ExternalMirrors
/
users-formula
mirror of https://github.com/saltstack-formulas/users-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 13 Wiki Activity
Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
233 Commits
3 Branches
Tree: e1d0de230d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e1d0de230d'
${ noResults }
users-formula/users/init.sls

506 lines
14KB
Raw Blame History 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudouser' in user and user['sudouser'] %}

  13. {%- do used_sudo.append(1) %}

  14. {%- endif %}

  15. {%- if 'google_auth' in user %}

  16. {%- do used_googleauth.append(1) %}

  17. {%- endif %}

  18. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  19. {%- do used_user_files.append(1) %}

  20. {%- endif %}

  21. {%- endfor %}

  22. 

  23. {%- if used_sudo or used_googleauth or used_user_files %}

  24. include:

  25. {%- if used_sudo %}

  26.   - users.sudo

  27. {%- endif %}

  28. {%- if used_googleauth %}

  29.   - users.googleauth

  30. {%- endif %}

  31. {%- if used_user_files %}

  32.   - users.user_files

  33. {%- endif %}

  34. {%- endif %}

  35.   - users.polkit

  36. 

  37. {% for name, user in pillar.get('users', {}).items()

  38.         if user.absent is not defined or not user.absent %}

  39. {%- if user == None -%}

  40. {%- set user = {} -%}

  41. {%- endif -%}

  42. {%- set current = salt.user.info(name) -%}

  43. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  44. 

  45. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  46. {%- set user_group = user.prime_group.name -%}

  47. {%- else -%}

  48. {%- set user_group = name -%}

  49. {%- endif %}

  50. 

  51. {% for group in user.get('groups', []) %}

  52. users_{{ name }}_{{ group }}_group:

  53.   group.present:

  54.     - name: {{ group }}

  55.     {% if group == 'sudo' %}

  56.     - system: True

  57.     {% endif %}

  58. {% endfor %}

  59. 

  60. users_{{ name }}_user:

  61.   {% if user.get('createhome', True) %}

  62.   file.directory:

  63.     - name: {{ home }}

  64.     - user: {{ user.get('homedir_owner', name) }}

  65.     - group: {{ user.get('homedir_group', user_group) }}

  66.     - mode: {{ user.get('user_dir_mode', '0750') }}

  67.     - require:

  68.       - user: users_{{ name }}_user

  69.       - group: {{ user_group }}

  70.   {%- endif %}

  71.   group.present:

  72.     - name: {{ user_group }}

  73.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  74.     - gid: {{ user['prime_group']['gid'] }}

  75.     {%- elif 'uid' in user %}

  76.     - gid: {{ user['uid'] }}

  77.     {%- endif %}

  78.     {% if 'system' in user and user['system'] %}

  79.     - system: True

  80.     {% endif %}

  81.   user.present:

  82.     - name: {{ name }}

  83.     - home: {{ home }}

  84.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  85.     {% if 'uid' in user -%}

  86.     - uid: {{ user['uid'] }}

  87.     {% endif -%}

  88.     {% if 'password' in user -%}

  89.     - password: '{{ user['password'] }}'

  90.     {% endif -%}

  91.     {% if user.get('empty_password') -%}

  92.     - empty_password: {{ user.get('empty_password') }}

  93.     {% endif -%}

  94.     {% if 'enforce_password' in user -%}

  95.     - enforce_password: {{ user['enforce_password'] }}

  96.     {% endif -%}

  97.     {% if 'hash_password' in user -%}

  98.     - hash_password: {{ user['hash_password'] }}

  99.     {% endif -%}

  100.     {% if user.get('system', False) -%}

  101.     - system: True

  102.     {% endif -%}

  103.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  104.     - gid: {{ user['prime_group']['gid'] }}

  105.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  106.     - gid: {{ user['prime_group']['name'] }}

  107.     {% else -%}

  108.     - gid_from_name: True

  109.     {% endif -%}

  110.     {% if 'fullname' in user %}

  111.     - fullname: {{ user['fullname'] }}

  112.     {% endif -%}

  113.     {% if 'roomnumber' in user %}

  114.     - roomnumber: {{ user['roomnumber'] }}

  115.     {% endif %}

  116.     {% if 'workphone' in user %}

  117.     - workphone: {{ user['workphone'] }}

  118.     {% endif %}

  119.     {% if 'homephone' in user %}

  120.     - homephone: {{ user['workphone'] }}

  121.     {% endif %}

  122.     {% if not user.get('createhome', True) %}

  123.     - createhome: False

  124.     {% endif %}

  125.     {% if 'expire' in user -%}

  126.         {% if grains['kernel'].endswith('BSD') and

  127.             user['expire'] < 157766400 %}

  128.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  129.     - expire: {{ user['expire'] * 86400 }}

