salt
/
users-formula
atdalīts no ExternalMirrors/users-formula
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Laidieni 0 Aktivitāte
Saltstack Official Users Formula
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
60 Revīzijas
2 Atzari
Koks: 2032369f0b
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '2032369f0b'
${ noResults }
users-formula/users/init.sls

init.sls 4.9KB
Neapstrādāts Parastais skats Vēsture

Initial commit
pirms 11 gadiem
New format of user.absent support introduced. Old format still supported.
pirms 10 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
SLS no longer fails for multiple groups
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
Fixed user default shell source Pulling 'shell' from pillar globally makes no sense, probably a mistake; pulling it from user instead.
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Add Password capabilities
pirms 10 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
Change .ssh permissions to 700
pirms 10 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
Modified Private Keys and Sudoers Changed Private keys to have content within pillar rather than the salt file repository. Changes sudoers entry to get values from pillar rather than assuming all sudo users want root.
pirms 10 gadiem
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
pirms 10 gadiem
Initial commit
pirms 11 gadiem
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
pirms 10 gadiem
Initial commit
pirms 11 gadiem
possibility to define alternate user`s prime group
pirms 11 gadiem
Initial commit
pirms 11 gadiem
Do not echo Public/Private keys to stdout when running the state
pirms 10 gadiem
Changed 'contents' to 'contents_pillar' to correctly parse newlines for private/public SSH keys.
pirms 10 gadiem
Initial commit
pirms 11 gadiem
SLS no longer fails for multiple groups
pirms 11 gadiem
Initial commit
pirms 11 gadiem
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
pirms 10 gadiem
Initial commit
pirms 11 gadiem
change pub key to use user_group if you set an alternate prime_group this would break, replaced {{ name }} with {{ user_group }}
pirms 10 gadiem
Initial commit
pirms 11 gadiem
Do not echo Public/Private keys to stdout when running the state
pirms 10 gadiem
Fix pubkey privkey typo Fixes #22
pirms 10 gadiem
Initial commit
pirms 11 gadiem
SLS no longer fails for multiple groups
pirms 11 gadiem
Initial commit
pirms 11 gadiem
New format of user.absent support introduced. Old format still supported.
pirms 10 gadiem
Initial commit
pirms 11 gadiem
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
pirms 11 gadiem
Check for sudo_rules before text.append state. Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.
pirms 10 gadiem
Validate user sudo rules before applying them
pirms 10 gadiem
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
pirms 11 gadiem
Overwrite a sudoer file rather than append to fix #21
pirms 10 gadiem
Check for sudo_rules before text.append state. Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.
pirms 10 gadiem
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
pirms 11 gadiem
Initial commit
pirms 11 gadiem
New format of user.absent support introduced. Old format still supported.
pirms 10 gadiem
Initial commit
pirms 11 gadiem
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
pirms 11 gadiem
Initial commit
pirms 11 gadiem
Add absent_groups pillar to remove groups.
pirms 10 gadiem
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193 
  1. include:

  2.   - users.sudo

  3. 

  4. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  5. {%- if user == None -%}

  6. {%- set user = {} -%}

  7. {%- endif -%}

  8. {%- set home = user.get('home', "/home/%s" % name) -%}

  9. 

  10. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  11. {%- set user_group = user.prime_group.name -%}

  12. {%- else -%}

  13. {%- set user_group = name -%}

  14. {%- endif %}

  15. 

  16. {% for group in user.get('groups', []) %}

  17. {{ name }}_{{ group }}_group:

  18.   group:

  19.     - name: {{ group }}

  20.     - present

  21. {% endfor %}

  22. 

  23. {{ name }}_user:

  24.   file.directory:

  25.     - name: {{ home }}

  26.     - user: {{ name }}

  27.     - group: {{ user_group }}

  28.     - mode: 0755

  29.     - require:

  30.       - user: {{ name }}

  31.       - group: {{ user_group }}

  32.   group.present:

  33.     - name: {{ user_group }}

  34.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  35.     - gid: {{ user['prime_group']['gid'] }}

  36.     {%- elif 'uid' in user %}

  37.     - gid: {{ user['uid'] }}

  38.     {%- endif %}

  39.   user.present:

  40.     - name: {{ name }}

  41.     - home: {{ home }}

  42.     - shell: {{ user.get('shell', '/bin/bash') }}

  43.     {% if 'uid' in user -%}

  44.     - uid: {{ user['uid'] }}

  45.     {% endif -%}

  46.     {% if 'password' in user -%}

  47.     - password: {{ user['password'] }}

  48.     {% endif -%}

  49.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  50.     - gid: {{ user['prime_group']['gid'] }}

  51.     {% else -%}

  52.     - gid_from_name: True

  53.     {% endif -%}

  54.     {% if 'fullname' in user %}

  55.     - fullname: {{ user['fullname'] }}

  56.     {% endif -%}

  57.     - groups:

  58.       - {{ user_group }}

  59.       {% for group in user.get('groups', []) -%}

  60.       - {{ group }}

  61.       {% endfor %}

  62.     - require:

  63.       - group: {{ user_group }}

  64.       {% for group in user.get('groups', []) -%}

  65.       - group: {{ group }}

  66.       {% endfor %}

  67. 

