Saltstack Official Users Formula
  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = False %}
  4. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
  5. {%- if user == None -%}
  6. {%- set user = {} -%}
  7. {%- endif -%}
  8. {%- set home = user.get('home', "/home/%s" % name) -%}
  9. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  10. {%- set user_group = user.prime_group.name -%}
  11. {%- else -%}
  12. {%- set user_group = name -%}
  13. {%- endif %}
  14. {% for group in user.get('groups', []) %}
  15. {{ name }}_{{ group }}_group:
  16. group:
  17. - name: {{ group }}
  18. - present
  19. {% endfor %}
  20. {{ name }}_user:
  21. file.directory:
  22. - name: {{ home }}
  23. - user: {{ name }}
  24. - group: {{ user_group }}
  25. - mode: {{ user.get('user_dir_mode', '0750') }}
  26. - require:
  27. - user: {{ name }}
  28. - group: {{ user_group }}
  29. group.present:
  30. - name: {{ user_group }}
  31. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  32. - gid: {{ user['prime_group']['gid'] }}
  33. {%- elif 'uid' in user %}
  34. - gid: {{ user['uid'] }}
  35. {%- endif %}
  36. user.present:
  37. - name: {{ name }}
  38. - home: {{ home }}
  39. - shell: {{ users.get('visudo_shell', '/bin/bash') }}
  40. {% if 'uid' in user -%}
  41. - uid: {{ user['uid'] }}
  42. {% endif -%}
  43. {% if 'password' in user -%}
  44. - password: {{ user['password'] }}
  45. {% endif -%}
  46. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  47. - gid: {{ user['prime_group']['gid'] }}
  48. {% else -%}
  49. - gid_from_name: True
  50. {% endif -%}
  51. {% if 'fullname' in user %}
  52. - fullname: {{ user['fullname'] }}
  53. {% endif -%}
  54. - groups:
  55. - {{ user_group }}
  56. {% for group in user.get('groups', []) -%}
  57. - {{ group }}
  58. {% endfor %}
  59. - require:
  60. - group: {{ user_group }}
  61. {% for group in user.get('groups', []) -%}
  62. - group: {{ group }}
  63. {% endfor %}
  64. user_keydir_{{ name }}:
  65. file.directory:
  66. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  67. - user: {{ name }}
  68. - group: {{ user_group }}
  69. - makedirs: True
  70. - mode: 700
  71. - require:
  72. - user: {{ name }}
  73. - group: {{ user_group }}
  74. {%- for group in user.get('groups', []) %}
  75. - group: {{ group }}
  76. {%- endfor %}
  77. {% if 'ssh_keys' in user %}
  78. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  79. user_{{ name }}_private_key:
  80. file.managed:
  81. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  82. - user: {{ name }}
  83. - group: {{ user_group }}
  84. - mode: 600
  85. - show_diff: False
  86. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  87. - require:
  88. - user: {{ name }}_user
  89. {% for group in user.get('groups', []) %}
  90. - group: {{ name }}_{{ group }}_group
  91. {% endfor %}
  92. user_{{ name }}_public_key:
  93. file.managed:
  94. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  95. - user: {{ name }}
  96. - group: {{ user_group }}
  97. - mode: 644
  98. - show_diff: False
  99. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  100. - require:
  101. - user: {{ name }}_user
  102. {% for group in user.get('groups', []) %}
  103. - group: {{ name }}_{{ group }}_group
  104. {% endfor %}
  105. {% endif %}
  106. {% if 'ssh_auth' in user %}
  107. {% for auth in user['ssh_auth'] %}
  108. ssh_auth_{{ name }}_{{ loop.index0 }}:
  109. ssh_auth.present:
  110. - user: {{ name }}
  111. - name: {{ auth }}
  112. - require:
  113. - file: {{ name }}_user
  114. - user: {{ name }}_user
  115. {% endfor %}
  116. {% endif %}
  117. {% if 'ssh_auth.absent' in user %}
  118. {% for auth in user['ssh_auth.absent'] %}
  119. ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  120. ssh_auth.absent:
  121. - user: {{ name }}
  122. - name: {{ auth }}
  123. - require:
  124. - file: {{ name }}_user
  125. - user: {{ name }}_user
  126. {% endfor %}
  127. {% endif %}
  128. {% if 'sudouser' in user and user['sudouser'] %}
  129. {% if not used_sudo %}
  130. {% set used_sudo = True %}
  131. include:
  132. - users.sudo
  133. {% endif %}
  134. sudoer-{{ name }}:
  135. file.managed:
  136. - name: {{ users.sudoers_dir }}{{ name }}
  137. - user: root
  138. - group: {{ users.root_group }}
  139. - mode: '0440'
  140. {% if 'sudo_rules' in user %}
  141. {% for rule in user['sudo_rules'] %}
  142. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  143. cmd.run:
  144. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  145. - stateful: True
  146. - shell: {{ users.visudo_shell }}
  147. - env:
  148. # Specify the rule via an env var to avoid shell quoting issues.
  149. - rule: "{{ name }} {{ rule }}"
  150. - require_in:
  151. - file: {{ users.sudoers_dir }}{{ name }}
  152. {% endfor %}
  153. {{ users.sudoers_dir }}{{ name }}:
  154. file.managed:
  155. - contents: |
  156. {%- for rule in user['sudo_rules'] %}
  157. {{ name }} {{ rule }}
  158. {%- endfor %}
  159. - require:
  160. - file: sudoer-defaults
  161. - file: sudoer-{{ name }}
  162. {% endif %}
  163. {% else %}
  164. {{ users.sudoers_dir }}{{ name }}:
  165. file.absent:
  166. - name: {{ users.sudoers_dir }}{{ name }}
  167. {% endif %}
  168. {% endfor %}
  169. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}
  170. {{ name }}:
  171. {% if 'purge' in user or 'force' in user %}
  172. user.absent:
  173. {% if 'purge' in user %}
  174. - purge: {{ user['purge'] }}
  175. {% endif %}
  176. {% if 'force' in user %}
  177. - force: {{ user['force'] }}
  178. {% endif %}
  179. {% else %}
  180. user.absent
  181. {% endif -%}
  182. {{ users.sudoers_dir }}{{ name }}:
  183. file.absent:
  184. - name: {{ users.sudoers_dir }}{{ name }}
  185. {% endfor %}
  186. {% for user in pillar.get('absent_users', []) %}
  187. {{ user }}:
  188. user.absent
  189. {{ users.sudoers_dir }}{{ user }}:
  190. file.absent:
  191. - name: {{ users.sudoers_dir }}{{ user }}
  192. {% endfor %}
  193. {% for group in pillar.get('absent_groups', []) %}
  194. {{ group }}:
  195. group.absent
  196. {% endfor %}