ExternalMirrors
/
users-formula
mirror of https://github.com/saltstack-formulas/users-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 13 Wiki Activity
Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
114 Commits
3 Branches
Tree: 3fc2a2bac9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3fc2a2bac9'
${ noResults }
users-formula/users/init.sls

init.sls 9.2KB
Raw Normal View History

Add support FreeBSD using map.jinja (Tested on Freebsd10)
10 years ago
google auth package and config installation
10 years ago
Initial commit
11 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Clean up logic check to remove redundant check.
10 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
added option to specify user home directory mode
10 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
If createhome is set to false, don't touch the home directory or its permissions.
10 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
Change default shell to /bin/csh on FreeBSD This also made it necessary to introduce an additional entry 'shell' into the users lookup table as the formula previously conflated the shell used for running the visudo command and the default shell to be used for user accounts. Fixes: #48
10 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Add Password capabilities
10 years ago
Allow '!' prefix in password for locked\disabled accounts. Signed-off-by: Tim Jones <me@prototim.com>
10 years ago
Add Password capabilities
10 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Add 'createhome' option for 'user.present' state
10 years ago
Add support for setting user expire
10 years ago
Sorry for the spam, simplify this remove_groups rule a bit
10 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
Change .ssh permissions to 700
11 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
Modified Private Keys and Sudoers Changed Private keys to have content within pillar rather than the salt file repository. Changes sudoers entry to get values from pillar rather than assuming all sudo users want root.
11 years ago
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
11 years ago
Initial commit
11 years ago
possibility to define alternate user`s prime group
11 years ago
Initial commit
11 years ago
Do not echo Public/Private keys to stdout when running the state
10 years ago
Changed 'contents' to 'contents_pillar' to correctly parse newlines for private/public SSH keys.
11 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
11 years ago
Initial commit
11 years ago
change pub key to use user_group if you set an alternate prime_group this would break, replaced {{ name }} with {{ user_group }}
11 years ago
Initial commit
11 years ago
Do not echo Public/Private keys to stdout when running the state
10 years ago
Fix pubkey privkey typo Fixes #22
10 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Move ssh_auth_file key processing to before ssh_auth key to extend instead of overwrite functionality.
9 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Move ssh_auth_file key processing to before ssh_auth key to extend instead of overwrite functionality.
9 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Move ssh_auth_file key processing to before ssh_auth key to extend instead of overwrite functionality.
9 years ago
Initial commit
11 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add pulling keys from other pillar. Example pillar: ssh_keys: id_rsa: privkey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+ GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI -----END RSA PRIVATE KEY----- pubkey: | ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H....
9 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Add pulling keys from other pillar. Example pillar: ssh_keys: id_rsa: privkey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+ GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI -----END RSA PRIVATE KEY----- pubkey: | ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H....
9 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Add pulling keys from other pillar. Example pillar: ssh_keys: id_rsa: privkey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+ GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI -----END RSA PRIVATE KEY----- pubkey: | ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H....
9 years ago
Added option to source ssh public keys from files.
9 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Added option to source ssh public keys from files.
9 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Added option to source ssh public keys from files.
9 years ago
added option to remove ssh public keys from auth (ssh_auth.absent)
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
added option to remove ssh public keys from auth (ssh_auth.absent)
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
added option to remove ssh public keys from auth (ssh_auth.absent)
10 years ago
Initial commit
11 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
Only include users.sudo when a user with sudouser is declared.
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
Remove trailing slash from sudoers_dir
10 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
Add pulling keys from other pillar. Example pillar: ssh_keys: id_rsa: privkey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+ GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI -----END RSA PRIVATE KEY----- pubkey: | ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H....
9 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
possibility to define user-specific Defaults
9 years ago
Check for sudo_rules before text.append state. Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.
11 years ago
Validate user sudo rules before applying them
10 years ago
modified visudo to only report change in salt when there is an error.
10 years ago
Add pulling keys from other pillar. Example pillar: ssh_keys: id_rsa: privkey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+ GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI -----END RSA PRIVATE KEY----- pubkey: | ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H....
9 years ago
Validate user sudo rules before applying them
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Validate user sudo rules before applying them
10 years ago
possibility to define user-specific Defaults
9 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
possibility to define user-specific Defaults
9 years ago
Validate user sudo rules before applying them
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Overwrite a sudoer file rather than append to fix #21
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Overwrite a sudoer file rather than append to fix #21
10 years ago
possibility to define user-specific Defaults
9 years ago
Overwrite a sudoer file rather than append to fix #21
10 years ago
possibility to define user-specific Defaults
9 years ago
Check for sudo_rules before text.append state. Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Check for sudo_rules before text.append state. Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.
11 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
Remove trailing slash from sudoers_dir
10 years ago
Initial commit
11 years ago
google auth package and config installation
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
google auth package and config installation
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
google auth package and config installation
10 years ago
Initial commit
11 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
Remove trailing slash from sudoers_dir
10 years ago
New format of user.absent support introduced. Old format still supported.
10 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Initial commit
11 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
11 years ago
Remove trailing slash from sudoers_dir
10 years ago
Initial commit
11 years ago
Add absent_groups pillar to remove groups.
10 years ago
Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user).
9 years ago
Add absent_groups pillar to remove groups.
10 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323 
  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. 

