Saltstack Official Users Formula
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.

523 lines
15KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudouser' in user and user['sudouser'] %}
  12. {%- do used_sudo.append(1) %}
  13. {%- endif %}
  14. {%- if 'google_auth' in user %}
  15. {%- do used_googleauth.append(1) %}
  16. {%- endif %}
  17. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  18. {%- do used_user_files.append(1) %}
  19. {%- endif %}
  20. {%- endfor %}
  21. {%- if used_sudo or used_googleauth or used_user_files %}
  22. include:
  23. {%- if used_sudo %}
  24. - users.sudo
  25. {%- endif %}
  26. {%- if used_googleauth %}
  27. - users.googleauth
  28. {%- endif %}
  29. {%- if used_user_files %}
  30. - users.user_files
  31. {%- endif %}
  32. {%- endif %}
  33. {% for name, user in pillar.get('users', {}).items()
  34. if user.absent is not defined or not user.absent %}
  35. {%- if user == None -%}
  36. {%- set user = {} -%}
  37. {%- endif -%}
  38. {%- set current = salt.user.info(name) -%}
  39. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
  40. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  41. {%- set user_group = user.prime_group.name -%}
  42. {%- else -%}
  43. {%- set user_group = name -%}
  44. {%- endif %}
  45. {% for group in user.get('groups', []) %}
  46. users_{{ name }}_{{ group }}_group:
  47. group.present:
  48. - name: {{ group }}
  49. {% if group == 'sudo' %}
  50. - system: True
  51. {% endif %}
  52. {% endfor %}
  53. users_{{ name }}_user:
  54. {% if user.get('createhome', True) %}
  55. file.directory:
  56. - name: {{ home }}
  57. - user: {{ user.get('homedir_owner', name) }}
  58. - group: {{ user.get('homedir_group', user_group) }}
  59. - mode: {{ user.get('user_dir_mode', '0750') }}
  60. - makedirs: True
  61. - require:
  62. - user: users_{{ name }}_user
  63. - group: {{ user_group }}
  64. {%- endif %}
  65. group.present:
  66. - name: {{ user_group }}
  67. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  68. - gid: {{ user['prime_group']['gid'] }}
  69. {%- elif 'uid' in user %}
  70. - gid: {{ user['uid'] }}
  71. {%- endif %}
  72. {% if 'system' in user and user['system'] %}
  73. - system: True
  74. {% endif %}
  75. user.present:
  76. - name: {{ name }}
  77. - home: {{ home }}
  78. - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
  79. {% if 'uid' in user -%}
  80. - uid: {{ user['uid'] }}
  81. {% endif -%}
  82. {% if 'password' in user -%}
  83. - password: '{{ user['password'] }}'
  84. {% endif -%}
  85. {% if user.get('empty_password') -%}
  86. - empty_password: {{ user.get('empty_password') }}
  87. {% endif -%}
  88. {% if 'enforce_password' in user -%}
  89. - enforce_password: {{ user['enforce_password'] }}
  90. {% endif -%}
  91. {% if 'hash_password' in user -%}
  92. - hash_password: {{ user['hash_password'] }}
  93. {% endif -%}
  94. {% if user.get('system', False) -%}
  95. - system: True
  96. {% endif -%}
  97. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  98. - gid: {{ user['prime_group']['gid'] }}
  99. {% elif 'prime_group' in user and 'name' in user['prime_group'] %}
  100. - gid: {{ user['prime_group']['name'] }}
  101. {% else -%}
  102. - gid_from_name: True
  103. {% endif -%}
  104. {% if 'fullname' in user %}
  105. - fullname: {{ user['fullname'] }}
  106. {% endif -%}
  107. {% if 'roomnumber' in user %}
  108. - roomnumber: {{ user['roomnumber'] }}
  109. {% endif %}
  110. {% if 'workphone' in user %}
  111. - workphone: {{ user['workphone'] }}
  112. {% endif %}
  113. {% if 'homephone' in user %}
  114. - homephone: {{ user['homephone'] }}
  115. {% endif %}
  116. {% if not user.get('createhome', True) %}
  117. - createhome: False
  118. {% endif %}
  119. {% if 'expire' in user -%}
  120. {% if grains['kernel'].endswith('BSD') and
  121. user['expire'] < 157766400 %}
  122. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  123. - expire: {{ user['expire'] * 86400 }}
