ExternalMirrors
/
users-formula
miroir de https://github.com/saltstack-formulas/users-formula
Suivre 1
Ajouter aux favoris 0
Bifurcation 1
Code Tickets 0 Versions 13 Wiki Activité
Saltstack Official Users Formula
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
283 Révisions
3 Branches
Aborescence: e33c76edb6
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'e33c76edb6'
${ noResults }
users-formula/users/init.sls

523 lines
15KB
Brut Annotations Historique 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudouser' in user and user['sudouser'] %}

  13. {%- do used_sudo.append(1) %}

  14. {%- endif %}

  15. {%- if 'google_auth' in user %}

  16. {%- do used_googleauth.append(1) %}

  17. {%- endif %}

  18. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  19. {%- do used_user_files.append(1) %}

  20. {%- endif %}

  21. {%- endfor %}

  22. 

  23. {%- if used_sudo or used_googleauth or used_user_files %}

  24. include:

  25. {%- if used_sudo %}

  26.   - users.sudo

  27. {%- endif %}

  28. {%- if used_googleauth %}

  29.   - users.googleauth

  30. {%- endif %}

  31. {%- if used_user_files %}

  32.   - users.user_files

  33. {%- endif %}

  34. {%- endif %}

  35. 

  36. {% for name, user in pillar.get('users', {}).items()

  37.         if user.absent is not defined or not user.absent %}

  38. {%- if user == None -%}

  39. {%- set user = {} -%}

  40. {%- endif -%}

  41. {%- set current = salt.user.info(name) -%}

  42. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  43. 

  44. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  45. {%- set user_group = user.prime_group.name -%}

  46. {%- else -%}

  47. {%- set user_group = name -%}

  48. {%- endif %}

  49. 

  50. {% for group in user.get('groups', []) %}

  51. users_{{ name }}_{{ group }}_group:

  52.   group.present:

  53.     - name: {{ group }}

  54.     {% if group == 'sudo' %}

  55.     - system: True

  56.     {% endif %}

  57. {% endfor %}

  58. 

  59. users_{{ name }}_user:

  60.   {% if user.get('createhome', True) %}

  61.   file.directory:

  62.     - name: {{ home }}

  63.     - user: {{ user.get('homedir_owner', name) }}

  64.     - group: {{ user.get('homedir_group', user_group) }}

  65.     - mode: {{ user.get('user_dir_mode', '0750') }}

  66.     - makedirs: True

  67.     - require:

  68.       - user: users_{{ name }}_user

  69.       - group: {{ user_group }}

  70.   {%- endif %}

  71.   group.present:

  72.     - name: {{ user_group }}

  73.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  74.     - gid: {{ user['prime_group']['gid'] }}

  75.     {%- elif 'uid' in user %}

  76.     - gid: {{ user['uid'] }}

  77.     {%- endif %}

  78.     {% if 'system' in user and user['system'] %}

  79.     - system: True

  80.     {% endif %}

  81.   user.present:

  82.     - name: {{ name }}

  83.     - home: {{ home }}

  84.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  85.     {% if 'uid' in user -%}

  86.     - uid: {{ user['uid'] }}

  87.     {% endif -%}

  88.     {% if 'password' in user -%}

  89.     - password: '{{ user['password'] }}'

  90.     {% endif -%}

  91.     {% if user.get('empty_password') -%}

  92.     - empty_password: {{ user.get('empty_password') }}

  93.     {% endif -%}

  94.     {% if 'enforce_password' in user -%}

  95.     - enforce_password: {{ user['enforce_password'] }}

  96.     {% endif -%}

  97.     {% if 'hash_password' in user -%}

  98.     - hash_password: {{ user['hash_password'] }}

  99.     {% endif -%}

  100.     {% if user.get('system', False) -%}

  101.     - system: True

  102.     {% endif -%}

  103.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  104.     - gid: {{ user['prime_group']['gid'] }}

  105.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  106.     - gid: {{ user['prime_group']['name'] }}

  107.     {% else -%}

  108.     - gid_from_name: True

  109.     {% endif -%}

  110.     {% if 'fullname' in user %}

  111.     - fullname: {{ user['fullname'] }}

  112.     {% endif -%}

  113.     {% if 'roomnumber' in user %}

  114.     - roomnumber: {{ user['roomnumber'] }}

  115.     {% endif %}

  116.     {% if 'workphone' in user %}

  117.     - workphone: {{ user['workphone'] }}

  118.     {% endif %}

  119.     {% if 'homephone' in user %}

  120.     - homephone: {{ user['homephone'] }}

  121.     {% endif %}

  122.     {% if not user.get('createhome', True) %}

  123.     - createhome: False

  124.     {% endif %}

  125.     {% if 'expire' in user -%}

  126.         {% if grains['kernel'].endswith('BSD') and

  127.             user['expire'] < 157766400 %}

  128.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  129.     - expire: {{ user['expire'] * 86400 }}

