ExternalMirrors
/
users-formula
의 미러 https://github.com/saltstack-formulas/users-formula
보기 1
좋아요 0
포크 1
코드 이슈 0 릴리즈 13 위키 Activity
Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
222 커밋
3 브랜치
트리: d8d2017629
브랜치 태그
${ item.name }
Create branch ${ searchTerm }
from 'd8d2017629'
${ noResults }
users-formula/users/init.sls

493 lines
14KB
Raw Blame 히스토리 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudouser' in user and user['sudouser'] %}

  13. {%- do used_sudo.append(1) %}

  14. {%- endif %}

  15. {%- if 'google_auth' in user %}

  16. {%- do used_googleauth.append(1) %}

  17. {%- endif %}

  18. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  19. {%- do used_user_files.append(1) %}

  20. {%- endif %}

  21. {%- endfor %}

  22. 

  23. {%- if used_sudo or used_googleauth or used_user_files %}

  24. include:

  25. {%- if used_sudo %}

  26.   - users.sudo

  27. {%- endif %}

  28. {%- if used_googleauth %}

  29.   - users.googleauth

  30. {%- endif %}

  31. {%- if used_user_files %}

  32.   - users.user_files

  33. {%- endif %}

  34. {%- endif %}

  35. 

  36. {% for name, user in pillar.get('users', {}).items()

  37.         if user.absent is not defined or not user.absent %}

  38. {%- if user == None -%}

  39. {%- set user = {} -%}

  40. {%- endif -%}

  41. {%- set current = salt.user.info(name) -%}

  42. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  43. 

  44. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  45. {%- set user_group = user.prime_group.name -%}

  46. {%- else -%}

  47. {%- set user_group = name -%}

  48. {%- endif %}

  49. 

  50. {% for group in user.get('groups', []) %}

  51. users_{{ name }}_{{ group }}_group:

  52.   group.present:

  53.     - name: {{ group }}

  54.     {% if group == 'sudo' %}

  55.     - system: True

  56.     {% endif %}

  57. {% endfor %}

  58. 

  59. users_{{ name }}_user:

  60.   {% if user.get('createhome', True) %}

  61.   file.directory:

  62.     - name: {{ home }}

  63.     - user: {{ name }}

  64.     - group: {{ user_group }}

  65.     - mode: {{ user.get('user_dir_mode', '0750') }}

  66.     - require:

  67.       - user: users_{{ name }}_user

  68.       - group: {{ user_group }}

  69.   {%- endif %}

  70.   group.present:

  71.     - name: {{ user_group }}

  72.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  73.     - gid: {{ user['prime_group']['gid'] }}

  74.     {%- elif 'uid' in user %}

  75.     - gid: {{ user['uid'] }}

  76.     {%- endif %}

  77.     {% if 'system' in user and user['system'] %}

  78.     - system: True

  79.     {% endif %}

  80.   user.present:

  81.     - name: {{ name }}

  82.     - home: {{ home }}

  83.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  84.     {% if 'uid' in user -%}

  85.     - uid: {{ user['uid'] }}

  86.     {% endif -%}

  87.     {% if 'password' in user -%}

  88.     - password: '{{ user['password'] }}'

  89.     {% endif -%}

  90.     {% if user.get('empty_password') -%}

  91.     - empty_password: {{ user.get('empty_password') }}

  92.     {% endif -%}

  93.     {% if 'enforce_password' in user -%}

  94.     - enforce_password: {{ user['enforce_password'] }}

  95.     {% endif -%}

  96.     {% if user.get('system', False) -%}

  97.     - system: True

  98.     {% endif -%}

  99.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  100.     - gid: {{ user['prime_group']['gid'] }}

  101.     {% else -%}

  102.     - gid_from_name: True

  103.     {% endif -%}

  104.     {% if 'fullname' in user %}

  105.     - fullname: {{ user['fullname'] }}

  106.     {% endif -%}

  107.     {% if 'roomnumber' in user %}

  108.     - roomnumber: {{ user['roomnumber'] }}

  109.     {% endif %}

  110.     {% if 'workphone' in user %}

  111.     - workphone: {{ user['workphone'] }}

  112.     {% endif %}

  113.     {% if 'homephone' in user %}

  114.     - homephone: {{ user['workphone'] }}

  115.     {% endif %}

  116.     {% if not user.get('createhome', True) %}

  117.     - createhome: False

  118.     {% endif %}

  119.     {% if 'expire' in user -%}

  120.         {% if grains['kernel'].endswith('BSD') and

  121.             user['expire'] < 157766400 %}

  122.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  123.     - expire: {{ user['expire'] * 86400 }}

