I am currently trying to move our Puppet setup to further use Hiera. In regard to this, I would like to create the users with Hiera, but I am having some problems with how to do this when moving up in the hierarchy.
The scenario is that I want to have a set of base users which are included in every installation. Also, I sometimes need to add some specific users only for a different subset of nodes, maybe specific to some datacenters or to some nodes.
So I thought about the following setup:
hiera.yaml:

    :hierarchy:
      - "nodes/%{::trusted.certname}"
      - "datacenter/%{::datacenter}"
      - "common"

users.pp:

    class profile::users {
      $user_accounts = hiera('user_accounts')
      create_resources(user, $user_accounts)
    }

and in common.yaml:

    user_accounts:
      bob:
        comment: "Bob"
        managehome: true

and then go up the hierarchy. The main problems I see with this are:
- How do I implement default attributes for each user? For example, in this example, I want to set managehome: true for all users, and not explicitly write it every time. I maybe want to disable it sometimes, though.
- If I have user_accounts further up in the hierarchy, it would overwrite the user_accounts hash from common.yaml, so that I would need to duplicate the entries. I stumbled across the deep merging in Hiera, but wonder if this is actually used or is best practice. Also, it would not solve the first problem, and I need to set merge_behavior in hiera.yaml, which I want to avoid.
- How could I insert ssh keys for every user here? The nicest solution would be to just add the ssh keys as an attribute to the user account.
So, does anyone have an insight how user management is actually nicely done with Puppet? Thanks :)
Implement default attributes for each user in the type definition:

Yes, you need to use merging, but rather than specifying it in the hiera data, use the hiera_array function to do the lookup for the data you want.

SSH keys are just another attribute in the data set, which your user type should set appropriately on the system.
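
The three points above combined in one sketch, as an added example that is not code from the question or the answer. It assumes a hypothetical defined type `profile::users::account` and a hypothetical per-user `ssh_keys` hash in the Hiera data, and it uses `hiera_hash` (the hash-merging lookup function, where the answer names `hiera_array`) because `user_accounts` is a hash. `purge_ssh_keys` is added here so that keys not declared in Hiera are removed from each managed account.

```puppet
# Added example. profile::users::account and the ssh_keys key are assumptions.
#
# Constructed Hiera data for a datacenter level, merged with common.yaml:
#   user_accounts:
#     alice:
#       comment: "Alice"
#       managehome: false          # per-user override of the default
#       ssh_keys:
#         "alice@laptop":          # titles must be unique across the catalog
#           type: ssh-rsa
#           key: "<base64 public key placeholder>"

define profile::users::account (
  $ensure     = 'present',
  $comment    = undef,
  $managehome = true,              # default for every user, set once here
  $ssh_keys   = {}
) {
  user { $title:
    ensure         => $ensure,
    comment        => $comment,
    managehome     => $managehome,
    # Remove any authorized key that is not declared in Hiera, so a key
    # added by hand on the node does not survive the next Puppet run.
    purge_ssh_keys => true,
  }

  if $ensure == 'present' {
    # Every entry becomes an ssh_authorized_key bound to this user.
    create_resources('ssh_authorized_key', $ssh_keys, {
      'user'    => $title,
      'require' => User[$title],
    })
  }
}

class profile::users {
  # hiera_hash merges the top-level keys found at every hierarchy level,
  # so node and datacenter files only list the users they add or override.
  # No :merge_behavior: setting in hiera.yaml is needed for this.
  $user_accounts = hiera_hash('user_accounts', {})
  create_resources('profile::users::account', $user_accounts)
}
```

With the default merge behaviour, a user defined at two levels is taken whole from the higher-priority level rather than merged attribute by attribute.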