ExternalMirrors
/
users-formula
镜像来自 https://github.com/saltstack-formulas/users-formula
關註 1
收藏 0
複製 1
程式碼 問題管理 0 版本發佈 13 Wiki Activity
Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
287 Commit
3 分支
目錄樹: 5b67c5513a
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '5b67c5513a'
${ noResults }
users-formula/users/init.sls

531 line
15KB
原始文件 Blame 文件歷史 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudoonly' in user and user['sudoonly'] %}

  13. {%- set _dummy=user.update({'sudouser': True}) %}

  14. {%- endif %}

  15. {%- if 'sudouser' in user and user['sudouser'] %}

  16. {%- do used_sudo.append(1) %}

  17. {%- endif %}

  18. {%- if 'google_auth' in user %}

  19. {%- do used_googleauth.append(1) %}

  20. {%- endif %}

  21. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  22. {%- do used_user_files.append(1) %}

  23. {%- endif %}

  24. {%- endfor %}

  25. 

  26. {%- if used_sudo or used_googleauth or used_user_files %}

  27. include:

  28. {%- if used_sudo %}

  29.   - users.sudo

  30. {%- endif %}

  31. {%- if used_googleauth %}

  32.   - users.googleauth

  33. {%- endif %}

  34. {%- if used_user_files %}

  35.   - users.user_files

  36. {%- endif %}

  37. {%- endif %}

  38. 

  39. {% for name, user in pillar.get('users', {}).items()

  40.         if user.absent is not defined or not user.absent %}

  41. {%- if user == None -%}

  42. {%- set user = {} -%}

  43. {%- endif -%}

  44. {%- set current = salt.user.info(name) -%}

  45. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  46. 

  47. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  48. {%- set user_group = user.prime_group.name -%}

  49. {%- else -%}

  50. {%- set user_group = name -%}

  51. {%- endif %}

  52. 

  53. {%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}

  54. {% for group in user.get('groups', []) %}

  55. users_{{ name }}_{{ group }}_group:

  56.   group.present:

  57.     - name: {{ group }}

  58.     {% if group == 'sudo' %}

  59.     - system: True

  60.     {% endif %}

  61. {% endfor %}

  62. 

  63. users_{{ name }}_user:

  64.   {% if user.get('createhome', True) %}

  65.   file.directory:

  66.     - name: {{ home }}

  67.     - user: {{ user.get('homedir_owner', name) }}

  68.     - group: {{ user.get('homedir_group', user_group) }}

  69.     - mode: {{ user.get('user_dir_mode', '0750') }}

  70.     - makedirs: True

  71.     - require:

  72.       - user: users_{{ name }}_user

  73.       - group: {{ user_group }}

  74.   {%- endif %}

  75.   group.present:

  76.     - name: {{ user_group }}

  77.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  78.     - gid: {{ user['prime_group']['gid'] }}

  79.     {%- elif 'uid' in user %}

  80.     - gid: {{ user['uid'] }}

  81.     {%- endif %}

  82.     {% if 'system' in user and user['system'] %}

  83.     - system: True

  84.     {% endif %}

  85.   user.present:

  86.     - name: {{ name }}

  87.     - home: {{ home }}

  88.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  89.     {% if 'uid' in user -%}

  90.     - uid: {{ user['uid'] }}

  91.     {% endif -%}

  92.     {% if 'password' in user -%}

  93.     - password: '{{ user['password'] }}'

  94.     {% endif -%}

  95.     {% if user.get('empty_password') -%}

  96.     - empty_password: {{ user.get('empty_password') }}

  97.     {% endif -%}

  98.     {% if 'enforce_password' in user -%}

  99.     - enforce_password: {{ user['enforce_password'] }}

  100.     {% endif -%}

  101.     {% if 'hash_password' in user -%}

  102.     - hash_password: {{ user['hash_password'] }}

  103.     {% endif -%}

  104.     {% if user.get('system', False) -%}

  105.     - system: True

  106.     {% endif -%}

  107.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  108.     - gid: {{ user['prime_group']['gid'] }}

  109.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  110.     - gid: {{ user['prime_group']['name'] }}

  111.     {% else -%}

  112.     - gid_from_name: True

  113.     {% endif -%}

  114.     {% if 'fullname' in user %}

  115.     - fullname: {{ user['fullname'] }}

  116.     {% endif -%}

  117.     {% if 'roomnumber' in user %}

  118.     - roomnumber: {{ user['roomnumber'] }}

  119.     {% endif %}

  120.     {% if 'workphone' in user %}

  121.     - workphone: {{ user['workphone'] }}

  122.     {% endif %}

  123.     {% if 'homephone' in user %}

  124.     - homephone: {{ user['homephone'] }}

  125.     {% endif %}

  126.     {% if not user.get('createhome', True) %}

  127.     - createhome: False

  128.     {% endif %}

  129.     {% if not user.get('unique', True) %}

  130.     - unique: False

  131.     {% endif %}

  132.     {% if 'expire' in user -%}

  133.         {% if grains['kernel'].endswith('BSD') and

  134.             user['expire'] < 157766400 %}

  135.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  136.     - expire: {{ user['expire'] * 86400 }}

