make user/group of resources configurable

Author: saz

data/common.yaml

@@ -21,6 +21,11 @@ ssh::server::sshd_config_mode: '0600'
 ssh::client::ssh_config: '/etc/ssh/ssh_config'
 ssh::server::service_name: 'svc:/network/ssh:default'
 ssh::sftp_server_path: 'internal-sftp'
+ssh::client::config_user: 0
+ssh::client::config_group: 0
+ssh::server::config_user: 0
+ssh::server::config_group: 0
+ssh::server::host_priv_key_user: 0
 ssh::server::host_priv_key_group: 0
 ssh::server::host_priv_key_mode: '0600'
 ssh::validate_sshd_file             : false

manifests/client.pp

@@ -35,16 +35,23 @@
 # @param match_block
 #   Add ssh match_block (with concat)
 #
+# @param config_user
+#   Numeric id or name of the user for the config file
+# @param config_group
+#   Numeric id or name of the group for the config file
+#
 class ssh::client (
-  Stdlib::Absolutepath $ssh_config,
-  Hash                 $default_options,
-  Optional[String[1]]  $client_package_name  = undef,
-  String               $ensure               = present,
-  Boolean              $storeconfigs_enabled = true,
-  Hash                 $options              = {},
-  Boolean              $use_augeas           = false,
-  Array                $options_absent       = [],
-  Hash                 $match_block          = {},
+  Stdlib::Absolutepath        $ssh_config,
+  Hash                        $default_options,
+  Variant[Integer, String[1]] $config_user,
+  Variant[Integer, String[1]] $config_group,
+  Optional[String[1]]         $client_package_name  = undef,
+  String                      $ensure               = present,
+  Boolean                     $storeconfigs_enabled = true,
+  Hash                        $options              = {},
+  Boolean                     $use_augeas           = false,
+  Array                       $options_absent       = [],
+  Hash                        $match_block          = {},
 ) {
   if $use_augeas {
     $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })

manifests/client/config.pp

@@ -18,8 +18,8 @@
   } else {
     concat { $ssh::client::ssh_config:
       ensure => present,
-      owner  => 0,
-      group  => 0,
+      owner  => $ssh::client::config_user,
+      group  => $ssh::client::config_group,
       mode   => '0644',
     }
 

manifests/server.pp

@@ -23,12 +23,21 @@
 # @param sshd_config_mode
 #   Mode to set on the sshd config file
 #
+# @param host_priv_key_user
+#   Numeric id or name of the user for the private host key
+#
 # @param host_priv_key_group
-#   Name of the group for the private host key
+#   Numeric id or name of the group for the private host key
 #
 # @param host_priv_key_mode
 #   Mode of the private host key
 #
+# @param config_user
+#   Numeric id or name of the user for the sshd config file
+#
+# @param config_group
+#   Numeric id or name of the group for the sshd config file
+#
 # @param default_options
 #   Default options to set, will be merged with options parameter
 #
@@ -80,8 +89,11 @@
   Stdlib::Absolutepath           $sshd_dir,
   Stdlib::Absolutepath           $sshd_binary,
   Stdlib::Filemode               $sshd_config_mode,
-  Integer                        $host_priv_key_group,
+  Variant[Integer, String[1]]    $host_priv_key_user,
+  Variant[Integer, String[1]]    $host_priv_key_group,
   Stdlib::Filemode               $host_priv_key_mode,
+  Variant[Integer, String[1]]    $config_user,
+  Variant[Integer, String[1]]    $config_group,
   Hash                           $default_options,
   String                         $ensure                 = present,
   Optional[Stdlib::Absolutepath] $include_dir            = undef,

