ExternalMirrors
/
users-formula
mirror of https://github.com/saltstack-formulas/users-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 13 Wiki Activity
Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
237 Commits
3 Branches
Tree: 83c9ad42c8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '83c9ad42c8'
${ noResults }
users-formula/users/init.sls

512 lines
15KB
Raw Blame History 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. {% set used_polkit = False %}

  7. 

  8. {%- for name, user in pillar.get('users', {}).items()

  9.         if user.absent is not defined or not user.absent %}

  10. {%- if user == None -%}

  11. {%- set user = {} -%}

  12. {%- endif -%}

  13. {%- if 'sudouser' in user and user['sudouser'] %}

  14. {%- do used_sudo.append(1) %}

  15. {%- endif %}

  16. {%- if 'google_auth' in user %}

  17. {%- do used_googleauth.append(1) %}

  18. {%- endif %}

  19. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  20. {%- do used_user_files.append(1) %}

  21. {%- endif %}

  22. {%- if user.get('polkitadmin', False) == True %}

  23. {%- set used_polkit = True %}

  24. {%- endif %}

  25. {%- endfor %}

  26. 

  27. {%- if used_sudo or used_googleauth or used_user_files or used_polkit %}

  28. include:

  29. {%- if used_sudo %}

  30.   - users.sudo

  31. {%- endif %}

  32. {%- if used_googleauth %}

  33.   - users.googleauth

  34. {%- endif %}

  35. {%- if used_user_files %}

  36.   - users.user_files

  37. {%- endif %}

  38. {%- if used_polkit %}

  39.   - users.polkit

  40. {%- endif %}

  41. {%- endif %}

  42. 

  43. {% for name, user in pillar.get('users', {}).items()

  44.         if user.absent is not defined or not user.absent %}

  45. {%- if user == None -%}

  46. {%- set user = {} -%}

  47. {%- endif -%}

  48. {%- set current = salt.user.info(name) -%}

  49. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  50. 

  51. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  52. {%- set user_group = user.prime_group.name -%}

  53. {%- else -%}

  54. {%- set user_group = name -%}

  55. {%- endif %}

  56. 

  57. {% for group in user.get('groups', []) %}

  58. users_{{ name }}_{{ group }}_group:

  59.   group.present:

  60.     - name: {{ group }}

  61.     {% if group == 'sudo' %}

  62.     - system: True

  63.     {% endif %}

  64. {% endfor %}

  65. 

  66. users_{{ name }}_user:

  67.   {% if user.get('createhome', True) %}

  68.   file.directory:

  69.     - name: {{ home }}

  70.     - user: {{ user.get('homedir_owner', name) }}

  71.     - group: {{ user.get('homedir_group', user_group) }}

  72.     - mode: {{ user.get('user_dir_mode', '0750') }}

  73.     - require:

  74.       - user: users_{{ name }}_user

  75.       - group: {{ user_group }}

  76.   {%- endif %}

  77.   group.present:

  78.     - name: {{ user_group }}

  79.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  80.     - gid: {{ user['prime_group']['gid'] }}

  81.     {%- elif 'uid' in user %}

  82.     - gid: {{ user['uid'] }}

  83.     {%- endif %}

  84.     {% if 'system' in user and user['system'] %}

  85.     - system: True

  86.     {% endif %}

  87.   user.present:

  88.     - name: {{ name }}

  89.     - home: {{ home }}

  90.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  91.     {% if 'uid' in user -%}

  92.     - uid: {{ user['uid'] }}

  93.     {% endif -%}

  94.     {% if 'password' in user -%}

  95.     - password: '{{ user['password'] }}'

  96.     {% endif -%}

  97.     {% if user.get('empty_password') -%}

  98.     - empty_password: {{ user.get('empty_password') }}

  99.     {% endif -%}

  100.     {% if 'enforce_password' in user -%}

  101.     - enforce_password: {{ user['enforce_password'] }}

  102.     {% endif -%}

  103.     {% if 'hash_password' in user -%}

  104.     - hash_password: {{ user['hash_password'] }}

  105.     {% endif -%}

  106.     {% if user.get('system', False) -%}

  107.     - system: True

  108.     {% endif -%}

  109.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  110.     - gid: {{ user['prime_group']['gid'] }}

  111.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  112.     - gid: {{ user['prime_group']['name'] }}

