ExternalMirrors
/
users-formula
mirror of https://github.com/saltstack-formulas/users-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 13 Wiki Activity
Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
143 Commits
3 Branches
Tree: 0e72cc20b9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0e72cc20b9'
${ noResults }
users-formula/users/init.sls

366 lines
10KB
Raw Blame History 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. 

  6. {%- for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}

  7. {%- if user == None -%}

  8. {%- set user = {} -%}

  9. {%- endif -%}

  10. {%- if 'sudouser' in user and user['sudouser'] %}

  11. {%- do used_sudo.append(1) %}

  12. {%- endif %}

  13. {%- if 'google_auth' in user %}

  14. {%- do used_googleauth.append(1) %}

  15. {%- endif %}

  16. {%- endfor %}

  17. 

  18. {%- if used_sudo or used_googleauth %}

  19. include:

  20. {%- if used_sudo %}

  21.   - users.sudo

  22. {%- endif %}

  23. {%- if used_googleauth %}

  24.   - users.googleauth

  25. {%- endif %}

  26. {%- endif %}

  27. 

  28. {% for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}

  29. {%- if user == None -%}

  30. {%- set user = {} -%}

  31. {%- endif -%}

  32. {%- set home = user.get('home', "/home/%s" % name) -%}

  33. 

  34. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  35. {%- set user_group = user.prime_group.name -%}

  36. {%- else -%}

  37. {%- set user_group = name -%}

  38. {%- endif %}

  39. 

  40. {% for group in user.get('groups', []) %}

  41. users_{{ name }}_{{ group }}_group:

  42.   group:

  43.     - name: {{ group }}

  44.     - present

  45. {% endfor %}

  46. 

  47. users_{{ name }}_user:

  48.   {% if user.get('createhome', True) %}

  49.   file.directory:

  50.     - name: {{ home }}

  51.     - user: {{ name }}

  52.     - group: {{ user_group }}

  53.     - mode: {{ user.get('user_dir_mode', '0750') }}

  54.     - require:

  55.       - user: users_{{ name }}_user

  56.       - group: {{ user_group }}

  57.   {%- endif %}

  58.   group.present:

  59.     - name: {{ user_group }}

  60.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  61.     - gid: {{ user['prime_group']['gid'] }}

  62.     {%- elif 'uid' in user %}

  63.     - gid: {{ user['uid'] }}

  64.     {%- endif %}

  65.   user.present:

  66.     - name: {{ name }}

  67.     - home: {{ home }}

  68.     - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}

  69.     {% if 'uid' in user -%}

  70.     - uid: {{ user['uid'] }}

  71.     {% endif -%}

  72.     {% if 'password' in user -%}

  73.     - password: '{{ user['password'] }}'

  74.     {% endif -%}

  75.     {% if 'enforce_password' in user -%}

  76.     - enforce_password: '{{ user['enforce_password'] }}'

  77.     {% endif -%}

  78.     {% if user.get('system', False) -%}

  79.     - system: True

  80.     {% endif -%}

  81.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  82.     - gid: {{ user['prime_group']['gid'] }}

  83.     {% else -%}

  84.     - gid_from_name: True

  85.     {% endif -%}

  86.     {% if 'fullname' in user %}

  87.     - fullname: {{ user['fullname'] }}

  88.     {% endif -%}

  89.     {% if not user.get('createhome', True) %}

  90.     - createhome: False

  91.     {% endif %}

  92.     {% if 'expire' in user -%}

  93.     - expire: {{ user['expire'] }}

  94.     {% endif -%}

  95.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  96.     - groups:

  97.       - {{ user_group }}

  98.       {% for group in user.get('groups', []) -%}

  99.       - {{ group }}

  100.       {% endfor %}

  101.     - require:

  102.       - group: {{ user_group }}

  103.       {% for group in user.get('groups', []) -%}

  104.       - group: {{ group }}

  105.       {% endfor %}

  106. 

  107. 

  108.   {% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth.absent' in user %}

  109. user_keydir_{{ name }}:

  110.   file.directory:

  111.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  112.     - user: {{ name }}

  113.     - group: {{ user_group }}

  114.     - makedirs: True

  115.     - mode: 700

  116.     - require:

  117.       - user: {{ name }}

  118.       - group: {{ user_group }}

  119.       {%- for group in user.get('groups', []) %}

  120.       - group: {{ group }}

  121.       {%- endfor %}

  122.   {% endif %}

  123. 