  130.         {% elif grains['kernel'] == 'Linux' and

  131.             user['expire'] > 84006 %}

  132.         {# 2932896 days since epoch equals 9999-12-31 #}

  133.     - expire: {{ (user['expire'] / 86400) | int}}

  134.         {% else %}

  135.     - expire: {{ user['expire'] }}

  136.         {% endif %}

  137.     {% endif -%}

  138.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  139.     - groups:

  140.       - {{ user_group }}

  141.       {% for group in user.get('groups', []) -%}

  142.       - {{ group }}

  143.       {% endfor %}

  144.     {% if 'optional_groups' in user %}

  145.     - optional_groups:

  146.       {% for optional_group in user['optional_groups'] -%}

  147.       - {{optional_group}}

  148.       {% endfor %}

  149.     {% endif %}

  150.     - require:

  151.       - group: {{ user_group }}

  152.       {% for group in user.get('groups', []) -%}

  153.       - group: {{ group }}

  154.       {% endfor %}

  155. 

  156. 

  157.   {% if 'ssh_keys' in user or

  158.       'ssh_auth' in user or

  159.       'ssh_auth_file' in user or

  160.       'ssh_auth_pillar' in user or

  161.       'ssh_auth.absent' in user or

  162.       'ssh_config' in user %}

  163. user_keydir_{{ name }}:

  164.   file.directory:

  165.     - name: {{ home }}/.ssh

  166.     - user: {{ name }}

  167.     - group: {{ user_group }}

  168.     - makedirs: True

  169.     - mode: 700

  170.     - require:

  171.       - user: {{ name }}

  172.       - group: {{ user_group }}

  173.       {%- for group in user.get('groups', []) %}

  174.       - group: {{ group }}

  175.       {%- endfor %}

  176.   {% endif %}

  177. 

  178.   {% if 'ssh_keys' in user %}

  179.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  180. users_user_{{ name }}_private_key:

  181.   file.managed:

  182.     - name: {{ home }}/.ssh/{{ key_type }}

  183.     - user: {{ name }}

  184.     - group: {{ user_group }}

  185.     - mode: 600

  186.     - show_diff: False

  187.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  188.     - require:

  189.       - user: users_{{ name }}_user

  190.       {% for group in user.get('groups', []) %}

  191.       - group: users_{{ name }}_{{ group }}_group

  192.       {% endfor %}

  193. users_user_{{ name }}_public_key:

  194.   file.managed:

  195.     - name: {{ home }}/.ssh/{{ key_type }}.pub

  196.     - user: {{ name }}

  197.     - group: {{ user_group }}

  198.     - mode: 644

  199.     - show_diff: False

  200.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  201.     - require:

  202.       - user: users_{{ name }}_user

  203.       {% for group in user.get('groups', []) %}

  204.       - group: users_{{ name }}_{{ group }}_group

  205.       {% endfor %}

  206.   {% endif %}

  207. 

  208. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  209. users_authorized_keys_{{ name }}:

  210.   file.managed:

  211.     - name: {{ home }}/.ssh/authorized_keys

  212.     - user: {{ name }}

  213.     - group: {{ user_group }}

  214.     - mode: 600

  215. {% if 'ssh_auth_file' in user %}

  216.     - contents: |

  217.         {% for auth in user.ssh_auth_file -%}

  218.         {{ auth }}

  219.         {% endfor -%}

  220. {% else %}

  221.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  222.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  223.         {%- endfor %}

  224. {% endif %}

  225. {% endif %}

  226. 

  227. {% if 'ssh_auth' in user %}

  228. {% for auth in user['ssh_auth'] %}

  229. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  230.   ssh_auth.present:

  231.     - user: {{ name }}

  232.     - name: {{ auth }}

  233.     - require:

  234.         - file: user_keydir_{{ name }}

  235.         - user: users_{{ name }}_user

  236. {% endfor %}

  237. {% endif %}

  238. 

