ExternalMirrors
/
users-formula
дзеркало https://github.com/saltstack-formulas/users-formula
Слідкувати 1
В обрані 0
Форк 1
Код Проблеми 0 Релізи 13 Вікі Активність
Saltstack Official Users Formula
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
271 Коміти
3 Гілки
Дерево: 1dfef11303
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з '1dfef11303'
${ noResults }
users-formula/users/init.sls

524 lines
15KB
Неформатований Blame Історія 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudouser' in user and user['sudouser'] %}

  13. {%- do used_sudo.append(1) %}

  14. {%- endif %}

  15. {%- if 'google_auth' in user %}

  16. {%- do used_googleauth.append(1) %}

  17. {%- endif %}

  18. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  19. {%- do used_user_files.append(1) %}

  20. {%- endif %}

  21. {%- endfor %}

  22. 

  23. {%- if used_sudo or used_googleauth or used_user_files %}

  24. include:

  25. {%- if used_sudo %}

  26.   - users.sudo

  27. {%- endif %}

  28. {%- if used_googleauth %}

  29.   - users.googleauth

  30. {%- endif %}

  31. {%- if used_user_files %}

  32.   - users.user_files

  33. {%- endif %}

  34. {%- endif %}

  35. 

  36. {% for name, user in pillar.get('users', {}).items()

  37.         if user.absent is not defined or not user.absent %}

  38. {%- if user == None -%}

  39. {%- set user = {} -%}

  40. {%- endif -%}

  41. {%- set current = salt.user.info(name) -%}

  42. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  43. 

  44. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  45. {%- set user_group = user.prime_group.name -%}

  46. {%- else -%}

  47. {%- set user_group = name -%}

  48. {%- endif %}

  49. 

  50. {% for group in user.get('groups', []) %}

  51. users_{{ name }}_{{ group }}_group:

  52.   group.present:

  53.     - name: {{ group }}

  54.     {% if group == 'sudo' %}

  55.     - system: True

  56.     {% endif %}

  57. {% endfor %}

  58. 

  59. users_{{ name }}_user:

  60.   {% if user.get('createhome', True) %}

  61.   file.directory:

  62.     - name: {{ home }}

  63.     - user: {{ user.get('homedir_owner', name) }}

  64.     - group: {{ user.get('homedir_group', user_group) }}

  65.     - mode: {{ user.get('user_dir_mode', '0750') }}

  66.     - require:

  67.       - user: users_{{ name }}_user

  68.       - group: {{ user_group }}

  69.   {%- endif %}

  70.   group.present:

  71.     - name: {{ user_group }}

  72.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  73.     - gid: {{ user['prime_group']['gid'] }}

  74.     {%- elif 'uid' in user %}

  75.     - gid: {{ user['uid'] }}

  76.     {%- endif %}

  77.     {% if 'system' in user and user['system'] %}

  78.     - system: True

  79.     {% endif %}

  80.   user.present:

  81.     - name: {{ name }}

  82.     - home: {{ home }}

  83.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  84.     {% if 'uid' in user -%}

  85.     - uid: {{ user['uid'] }}

  86.     {% endif -%}

  87.     {% if 'password' in user -%}

  88.     - password: '{{ user['password'] }}'

  89.     {% endif -%}

  90.     {% if user.get('empty_password') -%}

  91.     - empty_password: {{ user.get('empty_password') }}

  92.     {% endif -%}

  93.     {% if 'enforce_password' in user -%}

  94.     - enforce_password: {{ user['enforce_password'] }}

  95.     {% endif -%}

  96.     {% if 'hash_password' in user -%}

  97.     - hash_password: {{ user['hash_password'] }}

  98.     {% endif -%}

  99.     {% if user.get('system', False) -%}

  100.     - system: True

  101.     {% endif -%}

  102.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  103.     - gid: {{ user['prime_group']['gid'] }}

  104.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  105.     - gid: {{ user['prime_group']['name'] }}

  106.     {% else -%}

  107.     - gid_from_name: True

  108.     {% endif -%}

  109.     {% if 'fullname' in user %}

  110.     - fullname: {{ user['fullname'] }}

  111.     {% endif -%}

  112.     {% if 'roomnumber' in user %}

  113.     - roomnumber: {{ user['roomnumber'] }}

  114.     {% endif %}

  115.     {% if 'workphone' in user %}

  116.     - workphone: {{ user['workphone'] }}

  117.     {% endif %}

  118.     {% if 'homephone' in user %}

  119.     - homephone: {{ user['homephone'] }}

  120.     {% endif %}

  121.     {% if not user.get('createhome', True) %}

  122.     - createhome: False

  123.     {% endif %}

  124.     {% if 'expire' in user -%}

  125.         {% if grains['kernel'].endswith('BSD') and

  126.             user['expire'] < 157766400 %}

  127.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  128.     - expire: {{ user['expire'] * 86400 }}

