ExternalMirrors
/
users-formula
ミラー元 https://github.com/saltstack-formulas/users-formula
ウォッチ 1
スター 0
フォーク 1
コード 課題 0 リリース 13 Wiki アクティビティ
Saltstack Official Users Formula
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
257 コミット
3 ブランチ
ツリー: 72ef35fdfa
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'72ef35fdfa' から
${ noResults }
users-formula/users/init.sls

523 行
15KB
Raw Blame 履歴 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudoonly' in user and user['sudoonly'] %}

  13. {%- set _dummy=user.update({'sudouser': True}) %}

  14. {%- endif %}

  15. {%- if 'sudouser' in user and user['sudouser'] %}

  16. {%- do used_sudo.append(1) %}

  17. {%- endif %}

  18. {%- if 'google_auth' in user %}

  19. {%- do used_googleauth.append(1) %}

  20. {%- endif %}

  21. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  22. {%- do used_user_files.append(1) %}

  23. {%- endif %}

  24. {%- endfor %}

  25. 

  26. {%- if used_sudo or used_googleauth or used_user_files %}

  27. include:

  28. {%- if used_sudo %}

  29.   - users.sudo

  30. {%- endif %}

  31. {%- if used_googleauth %}

  32.   - users.googleauth

  33. {%- endif %}

  34. {%- if used_user_files %}

  35.   - users.user_files

  36. {%- endif %}

  37. {%- endif %}

  38. 

  39. {% for name, user in pillar.get('users', {}).items()

  40.         if user.absent is not defined or not user.absent %}

  41. {%- if user == None -%}

  42. {%- set user = {} -%}

  43. {%- endif -%}

  44. {%- set current = salt.user.info(name) -%}

  45. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  46. 

  47. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  48. {%- set user_group = user.prime_group.name -%}

  49. {%- else -%}

  50. {%- set user_group = name -%}

  51. {%- endif %}

  52. 

  53. {%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}

  54. {% for group in user.get('groups', []) %}

  55. users_{{ name }}_{{ group }}_group:

  56.   group.present:

  57.     - name: {{ group }}

  58.     {% if group == 'sudo' %}

  59.     - system: True

  60.     {% endif %}

  61. {% endfor %}

  62. 

  63. users_{{ name }}_user:

  64.   {% if user.get('createhome', True) %}

  65.   file.directory:

  66.     - name: {{ home }}

  67.     - user: {{ user.get('homedir_owner', name) }}

  68.     - group: {{ user.get('homedir_group', user_group) }}

  69.     - mode: {{ user.get('user_dir_mode', '0750') }}

  70.     - require:

  71.       - user: users_{{ name }}_user

  72.       - group: {{ user_group }}

  73.   {%- endif %}

  74.   group.present:

  75.     - name: {{ user_group }}

  76.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  77.     - gid: {{ user['prime_group']['gid'] }}

  78.     {%- elif 'uid' in user %}

  79.     - gid: {{ user['uid'] }}

  80.     {%- endif %}

  81.     {% if 'system' in user and user['system'] %}

  82.     - system: True

  83.     {% endif %}

  84.   user.present:

  85.     - name: {{ name }}

  86.     - home: {{ home }}

  87.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  88.     {% if 'uid' in user -%}

  89.     - uid: {{ user['uid'] }}

  90.     {% endif -%}

  91.     {% if 'password' in user -%}

  92.     - password: '{{ user['password'] }}'

  93.     {% endif -%}

  94.     {% if user.get('empty_password') -%}

  95.     - empty_password: {{ user.get('empty_password') }}

  96.     {% endif -%}

  97.     {% if 'enforce_password' in user -%}

  98.     - enforce_password: {{ user['enforce_password'] }}

  99.     {% endif -%}

  100.     {% if 'hash_password' in user -%}

  101.     - hash_password: {{ user['hash_password'] }}

  102.     {% endif -%}

  103.     {% if user.get('system', False) -%}

  104.     - system: True

  105.     {% endif -%}

  106.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  107.     - gid: {{ user['prime_group']['gid'] }}

  108.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  109.     - gid: {{ user['prime_group']['name'] }}

  110.     {% else -%}

  111.     - gid_from_name: True

  112.     {% endif -%}

  113.     {% if 'fullname' in user %}

  114.     - fullname: {{ user['fullname'] }}

  115.     {% endif -%}

  116.     {% if 'roomnumber' in user %}

  117.     - roomnumber: {{ user['roomnumber'] }}

  118.     {% endif %}

  119.     {% if 'workphone' in user %}

  120.     - workphone: {{ user['workphone'] }}

  121.     {% endif %}

  122.     {% if 'homephone' in user %}

  123.     - homephone: {{ user['workphone'] }}

  124.     {% endif %}

  125.     {% if not user.get('createhome', True) %}

  126.     - createhome: False

  127.     {% endif %}

  128.     {% if 'expire' in user -%}

  129.         {% if grains['kernel'].endswith('BSD') and

  130.             user['expire'] < 157766400 %}

  131.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  132.     - expire: {{ user['expire'] * 86400 }}