  113.     {% else -%}

  114.     - gid_from_name: True

  115.     {% endif -%}

  116.     {% if 'fullname' in user %}

  117.     - fullname: {{ user['fullname'] }}

  118.     {% endif -%}

  119.     {% if 'roomnumber' in user %}

  120.     - roomnumber: {{ user['roomnumber'] }}

  121.     {% endif %}

  122.     {% if 'workphone' in user %}

  123.     - workphone: {{ user['workphone'] }}

  124.     {% endif %}

  125.     {% if 'homephone' in user %}

  126.     - homephone: {{ user['workphone'] }}

  127.     {% endif %}

  128.     {% if not user.get('createhome', True) %}

  129.     - createhome: False

  130.     {% endif %}

  131.     {% if 'expire' in user -%}

  132.         {% if grains['kernel'].endswith('BSD') and

  133.             user['expire'] < 157766400 %}

  134.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  135.     - expire: {{ user['expire'] * 86400 }}

  136.         {% elif grains['kernel'] == 'Linux' and

  137.             user['expire'] > 84006 %}

  138.         {# 2932896 days since epoch equals 9999-12-31 #}

  139.     - expire: {{ (user['expire'] / 86400) | int}}

  140.         {% else %}

  141.     - expire: {{ user['expire'] }}

  142.         {% endif %}

  143.     {% endif -%}

  144.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  145.     - groups:

  146.       - {{ user_group }}

  147.       {% for group in user.get('groups', []) -%}

  148.       - {{ group }}

  149.       {% endfor %}

  150.     {% if 'optional_groups' in user %}

  151.     - optional_groups:

  152.       {% for optional_group in user['optional_groups'] -%}

  153.       - {{optional_group}}

  154.       {% endfor %}

  155.     {% endif %}

  156.     - require:

  157.       - group: {{ user_group }}

  158.       {% for group in user.get('groups', []) -%}

  159.       - group: {{ group }}

  160.       {% endfor %}

  161. 

  162. 

  163.   {% if 'ssh_keys' in user or

  164.       'ssh_auth' in user or

  165.       'ssh_auth_file' in user or

  166.       'ssh_auth_pillar' in user or

  167.       'ssh_auth.absent' in user or

  168.       'ssh_config' in user %}

  169. user_keydir_{{ name }}:

  170.   file.directory:

  171.     - name: {{ home }}/.ssh

  172.     - user: {{ name }}

  173.     - group: {{ user_group }}

  174.     - makedirs: True

  175.     - mode: 700

  176.     - require:

  177.       - user: {{ name }}

  178.       - group: {{ user_group }}

  179.       {%- for group in user.get('groups', []) %}

  180.       - group: {{ group }}

  181.       {%- endfor %}

  182.   {% endif %}

  183. 

  184.   {% if 'ssh_keys' in user %}

  185.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  186. users_user_{{ name }}_private_key:

  187.   file.managed:

  188.     - name: {{ home }}/.ssh/{{ key_type }}

  189.     - user: {{ name }}

  190.     - group: {{ user_group }}

  191.     - mode: 600

  192.     - show_diff: False

  193.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  194.     - require:

  195.       - user: users_{{ name }}_user

  196.       {% for group in user.get('groups', []) %}

  197.       - group: users_{{ name }}_{{ group }}_group

  198.       {% endfor %}

  199. users_user_{{ name }}_public_key:

  200.   file.managed:

  201.     - name: {{ home }}/.ssh/{{ key_type }}.pub

  202.     - user: {{ name }}

  203.     - group: {{ user_group }}

  204.     - mode: 644

  205.     - show_diff: False

  206.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  207.     - require:

  208.       - user: users_{{ name }}_user

  209.       {% for group in user.get('groups', []) %}

  210.       - group: users_{{ name }}_{{ group }}_group

  211.       {% endfor %}

  212.   {% endif %}

  213. 

  214. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  215. users_authorized_keys_{{ name }}:

  216.   file.managed:

  217.     - name: {{ home }}/.ssh/authorized_keys

  218.     - user: {{ name }}

  219.     - group: {{ user_group }}

  220.     - mode: 600

  221. {% if 'ssh_auth_file' in user %}

  222.     - contents: |

  223.         {% for auth in user.ssh_auth_file -%}

  224.         {{ auth }}

  225.         {% endfor -%}

  226. {% else %}

  227.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  228.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  229.         {%- endfor %}

  230. {% endif %}

  231. {% endif %}

  232. 

  233. {% if 'ssh_auth' in user %}

  234. {% for auth in user['ssh_auth'] %}

  235. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  236.   ssh_auth.present:

  237.     - user: {{ name }}

  238.     - name: {{ auth }}

  239.     - require:

  240.         - file: user_keydir_{{ name }}

  241.         - user: users_{{ name }}_user

  242. {% endfor %}

  243. {% endif %}

  244. 

