
Contents of /puppet/modules/restrictshell/manifests/init.pp



Revision 435 - (show annotations) (download)
Tue Nov 23 23:17:46 2010 UTC (13 years, 4 months ago) by misc
File size: 2405 byte(s)
link root keys in the /var/lib/pubkeys ( easier than to change the location of root keys deployed by puppet )
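# Module restrictshell: deploys the sv_membersh.pl script with its
# configuration, and the tooling that exports SSH public keys from LDAP
# into a root-owned directory.
#
# Everything here decides who may log in and what they may run, so all
# managed paths are owned by root and are not writable by group or other.
class restrictshell {
    # Installs the sv_membersh.pl script, its main configuration file and the
    # drop-in directory that restrictshell::allow fills.
    class shell {
        file { '/etc/membersh-conf.d':
            ensure => directory,
            owner  => root,
            group  => root,
            mode   => '0755',
        }

        file { '/usr/local/bin/sv_membersh.pl':
            ensure  => present,
            owner   => root,
            group   => root,
            mode    => '0755',
            content => template('restrictshell/sv_membersh.pl'),
        }

        # NOTE(review): this file and the allow_*.pl drop-ins are installed
        # with the executable bit set. If sv_membersh.pl only reads them as
        # configuration, 0644 would be enough - confirm how they are loaded
        # before tightening.
        file { '/etc/membersh-conf.pl':
            ensure  => present,
            owner   => root,
            group   => root,
            mode    => '0755',
            content => template('restrictshell/membersh-conf.pl'),
        }
    }

    # Installs ldap-sshkey2file.py and prepares the directory tree that holds
    # the exported public keys.
    class ssh_keys_from_ldap {

        package { 'python-ldap':
            ensure => installed,
        }

        # The key directory must stay root-owned and not writable by anyone
        # else: whoever can write below it can add keys for other accounts.
        $pubkeys_directory = '/var/lib/pubkeys'
        file { $pubkeys_directory:
            ensure => directory,
            owner  => root,
            group  => root,
            mode   => '0755',
        }

        file { "${pubkeys_directory}/root":
            ensure => directory,
            owner  => root,
            group  => root,
            mode   => '0700',
        }

        # root's keys are deployed by puppet to /root/.ssh/authorized_keys;
        # link them here instead of changing that location.
        # NOTE(review): mode is set on a symlink. Whether it is applied to the
        # link, to the target, or ignored depends on the Puppet version and
        # platform; the permissions of the target file should be enforced
        # where that file is managed.
        file { "${pubkeys_directory}/root/authorized_keys":
            ensure => link,
            target => '/root/.ssh/authorized_keys',
            mode   => '0700',
        }

        # Not referenced elsewhere in this manifest; presumably read by the
        # ldap-sshkey2file.py template - confirm.
        # NOTE(review): the script below is world-readable, so the template
        # should embed only this path, never the secret itself. Ownership and
        # mode of the secret file are not managed here.
        $ldap_pwfile = '/etc/ldap.secret'
        file { '/usr/local/bin/ldap-sshkey2file.py':
            ensure  => present,
            owner   => root,
            group   => root,
            mode    => '0755',
            content => template('restrictshell/ldap-sshkey2file.py'),
            # The metaparameter is "require"; "requires" is not valid.
            require => Package['python-ldap'],
        }
    }

    # Enables one service by dropping a one-line Perl fragment into
    # /etc/membersh-conf.d.
    #
    # $name is interpolated into both the file path and the generated Perl
    # source, so the title must be a plain identifier (letters, digits,
    # underscore). Only declare it with fixed literals, as the wrapper classes
    # below do; never with data taken from outside the manifests.
    define allow {
        include restrictshell::shell
        file { "/etc/membersh-conf.d/allow_${name}.pl":
            ensure  => present,
            owner   => root,
            group   => root,
            mode    => '0755',
            content => "\$use_${name} = 1;\n",
        }
    }

    # yes, we could directly use the allow, but this is
    # a nicer syntax
    class allow_git {
        restrictshell::allow { 'git': }
    }

    class allow_rsync {
        restrictshell::allow { 'rsync': }
    }

    class allow_pkgsubmit {
        restrictshell::allow { 'pkgsubmit': }
    }

    class allow_svn {
        restrictshell::allow { 'svn': }
    }

    class allow_scp {
        restrictshell::allow { 'scp': }
    }

    class allow_sftp {
        restrictshell::allow { 'sftp': }
    }
    # technically, we could add cvs too
    # but I doubt we will use it one day

}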