  137.         {% elif grains['kernel'] == 'Linux' and

  138.             user['expire'] > 84006 %}

  139.         {# 2932896 days since epoch equals 9999-12-31 #}

  140.     - expire: {{ (user['expire'] / 86400) | int}}

  141.         {% else %}

  142.     - expire: {{ user['expire'] }}

  143.         {% endif %}

  144.     {% endif -%}

  145.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  146.     - groups:

  147.       - {{ user_group }}

  148.       {% for group in user.get('groups', []) -%}

  149.       - {{ group }}

  150.       {% endfor %}

  151.     {% if 'optional_groups' in user %}

  152.     - optional_groups:

  153.       {% for optional_group in user['optional_groups'] -%}

  154.       - {{optional_group}}

  155.       {% endfor %}

  156.     {% endif %}

  157.     - require:

  158.       - group: {{ user_group }}

  159.       {% for group in user.get('groups', []) -%}

  160.       - group: {{ group }}

  161.       {% endfor %}

  162. 

  163. 

  164.   {% if 'ssh_keys' in user or

  165.       'ssh_auth' in user or

  166.       'ssh_auth_file' in user or

  167.       'ssh_auth_pillar' in user or

  168.       'ssh_auth.absent' in user or

  169.       'ssh_config' in user %}

  170. user_keydir_{{ name }}:

  171.   file.directory:

  172.     - name: {{ home }}/.ssh

  173.     - user: {{ name }}

  174.     - group: {{ user_group }}

  175.     - makedirs: True

  176.     - mode: 700

  177.     - require:

  178.       - user: {{ name }}

  179.       - group: {{ user_group }}

  180.       {%- for group in user.get('groups', []) %}

  181.       - group: {{ group }}

  182.       {%- endfor %}

  183.   {% endif %}

  184. 

  185.   {% if 'ssh_keys' in user %}

  186.     {% for _key in user.ssh_keys.keys() %}

  187.       {% if _key == 'privkey' %}

  188.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}

  189.       {% elif _key ==  'pubkey' %}

  190.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}

  191.       {% else %}

  192.         {% set key_name = _key %}

  193.       {% endif %}

  194. users_{{ name }}_{{ key_name }}_key:

  195.   file.managed:

  196.     - name: {{ home }}/.ssh/{{ key_name }}

  197.     - user: {{ name }}

  198.     - group: {{ user_group }}

  199.       {% if key_name.endswith(".pub") %}

  200.     - mode: 644

  201.       {% else %}

  202.     - mode: 600

  203.       {% endif %}

  204.     - show_diff: False

  205.     {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}

  206.     {%- if 'salt://' in key_value[:7] %}

  207.     - source: {{ key_value }}

  208.     {%- else %}

  209.     - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}

  210.     {%- endif %}

  211.     - require:

  212.       - user: users_{{ name }}_user

  213.       {% for group in user.get('groups', []) %}

  214.       - group: users_{{ name }}_{{ group }}_group

  215.       {% endfor %}

  216.     {% endfor %}

  217.   {% endif %}

  218. 

  219. 

  220. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  221. users_authorized_keys_{{ name }}:

  222.   file.managed:

  223.     - name: {{ home }}/.ssh/authorized_keys

  224.     - user: {{ name }}

  225.     - group: {{ user_group }}

  226.     - mode: 600

  227. {% if 'ssh_auth_file' in user %}

  228.     - contents: |

  229.         {% for auth in user.ssh_auth_file -%}

  230.         {{ auth }}

  231.         {% endfor -%}

  232. {% else %}

  233.     - contents: |

  234.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  235.         {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}

  236.         {%- endfor %}

  237. {% endif %}

  238. {% endif %}

  239. 

  240. {% if 'ssh_auth' in user %}

  241. {% for auth in user['ssh_auth'] %}

  242. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  243.   ssh_auth.present:

  244.     - user: {{ name }}

  245.     - name: {{ auth }}

  246.     - require:

  247.         - file: user_keydir_{{ name }}

  248.         - user: users_{{ name }}_user

  249. {% endfor %}

  250. {% endif %}

  251. 

