buildsystem/manifests/sshuser.pp

# $groups: array of secondary groups (only local groups, no ldap)
define buildsystem::sshuser($homedir, $comment, $groups = []) {
    group { $name: }

    user { $name:
        comment    => $comment,
        managehome => true,
        home       => $homedir,
        gid        => $name,
        groups     => $groups,
        shell      => '/bin/bash',
        notify     => Exec["unlock $name"],
        require    => Group[$title],
    }

    # set password to * to unlock the account but forbid login through login
    exec { "unlock $name":
        command     => "usermod -p '*' $name",
        refreshonly => true,
    }

    file { $homedir:
        ensure  => directory,
        owner   => $name,
        group   => $name,
        require => User[$name],
    }

    file { "$homedir/.ssh":
        ensure  => directory,
        mode    => '0600',
        owner   => $name,
        group   => $name,
        require => File[$homedir],
    }

    ssh::auth::key { $name:
            # declare a key for sched bot: RSA, 2048 bits
            home => $homedir,
    }
}
1	# $groups: array of secondary groups (only local groups, no ldap)
2	define buildsystem::sshuser($homedir, $comment, $groups = []) {
3	group { $name: }
4
5	user { $name:
6	comment => $comment,
7	managehome => true,
8	home => $homedir,
9	gid => $name,
10	groups => $groups,
11	shell => '/bin/bash',
12	notify => Exec["unlock $name"],
13	require => Group[$title],
14	}
15
16	# set password to * to unlock the account but forbid login through login
17	exec { "unlock $name":
18	command => "usermod -p '*' $name",
19	refreshonly => true,
20	}
21
22	file { $homedir:
23	ensure => directory,
24	owner => $name,
25	group => $name,
26	require => User[$name],
27	}
28
29	file { "$homedir/.ssh":
30	ensure => directory,
31	mode => '0600',
32	owner => $name,
33	group => $name,
34	require => File[$homedir],
35	}
36
37	ssh::auth::key { $name:
38	# declare a key for sched bot: RSA, 2048 bits
39	home => $homedir,
40	}
41	}