  239. {% if 'ssh_keys_pillar' in user %}

  240. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  241. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  242.   file.managed:

  243.     - name: {{ home }}/.ssh/{{ key_name }}

  244.     - user: {{ name }}

  245.     - group: {{ user_group }}

  246.     - mode: 600

  247.     - show_diff: False

  248.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  249.     - require:

  250.       - user: users_{{ name }}_user

  251.       {% for group in user.get('groups', []) %}

  252.       - group: users_{{ name }}_{{ group }}_group

  253.       {% endfor %}

  254. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  255.   file.managed:

  256.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  257.     - user: {{ name }}

  258.     - group: {{ user_group }}

  259.     - mode: 644

  260.     - show_diff: False

  261.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  262.     - require:

  263.       - user: users_{{ name }}_user

  264.       {% for group in user.get('groups', []) %}

  265.       - group: users_{{ name }}_{{ group }}_group

  266.       {% endfor %}

  267. {% endfor %}

  268. {% endif %}

  269. 

  270. {% if 'ssh_auth_sources' in user %}

  271. {% for pubkey_file in user['ssh_auth_sources'] %}

  272. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  273.   ssh_auth.present:

  274.     - user: {{ name }}

  275.     - source: {{ pubkey_file }}

  276.     - require:

  277.         - file: users_{{ name }}_user

  278.         - user: users_{{ name }}_user

  279. {% endfor %}

  280. {% endif %}

  281. 

  282. {% if 'ssh_auth.absent' in user %}

  283. {% for auth in user['ssh_auth.absent'] %}

  284. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  285.   ssh_auth.absent:

  286.     - user: {{ name }}

  287.     - name: {{ auth }}

  288.     - require:

  289.         - file: users_{{ name }}_user

  290.         - user: users_{{ name }}_user

  291. {% endfor %}

  292. {% endif %}

  293. 

  294. {% if 'ssh_config' in user %}

  295. users_ssh_config_{{ name }}:

  296.   file.managed:

  297.     - name: {{ home }}/.ssh/config

  298.     - user: {{ name }}

  299.     - group: {{ user_group }}

  300.     - mode: 640

  301.     - contents: |

  302.         # Managed by Saltstack

  303.         # Do Not Edit

  304.         {% for label, setting in user.ssh_config.items() %}

  305.         # {{ label }}

  306.         Host {{ setting.get('hostname') }}

  307.           {%- for opts in setting.get('options') %}

  308.           {{ opts }}

  309.           {%- endfor %}

  310.         {% endfor -%}

  311. {% endif %}

  312. 

  313. {% if 'ssh_known_hosts' in user %}

  314. {% for hostname, host in user['ssh_known_hosts'].items() %}

  315. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  316.   ssh_known_hosts.present:

  317.     - user: {{ name }}

  318.     - name: {{ hostname }}

  319.     {% if 'port' in host %}

  320.     - port: {{ host['port'] }}

  321.     {% endif -%}

  322.     {% if 'fingerprint' in host %}

  323.     - fingerprint: {{ host['fingerprint'] }}

  324.     {% endif -%}

  325.     {% if 'key' in host %}

  326.     - key: {{ host['key'] }}

  327.     {% endif -%}

  328.     {% if 'enc' in host %}

  329.     - enc: {{ host['enc'] }}

  330.     {% endif -%}

  331.     {% if 'hash_hostname' in host %}

  332.     - hash_hostname: {{ host['hash_hostname'] }}

  333.     {% endif -%}

  334. {% endfor %}

  335. {% endif %}

  336. 

  337. {% if 'ssh_known_hosts.absent' in user %}

  338. {% for host in user['ssh_known_hosts.absent'] %}

  339. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  340.   ssh_known_hosts.absent:

  341.     - user: {{ name }}

  342.     - name: {{ host }}

  343. {% endfor %}

  344. {% endif %}

  345. 

  346. {% if 'sudouser' in user and user['sudouser'] %}

  347. 

  348. users_sudoer-{{ name }}:

  349.   file.managed:

  350.     - replace: False

  351.     - name: {{ users.sudoers_dir }}/{{ name }}

  352.     - user: root

  353.     - group: {{ users.root_group }}

  354.     - mode: '0440'

  355. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  356. #{#%

  357. {% if 'sudo_rules' in user %}

  358. {% for rule in user['sudo_rules'] %}

  359. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  360.   cmd.run:

  361.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  362.     - stateful: True

  363.     - shell: {{ users.visudo_shell }}

  364.     - env:

  365.       # Specify the rule via an env var to avoid shell quoting issues.

  366.       - rule: "{{ name }} {{ rule }}"

  367.     - require_in:

  368.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  369. {% endfor %}

  370. {% endif %}

  371. {% if 'sudo_defaults' in user %}

  372. {% for entry in user['sudo_defaults'] %}

  373. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  374.   cmd.run:

  375.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  376.     - stateful: True

  377.     - shell: {{ users.visudo_shell }}

  378.     - env:

  379.       # Specify the rule via an env var to avoid shell quoting issues.

