Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

480 lines
14KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudouser' in user and user['sudouser'] %}
  12. {%- do used_sudo.append(1) %}
  13. {%- endif %}
  14. {%- if 'google_auth' in user %}
  15. {%- do used_googleauth.append(1) %}
  16. {%- endif %}
  17. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  18. {%- do used_user_files.append(1) %}
  19. {%- endif %}
  20. {%- endfor %}
  21. {%- if used_sudo or used_googleauth or used_user_files %}
  22. include:
  23. {%- if used_sudo %}
  24. - users.sudo
  25. {%- endif %}
  26. {%- if used_googleauth %}
  27. - users.googleauth
  28. {%- endif %}
  29. {%- if used_user_files %}
  30. - users.user_files
  31. {%- endif %}
  32. {%- endif %}
  33. {% for name, user in pillar.get('users', {}).items()
  34. if user.absent is not defined or not user.absent %}
  35. {%- if user == None -%}
  36. {%- set user = {} -%}
  37. {%- endif -%}
  38. {%- set home = user.get('home', "/home/%s" % name) -%}
  39. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  40. {%- set user_group = user.prime_group.name -%}
  41. {%- else -%}
  42. {%- set user_group = name -%}
  43. {%- endif %}
  44. {% for group in user.get('groups', []) %}
  45. users_{{ name }}_{{ group }}_group:
  46. group.present:
  47. - name: {{ group }}
  48. {% if group == 'sudo' %}
  49. - system: True
  50. {% endif %}
  51. {% endfor %}
  52. users_{{ name }}_user:
  53. {% if user.get('createhome', True) %}
  54. file.directory:
  55. - name: {{ home }}
  56. - user: {{ name }}
  57. - group: {{ user_group }}
  58. - mode: {{ user.get('user_dir_mode', '0750') }}
  59. - require:
  60. - user: users_{{ name }}_user
  61. - group: {{ user_group }}
  62. {%- endif %}
  63. group.present:
  64. - name: {{ user_group }}
  65. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  66. - gid: {{ user['prime_group']['gid'] }}
  67. {%- elif 'uid' in user %}
  68. - gid: {{ user['uid'] }}
  69. {%- endif %}
  70. user.present:
  71. - name: {{ name }}
  72. - home: {{ home }}
  73. - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
  74. {% if 'uid' in user -%}
  75. - uid: {{ user['uid'] }}
  76. {% endif -%}
  77. {% if 'password' in user -%}
  78. - password: '{{ user['password'] }}'
  79. {% endif -%}
  80. {% if user.get('empty_password') -%}
  81. - empty_password: {{ user.get('empty_password') }}
  82. {% endif -%}
  83. {% if 'enforce_password' in user -%}
  84. - enforce_password: {{ user['enforce_password'] }}
  85. {% endif -%}
  86. {% if user.get('system', False) -%}
  87. - system: True
  88. {% endif -%}
  89. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  90. - gid: {{ user['prime_group']['gid'] }}
  91. {% else -%}
  92. - gid_from_name: True
  93. {% endif -%}
  94. {% if 'fullname' in user %}
  95. - fullname: {{ user['fullname'] }}
  96. {% endif -%}
  97. {% if 'roomnumber' in user %}
  98. - roomnumber: {{ user['roomnumber'] }}
  99. {% endif %}
  100. {% if 'workphone' in user %}
  101. - workphone: {{ user['workphone'] }}
  102. {% endif %}
  103. {% if 'homephone' in user %}
  104. - homephone: {{ user['workphone'] }}
  105. {% endif %}
  106. {% if not user.get('createhome', True) %}
  107. - createhome: False
  108. {% endif %}
  109. {% if 'expire' in user -%}
  110. {% if grains['kernel'].endswith('BSD') and
  111. user['expire'] < 157766400 %}
  112. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  113. - expire: {{ user['expire'] * 86400 }}
  114. {% elif grains['kernel'] == 'Linux' and
  115. user['expire'] > 84006 %}
  116. {# 2932896 days since epoch equals 9999-12-31 #}
  117. - expire: {{ (user['expire'] / 86400) | int}}
  118. {% else %}
  119. - expire: {{ user['expire'] }}
  120. {% endif %}
  121. {% endif -%}
  122. - remove_groups: {{ user.get('remove_groups', 'False') }}