  245. {% if 'ssh_keys_pillar' in user %}

  246. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  247. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  248.   file.managed:

  249.     - name: {{ home }}/.ssh/{{ key_name }}

  250.     - user: {{ name }}

  251.     - group: {{ user_group }}

  252.     - mode: 600

  253.     - show_diff: False

  254.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  255.     - require:

  256.       - user: users_{{ name }}_user

  257.       {% for group in user.get('groups', []) %}

  258.       - group: users_{{ name }}_{{ group }}_group

  259.       {% endfor %}

  260. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  261.   file.managed:

  262.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  263.     - user: {{ name }}

  264.     - group: {{ user_group }}

  265.     - mode: 644

  266.     - show_diff: False

  267.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  268.     - require:

  269.       - user: users_{{ name }}_user

  270.       {% for group in user.get('groups', []) %}

  271.       - group: users_{{ name }}_{{ group }}_group

  272.       {% endfor %}

  273. {% endfor %}

  274. {% endif %}

  275. 

  276. {% if 'ssh_auth_sources' in user %}

  277. {% for pubkey_file in user['ssh_auth_sources'] %}

  278. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  279.   ssh_auth.present:

  280.     - user: {{ name }}

  281.     - source: {{ pubkey_file }}

  282.     - require:

  283.         - file: users_{{ name }}_user

  284.         - user: users_{{ name }}_user

  285. {% endfor %}

  286. {% endif %}

  287. 

  288. {% if 'ssh_auth.absent' in user %}

  289. {% for auth in user['ssh_auth.absent'] %}

  290. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  291.   ssh_auth.absent:

  292.     - user: {{ name }}

  293.     - name: {{ auth }}

  294.     - require:

  295.         - file: users_{{ name }}_user

  296.         - user: users_{{ name }}_user

  297. {% endfor %}

  298. {% endif %}

  299. 

  300. {% if 'ssh_config' in user %}

  301. users_ssh_config_{{ name }}:

  302.   file.managed:

  303.     - name: {{ home }}/.ssh/config

  304.     - user: {{ name }}

  305.     - group: {{ user_group }}

  306.     - mode: 640

  307.     - contents: |

  308.         # Managed by Saltstack

  309.         # Do Not Edit

  310.         {% for label, setting in user.ssh_config.items() %}

  311.         # {{ label }}

  312.         Host {{ setting.get('hostname') }}

  313.           {%- for opts in setting.get('options') %}

  314.           {{ opts }}

  315.           {%- endfor %}

  316.         {% endfor -%}

  317. {% endif %}

  318. 

  319. {% if 'ssh_known_hosts' in user %}

  320. {% for hostname, host in user['ssh_known_hosts'].items() %}

  321. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  322.   ssh_known_hosts.present:

  323.     - user: {{ name }}

  324.     - name: {{ hostname }}

  325.     {% if 'port' in host %}

  326.     - port: {{ host['port'] }}

  327.     {% endif -%}

  328.     {% if 'fingerprint' in host %}

  329.     - fingerprint: {{ host['fingerprint'] }}

  330.     {% endif -%}

  331.     {% if 'key' in host %}

  332.     - key: {{ host['key'] }}

  333.     {% endif -%}

  334.     {% if 'enc' in host %}

  335.     - enc: {{ host['enc'] }}

  336.     {% endif -%}

  337.     {% if 'hash_hostname' in host %}

  338.     - hash_hostname: {{ host['hash_hostname'] }}

  339.     {% endif -%}

  340. {% endfor %}

  341. {% endif %}

  342. 

  343. {% if 'ssh_known_hosts.absent' in user %}

  344. {% for host in user['ssh_known_hosts.absent'] %}

  345. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  346.   ssh_known_hosts.absent:

  347.     - user: {{ name }}

  348.     - name: {{ host }}

  349. {% endfor %}

  350. {% endif %}

  351. 

  352. {% if 'sudouser' in user and user['sudouser'] %}

  353. 

  354. users_sudoer-{{ name }}:

  355.   file.managed:

  356.     - replace: False

  357.     - name: {{ users.sudoers_dir }}/{{ name }}

  358.     - user: root

  359.     - group: {{ users.root_group }}

  360.     - mode: '0440'

  361. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  362. #{#%

  363. {% if 'sudo_rules' in user %}

  364. {% for rule in user['sudo_rules'] %}

  365. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  366.   cmd.run:

  367.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  368.     - stateful: True

  369.     - shell: {{ users.visudo_shell }}

  370.     - env:

  371.       # Specify the rule via an env var to avoid shell quoting issues.

