Saltstack Official Users Formula
init.sls 10.0KB

11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
11 lat temu
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351
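  # vim: sts=2 ts=2 sw=2 et ai
{#
  users/init.sls

  Renders one group of states per entry of the ``users`` pillar dict:
  supplementary groups, the primary group, the account and its home
  directory, SSH key material / authorized keys / ssh_config, an optional
  per-user sudoers drop-in and google-authenticator secret files.
  Entries marked ``absent: True`` and the ``absent_users`` /
  ``absent_groups`` pillar lists are removed instead.
  OS-specific paths (sudoers_dir, googleauth_dir, root_group, visudo_shell)
  and the default shell come from users/map.jinja.
#}
{% from "users/map.jinja" import users with context %}
{% set used_sudo = [] %}
{% set used_googleauth = [] %}

{#
  First pass: find out whether any user needs users.sudo / users.googleauth
  so the `include:` stanza can be emitted before the first state.
  `.items()` is used throughout because it works on both Python 2 and 3
  renderers, whereas `.iteritems()` does not exist on Python 3.
#}
{%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if user == None -%}
{%- set user = {} -%}
{%- endif -%}
{%- if 'sudouser' in user and user['sudouser'] %}
{%- do used_sudo.append(1) %}
{%- endif %}
{%- if 'google_auth' in user %}
{%- do used_googleauth.append(1) %}
{%- endif %}
{%- endfor %}

{%- if used_sudo or used_googleauth %}
include:
{%- if used_sudo %}
  - users.sudo
{%- endif %}
{%- if used_googleauth %}
  - users.googleauth
{%- endif %}
{%- endif %}

{#
  Second pass: per-user states.  A pillar entry with no attributes renders
  as None and is treated as an empty dict.  `home` and `user_group` are
  derived once here and reused by every state for this user.
#}
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if user == None -%}
{%- set user = {} -%}
{%- endif -%}
{%- set home = user.get('home', "/home/%s" % name) -%}

{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
{%- set user_group = user.prime_group.name -%}
{%- else -%}
{%- set user_group = name -%}
{%- endif %}

{# Supplementary groups must exist before the account references them. #}
{% for group in user.get('groups', []) %}
users_{{ name }}_{{ group }}_group:
  group:
    - name: {{ group }}
    - present
{% endfor %}

{#
  Home directory (unless createhome is False), primary group and account.
  The home directory requires the account itself so ownership can be set.
#}
users_{{ name }}_user:
  {%- if user.get('createhome', True) %}
  file.directory:
    - name: {{ home }}
    - user: {{ name }}
    - group: {{ user_group }}
    - mode: {{ user.get('user_dir_mode', '0750') }}
    - require:
      - user: users_{{ name }}_user
      - group: {{ user_group }}
  {%- endif %}
  group.present:
    - name: {{ user_group }}
    {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
    - gid: {{ user['prime_group']['gid'] }}
    {%- elif 'uid' in user %}
    - gid: {{ user['uid'] }}
    {%- endif %}
  user.present:
    - name: {{ name }}
    - home: {{ home }}
    - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
    {%- if 'uid' in user %}
    - uid: {{ user['uid'] }}
    {%- endif %}
    {%- if 'password' in user %}
    - password: '{{ user['password'] }}'
    {%- endif %}
    {%- if 'enforce_password' in user %}
    - enforce_password: '{{ user['enforce_password'] }}'
    {%- endif %}
    {%- if user.get('system', False) %}
    - system: True
    {%- endif %}
    {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
    - gid: {{ user['prime_group']['gid'] }}
    {%- else %}
    - gid_from_name: True
    {%- endif %}
    {%- if 'fullname' in user %}
    - fullname: {{ user['fullname'] }}
    {%- endif %}
    {%- if not user.get('createhome', True) %}
    - createhome: False
    {%- endif %}
    {%- if 'expire' in user %}
    - expire: {{ user['expire'] }}
    {%- endif %}
    - remove_groups: {{ user.get('remove_groups', 'False') }}
    - groups:
      - {{ user_group }}
      {%- for group in user.get('groups', []) %}
      - {{ group }}
      {%- endfor %}
    - require:
      - group: {{ user_group }}
      {%- for group in user.get('groups', []) %}
      - group: {{ group }}
      {%- endfor %}

{#
  ~/.ssh is created (owner-only) whenever any state below writes into it,
  so that none of the key / authorized_keys / config states depends on the
  directory pre-existing.  Every one of them requires this directory.
#}
{% if 'ssh_keys' in user or 'ssh_keys_pillar' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth_sources' in user or 'ssh_auth.absent' in user or 'ssh_config' in user %}
user_keydir_{{ name }}:
  file.directory:
    - name: {{ home }}/.ssh
    - user: {{ name }}
    - group: {{ user_group }}
    - makedirs: True
    - mode: 700
    - require:
      - user: {{ name }}
      - group: {{ user_group }}
      {%- for group in user.get('groups', []) %}
      - group: {{ group }}
      {%- endfor %}
{% endif %}

{#
  Key pair taken from pillar users:<name>:ssh_keys:{privkey,pubkey}.
  contents_pillar keeps the key out of the rendered state and show_diff
  keeps it out of the state output; the private key is owner-only.
#}
{% if 'ssh_keys' in user %}
{% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
users_user_{{ name }}_private_key:
  file.managed:
    - name: {{ home }}/.ssh/{{ key_type }}
    - user: {{ name }}
    - group: {{ user_group }}
    - mode: 600
    - show_diff: False
    - contents_pillar: users:{{ name }}:ssh_keys:privkey
    - require:
      - user: users_{{ name }}_user
      - file: user_keydir_{{ name }}
      {%- for group in user.get('groups', []) %}
      - group: users_{{ name }}_{{ group }}_group
      {%- endfor %}

users_user_{{ name }}_public_key:
  file.managed:
    - name: {{ home }}/.ssh/{{ key_type }}.pub
    - user: {{ name }}
    - group: {{ user_group }}
    - mode: 644
    - show_diff: False
    - contents_pillar: users:{{ name }}:ssh_keys:pubkey
    - require:
      - user: users_{{ name }}_user
      - file: user_keydir_{{ name }}
      {%- for group in user.get('groups', []) %}
      - group: users_{{ name }}_{{ group }}_group
      {%- endfor %}
{% endif %}

{#
  Whole authorized_keys file from a list of lines.  The group is the
  user's primary group (same as the other ~/.ssh files), not the user
  name, which need not exist as a group when prime_group.name is set.
#}
{% if 'ssh_auth_file' in user %}
users_authorized_keys_{{ name }}:
  file.managed:
    - name: {{ home }}/.ssh/authorized_keys
    - user: {{ name }}
    - group: {{ user_group }}
    - mode: 600
    - require:
      - file: user_keydir_{{ name }}
    - contents: |
        {% for auth in user.ssh_auth_file -%}
        {{ auth }}
        {% endfor -%}
{% endif %}

{#
  Individual authorized keys.  These require the ~/.ssh directory state
  rather than the home-directory file state, which is not rendered when
  createhome is False.
#}
{% if 'ssh_auth' in user %}
{% for auth in user['ssh_auth'] %}
users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  ssh_auth.present:
    - user: {{ name }}
    - name: {{ auth }}
    - require:
      - file: user_keydir_{{ name }}
      - user: users_{{ name }}_user
{% endfor %}
{% endif %}

{#
  Key files kept in an arbitrary pillar tree: user['ssh_keys_pillar'] maps
  <file name> -> <top-level pillar key>, and pillar[<key>][<file name>]
  holds 'pubkey' and 'privkey'.  The private key is owner-only and hidden
  from state diffs, matching the ssh_keys branch above.
#}
{% if 'ssh_keys_pillar' in user %}
{% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
users_ssh_keys_files_{{ name }}_{{ key_name }}_pub:
  file.managed:
    - name: {{ home }}/.ssh/{{ key_name }}.pub
    - user: {{ name }}
    - group: {{ user_group }}
    - mode: 644
    - require:
      - file: user_keydir_{{ name }}
    - contents: |
        {{ pillar[pillar_name][key_name]['pubkey'] }}

users_ssh_keys_files_{{ name }}_{{ key_name }}_priv:
  file.managed:
    - name: {{ home }}/.ssh/{{ key_name }}
    - user: {{ name }}
    - group: {{ user_group }}
    - mode: 600
    - show_diff: False
    - require:
      - file: user_keydir_{{ name }}
    - contents: |
        {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}
{% endfor %}
{% endif %}

{# Authorized keys read from public-key files (salt:// or local paths). #}
{% if 'ssh_auth_sources' in user %}
{% for pubkey_file in user['ssh_auth_sources'] %}
users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  ssh_auth.present:
    - user: {{ name }}
    - source: {{ pubkey_file }}
    - require:
      - file: user_keydir_{{ name }}
      - user: users_{{ name }}_user
{% endfor %}
{% endif %}

{# Keys to strip from authorized_keys. #}
{% if 'ssh_auth.absent' in user %}
{% for auth in user['ssh_auth.absent'] %}
users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  ssh_auth.absent:
    - user: {{ name }}
    - name: {{ auth }}
    - require:
      - file: user_keydir_{{ name }}
      - user: users_{{ name }}_user
{% endfor %}
{% endif %}

{#
  ~/.ssh/config: one Host block per entry of user['ssh_config'], each
  with a 'hostname' and a list of 'options' lines.
#}
{% if 'ssh_config' in user %}
users_ssh_config_{{ name }}:
  file.managed:
    - name: {{ home }}/.ssh/config
    - user: {{ name }}
    - group: {{ user_group }}
    - mode: 640
    - require:
      - file: user_keydir_{{ name }}
    - contents: |
        # Managed by Saltstack
        # Do Not Edit
        {% for label, setting in user.ssh_config.items() %}
        # {{ label }}
        Host {{ setting.get('hostname') }}
        {%- for opts in setting.get('options') %}
          {{ opts }}
        {%- endfor %}
        {% endfor -%}
{% endif %}

{#
  Sudo.  Each rule / Defaults entry is piped through `visudo -cf -` by a
  cmd.run state that is require_in'd by the drop-in file state, so the
  checks run before the drop-in is written.  Users without sudouser get
  their drop-in removed.
  NOTE(review): the check's exit status is that of the trailing `{ ... }`
  group, not of visudo itself, so a rejected entry may not fail the state;
  relying on visudo's own non-zero exit would be more robust — confirm on
  the target platform before changing the command.
#}
{% if 'sudouser' in user and user['sudouser'] %}
users_sudoer-{{ name }}:
  file.managed:
    - name: {{ users.sudoers_dir }}/{{ name }}
    - user: root
    - group: {{ users.root_group }}
    - mode: '0440'

{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
{% if 'sudo_rules' in user %}
{% for rule in user['sudo_rules'] %}
"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  cmd.run:
    - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
    - stateful: True
    - shell: {{ users.visudo_shell }}
    - env:
      # Specify the rule via an env var to avoid shell quoting issues.
      - rule: "{{ name }} {{ rule }}"
    - require_in:
      - file: users_{{ users.sudoers_dir }}/{{ name }}
{% endfor %}
{% endif %}

{% if 'sudo_defaults' in user %}
{% for entry in user['sudo_defaults'] %}
"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  cmd.run:
    - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
    - stateful: True
    - shell: {{ users.visudo_shell }}
    - env:
      # Specify the rule via an env var to avoid shell quoting issues.
      - rule: "Defaults:{{ name }} {{ entry }}"
    - require_in:
      - file: users_{{ users.sudoers_dir }}/{{ name }}
{% endfor %}
{% endif %}

users_{{ users.sudoers_dir }}/{{ name }}:
  file.managed:
    - name: {{ users.sudoers_dir }}/{{ name }}
    - contents: |
      {%- if 'sudo_defaults' in user %}
      {%- for entry in user['sudo_defaults'] %}
        Defaults:{{ name }} {{ entry }}
      {%- endfor %}
      {%- endif %}
      {%- if 'sudo_rules' in user %}
      {%- for rule in user['sudo_rules'] %}
        {{ name }} {{ rule }}
      {%- endfor %}
      {%- endif %}
    - require:
      - file: users_sudoer-defaults
      - file: users_sudoer-{{ name }}
{% endif %}
{% else %}
users_{{ users.sudoers_dir }}/{{ name }}:
  file.absent:
    - name: {{ users.sudoers_dir }}/{{ name }}
{% endif %}

{#
  Google-authenticator secret per service, root-owned and never replaced
  once present (replace: false) so a generated secret is not clobbered.
#}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
users_googleauth-{{ svc }}-{{ name }}:
  file.managed:
    - replace: false
    - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
    - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
    - user: root
    - group: {{ users.root_group }}
    - mode: 400
    - require:
      - pkg: users_googleauth-package
{%- endfor %}
{%- endif %}
{% endfor %}

{#
  Users flagged absent: remove the account (passing through the `purge`
  and `force` options when set) and its sudoers drop-in.
#}
{% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}
users_absent_user_{{ name }}:
  user.absent:
    - name: {{ name }}
    {%- if 'purge' in user %}
    - purge: {{ user['purge'] }}
    {%- endif %}
    {%- if 'force' in user %}
    - force: {{ user['force'] }}
    {%- endif %}

users_{{ users.sudoers_dir }}/{{ name }}:
  file.absent:
    - name: {{ users.sudoers_dir }}/{{ name }}
{% endfor %}

{# Plain list of user names to remove, with their sudoers drop-ins. #}
{% for user in pillar.get('absent_users', []) %}
users_absent_user_2_{{ user }}:
  user.absent:
    - name: {{ user }}

users_2_{{ users.sudoers_dir }}/{{ user }}:
  file.absent:
    - name: {{ users.sudoers_dir }}/{{ user }}
{% endfor %}

{# Plain list of group names to remove. #}
{% for group in pillar.get('absent_groups', []) %}
users_absent_group_{{ group }}:
  group.absent:
    - name: {{ group }}
{% endfor %}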