  130.         {% elif grains['kernel'] == 'Linux' and

  131.             user['expire'] > 84006 %}

  132.         {# 2932896 days since epoch equals 9999-12-31 #}

  133.     - expire: {{ (user['expire'] / 86400) | int}}

  134.         {% else %}

  135.     - expire: {{ user['expire'] }}

  136.         {% endif %}

  137.     {% endif -%}

  138.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  139.     - groups:

  140.       - {{ user_group }}

  141.       {% for group in user.get('groups', []) -%}

  142.       - {{ group }}

  143.       {% endfor %}

  144.     {% if 'optional_groups' in user %}

  145.     - optional_groups:

  146.       {% for optional_group in user['optional_groups'] -%}

  147.       - {{optional_group}}

  148.       {% endfor %}

  149.     {% endif %}

  150.     - require:

  151.       - group: {{ user_group }}

  152.       {% for group in user.get('groups', []) -%}

  153.       - group: {{ group }}

  154.       {% endfor %}

  155. 

  156. 

  157.   {% if 'ssh_keys' in user or

  158.       'ssh_auth' in user or

  159.       'ssh_auth_file' in user or

  160.       'ssh_auth_pillar' in user or

  161.       'ssh_auth.absent' in user or

  162.       'ssh_config' in user %}

  163. user_keydir_{{ name }}:

  164.   file.directory:

  165.     - name: {{ home }}/.ssh

  166.     - user: {{ name }}

  167.     - group: {{ user_group }}

  168.     - makedirs: True

  169.     - mode: 700

  170.     - require:

  171.       - user: {{ name }}

  172.       - group: {{ user_group }}

  173.       {%- for group in user.get('groups', []) %}

  174.       - group: {{ group }}

  175.       {%- endfor %}

  176.   {% endif %}

  177. 

  178.   {% if 'ssh_keys' in user %}

  179.     {% for _key in user.ssh_keys.keys() %}

  180.       {% if _key == 'privkey' %}

  181.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}

  182.       {% elif _key ==  'pubkey' %}

  183.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}

  184.       {% else %}

  185.         {% set key_name = _key %}

  186.       {% endif %}

  187. users_{{ name }}_{{ key_name }}_key:

  188.   file.managed:

  189.     - name: {{ home }}/.ssh/{{ key_name }}

  190.     - user: {{ name }}

  191.     - group: {{ user_group }}

  192.       {% if key_name.endswith(".pub") %}

  193.     - mode: 644

  194.       {% else %}

  195.     - mode: 600

  196.       {% endif %}

  197.     - show_diff: False

  198.     {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}

  199.     {%- if 'salt://' in key_value[:7] %}

  200.     - source: {{ key_value }}

  201.     {%- else %}

  202.     - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}

  203.     {%- endif %}

  204.     - require:

  205.       - user: users_{{ name }}_user

  206.       {% for group in user.get('groups', []) %}

  207.       - group: users_{{ name }}_{{ group }}_group

  208.       {% endfor %}

  209.     {% endfor %}

  210.   {% endif %}

  211. 

  212. 

  213. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  214. users_authorized_keys_{{ name }}:

  215.   file.managed:

  216.     - name: {{ home }}/.ssh/authorized_keys

  217.     - user: {{ name }}

  218.     - group: {{ user_group }}

  219.     - mode: 600

  220. {% if 'ssh_auth_file' in user %}

  221.     - contents: |

  222.         {% for auth in user.ssh_auth_file -%}

  223.         {{ auth }}

  224.         {% endfor -%}

  225. {% else %}

  226.     - contents: |

  227.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  228.         {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}

  229.         {%- endfor %}

  230. {% endif %}

  231. {% endif %}

  232. 

  233. {% if 'ssh_auth' in user %}

  234. {% for auth in user['ssh_auth'] %}

  235. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  236.   ssh_auth.present:

  237.     - user: {{ name }}

  238.     - name: {{ auth }}

  239.     - require:

  240.         - file: user_keydir_{{ name }}

  241.         - user: users_{{ name }}_user

  242. {% endfor %}

  243. {% endif %}

  244. 

