salt
/
users-formula
sforkowany z ExternalMirrors/users-formula
Obserwuj 1
Polub 0
Forkuj 0
Kod Wydania 0 Aktywność
Saltstack Official Users Formula
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
152 Commity
2 Gałęzie
Drzewo: 60e94564d1
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '60e94564d1'
${ noResults }
users-formula/users/init.sls

init.sls 11KB
Czysty Zwykły widok Historia

Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
9 lat temu
google auth package and config installation
10 lat temu
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
9 lat temu
google auth package and config installation
10 lat temu
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
9 lat temu
google auth package and config installation
10 lat temu
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
9 lat temu
Don't add sudo group by default. This formula doesn't really require the sudo group (unless there are actually users in that group). Moreover, on FreeBSD the 'admin' group would be wheel and not sudo.
9 lat temu
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
9 lat temu
Don't add sudo group by default. This formula doesn't really require the sudo group (unless there are actually users in that group). Moreover, on FreeBSD the 'admin' group would be wheel and not sudo.
9 lat temu
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
9 lat temu
Add missing ssh_config test to create .ssh folder
9 lat temu
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
9 lat temu
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367 
  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. 

  6. {%- for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}

  7. {%- if user == None -%}

  8. {%- set user = {} -%}

  9. {%- endif -%}

  10. {%- if 'sudouser' in user and user['sudouser'] %}

  11. {%- do used_sudo.append(1) %}

  12. {%- endif %}

  13. {%- if 'google_auth' in user %}

  14. {%- do used_googleauth.append(1) %}

  15. {%- endif %}

  16. {%- endfor %}

  17. 

  18. {%- if used_sudo or used_googleauth %}

  19. include:

  20. {%- if used_sudo %}

  21.   - users.sudo

  22. {%- endif %}

  23. {%- if used_googleauth %}

  24.   - users.googleauth

  25. {%- endif %}

  26. {%- endif %}

  27. 

  28. {% for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}

  29. {%- if user == None -%}

  30. {%- set user = {} -%}

  31. {%- endif -%}

  32. {%- set home = user.get('home', "/home/%s" % name) -%}

  33. 

  34. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  35. {%- set user_group = user.prime_group.name -%}

  36. {%- else -%}

  37. {%- set user_group = name -%}

  38. {%- endif %}

  39. 

  40. {% for group in user.get('groups', []) %}

  41. users_{{ name }}_{{ group }}_group:

  42.   group.present:

  43.     - name: {{ group }}

  44.     {% if group == 'sudo' %}

  45.     - system: True

  46.     {% endif %}

  47. {% endfor %}

  48. 

  49. users_{{ name }}_user:

  50.   {% if user.get('createhome', True) %}

  51.   file.directory:

  52.     - name: {{ home }}

  53.     - user: {{ name }}

  54.     - group: {{ user_group }}

  55.     - mode: {{ user.get('user_dir_mode', '0750') }}

  56.     - require:

  57.       - user: users_{{ name }}_user

  58.       - group: {{ user_group }}

  59.   {%- endif %}

  60.   group.present:

  61.     - name: {{ user_group }}

  62.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  63.     - gid: {{ user['prime_group']['gid'] }}

  64.     {%- elif 'uid' in user %}

  65.     - gid: {{ user['uid'] }}

  66.     {%- endif %}

  67.   user.present:

  68.     - name: {{ name }}

  69.     - home: {{ home }}

  70.     - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}

  71.     {% if 'uid' in user -%}

  72.     - uid: {{ user['uid'] }}

  73.     {% endif -%}

  74.     {% if 'password' in user -%}

  75.     - password: '{{ user['password'] }}'

  76.     {% endif -%}

  77.     {% if 'enforce_password' in user -%}

  78.     - enforce_password: {{ user['enforce_password'] }}

  79.     {% endif -%}

  80.     {% if user.get('system', False) -%}

  81.     - system: True

  82.     {% endif -%}

  83.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  84.     - gid: {{ user['prime_group']['gid'] }}

  85.     {% else -%}

  86.     - gid_from_name: True

  87.     {% endif -%}

  88.     {% if 'fullname' in user %}

  89.     - fullname: {{ user['fullname'] }}

  90.     {% endif -%}

  91.     {% if not user.get('createhome', True) %}

  92.     - createhome: False

  93.     {% endif %}

  94.     {% if 'expire' in user -%}

  95.     - expire: {{ user['expire'] }}

  96.     {% endif -%}

  97.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  98.     - groups:

  99.       - {{ user_group }}

  100.       {% for group in user.get('groups', []) -%}

  101.       - {{ group }}

  102.       {% endfor %}

  103.     - require:

  104.       - group: {{ user_group }}

  105.       {% for group in user.get('groups', []) -%}

  106.       - group: {{ group }}

  107.       {% endfor %}

  108. 