  124. {% elif grains['kernel'] == 'Linux' and
  125. user['expire'] > 84006 %}
  126. {# 2932896 days since epoch equals 9999-12-31 #}
  127. - expire: {{ (user['expire'] / 86400) | int}}
  128. {% else %}
  129. - expire: {{ user['expire'] }}
  130. {% endif %}
  131. {% endif -%}
  132. - remove_groups: {{ user.get('remove_groups', 'False') }}
  133. - groups:
  134. - {{ user_group }}
  135. {% for group in user.get('groups', []) -%}
  136. - {{ group }}
  137. {% endfor %}
  138. {% if 'optional_groups' in user %}
  139. - optional_groups:
  140. {% for optional_group in user['optional_groups'] -%}
  141. - {{optional_group}}
  142. {% endfor %}
  143. {% endif %}
  144. - require:
  145. - group: {{ user_group }}
  146. {% for group in user.get('groups', []) -%}
  147. - group: {{ group }}
  148. {% endfor %}
  149. {% if 'ssh_keys' in user or
  150. 'ssh_auth' in user or
  151. 'ssh_auth_file' in user or
  152. 'ssh_auth_pillar' in user or
  153. 'ssh_auth.absent' in user or
  154. 'ssh_config' in user %}
  155. user_keydir_{{ name }}:
  156. file.directory:
  157. - name: {{ home }}/.ssh
  158. - user: {{ name }}
  159. - group: {{ user_group }}
  160. - makedirs: True
  161. - mode: 700
  162. - require:
  163. - user: {{ name }}
  164. - group: {{ user_group }}
  165. {%- for group in user.get('groups', []) %}
  166. - group: {{ group }}
  167. {%- endfor %}
  168. {% endif %}
  169. {% if 'ssh_keys' in user %}
  170. {% for _key in user.ssh_keys.keys() %}
  171. {% if _key == 'privkey' %}
  172. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}
  173. {% elif _key == 'pubkey' %}
  174. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}
  175. {% else %}
  176. {% set key_name = _key %}
  177. {% endif %}
  178. users_{{ name }}_{{ key_name }}_key:
  179. file.managed:
  180. - name: {{ home }}/.ssh/{{ key_name }}
  181. - user: {{ name }}
  182. - group: {{ user_group }}
  183. {% if key_name.endswith(".pub") %}
  184. - mode: 644
  185. {% else %}
  186. - mode: 600
  187. {% endif %}
  188. - show_diff: False
  189. {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}
  190. {%- if 'salt://' in key_value[:7] %}
  191. - source: {{ key_value }}
  192. {%- else %}
  193. - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}
  194. {%- endif %}
  195. - require:
  196. - user: users_{{ name }}_user
  197. {% for group in user.get('groups', []) %}
  198. - group: users_{{ name }}_{{ group }}_group
  199. {% endfor %}
  200. {% endfor %}
  201. {% endif %}
  202. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  203. users_authorized_keys_{{ name }}:
  204. file.managed:
  205. - name: {{ home }}/.ssh/authorized_keys
  206. - user: {{ name }}
  207. - group: {{ user_group }}
  208. - mode: 600
  209. {% if 'ssh_auth_file' in user %}
  210. - contents: |
  211. {% for auth in user.ssh_auth_file -%}
  212. {{ auth }}
  213. {% endfor -%}
  214. {% else %}
  215. - contents: |
  216. {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
  217. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  218. {%- endfor %}
  219. {% endif %}
  220. {% endif %}
  221. {% if 'ssh_auth' in user %}
  222. {% for auth in user['ssh_auth'] %}
  223. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  224. ssh_auth.present:
  225. - user: {{ name }}
  226. - name: {{ auth }}
  227. - require:
  228. - file: user_keydir_{{ name }}
  229. - user: users_{{ name }}_user
  230. {% endfor %}
  231. {% endif %}
  232. {% if 'ssh_keys_pillar' in user %}
  233. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  234. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  235. file.managed:
  236. - name: {{ home }}/.ssh/{{ key_name }}
  237. - user: {{ name }}
  238. - group: {{ user_group }}
  239. - mode: 600
  240. - show_diff: False
  241. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  242. - require:
  243. - user: users_{{ name }}_user
  244. {% for group in user.get('groups', []) %}
  245. - group: users_{{ name }}_{{ group }}_group