  124.         {% elif grains['kernel'] == 'Linux' and

  125.             user['expire'] > 84006 %}

  126.         {# 2932896 days since epoch equals 9999-12-31 #}

  127.     - expire: {{ (user['expire'] / 86400) | int}}

  128.         {% else %}

  129.     - expire: {{ user['expire'] }}

  130.         {% endif %}

  131.     {% endif -%}

  132.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  133.     - groups:

  134.       - {{ user_group }}

  135.       {% for group in user.get('groups', []) -%}

  136.       - {{ group }}

  137.       {% endfor %}

  138.     {% if 'optional_groups' in user %}

  139.     - optional_groups:

  140.       {% for optional_group in user['optional_groups'] -%}

  141.       - {{optional_group}}

  142.       {% endfor %}

  143.     {% endif %}

  144.     - require:

  145.       - group: {{ user_group }}

  146.       {% for group in user.get('groups', []) -%}

  147.       - group: {{ group }}

  148.       {% endfor %}

  149. 

  150. 

  151.   {% if 'ssh_keys' in user or

  152.       'ssh_auth' in user or

  153.       'ssh_auth_file' in user or

  154.       'ssh_auth_pillar' in user or

  155.       'ssh_auth.absent' in user or

  156.       'ssh_config' in user %}

  157. user_keydir_{{ name }}:

  158.   file.directory:

  159.     - name: {{ home }}/.ssh

  160.     - user: {{ name }}

  161.     - group: {{ user_group }}

  162.     - makedirs: True

  163.     - mode: 700

  164.     - require:

  165.       - user: {{ name }}

  166.       - group: {{ user_group }}

  167.       {%- for group in user.get('groups', []) %}

  168.       - group: {{ group }}

  169.       {%- endfor %}

  170.   {% endif %}

  171. 

  172.   {% if 'ssh_keys' in user %}

  173.     {% for _key in user.ssh_keys.keys() %}

  174.       {% if _key == 'privkey' %}

  175.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}

  176.       {% elif _key ==  'pubkey' %}

  177.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}

  178.       {% else %}

  179.         {% set key_name = _key %}

  180.       {% endif %}

  181. users_{{ name }}_{{ key_name }}_key:

  182.   file.managed:

  183.     - name: {{ home }}/.ssh/{{ key_name }}

  184.     - user: {{ name }}

  185.     - group: {{ user_group }}

  186.       {% if key_name.endswith(".pub") %}

  187.     - mode: 644

  188.       {% else %}

  189.     - mode: 600

  190.       {% endif %}

  191.     - show_diff: False

  192.     - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}

  193.     - require:

  194.       - user: users_{{ name }}_user

  195.       {% for group in user.get('groups', []) %}

  196.       - group: users_{{ name }}_{{ group }}_group

  197.       {% endfor %}

  198.     {% endfor %}

  199.   {% endif %}

  200. 

  201. 

  202. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  203. users_authorized_keys_{{ name }}:

  204.   file.managed:

  205.     - name: {{ home }}/.ssh/authorized_keys

  206.     - user: {{ name }}

  207.     - group: {{ user_group }}

  208.     - mode: 600

  209. {% if 'ssh_auth_file' in user %}

  210.     - contents: |

  211.         {% for auth in user.ssh_auth_file -%}

  212.         {{ auth }}

  213.         {% endfor -%}

  214. {% else %}

  215.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  216.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  217.         {%- endfor %}

  218. {% endif %}

  219. {% endif %}

  220. 

  221. {% if 'ssh_auth' in user %}

  222. {% for auth in user['ssh_auth'] %}

  223. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  224.   ssh_auth.present:

  225.     - user: {{ name }}

  226.     - name: {{ auth }}

  227.     - require:

  228.         - file: user_keydir_{{ name }}

  229.         - user: users_{{ name }}_user

  230. {% endfor %}

  231. {% endif %}

  232. 

