Saltstack Official Users Formula
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.

523 lines
15KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudoonly' in user and user['sudoonly'] %}
  12. {%- set _dummy=user.update({'sudouser': True}) %}
  13. {%- endif %}
  14. {%- if 'sudouser' in user and user['sudouser'] %}
  15. {%- do used_sudo.append(1) %}
  16. {%- endif %}
  17. {%- if 'google_auth' in user %}
  18. {%- do used_googleauth.append(1) %}
  19. {%- endif %}
  20. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  21. {%- do used_user_files.append(1) %}
  22. {%- endif %}
  23. {%- endfor %}
  24. {%- if used_sudo or used_googleauth or used_user_files %}
  25. include:
  26. {%- if used_sudo %}
  27. - users.sudo
  28. {%- endif %}
  29. {%- if used_googleauth %}
  30. - users.googleauth
  31. {%- endif %}
  32. {%- if used_user_files %}
  33. - users.user_files
  34. {%- endif %}
  35. {%- endif %}
  36. {% for name, user in pillar.get('users', {}).items()
  37. if user.absent is not defined or not user.absent %}
  38. {%- if user == None -%}
  39. {%- set user = {} -%}
  40. {%- endif -%}
  41. {%- set current = salt.user.info(name) -%}
  42. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
  43. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  44. {%- set user_group = user.prime_group.name -%}
  45. {%- else -%}
  46. {%- set user_group = name -%}
  47. {%- endif %}
  48. {%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}
  49. {% for group in user.get('groups', []) %}
  50. users_{{ name }}_{{ group }}_group:
  51. group.present:
  52. - name: {{ group }}
  53. {% if group == 'sudo' %}
  54. - system: True
  55. {% endif %}
  56. {% endfor %}
  57. users_{{ name }}_user:
  58. {% if user.get('createhome', True) %}
  59. file.directory:
  60. - name: {{ home }}
  61. - user: {{ user.get('homedir_owner', name) }}
  62. - group: {{ user.get('homedir_group', user_group) }}
  63. - mode: {{ user.get('user_dir_mode', '0750') }}
  64. - require:
  65. - user: users_{{ name }}_user
  66. - group: {{ user_group }}
  67. {%- endif %}
  68. group.present:
  69. - name: {{ user_group }}
  70. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  71. - gid: {{ user['prime_group']['gid'] }}
  72. {%- elif 'uid' in user %}
  73. - gid: {{ user['uid'] }}
  74. {%- endif %}
  75. {% if 'system' in user and user['system'] %}
  76. - system: True
  77. {% endif %}
  78. user.present:
  79. - name: {{ name }}
  80. - home: {{ home }}
  81. - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
  82. {% if 'uid' in user -%}
  83. - uid: {{ user['uid'] }}
  84. {% endif -%}
  85. {% if 'password' in user -%}
  86. - password: '{{ user['password'] }}'
  87. {% endif -%}
  88. {% if user.get('empty_password') -%}
  89. - empty_password: {{ user.get('empty_password') }}
  90. {% endif -%}
  91. {% if 'enforce_password' in user -%}
  92. - enforce_password: {{ user['enforce_password'] }}
  93. {% endif -%}
  94. {% if 'hash_password' in user -%}
  95. - hash_password: {{ user['hash_password'] }}
  96. {% endif -%}
  97. {% if user.get('system', False) -%}
  98. - system: True
  99. {% endif -%}
  100. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  101. - gid: {{ user['prime_group']['gid'] }}
  102. {% elif 'prime_group' in user and 'name' in user['prime_group'] %}
  103. - gid: {{ user['prime_group']['name'] }}
  104. {% else -%}
  105. - gid_from_name: True
  106. {% endif -%}
  107. {% if 'fullname' in user %}
  108. - fullname: {{ user['fullname'] }}
  109. {% endif -%}
  110. {% if 'roomnumber' in user %}
  111. - roomnumber: {{ user['roomnumber'] }}
  112. {% endif %}
  113. {% if 'workphone' in user %}
  114. - workphone: {{ user['workphone'] }}
  115. {% endif %}
  116. {% if 'homephone' in user %}
  117. - homephone: {{ user['workphone'] }}
  118. {% endif %}
  119. {% if not user.get('createhome', True) %}
  120. - createhome: False
  121. {% endif %}
  122. {% if 'expire' in user -%}
  123. {% if grains['kernel'].endswith('BSD') and
