Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

541 lines
16KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudoonly' in user and user['sudoonly'] %}
  12. {%- set _dummy=user.update({'sudouser': True}) %}
  13. {%- endif %}
  14. {%- if 'sudouser' in user and user['sudouser'] %}
  15. {%- do used_sudo.append(1) %}
  16. {%- endif %}
  17. {%- if 'google_auth' in user %}
  18. {%- do used_googleauth.append(1) %}
  19. {%- endif %}
  20. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  21. {%- do used_user_files.append(1) %}
  22. {%- endif %}
  23. {%- endfor %}
  24. {%- if used_sudo or used_googleauth or used_user_files %}
  25. include:
  26. {%- if used_sudo %}
  27. - users.sudo
  28. {%- endif %}
  29. {%- if used_googleauth %}
  30. - users.googleauth
  31. {%- endif %}
  32. {%- if used_user_files %}
  33. - users.user_files
  34. {%- endif %}
  35. {%- endif %}
  36. {% for name, user in pillar.get('users', {}).items()
  37. if user.absent is not defined or not user.absent %}
  38. {%- if user == None -%}
  39. {%- set user = {} -%}
  40. {%- endif -%}
  41. {%- set current = salt.user.info(name) -%}
  42. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
  43. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  44. {%- set user_group = user.prime_group.name -%}
  45. {%- else -%}
  46. {%- set user_group = name -%}
  47. {%- endif %}
  48. {%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}
  49. {% for group in user.get('groups', []) %}
  50. users_{{ name }}_{{ group }}_group:
  51. group.present:
  52. - name: {{ group }}
  53. {% if group == 'sudo' %}
  54. - system: True
  55. {% endif %}
  56. {% endfor %}
  57. {# in case home subfolder doesn't exist, create it before the user exists #}
  58. {% if user.get('createhome', True) %}
  59. users_{{ name }}_user_prereq:
  60. file.directory:
  61. - name: {{ home }}
  62. - makedirs: True
  63. - prereq:
  64. - user: users_{{ name }}_user
  65. {%- endif %}
  66. users_{{ name }}_user:
  67. {% if user.get('createhome', True) %}
  68. file.directory:
  69. - name: {{ home }}
  70. - user: {{ user.get('homedir_owner', name) }}
  71. - group: {{ user.get('homedir_group', user_group) }}
  72. - mode: {{ user.get('user_dir_mode', '0750') }}
  73. - makedirs: True
  74. - require:
  75. - user: users_{{ name }}_user
  76. - group: {{ user_group }}
  77. {%- endif %}
  78. group.present:
  79. - name: {{ user_group }}
  80. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  81. - gid: {{ user['prime_group']['gid'] }}
  82. {%- elif 'uid' in user %}
  83. - gid: {{ user['uid'] }}
  84. {%- endif %}
  85. {% if 'system' in user and user['system'] %}
  86. - system: True
  87. {% endif %}
  88. user.present:
  89. - name: {{ name }}
  90. - home: {{ home }}
  91. - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
  92. {% if 'uid' in user -%}
  93. - uid: {{ user['uid'] }}
  94. {% endif -%}
  95. {% if 'password' in user -%}
  96. - password: '{{ user['password'] }}'
  97. {% endif -%}
  98. {% if user.get('empty_password') -%}
  99. - empty_password: {{ user.get('empty_password') }}
  100. {% endif -%}
  101. {% if 'enforce_password' in user -%}
  102. - enforce_password: {{ user['enforce_password'] }}
  103. {% endif -%}
  104. {% if 'hash_password' in user -%}
  105. - hash_password: {{ user['hash_password'] }}
  106. {% endif -%}
  107. {% if user.get('system', False) -%}
  108. - system: True
  109. {% endif -%}
  110. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  111. - gid: {{ user['prime_group']['gid'] }}
  112. {% elif 'prime_group' in user and 'name' in user['prime_group'] %}
  113. - gid: {{ user['prime_group']['name'] }}
  114. {% else -%}
  115. - gid_from_name: True
  116. {% endif -%}
  117. {% if 'fullname' in user %}
  118. - fullname: {{ user['fullname'] }}
  119. {% endif -%}
  120. {% if 'roomnumber' in user %}
  121. - roomnumber: {{ user['roomnumber'] }}
  122. {% endif %}
  123. {% if 'workphone' in user %}
  124. - workphone: {{ user['workphone'] }}
  125. {% endif %}
  126. {% if 'homephone' in user %}
  127. - homephone: {{ user['homephone'] }}
  128. {% endif %}
  129. {% if not user.get('createhome', True) %}