  233. {% if 'ssh_keys_pillar' in user %}

  234. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  235. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  236.   file.managed:

  237.     - name: {{ home }}/.ssh/{{ key_name }}

  238.     - user: {{ name }}

  239.     - group: {{ user_group }}

  240.     - mode: 600

  241.     - show_diff: False

  242.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  243.     - require:

  244.       - user: users_{{ name }}_user

  245.       {% for group in user.get('groups', []) %}

  246.       - group: users_{{ name }}_{{ group }}_group

  247.       {% endfor %}

  248. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  249.   file.managed:

  250.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  251.     - user: {{ name }}

  252.     - group: {{ user_group }}

  253.     - mode: 644

  254.     - show_diff: False

  255.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  256.     - require:

  257.       - user: users_{{ name }}_user

  258.       {% for group in user.get('groups', []) %}

  259.       - group: users_{{ name }}_{{ group }}_group

  260.       {% endfor %}

  261. {% endfor %}

  262. {% endif %}

  263. 

  264. {% if 'ssh_auth_sources' in user %}

  265. {% for pubkey_file in user['ssh_auth_sources'] %}

  266. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  267.   ssh_auth.present:

  268.     - user: {{ name }}

  269.     - source: {{ pubkey_file }}

  270.     - require:

  271.         - file: users_{{ name }}_user

  272.         - user: users_{{ name }}_user

  273. {% endfor %}

  274. {% endif %}

  275. 

  276. {% if 'ssh_auth.absent' in user %}

  277. {% for auth in user['ssh_auth.absent'] %}

  278. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  279.   ssh_auth.absent:

  280.     - user: {{ name }}

  281.     - name: {{ auth }}

  282.     - require:

  283.         - file: users_{{ name }}_user

  284.         - user: users_{{ name }}_user

  285. {% endfor %}

  286. {% endif %}

  287. 

  288. {% if 'ssh_config' in user %}

  289. users_ssh_config_{{ name }}:

  290.   file.managed:

  291.     - name: {{ home }}/.ssh/config

  292.     - user: {{ name }}

  293.     - group: {{ user_group }}

  294.     - mode: 640

  295.     - contents: |

  296.         # Managed by Saltstack

  297.         # Do Not Edit

  298.         {% for label, setting in user.ssh_config.items() %}

  299.         # {{ label }}

  300.         Host {{ setting.get('hostname') }}

  301.           {%- for opts in setting.get('options') %}

  302.           {{ opts }}

  303.           {%- endfor %}

  304.         {% endfor -%}

  305. {% endif %}

  306. 

  307. {% if 'ssh_known_hosts' in user %}

  308. {% for hostname, host in user['ssh_known_hosts'].items() %}

  309. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  310.   ssh_known_hosts.present:

  311.     - user: {{ name }}

  312.     - name: {{ hostname }}

  313.     {% if 'port' in host %}

  314.     - port: {{ host['port'] }}

  315.     {% endif -%}

  316.     {% if 'fingerprint' in host %}

  317.     - fingerprint: {{ host['fingerprint'] }}

  318.     {% endif -%}

  319.     {% if 'key' in host %}

  320.     - key: {{ host['key'] }}

  321.     {% endif -%}

  322.     {% if 'enc' in host %}

  323.     - enc: {{ host['enc'] }}

  324.     {% endif -%}

  325.     {% if 'hash_hostname' in host %}

  326.     - hash_hostname: {{ host['hash_hostname'] }}

  327.     {% endif -%}

  328. {% endfor %}

  329. {% endif %}

  330. 

  331. {% if 'ssh_known_hosts.absent' in user %}

  332. {% for host in user['ssh_known_hosts.absent'] %}

  333. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  334.   ssh_known_hosts.absent:

  335.     - user: {{ name }}

  336.     - name: {{ host }}

  337. {% endfor %}

  338. {% endif %}

  339. 

  340. {% if 'sudouser' in user and user['sudouser'] %}

  341. 

  342. users_sudoer-{{ name }}:

  343.   file.managed:

  344.     - replace: False

  345.     - name: {{ users.sudoers_dir }}/{{ name }}

  346.     - user: root

  347.     - group: {{ users.root_group }}

  348.     - mode: '0440'

  349. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  350. #{#%

  351. {% if 'sudo_rules' in user %}

  352. {% for rule in user['sudo_rules'] %}

  353. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  354.   cmd.run:

  355.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  356.     - stateful: True

  357.     - shell: {{ users.visudo_shell }}

  358.     - env:

  359.       # Specify the rule via an env var to avoid shell quoting issues.

  360.       - rule: "{{ name }} {{ rule }}"

  361.     - require_in:

  362.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  363. {% endfor %}

  364. {% endif %}

  365. {% if 'sudo_defaults' in user %}

  366. {% for entry in user['sudo_defaults'] %}

  367. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  368.   cmd.run:

  369.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  370.     - stateful: True

  371.     - shell: {{ users.visudo_shell }}

  372.     - env:

  373.       # Specify the rule via an env var to avoid shell quoting issues.