  252. {% if 'ssh_keys_pillar' in user %}

  253. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  254. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  255.   file.managed:

  256.     - name: {{ home }}/.ssh/{{ key_name }}

  257.     - user: {{ name }}

  258.     - group: {{ user_group }}

  259.     - mode: 600

  260.     - show_diff: False

  261.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  262.     - require:

  263.       - user: users_{{ name }}_user

  264.       {% for group in user.get('groups', []) %}

  265.       - group: users_{{ name }}_{{ group }}_group

  266.       {% endfor %}

  267. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  268.   file.managed:

  269.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  270.     - user: {{ name }}

  271.     - group: {{ user_group }}

  272.     - mode: 644

  273.     - show_diff: False

  274.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  275.     - require:

  276.       - user: users_{{ name }}_user

  277.       {% for group in user.get('groups', []) %}

  278.       - group: users_{{ name }}_{{ group }}_group

  279.       {% endfor %}

  280. {% endfor %}

  281. {% endif %}

  282. 

  283. {% if 'ssh_auth_sources' in user %}

  284. {% for pubkey_file in user['ssh_auth_sources'] %}

  285. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  286.   ssh_auth.present:

  287.     - user: {{ name }}

  288.     - source: {{ pubkey_file }}

  289.     - require:

  290.         - file: users_{{ name }}_user

  291.         - user: users_{{ name }}_user

  292. {% endfor %}

  293. {% endif %}

  294. 

  295. {% if 'ssh_auth_sources.absent' in user %}

  296. {% for pubkey_file in user['ssh_auth_sources.absent'] %}

  297. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:

  298.   ssh_auth.absent:

  299.     - user: {{ name }}

  300.     - source: {{ pubkey_file }}

  301.     - require:

  302.         - file: users_{{ name }}_user

  303.         - user: users_{{ name }}_user

  304. {% endfor %}

  305. {% endif %}

  306. 

  307. {% if 'ssh_auth.absent' in user %}

  308. {% for auth in user['ssh_auth.absent'] %}

  309. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  310.   ssh_auth.absent:

  311.     - user: {{ name }}

  312.     - name: {{ auth }}

  313.     - require:

  314.         - file: users_{{ name }}_user

  315.         - user: users_{{ name }}_user

  316. {% endfor %}

  317. {% endif %}

  318. 

  319. {% if 'ssh_config' in user %}

  320. users_ssh_config_{{ name }}:

  321.   file.managed:

  322.     - name: {{ home }}/.ssh/config

  323.     - user: {{ name }}

  324.     - group: {{ user_group }}

  325.     - mode: 640

  326.     - contents: |

  327.         # Managed by Saltstack

  328.         # Do Not Edit

  329.         {% for label, setting in user.ssh_config.items() %}

  330.         # {{ label }}

  331.         Host {{ setting.get('hostname') }}

  332.           {%- for opts in setting.get('options') %}

  333.           {{ opts }}

  334.           {%- endfor %}

  335.         {% endfor -%}

  336. {% endif %}

  337. 

  338. {% if 'ssh_known_hosts' in user %}

  339. {% for hostname, host in user['ssh_known_hosts'].items() %}

  340. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  341.   ssh_known_hosts.present:

  342.     - user: {{ name }}

  343.     - name: {{ hostname }}

  344.     {% if 'port' in host %}

  345.     - port: {{ host['port'] }}

  346.     {% endif -%}

  347.     {% if 'fingerprint' in host %}

  348.     - fingerprint: {{ host['fingerprint'] }}

  349.     {% endif -%}

  350.     {% if 'key' in host %}

  351.     - key: {{ host['key'] }}

  352.     {% endif -%}

  353.     {% if 'enc' in host %}

  354.     - enc: {{ host['enc'] }}

  355.     {% endif -%}

  356.     {% if 'hash_hostname' in host %}

  357.     - hash_hostname: {{ host['hash_hostname'] }}

  358.     {% endif -%}

  359. {% endfor %}

  360. {% endif %}

  361. 

  362. {% if 'ssh_known_hosts.absent' in user %}

  363. {% for host in user['ssh_known_hosts.absent'] %}

  364. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  365.   ssh_known_hosts.absent:

  366.     - user: {{ name }}

  367.     - name: {{ host }}

  368. {% endfor %}

  369. {% endif %}

  370. {% endif %}

  371. 

  372. {% set sudoers_d_filename = name|replace('.','_') %}

  373. {% if 'sudouser' in user and user['sudouser'] %}

  374. 

  375. users_sudoer-{{ name }}:

  376.   file.managed:

  377.     - replace: False

  378.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  379.     - user: root

  380.     - group: {{ users.root_group }}

  381.     - mode: '0440'

  382. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  383. #{#%

  384. {% if 'sudo_rules' in user %}

  385. {% for rule in user['sudo_rules'] %}

  386. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  387.   cmd.run:

  388.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  389.     - stateful: True

  390.     - shell: {{ users.visudo_shell }}

  391.     - env:

  392.       # Specify the rule via an env var to avoid shell quoting issues.