  109. 

  110.   {% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth.absent' in user or 'ssh_config' in user %}

  111. user_keydir_{{ name }}:

  112.   file.directory:

  113.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  114.     - user: {{ name }}

  115.     - group: {{ user_group }}

  116.     - makedirs: True

  117.     - mode: 700

  118.     - require:

  119.       - user: {{ name }}

  120.       - group: {{ user_group }}

  121.       {%- for group in user.get('groups', []) %}

  122.       - group: {{ group }}

  123.       {%- endfor %}

  124.   {% endif %}

  125. 

  126.   {% if 'ssh_keys' in user %}

  127.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  128. users_user_{{ name }}_private_key:

  129.   file.managed:

  130.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  131.     - user: {{ name }}

  132.     - group: {{ user_group }}

  133.     - mode: 600

  134.     - show_diff: False

  135.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  136.     - require:

  137.       - user: users_{{ name }}_user

  138.       {% for group in user.get('groups', []) %}

  139.       - group: users_{{ name }}_{{ group }}_group

  140.       {% endfor %}

  141. users_user_{{ name }}_public_key:

  142.   file.managed:

  143.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  144.     - user: {{ name }}

  145.     - group: {{ user_group }}

  146.     - mode: 644

  147.     - show_diff: False

  148.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  149.     - require:

  150.       - user: users_{{ name }}_user

  151.       {% for group in user.get('groups', []) %}

  152.       - group: users_{{ name }}_{{ group }}_group

  153.       {% endfor %}

  154.   {% endif %}

  155. 

  156. {% if 'ssh_auth_file' in user %}

  157. users_authorized_keys_{{ name }}:

  158.   file.managed:

  159.     - name: {{ home }}/.ssh/authorized_keys

  160.     - user: {{ name }}

  161.     - group: {{ name }}

  162.     - mode: 600

  163.     - contents: |

  164.         {% for auth in user.ssh_auth_file -%}

  165.         {{ auth }}

  166.         {% endfor -%}

  167. {% endif %}

  168. 

  169. {% if 'ssh_auth' in user %}

  170. {% for auth in user['ssh_auth'] %}

  171. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  172.   ssh_auth.present:

  173.     - user: {{ name }}

  174.     - name: {{ auth }}

  175.     - require:

  176.         - file: users_{{ name }}_user

  177.         - user: users_{{ name }}_user

  178. {% endfor %}

  179. {% endif %}

  180. 

  181. {% if 'ssh_keys_pillar' in user %}

  182. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  183. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  184.   file.managed:

  185.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}

  186.     - user: {{ name }}

  187.     - group: {{ user_group }}

  188.     - mode: 600

  189.     - show_diff: False

  190.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  191.     - require:

  192.       - user: users_{{ name }}_user

  193.       {% for group in user.get('groups', []) %}

  194.       - group: users_{{ name }}_{{ group }}_group

  195.       {% endfor %}

  196. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  197.   file.managed:

  198.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub

  199.     - user: {{ name }}

  200.     - group: {{ user_group }}

  201.     - mode: 644

  202.     - show_diff: False

  203.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  204.     - require:

  205.       - user: users_{{ name }}_user

  206.       {% for group in user.get('groups', []) %}

  207.       - group: users_{{ name }}_{{ group }}_group

  208.       {% endfor %}

  209. {% endfor %}

  210. {% endif %}

  211. 

  212. {% if 'ssh_auth_sources' in user %}

  213. {% for pubkey_file in user['ssh_auth_sources'] %}

  214. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  215.   ssh_auth.present:

  216.     - user: {{ name }}

  217.     - source: {{ pubkey_file }}

  218.     - require:

  219.         - file: users_{{ name }}_user

  220.         - user: users_{{ name }}_user

  221. {% endfor %}

  222. {% endif %}

  223. 

  224. {% if 'ssh_auth.absent' in user %}

  225. {% for auth in user['ssh_auth.absent'] %}

  226. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  227.   ssh_auth.absent:

  228.     - user: {{ name }}

  229.     - name: {{ auth }}

  230.     - require:

  231.         - file: users_{{ name }}_user

  232.         - user: users_{{ name }}_user

  233. {% endfor %}

  234. {% endif %}

  235. 