  123. - groups:
  124. - {{ user_group }}
  125. {% for group in user.get('groups', []) -%}
  126. - {{ group }}
  127. {% endfor %}
  128. - require:
  129. - group: {{ user_group }}
  130. {% for group in user.get('groups', []) -%}
  131. - group: {{ group }}
  132. {% endfor %}
  133. {% if 'ssh_keys' in user or
  134. 'ssh_auth' in user or
  135. 'ssh_auth_file' in user or
  136. 'ssh_auth_pillar' in user or
  137. 'ssh_auth.absent' in user or
  138. 'ssh_config' in user %}
  139. user_keydir_{{ name }}:
  140. file.directory:
  141. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  142. - user: {{ name }}
  143. - group: {{ user_group }}
  144. - makedirs: True
  145. - mode: 700
  146. - require:
  147. - user: {{ name }}
  148. - group: {{ user_group }}
  149. {%- for group in user.get('groups', []) %}
  150. - group: {{ group }}
  151. {%- endfor %}
  152. {% endif %}
  153. {% if 'ssh_keys' in user %}
  154. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  155. users_user_{{ name }}_private_key:
  156. file.managed:
  157. - name: {{ user.get('home',
  158. '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  159. - user: {{ name }}
  160. - group: {{ user_group }}
  161. - mode: 600
  162. - show_diff: False
  163. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  164. - require:
  165. - user: users_{{ name }}_user
  166. {% for group in user.get('groups', []) %}
  167. - group: users_{{ name }}_{{ group }}_group
  168. {% endfor %}
  169. users_user_{{ name }}_public_key:
  170. file.managed:
  171. - name: {{ user.get('home',
  172. '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  173. - user: {{ name }}
  174. - group: {{ user_group }}
  175. - mode: 644
  176. - show_diff: False
  177. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  178. - require:
  179. - user: users_{{ name }}_user
  180. {% for group in user.get('groups', []) %}
  181. - group: users_{{ name }}_{{ group }}_group
  182. {% endfor %}
  183. {% endif %}
  184. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  185. users_authorized_keys_{{ name }}:
  186. file.managed:
  187. - name: {{ home }}/.ssh/authorized_keys
  188. - user: {{ name }}
  189. - group: {{ user_group }}
  190. - mode: 600
  191. {% if 'ssh_auth_file' in user %}
  192. - contents: |
  193. {% for auth in user.ssh_auth_file -%}
  194. {{ auth }}
  195. {% endfor -%}
  196. {% else %}
  197. - contents: |
  198. {%- for key_name, pillar_name in user['ssh_auth_pillar'].iteritems() %}
  199. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  200. {%- endfor %}
  201. {% endif %}
  202. {% endif %}
  203. {% if 'ssh_auth' in user %}
  204. {% for auth in user['ssh_auth'] %}
  205. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  206. ssh_auth.present:
  207. - user: {{ name }}
  208. - name: {{ auth }}
  209. - require:
  210. - file: users_{{ name }}_user
  211. - user: users_{{ name }}_user
  212. {% endfor %}
  213. {% endif %}
  214. {% if 'ssh_keys_pillar' in user %}
  215. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  216. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  217. file.managed:
  218. - name: {{ user.get('home',
  219. '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
  220. - user: {{ name }}
  221. - group: {{ user_group }}
  222. - mode: 600
  223. - show_diff: False
  224. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  225. - require:
  226. - user: users_{{ name }}_user
  227. {% for group in user.get('groups', []) %}
  228. - group: users_{{ name }}_{{ group }}_group
  229. {% endfor %}
  230. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  231. file.managed:
  232. - name: {{ user.get('home',
  233. '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
  234. - user: {{ name }}
  235. - group: {{ user_group }}