  374.       - rule: "Defaults:{{ name }} {{ entry }}"

  375.     - require_in:

  376.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  377. {% endfor %}

  378. {% endif %}

  379. #%#}

  380. 

  381. users_{{ users.sudoers_dir }}/{{ name }}:

  382.   file.managed:

  383.     - replace: True

  384.     - name: {{ users.sudoers_dir }}/{{ name }}

  385.     - contents: |

  386.       {%- if 'sudo_defaults' in user %}

  387.       {%- for entry in user['sudo_defaults'] %}

  388.         Defaults:{{ name }} {{ entry }}

  389.       {%- endfor %}

  390.       {%- endif %}

  391.       {%- if 'sudo_rules' in user %}

  392.         ########################################################################

  393.         # File managed by Salt (users-formula).

  394.         # Your changes will be overwritten.

  395.         ########################################################################

  396.         #

  397.       {%- for rule in user['sudo_rules'] %}

  398.         {{ name }} {{ rule }}

  399.       {%- endfor %}

  400.       {%- endif %}

  401.     - require:

  402.       - file: users_sudoer-defaults

  403.       - file: users_sudoer-{{ name }}

  404.   cmd.wait:

  405.     - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )

  406.     - watch:

  407.       - file: {{ users.sudoers_dir }}/{{ name }}

  408. {% endif %}

  409. {% else %}

  410. users_{{ users.sudoers_dir }}/{{ name }}:

  411.   file.absent:

  412.     - name: {{ users.sudoers_dir }}/{{ name }}

  413. {% endif %}

  414. 

  415. {%- if 'google_auth' in user %}

  416. {%- for svc in user['google_auth'] %}

  417. users_googleauth-{{ svc }}-{{ name }}:

  418.   file.managed:

  419.     - replace: false

  420.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  421.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  422.     - user: root

  423.     - group: {{ users.root_group }}

  424.     - mode: 400

  425.     - require:

  426.       - pkg: users_googleauth-package

  427. {%- endfor %}

  428. {%- endif %}

  429. 

  430. {% if 'gitconfig' in user %}

  431. {% if not salt['cmd.has_exec']('git') %}

  432. skip_{{ name }}_gitconfig_since_git_not_installed:

  433.   test.fail_without_changes:

  434.     - name: "Git configuration for user {{ name }} has been skipped because Git is not installed."

  435. {% else %}

  436. {% for key, value in user['gitconfig'].items() %}

  437. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  438.   {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  439.   git.config_set:

  440.   {% else %}

  441.   git.config:

  442.   {% endif %}

  443.     - name: {{ key }}

  444.     - value: "{{ value }}"

  445.     - user: {{ name }}

  446.     {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  447.     - global: True

  448.     {% else %}

  449.     - is_global: True

  450.     {% endif %}

  451. {% endfor %}

  452. {% endif %}

  453. {% endif %}

  454. 

  455. {% endfor %}

  456. 

  457. 

  458. {% for name, user in pillar.get('users', {}).items()

  459.         if user.absent is defined and user.absent %}

  460. users_absent_user_{{ name }}:

  461. {% if 'purge' in user or 'force' in user %}

  462.   user.absent:

  463.     - name: {{ name }}

  464.     {% if 'purge' in user %}

  465.     - purge: {{ user['purge'] }}

  466.     {% endif %}

  467.     {% if 'force' in user %}

  468.     - force: {{ user['force'] }}

  469.     {% endif %}

  470. {% else %}

  471.   user.absent:

  472.     - name: {{ name }}

  473. {% endif -%}

  474. users_{{ users.sudoers_dir }}/{{ name }}:

  475.   file.absent:

  476.     - name: {{ users.sudoers_dir }}/{{ name }}

  477. {% endfor %}

  478. 

  479. {% for user in pillar.get('absent_users', []) %}

  480. users_absent_user_2_{{ user }}:

  481.   user.absent:

  482.     - name: {{ name }}

  483. users_2_{{ users.sudoers_dir }}/{{ user }}:

  484.   file.absent:

  485.     - name: {{ users.sudoers_dir }}/{{ user }}

  486. {% endfor %}

  487. 

  488. {% for group in pillar.get('absent_groups', []) %}

  489. users_absent_group_{{ group }}:

  490.   group.absent:

  491.     - name: {{ group }}

  492. {% endfor %}