  6. {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  7. {%- if user == None -%}

  8. {%- set user = {} -%}

  9. {%- endif -%}

  10. {%- if 'sudouser' in user and user['sudouser'] %}

  11. {%- do used_sudo.append(1) %}

  12. {%- endif %}

  13. {%- if 'google_auth' in user %}

  14. {%- do used_googleauth.append(1) %}

  15. {%- endif %}

  16. {%- endfor %}

  17. 

  18. {%- if used_sudo or used_googleauth %}

  19. include:

  20. {%- if used_sudo %}

  21.   - users.sudo

  22. {%- endif %}

  23. {%- if used_googleauth %}

  24.   - users.googleauth

  25. {%- endif %}

  26. {%- endif %}

  27. 

  28. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  29. {%- if user == None -%}

  30. {%- set user = {} -%}

  31. {%- endif -%}

  32. {%- set home = user.get('home', "/home/%s" % name) -%}

  33. 

  34. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  35. {%- set user_group = user.prime_group.name -%}

  36. {%- else -%}

  37. {%- set user_group = name -%}

  38. {%- endif %}

  39. 

  40. {% for group in user.get('groups', []) %}

  41. users_{{ name }}_{{ group }}_group:

  42.   group:

  43.     - name: {{ group }}

  44.     - present

  45. {% endfor %}

  46. 

  47. users_{{ name }}_user:

  48.   {% if user.get('createhome', True) %}

  49.   file.directory:

  50.     - name: {{ home }}

  51.     - user: {{ name }}

  52.     - group: {{ user_group }}

  53.     - mode: {{ user.get('user_dir_mode', '0750') }}

  54.     - require:

  55.       - user: {{ name }}

  56.       - group: {{ user_group }}

  57.   {%- endif %}

  58.   group.present:

  59.     - name: {{ user_group }}

  60.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  61.     - gid: {{ user['prime_group']['gid'] }}

  62.     {%- elif 'uid' in user %}

  63.     - gid: {{ user['uid'] }}

  64.     {%- endif %}

  65.   user.present:

  66.     - name: {{ name }}

  67.     - home: {{ home }}

  68.     - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}

  69.     {% if 'uid' in user -%}

  70.     - uid: {{ user['uid'] }}

  71.     {% endif -%}

  72.     {% if 'password' in user -%}

  73.     - password: '{{ user['password'] }}'

  74.     {% endif -%}

  75.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  76.     - gid: {{ user['prime_group']['gid'] }}

  77.     {% else -%}

  78.     - gid_from_name: True

  79.     {% endif -%}

  80.     {% if 'fullname' in user %}

  81.     - fullname: {{ user['fullname'] }}

  82.     {% endif -%}

  83.     {% if not user.get('createhome', True) %}

  84.     - createhome: False

  85.     {% endif %}

  86.     {% if 'expire' in user -%}

  87.     - expire: {{ user['expire'] }}

  88.     {% endif -%}

  89.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  90.     - groups:

  91.       - {{ user_group }}

  92.       {% for group in user.get('groups', []) -%}

  93.       - {{ group }}

  94.       {% endfor %}

  95.     - require:

  96.       - group: {{ user_group }}

  97.       {% for group in user.get('groups', []) -%}

  98.       - group: {{ group }}

  99.       {% endfor %}

  100. 

  101. users_user_keydir_{{ name }}:

  102.   file.directory:

  103.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  104.     - user: {{ name }}

  105.     - group: {{ user_group }}

  106.     - makedirs: True

  107.     - mode: 700

  108.     - require:

  109.       - user: {{ name }}

  110.       - group: {{ user_group }}

  111.       {%- for group in user.get('groups', []) %}

  112.       - group: {{ group }}

  113.       {%- endfor %}

  114. 

  115.   {% if 'ssh_keys' in user %}

  116.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  117. users_user_{{ name }}_private_key:

  118.   file.managed:

  119.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  120.     - user: {{ name }}

  121.     - group: {{ user_group }}

  122.     - mode: 600

  123.     - show_diff: False

  124.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  125.     - require:

  126.       - user: users_{{ name }}_user

  127.       {% for group in user.get('groups', []) %}

  128.       - group: users_{{ name }}_{{ group }}_group

  129.       {% endfor %}

  130. users_user_{{ name }}_public_key:

  131.   file.managed:

  132.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  133.     - user: {{ name }}

  134.     - group: {{ user_group }}

  135.     - mode: 644

  136.     - show_diff: False

  137.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  138.     - require:

  139.       - user: users_{{ name }}_user

  140.       {% for group in user.get('groups', []) %}

  141.       - group: users_{{ name }}_{{ group }}_group

  142.       {% endfor %}

  143.   {% endif %}

  144. 

  145. {% if 'ssh_auth_file' in user %}

  146. users_authorized_keys_{{ name }}:

  147.   file.managed:

  148.     - name: {{ home }}/.ssh/authorized_keys

  149.     - user: {{ name }}

  150.     - group: {{ name }}

  151.     - mode: 600

  152.     - contents: |

  153.         {% for auth in user.ssh_auth_file -%}

  154.         {{ auth }}

  155.         {% endfor -%}

  156. {% endif %}

  157. 

  158. {% if 'ssh_auth' in user %}

  159. {% for auth in user['ssh_auth'] %}

  160. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  161.   ssh_auth.present:

  162.     - user: {{ name }}

  163.     - name: {{ auth }}

  164.     - require:

  165.         - file: users_{{ name }}_user

  166.         - user: users_{{ name }}_user

  167. {% endfor %}

  168. {% endif %}

  169. 

  170. {% if 'ssh_keys_pillar' in user %}

  171. {% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems()  %}

  172. users_ssh_keys_files_{{ name }}_{{ key_name }}_pub:

  173.   file.managed:

  174.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name

  175.     }}.pub

  176.     - contents: |

  177.         {{ pillar[pillar_name][key_name]['pubkey'] }}

  178. users_ssh_keys_files_{{ name }}_{{ key_name }}_priv:

  179.   file.managed:

  180.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name

  181.     }}

  182.     - contents: |

  183.         {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}

  184. {% endfor %}

  185. {% endif %}

  186. 

  187. {% if 'ssh_auth_sources' in user %}

  188. {% for pubkey_file in user['ssh_auth_sources'] %}

  189. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  190.   ssh_auth.present:

  191.     - user: {{ name }}

  192.     - source: {{ pubkey_file }}

  193.     - require:

  194.         - file: users_{{ name }}_user

  195.         - user: users_{{ name }}_user

  196. {% endfor %}

  197. {% endif %}

  198. 

  199. {% if 'ssh_auth.absent' in user %}

  200. {% for auth in user['ssh_auth.absent'] %}

  201. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  202.   ssh_auth.absent:

  203.     - user: {{ name }}

  204.     - name: {{ auth }}

  205.     - require:

  206.         - file: users_{{ name }}_user

  207.         - user: users_{{ name }}_user

  208. {% endfor %}

  209. {% endif %}

  210. 

  211. {% if 'sudouser' in user and user['sudouser'] %}

  212. 

  213. users_sudoer-{{ name }}:

  214.   file.managed:

  215.     - name: {{ users.sudoers_dir }}/{{ name }}

  216.     - user: root

  217.     - group: {{ users.root_group }}

  218.     - mode: '0440'

  219. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  220. {% if 'sudo_rules' in user %}

  221. {% for rule in user['sudo_rules'] %}

  222. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  223.   cmd.run:

  224.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  225.     - stateful: True

  226.     - shell: {{ users.visudo_shell }}

  227.     - env:

  228.       # Specify the rule via an env var to avoid shell quoting issues.

  229.       - rule: "{{ name }} {{ rule }}"

  230.     - require_in:

  231.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  232. {% endfor %}

  233. {% endif %}

  234. {% if 'sudo_defaults' in user %}

  235. {% for entry in user['sudo_defaults'] %}

  236. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  237.   cmd.run:

  238.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  239.     - stateful: True

  240.     - shell: {{ users.visudo_shell }}

  241.     - env:

  242.       # Specify the rule via an env var to avoid shell quoting issues.

  243.       - rule: "Defaults:{{ name }} {{ entry }}"

  244.     - require_in:

  245.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  246. {% endfor %}

  247. {% endif %}

  248. 

  249. users_{{ users.sudoers_dir }}/{{ name }}:

  250.   file.managed:

  251.     - name: {{ users.sudoers_dir }}/{{ name }}

  252.     - contents: |

  253.       {%- if 'sudo_defaults' in user %}

  254.       {%- for entry in user['sudo_defaults'] %}

  255.         Defaults:{{ name }} {{ entry }}

  256.       {%- endfor %}

  257.       {%- endif %}

  258.       {%- if 'sudo_rules' in user %}

  259.       {%- for rule in user['sudo_rules'] %}

  260.         {{ name }} {{ rule }}

  261.       {%- endfor %}

  262.       {%- endif %}

  263.     - require:

  264.       - file: users_sudoer-defaults

  265.       - file: users_sudoer-{{ name }}

  266. {% endif %}

  267. {% else %}

  268. users_{{ users.sudoers_dir }}/{{ name }}:

  269.   file.absent:

  270.     - name: {{ users.sudoers_dir }}/{{ name }}

  271. {% endif %}

  272. 

  273. {%- if 'google_auth' in user %}

  274. {%- for svc in user['google_auth'] %}

  275. users_googleauth-{{ svc }}-{{ name }}:

  276.   file.managed:

  277.     - replace: false

  278.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  279.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  280.     - user: root

  281.     - group: {{ users.root_group }}

  282.     - mode: 600

  283.     - require:

  284.       - pkg: users_googleauth-package

  285. {%- endfor %}

  286. {%- endif %}

  287. 

  288. {% endfor %}

  289. 

  290. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

  291. users_absent_user_{{ name }}:

  292. {% if 'purge' in user or 'force' in user %}

  293.   user.absent:

  294.     - name: {{ name }}

  295.     {% if 'purge' in user %}

  296.     - purge: {{ user['purge'] }}

  297.     {% endif %}

  298.     {% if 'force' in user %}

  299.     - force: {{ user['force'] }}

  300.     {% endif %}

  301. {% else %}

  302.   user.absent:

  303.     - name: {{ name }}

  304. {% endif -%}

  305. users_{{ users.sudoers_dir }}/{{ name }}:

  306.   file.absent:

  307.     - name: {{ users.sudoers_dir }}/{{ name }}

  308. {% endfor %}

  309. 

  310. {% for user in pillar.get('absent_users', []) %}

  311. users_absent_user_2_{{ user }}:

  312.   user.absent

  313. users_2_{{ users.sudoers_dir }}/{{ user }}:

  314.   file.absent:

  315.     - name: {{ users.sudoers_dir }}/{{ user }}

  316. {% endfor %}

  317. 

  318. {% for group in pillar.get('absent_groups', []) %}

  319. users_absent_group_{{ group }}:

  320.   group.absent:

  321.     - name: {{ group }}

  322. {% endfor %}

  323.