-- mode: markdown; mode: visual-line; --

Sysadmins Puppet Module

Configuration of a single system administrator account (localadmin by default) attached to (potentially) several users

  Copyright (c) 2019 UL HPC Team <hpc-sysadmins@uni.lu>

| Project Page | Sources | Documentation | Issues |

Synopsis

Configuration of a single system administrator account (localadmin by default) attached to (potentially) several users.

This module implements the following elements:

• Puppet classes:

  • sysadmins
  • sysadmins::common
  • sysadmins::common::debian
  • sysadmins::common::redhat
  • sysadmins::params

• Puppet definitions:

All these components are configured through a set of variables you will find in manifests/params.pp.

Note: the various operations that can be conducted from this repository are piloted from a Rakefile and assumes you have a running Ruby installation. See docs/contributing.md for more details on the steps you shall follow to have this Rakefile working properly.

Dependencies

See metadata.json. In particular, this module depends on

• puppetlabs/stdlib
• puppetlabs/concat
• ULHPC/bash
• ULHPC/sudo
• camptocamp/accounts

Overview and Usage

Class sysadmins

This is the main class defined in this module. It accepts the following parameters:

• $ensure: default to 'present', can be 'absent'

• $login: the actual login used for the local sysadmin account

  • Default: localadmin

• $email: redirect all mails sent to the sysadmin account to this email address

• $purge_ssh_keys: whether to purge the authorized_keys files or not

• $filter_access: whether or not to prevent access to the sysadmin account for non-registered users (via ~<login>/.sysadminrc)

  • Default: true

• $users: hash of the users authorized to connect to the local sysadmin account i.e. the real users (system administrators). The format of each entry is as follows:

     <login>:
       firstname: <firstname>
       lastname: <lastname>
       email: <email>
       office: <address>
  

• $groups: Additonnal groups the sysadmin user is member of

• $ssh_keys: Hash of the SSH keys -- each entry should be prefixed by the appropriate login defined in sysadmins::users as follows:

      <login>[@<comment>]:
         type: <key_type>
         public: <public_key>
  

Use it as follows:

  class { 'sysadmins':
      ensure         => 'present',
      groups         => [ 'vagrant' ],   # can be a string
      users          => hiera_hash('sysadmins::users', {}),
      ssh_keys       => hiera_hash('sysadmins::ssh_keys', {}),
      purge_ssh_keys => true,
  }

Example hiera YAML file (see also tests/hiera/common.yaml):

#
# Example of Users definitions
#
sysadmins::users:
  svarrette:
    firstname: Sébastien
    lastname: Varrette
    email: Sebastien.Varrette@domain.org
    office: Campus Kirchberg, E-007
  hcartiaux:
    firstname: Hyacinthe
    lastname: Cartiaux
    email: Hyacinthe.Cartiaux@domain.org
    office: Campus Kirchberg, E-008
#
# SSH keys -- should be prefixed by the appropriate login defined in sysadmins::users
#   Format: <login>[@<comment>]:
#               type:
#               public:
#
sysadmins::ssh_keys:
  svarrette:
    type: ssh-dss
    public: AAAAB3NzaC1kc3MA...
  svarrette@workstation:
    type: ssh-rsa
    public: 5reQfxIMsEU/4336qUHY0wAAAIBFs...
  hcartiaux:
    type: ssh-dss
    public: MAAACBAKQMf834bHh4TFMecBKK...
  sdiehl:
    type: ssh-dss
    public: QMf834bHh4T...
  vplugaru:
    type: ssh-rsa
    public: HY0wAAAIBF...

See also tests/init.pp

This will create the localadmin account. In the example above, the ~localadmin/.ssh/authorized_keys holds the SSH keys of only svarrette and hcartiaux users as they are the ones listed in sysadmins::users. Example:

   $> cat ~localadmin/.ssh/authorized_keys
   # HEADER: This file was autogenerated at 2015-06-02 20:40:46 +0000
   # HEADER: by puppet.  While it can still be managed manually, it
   # HEADER: is definitely not recommended.
   environment="SYSADMIN_USER=svarrette" ssh-rsa 5reQfxIMsEU/4336qUHY0wAAAIBFs... svarrette@debugkey-on-localadmin
   environment="SYSADMIN_USER=hcartiaux" ssh-dss MAAACBAKQMf834bHh4TFMecBKK... hcartiaux-on-localadmin
   environment="SYSADMIN_USER=svarrette" ssh-dss AAAAB3NzaC1kc3MA... svarrette@falkor.uni.lux-on-localadmin

As you can notice, the special environment variable SYSADMIN_USER is set. It is used to eventually restrict the access to the localadmin account (see ~localadmin/.sysadminrc).

Librarian-Puppet / R10K Setup

You can of course configure the sysadmins module in your Puppetfile to make it available with Librarian puppet or r10k by adding the following entry:

 # Modules from the Puppet Forge
 mod "ULHPC/sysadmins"

or, if you prefer to work on the git version:

 mod "ULHPC/sysadmins", 
     :git => 'https://github.com/ULHPC/puppet-sysadmins',
     :ref => 'production' 

Issues / Feature request

You can submit bug / issues / feature request using the ULHPC/sysadmins Puppet Module Tracker.

Developments / Contributing to the code

If you want to contribute to the code, you shall be aware of the way this module is organized. These elements are detailed on docs/contributing.md.

You are more than welcome to contribute to its development by sending a pull request.

Puppet modules tests within a Vagrant box

The best way to test this module in a non-intrusive way is to rely on Vagrant. The Vagrantfile at the root of the repository pilot the provisioning various vagrant boxes available on Vagrant cloud you can use to test this module.

See docs/vagrant.md for more details.

Online Documentation

Read the Docs aka RTFD hosts documentation for the open source community and the ULHPC/sysadmins puppet module has its documentation (see the docs/ directly) hosted on readthedocs.

See docs/rtfd.md for more details.

Licence

This project and the sources proposed within this repository are released under the terms of the GPL-3.0 licence.