Saltstack Official Users Formula

  1. users-formula:
  2. use_vim_formula: True
  3. lookup: # override the defauls in map.jinja
  4. root_group: root
  5. users:
  6. ## Minimal required pillar values
  7. auser:
  8. fullname: A User
  9. ## Full list of pillar values
  10. allow_gid_change: False
  11. buser:
  12. fullname: B User
  13. password: $6$w.............
  14. enforce_password: True
  15. # WARNING: If 'empty_password' is set to True, the 'password' statement
  16. # will be ignored by enabling password-less login for the user.
  17. empty_password: False
  18. hash_password: False
  19. system: False
  20. home: /custom/buser
  21. homedir_owner: buser
  22. homedir_group: primarygroup
  23. user_dir_mode: 750
  24. createhome: True
  25. roomnumber: "A-1"
  26. workphone: "(555) 555-5555"
  27. homephone: "(555) 555-5551"
  28. manage_vimrc: False
  29. allow_gid_change: True
  30. manage_bashrc: False
  31. manage_profile: False
  32. expire: 16426
  33. # Disables user management except sudo rules.
  34. # Useful for setting sudo rules for system accounts created by package instalation
  35. sudoonly: False
  36. sudouser: True
  37. # sudo_rules doesn't need the username as a prefix for the rule
  38. # this is added automatically by the formula.
  39. # ----------------------------------------------------------------------
  40. # In case your sudo_rules have a colon please have in mind to not leave
  41. # spaces around it. For example:
  42. # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
  43. # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
  44. sudo_rules:
  45. - ALL=(root) /usr/bin/find
  46. - ALL=(otheruser) /usr/bin/script.sh
  47. sudo_defaults:
  48. - '!requiretty'
  49. shell: /bin/bash
  50. remove_groups: False
  51. prime_group:
  52. name: primarygroup
  53. gid: 500
  54. groups:
  55. - users
  56. optional_groups:
  57. - some_groups_that_might
  58. - not_exist_on_all_minions
  59. ssh_key_type: rsa
  60. # You can inline the private keys ...
  61. ssh_keys:
  62. privkey: PRIVATEKEY
  63. pubkey: PUBLICKEY
  64. # or you can provide path to key on Salt fileserver
  65. privkey: salt://path_to_PRIVATEKEY
  66. pubkey: salt://path_to_PUBLICKEY
  67. # you can provide multiple keys, the keyname is taken as filename
  68. # make sure your public keys suffix is .pub
  69. foobar: PRIVATEKEY
  70. foobar.pub: PUBLICKEY
  71. # ... or you can pull them from a different pillar,
  72. # for example one called "ssh_keys":
  73. ssh_keys_pillar:
  74. id_rsa: "ssh_keys"
  75. another_key_pair: "ssh_keys"
  76. ssh_auth:
  77. - PUBLICKEY
  78. ssh_auth.absent:
  79. - PUBLICKEY_TO_BE_REMOVED
  80. # Generates an authorized_keys file for the user
  81. # with the given keys
  82. ssh_auth_file:
  83. - PUBLICKEY
  84. # ... or you can pull them from a different pillar similar to ssh_keys_pillar
  85. ssh_auth_pillar:
  86. id_rsa: "ssh_keys"
  87. # If you prefer to keep public keys as files rather
  88. # than inline in pillar, this works.
  89. ssh_auth_sources:
  90. - salt://keys/buser.id_rsa.pub
  91. ssh_auth_sources.absent:
  92. - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
  93. # Manage the ~/.ssh/config file
  94. ssh_known_hosts:
  95. importanthost:
  96. port: 22
  97. fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
  98. key: PUBLICKEY
  99. enc: ssh-rsa
  100. hash_known_hosts: True
  101. timeout: 5
  102. fingerprint_hash_type: sha256
  103. ssh_known_hosts.absent:
  104. - notimportanthost
  105. ssh_config:
  106. all:
  107. hostname: "*"
  108. options:
  109. - "StrictHostKeyChecking no"
  110. - "UserKnownHostsFile=/dev/null"
  111. importanthost:
  112. hostname: "needcheck.example.com"
  113. options:
  114. - "StrictHostKeyChecking yes"
  115. # Using gitconfig without Git installed will result in an error
  116. # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
  117. # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
  118. gitconfig:
  119. user.name: B User
  120. user.email: buser@example.com
  121. "url.https://.insteadOf": "git://"
  122. gitconfig.absent:
  123. - push.default
  124. - color\..+
  125. google_2fa: True
  126. google_auth:
  127. ssh: |
  128. SOMEGAUTHHASHVAL
  129. " RESETTING_TIME_SKEW 46956472+2 46991595-2
  130. " RATE_LIMIT 3 30 1415800560
  131. " DISALLOW_REUSE 47193352
  132. " TOTP_AUTH
  133. 11111111
  134. 22222222
  135. 33333333
  136. 44444444
  137. 55555555
  138. # unique: True allows user to have non unique uid
  139. unique: False
  140. uid: 1001
  141. user_files:
  142. enabled: True
  143. # 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
  144. # should be a salt fileserver path either with or without 'salt://'
  145. # if not present, it defaults to 'salt://users/files/user/<username>
  146. source: users/files/default
  147. template: jinja
  148. # You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
  149. # it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
  150. # execution bit for example.
  151. file_mode: keep
  152. sym_mode: 640
  153. exclude_pat: "*.gitignore"
  154. ## Absent user
  155. cuser:
  156. absent: True
  157. purge: True
  158. force: True
  159. ## Old syntax of absent_users still supported
  160. absent_users:
  161. - donald
  162. - bad_guy
  163. groups:
  164. badguys:
  165. absent: True
  166. niceguys:
  167. gid: 4242
  168. system: False
  169. addusers: root
  170. delusers: toor
  171. ssl-cert:
  172. system: True
  173. members:
  174. - www-data
  175. - openldap