  133.         {% elif grains['kernel'] == 'Linux' and

  134.             user['expire'] > 84006 %}

  135.         {# 2932896 days since epoch equals 9999-12-31 #}

  136.     - expire: {{ (user['expire'] / 86400) | int}}

  137.         {% else %}

  138.     - expire: {{ user['expire'] }}

  139.         {% endif %}

  140.     {% endif -%}

  141.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  142.     - groups:

  143.       - {{ user_group }}

  144.       {% for group in user.get('groups', []) -%}

  145.       - {{ group }}

  146.       {% endfor %}

  147.     {% if 'optional_groups' in user %}

  148.     - optional_groups:

  149.       {% for optional_group in user['optional_groups'] -%}

  150.       - {{optional_group}}

  151.       {% endfor %}

  152.     {% endif %}

  153.     - require:

  154.       - group: {{ user_group }}

  155.       {% for group in user.get('groups', []) -%}

  156.       - group: {{ group }}

  157.       {% endfor %}

  158. 

  159. 

  160.   {% if 'ssh_keys' in user or

  161.       'ssh_auth' in user or

  162.       'ssh_auth_file' in user or

  163.       'ssh_auth_pillar' in user or

  164.       'ssh_auth.absent' in user or

  165.       'ssh_config' in user %}

  166. user_keydir_{{ name }}:

  167.   file.directory:

  168.     - name: {{ home }}/.ssh

  169.     - user: {{ name }}

  170.     - group: {{ user_group }}

  171.     - makedirs: True

  172.     - mode: 700

  173.     - require:

  174.       - user: {{ name }}

  175.       - group: {{ user_group }}

  176.       {%- for group in user.get('groups', []) %}

  177.       - group: {{ group }}

  178.       {%- endfor %}

  179.   {% endif %}

  180. 

  181.   {% if 'ssh_keys' in user %}

  182.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  183. users_user_{{ name }}_private_key:

  184.   file.managed:

  185.     - name: {{ home }}/.ssh/{{ key_type }}

  186.     - user: {{ name }}

  187.     - group: {{ user_group }}

  188.     - mode: 600

  189.     - show_diff: False

  190.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  191.     - require:

  192.       - user: users_{{ name }}_user

  193.       {% for group in user.get('groups', []) %}

  194.       - group: users_{{ name }}_{{ group }}_group

  195.       {% endfor %}

  196. users_user_{{ name }}_public_key:

  197.   file.managed:

  198.     - name: {{ home }}/.ssh/{{ key_type }}.pub

  199.     - user: {{ name }}

  200.     - group: {{ user_group }}

  201.     - mode: 644

  202.     - show_diff: False

  203.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  204.     - require:

  205.       - user: users_{{ name }}_user

  206.       {% for group in user.get('groups', []) %}

  207.       - group: users_{{ name }}_{{ group }}_group

  208.       {% endfor %}

  209.   {% endif %}

  210. 

  211. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  212. users_authorized_keys_{{ name }}:

  213.   file.managed:

  214.     - name: {{ home }}/.ssh/authorized_keys

  215.     - user: {{ name }}

  216.     - group: {{ user_group }}

  217.     - mode: 600

  218. {% if 'ssh_auth_file' in user %}

  219.     - contents: |

  220.         {% for auth in user.ssh_auth_file -%}

  221.         {{ auth }}

  222.         {% endfor -%}

  223. {% else %}

  224.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  225.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  226.         {%- endfor %}

  227. {% endif %}

  228. {% endif %}

  229. 

  230. {% if 'ssh_auth' in user %}

  231. {% for auth in user['ssh_auth'] %}

  232. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  233.   ssh_auth.present:

  234.     - user: {{ name }}

  235.     - name: {{ auth }}

  236.     - require:

  237.         - file: user_keydir_{{ name }}

  238.         - user: users_{{ name }}_user

  239. {% endfor %}

  240. {% endif %}

  241. 

