
  1. users-formula:
  2. use_vim_formula: True
  3. lookup: # override the defauls in map.jinja
  4. root_group: root
  5. users:
  6. ## Minimal required pillar values
  7. auser:
  8. fullname: A User
  9. ## Full list of pillar values
  10. buser:
  11. fullname: B User
  12. password: $6$w.............
  13. enforce_password: True
  14. # WARNING: If 'empty_password' is set to True, the 'password' statement
  15. # will be ignored by enabling password-less login for the user.
  16. empty_password: False
  17. hash_password: False
  18. system: False
  19. home: /custom/buser
  20. homedir_owner: buser
  21. homedir_group: primarygroup
  22. user_dir_mode: 750
  23. createhome: True
  24. roomnumber: "A-1"
  25. workphone: "(555) 555-5555"
  26. homephone: "(555) 555-5551"
  27. manage_vimrc: False
  28. manage_bashrc: False
  29. manage_profile: False
  30. expire: 16426
  31. # Disables user management except sudo rules.
  32. # Useful for setting sudo rules for system accounts created by package instalation
  33. sudoonly: False
  34. sudouser: True
  35. # sudo_rules doesn't need the username as a prefix for the rule
  36. # this is added automatically by the formula.
  37. # ----------------------------------------------------------------------
  38. # In case your sudo_rules have a colon please have in mind to not leave
  39. # spaces around it. For example:
  40. # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
  41. # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
  42. sudo_rules:
  43. - ALL=(root) /usr/bin/find
  44. - ALL=(otheruser) /usr/bin/script.sh
  45. sudo_defaults:
  46. - '!requiretty'
  47. shell: /bin/bash
  48. remove_groups: False
  49. prime_group:
  50. name: primarygroup
  51. gid: 500
  52. groups:
  53. - users
  54. optional_groups:
  55. - some_groups_that_might
  56. - not_exist_on_all_minions
  57. ssh_key_type: rsa
  58. # You can inline the private keys ...
  59. ssh_keys:
  60. privkey: PRIVATEKEY
  61. pubkey: PUBLICKEY
  62. # or you can provide path to key on Salt fileserver
  63. privkey: salt://path_to_PRIVATEKEY
  64. pubkey: salt://path_to_PUBLICKEY
  65. # you can provide multiple keys, the keyname is taken as filename
  66. # make sure your public keys suffix is .pub
  67. foobar: PRIVATEKEY
  68. foobar.pub: PUBLICKEY
  69. # ... or you can pull them from a different pillar,
  70. # for example one called "ssh_keys":
  71. ssh_keys_pillar:
  72. id_rsa: "ssh_keys"
  73. another_key_pair: "ssh_keys"
  74. ssh_auth:
  75. - PUBLICKEY
  76. ssh_auth.absent:
  77. - PUBLICKEY_TO_BE_REMOVED
  78. # Generates an authorized_keys file for the user
  79. # with the given keys
  80. ssh_auth_file:
  81. - PUBLICKEY
  82. # ... or you can pull them from a different pillar similar to ssh_keys_pillar
  83. ssh_auth_pillar:
  84. id_rsa: "ssh_keys"
  85. # If you prefer to keep public keys as files rather
  86. # than inline in pillar, this works.
  87. ssh_auth_sources:
  88. - salt://keys/buser.id_rsa.pub
  89. ssh_auth_sources.absent:
  90. - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
  91. # Manage the ~/.ssh/config file
  92. ssh_known_hosts:
  93. importanthost:
  94. port: 22
  95. fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
  96. key: PUBLICKEY
  97. enc: ssh-rsa
  98. hash_known_hosts: True
  99. timeout: 5
  100. fingerprint_hash_type: sha256
  101. ssh_known_hosts.absent:
  102. - notimportanthost
  103. ssh_config:
  104. all:
  105. hostname: "*"
  106. options:
  107. - "StrictHostKeyChecking no"
  108. - "UserKnownHostsFile=/dev/null"
  109. importanthost:
  110. hostname: "needcheck.example.com"
  111. options:
  112. - "StrictHostKeyChecking yes"
  113. # Using gitconfig without Git installed will result in an error
  114. # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
  115. # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
  116. gitconfig:
  117. user.name: B User
  118. user.email: buser@example.com
  119. "url.https://.insteadOf": "git://"
  120. google_2fa: True
  121. google_auth:
  122. ssh: |
  123. SOMEGAUTHHASHVAL
  124. " RESETTING_TIME_SKEW 46956472+2 46991595-2
  125. " RATE_LIMIT 3 30 1415800560
  126. " DISALLOW_REUSE 47193352
  127. " TOTP_AUTH
  128. 11111111
  129. 22222222
  130. 33333333
  131. 44444444
  132. 55555555
  133. # unique: True allows user to have non unique uid
  134. unique: False
  135. uid: 1001
  136. user_files:
  137. enabled: True
  138. # 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
  139. # should be a salt fileserver path either with or without 'salt://'
  140. # if not present, it defaults to 'salt://users/files/user/<username>
  141. source: users/files/default
  142. template: jinja
  143. # You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
  144. # it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
  145. # execution bit for example.
  146. file_mode: keep
  147. sym_mode: 640
  148. exclude_pat: "*.gitignore"
  149. ## Absent user
  150. cuser:
  151. absent: True
  152. purge: True
  153. force: True
  154. ## Old syntax of absent_users still supported
  155. absent_users:
  156. - donald
  157. - bad_guy