Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

519 lines
15KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudouser' in user and user['sudouser'] %}
  12. {%- do used_sudo.append(1) %}
  13. {%- endif %}
  14. {%- if 'google_auth' in user %}
  15. {%- do used_googleauth.append(1) %}
  16. {%- endif %}
  17. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  18. {%- do used_user_files.append(1) %}
  19. {%- endif %}
  20. {%- endfor %}
  21. {%- if used_sudo or used_googleauth or used_user_files %}
  22. include:
  23. {%- if used_sudo %}
  24. - users.sudo
  25. {%- endif %}
  26. {%- if used_googleauth %}
  27. - users.googleauth
  28. {%- endif %}
  29. {%- if used_user_files %}
  30. - users.user_files
  31. {%- endif %}
  32. {%- endif %}
  33. {% for name, user in pillar.get('users', {}).items()
  34. if user.absent is not defined or not user.absent %}
  35. {%- if user == None -%}
  36. {%- set user = {} -%}
  37. {%- endif -%}
  38. {%- set current = salt.user.info(name) -%}
  39. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
  40. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  41. {%- set user_group = user.prime_group.name -%}
  42. {%- else -%}
  43. {%- set user_group = name -%}
  44. {%- endif %}
  45. {% for group in user.get('groups', []) %}
  46. users_{{ name }}_{{ group }}_group:
  47. group.present:
  48. - name: {{ group }}
  49. {% if group == 'sudo' %}
  50. - system: True
  51. {% endif %}
  52. {% endfor %}
  53. users_{{ name }}_user:
  54. {% if user.get('createhome', True) %}
  55. file.directory:
  56. - name: {{ home }}
  57. - user: {{ user.get('homedir_owner', name) }}
  58. - group: {{ user.get('homedir_group', user_group) }}
  59. - mode: {{ user.get('user_dir_mode', '0750') }}
  60. - require:
  61. - user: users_{{ name }}_user
  62. - group: {{ user_group }}
  63. {%- endif %}
  64. group.present:
  65. - name: {{ user_group }}
  66. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  67. - gid: {{ user['prime_group']['gid'] }}
  68. {%- elif 'uid' in user %}
  69. - gid: {{ user['uid'] }}
  70. {%- endif %}
  71. {% if 'system' in user and user['system'] %}
  72. - system: True
  73. {% endif %}
  74. user.present:
  75. - name: {{ name }}
  76. - home: {{ home }}
  77. - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
  78. {% if 'uid' in user -%}
  79. - uid: {{ user['uid'] }}
  80. {% endif -%}
  81. {% if 'password' in user -%}
  82. - password: '{{ user['password'] }}'
  83. {% endif -%}
  84. {% if user.get('empty_password') -%}
  85. - empty_password: {{ user.get('empty_password') }}
  86. {% endif -%}
  87. {% if 'enforce_password' in user -%}
  88. - enforce_password: {{ user['enforce_password'] }}
  89. {% endif -%}
  90. {% if 'hash_password' in user -%}
  91. - hash_password: {{ user['hash_password'] }}
  92. {% endif -%}
  93. {% if user.get('system', False) -%}
  94. - system: True
  95. {% endif -%}
  96. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  97. - gid: {{ user['prime_group']['gid'] }}
  98. {% elif 'prime_group' in user and 'name' in user['prime_group'] %}
  99. - gid: {{ user['prime_group']['name'] }}
  100. {% else -%}
  101. - gid_from_name: True
  102. {% endif -%}
  103. {% if 'fullname' in user %}
  104. - fullname: {{ user['fullname'] }}
  105. {% endif -%}
  106. {% if 'roomnumber' in user %}
  107. - roomnumber: {{ user['roomnumber'] }}
  108. {% endif %}
  109. {% if 'workphone' in user %}
  110. - workphone: {{ user['workphone'] }}
  111. {% endif %}
  112. {% if 'homephone' in user %}
  113. - homephone: {{ user['workphone'] }}
  114. {% endif %}
  115. {% if not user.get('createhome', True) %}
  116. - createhome: False
  117. {% endif %}
  118. {% if 'expire' in user -%}
  119. {% if grains['kernel'].endswith('BSD') and
  120. user['expire'] < 157766400 %}
  121. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  122. - expire: {{ user['expire'] * 86400 }}