  124. user['expire'] < 157766400 %}
  125. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  126. - expire: {{ user['expire'] * 86400 }}
  127. {% elif grains['kernel'] == 'Linux' and
  128. user['expire'] > 84006 %}
  129. {# 2932896 days since epoch equals 9999-12-31 #}
  130. - expire: {{ (user['expire'] / 86400) | int}}
  131. {% else %}
  132. - expire: {{ user['expire'] }}
  133. {% endif %}
  134. {% endif -%}
  135. - remove_groups: {{ user.get('remove_groups', 'False') }}
  136. - groups:
  137. - {{ user_group }}
  138. {% for group in user.get('groups', []) -%}
  139. - {{ group }}
  140. {% endfor %}
  141. {% if 'optional_groups' in user %}
  142. - optional_groups:
  143. {% for optional_group in user['optional_groups'] -%}
  144. - {{optional_group}}
  145. {% endfor %}
  146. {% endif %}
  147. - require:
  148. - group: {{ user_group }}
  149. {% for group in user.get('groups', []) -%}
  150. - group: {{ group }}
  151. {% endfor %}
  152. {% if 'ssh_keys' in user or
  153. 'ssh_auth' in user or
  154. 'ssh_auth_file' in user or
  155. 'ssh_auth_pillar' in user or
  156. 'ssh_auth.absent' in user or
  157. 'ssh_config' in user %}
  158. user_keydir_{{ name }}:
  159. file.directory:
  160. - name: {{ home }}/.ssh
  161. - user: {{ name }}
  162. - group: {{ user_group }}
  163. - makedirs: True
  164. - mode: 700
  165. - require:
  166. - user: {{ name }}
  167. - group: {{ user_group }}
  168. {%- for group in user.get('groups', []) %}
  169. - group: {{ group }}
  170. {%- endfor %}
  171. {% endif %}
  172. {% if 'ssh_keys' in user %}
  173. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  174. users_user_{{ name }}_private_key:
  175. file.managed:
  176. - name: {{ home }}/.ssh/{{ key_type }}
  177. - user: {{ name }}
  178. - group: {{ user_group }}
  179. - mode: 600
  180. - show_diff: False
  181. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  182. - require:
  183. - user: users_{{ name }}_user
  184. {% for group in user.get('groups', []) %}
  185. - group: users_{{ name }}_{{ group }}_group
  186. {% endfor %}
  187. users_user_{{ name }}_public_key:
  188. file.managed:
  189. - name: {{ home }}/.ssh/{{ key_type }}.pub
  190. - user: {{ name }}
  191. - group: {{ user_group }}
  192. - mode: 644
  193. - show_diff: False
  194. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  195. - require:
  196. - user: users_{{ name }}_user
  197. {% for group in user.get('groups', []) %}
  198. - group: users_{{ name }}_{{ group }}_group
  199. {% endfor %}
  200. {% endif %}
  201. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  202. users_authorized_keys_{{ name }}:
  203. file.managed:
  204. - name: {{ home }}/.ssh/authorized_keys
  205. - user: {{ name }}
  206. - group: {{ user_group }}
  207. - mode: 600
  208. {% if 'ssh_auth_file' in user %}
  209. - contents: |
  210. {% for auth in user.ssh_auth_file -%}
  211. {{ auth }}
  212. {% endfor -%}
  213. {% else %}
  214. {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
  215. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  216. {%- endfor %}
  217. {% endif %}
  218. {% endif %}
  219. {% if 'ssh_auth' in user %}
  220. {% for auth in user['ssh_auth'] %}
  221. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  222. ssh_auth.present:
  223. - user: {{ name }}
  224. - name: {{ auth }}
  225. - require:
  226. - file: user_keydir_{{ name }}
  227. - user: users_{{ name }}_user
  228. {% endfor %}
  229. {% endif %}
  230. {% if 'ssh_keys_pillar' in user %}
  231. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  232. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  233. file.managed:
  234. - name: {{ home }}/.ssh/{{ key_name }}
  235. - user: {{ name }}
  236. - group: {{ user_group }}
  237. - mode: 600
  238. - show_diff: False
  239. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  240. - require:
  241. - user: users_{{ name }}_user
  242. {% for group in user.get('groups', []) %}
  243. - group: users_{{ name }}_{{ group }}_group