  124.   {% if 'ssh_keys' in user %}

  125.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  126. users_user_{{ name }}_private_key:

  127.   file.managed:

  128.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  129.     - user: {{ name }}

  130.     - group: {{ user_group }}

  131.     - mode: 600

  132.     - show_diff: False

  133.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  134.     - require:

  135.       - user: users_{{ name }}_user

  136.       {% for group in user.get('groups', []) %}

  137.       - group: users_{{ name }}_{{ group }}_group

  138.       {% endfor %}

  139. users_user_{{ name }}_public_key:

  140.   file.managed:

  141.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  142.     - user: {{ name }}

  143.     - group: {{ user_group }}

  144.     - mode: 644

  145.     - show_diff: False

  146.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  147.     - require:

  148.       - user: users_{{ name }}_user

  149.       {% for group in user.get('groups', []) %}

  150.       - group: users_{{ name }}_{{ group }}_group

  151.       {% endfor %}

  152.   {% endif %}

  153. 

  154. {% if 'ssh_auth_file' in user %}

  155. users_authorized_keys_{{ name }}:

  156.   file.managed:

  157.     - name: {{ home }}/.ssh/authorized_keys

  158.     - user: {{ name }}

  159.     - group: {{ name }}

  160.     - mode: 600

  161.     - contents: |

  162.         {% for auth in user.ssh_auth_file -%}

  163.         {{ auth }}

  164.         {% endfor -%}

  165. {% endif %}

  166. 

  167. {% if 'ssh_auth' in user %}

  168. {% for auth in user['ssh_auth'] %}

  169. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  170.   ssh_auth.present:

  171.     - user: {{ name }}

  172.     - name: {{ auth }}

  173.     - require:

  174.         - file: users_{{ name }}_user

  175.         - user: users_{{ name }}_user

  176. {% endfor %}

  177. {% endif %}

  178. 

  179. {% if 'ssh_keys_pillar' in user %}

  180. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  181. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  182.   file.managed:

  183.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}

  184.     - user: {{ name }}

  185.     - group: {{ user_group }}

  186.     - mode: 600

  187.     - show_diff: False

  188.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  189.     - require:

  190.       - user: users_{{ name }}_user

  191.       {% for group in user.get('groups', []) %}

  192.       - group: users_{{ name }}_{{ group }}_group

  193.       {% endfor %}

  194. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  195.   file.managed:

  196.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub

  197.     - user: {{ name }}

  198.     - group: {{ user_group }}

  199.     - mode: 644

  200.     - show_diff: False

  201.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  202.     - require:

  203.       - user: users_{{ name }}_user

  204.       {% for group in user.get('groups', []) %}

  205.       - group: users_{{ name }}_{{ group }}_group

  206.       {% endfor %}

  207. {% endfor %}

  208. {% endif %}

  209. 

  210. {% if 'ssh_auth_sources' in user %}

  211. {% for pubkey_file in user['ssh_auth_sources'] %}

  212. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  213.   ssh_auth.present:

  214.     - user: {{ name }}

  215.     - source: {{ pubkey_file }}

  216.     - require:

  217.         - file: users_{{ name }}_user

  218.         - user: users_{{ name }}_user

  219. {% endfor %}

  220. {% endif %}

  221. 

  222. {% if 'ssh_auth.absent' in user %}

  223. {% for auth in user['ssh_auth.absent'] %}

  224. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  225.   ssh_auth.absent:

  226.     - user: {{ name }}

  227.     - name: {{ auth }}

  228.     - require:

  229.         - file: users_{{ name }}_user

  230.         - user: users_{{ name }}_user

  231. {% endfor %}

  232. {% endif %}

  233. 

  234. {% if 'ssh_config' in user %}

  235. users_ssh_config_{{ name }}:

  236.   file.managed:

  237.     - name: {{ home }}/.ssh/config

  238.     - user: {{ name }}

  239.     - group: {{ user_group }}

  240.     - mode: 640

  241.     - contents: |

  242.         # Managed by Saltstack

  243.         # Do Not Edit

  244.         {% for label, setting in user.ssh_config.items() %}

  245.         # {{ label }}

  246.         Host {{ setting.get('hostname') }}

  247.           {%- for opts in setting.get('options') %}

  248.           {{ opts }}

  249.           {%- endfor %}

  250.         {% endfor -%}

  251. {% endif %}

  252. 