  123. {% elif grains['kernel'] == 'Linux' and
  124. user['expire'] > 84006 %}
  125. {# 2932896 days since epoch equals 9999-12-31 #}
  126. - expire: {{ (user['expire'] / 86400) | int}}
  127. {% else %}
  128. - expire: {{ user['expire'] }}
  129. {% endif %}
  130. {% endif -%}
  131. - remove_groups: {{ user.get('remove_groups', 'False') }}
  132. - groups:
  133. - {{ user_group }}
  134. {% for group in user.get('groups', []) -%}
  135. - {{ group }}
  136. {% endfor %}
  137. {% if 'optional_groups' in user %}
  138. - optional_groups:
  139. {% for optional_group in user['optional_groups'] -%}
  140. - {{optional_group}}
  141. {% endfor %}
  142. {% endif %}
  143. - require:
  144. - group: {{ user_group }}
  145. {% for group in user.get('groups', []) -%}
  146. - group: {{ group }}
  147. {% endfor %}
  148. {% if 'ssh_keys' in user or
  149. 'ssh_auth' in user or
  150. 'ssh_auth_file' in user or
  151. 'ssh_auth_pillar' in user or
  152. 'ssh_auth.absent' in user or
  153. 'ssh_config' in user %}
  154. user_keydir_{{ name }}:
  155. file.directory:
  156. - name: {{ home }}/.ssh
  157. - user: {{ name }}
  158. - group: {{ user_group }}
  159. - makedirs: True
  160. - mode: 700
  161. - require:
  162. - user: {{ name }}
  163. - group: {{ user_group }}
  164. {%- for group in user.get('groups', []) %}
  165. - group: {{ group }}
  166. {%- endfor %}
  167. {% endif %}
  168. {% if 'ssh_keys' in user %}
  169. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  170. users_user_{{ name }}_private_key:
  171. file.managed:
  172. - name: {{ home }}/.ssh/{{ key_type }}
  173. - user: {{ name }}
  174. - group: {{ user_group }}
  175. - mode: 600
  176. - show_diff: False
  177. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  178. - require:
  179. - user: users_{{ name }}_user
  180. {% for group in user.get('groups', []) %}
  181. - group: users_{{ name }}_{{ group }}_group
  182. {% endfor %}
  183. users_user_{{ name }}_public_key:
  184. file.managed:
  185. - name: {{ home }}/.ssh/{{ key_type }}.pub
  186. - user: {{ name }}
  187. - group: {{ user_group }}
  188. - mode: 644
  189. - show_diff: False
  190. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  191. - require:
  192. - user: users_{{ name }}_user
  193. {% for group in user.get('groups', []) %}
  194. - group: users_{{ name }}_{{ group }}_group
  195. {% endfor %}
  196. {% endif %}
  197. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  198. users_authorized_keys_{{ name }}:
  199. file.managed:
  200. - name: {{ home }}/.ssh/authorized_keys
  201. - user: {{ name }}
  202. - group: {{ user_group }}
  203. - mode: 600
  204. {% if 'ssh_auth_file' in user %}
  205. - contents: |
  206. {% for auth in user.ssh_auth_file -%}
  207. {{ auth }}
  208. {% endfor -%}
  209. {% else %}
  210. - contents: |
  211. {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
  212. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  213. {%- endfor %}
  214. {% endif %}
  215. {% endif %}
  216. {% if 'ssh_auth' in user %}
  217. {% for auth in user['ssh_auth'] %}
  218. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  219. ssh_auth.present:
  220. - user: {{ name }}
  221. - name: {{ auth }}
  222. - require:
  223. - file: user_keydir_{{ name }}
  224. - user: users_{{ name }}_user
  225. {% endfor %}
  226. {% endif %}
  227. {% if 'ssh_keys_pillar' in user %}
  228. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  229. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  230. file.managed:
  231. - name: {{ home }}/.ssh/{{ key_name }}
  232. - user: {{ name }}
  233. - group: {{ user_group }}
  234. - mode: 600
  235. - show_diff: False
  236. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  237. - require:
  238. - user: users_{{ name }}_user
  239. {% for group in user.get('groups', []) %}
  240. - group: users_{{ name }}_{{ group }}_group
  241. {% endfor %}
