# buildsystem::sshuser — a local, key-only service account.
#
# Declares a local group and user named after the resource title, the
# home directory and ~/.ssh owned by that user, and an ssh::auth::key
# resource. The user's password field is set to '*' (see the exec
# below), so password authentication can never succeed and the account
# is reachable only through an SSH key.
#
# $homedir: absolute path of the home directory; created as a directory
#           owned by the user (managehome is also set on the user).
# $comment: GECOS/comment field of the user.
# $groups:  array of secondary groups (only local groups, no ldap).
define buildsystem::sshuser($homedir, $comment, $groups = []) {
  # Primary group, same name as the account; the user's gid points at it.
  group { $name: }
  user { $name:
    comment    => $comment,
    managehome => true,
    home       => $homedir,
    gid        => $name,
    groups     => $groups,
    shell      => '/bin/bash',
    # The unlock exec is refreshonly, so it runs only after this user
    # resource changes (e.g. on first creation).
    notify     => Exec["unlock $name"],
    # $title and $name carry the same value in this define.
    require    => Group[$title],
  }
  # set password to * to unlock the account but forbid login through login
  # '*' is never a valid password hash, so password logins are impossible
  # while the account itself stays enabled for key-based SSH.
  # NOTE(review): the command is not fully qualified and no `path` is set
  # here; this presumably relies on an Exec default (e.g. an `Exec { path => ... }`
  # resource default) elsewhere in the manifests — confirm, or add `path`.
  exec { "unlock $name":
    command     => "usermod -p '*' $name",
    refreshonly => true,
  }
  # Home directory, owned by the account; ordered after the user so the
  # owner/group names resolve.
  file { $homedir:
    ensure  => directory,
    owner   => $name,
    group   => $name,
    require => User[$name],
  }
  # ~/.ssh must not be readable by anyone but the owner or sshd ignores it.
  # NOTE(review): '0600' is given for a directory; Puppet adds the search bit
  # to directories wherever the read bit is set, so this should end up as
  # 0700 — confirm on the target Puppet version (or write '0700' explicitly).
  file { "$homedir/.ssh":
    ensure  => directory,
    mode    => '0600',
    owner   => $name,
    group   => $name,
    require => File[$homedir],
  }
  # NOTE(review): $login is neither a parameter of this define nor set inside
  # it; unless it comes from an enclosing or top scope, this title is undef.
  # $name is probably what was intended — confirm against the callers.
  ssh::auth::key { $login:
    # declare a key for sched bot: RSA, 2048 bits
    # NOTE(review): key type/size are not set here; they come from
    # ssh::auth::key's defaults, which are not visible in this file — confirm.
    home => $homedir,
  }
}