  253. {% if 'sudouser' in user and user['sudouser'] %}

  254. 

  255. users_sudoer-{{ name }}:

  256.   file.managed:

  257.     - name: {{ users.sudoers_dir }}/{{ name }}

  258.     - user: root

  259.     - group: {{ users.root_group }}

  260.     - mode: '0440'

  261. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  262. {% if 'sudo_rules' in user %}

  263. {% for rule in user['sudo_rules'] %}

  264. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  265.   cmd.run:

  266.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  267.     - stateful: True

  268.     - shell: {{ users.visudo_shell }}

  269.     - env:

  270.       # Specify the rule via an env var to avoid shell quoting issues.

  271.       - rule: "{{ name }} {{ rule }}"

  272.     - require_in:

  273.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  274. {% endfor %}

  275. {% endif %}

  276. {% if 'sudo_defaults' in user %}

  277. {% for entry in user['sudo_defaults'] %}

  278. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  279.   cmd.run:

  280.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  281.     - stateful: True

  282.     - shell: {{ users.visudo_shell }}

  283.     - env:

  284.       # Specify the rule via an env var to avoid shell quoting issues.

  285.       - rule: "Defaults:{{ name }} {{ entry }}"

  286.     - require_in:

  287.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  288. {% endfor %}

  289. {% endif %}

  290. 

  291. users_{{ users.sudoers_dir }}/{{ name }}:

  292.   file.managed:

  293.     - name: {{ users.sudoers_dir }}/{{ name }}

  294.     - contents: |

  295.       {%- if 'sudo_defaults' in user %}

  296.       {%- for entry in user['sudo_defaults'] %}

  297.         Defaults:{{ name }} {{ entry }}

  298.       {%- endfor %}

  299.       {%- endif %}

  300.       {%- if 'sudo_rules' in user %}

  301.       {%- for rule in user['sudo_rules'] %}

  302.         {{ name }} {{ rule }}

  303.       {%- endfor %}

  304.       {%- endif %}

  305.     - require:

  306.       - file: users_sudoer-defaults

  307.       - file: users_sudoer-{{ name }}

  308. {% endif %}

  309. {% else %}

  310. users_{{ users.sudoers_dir }}/{{ name }}:

  311.   file.absent:

  312.     - name: {{ users.sudoers_dir }}/{{ name }}

  313. {% endif %}

  314. 

  315. {%- if 'google_auth' in user %}

  316. {%- for svc in user['google_auth'] %}

  317. users_googleauth-{{ svc }}-{{ name }}:

  318.   file.managed:

  319.     - replace: false

  320.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  321.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  322.     - user: root

  323.     - group: {{ users.root_group }}

  324.     - mode: 400

  325.     - require:

  326.       - pkg: users_googleauth-package

  327. {%- endfor %}

  328. {%- endif %}

  329. 

  330. {% endfor %}

  331. 

  332. 

  333. {% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %}

  334. users_absent_user_{{ name }}:

  335. {% if 'purge' in user or 'force' in user %}

  336.   user.absent:

  337.     - name: {{ name }}

  338.     {% if 'purge' in user %}

  339.     - purge: {{ user['purge'] }}

  340.     {% endif %}

  341.     {% if 'force' in user %}

  342.     - force: {{ user['force'] }}

  343.     {% endif %}

  344. {% else %}

  345.   user.absent:

  346.     - name: {{ name }}

  347. {% endif -%}

  348. users_{{ users.sudoers_dir }}/{{ name }}:

  349.   file.absent:

  350.     - name: {{ users.sudoers_dir }}/{{ name }}

  351. {% endfor %}

  352. 

  353. {% for user in pillar.get('absent_users', []) %}

  354. users_absent_user_2_{{ user }}:

  355.   user.absent

  356. users_2_{{ users.sudoers_dir }}/{{ user }}:

  357.   file.absent:

  358.     - name: {{ users.sudoers_dir }}/{{ user }}

  359. {% endfor %}

  360. 

  361. {% for group in pillar.get('absent_groups', []) %}

  362. users_absent_group_{{ group }}:

  363.   group.absent:

  364.     - name: {{ group }}

  365. {% endfor %}