  372.       - rule: "{{ name }} {{ rule }}"

  373.     - require_in:

  374.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  375. {% endfor %}

  376. {% endif %}

  377. {% if 'sudo_defaults' in user %}

  378. {% for entry in user['sudo_defaults'] %}

  379. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  380.   cmd.run:

  381.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  382.     - stateful: True

  383.     - shell: {{ users.visudo_shell }}

  384.     - env:

  385.       # Specify the rule via an env var to avoid shell quoting issues.

  386.       - rule: "Defaults:{{ name }} {{ entry }}"

  387.     - require_in:

  388.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  389. {% endfor %}

  390. {% endif %}

  391. #%#}

  392. 

  393. users_{{ users.sudoers_dir }}/{{ name }}:

  394.   file.managed:

  395.     - replace: True

  396.     - name: {{ users.sudoers_dir }}/{{ name }}

  397.     - contents: |

  398.       {%- if 'sudo_defaults' in user %}

  399.       {%- for entry in user['sudo_defaults'] %}

  400.         Defaults:{{ name }} {{ entry }}

  401.       {%- endfor %}

  402.       {%- endif %}

  403.       {%- if 'sudo_rules' in user %}

  404.         ########################################################################

  405.         # File managed by Salt (users-formula).

  406.         # Your changes will be overwritten.

  407.         ########################################################################

  408.         #

  409.       {%- for rule in user['sudo_rules'] %}

  410.         {{ name }} {{ rule }}

  411.       {%- endfor %}

  412.       {%- endif %}

  413.     - require:

  414.       - file: users_sudoer-defaults

  415.       - file: users_sudoer-{{ name }}

  416.   cmd.wait:

  417.     - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )

  418.     - watch:

  419.       - file: {{ users.sudoers_dir }}/{{ name }}

  420. {% endif %}

  421. {% else %}

  422. users_{{ users.sudoers_dir }}/{{ name }}:

  423.   file.absent:

  424.     - name: {{ users.sudoers_dir }}/{{ name }}

  425. {% endif %}

  426. 

  427. {%- if 'google_auth' in user %}

  428. {%- for svc in user['google_auth'] %}

  429. users_googleauth-{{ svc }}-{{ name }}:

  430.   file.managed:

  431.     - replace: false

  432.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  433.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  434.     - user: root

  435.     - group: {{ users.root_group }}

  436.     - mode: 400

  437.     - require:

  438.       - pkg: users_googleauth-package

  439. {%- endfor %}

  440. {%- endif %}

  441. 

  442. #

  443. # if not salt['cmd.has_exec']('git')

  444. # fails even if git is installed

  445. #

  446. # this doesn't work (Salt bug), therefore need to run state.apply twice

  447. #include:

  448. #  - users

  449. #

  450. #git:

  451. #  pkg.installed:

  452. #    - require_in:

  453. #      - sls: users

  454. #

  455. {% if 'gitconfig' in user %}

  456. {% for key, value in user['gitconfig'].items() %}

  457. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  458.   {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  459.   git.config_set:

  460.   {% else %}

  461.   git.config:

  462.   {% endif %}

  463.     - name: {{ key }}

  464.     - value: "{{ value }}"

  465.     - user: {{ name }}

  466.     {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  467.     - global: True

  468.     {% else %}

  469.     - is_global: True

  470.     {% endif %}

  471. {% endfor %}

  472. {% endif %}

  473. 

  474. {% endfor %}

  475. 

  476. 

  477. {% for name, user in pillar.get('users', {}).items()

  478.         if user.absent is defined and user.absent %}

  479. users_absent_user_{{ name }}:

  480. {% if 'purge' in user or 'force' in user %}

  481.   user.absent:

  482.     - name: {{ name }}

  483.     {% if 'purge' in user %}

  484.     - purge: {{ user['purge'] }}

  485.     {% endif %}

  486.     {% if 'force' in user %}

  487.     - force: {{ user['force'] }}

  488.     {% endif %}

  489. {% else %}

  490.   user.absent:

  491.     - name: {{ name }}

  492. {% endif -%}

  493. users_{{ users.sudoers_dir }}/{{ name }}:

  494.   file.absent:

  495.     - name: {{ users.sudoers_dir }}/{{ name }}

  496. {% endfor %}

  497. 

  498. {% for user in pillar.get('absent_users', []) %}

  499. users_absent_user_2_{{ user }}:

  500.   user.absent:

  501.     - name: {{ user }}

  502. users_2_{{ users.sudoers_dir }}/{{ user }}:

  503.   file.absent:

  504.     - name: {{ users.sudoers_dir }}/{{ user }}

  505. {% endfor %}

  506. 

  507. {% for group in pillar.get('absent_groups', []) %}

  508. users_absent_group_{{ group }}:

  509.   group.absent:

  510.     - name: {{ group }}

  511. {% endfor %}