Saltstack Official Users Formula
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.

199 líneas
5.7KB

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. users-formula:
  5. use_vim_formula: true
  6. lookup: # override the defauls in map.jinja
  7. root_group: root
  8. # group initialization
  9. groups:
  10. foo:
  11. state: present
  12. gid: 1500
  13. system: false
  14. badguys:
  15. absent: true
  16. niceguys:
  17. gid: 4242
  18. system: false
  19. addusers: root
  20. delusers: toor
  21. ssl-cert:
  22. system: true
  23. members:
  24. - www-data
  25. - openldap
  26. users:
  27. ## Minimal required pillar values
  28. auser:
  29. fullname: A User
  30. ## Full list of pillar values
  31. buser:
  32. fullname: B User
  33. password: $6$w.............
  34. enforce_password: true
  35. # WARNING: If 'empty_password' is set to true, the 'password' statement
  36. # will be ignored by enabling password-less login for the user.
  37. empty_password: false
  38. hash_password: false
  39. system: false
  40. home: /custom/buser
  41. homedir_owner: buser
  42. homedir_group: primarygroup
  43. user_dir_mode: 750
  44. createhome: true
  45. roomnumber: "A-1"
  46. workphone: "(555) 555-5555"
  47. homephone: "(555) 555-5551"
  48. manage_vimrc: false
  49. allow_gid_change: false
  50. manage_bashrc: false
  51. manage_profile: false
  52. expire: 16426
  53. # Disables user management except sudo rules.
  54. # Useful for setting sudo rules for system accounts created by package instalation
  55. sudoonly: false
  56. sudouser: true
  57. # sudo_rules doesn't need the username as a prefix for the rule
  58. # this is added automatically by the formula.
  59. # ----------------------------------------------------------------------
  60. # In case your sudo_rules have a colon please have in mind to not leave
  61. # spaces around it. For example:
  62. # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
  63. # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
  64. sudo_rules:
  65. - ALL=(root) /usr/bin/find
  66. - ALL=(otheruser) /usr/bin/script.sh
  67. sudo_defaults:
  68. - '!requiretty'
  69. # enable polkitadmin to make user an AdminIdentity for polkit
  70. polkitadmin: true
  71. shell: /bin/bash
  72. remove_groups: false
  73. prime_group:
  74. name: primarygroup
  75. gid: 1501
  76. groups:
  77. - users
  78. optional_groups:
  79. - some_groups_that_might
  80. - not_exist_on_all_minions
  81. ssh_key_type: rsa
  82. ssh_keys:
  83. # You can inline the private keys ...
  84. # privkey: PRIVATEKEY
  85. # pubkey: PUBLICKEY
  86. # or you can provide path to key on Salt fileserver
  87. privkey: salt://path_to_PRIVATEKEY
  88. pubkey: salt://path_to_PUBLICKEY
  89. # you can provide multiple keys, the keyname is taken as filename
  90. # make sure your public keys suffix is .pub
  91. foobar: PRIVATEKEY
  92. foobar.pub: PUBLICKEY
  93. # ... or you can pull them from a different pillar,
  94. # for example one called "ssh_keys":
  95. ssh_keys_pillar:
  96. id_rsa: "ssh_keys"
  97. another_key_pair: "ssh_keys"
  98. ssh_auth:
  99. - PUBLICKEY
  100. ssh_auth.absent:
  101. - PUBLICKEY_TO_BE_REMOVED
  102. # Generates an authorized_keys file for the user
  103. # with the given keys
  104. ssh_auth_file:
  105. - PUBLICKEY
  106. # ... or you can pull them from a different pillar similar to ssh_keys_pillar
  107. ssh_auth_pillar:
  108. id_rsa: "ssh_keys"
  109. # If you prefer to keep public keys as files rather
  110. # than inline in pillar, this works.
  111. ssh_auth_sources:
  112. - salt://keys/buser.id_rsa.pub
  113. ssh_auth_sources.absent:
  114. - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
  115. # Manage the ~/.ssh/config file
  116. ssh_known_hosts:
  117. importanthost:
  118. port: 22
  119. fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
  120. key: PUBLICKEY
  121. enc: ssh-rsa
  122. hash_known_hosts: true
  123. timeout: 5
  124. fingerprint_hash_type: sha256
  125. ssh_known_hosts.absent:
  126. - notimportanthost
  127. ssh_config:
  128. all:
  129. hostname: "*"
  130. options:
  131. - "StrictHostKeyChecking no"
  132. - "UserKnownHostsFile=/dev/null"
  133. importanthost:
  134. hostname: "needcheck.example.com"
  135. options:
  136. - "StrictHostKeyChecking yes"
  137. # Using gitconfig without Git installed will result in an error
  138. # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
  139. # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
  140. gitconfig:
  141. user.name: B User
  142. user.email: buser@example.com
  143. "url.https://.insteadOf": "git://"
  144. gitconfig.absent:
  145. - push.default
  146. - color\..+
  147. google_2fa: true
  148. google_auth:
  149. sshd: |
  150. SOMEGAUTHHASHVAL
  151. " RESETTING_TIME_SKEW 46956472+2 46991595-2
  152. " RATE_LIMIT 3 30 1415800560
  153. " DISALLOW_REUSE 47193352
  154. " TOTP_AUTH
  155. 11111111
  156. 22222222
  157. 33333333
  158. 44444444
  159. 55555555
  160. # unique: true allows user to have non unique uid
  161. unique: false
  162. uid: 1001
  163. user_files:
  164. enabled: true
  165. # 'source' allows you to define an arbitrary directory to sync,
  166. # useful to use for default files.
  167. # should be a salt fileserver path either with or without 'salt://'
  168. # if not present, it defaults to 'salt://users/files/user/<username>
  169. source: users/files
  170. # template: jinja
  171. # You can specify octal mode for files and symlinks that will be copied.
  172. # Since version 2016.11.0 it's possible to use 'keep' for file_mode,
  173. # to preserve file original mode, thus you can save execution bit for example.
  174. file_mode: keep
  175. # You can specify octal mode for directories as well.
  176. # This won't work on Windows minions
  177. # dir_mode: 775
  178. sym_mode: 640
  179. exclude_pat: "*.gitignore"
  180. ## Absent user
  181. cuser:
  182. absent: true
  183. purge: true
  184. force: true
  185. ## Old syntax of absent_users still supported
  186. absent_users:
  187. - donald
  188. - bad_guy