  245. {% if 'ssh_keys_pillar' in user %}

  246. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  247. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  248.   file.managed:

  249.     - name: {{ home }}/.ssh/{{ key_name }}

  250.     - user: {{ name }}

  251.     - group: {{ user_group }}

  252.     - mode: 600

  253.     - show_diff: False

  254.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  255.     - require:

  256.       - user: users_{{ name }}_user

  257.       {% for group in user.get('groups', []) %}

  258.       - group: users_{{ name }}_{{ group }}_group

  259.       {% endfor %}

  260. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  261.   file.managed:

  262.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  263.     - user: {{ name }}

  264.     - group: {{ user_group }}

  265.     - mode: 644

  266.     - show_diff: False

  267.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  268.     - require:

  269.       - user: users_{{ name }}_user

  270.       {% for group in user.get('groups', []) %}

  271.       - group: users_{{ name }}_{{ group }}_group

  272.       {% endfor %}

  273. {% endfor %}

  274. {% endif %}

  275. 

  276. {% if 'ssh_auth_sources' in user %}

  277. {% for pubkey_file in user['ssh_auth_sources'] %}

  278. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  279.   ssh_auth.present:

  280.     - user: {{ name }}

  281.     - source: {{ pubkey_file }}

  282.     - require:

  283.         - file: users_{{ name }}_user

  284.         - user: users_{{ name }}_user

  285. {% endfor %}

  286. {% endif %}

  287. 

  288. {% if 'ssh_auth_sources.absent' in user %}

  289. {% for pubkey_file in user['ssh_auth_sources.absent'] %}

  290. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:

  291.   ssh_auth.absent:

  292.     - user: {{ name }}

  293.     - source: {{ pubkey_file }}

  294.     - require:

  295.         - file: users_{{ name }}_user

  296.         - user: users_{{ name }}_user

  297. {% endfor %}

  298. {% endif %}

  299. 

  300. {% if 'ssh_auth.absent' in user %}

  301. {% for auth in user['ssh_auth.absent'] %}

  302. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  303.   ssh_auth.absent:

  304.     - user: {{ name }}

  305.     - name: {{ auth }}

  306.     - require:

  307.         - file: users_{{ name }}_user

  308.         - user: users_{{ name }}_user

  309. {% endfor %}

  310. {% endif %}

  311. 

  312. {% if 'ssh_config' in user %}

  313. users_ssh_config_{{ name }}:

  314.   file.managed:

  315.     - name: {{ home }}/.ssh/config

  316.     - user: {{ name }}

  317.     - group: {{ user_group }}

  318.     - mode: 640

  319.     - contents: |

  320.         # Managed by Saltstack

  321.         # Do Not Edit

  322.         {% for label, setting in user.ssh_config.items() %}

  323.         # {{ label }}

  324.         Host {{ setting.get('hostname') }}

  325.           {%- for opts in setting.get('options') %}

  326.           {{ opts }}

  327.           {%- endfor %}

  328.         {% endfor -%}

  329. {% endif %}

  330. 

  331. {% if 'ssh_known_hosts' in user %}

  332. {% for hostname, host in user['ssh_known_hosts'].items() %}

  333. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  334.   ssh_known_hosts.present:

  335.     - user: {{ name }}

  336.     - name: {{ hostname }}

  337.     {% if 'port' in host %}

  338.     - port: {{ host['port'] }}

  339.     {% endif -%}

  340.     {% if 'fingerprint' in host %}

  341.     - fingerprint: {{ host['fingerprint'] }}

  342.     {% endif -%}

  343.     {% if 'key' in host %}

  344.     - key: {{ host['key'] }}

  345.     {% endif -%}

  346.     {% if 'enc' in host %}

  347.     - enc: {{ host['enc'] }}

  348.     {% endif -%}

  349.     {% if 'hash_hostname' in host %}

  350.     - hash_hostname: {{ host['hash_hostname'] }}

  351.     {% endif -%}

  352. {% endfor %}

  353. {% endif %}

  354. 

  355. {% if 'ssh_known_hosts.absent' in user %}

  356. {% for host in user['ssh_known_hosts.absent'] %}

  357. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  358.   ssh_known_hosts.absent:

  359.     - user: {{ name }}

  360.     - name: {{ host }}

  361. {% endfor %}

  362. {% endif %}

  363. 

  364. {% set sudoers_d_filename = name|replace('.','_') %}

  365. {% if 'sudouser' in user and user['sudouser'] %}

  366. 

  367. users_sudoer-{{ name }}:

  368.   file.managed:

  369.     - replace: False

  370.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  371.     - user: root

  372.     - group: {{ users.root_group }}

  373.     - mode: '0440'

  374. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  375. #{#%

  376. {% if 'sudo_rules' in user %}

  377. {% for rule in user['sudo_rules'] %}

  378. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  379.   cmd.run:

  380.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  381.     - stateful: True

  382.     - shell: {{ users.visudo_shell }}

  383.     - env:

  384.       # Specify the rule via an env var to avoid shell quoting issues.

