Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

195 line
5.5KB

  1. users-formula:
  2. use_vim_formula: True
  3. lookup: # override the defauls in map.jinja
  4. root_group: root
  5. # group initialization
  6. groups:
  7. foo:
  8. state: present
  9. gid: 500
  10. system: False
  11. users:
  12. ## Minimal required pillar values
  13. auser:
  14. fullname: A User
  15. ## Full list of pillar values
  16. allow_gid_change: False
  17. buser:
  18. fullname: B User
  19. password: $6$w.............
  20. enforce_password: True
  21. # WARNING: If 'empty_password' is set to True, the 'password' statement
  22. # will be ignored by enabling password-less login for the user.
  23. empty_password: False
  24. hash_password: False
  25. system: False
  26. home: /custom/buser
  27. homedir_owner: buser
  28. homedir_group: primarygroup
  29. user_dir_mode: 750
  30. createhome: True
  31. roomnumber: "A-1"
  32. workphone: "(555) 555-5555"
  33. homephone: "(555) 555-5551"
  34. manage_vimrc: False
  35. allow_gid_change: True
  36. manage_bashrc: False
  37. manage_profile: False
  38. expire: 16426
  39. # Disables user management except sudo rules.
  40. # Useful for setting sudo rules for system accounts created by package instalation
  41. sudoonly: False
  42. sudouser: True
  43. # sudo_rules doesn't need the username as a prefix for the rule
  44. # this is added automatically by the formula.
  45. # ----------------------------------------------------------------------
  46. # In case your sudo_rules have a colon please have in mind to not leave
  47. # spaces around it. For example:
  48. # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
  49. # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
  50. sudo_rules:
  51. - ALL=(root) /usr/bin/find
  52. - ALL=(otheruser) /usr/bin/script.sh
  53. sudo_defaults:
  54. - '!requiretty'
  55. # enable polkitadmin to make user an AdminIdentity for polkit
  56. polkitadmin: True
  57. shell: /bin/bash
  58. remove_groups: False
  59. prime_group:
  60. name: primarygroup
  61. gid: 500
  62. groups:
  63. - users
  64. optional_groups:
  65. - some_groups_that_might
  66. - not_exist_on_all_minions
  67. ssh_key_type: rsa
  68. # You can inline the private keys ...
  69. ssh_keys:
  70. privkey: PRIVATEKEY
  71. pubkey: PUBLICKEY
  72. # or you can provide path to key on Salt fileserver
  73. privkey: salt://path_to_PRIVATEKEY
  74. pubkey: salt://path_to_PUBLICKEY
  75. # you can provide multiple keys, the keyname is taken as filename
  76. # make sure your public keys suffix is .pub
  77. foobar: PRIVATEKEY
  78. foobar.pub: PUBLICKEY
  79. # ... or you can pull them from a different pillar,
  80. # for example one called "ssh_keys":
  81. ssh_keys_pillar:
  82. id_rsa: "ssh_keys"
  83. another_key_pair: "ssh_keys"
  84. ssh_auth:
  85. - PUBLICKEY
  86. ssh_auth.absent:
  87. - PUBLICKEY_TO_BE_REMOVED
  88. # Generates an authorized_keys file for the user
  89. # with the given keys
  90. ssh_auth_file:
  91. - PUBLICKEY
  92. # ... or you can pull them from a different pillar similar to ssh_keys_pillar
  93. ssh_auth_pillar:
  94. id_rsa: "ssh_keys"
  95. # If you prefer to keep public keys as files rather
  96. # than inline in pillar, this works.
  97. ssh_auth_sources:
  98. - salt://keys/buser.id_rsa.pub
  99. ssh_auth_sources.absent:
  100. - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
  101. # Manage the ~/.ssh/config file
  102. ssh_known_hosts:
  103. importanthost:
  104. port: 22
  105. fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
  106. key: PUBLICKEY
  107. enc: ssh-rsa
  108. hash_known_hosts: True
  109. timeout: 5
  110. fingerprint_hash_type: sha256
  111. ssh_known_hosts.absent:
  112. - notimportanthost
  113. ssh_config:
  114. all:
  115. hostname: "*"
  116. options:
  117. - "StrictHostKeyChecking no"
  118. - "UserKnownHostsFile=/dev/null"
  119. importanthost:
  120. hostname: "needcheck.example.com"
  121. options:
  122. - "StrictHostKeyChecking yes"
  123. # Using gitconfig without Git installed will result in an error
  124. # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
  125. # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
  126. gitconfig:
  127. user.name: B User
  128. user.email: buser@example.com
  129. "url.https://.insteadOf": "git://"
  130. gitconfig.absent:
  131. - push.default
  132. - color\..+
  133. google_2fa: True
  134. google_auth:
  135. ssh: |
  136. SOMEGAUTHHASHVAL
  137. " RESETTING_TIME_SKEW 46956472+2 46991595-2
  138. " RATE_LIMIT 3 30 1415800560
  139. " DISALLOW_REUSE 47193352
  140. " TOTP_AUTH
  141. 11111111
  142. 22222222
  143. 33333333
  144. 44444444
  145. 55555555
  146. # unique: True allows user to have non unique uid
  147. unique: False
  148. uid: 1001
  149. user_files:
  150. enabled: True
  151. # 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
  152. # should be a salt fileserver path either with or without 'salt://'
  153. # if not present, it defaults to 'salt://users/files/user/<username>
  154. source: users/files/default
  155. template: jinja
  156. # You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
  157. # it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
  158. # execution bit for example.
  159. file_mode: keep
  160. sym_mode: 640
  161. exclude_pat: "*.gitignore"
  162. ## Absent user
  163. cuser:
  164. absent: True
  165. purge: True
  166. force: True
  167. ## Old syntax of absent_users still supported
  168. absent_users:
  169. - donald
  170. - bad_guy
  171. groups:
  172. badguys:
  173. absent: True
  174. niceguys:
  175. gid: 4242
  176. system: False
  177. addusers: root
  178. delusers: toor
  179. ssl-cert:
  180. system: True
  181. members:
  182. - www-data
  183. - openldap