ExternalMirrors
/
users-formula
mirror of https://github.com/saltstack-formulas/users-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 13 Wiki Activity
Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
95 Commits
3 Branches
Tree: 7aa32881b7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7aa32881b7'
${ noResults }
users-formula/users/init.sls

223 lines
6.0KB
Raw Blame History 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = False %}

  4. 

  5. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  6. {%- if user == None -%}

  7. {%- set user = {} -%}

  8. {%- endif -%}

  9. {%- set home = user.get('home', "/home/%s" % name) -%}

  10. 

  11. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  12. {%- set user_group = user.prime_group.name -%}

  13. {%- else -%}

  14. {%- set user_group = name -%}

  15. {%- endif %}

  16. 

  17. {% for group in user.get('groups', []) %}

  18. {{ name }}_{{ group }}_group:

  19.   group:

  20.     - name: {{ group }}

  21.     - present

  22. {% endfor %}

  23. 

  24. {{ name }}_user:

  25.   {% if user.get('createhome', True) %}

  26.   file.directory:

  27.     - name: {{ home }}

  28.     - user: {{ name }}

  29.     - group: {{ user_group }}

  30.     - mode: {{ user.get('user_dir_mode', '0750') }}

  31.     - require:

  32.       - user: {{ name }}

  33.       - group: {{ user_group }}

  34.   {%- endif %}

  35.   group.present:

  36.     - name: {{ user_group }}

  37.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  38.     - gid: {{ user['prime_group']['gid'] }}

  39.     {%- elif 'uid' in user %}

  40.     - gid: {{ user['uid'] }}

  41.     {%- endif %}

  42.   user.present:

  43.     - name: {{ name }}

  44.     - home: {{ home }}

  45.     - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}

  46.     {% if 'uid' in user -%}

  47.     - uid: {{ user['uid'] }}

  48.     {% endif -%}

  49.     {% if 'password' in user -%}

  50.     - password: '{{ user['password'] }}'

  51.     {% endif -%}

  52.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  53.     - gid: {{ user['prime_group']['gid'] }}

  54.     {% else -%}

  55.     - gid_from_name: True

  56.     {% endif -%}

  57.     {% if 'fullname' in user %}

  58.     - fullname: {{ user['fullname'] }}

  59.     {% endif -%}

  60.     {% if not user.get('createhome', True) %}

  61.     - createhome: False

  62.     {% endif %}

  63.     {% if 'expire' in user -%}

  64.     - expire: {{ user['expire'] }}

  65.     {% endif -%}

  66.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  67.     - groups:

  68.       - {{ user_group }}

  69.       {% for group in user.get('groups', []) -%}

  70.       - {{ group }}

  71.       {% endfor %}

  72.     - require:

  73.       - group: {{ user_group }}

  74.       {% for group in user.get('groups', []) -%}

  75.       - group: {{ group }}

  76.       {% endfor %}

  77. 

  78. user_keydir_{{ name }}:

  79.   file.directory:

  80.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  81.     - user: {{ name }}

  82.     - group: {{ user_group }}

  83.     - makedirs: True

  84.     - mode: 700

  85.     - require:

  86.       - user: {{ name }}

  87.       - group: {{ user_group }}

  88.       {%- for group in user.get('groups', []) %}

  89.       - group: {{ group }}

  90.       {%- endfor %}

  91. 

  92.   {% if 'ssh_keys' in user %}

  93.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  94. user_{{ name }}_private_key:

  95.   file.managed:

  96.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  97.     - user: {{ name }}

  98.     - group: {{ user_group }}

  99.     - mode: 600

  100.     - show_diff: False

  101.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  102.     - require:

  103.       - user: {{ name }}_user

  104.       {% for group in user.get('groups', []) %}

  105.       - group: {{ name }}_{{ group }}_group

  106.       {% endfor %}

  107. user_{{ name }}_public_key:

  108.   file.managed:

  109.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  110.     - user: {{ name }}

  111.     - group: {{ user_group }}

  112.     - mode: 644

  113.     - show_diff: False

  114.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  115.     - require:

  116.       - user: {{ name }}_user

  117.       {% for group in user.get('groups', []) %}

  118.       - group: {{ name }}_{{ group }}_group

  119.       {% endfor %}

  120.   {% endif %}

  121. 