  242. {% if 'ssh_keys_pillar' in user %}

  243. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  244. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  245.   file.managed:

  246.     - name: {{ home }}/.ssh/{{ key_name }}

  247.     - user: {{ name }}

  248.     - group: {{ user_group }}

  249.     - mode: 600

  250.     - show_diff: False

  251.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  252.     - require:

  253.       - user: users_{{ name }}_user

  254.       {% for group in user.get('groups', []) %}

  255.       - group: users_{{ name }}_{{ group }}_group

  256.       {% endfor %}

  257. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  258.   file.managed:

  259.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  260.     - user: {{ name }}

  261.     - group: {{ user_group }}

  262.     - mode: 644

  263.     - show_diff: False

  264.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  265.     - require:

  266.       - user: users_{{ name }}_user

  267.       {% for group in user.get('groups', []) %}

  268.       - group: users_{{ name }}_{{ group }}_group

  269.       {% endfor %}

  270. {% endfor %}

  271. {% endif %}

  272. 

  273. {% if 'ssh_auth_sources' in user %}

  274. {% for pubkey_file in user['ssh_auth_sources'] %}

  275. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  276.   ssh_auth.present:

  277.     - user: {{ name }}

  278.     - source: {{ pubkey_file }}

  279.     - require:

  280.         - file: users_{{ name }}_user

  281.         - user: users_{{ name }}_user

  282. {% endfor %}

  283. {% endif %}

  284. 

  285. {% if 'ssh_auth_sources.absent' in user %}

  286. {% for pubkey_file in user['ssh_auth_sources.absent'] %}

  287. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:

  288.   ssh_auth.absent:

  289.     - user: {{ name }}

  290.     - source: {{ pubkey_file }}

  291.     - require:

  292.         - file: users_{{ name }}_user

  293.         - user: users_{{ name }}_user

  294. {% endfor %}

  295. {% endif %}

  296. 

  297. {% if 'ssh_auth.absent' in user %}

  298. {% for auth in user['ssh_auth.absent'] %}

  299. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  300.   ssh_auth.absent:

  301.     - user: {{ name }}

  302.     - name: {{ auth }}

  303.     - require:

  304.         - file: users_{{ name }}_user

  305.         - user: users_{{ name }}_user

  306. {% endfor %}

  307. {% endif %}

  308. 

  309. {% if 'ssh_config' in user %}

  310. users_ssh_config_{{ name }}:

  311.   file.managed:

  312.     - name: {{ home }}/.ssh/config

  313.     - user: {{ name }}

  314.     - group: {{ user_group }}

  315.     - mode: 640

  316.     - contents: |

  317.         # Managed by Saltstack

  318.         # Do Not Edit

  319.         {% for label, setting in user.ssh_config.items() %}

  320.         # {{ label }}

  321.         Host {{ setting.get('hostname') }}

  322.           {%- for opts in setting.get('options') %}

  323.           {{ opts }}

  324.           {%- endfor %}

  325.         {% endfor -%}

  326. {% endif %}

  327. 

  328. {% if 'ssh_known_hosts' in user %}

  329. {% for hostname, host in user['ssh_known_hosts'].items() %}

  330. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  331.   ssh_known_hosts.present:

  332.     - user: {{ name }}

  333.     - name: {{ hostname }}

  334.     {% if 'port' in host %}

  335.     - port: {{ host['port'] }}

  336.     {% endif -%}

  337.     {% if 'fingerprint' in host %}

  338.     - fingerprint: {{ host['fingerprint'] }}

  339.     {% endif -%}

  340.     {% if 'key' in host %}

  341.     - key: {{ host['key'] }}

  342.     {% endif -%}

  343.     {% if 'enc' in host %}

  344.     - enc: {{ host['enc'] }}

  345.     {% endif -%}

  346.     {% if 'hash_hostname' in host %}

  347.     - hash_hostname: {{ host['hash_hostname'] }}

  348.     {% endif -%}

  349. {% endfor %}

  350. {% endif %}

  351. 

  352. {% if 'ssh_known_hosts.absent' in user %}

  353. {% for host in user['ssh_known_hosts.absent'] %}

  354. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  355.   ssh_known_hosts.absent:

  356.     - user: {{ name }}

  357.     - name: {{ host }}

  358. {% endfor %}

  359. {% endif %}

  360. {% endif %}

  361. 

  362. {% set sudoers_d_filename = name|replace('.','_') %}

  363. {% if 'sudouser' in user and user['sudouser'] %}

  364. 

  365. users_sudoer-{{ name }}:

  366.   file.managed:

  367.     - replace: False

  368.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  369.     - user: root

  370.     - group: {{ users.root_group }}

  371.     - mode: '0440'

  372. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  373. #{#%

  374. {% if 'sudo_rules' in user %}

  375. {% for rule in user['sudo_rules'] %}

  376. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  377.   cmd.run:

  378.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  379.     - stateful: True

  380.     - shell: {{ users.visudo_shell }}

  381.     - env:

  382.       # Specify the rule via an env var to avoid shell quoting issues.