  236. - mode: 644
  237. - show_diff: False
  238. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  239. - require:
  240. - user: users_{{ name }}_user
  241. {% for group in user.get('groups', []) %}
  242. - group: users_{{ name }}_{{ group }}_group
  243. {% endfor %}
  244. {% endfor %}
  245. {% endif %}
  246. {% if 'ssh_auth_sources' in user %}
  247. {% for pubkey_file in user['ssh_auth_sources'] %}
  248. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  249. ssh_auth.present:
  250. - user: {{ name }}
  251. - source: {{ pubkey_file }}
  252. - require:
  253. - file: users_{{ name }}_user
  254. - user: users_{{ name }}_user
  255. {% endfor %}
  256. {% endif %}
  257. {% if 'ssh_auth.absent' in user %}
  258. {% for auth in user['ssh_auth.absent'] %}
  259. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  260. ssh_auth.absent:
  261. - user: {{ name }}
  262. - name: {{ auth }}
  263. - require:
  264. - file: users_{{ name }}_user
  265. - user: users_{{ name }}_user
  266. {% endfor %}
  267. {% endif %}
  268. {% if 'ssh_config' in user %}
  269. users_ssh_config_{{ name }}:
  270. file.managed:
  271. - name: {{ home }}/.ssh/config
  272. - user: {{ name }}
  273. - group: {{ user_group }}
  274. - mode: 640
  275. - contents: |
  276. # Managed by Saltstack
  277. # Do Not Edit
  278. {% for label, setting in user.ssh_config.items() %}
  279. # {{ label }}
  280. Host {{ setting.get('hostname') }}
  281. {%- for opts in setting.get('options') %}
  282. {{ opts }}
  283. {%- endfor %}
  284. {% endfor -%}
  285. {% endif %}
  286. {% if 'ssh_known_hosts' in user %}
  287. {% for hostname, host in user['ssh_known_hosts'].items() %}
  288. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  289. ssh_known_hosts.present:
  290. - user: {{ name }}
  291. - name: {{ hostname }}
  292. {% if 'port' in host %}
  293. - port: {{ host['port'] }}
  294. {% endif -%}
  295. {% if 'fingerprint' in host %}
  296. - fingerprint: {{ host['fingerprint'] }}
  297. {% endif -%}
  298. {% if 'key' in host %}
  299. - key: {{ host['key'] }}
  300. {% endif -%}
  301. {% if 'enc' in host %}
  302. - enc: {{ host['enc'] }}
  303. {% endif -%}
  304. {% if 'hash_hostname' in host %}
  305. - hash_hostname: {{ host['hash_hostname'] }}
  306. {% endif -%}
  307. {% endfor %}
  308. {% endif %}
  309. {% if 'ssh_known_hosts.absent' in user %}
  310. {% for host in user['ssh_known_hosts.absent'] %}
  311. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  312. ssh_known_hosts.absent:
  313. - user: {{ name }}
  314. - name: {{ host }}
  315. {% endfor %}
  316. {% endif %}
  317. {% if 'sudouser' in user and user['sudouser'] %}
  318. users_sudoer-{{ name }}:
  319. file.managed:
  320. - name: {{ users.sudoers_dir }}/{{ name }}
  321. - user: root
  322. - group: {{ users.root_group }}
  323. - mode: '0440'
  324. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  325. #{#%
  326. {% if 'sudo_rules' in user %}
  327. {% for rule in user['sudo_rules'] %}
  328. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  329. cmd.run:
  330. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  331. - stateful: True
  332. - shell: {{ users.visudo_shell }}
  333. - env:
  334. # Specify the rule via an env var to avoid shell quoting issues.
  335. - rule: "{{ name }} {{ rule }}"
  336. - require_in:
  337. - file: users_{{ users.sudoers_dir }}/{{ name }}
  338. {% endfor %}
  339. {% endif %}
  340. {% if 'sudo_defaults' in user %}
  341. {% for entry in user['sudo_defaults'] %}
  342. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  343. cmd.run:
  344. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  345. - stateful: True
  346. - shell: {{ users.visudo_shell }}
  347. - env:
  348. # Specify the rule via an env var to avoid shell quoting issues.