  385.       - rule: "{{ name }} {{ rule }}"

  386.     - require_in:

  387.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  388. {% endfor %}

  389. {% endif %}

  390. {% if 'sudo_defaults' in user %}

  391. {% for entry in user['sudo_defaults'] %}

  392. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  393.   cmd.run:

  394.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  395.     - stateful: True

  396.     - shell: {{ users.visudo_shell }}

  397.     - env:

  398.       # Specify the rule via an env var to avoid shell quoting issues.

  399.       - rule: "Defaults:{{ name }} {{ entry }}"

  400.     - require_in:

  401.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  402. {% endfor %}

  403. {% endif %}

  404. #%#}

  405. 

  406. users_{{ users.sudoers_dir }}/{{ name }}:

  407.   file.managed:

  408.     - replace: True

  409.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  410.     - contents: |

  411.       {%- if 'sudo_defaults' in user %}

  412.       {%- for entry in user['sudo_defaults'] %}

  413.         Defaults:{{ name }} {{ entry }}

  414.       {%- endfor %}

  415.       {%- endif %}

  416.       {%- if 'sudo_rules' in user %}

  417.         ########################################################################

  418.         # File managed by Salt (users-formula).

  419.         # Your changes will be overwritten.

  420.         ########################################################################

  421.         #

  422.       {%- for rule in user['sudo_rules'] %}

  423.         {{ name }} {{ rule }}

  424.       {%- endfor %}

  425.       {%- endif %}

  426.     - require:

  427.       - file: users_sudoer-defaults

  428.       - file: users_sudoer-{{ name }}

  429.   cmd.wait:

  430.     - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )

  431.     - watch:

  432.       - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  433. {% endif %}

  434. {% else %}

  435. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:

  436.   file.absent:

  437.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  438. {% endif %}

  439. 

  440. {%- if 'google_auth' in user %}

  441. {%- for svc in user['google_auth'] %}

  442. users_googleauth-{{ svc }}-{{ name }}:

  443.   file.managed:

  444.     - replace: false

  445.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  446.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  447.     - user: root

  448.     - group: {{ users.root_group }}

  449.     - mode: 400

  450.     - require:

  451.       - pkg: users_googleauth-package

  452. {%- endfor %}

  453. {%- endif %}

  454. 

  455. # this doesn't work (Salt bug), therefore need to run state.apply twice

  456. #include:

  457. #  - users

  458. #

  459. #git:

  460. #  pkg.installed:

  461. #    - require_in:

  462. #      - sls: users

  463. #

  464. {% if 'gitconfig' in user %}

  465. {% if salt['cmd.has_exec']('git') %}

  466. {% for key, value in user['gitconfig'].items() %}

  467. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  468.   {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  469.   git.config_set:

  470.   {% else %}

  471.   git.config:

  472.   {% endif %}

  473.     - name: {{ key }}

  474.     - value: "{{ value }}"

  475.     - user: {{ name }}

  476.     {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  477.     - global: True

  478.     {% else %}

  479.     - is_global: True

  480.     {% endif %}

  481. {% endfor %}

  482. {% endif %}

  483. {% endif %}

  484. 

  485. {% endfor %}

  486. 

  487. 

  488. {% for name, user in pillar.get('users', {}).items()

  489.         if user.absent is defined and user.absent %}

  490. users_absent_user_{{ name }}:

  491. {% if 'purge' in user or 'force' in user %}

  492.   user.absent:

  493.     - name: {{ name }}

  494.     {% if 'purge' in user %}

  495.     - purge: {{ user['purge'] }}

  496.     {% endif %}

  497.     {% if 'force' in user %}

  498.     - force: {{ user['force'] }}

  499.     {% endif %}

  500. {% else %}

  501.   user.absent:

  502.     - name: {{ name }}

  503. {% endif -%}

  504. users_{{ users.sudoers_dir }}/{{ name }}:

  505.   file.absent:

  506.     - name: {{ users.sudoers_dir }}/{{ name }}

  507. {% endfor %}

  508. 

  509. {% for user in pillar.get('absent_users', []) %}

  510. users_absent_user_2_{{ user }}:

  511.   user.absent:

  512.     - name: {{ user }}

  513. users_2_{{ users.sudoers_dir }}/{{ user }}:

  514.   file.absent:

  515.     - name: {{ users.sudoers_dir }}/{{ user }}

  516. {% endfor %}

  517. 

  518. {% for group in pillar.get('absent_groups', []) %}

  519. users_absent_group_{{ group }}:

  520.   group.absent:

  521.     - name: {{ group }}

  522. {% endfor %}