  130. - createhome: False
  131. {% endif %}
  132. {% if not user.get('unique', True) %}
  133. - unique: False
  134. {% endif %}
  135. {% if 'expire' in user -%}
  136. {% if grains['kernel'].endswith('BSD') and
  137. user['expire'] < 157766400 %}
  138. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  139. - expire: {{ user['expire'] * 86400 }}
  140. {% elif grains['kernel'] == 'Linux' and
  141. user['expire'] > 84006 %}
  142. {# 2932896 days since epoch equals 9999-12-31 #}
  143. - expire: {{ (user['expire'] / 86400) | int}}
  144. {% else %}
  145. - expire: {{ user['expire'] }}
  146. {% endif %}
  147. {% endif -%}
  148. - remove_groups: {{ user.get('remove_groups', 'False') }}
  149. - groups:
  150. - {{ user_group }}
  151. {% for group in user.get('groups', []) -%}
  152. - {{ group }}
  153. {% endfor %}
  154. {% if 'optional_groups' in user %}
  155. - optional_groups:
  156. {% for optional_group in user['optional_groups'] -%}
  157. - {{optional_group}}
  158. {% endfor %}
  159. {% endif %}
  160. - require:
  161. - group: {{ user_group }}
  162. {% for group in user.get('groups', []) -%}
  163. - group: {{ group }}
  164. {% endfor %}
  165. {% if 'ssh_keys' in user or
  166. 'ssh_auth' in user or
  167. 'ssh_auth_file' in user or
  168. 'ssh_auth_pillar' in user or
  169. 'ssh_auth.absent' in user or
  170. 'ssh_config' in user %}
  171. user_keydir_{{ name }}:
  172. file.directory:
  173. - name: {{ home }}/.ssh
  174. - user: {{ name }}
  175. - group: {{ user_group }}
  176. - makedirs: True
  177. - mode: 700
  178. - require:
  179. - user: {{ name }}
  180. - group: {{ user_group }}
  181. {%- for group in user.get('groups', []) %}
  182. - group: {{ group }}
  183. {%- endfor %}
  184. {% endif %}
  185. {% if 'ssh_keys' in user %}
  186. {% for _key in user.ssh_keys.keys() %}
  187. {% if _key == 'privkey' %}
  188. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}
  189. {% elif _key == 'pubkey' %}
  190. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}
  191. {% else %}
  192. {% set key_name = _key %}
  193. {% endif %}
  194. users_{{ name }}_{{ key_name }}_key:
  195. file.managed:
  196. - name: {{ home }}/.ssh/{{ key_name }}
  197. - user: {{ name }}
  198. - group: {{ user_group }}
  199. {% if key_name.endswith(".pub") %}
  200. - mode: 644
  201. {% else %}
  202. - mode: 600
  203. {% endif %}
  204. - show_diff: False
  205. {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}
  206. {%- if 'salt://' in key_value[:7] %}
  207. - source: {{ key_value }}
  208. {%- else %}
  209. - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}
  210. {%- endif %}
  211. - require:
  212. - user: users_{{ name }}_user
  213. {% for group in user.get('groups', []) %}
  214. - group: users_{{ name }}_{{ group }}_group
  215. {% endfor %}
  216. {% endfor %}
  217. {% endif %}
  218. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  219. users_authorized_keys_{{ name }}:
  220. file.managed:
  221. - name: {{ home }}/.ssh/authorized_keys
  222. - user: {{ name }}
  223. - group: {{ user_group }}
  224. - mode: 600
  225. {% if 'ssh_auth_file' in user %}
  226. - contents: |
  227. {% for auth in user.ssh_auth_file -%}
  228. {{ auth }}
  229. {% endfor -%}
  230. {% else %}
  231. - contents: |
  232. {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
  233. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  234. {%- endfor %}
  235. {% endif %}
  236. {% endif %}
  237. {% if 'ssh_auth' in user %}
  238. {% for auth in user['ssh_auth'] %}
  239. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  240. ssh_auth.present:
  241. - user: {{ name }}
  242. - name: {{ auth }}
  243. - require:
  244. - file: user_keydir_{{ name }}
  245. - user: users_{{ name }}_user
  246. {% endfor %}
  247. {% endif %}
  248. {% if 'ssh_keys_pillar' in user %}
  249. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  250. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  251. file.managed:
  252. - name: {{ home }}/.ssh/{{ key_name }}
  253. - user: {{ name }}
  254. - group: {{ user_group }}
  255. - mode: 600
  256. - show_diff: False