  393.       - rule: "{{ name }} {{ rule }}"

  394.     - require_in:

  395.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  396. {% endfor %}

  397. {% endif %}

  398. {% if 'sudo_defaults' in user %}

  399. {% for entry in user['sudo_defaults'] %}

  400. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  401.   cmd.run:

  402.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  403.     - stateful: True

  404.     - shell: {{ users.visudo_shell }}

  405.     - env:

  406.       # Specify the rule via an env var to avoid shell quoting issues.

  407.       - rule: "Defaults:{{ name }} {{ entry }}"

  408.     - require_in:

  409.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  410. {% endfor %}

  411. {% endif %}

  412. #%#}

  413. 

  414. users_{{ users.sudoers_dir }}/{{ name }}:

  415.   file.managed:

  416.     - replace: True

  417.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  418.     - contents: |

  419.       {%- if 'sudo_defaults' in user %}

  420.       {%- for entry in user['sudo_defaults'] %}

  421.         Defaults:{{ name }} {{ entry }}

  422.       {%- endfor %}

  423.       {%- endif %}

  424.       {%- if 'sudo_rules' in user %}

  425.         ########################################################################

  426.         # File managed by Salt (users-formula).

  427.         # Your changes will be overwritten.

  428.         ########################################################################

  429.         #

  430.       {%- for rule in user['sudo_rules'] %}

  431.         {{ name }} {{ rule }}

  432.       {%- endfor %}

  433.       {%- endif %}

  434.     - require:

  435.       - file: users_sudoer-defaults

  436.       - file: users_sudoer-{{ name }}

  437.   cmd.wait:

  438.     - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )

  439.     - watch:

  440.       - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  441. {% endif %}

  442. {% else %}

  443. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:

  444.   file.absent:

  445.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  446. {% endif %}

  447. 

  448. {%- if 'google_auth' in user %}

  449. {%- for svc in user['google_auth'] %}

  450. users_googleauth-{{ svc }}-{{ name }}:

  451.   file.managed:

  452.     - replace: false

  453.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  454.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  455.     - user: root

  456.     - group: {{ users.root_group }}

  457.     - mode: 400

  458.     - require:

  459.       - pkg: users_googleauth-package

  460. {%- endfor %}

  461. {%- endif %}

  462. 

  463. # this doesn't work (Salt bug), therefore need to run state.apply twice

  464. #include:

  465. #  - users

  466. #

  467. #git:

  468. #  pkg.installed:

  469. #    - require_in:

  470. #      - sls: users

  471. #

  472. {% if 'gitconfig' in user %}

  473. {% if salt['cmd.has_exec']('git') %}

  474. {% for key, value in user['gitconfig'].items() %}

  475. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  476.   {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  477.   git.config_set:

  478.   {% else %}

  479.   git.config:

  480.   {% endif %}

  481.     - name: {{ key }}

  482.     - value: "{{ value }}"

  483.     - user: {{ name }}

  484.     {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  485.     - global: True

  486.     {% else %}

  487.     - is_global: True

  488.     {% endif %}

  489. {% endfor %}

  490. {% endif %}

  491. {% endif %}

  492. 

  493. {% endfor %}

  494. 

  495. 

  496. {% for name, user in pillar.get('users', {}).items()

  497.         if user.absent is defined and user.absent %}

  498. users_absent_user_{{ name }}:

  499. {% if 'purge' in user or 'force' in user %}

  500.   user.absent:

  501.     - name: {{ name }}

  502.     {% if 'purge' in user %}

  503.     - purge: {{ user['purge'] }}

  504.     {% endif %}

  505.     {% if 'force' in user %}

  506.     - force: {{ user['force'] }}

  507.     {% endif %}

  508. {% else %}

  509.   user.absent:

  510.     - name: {{ name }}

  511. {% endif -%}

  512. users_{{ users.sudoers_dir }}/{{ name }}:

  513.   file.absent:

  514.     - name: {{ users.sudoers_dir }}/{{ name }}

  515. {% endfor %}

  516. 

  517. {% for user in pillar.get('absent_users', []) %}

  518. users_absent_user_2_{{ user }}:

  519.   user.absent:

  520.     - name: {{ user }}

  521. users_2_{{ users.sudoers_dir }}/{{ user }}:

  522.   file.absent:

  523.     - name: {{ users.sudoers_dir }}/{{ user }}

  524. {% endfor %}

  525. 

  526. {% for group in pillar.get('absent_groups', []) %}

  527. users_absent_group_{{ group }}:

  528.   group.absent:

  529.     - name: {{ group }}

  530. {% endfor %}