StephenKing · December 27, 2011 13:00
diff --git a/sysadmin.rb b/sysadmin.rb
 #
 # Cookbook Name:: users
 # Recipe:: sysadmins
 #
 # Copyright 2009-2011, Opscode, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 # 
 #     http://www.apache.org/licenses/LICENSE-2.0
 # 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #

 sysadmin_group = Array.new

 search(:users, 'groups:sysadmin') do |u|
  sysadmin_group << u['id']

  if node[:apache] and node[:apache][:allowed_openids]
    Array(u['openid']).compact.each do |oid|
      node[:apache][:allowed_openids] << oid unless node[:apache][:allowed_openids].include?(oid)
    end
  end

  home_dir = "/home/#{u['id']}"

  # fixes CHEF-1699
  ruby_block "reset group list" do
    block do
      Etc.endgrent
    end
    action :nothing
  end
  
  user u['id'] do
    uid u['uid']
    gid u['gid']
    shell u['shell']
    comment u['comment']
    supports :manage_home => true
    home home_dir
    notifies :run, "script[set_empty_password]", :immediately
    notifies :create, "ruby_block[reset group list]", :immediately
  end
  
  script "set_empty_password" do
    interpreter "bash"
    user "root"

    action :nothing

    code <<-EOH
    echo Running for #{u[:id]}
    # set empty password
    usermod -p "" #{u[:id]}
    # force password change on next login
    chage -d 0 #{u[:id]}
    EOH
    
    # username:!: in /etc/shadow indicates that no password has been set, yet
    #only_if do
    #  File.open("/etc/shadow", "rb").read().index(/^#{u[:id]}:!:/) != nil
    #end
  end
  
  directory "#{home_dir}/.ssh" do
    owner u['id']
    group u['gid'] || u['id']
    mode "0700"
  end

  template "#{home_dir}/.ssh/authorized_keys" do
    source "authorized_keys.erb"
    owner u['id']
    group u['gid'] || u['id']
    mode "0600"
    variables :ssh_keys => u['ssh_keys']
  end
 end

 group "sysadmin" do
  gid 2300
  members sysadmin_group
 end
	#
	# Cookbook Name:: users
	# Recipe:: sysadmins
	#
	# Copyright 2009-2011, Opscode, Inc.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#

	sysadmin_group = Array.new

	search(:users, 'groups:sysadmin') do \|u\|
	sysadmin_group << u['id']

	if node[:apache] and node[:apache][:allowed_openids]
	Array(u['openid']).compact.each do \|oid\|
	node[:apache][:allowed_openids] << oid unless node[:apache][:allowed_openids].include?(oid)
	end
	end

	home_dir = "/home/#{u['id']}"

	# fixes CHEF-1699
	ruby_block "reset group list" do
	block do
	Etc.endgrent
	end
	action :nothing
	end

	user u['id'] do
	uid u['uid']
	gid u['gid']
	shell u['shell']
	comment u['comment']
	supports :manage_home => true
	home home_dir
	notifies :run, "script[set_empty_password]", :immediately
	notifies :create, "ruby_block[reset group list]", :immediately
	end

	script "set_empty_password" do
	interpreter "bash"
	user "root"

	action :nothing

	code <<-EOH
	echo Running for #{u[:id]}
	# set empty password
	usermod -p "" #{u[:id]}
	# force password change on next login
	chage -d 0 #{u[:id]}
	EOH

	# username:!: in /etc/shadow indicates that no password has been set, yet
	#only_if do
	# File.open("/etc/shadow", "rb").read().index(/^#{u[:id]}:!:/) != nil
	#end
	end

	directory "#{home_dir}/.ssh" do
	owner u['id']
	group u['gid'] \|\| u['id']
	mode "0700"
	end

	template "#{home_dir}/.ssh/authorized_keys" do
	source "authorized_keys.erb"
	owner u['id']
	group u['gid'] \|\| u['id']
	mode "0600"
	variables :ssh_keys => u['ssh_keys']
	end
	end

	group "sysadmin" do
	gid 2300
	members sysadmin_group
	end