- # -*- coding: utf-8 -*-
- # vim: ft=yaml
- ---
- users-formula:
- use_vim_formula: True
- lookup: # override the defauls in map.jinja
- root_group: root
-
- # group initialization
- groups:
- foo:
- state: present
- gid: 1500
- system: False
- badguys:
- absent: True
- niceguys:
- gid: 4242
- system: False
- addusers: root
- delusers: toor
- ssl-cert:
- system: True
- members:
- - www-data
- - openldap
-
- users:
- ## Minimal required pillar values
- auser:
- fullname: A User
-
- ## Full list of pillar values
- buser:
- fullname: B User
- password: $6$w.............
- enforce_password: True
- # WARNING: If 'empty_password' is set to True, the 'password' statement
- # will be ignored by enabling password-less login for the user.
- empty_password: False
- hash_password: False
- system: False
- home: /custom/buser
- homedir_owner: buser
- homedir_group: primarygroup
- user_dir_mode: 750
- createhome: True
- roomnumber: "A-1"
- workphone: "(555) 555-5555"
- homephone: "(555) 555-5551"
- manage_vimrc: False
- allow_gid_change: False
- manage_bashrc: False
- manage_profile: False
- expire: 16426
- # Disables user management except sudo rules.
- # Useful for setting sudo rules for system accounts created by package instalation
- sudoonly: False
- sudouser: True
- # sudo_rules doesn't need the username as a prefix for the rule
- # this is added automatically by the formula.
- # ----------------------------------------------------------------------
- # In case your sudo_rules have a colon please have in mind to not leave
- # spaces around it. For example:
- # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
- # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
- sudo_rules:
- - ALL=(root) /usr/bin/find
- - ALL=(otheruser) /usr/bin/script.sh
- sudo_defaults:
- - '!requiretty'
- # enable polkitadmin to make user an AdminIdentity for polkit
- polkitadmin: True
- shell: /bin/bash
- remove_groups: False
- prime_group:
- name: primarygroup
- gid: 1501
- groups:
- - users
- optional_groups:
- - some_groups_that_might
- - not_exist_on_all_minions
- ssh_key_type: rsa
- # You can inline the private keys ...
- ssh_keys:
- privkey: PRIVATEKEY
- pubkey: PUBLICKEY
- # or you can provide path to key on Salt fileserver
- privkey: salt://path_to_PRIVATEKEY
- pubkey: salt://path_to_PUBLICKEY
- # you can provide multiple keys, the keyname is taken as filename
- # make sure your public keys suffix is .pub
- foobar: PRIVATEKEY
- foobar.pub: PUBLICKEY
- # ... or you can pull them from a different pillar,
- # for example one called "ssh_keys":
- ssh_keys_pillar:
- id_rsa: "ssh_keys"
- another_key_pair: "ssh_keys"
- ssh_auth:
- - PUBLICKEY
- ssh_auth.absent:
- - PUBLICKEY_TO_BE_REMOVED
- # Generates an authorized_keys file for the user
- # with the given keys
- ssh_auth_file:
- - PUBLICKEY
- # ... or you can pull them from a different pillar similar to ssh_keys_pillar
- ssh_auth_pillar:
- id_rsa: "ssh_keys"
- # If you prefer to keep public keys as files rather
- # than inline in pillar, this works.
- ssh_auth_sources:
- - salt://keys/buser.id_rsa.pub
- ssh_auth_sources.absent:
- - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
- # Manage the ~/.ssh/config file
- ssh_known_hosts:
- importanthost:
- port: 22
- fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
- key: PUBLICKEY
- enc: ssh-rsa
- hash_known_hosts: True
- timeout: 5
- fingerprint_hash_type: sha256
- ssh_known_hosts.absent:
- - notimportanthost
- ssh_config:
- all:
- hostname: "*"
- options:
- - "StrictHostKeyChecking no"
- - "UserKnownHostsFile=/dev/null"
- importanthost:
- hostname: "needcheck.example.com"
- options:
- - "StrictHostKeyChecking yes"
-
- # Using gitconfig without Git installed will result in an error
- # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
- # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
- gitconfig:
- user.name: B User
- user.email: buser@example.com
- "url.https://.insteadOf": "git://"
-
- gitconfig.absent:
- - push.default
- - color\..+
-
- google_2fa: True
- google_auth:
- sshd: |
- SOMEGAUTHHASHVAL
- " RESETTING_TIME_SKEW 46956472+2 46991595-2
- " RATE_LIMIT 3 30 1415800560
- " DISALLOW_REUSE 47193352
- " TOTP_AUTH
- 11111111
- 22222222
- 33333333
- 44444444
- 55555555
- # unique: True allows user to have non unique uid
- unique: False
- uid: 1001
-
- user_files:
- enabled: True
- # 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
- # should be a salt fileserver path either with or without 'salt://'
- # if not present, it defaults to 'salt://users/files/user/<username>
- source: users/files
- # template: jinja
- # You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
- # it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
- # execution bit for example.
- file_mode: keep
- # You can specify octal mode for directories as well. This won't work on Windows minions
- # dir_mode: 775
- sym_mode: 640
- exclude_pat: "*.gitignore"
-
- ## Absent user
- cuser:
- absent: True
- purge: True
- force: True
-
-
- ## Old syntax of absent_users still supported
- absent_users:
- - donald
- - bad_guy
|