ExternalMirrors
/
users-formula
kopia lustrzana https://github.com/saltstack-formulas/users-formula
Obserwuj 1
Polub 0
Forkuj 1
Kod Zgłoszenia 0 Wydania 13 Wiki Aktywność
Saltstack Official Users Formula
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
153 Commity
3 Gałęzie
Drzewo: 99a1a66010
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '99a1a66010'
${ noResults }
users-formula/users/init.sls

377 lines
11KB
Czysty Wina Historia 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. 

  6. {%- for name, user in pillar.get('users', {}).items()

  7.         if user.absent is not defined or not user.absent %}

  8. {%- if user == None -%}

  9. {%- set user = {} -%}

  10. {%- endif -%}

  11. {%- if 'sudouser' in user and user['sudouser'] %}

  12. {%- do used_sudo.append(1) %}

  13. {%- endif %}

  14. {%- if 'google_auth' in user %}

  15. {%- do used_googleauth.append(1) %}

  16. {%- endif %}

  17. {%- endfor %}

  18. 

  19. {%- if used_sudo or used_googleauth %}

  20. include:

  21. {%- if used_sudo %}

  22.   - users.sudo

  23. {%- endif %}

  24. {%- if used_googleauth %}

  25.   - users.googleauth

  26. {%- endif %}

  27. {%- endif %}

  28. 

  29. {% for name, user in pillar.get('users', {}).items()

  30.         if user.absent is not defined or not user.absent %}

  31. {%- if user == None -%}

  32. {%- set user = {} -%}

  33. {%- endif -%}

  34. {%- set home = user.get('home', "/home/%s" % name) -%}

  35. 

  36. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  37. {%- set user_group = user.prime_group.name -%}

  38. {%- else -%}

  39. {%- set user_group = name -%}

  40. {%- endif %}

  41. 

  42. {% for group in user.get('groups', []) %}

  43. users_{{ name }}_{{ group }}_group:

  44.   group:

  45.     - name: {{ group }}

  46.     - present

  47. {% endfor %}

  48. 

  49. users_{{ name }}_user:

  50.   {% if user.get('createhome', True) %}

  51.   file.directory:

  52.     - name: {{ home }}

  53.     - user: {{ name }}

  54.     - group: {{ user_group }}

  55.     - mode: {{ user.get('user_dir_mode', '0750') }}

  56.     - require:

  57.       - user: users_{{ name }}_user

  58.       - group: {{ user_group }}

  59.   {%- endif %}

  60.   group.present:

  61.     - name: {{ user_group }}

  62.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  63.     - gid: {{ user['prime_group']['gid'] }}

  64.     {%- elif 'uid' in user %}

  65.     - gid: {{ user['uid'] }}

  66.     {%- endif %}

  67.   user.present:

  68.     - name: {{ name }}

  69.     - home: {{ home }}

  70.     - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}

  71.     {% if 'uid' in user -%}

  72.     - uid: {{ user['uid'] }}

  73.     {% endif -%}

  74.     {% if 'password' in user -%}

  75.     - password: '{{ user['password'] }}'

  76.     {% endif -%}

  77.     {% if 'enforce_password' in user -%}

  78.     - enforce_password: {{ user['enforce_password'] }}

  79.     {% endif -%}

  80.     {% if user.get('system', False) -%}

  81.     - system: True

  82.     {% endif -%}

  83.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  84.     - gid: {{ user['prime_group']['gid'] }}

  85.     {% else -%}

  86.     - gid_from_name: True

  87.     {% endif -%}

  88.     {% if 'fullname' in user %}

  89.     - fullname: {{ user['fullname'] }}

  90.     {% endif -%}

  91.     {% if not user.get('createhome', True) %}

  92.     - createhome: False

  93.     {% endif %}

  94.     {% if 'expire' in user -%}

  95.     - expire: {{ user['expire'] }}

  96.     {% endif -%}

  97.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  98.     - groups:

  99.       - {{ user_group }}

  100.       {% for group in user.get('groups', []) -%}

  101.       - {{ group }}

  102.       {% endfor %}

  103.     - require:

  104.       - group: {{ user_group }}

  105.       {% for group in user.get('groups', []) -%}

  106.       - group: {{ group }}

  107.       {% endfor %}

  108. 

  109. 

