Saltstack Official Users Formula


  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. users-formula:
  5. lookup: # override the defauls in map.jinja
  6. root_group: root
  7. # group initialization
  8. groups:
  9. foo:
  10. state: present
  11. gid: 1500
  12. system: false
  13. badguys:
  14. absent: true
  15. niceguys:
  16. gid: 4242
  17. system: false
  18. addusers:
  19. - root
  20. delusers:
  21. - toor
  22. ssl-cert:
  23. system: true
  24. members:
  25. # *TODO*: run groups after all users created and then use `auser` and
  26. # `buser` instead
  27. - root
  28. - sshd
  29. # - bin
  30. # - daemon
  31. users:
  32. ## Minimal required pillar values
  33. auser:
  34. fullname: A User
  35. ## Full list of pillar values
  36. buser:
  37. fullname: B User
  38. password: $6$w.............
  39. enforce_password: true
  40. # WARNING: If 'empty_password' is set to true, the 'password' statement
  41. # will be ignored by enabling password-less login for the user.
  42. empty_password: false
  43. hash_password: false
  44. system: false
  45. home: /custom/buser
  46. homedir_owner: buser
  47. homedir_group: primarygroup
  48. user_dir_mode: 750
  49. createhome: true
  50. roomnumber: "A-1"
  51. workphone: "(555) 555-5555"
  52. homephone: "(555) 555-5551"
  53. manage_vimrc: false
  54. allow_gid_change: false
  55. manage_bashrc: false
  56. manage_profile: false
  57. expire: 16426
  58. # Disables user management except sudo rules.
  59. # Useful for setting sudo rules for system accounts created by package instalation
  60. sudoonly: false
  61. sudouser: true
  62. # sudo_rules doesn't need the username as a prefix for the rule
  63. # this is added automatically by the formula.
  64. # ----------------------------------------------------------------------
  65. # In case your sudo_rules have a colon please have in mind to not leave
  66. # spaces around it. For example:
  67. # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
  68. # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
  69. sudo_rules:
  70. - ALL=(root) /usr/bin/find
  71. - ALL=(otheruser) /usr/bin/script.sh
  72. sudo_defaults:
  73. - '!requiretty'
  74. # enable polkitadmin to make user an AdminIdentity for polkit
  75. polkitadmin: true
  76. shell: /bin/bash
  77. remove_groups: false
  78. prime_group:
  79. name: primarygroup
  80. gid: 1501
  81. groups:
  82. - users
  83. optional_groups:
  84. - some_groups_that_might
  85. - not_exist_on_all_minions
  86. ssh_key_type: rsa
  87. # # You can inline the private keys ...
  88. # ssh_keys:
  89. # privkey: PRIVATEKEY
  90. # pubkey: PUBLICKEY
  91. # # or you can provide path to key on Salt fileserver
  92. # # privkey: salt://path_to_PRIVATEKEY
  93. # # pubkey: salt://path_to_PUBLICKEY
  94. # # you can provide multiple keys, the keyname is taken as filename
  95. # # make sure your public keys suffix is .pub
  96. # foobar: PRIVATEKEY
  97. # foobar.pub: PUBLICKEY
  98. # # ... or you can pull them from a different pillar,
  99. # # for example one called "ssh_keys":
  100. # ssh_keys_pillar:
  101. # id_rsa: "ssh_keys"
  102. # another_key_pair: "ssh_keys"
  103. # ssh_auth:
  104. # - PUBLICKEY
  105. # ssh_auth.absent:
  106. # - PUBLICKEY_TO_BE_REMOVED
  107. # # Generates an authorized_keys file for the user
  108. # # with the given keys
  109. # ssh_auth_file:
  110. # - PUBLICKEY
  111. # # ... or you can pull them from a different pillar similar to ssh_keys_pillar
  112. # ssh_auth_pillar:
  113. # id_rsa: "ssh_keys"
  114. # # If you prefer to keep public keys as files rather
  115. # # than inline in pillar, this works.
  116. # ssh_auth_sources:
  117. # - salt://keys/buser.id_rsa.pub
  118. # ssh_auth_sources.absent:
  119. # - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
  120. # Manage the ~/.ssh/config file
  121. ssh_known_hosts:
  122. importanthost:
  123. port: 22
  124. fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
  125. key: PUBLICKEY
  126. enc: ssh-rsa
  127. hash_known_hosts: true
  128. timeout: 5
  129. fingerprint_hash_type: sha256
  130. ssh_known_hosts.absent:
  131. - notimportanthost
  132. ssh_config:
  133. all:
  134. hostname: "*"
  135. options:
  136. - "StrictHostKeyChecking no"
  137. - "UserKnownHostsFile=/dev/null"
  138. importanthost:
  139. hostname: "needcheck.example.com"
  140. options:
  141. - "StrictHostKeyChecking yes"
  142. # Using gitconfig without Git installed will result in an error
  143. # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
  144. # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
  145. gitconfig:
  146. user.name: B User
  147. user.email: buser@example.com
  148. "url.https://.insteadOf": "git://"
  149. gitconfig.absent:
  150. - push.default
  151. - color\..+
  152. google_2fa: true
  153. google_auth:
  154. sshd: |
  155. SOMEGAUTHHASHVAL
  156. " RESETTING_TIME_SKEW 46956472+2 46991595-2
  157. " RATE_LIMIT 3 30 1415800560
  158. " DISALLOW_REUSE 47193352
  159. " TOTP_AUTH
  160. 11111111
  161. 22222222
  162. 33333333
  163. 44444444
  164. 55555555
  165. # unique: true allows user to have non unique uid
  166. unique: false
  167. uid: 1001
  168. user_files:
  169. enabled: true
  170. # 'source' allows you to define an arbitrary directory to sync,
  171. # useful to use for default files.
  172. # should be a salt fileserver path either with or without 'salt://'
  173. # if not present, it defaults to 'salt://users/files/user/<username>
  174. source: users/files
  175. # template: jinja
  176. # You can specify octal mode for files and symlinks that will be copied.
  177. # Since version 2016.11.0 it's possible to use 'keep' for file_mode,
  178. # to preserve file original mode, thus you can save execution bit for example.
  179. file_mode: keep
  180. # You can specify octal mode for directories as well.
  181. # This won't work on Windows minions
  182. # dir_mode: 775
  183. sym_mode: 640
  184. exclude_pat: "*.gitignore"
  185. ## Absent user
  186. cuser:
  187. absent: true
  188. purge: true
  189. force: true
  190. ## Old syntax of absent_users still supported
  191. absent_users:
  192. - donald
  193. - bad_guy