  242. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  243. file.managed:
  244. - name: {{ home }}/.ssh/{{ key_name }}.pub
  245. - user: {{ name }}
  246. - group: {{ user_group }}
  247. - mode: 644
  248. - show_diff: False
  249. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  250. - require:
  251. - user: users_{{ name }}_user
  252. {% for group in user.get('groups', []) %}
  253. - group: users_{{ name }}_{{ group }}_group
  254. {% endfor %}
  255. {% endfor %}
  256. {% endif %}
  257. {% if 'ssh_auth_sources' in user %}
  258. {% for pubkey_file in user['ssh_auth_sources'] %}
  259. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  260. ssh_auth.present:
  261. - user: {{ name }}
  262. - source: {{ pubkey_file }}
  263. - require:
  264. - file: users_{{ name }}_user
  265. - user: users_{{ name }}_user
  266. {% endfor %}
  267. {% endif %}
  268. {% if 'ssh_auth_sources.absent' in user %}
  269. {% for pubkey_file in user['ssh_auth_sources.absent'] %}
  270. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:
  271. ssh_auth.absent:
  272. - user: {{ name }}
  273. - source: {{ pubkey_file }}
  274. - require:
  275. - file: users_{{ name }}_user
  276. - user: users_{{ name }}_user
  277. {% endfor %}
  278. {% endif %}
  279. {% if 'ssh_auth.absent' in user %}
  280. {% for auth in user['ssh_auth.absent'] %}
  281. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  282. ssh_auth.absent:
  283. - user: {{ name }}
  284. - name: {{ auth }}
  285. - require:
  286. - file: users_{{ name }}_user
  287. - user: users_{{ name }}_user
  288. {% endfor %}
  289. {% endif %}
  290. {% if 'ssh_config' in user %}
  291. users_ssh_config_{{ name }}:
  292. file.managed:
  293. - name: {{ home }}/.ssh/config
  294. - user: {{ name }}
  295. - group: {{ user_group }}
  296. - mode: 640
  297. - contents: |
  298. # Managed by Saltstack
  299. # Do Not Edit
  300. {% for label, setting in user.ssh_config.items() %}
  301. # {{ label }}
  302. Host {{ setting.get('hostname') }}
  303. {%- for opts in setting.get('options') %}
  304. {{ opts }}
  305. {%- endfor %}
  306. {% endfor -%}
  307. {% endif %}
  308. {% if 'ssh_known_hosts' in user %}
  309. {% for hostname, host in user['ssh_known_hosts'].items() %}
  310. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  311. ssh_known_hosts.present:
  312. - user: {{ name }}
  313. - name: {{ hostname }}
  314. {% if 'port' in host %}
  315. - port: {{ host['port'] }}
  316. {% endif -%}
  317. {% if 'fingerprint' in host %}
  318. - fingerprint: {{ host['fingerprint'] }}
  319. {% endif -%}
  320. {% if 'key' in host %}
  321. - key: {{ host['key'] }}
  322. {% endif -%}
  323. {% if 'enc' in host %}
  324. - enc: {{ host['enc'] }}
  325. {% endif -%}
  326. {% if 'hash_hostname' in host %}
  327. - hash_hostname: {{ host['hash_hostname'] }}
  328. {% endif -%}
  329. {% endfor %}
  330. {% endif %}
  331. {% if 'ssh_known_hosts.absent' in user %}
  332. {% for host in user['ssh_known_hosts.absent'] %}
  333. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  334. ssh_known_hosts.absent:
  335. - user: {{ name }}
  336. - name: {{ host }}
  337. {% endfor %}
  338. {% endif %}
  339. {% set sudoers_d_filename = name|replace('.','_') %}
  340. {% if 'sudouser' in user and user['sudouser'] %}
  341. users_sudoer-{{ name }}:
  342. file.managed:
  343. - replace: False
  344. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  345. - user: root
  346. - group: {{ users.root_group }}
  347. - mode: '0440'
  348. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  349. #{#%
  350. {% if 'sudo_rules' in user %}
  351. {% for rule in user['sudo_rules'] %}
  352. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  353. cmd.run:
  354. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  355. - stateful: True
  356. - shell: {{ users.visudo_shell }}
  357. - env:
  358. # Specify the rule via an env var to avoid shell quoting issues.
