Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.21.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'kn-doas', '0.1.1'
doas
Description
Manage doas.conf(5) rulesets on OpenBSD. Strong types, a stable configuration order and validation help avoid mistakes.
Usage
Ensure the configuration file is absent when no rules are defined:
include doas
Permit the developers group to run the deploy command with a fixed argument list and nothing else:
doas::rule { 'deploy':
  identity => ':dev',
  target   => '_push',
  cmd      => '/usr/local/bin/deploy',
  args     => [
    '--testing',
  ],
}
Grant the admin group passwordless access to all users and programs:
doas::rule { 'admins':
  identity => ':wheel',
  nopass   => true,
}
Permit a user to run a script as root, e.g. doas /usr/local/bin/script:
doas::rule { 'script':
  identity => 'kn',
  target   => 'root',
  cmd      => '/usr/local/bin/script',
}
Permit the admin group to configure the network, but only as a dry run, i.e. doas /bin/sh /etc/netstart -n:
doas::rule { 'netstart':
  identity => ':wheel',
  target   => 'root',
  # the command and its exact arguments, matching the invocation above
  cmd      => '/bin/sh',
  args     => [
    '/etc/netstart',
    '-n',
  ],
}
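The examples above each declare one rule in isolation. The following manifest is an added example, not part of the kn-doas documentation, showing how the order parameter interacts with doas.conf(5) semantics, where the last matching rule decides: a broad permit is sorted first, and a narrower deny for the same group is sorted last so it wins for that one command. The rule titles, the ':operators' group and the '_backup' account and '/usr/local/bin/snapshot' path are made-up values; that the module emits rules in ascending order and that doas::rule does not itself include the doas class are assumptions.

```puppet
# Added example (not from the kn-doas module). Declares the class explicitly
# so the file is managed even if doas::rule does not include it (assumption).
include doas

# Sorted first ('10'): operators may become root, must enter their password,
# and authentication persists for a while.
doas::rule { 'ops-maintenance':
  order    => '10',
  identity => ':operators',   # made-up group name
  target   => 'root',
  persist  => true,
}

# Sorted second ('20'): a service account may run exactly one command with
# exactly one argument, without a password. Narrow scope justifies nopass.
doas::rule { 'backup-snapshot':
  order    => '20',
  identity => '_backup',      # made-up account name
  target   => 'root',
  nopass   => true,
  cmd      => '/usr/local/bin/snapshot',   # made-up path
  args     => ['--quiet'],
}

# Sorted last ('90'): doas(1) applies the last matching rule, so this deny
# overrides the '10' permit for operators invoking a shell as root.
doas::rule { 'no-root-shell-for-operators':
  order    => '90',
  action   => 'deny',
  identity => ':operators',
  target   => 'root',
  cmd      => '/bin/sh',
}
```

Because order defaults to $title, rules without an explicit order are sorted by their titles; giving every rule a numeric prefix as above keeps the precedence visible in the manifest rather than depending on how titles happen to sort. Assuming the module renders each rule in doas.conf(5) syntax, the resulting file is expected to contain, in this order, a permit persist line for :operators, a permit nopass line for _backup with its cmd and args, and the deny line for :operators running /bin/sh.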
Limitations
This module is written for and tested on OpenBSD.
Development
Feedback and diffs are always welcome.
Reference
Table of Contents
Classes
doas: Manage doas.conf(5)
Defined types
doas::rule: Individual doas.conf(5) rule
Data types
Doas::Identity, Doas::Target
Classes
doas
Maintain uniform and validated doas(1) rulesets
Examples
include doas
Parameters
The following parameters are available in the doas class.
config_file
Data type: Stdlib::Unixpath
The configuration file to be managed
Default value: '/etc/doas.conf'
rules
Data type: Optional[Hash]
Individual rules
Default value: undef
Defined types
doas::rule
Generate a single doas.conf(5) line
Examples
doas::rule { 'everything goes for wheel':
  nopass   => true,
  keepenv  => true,
  setenv   => [
    'HOME',
  ],
  identity => ':wheel',
}
Parameters
The following parameters are available in the doas::rule defined type.
order
Data type: Variant[String,Integer]
Alphanumerical key to sort this rule in the file
Default value: $title
action
Data type: Enum['permit','deny']
The action to be taken if this rule matches
Default value: 'permit'
nopass
Data type: Boolean
Whether the user may run the command without entering a password (the doas.conf(5) nopass option)
Default value: false
nolog
Data type: Boolean
Whether to suppress logging of successful command execution to syslogd(8) (the doas.conf(5) nolog option)
Default value: false
persist
Data type: Boolean
Whether successful authentication persists for some time
Default value: false
keepenv
Data type: Boolean
Whether environment variables are retained for the new process
Default value: false
setenv
Data type: Optional[Array[String[1],1]]
List of variables to set or remove
Default value: undef
identity
Data type: Doas::Identity
User name, or group name prefixed with ':', of the invoking user to match
Default value: $title
target
Data type: Optional[Doas::Target]
Target user allowed or denied to run as
Default value: undef
cmd
Data type: Optional[Stdlib::Unixpath]
Command allowed or denied to run
Default value: undef
args
Data type: Optional[Array[String]]
Exact command arguments
Default value: undef
Data types
Doas::Identity
The Doas::Identity data type: a user name, or a group name prefixed with ':', as used on the left-hand side of a doas.conf(5) rule.
Alias of Pattern[/^:?[a-zA-Z0-9._][a-zA-Z0-9._-]{1,30}\$?$/]
Doas::Target
The Doas::Target data type: the user name a rule allows or denies running as (no ':' group prefix is accepted here).
Alias of Pattern[/^[a-zA-Z0-9._][a-zA-Z0-9._-]{1,30}\$?$/]
Dependencies
- puppetlabs/concat (>= 7.1.1)
- puppetlabs/stdlib (>= 8.0.0)