# Installs sudo and, optionally, enables Duo for sudo.

# $duo: enable pam_duo for sudo. Defaults to false.
#
# $duo_sudoers: A list of users that are allowed to call sudo. When $duo
# is true, this list is rendered into /etc/sudoers.d/duo.
# Defaults to the empty array.
#
# Example.
# To install sudo with no Duo support:
#
#   include base::sudo
#
# Example.
# To install sudo WITH Duo support
#
#   class { 'base::sudo':
#     duo => true,
#     duo_sudoers => ['adamhl', 'yuelu']
#   }

class base::sudo(
  $duo         = false,
  $duo_sudoers = [],
){
  # sudo itself is always installed, whether or not Duo is enabled.
  package { 'sudo':
    ensure => 'installed',
  }

  # If duo is enabled, require base::duo and set up the
  # sudoers file.
  if ($duo) {
    include base::duo

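    # Install the pam.d configuration that requires Duo on sudo.
    #
    # Owner, group and mode are pinned because this file defines the
    # authentication stack for sudo. Without them, Puppet manages only the
    # content and leaves an existing file's permissions as it found them,
    # so a group- or world-writable copy would stay writable.
    file {'/etc/pam.d/sudo':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template('base/sudo/etc/pam.d/sudo.erb'),
      require => Class['base::duo'],
    }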
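    # Install the sudoers file. This takes the array $duo_sudoers
    # and puts it into /etc/sudoers.d/duo. Only the Debian OS family is
    # supported; any other family aborts catalog compilation.
    #
    # NOTE(review): the duo.erb template is not visible here. Confirm it
    # validates each $duo_sudoers entry as a plain user name before writing
    # it into a sudoers rule.
    if (downcase($::osfamily) =~ /^debian$/) {
      file {'/etc/sudoers.d/duo':
        ensure       => present,
        # sudoers drop-ins are conventionally root-owned and mode 0440.
        # Pinning these also corrects an existing file with looser
        # permissions, which a content-only resource would not touch.
        owner        => 'root',
        group        => 'root',
        mode         => '0440',
        content      => template('base/sudo/etc/sudoers.d/duo.erb'),
        # Syntax-check the rendered file before it replaces the live one.
        # A malformed drop-in can make sudo refuse to run for every user on
        # the host. Needs a Puppet release whose file type supports
        # validate_cmd.
        validate_cmd => '/usr/sbin/visudo -cf %',
        require      => Package['sudo'],
      }
    } else {
      fail("base::sudo with duo does not yet support ${::osfamily}.")
    }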