Saltstack Official Users Formula


  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. users-formula:
  5. use_vim_formula: true
  6. lookup: # override the defauls in map.jinja
  7. root_group: root
  8. # group initialization
  9. groups:
  10. foo:
  11. state: present
  12. gid: 1500
  13. system: false
  14. badguys:
  15. absent: true
  16. niceguys:
  17. gid: 4242
  18. system: false
  19. addusers: root
  20. delusers: toor
  21. ssl-cert:
  22. system: true
  23. members:
  24. # *TODO*: run groups after all users created and then use `auser` and
  25. # `buser` instead
  26. - root
  27. - sshd
  28. # - bin
  29. # - daemon
  30. users:
  31. ## Minimal required pillar values
  32. auser:
  33. fullname: A User
  34. ## Full list of pillar values
  35. buser:
  36. fullname: B User
  37. password: $6$w.............
  38. enforce_password: true
  39. # WARNING: If 'empty_password' is set to true, the 'password' statement
  40. # will be ignored by enabling password-less login for the user.
  41. empty_password: false
  42. hash_password: false
  43. system: false
  44. home: /custom/buser
  45. homedir_owner: buser
  46. homedir_group: primarygroup
  47. user_dir_mode: 750
  48. createhome: true
  49. roomnumber: "A-1"
  50. workphone: "(555) 555-5555"
  51. homephone: "(555) 555-5551"
  52. manage_vimrc: false
  53. allow_gid_change: false
  54. manage_bashrc: false
  55. manage_profile: false
  56. expire: 16426
  57. # Disables user management except sudo rules.
  58. # Useful for setting sudo rules for system accounts created by package instalation
  59. sudoonly: false
  60. sudouser: true
  61. # sudo_rules doesn't need the username as a prefix for the rule
  62. # this is added automatically by the formula.
  63. # ----------------------------------------------------------------------
  64. # In case your sudo_rules have a colon please have in mind to not leave
  65. # spaces around it. For example:
  66. # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
  67. # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
  68. sudo_rules:
  69. - ALL=(root) /usr/bin/find
  70. - ALL=(otheruser) /usr/bin/script.sh
  71. sudo_defaults:
  72. - '!requiretty'
  73. # enable polkitadmin to make user an AdminIdentity for polkit
  74. polkitadmin: true
  75. shell: /bin/bash
  76. remove_groups: false
  77. prime_group:
  78. name: primarygroup
  79. gid: 1501
  80. groups:
  81. - users
  82. optional_groups:
  83. - some_groups_that_might
  84. - not_exist_on_all_minions
  85. ssh_key_type: rsa
  86. # # You can inline the private keys ...
  87. # ssh_keys:
  88. # privkey: PRIVATEKEY
  89. # pubkey: PUBLICKEY
  90. # # or you can provide path to key on Salt fileserver
  91. # # privkey: salt://path_to_PRIVATEKEY
  92. # # pubkey: salt://path_to_PUBLICKEY
  93. # # you can provide multiple keys, the keyname is taken as filename
  94. # # make sure your public keys suffix is .pub
  95. # foobar: PRIVATEKEY
  96. # foobar.pub: PUBLICKEY
  97. # # ... or you can pull them from a different pillar,
  98. # # for example one called "ssh_keys":
  99. # ssh_keys_pillar:
  100. # id_rsa: "ssh_keys"
  101. # another_key_pair: "ssh_keys"
  102. # ssh_auth:
  103. # - PUBLICKEY
  104. # ssh_auth.absent:
  105. # - PUBLICKEY_TO_BE_REMOVED
  106. # # Generates an authorized_keys file for the user
  107. # # with the given keys
  108. # ssh_auth_file:
  109. # - PUBLICKEY
  110. # # ... or you can pull them from a different pillar similar to ssh_keys_pillar
  111. # ssh_auth_pillar:
  112. # id_rsa: "ssh_keys"
  113. # # If you prefer to keep public keys as files rather
  114. # # than inline in pillar, this works.
  115. # ssh_auth_sources:
  116. # - salt://keys/buser.id_rsa.pub
  117. # ssh_auth_sources.absent:
  118. # - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
  119. # Manage the ~/.ssh/config file
  120. ssh_known_hosts:
  121. importanthost:
  122. port: 22
  123. fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
  124. key: PUBLICKEY
  125. enc: ssh-rsa
  126. hash_known_hosts: true
  127. timeout: 5
  128. fingerprint_hash_type: sha256
  129. ssh_known_hosts.absent:
  130. - notimportanthost
  131. ssh_config:
  132. all:
  133. hostname: "*"
  134. options:
  135. - "StrictHostKeyChecking no"
  136. - "UserKnownHostsFile=/dev/null"
  137. importanthost:
  138. hostname: "needcheck.example.com"
  139. options:
  140. - "StrictHostKeyChecking yes"
  141. # Using gitconfig without Git installed will result in an error
  142. # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
  143. # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
  144. gitconfig:
  145. user.name: B User
  146. user.email: buser@example.com
  147. "url.https://.insteadOf": "git://"
  148. gitconfig.absent:
  149. - push.default
  150. - color\..+
  151. google_2fa: true
  152. google_auth:
  153. sshd: |
  154. SOMEGAUTHHASHVAL
  155. " RESETTING_TIME_SKEW 46956472+2 46991595-2
  156. " RATE_LIMIT 3 30 1415800560
  157. " DISALLOW_REUSE 47193352
  158. " TOTP_AUTH
  159. 11111111
  160. 22222222
  161. 33333333
  162. 44444444
  163. 55555555
  164. # unique: true allows user to have non unique uid
  165. unique: false
  166. uid: 1001
  167. user_files:
  168. enabled: true
  169. # 'source' allows you to define an arbitrary directory to sync,
  170. # useful to use for default files.
  171. # should be a salt fileserver path either with or without 'salt://'
  172. # if not present, it defaults to 'salt://users/files/user/<username>
  173. source: users/files
  174. # template: jinja
  175. # You can specify octal mode for files and symlinks that will be copied.
  176. # Since version 2016.11.0 it's possible to use 'keep' for file_mode,
  177. # to preserve file original mode, thus you can save execution bit for example.
  178. file_mode: keep
  179. # You can specify octal mode for directories as well.
  180. # This won't work on Windows minions
  181. # dir_mode: 775
  182. sym_mode: 640
  183. exclude_pat: "*.gitignore"
  184. ## Absent user
  185. cuser:
  186. absent: true
  187. purge: true
  188. force: true
  189. ## Old syntax of absent_users still supported
  190. absent_users:
  191. - donald
  192. - bad_guy