manifests/server/config.pp

@@ -34,8 +34,8 @@
   } else {
     concat { $ssh::server::sshd_config:
       ensure       => present,
-      owner        => 0,
-      group        => 0,
+      owner        => $ssh::server::config_user,
+      group        => $ssh::server::config_group,
       mode         => $ssh::server::sshd_config_mode,
       validate_cmd => $sshd_validate_cmd,
       notify       => Service[$ssh::server::service_name],
@@ -51,8 +51,8 @@
   if $ssh::server::include_dir {
     file { $ssh::server::include_dir:
       ensure  => directory,
-      owner   => 0,
-      group   => 0,
+      owner   => $ssh::server::config_user,
+      group   => $ssh::server::config_group,
       mode    => $ssh::server::include_dir_mode,
       purge   => $ssh::server::include_dir_purge,
       recurse => $ssh::server::include_dir_purge,
@@ -68,8 +68,8 @@
   if $ssh::server::use_issue_net {
     file { $ssh::server::issue_net:
       ensure  => file,
-      owner   => 0,
-      group   => 0,
+      owner   => $ssh::server::config_user,
+      group   => $ssh::server::config_group,
       mode    => $ssh::server::sshd_config_mode,
       content => template("${module_name}/issue.net.erb"),
       notify  => Service[$ssh::server::service_name],

manifests/server/config_file.pp

@@ -31,8 +31,8 @@
 
   concat { $path:
     ensure       => present,
-    owner        => 0,
-    group        => 0,
+    owner        => $ssh::server::config_user,
+    group        => $ssh::server::config_group,
     mode         => $mode,
     validate_cmd => $sshd_validate_cmd,
     notify       => Service[$ssh::server::service_name],

manifests/server/host_key.pp

@@ -87,8 +87,8 @@
   if $ensure == 'present' {
     file { "${name}_pub":
       ensure  => $ensure,
-      owner   => 0,
-      group   => 0,
+      owner   => $ssh::server::config_user,
+      group   => $ssh::server::config_group,
       mode    => '0644',
       path    => "${ssh::server::sshd_dir}/${name}.pub",
       source  => $manage_pub_key_source,
@@ -98,7 +98,7 @@
 
     file { "${name}_priv":
       ensure    => $ensure,
-      owner     => 0,
+      owner     => $ssh::server::host_priv_key_user,
       group     => $ssh::server::host_priv_key_group,
       mode      => $ssh::server::host_priv_key_mode,
       path      => "${ssh::server::sshd_dir}/${name}",
@@ -110,16 +110,16 @@
   } else {
     file { "${name}_pub":
       ensure => $ensure,
-      owner  => 0,
-      group  => 0,
+      owner  => $ssh::server::config_user,
+      group  => $ssh::server::config_group,
       mode   => '0644',
       path   => "${ssh::server::sshd_dir}/${name}.pub",
       notify => Class['ssh::server::service'],
     }
 
     file { "${name}_priv":
       ensure    => $ensure,
-      owner     => 0,
+      owner     => $ssh::server::host_priv_key_user,
       group     => $ssh::server::host_priv_key_group,
       mode      => $ssh::server::host_priv_key_mode,
       path      => "${ssh::server::sshd_dir}/${name}",
@@ -132,8 +132,8 @@
     if $ensure == 'present' {
       file { "${name}_cert":
         ensure  => $ensure,
-        owner   => 0,
-        group   => 0,
+        owner   => $ssh::server::config_user,
+        group   => $ssh::server::config_group,
         mode    => '0644',
         path    => "${ssh::server::sshd_dir}/${name}-cert.pub",
         source  => $manage_cert_source,
@@ -143,8 +143,8 @@
     } else {
       file { "${name}_cert":
         ensure => $ensure,
-        owner  => 0,
-        group  => 0,
+        owner  => $ssh::server::config_user,
+        group  => $ssh::server::config_group,
         mode   => '0644',
         path   => "${ssh::server::sshd_dir}/${name}-cert.pub",
         notify => Class['ssh::server::service'],

manifests/server/instances.pp

@@ -55,8 +55,8 @@
 
     concat { $sshd_instance_config_file:
       ensure       => $ensure,
-      owner        => 0,
-      group        => 0,
+      owner        => $ssh::server::config_user,
+      group        => $ssh::server::config_group,
       mode         => '0600',
       validate_cmd => $validate_cmd,
       notify       => Service["${title}.service"],