
sudo.pp 1.59 KB
# Installs sudo and, optionally, enables Duo for sudo.

# $duo: enable pam_duo for sudo. Defaults to false.
#
# $duo_sudoers: A list of users that are allowed to call sudo.
# Defaults to the empty array.
#
# $timeout: how long (in minutes) between requiring a new Duo re-auth.
# Default: 30
#
# Example.
# To install sudo with no Duo support:
#
#   include base::sudo
#
# Example.
# To install sudo WITH Duo support
#
#   class { 'base::sudo':
#     duo         => true,
#     duo_sudoers => ['adamhl', 'yuelu'],
#   }
#
# Example.
# To install sudo WITH Duo support and require Duo auths
# after 4 minutes.
#
#   class { 'base::sudo':
#     duo         => true,
#     duo_sudoers => ['adamhl', 'yuelu'],
#     timeout     => 4,
#   }

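class base::sudo(
  $duo         = false,
  $duo_sudoers = [],
  $timeout     = 30,
){
  # $duo_sudoers and $timeout are not referenced in this manifest; presumably
  # the ERB templates below read them from class scope (confirm against the
  # templates, which are not shown here).

  package { 'sudo':
    ensure => installed
  }

  # If duo is enabled, require base::duo and set up the PAM and
  # sudoers files.
  if ($duo) {
    include base::duo

    # Install the pam.d configuration that requires Duo on sudo.
    # Ownership and mode are pinned so that the PAM stack for sudo can only
    # be changed by root, whatever state a pre-existing file was left in.
    # The file is also ordered after the sudo package so that the package
    # and this resource do not race over the same path.
    file {'/etc/pam.d/sudo':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template('base/sudo/etc/pam.d/sudo.erb'),
      require => [Class['base::duo'], Package['sudo']],
    }

    # Install the sudoers file. This takes the array $duo_sudoers
    # and puts it into /etc/sudoers.d/duo
    if (downcase($::osfamily) =~ /^debian$/) {
      # sudo checks the ownership and permissions of the files it reads
      # from sudoers.d, so they are set explicitly (root:root, read-only)
      # instead of being left to Puppet's defaults.
      #
      # NOTE(review): the user names in $duo_sudoers are written into a
      # sudoers file by a template that is not visible here; confirm that
      # the template only emits well-formed user names. Where the Puppet
      # version in use supports the file type's validate_cmd attribute,
      # checking the rendered file with `visudo -cf %` before it is
      # installed would keep a malformed drop-in from breaking sudo.
      file {'/etc/sudoers.d/duo':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0440',
        content => template('base/sudo/etc/sudoers.d/duo.erb'),
        require => Package['sudo'],
      }
    } else {
      # Only the Debian family is handled; abort catalog compilation
      # rather than leave Duo-for-sudo half configured.
      fail("base::sudo with duo does not yet support ${::osfamily}.")
    }
  }
}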