Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

607 lines
18KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {% set used_polkit = [] %}
  7. {% for group, setting in salt['pillar.get']('groups', {}).items() %}
  8. {% if setting.absent is defined and setting.absent or setting.get('state', "present") == 'absent' %}
  9. users_group_absent_{{ group }}:
  10. group.absent:
  11. - name: {{ group }}
  12. {% else %}
  13. users_group_present_{{ group }}:
  14. group.present:
  15. - name: {{ group }}
  16. - gid: {{ setting.get('gid', "null") }}
  17. - system: {{ setting.get('system',"False") }}
  18. - members: {{ setting.get('members')|json }}
  19. - addusers: {{ setting.get('addusers')|json }}
  20. - delusers: {{ setting.get('delusers')|json }}
  21. {% endif %}
  22. {% endfor %}
  23. {%- for name, user in pillar.get('users', {}).items()
  24. if user.absent is not defined or not user.absent %}
  25. {%- if user == None -%}
  26. {%- set user = {} -%}
  27. {%- endif -%}
  28. {%- if 'sudoonly' in user and user['sudoonly'] %}
  29. {%- set _dummy=user.update({'sudouser': True}) %}
  30. {%- endif %}
  31. {%- if 'sudouser' in user and user['sudouser'] %}
  32. {%- do used_sudo.append(1) %}
  33. {%- endif %}
  34. {%- if 'google_auth' in user %}
  35. {%- do used_googleauth.append(1) %}
  36. {%- endif %}
  37. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  38. {%- do used_user_files.append(1) %}
  39. {%- endif %}
  40. {%- if user.get('polkitadmin', False) == True %}
  41. {%- do used_polkit.append(1) %}
  42. {%- endif %}
  43. {%- endfor %}
  44. {%- if used_sudo or used_googleauth or used_user_files or used_polkit %}
  45. include:
  46. {%- if used_sudo %}
  47. - users.sudo
  48. {%- endif %}
  49. {%- if used_googleauth %}
  50. - users.googleauth
  51. {%- endif %}
  52. {%- if used_user_files %}
  53. - users.user_files
  54. {%- endif %}
  55. {%- if used_polkit %}
  56. - users.polkit
  57. {%- endif %}
  58. {%- endif %}
  59. {% for name, user in pillar.get('users', {}).items()
  60. if user.absent is not defined or not user.absent %}
  61. {%- if user == None -%}
  62. {%- set user = {} -%}
  63. {%- endif -%}
  64. {%- set current = salt.user.info(name) -%}
  65. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
  66. {%- set createhome = user.get('createhome', users.get('createhome')) -%}
  67. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  68. {%- set user_group = user.prime_group.name -%}
  69. {%- else -%}
  70. {%- set user_group = name -%}
  71. {%- endif %}
  72. {%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}
  73. {% for group in user.get('groups', []) %}
  74. users_{{ name }}_{{ group }}_group:
  75. group.present:
  76. - name: {{ group }}
  77. {% if group == 'sudo' %}
  78. - system: True
  79. {% endif %}
  80. {% endfor %}
  81. {# in case home subfolder doesn't exist, create it before the user exists #}
  82. {% if createhome -%}
  83. users_{{ name }}_user_prereq:
  84. file.directory:
  85. - name: {{ salt['file.dirname'](home) }}
  86. - makedirs: True
  87. - prereq:
  88. - user: users_{{ name }}_user
  89. {%- endif %}
  90. users_{{ name }}_user:
  91. {% if createhome -%}
  92. file.directory:
  93. - name: {{ home }}
  94. - user: {{ user.get('homedir_owner', name) }}
  95. - group: {{ user.get('homedir_group', user_group) }}
  96. - mode: {{ user.get('user_dir_mode', '0750') }}
  97. - makedirs: True
  98. - require:
  99. - user: users_{{ name }}_user
  100. - group: {{ user_group }}
  101. {%- endif %}
  102. group.present:
  103. - name: {{ user_group }}
  104. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  105. - gid: {{ user['prime_group']['gid'] }}
  106. {%- elif 'uid' in user %}
  107. - gid: {{ user['uid'] }}
  108. {%- endif %}