  129.         {% elif grains['kernel'] == 'Linux' and

  130.             user['expire'] > 84006 %}

  131.         {# 2932896 days since epoch equals 9999-12-31 #}

  132.     - expire: {{ (user['expire'] / 86400) | int}}

  133.         {% else %}

  134.     - expire: {{ user['expire'] }}

  135.         {% endif %}

  136.     {% endif -%}

  137.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  138.     - groups:

  139.       - {{ user_group }}

  140.       {% for group in user.get('groups', []) -%}

  141.       - {{ group }}

  142.       {% endfor %}

  143.     {% if 'optional_groups' in user %}

  144.     - optional_groups:

  145.       {% for optional_group in user['optional_groups'] -%}

  146.       - {{optional_group}}

  147.       {% endfor %}

  148.     {% endif %}

  149.     - require:

  150.       - group: {{ user_group }}

  151.       {% for group in user.get('groups', []) -%}

  152.       - group: {{ group }}

  153.       {% endfor %}

  154. 

  155. 

  156.   {% if 'ssh_keys' in user or

  157.       'ssh_auth' in user or

  158.       'ssh_auth_file' in user or

  159.       'ssh_auth_pillar' in user or

  160.       'ssh_auth.absent' in user or

  161.       'ssh_config' in user %}

  162. user_keydir_{{ name }}:

  163.   file.directory:

  164.     - name: {{ home }}/.ssh

  165.     - user: {{ name }}

  166.     - group: {{ user_group }}

  167.     - makedirs: True

  168.     - mode: 700

  169.     - require:

  170.       - user: {{ name }}

  171.       - group: {{ user_group }}

  172.       {%- for group in user.get('groups', []) %}

  173.       - group: {{ group }}

  174.       {%- endfor %}

  175.   {% endif %}

  176. 

  177.   {% if 'ssh_keys' in user %}

  178.     {% for _key in user.ssh_keys.keys() %}

  179.       {% if _key == 'privkey' %}

  180.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}

  181.       {% elif _key ==  'pubkey' %}

  182.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}

  183.       {% else %}

  184.         {% set key_name = _key %}

  185.       {% endif %}

  186. users_{{ name }}_{{ key_name }}_key:

  187.   file.managed:

  188.     - name: {{ home }}/.ssh/{{ key_name }}

  189.     - user: {{ name }}

  190.     - group: {{ user_group }}

  191.       {% if key_name.endswith(".pub") %}

  192.     - mode: 644

  193.       {% else %}

  194.     - mode: 600

  195.       {% endif %}

  196.     - show_diff: False

  197.     {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}

  198.     {%- if 'salt://' in key_value[:7] %}

  199.     - source: {{ key_value }}

  200.     {%- else %}

  201.     - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}

  202.     {%- endif %}

  203.     - require:

  204.       - user: users_{{ name }}_user

  205.       {% for group in user.get('groups', []) %}

  206.       - group: users_{{ name }}_{{ group }}_group

  207.       {% endfor %}

  208.     {% endfor %}

  209.   {% endif %}

  210. 

  211. 

  212. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  213. users_authorized_keys_{{ name }}:

  214.   file.managed:

  215.     - name: {{ home }}/.ssh/authorized_keys

  216.     - user: {{ name }}

  217.     - group: {{ user_group }}

  218.     - mode: 600

  219. {% if 'ssh_auth_file' in user %}

  220.     - contents: |

  221.         {% for auth in user.ssh_auth_file -%}

  222.         {{ auth }}

  223.         {% endfor -%}

  224. {% else %}

  225.     - contents: |

  226.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  227.         {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}

  228.         {%- endfor %}

  229. {% endif %}

  230. {% endif %}

  231. 

  232. {% if 'ssh_auth' in user %}

  233. {% for auth in user['ssh_auth'] %}

  234. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  235.   ssh_auth.present:

  236.     - user: {{ name }}

  237.     - name: {{ auth }}

  238.     - require:

  239.         - file: user_keydir_{{ name }}

  240.         - user: users_{{ name }}_user

  241. {% endfor %}

  242. {% endif %}

  243. 

