# Installs sudo and, optionally, enables Duo for sudo.
# $duo: enable pam_duo for sudo. Defaults to false.
#
# $duo_sudoers: A list of users that are allowed to call sudo.
# Defaults to the empty array.
#
# $timeout: number of minutes after a Duo authentication before sudo
# requires a new one.
# Default: 30
#
# $debuild: set this true if you need to set up a debuild environment.
# Default: false
#
# Example.
# To install sudo with no Duo support:
#
# include base::sudo
#
# Example.
# To install sudo WITH Duo support
#
# class { 'base::sudo':
# duo => true,
# duo_sudoers => ['adamhl', 'yuelu'],
# }
#
# Example.
# To install sudo WITH Duo support and require Duo auths
# after 4 minutes.
#
# class { 'base::sudo':
# duo => true,
# duo_sudoers => ['adamhl', 'yuelu'],
# timeout => 4,
# }
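class base::sudo(
  $duo         = false,
  $duo_sudoers = [],
  $timeout     = 30,
  $debuild     = false,
){
  # NOTE(review): $timeout and $debuild are not referenced in this manifest;
  # presumably the ERB templates below read them -- confirm. Every entry of
  # $duo_sudoers ends up in a sudoers file, so callers should pass only
  # trusted, literal user names.

  package { 'sudo':
    ensure => installed,
  }

  # If duo is enabled, require base::duo and set up the PAM and sudoers
  # files. On an unsupported OS family the fail() below aborts catalog
  # compilation, so neither file is applied on its own.
  if ($duo) {
    include base::duo

    # Install the pam.d configuration that requires Duo on sudo.
    # Ownership and mode are pinned so that only root can change the
    # authentication stack sudo uses.
    file { '/etc/pam.d/sudo':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template('base/sudo/etc/pam.d/sudo.erb'),
      require => Class['base::duo'],
    }

    # Install the sudoers file. This takes the array $duo_sudoers
    # and puts it into /etc/sudoers.d/duo
    if (downcase($::osfamily) =~ /^debian$/) {
      # root:root 0440 is set explicitly rather than inherited from Puppet's
      # defaults: sudo rejects sudoers files with unsafe ownership or
      # permissions, and a writable fragment is a privilege-escalation path.
      # NOTE(review): where the Puppet version supports it, adding
      # validate_cmd => '/usr/sbin/visudo -cf %' would keep a badly rendered
      # template from replacing a working fragment.
      file { '/etc/sudoers.d/duo':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0440',
        content => template('base/sudo/etc/sudoers.d/duo.erb'),
        require => Package['sudo'],
      }
    } else {
      fail("base::sudo with duo does not yet support ${::osfamily}.")
    }
  }
}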