  109. {% if 'system' in user and user['system'] %}
  110. - system: True
  111. {% endif %}
  112. user.present:
  113. - name: {{ name }}
  114. - home: {{ home }}
  115. - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
  116. {% if 'uid' in user -%}
  117. - uid: {{ user['uid'] }}
  118. {% endif -%}
  119. {% if 'password' in user -%}
  120. - password: '{{ user['password'] }}'
  121. {% endif -%}
  122. {% if user.get('empty_password') -%}
  123. - empty_password: {{ user.get('empty_password') }}
  124. {% endif -%}
  125. {% if 'enforce_password' in user -%}
  126. - enforce_password: {{ user['enforce_password'] }}
  127. {% endif -%}
  128. {% if 'hash_password' in user -%}
  129. - hash_password: {{ user['hash_password'] }}
  130. {% endif -%}
  131. {% if user.get('system', False) -%}
  132. - system: True
  133. {% endif -%}
  134. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  135. - gid: {{ user['prime_group']['gid'] }}
  136. {% elif 'prime_group' in user and 'name' in user['prime_group'] %}
  137. - gid: {{ user['prime_group']['name'] }}
  138. {% else -%}
  139. - gid: {{ name }}
  140. {% endif -%}
  141. {% if 'fullname' in user %}
  142. - fullname: {{ user['fullname'] }}
  143. {% endif -%}
  144. {% if 'roomnumber' in user %}
  145. - roomnumber: {{ user['roomnumber'] }}
  146. {% endif %}
  147. {% if 'workphone' in user %}
  148. - workphone: {{ user['workphone'] }}
  149. {% endif %}
  150. {% if 'homephone' in user %}
  151. - homephone: {{ user['homephone'] }}
  152. {% endif %}
  153. - createhome: {{ createhome }}
  154. {% if not user.get('unique', True) %}
  155. - unique: False
  156. {% endif %}
  157. {%- if grains['saltversioninfo'] >= [2018, 3, 1] %}
  158. - allow_gid_change: {{ users.allow_gid_change if 'allow_gid_change' not in user else user['allow_gid_change'] }}
  159. {%- endif %}
  160. {% if 'expire' in user -%}
  161. {% if grains['kernel'].endswith('BSD') and
  162. user['expire'] < 157766400 %}
  163. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  164. - expire: {{ user['expire'] * 86400 }}
  165. {% elif grains['kernel'] == 'Linux' and
  166. user['expire'] > 84006 %}
  167. {# 2932896 days since epoch equals 9999-12-31 #}
  168. - expire: {{ (user['expire'] / 86400) | int }}
  169. {% else %}
  170. - expire: {{ user['expire'] }}
  171. {% endif %}
  172. {% endif -%}
  173. {% if 'mindays' in user %}
  174. - mindays: {{ user.get('mindays', None) }}
  175. {% endif %}
  176. {% if 'maxdays' in user %}
  177. - maxdays: {{ user.get('maxdays', None) }}
  178. {% endif %}
  179. {% if 'inactdays' in user %}
  180. - inactdays: {{ user.get('inactdays', None) }}
  181. {% endif %}
  182. {% if 'warndays' in user %}
  183. - warndays: {{ user.get('warndays', None) }}
  184. {% endif %}
  185. - remove_groups: {{ user.get('remove_groups', 'False') }}
  186. - groups:
  187. - {{ user_group }}
  188. {% for group in user.get('groups', []) -%}
  189. - {{ group }}
  190. {% endfor %}
  191. {% if 'optional_groups' in user %}
  192. - optional_groups:
  193. {% for optional_group in user['optional_groups'] -%}
  194. - {{ optional_group }}
  195. {% endfor %}
  196. {% endif %}
  197. - require:
  198. - group: {{ user_group }}
  199. {% for group in user.get('groups', []) -%}
  200. - group: {{ group }}
  201. {% endfor %}
  202. {% if 'ssh_keys' in user or
  203. 'ssh_auth' in user or
  204. 'ssh_auth_file' in user or
  205. 'ssh_auth_pillar' in user or
  206. 'ssh_auth.absent' in user or
  207. 'ssh_config' in user %}
  208. user_keydir_{{ name }}:
  209. file.directory:
  210. - name: {{ home }}/.ssh
  211. - user: {{ name }}
  212. - group: {{ user_group }}
  213. - makedirs: True
  214. - mode: 700
  215. - dir_mode: 700
  216. - require:
  217. - user: {{ name }}
  218. - group: {{ user_group }}