  110.   {% if 'ssh_keys' in user or

  111.       'ssh_auth' in user or

  112.       'ssh_auth_file' in user or

  113.       'ssh_auth.absent' in user or

  114.       'ssh_config' in user %}

  115. user_keydir_{{ name }}:

  116.   file.directory:

  117.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  118.     - user: {{ name }}

  119.     - group: {{ user_group }}

  120.     - makedirs: True

  121.     - mode: 700

  122.     - require:

  123.       - user: {{ name }}

  124.       - group: {{ user_group }}

  125.       {%- for group in user.get('groups', []) %}

  126.       - group: {{ group }}

  127.       {%- endfor %}

  128.   {% endif %}

  129. 

  130.   {% if 'ssh_keys' in user %}

  131.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  132. users_user_{{ name }}_private_key:

  133.   file.managed:

  134.     - name: {{ user.get('home',

  135.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  136.     - user: {{ name }}

  137.     - group: {{ user_group }}

  138.     - mode: 600

  139.     - show_diff: False

  140.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  141.     - require:

  142.       - user: users_{{ name }}_user

  143.       {% for group in user.get('groups', []) %}

  144.       - group: users_{{ name }}_{{ group }}_group

  145.       {% endfor %}

  146. users_user_{{ name }}_public_key:

  147.   file.managed:

  148.     - name: {{ user.get('home',

  149.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  150.     - user: {{ name }}

  151.     - group: {{ user_group }}

  152.     - mode: 644

  153.     - show_diff: False

  154.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  155.     - require:

  156.       - user: users_{{ name }}_user

  157.       {% for group in user.get('groups', []) %}

  158.       - group: users_{{ name }}_{{ group }}_group

  159.       {% endfor %}

  160.   {% endif %}

  161. 

  162. {% if 'ssh_auth_file' in user %}

  163. users_authorized_keys_{{ name }}:

  164.   file.managed:

  165.     - name: {{ home }}/.ssh/authorized_keys

  166.     - user: {{ name }}

  167.     - group: {{ name }}

  168.     - mode: 600

  169.     - contents: |

  170.         {% for auth in user.ssh_auth_file -%}

  171.         {{ auth }}

  172.         {% endfor -%}

  173. {% endif %}

  174. 

  175. {% if 'ssh_auth' in user %}

  176. {% for auth in user['ssh_auth'] %}

  177. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  178.   ssh_auth.present:

  179.     - user: {{ name }}

  180.     - name: {{ auth }}

  181.     - require:

  182.         - file: users_{{ name }}_user

  183.         - user: users_{{ name }}_user

  184. {% endfor %}

  185. {% endif %}

  186. 

  187. {% if 'ssh_keys_pillar' in user %}

  188. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  189. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  190.   file.managed:

  191.     - name: {{ user.get('home',

  192.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}

  193.     - user: {{ name }}

  194.     - group: {{ user_group }}

  195.     - mode: 600

  196.     - show_diff: False

  197.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  198.     - require:

  199.       - user: users_{{ name }}_user

  200.       {% for group in user.get('groups', []) %}

  201.       - group: users_{{ name }}_{{ group }}_group

  202.       {% endfor %}

  203. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  204.   file.managed:

  205.     - name: {{ user.get('home',

  206.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub

  207.     - user: {{ name }}

  208.     - group: {{ user_group }}

  209.     - mode: 644

  210.     - show_diff: False

  211.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  212.     - require:

  213.       - user: users_{{ name }}_user

  214.       {% for group in user.get('groups', []) %}

  215.       - group: users_{{ name }}_{{ group }}_group

  216.       {% endfor %}

  217. {% endfor %}

  218. {% endif %}

  219. 

  220. {% if 'ssh_auth_sources' in user %}

  221. {% for pubkey_file in user['ssh_auth_sources'] %}

  222. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  223.   ssh_auth.present:

  224.     - user: {{ name }}

  225.     - source: {{ pubkey_file }}

  226.     - require:

  227.         - file: users_{{ name }}_user

  228.         - user: users_{{ name }}_user

  229. {% endfor %}

  230. {% endif %}

  231. 

  232. {% if 'ssh_auth.absent' in user %}

  233. {% for auth in user['ssh_auth.absent'] %}

  234. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  235.   ssh_auth.absent:

  236.     - user: {{ name }}

  237.     - name: {{ auth }}

  238.     - require:

  239.         - file: users_{{ name }}_user

  240.         - user: users_{{ name }}_user

  241. {% endfor %}

  242. {% endif %}

  243. 

  244. {% if 'ssh_config' in user %}

  245. users_ssh_config_{{ name }}:

  246.   file.managed:

  247.     - name: {{ home }}/.ssh/config

  248.     - user: {{ name }}

  249.     - group: {{ user_group }}

  250.     - mode: 640

  251.     - contents: |

  252.         # Managed by Saltstack

  253.         # Do Not Edit

  254.         {% for label, setting in user.ssh_config.items() %}

  255.         # {{ label }}

  256.         Host {{ setting.get('hostname') }}

  257.           {%- for opts in setting.get('options') %}

  258.           {{ opts }}

  259.           {%- endfor %}

  260.         {% endfor -%}

  261. {% endif %}

  262. 

