# $groups: array of secondary groups (local groups only; LDAP groups are not supported)
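# Create a local service account whose only access path is an SSH key.
#
# Parameters:
#   $homedir - absolute path of the account's home directory (created if missing)
#   $comment - GECOS / description string for the account
#   $groups  - array of secondary groups; must already exist locally (no LDAP)
#
# The account name is the resource title ($name); a primary group of the
# same name is created for it.
define buildsystem::sshuser($homedir, $comment, $groups = []) {
  # $name is interpolated into a shell command below, so refuse anything
  # that is not a plain POSIX account name before declaring any resource.
  if $name !~ /^[a-z_][a-z0-9_-]*$/ {
    fail("buildsystem::sshuser: invalid account name '${name}'")
  }

  group { $name: }

  user { $name:
    comment    => $comment,
    managehome => true,
    home       => $homedir,
    gid        => $name,
    groups     => $groups,
    shell      => '/bin/bash',
    # Re-run the unlock exec whenever the user resource changes (creation included).
    notify     => Exec["unlock $name"],
    require    => Group[$name],
  }

  # Newly created accounts typically get a locked ('!') password hash, which
  # some PAM/sshd setups treat as "account locked" and then refuse even
  # key-based SSH logins. A hash of '*' matches no password, so interactive
  # password login stays impossible while SSH public-key auth works.
  # NOTE(review): this only runs when the user resource changes; a password
  # set out-of-band afterwards is not reset by Puppet.
  exec { "unlock $name":
    command     => "usermod -p '*' '${name}'",
    # exec requires either a fully-qualified command or a search path.
    path        => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
    refreshonly => true,
  }

  file { $homedir:
    ensure  => directory,
    owner   => $name,
    group   => $name,
    require => User[$name],
  }

  # sshd (StrictModes) rejects authorized_keys when ~/.ssh is group/world
  # accessible; 0700 is the conventional mode. A directory needs the execute
  # bit to be traversable, so 0600 would lock the owner out of its own ~/.ssh.
  file { "$homedir/.ssh":
    ensure  => directory,
    mode    => '0700',
    owner   => $name,
    group   => $name,
    require => File[$homedir],
  }

  # Manage an SSH keypair for the account under $homedir via the ssh::auth
  # module. Key type and length are whatever that module defaults to —
  # TODO confirm those defaults meet current policy (e.g. ed25519 or RSA >= 3072).
  ssh::auth::key { $name:
    home => $homedir,
  }
}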