  219. {%- for group in user.get('groups', []) %}
  220. - group: {{ group }}
  221. {%- endfor %}
  222. {% endif %}
  223. {% if 'ssh_keys' in user %}
  224. {% for _key in user.ssh_keys.keys() %}
  225. {% if _key == 'privkey' %}
  226. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}
  227. {% elif _key == 'pubkey' %}
  228. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}
  229. {% else %}
  230. {% set key_name = _key %}
  231. {% endif %}
  232. users_{{ name }}_{{ key_name }}_key:
  233. file.managed:
  234. - name: {{ home }}/.ssh/{{ key_name }}
  235. - user: {{ name }}
  236. - group: {{ user_group }}
  237. {% if key_name.endswith(".pub") %}
  238. - mode: 644
  239. {% else %}
  240. - mode: 600
  241. {% endif %}
  242. - show_diff: False
  243. {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}
  244. {%- if 'salt://' in key_value[:7] %}
  245. - source: {{ key_value }}
  246. {%- else %}
  247. - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}
  248. {%- endif %}
  249. - require:
  250. - user: users_{{ name }}_user
  251. {% for group in user.get('groups', []) %}
  252. - group: users_{{ name }}_{{ group }}_group
  253. {% endfor %}
  254. {% endfor %}
  255. {% endif %}
  256. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  257. users_authorized_keys_{{ name }}:
  258. file.managed:
  259. - name: {{ home }}/.ssh/authorized_keys
  260. - user: {{ name }}
  261. - group: {{ user_group }}
  262. - mode: 600
  263. {% if 'ssh_auth_file' in user %}
  264. - contents: |
  265. {% for auth in user.ssh_auth_file -%}
  266. {{ auth }}
  267. {% endfor -%}
  268. {% else %}
  269. - contents: |
  270. {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
  271. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  272. {%- endfor %}
  273. {% endif %}
  274. {% endif %}
  275. {% if 'ssh_auth' in user %}
  276. {% for auth in user['ssh_auth'] %}
  277. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  278. ssh_auth.present:
  279. - user: {{ name }}
  280. - name: {{ auth }}
  281. - require:
  282. - file: user_keydir_{{ name }}
  283. - user: users_{{ name }}_user
  284. {% endfor %}
  285. {% endif %}
  286. {% if 'ssh_keys_pillar' in user %}
  287. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  288. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  289. file.managed:
  290. - name: {{ home }}/.ssh/{{ key_name }}
  291. - user: {{ name }}
  292. - group: {{ user_group }}
  293. - mode: 600
  294. - show_diff: False
  295. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  296. - require:
  297. - user: users_{{ name }}_user
  298. {% for group in user.get('groups', []) %}
  299. - group: users_{{ name }}_{{ group }}_group
  300. {% endfor %}
  301. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  302. file.managed:
  303. - name: {{ home }}/.ssh/{{ key_name }}.pub
  304. - user: {{ name }}
  305. - group: {{ user_group }}
  306. - mode: 644
  307. - show_diff: False
  308. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  309. - require:
  310. - user: users_{{ name }}_user
  311. {% for group in user.get('groups', []) %}
  312. - group: users_{{ name }}_{{ group }}_group
  313. {% endfor %}
  314. {% endfor %}
  315. {% endif %}
  316. {% if 'ssh_auth_sources' in user %}
  317. {% for pubkey_file in user['ssh_auth_sources'] %}
  318. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  319. ssh_auth.present:
  320. - user: {{ name }}
  321. - source: {{ pubkey_file }}
  322. - require:
  323. {% if createhome -%}
  324. - file: users_{{ name }}_user
  325. {% endif -%}
  326. - user: users_{{ name }}_user
  327. {% endfor %}
  328. {% endif %}
  329. {% if 'ssh_auth_sources.absent' in user %}
  330. {% for pubkey_file in user['ssh_auth_sources.absent'] %}
  331. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:
  332. ssh_auth.absent:
  333. - user: {{ name }}
  334. - source: {{ pubkey_file }}
  335. - require:
  336. {% if createhome -%}
  337. - file: users_{{ name }}_user
  338. {% endif -%}
  339. - user: users_{{ name }}_user
  340. {% endfor %}
  341. {% endif %}
  342. {% if 'ssh_auth.absent' in user %}
  343. {% for auth in user['ssh_auth.absent'] %}
  344. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  345. ssh_auth.absent:
  346. - user: {{ name }}
  347. - name: {{ auth }}
  348. - require:
  349. {% if createhome -%}
  350. - file: users_{{ name }}_user
  351. {% endif -%}
  352. - user: users_{{ name }}_user
  353. {% endfor %}
  354. {% endif %}
  355. {% if 'ssh_config' in user %}
  356. users_ssh_config_{{ name }}:
  357. file.managed:
  358. - name: {{ home }}/.ssh/config
  359. - user: {{ name }}
  360. - group: {{ user_group }}
  361. - mode: 640
  362. - contents: |
  363. # Managed by Saltstack
  364. # Do Not Edit
  365. {% for label, setting in user.ssh_config.items() %}
  366. # {{ label }}
  367. Host {{ setting.get('hostname') }}
  368. {%- for opts in setting.get('options') %}
  369. {{ opts }}
  370. {%- endfor %}
  371. {% endfor -%}
  372. {% endif %}
  373. {% if 'ssh_known_hosts' in user %}
  374. {% for hostname, host in user['ssh_known_hosts'].items() %}
  375. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  376. ssh_known_hosts.present:
  377. - user: {{ name }}
  378. - name: {{ hostname }}
  379. {% if 'port' in host %}
  380. - port: {{ host['port'] }}
  381. {% endif -%}
  382. {% if 'fingerprint' in host %}
  383. - fingerprint: {{ host['fingerprint'] }}
  384. {% endif -%}
  385. {% if 'key' in host %}
  386. - key: {{ host['key'] }}
  387. {% endif -%}
  388. {% if 'enc' in host %}
  389. - enc: {{ host['enc'] }}
  390. {% endif -%}
  391. {% if 'hash_known_hosts' in host %}
  392. - hash_known_hosts: {{ host['hash_known_hosts'] }}
  393. {% endif -%}
  394. {% if 'timeout' in host %}
  395. - timeout: {{ host['timeout'] }}
  396. {% endif -%}
  397. {% if 'fingerprint_hash_type' in host %}
  398. - fingerprint_hash_type: {{ host['fingerprint_hash_type'] }}
  399. {% endif -%}
  400. {% endfor %}
  401. {% endif %}
  402. {% if 'ssh_known_hosts.absent' in user %}
  403. {% for host in user['ssh_known_hosts.absent'] %}
  404. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  405. ssh_known_hosts.absent:
  406. - user: {{ name }}
  407. - name: {{ host }}
  408. {% endfor %}
  409. {% endif %}
  410. {% endif %}
  411. {% set sudoers_d_filename = name|replace('.','_') %}
  412. {% if 'sudouser' in user and user['sudouser'] %}
  413. users_sudoer-{{ name }}:
  414. file.managed:
  415. - replace: False
  416. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  417. - user: root
  418. - group: {{ users.root_group }}
  419. - mode: '0440'
  420. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  421. #{#%
  422. {% if 'sudo_rules' in user %}
  423. {% for rule in user['sudo_rules'] %}
  424. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  425. cmd.run:
  426. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  427. - stateful: True
  428. - shell: {{ users.visudo_shell }}
  429. - env:
  430. # Specify the rule via an env var to avoid shell quoting issues.
  431. - rule: "{{ name }} {{ rule }}"
  432. - require_in:
  433. - file: users_{{ users.sudoers_dir }}/{{ name }}
  434. {% endfor %}
  435. {% endif %}
  436. {% if 'sudo_defaults' in user %}
  437. {% for entry in user['sudo_defaults'] %}
  438. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  439. cmd.run:
  440. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  441. - stateful: True
  442. - shell: {{ users.visudo_shell }}
  443. - env:
  444. # Specify the rule via an env var to avoid shell quoting issues.