  244. {% if 'ssh_keys_pillar' in user %}

  245. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  246. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  247.   file.managed:

  248.     - name: {{ home }}/.ssh/{{ key_name }}

  249.     - user: {{ name }}

  250.     - group: {{ user_group }}

  251.     - mode: 600

  252.     - show_diff: False

  253.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  254.     - require:

  255.       - user: users_{{ name }}_user

  256.       {% for group in user.get('groups', []) %}

  257.       - group: users_{{ name }}_{{ group }}_group

  258.       {% endfor %}

  259. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  260.   file.managed:

  261.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  262.     - user: {{ name }}

  263.     - group: {{ user_group }}

  264.     - mode: 644

  265.     - show_diff: False

  266.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  267.     - require:

  268.       - user: users_{{ name }}_user

  269.       {% for group in user.get('groups', []) %}

  270.       - group: users_{{ name }}_{{ group }}_group

  271.       {% endfor %}

  272. {% endfor %}

  273. {% endif %}

  274. 

  275. {% if 'ssh_auth_sources' in user %}

  276. {% for pubkey_file in user['ssh_auth_sources'] %}

  277. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  278.   ssh_auth.present:

  279.     - user: {{ name }}

  280.     - source: {{ pubkey_file }}

  281.     - require:

  282.         - file: users_{{ name }}_user

  283.         - user: users_{{ name }}_user

  284. {% endfor %}

  285. {% endif %}

  286. 

  287. {% if 'ssh_auth_sources.absent' in user %}

  288. {% for pubkey_file in user['ssh_auth_sources.absent'] %}

  289. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:

  290.   ssh_auth.absent:

  291.     - user: {{ name }}

  292.     - source: {{ pubkey_file }}

  293.     - require:

  294.         - file: users_{{ name }}_user

  295.         - user: users_{{ name }}_user

  296. {% endfor %}

  297. {% endif %}

  298. 

  299. {% if 'ssh_auth.absent' in user %}

  300. {% for auth in user['ssh_auth.absent'] %}

  301. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  302.   ssh_auth.absent:

  303.     - user: {{ name }}

  304.     - name: {{ auth }}

  305.     - require:

  306.         - file: users_{{ name }}_user

  307.         - user: users_{{ name }}_user

  308. {% endfor %}

  309. {% endif %}

  310. 

  311. {% if 'ssh_config' in user %}

  312. users_ssh_config_{{ name }}:

  313.   file.managed:

  314.     - name: {{ home }}/.ssh/config

  315.     - user: {{ name }}

  316.     - group: {{ user_group }}

  317.     - mode: 640

  318.     - contents: |

  319.         # Managed by Saltstack

  320.         # Do Not Edit

  321.         {% for label, setting in user.ssh_config.items() %}

  322.         # {{ label }}

  323.         Host {{ setting.get('hostname') }}

  324.           {%- for opts in setting.get('options') %}

  325.           {{ opts }}

  326.           {%- endfor %}

  327.         {% endfor -%}

  328. {% endif %}

  329. 

  330. {% if 'ssh_known_hosts' in user %}

  331. {% for hostname, host in user['ssh_known_hosts'].items() %}

  332. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  333.   ssh_known_hosts.present:

  334.     - user: {{ name }}

  335.     - name: {{ hostname }}

  336.     {% if 'port' in host %}

  337.     - port: {{ host['port'] }}

  338.     {% endif -%}

  339.     {% if 'fingerprint' in host %}

  340.     - fingerprint: {{ host['fingerprint'] }}

  341.     {% endif -%}

  342.     {% if 'key' in host %}

  343.     - key: {{ host['key'] }}

  344.     {% endif -%}

  345.     {% if 'enc' in host %}

  346.     - enc: {{ host['enc'] }}

  347.     {% endif -%}

  348.     {% if 'hash_hostname' in host %}

  349.     - hash_hostname: {{ host['hash_hostname'] }}

  350.     {% endif -%}

  351. {% endfor %}

  352. {% endif %}

  353. 

  354. {% if 'ssh_known_hosts.absent' in user %}

  355. {% for host in user['ssh_known_hosts.absent'] %}

  356. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  357.   ssh_known_hosts.absent:

  358.     - user: {{ name }}

  359.     - name: {{ host }}

  360. {% endfor %}

  361. {% endif %}

  362. 

  363. {% set sudoers_d_filename = name|replace('.','_') %}

  364. {% if 'sudouser' in user and user['sudouser'] %}

  365. 

  366. users_sudoer-{{ name }}:

  367.   file.managed:

  368.     - replace: False

  369.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  370.     - user: root

  371.     - group: {{ users.root_group }}

  372.     - mode: '0440'

  373. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  374. #{#%

  375. {% if 'sudo_rules' in user %}

  376. {% for rule in user['sudo_rules'] %}

  377. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  378.   cmd.run:

  379.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  380.     - stateful: True

  381.     - shell: {{ users.visudo_shell }}

  382.     - env:

  383.       # Specify the rule via an env var to avoid shell quoting issues.