  244. {% endfor %}
  245. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  246. file.managed:
  247. - name: {{ home }}/.ssh/{{ key_name }}.pub
  248. - user: {{ name }}
  249. - group: {{ user_group }}
  250. - mode: 644
  251. - show_diff: False
  252. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  253. - require:
  254. - user: users_{{ name }}_user
  255. {% for group in user.get('groups', []) %}
  256. - group: users_{{ name }}_{{ group }}_group
  257. {% endfor %}
  258. {% endfor %}
  259. {% endif %}
  260. {% if 'ssh_auth_sources' in user %}
  261. {% for pubkey_file in user['ssh_auth_sources'] %}
  262. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  263. ssh_auth.present:
  264. - user: {{ name }}
  265. - source: {{ pubkey_file }}
  266. - require:
  267. - file: users_{{ name }}_user
  268. - user: users_{{ name }}_user
  269. {% endfor %}
  270. {% endif %}
  271. {% if 'ssh_auth_sources.absent' in user %}
  272. {% for pubkey_file in user['ssh_auth_sources.absent'] %}
  273. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:
  274. ssh_auth.absent:
  275. - user: {{ name }}
  276. - source: {{ pubkey_file }}
  277. - require:
  278. - file: users_{{ name }}_user
  279. - user: users_{{ name }}_user
  280. {% endfor %}
  281. {% endif %}
  282. {% if 'ssh_auth.absent' in user %}
  283. {% for auth in user['ssh_auth.absent'] %}
  284. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  285. ssh_auth.absent:
  286. - user: {{ name }}
  287. - name: {{ auth }}
  288. - require:
  289. - file: users_{{ name }}_user
  290. - user: users_{{ name }}_user
  291. {% endfor %}
  292. {% endif %}
  293. {% if 'ssh_config' in user %}
  294. users_ssh_config_{{ name }}:
  295. file.managed:
  296. - name: {{ home }}/.ssh/config
  297. - user: {{ name }}
  298. - group: {{ user_group }}
  299. - mode: 640
  300. - contents: |
  301. # Managed by Saltstack
  302. # Do Not Edit
  303. {% for label, setting in user.ssh_config.items() %}
  304. # {{ label }}
  305. Host {{ setting.get('hostname') }}
  306. {%- for opts in setting.get('options') %}
  307. {{ opts }}
  308. {%- endfor %}
  309. {% endfor -%}
  310. {% endif %}
  311. {% if 'ssh_known_hosts' in user %}
  312. {% for hostname, host in user['ssh_known_hosts'].items() %}
  313. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  314. ssh_known_hosts.present:
  315. - user: {{ name }}
  316. - name: {{ hostname }}
  317. {% if 'port' in host %}
  318. - port: {{ host['port'] }}
  319. {% endif -%}
  320. {% if 'fingerprint' in host %}
  321. - fingerprint: {{ host['fingerprint'] }}
  322. {% endif -%}
  323. {% if 'key' in host %}
  324. - key: {{ host['key'] }}
  325. {% endif -%}
  326. {% if 'enc' in host %}
  327. - enc: {{ host['enc'] }}
  328. {% endif -%}
  329. {% if 'hash_hostname' in host %}
  330. - hash_hostname: {{ host['hash_hostname'] }}
  331. {% endif -%}
  332. {% endfor %}
  333. {% endif %}
  334. {% if 'ssh_known_hosts.absent' in user %}
  335. {% for host in user['ssh_known_hosts.absent'] %}
  336. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  337. ssh_known_hosts.absent:
  338. - user: {{ name }}
  339. - name: {{ host }}
  340. {% endfor %}
  341. {% endif %}
  342. {% endif %}
  343. {% set sudoers_d_filename = name|replace('.','_') %}
  344. {% if 'sudouser' in user and user['sudouser'] %}
  345. users_sudoer-{{ name }}:
  346. file.managed:
  347. - replace: False
  348. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  349. - user: root
  350. - group: {{ users.root_group }}
  351. - mode: '0440'
  352. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  353. #{#%
  354. {% if 'sudo_rules' in user %}
  355. {% for rule in user['sudo_rules'] %}
  356. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  357. cmd.run:
  358. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  359. - stateful: True
  360. - shell: {{ users.visudo_shell }}
  361. - env:
  362. # Specify the rule via an env var to avoid shell quoting issues.