  445. - rule: "Defaults:{{ name }} {{ entry }}"
  446. - require_in:
  447. - file: users_{{ users.sudoers_dir }}/{{ name }}
  448. {% endfor %}
  449. {% endif %}
  450. #%#}
  451. users_{{ users.sudoers_dir }}/{{ name }}:
  452. file.managed:
  453. - replace: True
  454. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  455. - contents: |
  456. {%- if 'sudo_defaults' in user %}
  457. {%- for entry in user['sudo_defaults'] %}
  458. Defaults:{{ name }} {{ entry }}
  459. {%- endfor %}
  460. {%- endif %}
  461. {%- if 'sudo_rules' in user %}
  462. ########################################################################
  463. # File managed by Salt (users-formula).
  464. # Your changes will be overwritten.
  465. ########################################################################
  466. #
  467. {%- for rule in user['sudo_rules'] %}
  468. {{ name }} {{ rule }}
  469. {%- endfor %}
  470. {%- endif %}
  471. - require:
  472. - file: users_sudoer-defaults
  473. - file: users_sudoer-{{ name }}
  474. cmd.wait:
  475. - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )
  476. - watch:
  477. - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  478. {% endif %}
  479. {% else %}
  480. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
  481. file.absent:
  482. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  483. {% endif %}
  484. {%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
  485. {%- if 'google_auth' in user %}
  486. {%- for svc in user['google_auth'] %}
  487. users_googleauth-{{ svc }}-{{ name }}:
  488. file.managed:
  489. - replace: false
  490. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  491. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  492. - user: root
  493. - group: {{ users.root_group }}
  494. - mode: 400
  495. - require:
  496. - pkg: users_googleauth-package
  497. {%- endfor %}
  498. {%- endif %}
  499. {%- endif %}
  500. # this doesn't work (Salt bug), therefore need to run state.apply twice
  501. #include:
  502. # - users
  503. #
  504. #git:
  505. # pkg.installed:
  506. # - require_in:
  507. # - sls: users
  508. #
  509. {% if salt['cmd.has_exec']('git') %}
  510. {% if 'gitconfig' in user %}
  511. {% for key, value in user['gitconfig'].items() %}
  512. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  513. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  514. git.config_set:
  515. {% else %}
  516. git.config:
  517. {% endif %}
  518. - name: {{ key }}
  519. - value: "{{ value }}"
  520. - user: {{ name }}
  521. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  522. - global: True
  523. {% else %}
  524. - is_global: True
  525. {% endif %}
  526. {% endfor %}
  527. {% endif %}
  528. {% if 'gitconfig.absent' in user and grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  529. {% for key in user.get('gitconfig.absent') %}
  530. users_{{ name }}_user_gitconfig_absent_{{ key }}:
  531. git.config_unset:
  532. - name: '{{ key }}'
  533. - user: {{ name }}
  534. - global: True
  535. - all: True
  536. {% endfor %}
  537. {% endif %}
  538. {% endif %}
  539. {% endfor %}
  540. {% for name, user in pillar.get('users', {}).items()
  541. if user.absent is defined and user.absent %}
  542. users_absent_user_{{ name }}:
  543. {% if 'purge' in user or 'force' in user %}
  544. user.absent:
  545. - name: {{ name }}
  546. {% if 'purge' in user %}
  547. - purge: {{ user['purge'] }}
  548. {% endif %}
  549. {% if 'force' in user %}
  550. - force: {{ user['force'] }}
  551. {% endif %}
  552. {% else %}
  553. user.absent:
  554. - name: {{ name }}
  555. {% endif -%}
  556. users_{{ users.sudoers_dir }}/{{ name }}:
  557. file.absent:
  558. - name: {{ users.sudoers_dir }}/{{ name }}
  559. {% endfor %}
  560. {% for user in pillar.get('absent_users', []) %}
  561. users_absent_user_2_{{ user }}:
  562. user.absent:
  563. - name: {{ user }}
  564. users_2_{{ users.sudoers_dir }}/{{ user }}:
  565. file.absent:
  566. - name: {{ users.sudoers_dir }}/{{ user }}
  567. {% endfor %}
  568. {% for group in pillar.get('absent_groups', []) %}
  569. users_absent_group_{{ group }}:
  570. group.absent:
  571. - name: {{ group }}
  572. {% endfor %}