  263. {% if 'sudouser' in user and user['sudouser'] %}

  264. 

  265. users_sudoer-{{ name }}:

  266.   file.managed:

  267.     - name: {{ users.sudoers_dir }}/{{ name }}

  268.     - user: root

  269.     - group: {{ users.root_group }}

  270.     - mode: '0440'

  271. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  272. {% if 'sudo_rules' in user %}

  273. {% for rule in user['sudo_rules'] %}

  274. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  275.   cmd.run:

  276.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  277.     - stateful: True

  278.     - shell: {{ users.visudo_shell }}

  279.     - env:

  280.       # Specify the rule via an env var to avoid shell quoting issues.

  281.       - rule: "{{ name }} {{ rule }}"

  282.     - require_in:

  283.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  284. {% endfor %}

  285. {% endif %}

  286. {% if 'sudo_defaults' in user %}

  287. {% for entry in user['sudo_defaults'] %}

  288. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  289.   cmd.run:

  290.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  291.     - stateful: True

  292.     - shell: {{ users.visudo_shell }}

  293.     - env:

  294.       # Specify the rule via an env var to avoid shell quoting issues.

  295.       - rule: "Defaults:{{ name }} {{ entry }}"

  296.     - require_in:

  297.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  298. {% endfor %}

  299. {% endif %}

  300. 

  301. users_{{ users.sudoers_dir }}/{{ name }}:

  302.   file.managed:

  303.     - name: {{ users.sudoers_dir }}/{{ name }}

  304.     - contents: |

  305.       {%- if 'sudo_defaults' in user %}

  306.       {%- for entry in user['sudo_defaults'] %}

  307.         Defaults:{{ name }} {{ entry }}

  308.       {%- endfor %}

  309.       {%- endif %}

  310.       {%- if 'sudo_rules' in user %}

  311.       {%- for rule in user['sudo_rules'] %}

  312.         {{ name }} {{ rule }}

  313.       {%- endfor %}

  314.       {%- endif %}

  315.     - require:

  316.       - file: users_sudoer-defaults

  317.       - file: users_sudoer-{{ name }}

  318. {% endif %}

  319. {% else %}

  320. users_{{ users.sudoers_dir }}/{{ name }}:

  321.   file.absent:

  322.     - name: {{ users.sudoers_dir }}/{{ name }}

  323. {% endif %}

  324. 

  325. {%- if 'google_auth' in user %}

  326. {%- for svc in user['google_auth'] %}

  327. users_googleauth-{{ svc }}-{{ name }}:

  328.   file.managed:

  329.     - replace: false

  330.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  331.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  332.     - user: root

  333.     - group: {{ users.root_group }}

  334.     - mode: 400

  335.     - require:

  336.       - pkg: users_googleauth-package

  337. {%- endfor %}

  338. {%- endif %}

  339. 

  340. {% endfor %}

  341. 

  342. 

  343. {% for name, user in pillar.get('users', {}).items()

  344.         if user.absent is defined and user.absent %}

  345. users_absent_user_{{ name }}:

  346. {% if 'purge' in user or 'force' in user %}

  347.   user.absent:

  348.     - name: {{ name }}

  349.     {% if 'purge' in user %}

  350.     - purge: {{ user['purge'] }}

  351.     {% endif %}

  352.     {% if 'force' in user %}

  353.     - force: {{ user['force'] }}

  354.     {% endif %}

  355. {% else %}

  356.   user.absent:

  357.     - name: {{ name }}

  358. {% endif -%}

  359. users_{{ users.sudoers_dir }}/{{ name }}:

  360.   file.absent:

  361.     - name: {{ users.sudoers_dir }}/{{ name }}

  362. {% endfor %}

  363. 

  364. {% for user in pillar.get('absent_users', []) %}

  365. users_absent_user_2_{{ user }}:

  366.   user.absent

  367. users_2_{{ users.sudoers_dir }}/{{ user }}:

  368.   file.absent:

  369.     - name: {{ users.sudoers_dir }}/{{ user }}

  370. {% endfor %}

  371. 

  372. {% for group in pillar.get('absent_groups', []) %}

  373. users_absent_group_{{ group }}:

  374.   group.absent:

  375.     - name: {{ group }}

  376. {% endfor %}