  257. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  258. - require:
  259. - user: users_{{ name }}_user
  260. {% for group in user.get('groups', []) %}
  261. - group: users_{{ name }}_{{ group }}_group
  262. {% endfor %}
  263. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  264. file.managed:
  265. - name: {{ home }}/.ssh/{{ key_name }}.pub
  266. - user: {{ name }}
  267. - group: {{ user_group }}
  268. - mode: 644
  269. - show_diff: False
  270. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  271. - require:
  272. - user: users_{{ name }}_user
  273. {% for group in user.get('groups', []) %}
  274. - group: users_{{ name }}_{{ group }}_group
  275. {% endfor %}
  276. {% endfor %}
  277. {% endif %}
  278. {% if 'ssh_auth_sources' in user %}
  279. {% for pubkey_file in user['ssh_auth_sources'] %}
  280. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  281. ssh_auth.present:
  282. - user: {{ name }}
  283. - source: {{ pubkey_file }}
  284. - require:
  285. - file: users_{{ name }}_user
  286. - user: users_{{ name }}_user
  287. {% endfor %}
  288. {% endif %}
  289. {% if 'ssh_auth_sources.absent' in user %}
  290. {% for pubkey_file in user['ssh_auth_sources.absent'] %}
  291. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:
  292. ssh_auth.absent:
  293. - user: {{ name }}
  294. - source: {{ pubkey_file }}
  295. - require:
  296. - file: users_{{ name }}_user
  297. - user: users_{{ name }}_user
  298. {% endfor %}
  299. {% endif %}
  300. {% if 'ssh_auth.absent' in user %}
  301. {% for auth in user['ssh_auth.absent'] %}
  302. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  303. ssh_auth.absent:
  304. - user: {{ name }}
  305. - name: {{ auth }}
  306. - require:
  307. - file: users_{{ name }}_user
  308. - user: users_{{ name }}_user
  309. {% endfor %}
  310. {% endif %}
  311. {% if 'ssh_config' in user %}
  312. users_ssh_config_{{ name }}:
  313. file.managed:
  314. - name: {{ home }}/.ssh/config
  315. - user: {{ name }}
  316. - group: {{ user_group }}
  317. - mode: 640
  318. - contents: |
  319. # Managed by Saltstack
  320. # Do Not Edit
  321. {% for label, setting in user.ssh_config.items() %}
  322. # {{ label }}
  323. Host {{ setting.get('hostname') }}
  324. {%- for opts in setting.get('options') %}
  325. {{ opts }}
  326. {%- endfor %}
  327. {% endfor -%}
  328. {% endif %}
  329. {% if 'ssh_known_hosts' in user %}
  330. {% for hostname, host in user['ssh_known_hosts'].items() %}
  331. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  332. ssh_known_hosts.present:
  333. - user: {{ name }}
  334. - name: {{ hostname }}
  335. {% if 'port' in host %}
  336. - port: {{ host['port'] }}
  337. {% endif -%}
  338. {% if 'fingerprint' in host %}
  339. - fingerprint: {{ host['fingerprint'] }}
  340. {% endif -%}
  341. {% if 'key' in host %}
  342. - key: {{ host['key'] }}
  343. {% endif -%}
  344. {% if 'enc' in host %}
  345. - enc: {{ host['enc'] }}
  346. {% endif -%}
  347. {% if 'hash_hostname' in host %}
  348. - hash_hostname: {{ host['hash_hostname'] }}
  349. {% endif -%}
  350. {% endfor %}
  351. {% endif %}
  352. {% if 'ssh_known_hosts.absent' in user %}
  353. {% for host in user['ssh_known_hosts.absent'] %}
  354. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  355. ssh_known_hosts.absent:
  356. - user: {{ name }}
  357. - name: {{ host }}
  358. {% endfor %}
  359. {% endif %}
  360. {% endif %}
  361. {% set sudoers_d_filename = name|replace('.','_') %}
  362. {% if 'sudouser' in user and user['sudouser'] %}
  363. users_sudoer-{{ name }}:
  364. file.managed:
  365. - replace: False
  366. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  367. - user: root
  368. - group: {{ users.root_group }}
  369. - mode: '0440'
  370. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  371. #{#%
  372. {% if 'sudo_rules' in user %}
  373. {% for rule in user['sudo_rules'] %}
  374. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  375. cmd.run:
  376. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  377. - stateful: True
  378. - shell: {{ users.visudo_shell }}
  379. - env:
  380. # Specify the rule via an env var to avoid shell quoting issues.