  122. 

  123. {% if 'ssh_auth' in user %}

  124. {% for auth in user['ssh_auth'] %}

  125. ssh_auth_{{ name }}_{{ loop.index0 }}:

  126.   ssh_auth.present:

  127.     - user: {{ name }}

  128.     - name: {{ auth }}

  129.     - require:

  130.         - file: {{ name }}_user

  131.         - user: {{ name }}_user

  132. {% endfor %}

  133. {% endif %}

  134. 

  135. {% if 'ssh_auth.absent' in user %}

  136. {% for auth in user['ssh_auth.absent'] %}

  137. ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  138.   ssh_auth.absent:

  139.     - user: {{ name }}

  140.     - name: {{ auth }}

  141.     - require:

  142.         - file: {{ name }}_user

  143.         - user: {{ name }}_user

  144. {% endfor %}

  145. {% endif %}

  146. 

  147. {% if 'sudouser' in user and user['sudouser'] %}

  148. {% if not used_sudo %}

  149. {% set used_sudo = True %}

  150. include:

  151.   - users.sudo

  152. {% endif %}

  153. 

  154. sudoer-{{ name }}:

  155.   file.managed:

  156.     - name: {{ users.sudoers_dir }}/{{ name }}

  157.     - user: root

  158.     - group: {{ users.root_group }} 

  159.     - mode: '0440'

  160. {% if 'sudo_rules' in user %}

  161. {% for rule in user['sudo_rules'] %}

  162. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  163.   cmd.run:

  164.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  165.     - stateful: True

  166.     - shell: {{ users.visudo_shell }} 

  167.     - env:

  168.       # Specify the rule via an env var to avoid shell quoting issues.

  169.       - rule: "{{ name }} {{ rule }}"

  170.     - require_in:

  171.       - file: {{ users.sudoers_dir }}/{{ name }}

  172. {% endfor %}

  173. 

  174. {{ users.sudoers_dir }}/{{ name }}:

  175.   file.managed:

  176.     - contents: |

  177.       {%- for rule in user['sudo_rules'] %}

  178.         {{ name }} {{ rule }}

  179.       {%- endfor %}

  180.     - require:

  181.       - file: sudoer-defaults

  182.       - file: sudoer-{{ name }}

  183. {% endif %}

  184. {% else %}

  185. {{ users.sudoers_dir }}/{{ name }}:

  186.   file.absent:

  187.     - name: {{ users.sudoers_dir }}/{{ name }}

  188. {% endif %}

  189. 

  190. {% endfor %}

  191. 

  192. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

  193. {{ name }}:

  194. {% if 'purge' in user or 'force' in user %}

  195.   user.absent:

  196.     {% if 'purge' in user %}

  197.     - purge: {{ user['purge'] }}

  198.     {% endif %}

  199.     {% if 'force' in user %}

  200.     - force: {{ user['force'] }}

  201.     {% endif %}

  202. {% else %}

  203.   user.absent

  204. {% endif -%}

  205. {{ users.sudoers_dir }}/{{ name }}:

  206.   file.absent:

  207.     - name: {{ users.sudoers_dir }}/{{ name }}

  208. {% endfor %}

  209. 

  210. {% for user in pillar.get('absent_users', []) %}

  211. {{ user }}:

  212.   user.absent

  213. {{ users.sudoers_dir }}/{{ user }}:

  214.   file.absent:

  215.     - name: {{ users.sudoers_dir }}/{{ user }}

  216. {% endfor %}

  217. 

  218. {% for group in pillar.get('absent_groups', []) %}

  219. {{ group }}:

  220.   group.absent

  221. {% endfor %}