This took a little doing, and most of what I found on the Internet was very slightly off. Here’s what I came up with (and what works on RHEL 6):
augeas {
"Add MD5 password to Grub":
context => "/files/boot/grub/menu.lst",
changes => [
"ins password after timeout",
"clear password/md5",
"set password \$1\$KeSTX0\$giM/W8SGhE4tbBTSiaguu.",
],
onlyif => "match password size == 0";
}
The password here, by the way, is ‘password’ encrypted with the tool grub-md5-crypt. Special characters like $ must be escaped with backslashes. On my computer, /boot/grub/menu.lst is a symlink to /boot/grub/grub.conf (so is /etc/grub.conf). Different versions of puppet and augeas look for the grub configuration file in different places. It all depends on how the lens is configured. On EFI systems, the file /boot/grub/grub.conf may not exist. In that case, for context, try using /files/etc/grub.conf, which should always point to the right location.
Update: The usual way to set a grub password is actually with SHA-512. Here’s how you’d use Augeas to set a normal SHA-512 password (generate one with grub-crypt, not grub-md5-crypt):
augeas {
"Add SHA-512 password to Grub":
context => "/files/boot/grub/menu.lst",
changes => [
"ins password after timeout",
"clear password/encrypted",
"set password \$6\$uWBUVE443zRnRHyY\$/NuljJoao/DnN/KVCQRyQPWJdt2kgRIuKlp8K4QuAuuoUIyUnBmsTPCeT8oWm1jvhBIuPwW5o18F.KpfyClB1.",
],
onlyif => "match password size == 0";
}