  68. user_keydir_{{ name }}:

  69.   file.directory:

  70.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  71.     - user: {{ name }}

  72.     - group: {{ user_group }}

  73.     - makedirs: True

  74.     - mode: 700

  75.     - require:

  76.       - user: {{ name }}

  77.       - group: {{ user_group }}

  78.       {%- for group in user.get('groups', []) %}

  79.       - group: {{ group }}

  80.       {%- endfor %}

  81. 

  82.   {% if 'ssh_keys' in user %}

  83.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  84. user_{{ name }}_private_key:

  85.   file.managed:

  86.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  87.     - user: {{ name }}

  88.     - group: {{ user_group }}

  89.     - mode: 600

  90.     - show_diff: False

  91.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  92.     - require:

  93.       - user: {{ name }}_user

  94.       {% for group in user.get('groups', []) %}

  95.       - group: {{ name }}_{{ group }}_group

  96.       {% endfor %}

  97. user_{{ name }}_public_key:

  98.   file.managed:

  99.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  100.     - user: {{ name }}

  101.     - group: {{ user_group }}

  102.     - mode: 644

  103.     - show_diff: False

  104.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  105.     - require:

  106.       - user: {{ name }}_user

  107.       {% for group in user.get('groups', []) %}

  108.       - group: {{ name }}_{{ group }}_group

  109.       {% endfor %}

  110.   {% endif %}

  111. 

  112. 

  113. {% if 'ssh_auth' in user %}

  114. {% for auth in user['ssh_auth'] %}

  115. ssh_auth_{{ name }}_{{ loop.index0 }}:

  116.   ssh_auth.present:

  117.     - user: {{ name }}

  118.     - name: {{ auth }}

  119.     - require:

  120.         - file: {{ name }}_user

  121.         - user: {{ name }}_user

  122. {% endfor %}

  123. {% endif %}

  124. 

  125. 

  126. {% if 'sudouser' in user and user['sudouser'] %}

  127. sudoer-{{ name }}:

  128.   file.managed:

  129.     - name: /etc/sudoers.d/{{ name }}

  130.     - user: root

  131.     - group: root

  132.     - mode: '0440'

  133. {% if 'sudo_rules' in user %}

  134. {% for rule in user['sudo_rules'] %}

  135. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  136.   cmd.run:

  137.     - name: 'visudo -cf - <<<"$rule"'

  138.     - env:

  139.       # Specify the rule via an env var to avoid shell quoting issues.

  140.       - rule: "{{ name }} {{ rule }}"

  141.     - require_in:

  142.       - file: /etc/sudoers.d/{{ name }}

  143. {% endfor %}

  144. 

  145. /etc/sudoers.d/{{ name }}:

  146.   file.managed:

  147.     - contents: |

  148.       {%- for rule in user['sudo_rules'] %}

  149.         {{ name }} {{ rule }}

  150.       {%- endfor %}

  151.     - require:

  152.       - file: sudoer-defaults

  153.       - file: sudoer-{{ name }}

  154. {% endif %}

  155. {% else %}

  156. /etc/sudoers.d/{{ name }}:

  157.   file.absent:

  158.     - name: /etc/sudoers.d/{{ name }}

  159. {% endif %}

  160. 

  161. {% endfor %}

  162. 

  163. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

  164. {{ name }}:

  165. {% if 'purge' in user or 'force' in user %}

  166.   user.absent:

  167.     {% if 'purge' in user %}

  168.     - purge: {{ user['purge'] }}

  169.     {% endif %}

  170.     {% if 'force' in user %}

  171.     - force: {{ user['force'] }}

  172.     {% endif %}

  173. {% else %}

  174.   user.absent

  175. {% endif -%}

  176. /etc/sudoers.d/{{ name }}:

  177.   file.absent:

  178.     - name: /etc/sudoers.d/{{ name }}

  179. {% endfor %}

  180. 

  181. {% for user in pillar.get('absent_users', []) %}

  182. {{ user }}:

  183.   user.absent

  184. /etc/sudoers.d/{{ user }}:

  185.   file.absent:

  186.     - name: /etc/sudoers.d/{{ user }}

  187. {% endfor %}

  188. 

  189. {% for group in pillar.get('absent_groups', []) %}

  190. {{ group }}:

  191.   group.absent

  192. {% endfor %}

  193.