A bit of beautification and more documentation

81e63369 · Christopher Huhn · 21fbc9bb · 81e63369 · 81e63369
Commit 81e63369 authored Nov 20, 2018 by Christopher Huhn
--- a/documents/accounts.md
+++ b/documents/accounts.md
+# `sys::accounts`
+
 Create user accounts.

 ↪ `attributes/accounts.rb`  
 ↪ `recipes/accounts.rb`  
 ↪ `tests/roles/sys_accounts_test.rb`  

-**Attributes**
+## Standard user ressource attributes

-All attributes in `node.sys.accounts`, where each key is a user 
-name with a configuration value. It wraps the `user` resources,
-thus supports all of its options.
+Attributes are set beneath `node['sys']['accounts'][_username_]`.
+It wraps the `user` resources, thus supports all of its options.

-**Example**
+### Example

    :sys => {
      :accounts => {
@@ -27,10 +28,44 @@ thus supports all of its options.
        :uhura => {
          :home => '/home/uhura',
          :password => '$6$M4oxTop4k/2kd1nmrsiZdFfzKr1Q/',
-          :supports => {
-            :manage_home => true
-          }
+          :manage_home => true
        }
      }
    }

+
+## Non-standard attributes
+
+`sys::accounts` supports additional attributes:
+
+### Remote access
+
+`node['sys'}['accounts'][_username_]['remote']` will add a rule
+to `/etc/security/access.conf` cf. `recipes/pam.rb`, eg:
+
+    sys: {
+      accounts: {
+        picard: {
+          remote: 'ALL'
+        }
+        riker: {
+          remote: 'ncc.1701.de'
+        }
+      }
+    }
+
+### sudo permissions
+
+`node['sys'}['accounts'][_username_]['sudo']` will add a rule
+to `/etc/sudoers.d/localadmin` cf. `recipes/sudo.rb`, eg:
+
+    sys: {
+      accounts: {
+        q: {
+          sudo: 'NOPASSWD: ALL'
+        }
+        picard: {
+          sudo: '/sbin/shutdown'
+        }
+      }
+    }
--- a/recipes/accounts.rb
+++ b/recipes/accounts.rb
@@ -143,6 +143,7 @@ unless (node['sys']['accounts'].empty? and node['sys']['groups'].empty?)
        end
      end

+      # add sudo rules from the sudo attribute:
      if account.has_key?('sudo')
        rule = "#{name} #{node['fqdn']} = #{account['sudo']}"
        if node['sys']['sudo'].has_key?('localadmin')
@@ -154,13 +155,14 @@ unless (node['sys']['accounts'].empty? and node['sys']['groups'].empty?)
        end
      end

+      # add pam_access rules from the remote attribute:
      if account.key?('remote')
        if node['sys']['pam'].key?('access')
          node.default['sys']['pam']['access'] <<
-            "+:#{name}:#{account['remote']} LOCAL"
+            "+ : #{name} : #{account['remote']} LOCAL"
        else
          node.default['sys']['pam']['access'] = [
-            "+:#{name}:#{account['remote']} LOCAL"
+            "+ : #{name} : #{account['remote']} LOCAL"
          ]
        end
        log "Configuring remote access rules for #{name}" do