Manage sudo configuration via Puppet
- Puppet >= 4
- Last version supporting Puppet 3: v4.2.0
Some family and some specific os are supported by this module
- debian osfamily (debian, ubuntu, kali, ...)
- redhat osfamily (redhat, centos, fedora, ...)
- suse osfamily (suse, opensuse, ...)
- solaris osfamily (Solaris, OmniOS, SmartOS, ...)
- freebsd osfamily
- openbsd osfamily
- aix osfamily
- darwin osfamily
- gentoo operating system
- archlinux operating system
- amazon operating system
This module will purge your current sudo config
If this is not what you're expecting, set purge and/or config_file_replace to false
class { 'sudo': } class { 'sudo':
config_file_replace => false,
}A combination of suffix and purge_ignore can be used to purge only files that puppet previously created.
If suffix is specified all puppet created sudoers.d entries will have this suffix apprended to
the thier file name. A ruby glob can be used as purge_ignore to ignore all files that do not have
this suffix.
class{'sudo':
suffix => '_puppet',
purge_ignore => '*[!_puppet]',
} class { 'sudo':
purge => false,
config_file_replace => false,
}Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.
class { 'sudo':
ldap_enable => true,
} class { 'sudo': }
sudo::conf { 'web':
source => 'puppet:///files/etc/sudoers.d/web',
}
sudo::conf { 'admins':
priority => 10,
content => '%admins ALL=(ALL) NOPASSWD: ALL',
}
sudo::conf { 'joe':
priority => 60,
source => 'puppet:///files/etc/sudoers.d/users/joe',
}A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.
Examples using:
- YAML backend
- an environment called production
- a /etc/puppet/hiera.yaml hierarchy configuration:
:hierarchy:
- "%{environment}"
- "defaults"Load the module via Puppet Code or your ENC.
include sudoThese defaults will apply to all systems.
sudo::configs:
'web':
'source' : 'puppet:///files/etc/sudoers.d/web'
'admins':
'content' : '%admins ALL=(ALL) NOPASSWD: ALL'
'priority' : 10
'joe':
'priority' : 60
'source' : 'puppet:///files/etc/sudoers.d/users/joe'This will only apply to the production environment. In this example we are:
- inheriting/preserving the web configuration
- overriding the admins configuration
- removing the joe configuration
- adding the bill template
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'priority' : 10
'joe':
'ensure' : 'absent'
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
'bill':
'template' : "mymodule/bill.erb"In this example we are:
- inheriting/preserving the web configuration
- overriding the admins:content setting
- inheriting/preserving the admins:priority setting
- inheriting/preserving the joe:source and joe:priority settings
- removing the joe configuration
- adding the bill template
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'joe':
'ensure' : 'absent'
'bill':
'template' : "mymodule/bill.erb"In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.
sudo::conf { "foreman-proxy":
ensure => "present",
source => "puppet:///modules/sudo/foreman-proxy",
sudo_file_name => "foreman-proxy",
}- One of content or source must be set.
- Content may be an array, string will be added with return carriage after each element.
- In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.
| Parameter | Type | Default | Description |
|---|---|---|---|
| enable | boolean | true | Set this to remove or purge all sudoers configs |
| package | string | OS specific | Set package name (for unsupported platforms) |
| package_ensure | string | present | latest, absent, or a specific package version |
| package_source | string | OS specific | Set package source (for unsupported platforms) |
| purge | boolean | true | Purge unmanaged files from config_dir |
| purge_ignore | string | undef | Files excluded from purging in config_dir |
| config_file | string | OS specific | Set config_file (for unsupported platforms) |
| config_file_replace | boolean | true | Replace config file with module config file |
| includedirsudoers | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas |
| config_dir | string | OS specific | Set config_dir (for unsupported platforms) |
| content | string | OS specific | Alternate content file location |
| ldap_enable | boolean | false | Add support to LDAP |
| configs | hash | {} | A hash of sudo::conf's |
| Parameter | Type | Default | Description |
|---|---|---|---|
| ensure | string | present | present or absent |
| priority | number | 10 | file name prefix |
| content | string | undef | content of configuration snippet |
| source | string | undef | source of configuration snippet |
| template | string | undef | template of configuration snippet |
| sudo_config_dir | string | OS Specific | configuration snippet directory (for unsupported platforms) |
| sudo_file_name | string | undef | custom file name for sudo file in sudoers directory |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent