Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 10 година
пре 10 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 10 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
пре 11 година
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341
  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
  6. {%- if user == None -%}
  7. {%- set user = {} -%}
  8. {%- endif -%}
  9. {%- if 'sudouser' in user and user['sudouser'] %}
  10. {%- do used_sudo.append(1) %}
  11. {%- endif %}
  12. {%- if 'google_auth' in user %}
  13. {%- do used_googleauth.append(1) %}
  14. {%- endif %}
  15. {%- endfor %}
  16. {%- if used_sudo or used_googleauth %}
  17. include:
  18. {%- if used_sudo %}
  19. - users.sudo
  20. {%- endif %}
  21. {%- if used_googleauth %}
  22. - users.googleauth
  23. {%- endif %}
  24. {%- endif %}
  25. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
  26. {%- if user == None -%}
  27. {%- set user = {} -%}
  28. {%- endif -%}
  29. {%- set home = user.get('home', "/home/%s" % name) -%}
  30. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  31. {%- set user_group = user.prime_group.name -%}
  32. {%- else -%}
  33. {%- set user_group = name -%}
  34. {%- endif %}
  35. {% for group in user.get('groups', []) %}
  36. users_{{ name }}_{{ group }}_group:
  37. group:
  38. - name: {{ group }}
  39. - present
  40. {% endfor %}
  41. users_{{ name }}_user:
  42. {% if user.get('createhome', True) %}
  43. file.directory:
  44. - name: {{ home }}
  45. - user: {{ name }}
  46. - group: {{ user_group }}
  47. - mode: {{ user.get('user_dir_mode', '0750') }}
  48. - require:
  49. - user: {{ name }}
  50. - group: {{ user_group }}
  51. {%- endif %}
  52. group.present:
  53. - name: {{ user_group }}
  54. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  55. - gid: {{ user['prime_group']['gid'] }}
  56. {%- elif 'uid' in user %}
  57. - gid: {{ user['uid'] }}
  58. {%- endif %}
  59. user.present:
  60. - name: {{ name }}
  61. - home: {{ home }}
  62. - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
  63. {% if 'uid' in user -%}
  64. - uid: {{ user['uid'] }}
  65. {% endif -%}
  66. {% if 'password' in user -%}
  67. - password: '{{ user['password'] }}'
  68. {% endif -%}
  69. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  70. - gid: {{ user['prime_group']['gid'] }}
  71. {% else -%}
  72. - gid_from_name: True
  73. {% endif -%}
  74. {% if 'fullname' in user %}
  75. - fullname: {{ user['fullname'] }}
  76. {% endif -%}
  77. {% if not user.get('createhome', True) %}
  78. - createhome: False
  79. {% endif %}
  80. {% if 'expire' in user -%}
  81. - expire: {{ user['expire'] }}
  82. {% endif -%}
  83. - remove_groups: {{ user.get('remove_groups', 'False') }}
  84. - groups:
  85. - {{ user_group }}
  86. {% for group in user.get('groups', []) -%}
  87. - {{ group }}
  88. {% endfor %}
  89. - require:
  90. - group: {{ user_group }}
  91. {% for group in user.get('groups', []) -%}
  92. - group: {{ group }}
  93. {% endfor %}
  94. users_user_keydir_{{ name }}:
  95. file.directory:
  96. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  97. - user: {{ name }}
  98. - group: {{ user_group }}
  99. - makedirs: True
  100. - mode: 700
  101. - require:
  102. - user: {{ name }}
  103. - group: {{ user_group }}
  104. {%- for group in user.get('groups', []) %}
  105. - group: {{ group }}
  106. {%- endfor %}
  107. {% if 'ssh_keys' in user %}
  108. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  109. users_user_{{ name }}_private_key:
  110. file.managed:
  111. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  112. - user: {{ name }}
  113. - group: {{ user_group }}
  114. - mode: 600
  115. - show_diff: False
  116. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  117. - require:
  118. - user: users_{{ name }}_user
  119. {% for group in user.get('groups', []) %}
  120. - group: users_{{ name }}_{{ group }}_group
  121. {% endfor %}
  122. users_user_{{ name }}_public_key:
  123. file.managed:
  124. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  125. - user: {{ name }}
  126. - group: {{ user_group }}
  127. - mode: 644
  128. - show_diff: False
  129. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  130. - require:
  131. - user: users_{{ name }}_user
  132. {% for group in user.get('groups', []) %}
  133. - group: users_{{ name }}_{{ group }}_group
  134. {% endfor %}
  135. {% endif %}
  136. {% if 'ssh_auth_file' in user %}
  137. users_authorized_keys_{{ name }}:
  138. file.managed:
  139. - name: {{ home }}/.ssh/authorized_keys
  140. - user: {{ name }}
  141. - group: {{ name }}
  142. - mode: 600
  143. - contents: |
  144. {% for auth in user.ssh_auth_file -%}
  145. {{ auth }}
  146. {% endfor -%}
  147. {% endif %}
  148. {% if 'ssh_auth' in user %}
  149. {% for auth in user['ssh_auth'] %}
  150. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  151. ssh_auth.present:
  152. - user: {{ name }}
  153. - name: {{ auth }}
  154. - require:
  155. - file: users_{{ name }}_user
  156. - user: users_{{ name }}_user
  157. {% endfor %}
  158. {% endif %}
  159. {% if 'ssh_keys_pillar' in user %}
  160. {% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems() %}
  161. users_ssh_keys_files_{{ name }}_{{ key_name }}_pub:
  162. file.managed:
  163. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
  164. }}.pub
  165. - contents: |
  166. {{ pillar[pillar_name][key_name]['pubkey'] }}
  167. users_ssh_keys_files_{{ name }}_{{ key_name }}_priv:
  168. file.managed:
  169. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
  170. }}
  171. - contents: |
  172. {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}
  173. {% endfor %}
  174. {% endif %}
  175. {% if 'ssh_auth_sources' in user %}
  176. {% for pubkey_file in user['ssh_auth_sources'] %}
  177. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  178. ssh_auth.present:
  179. - user: {{ name }}
  180. - source: {{ pubkey_file }}
  181. - require:
  182. - file: users_{{ name }}_user
  183. - user: users_{{ name }}_user
  184. {% endfor %}
  185. {% endif %}
  186. {% if 'ssh_auth.absent' in user %}
  187. {% for auth in user['ssh_auth.absent'] %}
  188. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  189. ssh_auth.absent:
  190. - user: {{ name }}
  191. - name: {{ auth }}
  192. - require:
  193. - file: users_{{ name }}_user
  194. - user: users_{{ name }}_user
  195. {% endfor %}
  196. {% endif %}
  197. {% if 'ssh_config' in user %}
  198. users_ssh_config_{{ name }}:
  199. file.managed:
  200. - name: {{ home }}/.ssh/config
  201. - user: {{ name }}
  202. - group: {{ user_group }}
  203. - mode: 640
  204. - contents: |
  205. # Managed by Saltstack
  206. {% for label, setting in user.ssh_config.items() %}
  207. # {{ label }}
  208. Host {{ setting.get('hostname') }}
  209. {%- for opts in setting.get('options') %}
  210. {{ opts }}
  211. {%- endfor %}
  212. {% endfor -%}
  213. {% endif %}
  214. {% if 'sudouser' in user and user['sudouser'] %}
  215. users_sudoer-{{ name }}:
  216. file.managed:
  217. - name: {{ users.sudoers_dir }}/{{ name }}
  218. - user: root
  219. - group: {{ users.root_group }}
  220. - mode: '0440'
  221. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  222. {% if 'sudo_rules' in user %}
  223. {% for rule in user['sudo_rules'] %}
  224. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  225. cmd.run:
  226. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  227. - stateful: True
  228. - shell: {{ users.visudo_shell }}
  229. - env:
  230. # Specify the rule via an env var to avoid shell quoting issues.
  231. - rule: "{{ name }} {{ rule }}"
  232. - require_in:
  233. - file: users_{{ users.sudoers_dir }}/{{ name }}
  234. {% endfor %}
  235. {% endif %}
  236. {% if 'sudo_defaults' in user %}
  237. {% for entry in user['sudo_defaults'] %}
  238. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  239. cmd.run:
  240. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  241. - stateful: True
  242. - shell: {{ users.visudo_shell }}
  243. - env:
  244. # Specify the rule via an env var to avoid shell quoting issues.
  245. - rule: "Defaults:{{ name }} {{ entry }}"
  246. - require_in:
  247. - file: users_{{ users.sudoers_dir }}/{{ name }}
  248. {% endfor %}
  249. {% endif %}
  250. users_{{ users.sudoers_dir }}/{{ name }}:
  251. file.managed:
  252. - name: {{ users.sudoers_dir }}/{{ name }}
  253. - contents: |
  254. {%- if 'sudo_defaults' in user %}
  255. {%- for entry in user['sudo_defaults'] %}
  256. Defaults:{{ name }} {{ entry }}
  257. {%- endfor %}
  258. {%- endif %}
  259. {%- if 'sudo_rules' in user %}
  260. {%- for rule in user['sudo_rules'] %}
  261. {{ name }} {{ rule }}
  262. {%- endfor %}
  263. {%- endif %}
  264. - require:
  265. - file: users_sudoer-defaults
  266. - file: users_sudoer-{{ name }}
  267. {% endif %}
  268. {% else %}
  269. users_{{ users.sudoers_dir }}/{{ name }}:
  270. file.absent:
  271. - name: {{ users.sudoers_dir }}/{{ name }}
  272. {% endif %}
  273. {%- if 'google_auth' in user %}
  274. {%- for svc in user['google_auth'] %}
  275. users_googleauth-{{ svc }}-{{ name }}:
  276. file.managed:
  277. - replace: false
  278. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  279. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  280. - user: root
  281. - group: {{ users.root_group }}
  282. - mode: 600
  283. - require:
  284. - pkg: users_googleauth-package
  285. {%- endfor %}
  286. {%- endif %}
  287. {% endfor %}
  288. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}
  289. users_absent_user_{{ name }}:
  290. {% if 'purge' in user or 'force' in user %}
  291. user.absent:
  292. - name: {{ name }}
  293. {% if 'purge' in user %}
  294. - purge: {{ user['purge'] }}
  295. {% endif %}
  296. {% if 'force' in user %}
  297. - force: {{ user['force'] }}
  298. {% endif %}
  299. {% else %}
  300. user.absent:
  301. - name: {{ name }}
  302. {% endif -%}
  303. users_{{ users.sudoers_dir }}/{{ name }}:
  304. file.absent:
  305. - name: {{ users.sudoers_dir }}/{{ name }}
  306. {% endfor %}
  307. {% for user in pillar.get('absent_users', []) %}
  308. users_absent_user_2_{{ user }}:
  309. user.absent
  310. users_2_{{ users.sudoers_dir }}/{{ user }}:
  311. file.absent:
  312. - name: {{ users.sudoers_dir }}/{{ user }}
  313. {% endfor %}
  314. {% for group in pillar.get('absent_groups', []) %}
  315. users_absent_group_{{ group }}:
  316. group.absent:
  317. - name: {{ group }}
  318. {% endfor %}