  384.       - rule: "{{ name }} {{ rule }}"

  385.     - require_in:

  386.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  387. {% endfor %}

  388. {% endif %}

  389. {% if 'sudo_defaults' in user %}

  390. {% for entry in user['sudo_defaults'] %}

  391. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  392.   cmd.run:

  393.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  394.     - stateful: True

  395.     - shell: {{ users.visudo_shell }}

  396.     - env:

  397.       # Specify the rule via an env var to avoid shell quoting issues.

  398.       - rule: "Defaults:{{ name }} {{ entry }}"

  399.     - require_in:

  400.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  401. {% endfor %}

  402. {% endif %}

  403. #%#}

  404. 

  405. users_{{ users.sudoers_dir }}/{{ name }}:

  406.   file.managed:

  407.     - replace: True

  408.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  409.     - contents: |

  410.       {%- if 'sudo_defaults' in user %}

  411.       {%- for entry in user['sudo_defaults'] %}

  412.         Defaults:{{ name }} {{ entry }}

  413.       {%- endfor %}

  414.       {%- endif %}

  415.       {%- if 'sudo_rules' in user %}

  416.         ########################################################################

  417.         # File managed by Salt (users-formula).

  418.         # Your changes will be overwritten.

  419.         ########################################################################

  420.         #

  421.       {%- for rule in user['sudo_rules'] %}

  422.         {{ name }} {{ rule }}

  423.       {%- endfor %}

  424.       {%- endif %}

  425.     - require:

  426.       - file: users_sudoer-defaults

  427.       - file: users_sudoer-{{ name }}

  428.   cmd.wait:

  429.     - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )

  430.     - watch:

  431.       - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  432. {% endif %}

  433. {% else %}

  434. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:

  435.   file.absent:

  436.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  437. {% endif %}

  438. 

  439. {%- if 'google_auth' in user %}

  440. {%- for svc in user['google_auth'] %}

  441. users_googleauth-{{ svc }}-{{ name }}:

  442.   file.managed:

  443.     - replace: false

  444.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  445.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  446.     - user: root

  447.     - group: {{ users.root_group }}

  448.     - mode: 400

  449.     - require:

  450.       - pkg: users_googleauth-package

  451. {%- endfor %}

  452. {%- endif %}

  453. 

  454. #

  455. # if not salt['cmd.has_exec']('git')

  456. # fails even if git is installed

  457. #

  458. # this doesn't work (Salt bug), therefore need to run state.apply twice

  459. #include:

  460. #  - users

  461. #

  462. #git:

  463. #  pkg.installed:

  464. #    - require_in:

  465. #      - sls: users

  466. #

  467. {% if 'gitconfig' in user %}

  468. {% for key, value in user['gitconfig'].items() %}

  469. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  470.   {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  471.   git.config_set:

  472.   {% else %}

  473.   git.config:

  474.   {% endif %}

  475.     - name: {{ key }}

  476.     - value: "{{ value }}"

  477.     - user: {{ name }}

  478.     {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  479.     - global: True

  480.     {% else %}

  481.     - is_global: True

  482.     {% endif %}

  483. {% endfor %}

  484. {% endif %}

  485. 

  486. {% endfor %}

  487. 

  488. 

  489. {% for name, user in pillar.get('users', {}).items()

  490.         if user.absent is defined and user.absent %}

  491. users_absent_user_{{ name }}:

  492. {% if 'purge' in user or 'force' in user %}

  493.   user.absent:

  494.     - name: {{ name }}

  495.     {% if 'purge' in user %}

  496.     - purge: {{ user['purge'] }}

  497.     {% endif %}

  498.     {% if 'force' in user %}

  499.     - force: {{ user['force'] }}

  500.     {% endif %}

  501. {% else %}

  502.   user.absent:

  503.     - name: {{ name }}

  504. {% endif -%}

  505. users_{{ users.sudoers_dir }}/{{ name }}:

  506.   file.absent:

  507.     - name: {{ users.sudoers_dir }}/{{ name }}

  508. {% endfor %}

  509. 

  510. {% for user in pillar.get('absent_users', []) %}

  511. users_absent_user_2_{{ user }}:

  512.   user.absent:

  513.     - name: {{ user }}

  514. users_2_{{ users.sudoers_dir }}/{{ user }}:

  515.   file.absent:

  516.     - name: {{ users.sudoers_dir }}/{{ user }}

  517. {% endfor %}

  518. 

  519. {% for group in pillar.get('absent_groups', []) %}

  520. users_absent_group_{{ group }}:

  521.   group.absent:

  522.     - name: {{ group }}

  523. {% endfor %}