  363. - rule: "{{ name }} {{ rule }}"
  364. - require_in:
  365. - file: users_{{ users.sudoers_dir }}/{{ name }}
  366. {% endfor %}
  367. {% endif %}
  368. {% if 'sudo_defaults' in user %}
  369. {% for entry in user['sudo_defaults'] %}
  370. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  371. cmd.run:
  372. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  373. - stateful: True
  374. - shell: {{ users.visudo_shell }}
  375. - env:
  376. # Specify the rule via an env var to avoid shell quoting issues.
  377. - rule: "Defaults:{{ name }} {{ entry }}"
  378. - require_in:
  379. - file: users_{{ users.sudoers_dir }}/{{ name }}
  380. {% endfor %}
  381. {% endif %}
  382. #%#}
  383. users_{{ users.sudoers_dir }}/{{ name }}:
  384. file.managed:
  385. - replace: True
  386. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  387. - contents: |
  388. {%- if 'sudo_defaults' in user %}
  389. {%- for entry in user['sudo_defaults'] %}
  390. Defaults:{{ name }} {{ entry }}
  391. {%- endfor %}
  392. {%- endif %}
  393. {%- if 'sudo_rules' in user %}
  394. ########################################################################
  395. # File managed by Salt (users-formula).
  396. # Your changes will be overwritten.
  397. ########################################################################
  398. #
  399. {%- for rule in user['sudo_rules'] %}
  400. {{ name }} {{ rule }}
  401. {%- endfor %}
  402. {%- endif %}
  403. - require:
  404. - file: users_sudoer-defaults
  405. - file: users_sudoer-{{ name }}
  406. cmd.wait:
  407. - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )
  408. - watch:
  409. - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  410. {% endif %}
  411. {% else %}
  412. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
  413. file.absent:
  414. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  415. {% endif %}
  416. {%- if 'google_auth' in user %}
  417. {%- for svc in user['google_auth'] %}
  418. users_googleauth-{{ svc }}-{{ name }}:
  419. file.managed:
  420. - replace: false
  421. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  422. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  423. - user: root
  424. - group: {{ users.root_group }}
  425. - mode: 400
  426. - require:
  427. - pkg: users_googleauth-package
  428. {%- endfor %}
  429. {%- endif %}
  430. #
  431. # if not salt['cmd.has_exec']('git')
  432. # fails even if git is installed
  433. #
  434. # this doesn't work (Salt bug), therefore need to run state.apply twice
  435. #include:
  436. # - users
  437. #
  438. #git:
  439. # pkg.installed:
  440. # - require_in:
  441. # - sls: users
  442. #
  443. {% if 'gitconfig' in user %}
  444. {% for key, value in user['gitconfig'].items() %}
  445. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  446. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  447. git.config_set:
  448. {% else %}
  449. git.config:
  450. {% endif %}
  451. - name: {{ key }}
  452. - value: "{{ value }}"
  453. - user: {{ name }}
  454. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  455. - global: True
  456. {% else %}
  457. - is_global: True
  458. {% endif %}
  459. {% endfor %}
  460. {% endif %}
  461. {% endfor %}
  462. {% for name, user in pillar.get('users', {}).items()
  463. if user.absent is defined and user.absent %}
  464. users_absent_user_{{ name }}:
  465. {% if 'purge' in user or 'force' in user %}
  466. user.absent:
  467. - name: {{ name }}
  468. {% if 'purge' in user %}
  469. - purge: {{ user['purge'] }}
  470. {% endif %}
  471. {% if 'force' in user %}
  472. - force: {{ user['force'] }}
  473. {% endif %}
  474. {% else %}
  475. user.absent:
  476. - name: {{ name }}
  477. {% endif -%}
  478. users_{{ users.sudoers_dir }}/{{ name }}:
  479. file.absent:
  480. - name: {{ users.sudoers_dir }}/{{ name }}
  481. {% endfor %}
  482. {% for user in pillar.get('absent_users', []) %}
  483. users_absent_user_2_{{ user }}:
  484. user.absent:
  485. - name: {{ user }}
  486. users_2_{{ users.sudoers_dir }}/{{ user }}:
  487. file.absent:
  488. - name: {{ users.sudoers_dir }}/{{ user }}
  489. {% endfor %}
  490. {% for group in pillar.get('absent_groups', []) %}
  491. users_absent_group_{{ group }}:
  492. group.absent:
  493. - name: {{ group }}
  494. {% endfor %}