  380.       - rule: "Defaults:{{ name }} {{ entry }}"

  381.     - require_in:

  382.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  383. {% endfor %}

  384. {% endif %}

  385. #%#}

  386. 

  387. users_{{ users.sudoers_dir }}/{{ name }}:

  388.   file.managed:

  389.     - replace: True

  390.     - name: {{ users.sudoers_dir }}/{{ name }}

  391.     - contents: |

  392.       {%- if 'sudo_defaults' in user %}

  393.       {%- for entry in user['sudo_defaults'] %}

  394.         Defaults:{{ name }} {{ entry }}

  395.       {%- endfor %}

  396.       {%- endif %}

  397.       {%- if 'sudo_rules' in user %}

  398.         ########################################################################

  399.         # File managed by Salt (users-formula).

  400.         # Your changes will be overwritten.

  401.         ########################################################################

  402.         #

  403.       {%- for rule in user['sudo_rules'] %}

  404.         {{ name }} {{ rule }}

  405.       {%- endfor %}

  406.       {%- endif %}

  407.     - require:

  408.       - file: users_sudoer-defaults

  409.       - file: users_sudoer-{{ name }}

  410.   cmd.wait:

  411.     - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )

  412.     - watch:

  413.       - file: {{ users.sudoers_dir }}/{{ name }}

  414. {% endif %}

  415. {% else %}

  416. users_{{ users.sudoers_dir }}/{{ name }}:

  417.   file.absent:

  418.     - name: {{ users.sudoers_dir }}/{{ name }}

  419. {% endif %}

  420. 

  421. {%- if 'google_auth' in user %}

  422. {%- for svc in user['google_auth'] %}

  423. users_googleauth-{{ svc }}-{{ name }}:

  424.   file.managed:

  425.     - replace: false

  426.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  427.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  428.     - user: root

  429.     - group: {{ users.root_group }}

  430.     - mode: 400

  431.     - require:

  432.       - pkg: users_googleauth-package

  433. {%- endfor %}

  434. {%- endif %}

  435. 

  436. #

  437. # if not salt['cmd.has_exec']('git')

  438. # fails even if git is installed

  439. #

  440. # this doesn't work (Salt bug), therefore need to run state.apply twice

  441. #include:

  442. #  - users

  443. #

  444. #git:

  445. #  pkg.installed:

  446. #    - require_in:

  447. #      - sls: users

  448. #

  449. {% if 'gitconfig' in user %}

  450. {% for key, value in user['gitconfig'].items() %}

  451. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  452.   {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  453.   git.config_set:

  454.   {% else %}

  455.   git.config:

  456.   {% endif %}

  457.     - name: {{ key }}

  458.     - value: "{{ value }}"

  459.     - user: {{ name }}

  460.     {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  461.     - global: True

  462.     {% else %}

  463.     - is_global: True

  464.     {% endif %}

  465. {% endfor %}

  466. {% endif %}

  467. 

  468. {% endfor %}

  469. 

  470. 

  471. {% for name, user in pillar.get('users', {}).items()

  472.         if user.absent is defined and user.absent %}

  473. users_absent_user_{{ name }}:

  474. {% if 'purge' in user or 'force' in user %}

  475.   user.absent:

  476.     - name: {{ name }}

  477.     {% if 'purge' in user %}

  478.     - purge: {{ user['purge'] }}

  479.     {% endif %}

  480.     {% if 'force' in user %}

  481.     - force: {{ user['force'] }}

  482.     {% endif %}

  483. {% else %}

  484.   user.absent:

  485.     - name: {{ name }}

  486. {% endif -%}

  487. users_{{ users.sudoers_dir }}/{{ name }}:

  488.   file.absent:

  489.     - name: {{ users.sudoers_dir }}/{{ name }}

  490. {% endfor %}

  491. 

  492. {% for user in pillar.get('absent_users', []) %}

  493. users_absent_user_2_{{ user }}:

  494.   user.absent:

  495.     - name: {{ user }}

  496. users_2_{{ users.sudoers_dir }}/{{ user }}:

  497.   file.absent:

  498.     - name: {{ users.sudoers_dir }}/{{ user }}

  499. {% endfor %}

  500. 

  501. {% for group in pillar.get('absent_groups', []) %}

  502. users_absent_group_{{ group }}:

  503.   group.absent:

  504.     - name: {{ group }}

  505. {% endfor %}