switch

Simple script for switching an outlet of an APC Switched PDU on or off using SNMP
Shell
1
star