  246. {% endfor %}
  247. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  248. file.managed:
  249. - name: {{ home }}/.ssh/{{ key_name }}.pub
  250. - user: {{ name }}
  251. - group: {{ user_group }}
  252. - mode: 644
  253. - show_diff: False
  254. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  255. - require:
  256. - user: users_{{ name }}_user
  257. {% for group in user.get('groups', []) %}
  258. - group: users_{{ name }}_{{ group }}_group
  259. {% endfor %}
  260. {% endfor %}
  261. {% endif %}
  262. {% if 'ssh_auth_sources' in user %}
  263. {% for pubkey_file in user['ssh_auth_sources'] %}
  264. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  265. ssh_auth.present:
  266. - user: {{ name }}
  267. - source: {{ pubkey_file }}
  268. - require:
  269. - file: users_{{ name }}_user
  270. - user: users_{{ name }}_user
  271. {% endfor %}
  272. {% endif %}
  273. {% if 'ssh_auth_sources.absent' in user %}
  274. {% for pubkey_file in user['ssh_auth_sources.absent'] %}
  275. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:
  276. ssh_auth.absent:
  277. - user: {{ name }}
  278. - source: {{ pubkey_file }}
  279. - require:
  280. - file: users_{{ name }}_user
  281. - user: users_{{ name }}_user
  282. {% endfor %}
  283. {% endif %}
  284. {% if 'ssh_auth.absent' in user %}
  285. {% for auth in user['ssh_auth.absent'] %}
  286. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  287. ssh_auth.absent:
  288. - user: {{ name }}
  289. - name: {{ auth }}
  290. - require:
  291. - file: users_{{ name }}_user
  292. - user: users_{{ name }}_user
  293. {% endfor %}
  294. {% endif %}
  295. {% if 'ssh_config' in user %}
  296. users_ssh_config_{{ name }}:
  297. file.managed:
  298. - name: {{ home }}/.ssh/config
  299. - user: {{ name }}
  300. - group: {{ user_group }}
  301. - mode: 640
  302. - contents: |
  303. # Managed by Saltstack
  304. # Do Not Edit
  305. {% for label, setting in user.ssh_config.items() %}
  306. # {{ label }}
  307. Host {{ setting.get('hostname') }}
  308. {%- for opts in setting.get('options') %}
  309. {{ opts }}
  310. {%- endfor %}
  311. {% endfor -%}
  312. {% endif %}
  313. {% if 'ssh_known_hosts' in user %}
  314. {% for hostname, host in user['ssh_known_hosts'].items() %}
  315. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  316. ssh_known_hosts.present:
  317. - user: {{ name }}
  318. - name: {{ hostname }}
  319. {% if 'port' in host %}
  320. - port: {{ host['port'] }}
  321. {% endif -%}
  322. {% if 'fingerprint' in host %}
  323. - fingerprint: {{ host['fingerprint'] }}
  324. {% endif -%}
  325. {% if 'key' in host %}
  326. - key: {{ host['key'] }}
  327. {% endif -%}
  328. {% if 'enc' in host %}
  329. - enc: {{ host['enc'] }}
  330. {% endif -%}
  331. {% if 'hash_hostname' in host %}
  332. - hash_hostname: {{ host['hash_hostname'] }}
  333. {% endif -%}
  334. {% endfor %}
  335. {% endif %}
  336. {% if 'ssh_known_hosts.absent' in user %}
  337. {% for host in user['ssh_known_hosts.absent'] %}
  338. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  339. ssh_known_hosts.absent:
  340. - user: {{ name }}
  341. - name: {{ host }}
  342. {% endfor %}
  343. {% endif %}
  344. {% set sudoers_d_filename = name|replace('.','_') %}
  345. {% if 'sudouser' in user and user['sudouser'] %}
  346. users_sudoer-{{ name }}:
  347. file.managed:
  348. - replace: False
  349. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  350. - user: root
  351. - group: {{ users.root_group }}
  352. - mode: '0440'
  353. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  354. #{#%
  355. {% if 'sudo_rules' in user %}
  356. {% for rule in user['sudo_rules'] %}
  357. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  358. cmd.run:
  359. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  360. - stateful: True
  361. - shell: {{ users.visudo_shell }}
  362. - env:
  363. # Specify the rule via an env var to avoid shell quoting issues.