  381. - rule: "{{ name }} {{ rule }}"
  382. - require_in:
  383. - file: users_{{ users.sudoers_dir }}/{{ name }}
  384. {% endfor %}
  385. {% endif %}
  386. {% if 'sudo_defaults' in user %}
  387. {% for entry in user['sudo_defaults'] %}
  388. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  389. cmd.run:
  390. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  391. - stateful: True
  392. - shell: {{ users.visudo_shell }}
  393. - env:
  394. # Specify the rule via an env var to avoid shell quoting issues.
  395. - rule: "Defaults:{{ name }} {{ entry }}"
  396. - require_in:
  397. - file: users_{{ users.sudoers_dir }}/{{ name }}
  398. {% endfor %}
  399. {% endif %}
  400. #%#}
  401. users_{{ users.sudoers_dir }}/{{ name }}:
  402. file.managed:
  403. - replace: True
  404. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  405. - contents: |
  406. {%- if 'sudo_defaults' in user %}
  407. {%- for entry in user['sudo_defaults'] %}
  408. Defaults:{{ name }} {{ entry }}
  409. {%- endfor %}
  410. {%- endif %}
  411. {%- if 'sudo_rules' in user %}
  412. ########################################################################
  413. # File managed by Salt (users-formula).
  414. # Your changes will be overwritten.
  415. ########################################################################
  416. #
  417. {%- for rule in user['sudo_rules'] %}
  418. {{ name }} {{ rule }}
  419. {%- endfor %}
  420. {%- endif %}
  421. - require:
  422. - file: users_sudoer-defaults
  423. - file: users_sudoer-{{ name }}
  424. cmd.wait:
  425. - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )
  426. - watch:
  427. - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  428. {% endif %}
  429. {% else %}
  430. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
  431. file.absent:
  432. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  433. {% endif %}
  434. {%- if 'google_auth' in user %}
  435. {%- for svc in user['google_auth'] %}
  436. users_googleauth-{{ svc }}-{{ name }}:
  437. file.managed:
  438. - replace: false
  439. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  440. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  441. - user: root
  442. - group: {{ users.root_group }}
  443. - mode: 400
  444. - require:
  445. - pkg: users_googleauth-package
  446. {%- endfor %}
  447. {%- endif %}
  448. # this doesn't work (Salt bug), therefore need to run state.apply twice
  449. #include:
  450. # - users
  451. #
  452. #git:
  453. # pkg.installed:
  454. # - require_in:
  455. # - sls: users
  456. #
  457. {% if 'gitconfig' in user %}
  458. {% if salt['cmd.has_exec']('git') %}
  459. {% for key, value in user['gitconfig'].items() %}
  460. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  461. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  462. git.config_set:
  463. {% else %}
  464. git.config:
  465. {% endif %}
  466. - name: {{ key }}
  467. - value: "{{ value }}"
  468. - user: {{ name }}
  469. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  470. - global: True
  471. {% else %}
  472. - is_global: True
  473. {% endif %}
  474. {% endfor %}
  475. {% endif %}
  476. {% endif %}
  477. {% endfor %}
  478. {% for name, user in pillar.get('users', {}).items()
  479. if user.absent is defined and user.absent %}
  480. users_absent_user_{{ name }}:
  481. {% if 'purge' in user or 'force' in user %}
  482. user.absent:
  483. - name: {{ name }}
  484. {% if 'purge' in user %}
  485. - purge: {{ user['purge'] }}
  486. {% endif %}
  487. {% if 'force' in user %}
  488. - force: {{ user['force'] }}
  489. {% endif %}
  490. {% else %}
  491. user.absent:
  492. - name: {{ name }}
  493. {% endif -%}
  494. users_{{ users.sudoers_dir }}/{{ name }}:
  495. file.absent:
  496. - name: {{ users.sudoers_dir }}/{{ name }}
  497. {% endfor %}
  498. {% for user in pillar.get('absent_users', []) %}
  499. users_absent_user_2_{{ user }}:
  500. user.absent:
  501. - name: {{ user }}
  502. users_2_{{ users.sudoers_dir }}/{{ user }}:
  503. file.absent:
  504. - name: {{ users.sudoers_dir }}/{{ user }}
  505. {% endfor %}
  506. {% for group in pillar.get('absent_groups', []) %}
  507. users_absent_group_{{ group }}:
  508. group.absent:
  509. - name: {{ group }}
  510. {% endfor %}