  236. {% if 'ssh_config' in user %}

  237. users_ssh_config_{{ name }}:

  238.   file.managed:

  239.     - name: {{ home }}/.ssh/config

  240.     - user: {{ name }}

  241.     - group: {{ user_group }}

  242.     - mode: 640

  243.     - contents: |

  244.         # Managed by Saltstack

  245.         # Do Not Edit

  246.         {% for label, setting in user.ssh_config.items() %}

  247.         # {{ label }}

  248.         Host {{ setting.get('hostname') }}

  249.           {%- for opts in setting.get('options') %}

  250.           {{ opts }}

  251.           {%- endfor %}

  252.         {% endfor -%}

  253. {% endif %}

  254. 

  255. {% if 'sudouser' in user and user['sudouser'] %}

  256. 

  257. users_sudoer-{{ name }}:

  258.   file.managed:

  259.     - name: {{ users.sudoers_dir }}/{{ name }}

  260.     - user: root

  261.     - group: {{ users.root_group }}

  262.     - mode: '0440'

  263. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  264. {% if 'sudo_rules' in user %}

  265. {% for rule in user['sudo_rules'] %}

  266. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  267.   cmd.run:

  268.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  269.     - stateful: True

  270.     - shell: {{ users.visudo_shell }}

  271.     - env:

  272.       # Specify the rule via an env var to avoid shell quoting issues.

  273.       - rule: "{{ name }} {{ rule }}"

  274.     - require_in:

  275.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  276. {% endfor %}

  277. {% endif %}

  278. {% if 'sudo_defaults' in user %}

  279. {% for entry in user['sudo_defaults'] %}

  280. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  281.   cmd.run:

  282.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  283.     - stateful: True

  284.     - shell: {{ users.visudo_shell }}

  285.     - env:

  286.       # Specify the rule via an env var to avoid shell quoting issues.

  287.       - rule: "Defaults:{{ name }} {{ entry }}"

  288.     - require_in:

  289.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  290. {% endfor %}

  291. {% endif %}

  292. 

  293. users_{{ users.sudoers_dir }}/{{ name }}:

  294.   file.managed:

  295.     - name: {{ users.sudoers_dir }}/{{ name }}

  296.     - contents: |

  297.       {%- if 'sudo_defaults' in user %}

  298.       {%- for entry in user['sudo_defaults'] %}

  299.         Defaults:{{ name }} {{ entry }}

  300.       {%- endfor %}

  301.       {%- endif %}

  302.       {%- if 'sudo_rules' in user %}

  303.       {%- for rule in user['sudo_rules'] %}

  304.         {{ name }} {{ rule }}

  305.       {%- endfor %}

  306.       {%- endif %}

  307.     - require:

  308.       - file: users_sudoer-defaults

  309.       - file: users_sudoer-{{ name }}

  310. {% endif %}

  311. {% else %}

  312. users_{{ users.sudoers_dir }}/{{ name }}:

  313.   file.absent:

  314.     - name: {{ users.sudoers_dir }}/{{ name }}

  315. {% endif %}

  316. 

  317. {%- if 'google_auth' in user %}

  318. {%- for svc in user['google_auth'] %}

  319. users_googleauth-{{ svc }}-{{ name }}:

  320.   file.managed:

  321.     - replace: false

  322.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  323.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  324.     - user: root

  325.     - group: {{ users.root_group }}

  326.     - mode: 400

  327.     - require:

  328.       - pkg: users_googleauth-package

  329. {%- endfor %}

  330. {%- endif %}

  331. 

  332. {% endfor %}

  333. 

  334. 

  335. {% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %}

  336. users_absent_user_{{ name }}:

  337. {% if 'purge' in user or 'force' in user %}

  338.   user.absent:

  339.     - name: {{ name }}

  340.     {% if 'purge' in user %}

  341.     - purge: {{ user['purge'] }}

  342.     {% endif %}

  343.     {% if 'force' in user %}

  344.     - force: {{ user['force'] }}

  345.     {% endif %}

  346. {% else %}

  347.   user.absent:

  348.     - name: {{ name }}

  349. {% endif -%}

  350. users_{{ users.sudoers_dir }}/{{ name }}:

  351.   file.absent:

  352.     - name: {{ users.sudoers_dir }}/{{ name }}

  353. {% endfor %}

  354. 

  355. {% for user in pillar.get('absent_users', []) %}

  356. users_absent_user_2_{{ user }}:

  357.   user.absent

  358. users_2_{{ users.sudoers_dir }}/{{ user }}:

  359.   file.absent:

  360.     - name: {{ users.sudoers_dir }}/{{ user }}

  361. {% endfor %}

  362. 

  363. {% for group in pillar.get('absent_groups', []) %}

  364. users_absent_group_{{ group }}:

  365.   group.absent:

  366.     - name: {{ group }}

  367. {% endfor %}