  364. - rule: "{{ name }} {{ rule }}"
  365. - require_in:
  366. - file: users_{{ users.sudoers_dir }}/{{ name }}
  367. {% endfor %}
  368. {% endif %}
  369. {% if 'sudo_defaults' in user %}
  370. {% for entry in user['sudo_defaults'] %}
  371. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  372. cmd.run:
  373. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  374. - stateful: True
  375. - shell: {{ users.visudo_shell }}
  376. - env:
  377. # Specify the rule via an env var to avoid shell quoting issues.
  378. - rule: "Defaults:{{ name }} {{ entry }}"
  379. - require_in:
  380. - file: users_{{ users.sudoers_dir }}/{{ name }}
  381. {% endfor %}
  382. {% endif %}
  383. #%#}
  384. users_{{ users.sudoers_dir }}/{{ name }}:
  385. file.managed:
  386. - replace: True
  387. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  388. - contents: |
  389. {%- if 'sudo_defaults' in user %}
  390. {%- for entry in user['sudo_defaults'] %}
  391. Defaults:{{ name }} {{ entry }}
  392. {%- endfor %}
  393. {%- endif %}
  394. {%- if 'sudo_rules' in user %}
  395. ########################################################################
  396. # File managed by Salt (users-formula).
  397. # Your changes will be overwritten.
  398. ########################################################################
  399. #
  400. {%- for rule in user['sudo_rules'] %}
  401. {{ name }} {{ rule }}
  402. {%- endfor %}
  403. {%- endif %}
  404. - require:
  405. - file: users_sudoer-defaults
  406. - file: users_sudoer-{{ name }}
  407. cmd.wait:
  408. - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )
  409. - watch:
  410. - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  411. {% endif %}
  412. {% else %}
  413. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
  414. file.absent:
  415. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  416. {% endif %}
  417. {%- if 'google_auth' in user %}
  418. {%- for svc in user['google_auth'] %}
  419. users_googleauth-{{ svc }}-{{ name }}:
  420. file.managed:
  421. - replace: false
  422. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  423. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  424. - user: root
  425. - group: {{ users.root_group }}
  426. - mode: 400
  427. - require:
  428. - pkg: users_googleauth-package
  429. {%- endfor %}
  430. {%- endif %}
  431. # this doesn't work (Salt bug), therefore need to run state.apply twice
  432. #include:
  433. # - users
  434. #
  435. #git:
  436. # pkg.installed:
  437. # - require_in:
  438. # - sls: users
  439. #
  440. {% if 'gitconfig' in user %}
  441. {% if salt['cmd.has_exec']('git') %}
  442. {% for key, value in user['gitconfig'].items() %}
  443. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  444. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  445. git.config_set:
  446. {% else %}
  447. git.config:
  448. {% endif %}
  449. - name: {{ key }}
  450. - value: "{{ value }}"
  451. - user: {{ name }}
  452. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  453. - global: True
  454. {% else %}
  455. - is_global: True
  456. {% endif %}
  457. {% endfor %}
  458. {% endif %}
  459. {% endif %}
  460. {% endfor %}
  461. {% for name, user in pillar.get('users', {}).items()
  462. if user.absent is defined and user.absent %}
  463. users_absent_user_{{ name }}:
  464. {% if 'purge' in user or 'force' in user %}
  465. user.absent:
  466. - name: {{ name }}
  467. {% if 'purge' in user %}
  468. - purge: {{ user['purge'] }}
  469. {% endif %}
  470. {% if 'force' in user %}
  471. - force: {{ user['force'] }}
  472. {% endif %}
  473. {% else %}
  474. user.absent:
  475. - name: {{ name }}
  476. {% endif -%}
  477. users_{{ users.sudoers_dir }}/{{ name }}:
  478. file.absent:
  479. - name: {{ users.sudoers_dir }}/{{ name }}
  480. {% endfor %}
  481. {% for user in pillar.get('absent_users', []) %}
  482. users_absent_user_2_{{ user }}:
  483. user.absent:
  484. - name: {{ user }}
  485. users_2_{{ users.sudoers_dir }}/{{ user }}:
  486. file.absent:
  487. - name: {{ users.sudoers_dir }}/{{ user }}
  488. {% endfor %}
  489. {% for group in pillar.get('absent_groups', []) %}
  490. users_absent_group_{{ group }}:
  491. group.absent:
  492. - name: {{ group }}
  493. {% endfor %}