Manage sudo configuration via Puppet
Some family and some specific os are supported by this module
This module will purge your current sudo config
If this is not what you're expecting, set purge
and/or config_file_replace
to false
class { 'sudo': }
class { 'sudo':
config_file_replace => false,
}
class { 'sudo':
purge => false,
config_file_replace => false,
}
Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.
class { 'sudo':
ldap_enable => true,
}
class { 'sudo': }
sudo::conf { 'web':
source => 'puppet:///files/etc/sudoers.d/web',
}
sudo::conf { 'admins':
priority => 10,
content => '%admins ALL=(ALL) NOPASSWD: ALL',
}
sudo::conf { 'joe':
priority => 60,
source => 'puppet:///files/etc/sudoers.d/users/joe',
}
A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.
Examples using:
:hierarchy:
- "%{environment}"
- "defaults"
Load the module via Puppet Code or your ENC.
include sudo
These defaults will apply to all systems.
sudo::configs:
'web':
'source' : 'puppet:///files/etc/sudoers.d/web'
'admins':
'content' : '%admins ALL=(ALL) NOPASSWD: ALL'
'priority' : 10
'joe':
'priority' : 60
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
This will only apply to the production environment. In this example we are:
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'priority' : 10
'joe':
'ensure' : 'absent'
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
'bill':
'template' : "mymodule/bill.erb"
In this example we are:
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'joe':
'ensure' : 'absent'
'bill':
'template' : "mymodule/bill.erb"
You can modify Default_Entry
lines by passing a Hash
to sudo::defaults
, where the key is Defaults
parameter name (see man 5 sudoers
for more details):
sudo::defaults:
lecture:
value: always
badpass_message:
value: "Password is wrong, please try again"
passwd_tries:
value: 5
insults:
mailto:
value: root@example.com
In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name
option to manually set the desired file name.
sudo::conf { "foreman-proxy":
ensure => "present",
source => "puppet:///modules/sudo/foreman-proxy",
sudo_file_name => "foreman-proxy",
}
See REFERENCE.md
See REFERENCE.md