  359. - rule: "{{ name }} {{ rule }}"
  360. - require_in:
  361. - file: users_{{ users.sudoers_dir }}/{{ name }}
  362. {% endfor %}
  363. {% endif %}
  364. {% if 'sudo_defaults' in user %}
  365. {% for entry in user['sudo_defaults'] %}
  366. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  367. cmd.run:
  368. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  369. - stateful: True
  370. - shell: {{ users.visudo_shell }}
  371. - env:
  372. # Specify the rule via an env var to avoid shell quoting issues.
  373. - rule: "Defaults:{{ name }} {{ entry }}"
  374. - require_in:
  375. - file: users_{{ users.sudoers_dir }}/{{ name }}
  376. {% endfor %}
  377. {% endif %}
  378. #%#}
  379. users_{{ users.sudoers_dir }}/{{ name }}:
  380. file.managed:
  381. - replace: True
  382. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  383. - contents: |
  384. {%- if 'sudo_defaults' in user %}
  385. {%- for entry in user['sudo_defaults'] %}
  386. Defaults:{{ name }} {{ entry }}
  387. {%- endfor %}
  388. {%- endif %}
  389. {%- if 'sudo_rules' in user %}
  390. ########################################################################
  391. # File managed by Salt (users-formula).
  392. # Your changes will be overwritten.
  393. ########################################################################
  394. #
  395. {%- for rule in user['sudo_rules'] %}
  396. {{ name }} {{ rule }}
  397. {%- endfor %}
  398. {%- endif %}
  399. - require:
  400. - file: users_sudoer-defaults
  401. - file: users_sudoer-{{ name }}
  402. cmd.wait:
  403. - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )
  404. - watch:
  405. - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  406. {% endif %}
  407. {% else %}
  408. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
  409. file.absent:
  410. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  411. {% endif %}
  412. {%- if 'google_auth' in user %}
  413. {%- for svc in user['google_auth'] %}
  414. users_googleauth-{{ svc }}-{{ name }}:
  415. file.managed:
  416. - replace: false
  417. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  418. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  419. - user: root
  420. - group: {{ users.root_group }}
  421. - mode: 400
  422. - require:
  423. - pkg: users_googleauth-package
  424. {%- endfor %}
  425. {%- endif %}
  426. #
  427. # if not salt['cmd.has_exec']('git')
  428. # fails even if git is installed
  429. #
  430. # this doesn't work (Salt bug), therefore need to run state.apply twice
  431. #include:
  432. # - users
  433. #
  434. #git:
  435. # pkg.installed:
  436. # - require_in:
  437. # - sls: users
  438. #
  439. {% if 'gitconfig' in user %}
  440. {% for key, value in user['gitconfig'].items() %}
  441. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  442. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  443. git.config_set:
  444. {% else %}
  445. git.config:
  446. {% endif %}
  447. - name: {{ key }}
  448. - value: "{{ value }}"
  449. - user: {{ name }}
  450. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  451. - global: True
  452. {% else %}
  453. - is_global: True
  454. {% endif %}
  455. {% endfor %}
  456. {% endif %}
  457. {% endfor %}
  458. {% for name, user in pillar.get('users', {}).items()
  459. if user.absent is defined and user.absent %}
  460. users_absent_user_{{ name }}:
  461. {% if 'purge' in user or 'force' in user %}
  462. user.absent:
  463. - name: {{ name }}
  464. {% if 'purge' in user %}
  465. - purge: {{ user['purge'] }}
  466. {% endif %}
  467. {% if 'force' in user %}
  468. - force: {{ user['force'] }}
  469. {% endif %}
  470. {% else %}
  471. user.absent:
  472. - name: {{ name }}
  473. {% endif -%}
  474. users_{{ users.sudoers_dir }}/{{ name }}:
  475. file.absent:
  476. - name: {{ users.sudoers_dir }}/{{ name }}
  477. {% endfor %}
  478. {% for user in pillar.get('absent_users', []) %}
  479. users_absent_user_2_{{ user }}:
  480. user.absent:
  481. - name: {{ user }}
  482. users_2_{{ users.sudoers_dir }}/{{ user }}:
  483. file.absent:
  484. - name: {{ users.sudoers_dir }}/{{ user }}
  485. {% endfor %}
  486. {% for group in pillar.get('absent_groups', []) %}
  487. users_absent_group_{{ group }}:
  488. group.absent:
  489. - name: {{ group }}
  490. {% endfor %}