  349. - rule: "Defaults:{{ name }} {{ entry }}"
  350. - require_in:
  351. - file: users_{{ users.sudoers_dir }}/{{ name }}
  352. {% endfor %}
  353. {% endif %}
  354. #%#}
  355. users_{{ users.sudoers_dir }}/{{ name }}:
  356. file.managed:
  357. - name: {{ users.sudoers_dir }}/{{ name }}
  358. - contents: |
  359. {%- if 'sudo_defaults' in user %}
  360. {%- for entry in user['sudo_defaults'] %}
  361. Defaults:{{ name }} {{ entry }}
  362. {%- endfor %}
  363. {%- endif %}
  364. {%- if 'sudo_rules' in user %}
  365. {%- for rule in user['sudo_rules'] %}
  366. {{ name }} {{ rule }}
  367. {%- endfor %}
  368. {%- endif %}
  369. - require:
  370. - file: users_sudoer-defaults
  371. - file: users_sudoer-{{ name }}
  372. cmd.wait:
  373. - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )
  374. - watch:
  375. - file: {{ users.sudoers_dir }}/{{ name }}
  376. {% endif %}
  377. {% else %}
  378. users_{{ users.sudoers_dir }}/{{ name }}:
  379. file.absent:
  380. - name: {{ users.sudoers_dir }}/{{ name }}
  381. {% endif %}
  382. {%- if 'google_auth' in user %}
  383. {%- for svc in user['google_auth'] %}
  384. users_googleauth-{{ svc }}-{{ name }}:
  385. file.managed:
  386. - replace: false
  387. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  388. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  389. - user: root
  390. - group: {{ users.root_group }}
  391. - mode: 400
  392. - require:
  393. - pkg: users_googleauth-package
  394. {%- endfor %}
  395. {%- endif %}
  396. {% if 'gitconfig' in user %}
  397. {% if not salt['cmd.has_exec']('git') %}
  398. skip_{{ name }}_gitconfig_since_git_not_installed:
  399. test.fail_without_changes:
  400. - name: "Git configuration for user {{ name }} has been skipped because Git is not installed."
  401. {% else %}
  402. {% for key, value in user['gitconfig'].items() %}
  403. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  404. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  405. git.config_set:
  406. {% else %}
  407. git.config:
  408. {% endif %}
  409. - name: {{ key }}
  410. - value: "{{ value }}"
  411. - user: {{ name }}
  412. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  413. - global: True
  414. {% else %}
  415. - is_global: True
  416. {% endif %}
  417. {% endfor %}
  418. {% endif %}
  419. {% endif %}
  420. {% endfor %}
  421. {% for name, user in pillar.get('users', {}).items()
  422. if user.absent is defined and user.absent %}
  423. users_absent_user_{{ name }}:
  424. {% if 'purge' in user or 'force' in user %}
  425. user.absent:
  426. - name: {{ name }}
  427. {% if 'purge' in user %}
  428. - purge: {{ user['purge'] }}
  429. {% endif %}
  430. {% if 'force' in user %}
  431. - force: {{ user['force'] }}
  432. {% endif %}
  433. {% else %}
  434. user.absent:
  435. - name: {{ name }}
  436. {% endif -%}
  437. users_{{ users.sudoers_dir }}/{{ name }}:
  438. file.absent:
  439. - name: {{ users.sudoers_dir }}/{{ name }}
  440. {% endfor %}
  441. {% for user in pillar.get('absent_users', []) %}
  442. users_absent_user_2_{{ user }}:
  443. user.absent
  444. users_2_{{ users.sudoers_dir }}/{{ user }}:
  445. file.absent:
  446. - name: {{ users.sudoers_dir }}/{{ user }}
  447. {% endfor %}
  448. {% for group in pillar.get('absent_groups', []) %}
  449. users_absent_group_{{ group }}:
  450. group.absent:
  451. - name: {{ group }}
  452. {% endfor %}