  383.       - rule: "{{ name }} {{ rule }}"

  384.     - require_in:

  385.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  386. {% endfor %}

  387. {% endif %}

  388. {% if 'sudo_defaults' in user %}

  389. {% for entry in user['sudo_defaults'] %}

  390. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  391.   cmd.run:

  392.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  393.     - stateful: True

  394.     - shell: {{ users.visudo_shell }}

  395.     - env:

  396.       # Specify the rule via an env var to avoid shell quoting issues.

  397.       - rule: "Defaults:{{ name }} {{ entry }}"

  398.     - require_in:

  399.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  400. {% endfor %}

  401. {% endif %}

  402. #%#}

  403. 

  404. users_{{ users.sudoers_dir }}/{{ name }}:

  405.   file.managed:

  406.     - replace: True

  407.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  408.     - contents: |

  409.       {%- if 'sudo_defaults' in user %}

  410.       {%- for entry in user['sudo_defaults'] %}

  411.         Defaults:{{ name }} {{ entry }}

  412.       {%- endfor %}

  413.       {%- endif %}

  414.       {%- if 'sudo_rules' in user %}

  415.         ########################################################################

  416.         # File managed by Salt (users-formula).

  417.         # Your changes will be overwritten.

  418.         ########################################################################

  419.         #

  420.       {%- for rule in user['sudo_rules'] %}

  421.         {{ name }} {{ rule }}

  422.       {%- endfor %}

  423.       {%- endif %}

  424.     - require:

  425.       - file: users_sudoer-defaults

  426.       - file: users_sudoer-{{ name }}

  427.   cmd.wait:

  428.     - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )

  429.     - watch:

  430.       - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  431. {% endif %}

  432. {% else %}

  433. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:

  434.   file.absent:

  435.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  436. {% endif %}

  437. 

  438. {%- if 'google_auth' in user %}

  439. {%- for svc in user['google_auth'] %}

  440. users_googleauth-{{ svc }}-{{ name }}:

  441.   file.managed:

  442.     - replace: false

  443.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  444.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  445.     - user: root

  446.     - group: {{ users.root_group }}

  447.     - mode: 400

  448.     - require:

  449.       - pkg: users_googleauth-package

  450. {%- endfor %}

  451. {%- endif %}

  452. 

  453. #

  454. # if not salt['cmd.has_exec']('git')

  455. # fails even if git is installed

  456. #

  457. # this doesn't work (Salt bug), therefore need to run state.apply twice

  458. #include:

  459. #  - users

  460. #

  461. #git:

  462. #  pkg.installed:

  463. #    - require_in:

  464. #      - sls: users

  465. #

  466. {% if 'gitconfig' in user %}

  467. {% for key, value in user['gitconfig'].items() %}

  468. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  469.   {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  470.   git.config_set:

  471.   {% else %}

  472.   git.config:

  473.   {% endif %}

  474.     - name: {{ key }}

  475.     - value: "{{ value }}"

  476.     - user: {{ name }}

  477.     {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  478.     - global: True

  479.     {% else %}

  480.     - is_global: True

  481.     {% endif %}

  482. {% endfor %}

  483. {% endif %}

  484. 

  485. {% endfor %}

  486. 

  487. 

  488. {% for name, user in pillar.get('users', {}).items()

  489.         if user.absent is defined and user.absent %}

  490. users_absent_user_{{ name }}:

  491. {% if 'purge' in user or 'force' in user %}

  492.   user.absent:

  493.     - name: {{ name }}

  494.     {% if 'purge' in user %}

  495.     - purge: {{ user['purge'] }}

  496.     {% endif %}

  497.     {% if 'force' in user %}

  498.     - force: {{ user['force'] }}

  499.     {% endif %}

  500. {% else %}

  501.   user.absent:

  502.     - name: {{ name }}

  503. {% endif -%}

  504. users_{{ users.sudoers_dir }}/{{ name }}:

  505.   file.absent:

  506.     - name: {{ users.sudoers_dir }}/{{ name }}

  507. {% endfor %}

  508. 

  509. {% for user in pillar.get('absent_users', []) %}

  510. users_absent_user_2_{{ user }}:

  511.   user.absent:

  512.     - name: {{ user }}

  513. users_2_{{ users.sudoers_dir }}/{{ user }}:

  514.   file.absent:

  515.     - name: {{ users.sudoers_dir }}/{{ user }}

  516. {% endfor %}

  517. 

  518. {% for group in pillar.get('absent_groups', []) %}

  519. users_absent_group_{{ group }}:

  520.   group.absent:

  521.     - name: {{ group }}

  522. {% endfor %}