Saltstack Official Users Formula
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.

init.sls 14KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482
  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudouser' in user and user['sudouser'] %}
  12. {%- do used_sudo.append(1) %}
  13. {%- endif %}
  14. {%- if 'google_auth' in user %}
  15. {%- do used_googleauth.append(1) %}
  16. {%- endif %}
  17. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  18. {%- do used_user_files.append(1) %}
  19. {%- endif %}
  20. {%- endfor %}
  21. {%- if used_sudo or used_googleauth or used_user_files %}
  22. include:
  23. {%- if used_sudo %}
  24. - users.sudo
  25. {%- endif %}
  26. {%- if used_googleauth %}
  27. - users.googleauth
  28. {%- endif %}
  29. {%- if used_user_files %}
  30. - users.user_files
  31. {%- endif %}
  32. {%- endif %}
  33. {% for name, user in pillar.get('users', {}).items()
  34. if user.absent is not defined or not user.absent %}
  35. {%- if user == None -%}
  36. {%- set user = {} -%}
  37. {%- endif -%}
  38. {%- set home = user.get('home', "/home/%s" % name) -%}
  39. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  40. {%- set user_group = user.prime_group.name -%}
  41. {%- else -%}
  42. {%- set user_group = name -%}
  43. {%- endif %}
  44. {% for group in user.get('groups', []) %}
  45. users_{{ name }}_{{ group }}_group:
  46. group.present:
  47. - name: {{ group }}
  48. {% if group == 'sudo' %}
  49. - system: True
  50. {% endif %}
  51. {% endfor %}
  52. users_{{ name }}_user:
  53. {% if user.get('createhome', True) %}
  54. file.directory:
  55. - name: {{ home }}
  56. - user: {{ name }}
  57. - group: {{ user_group }}
  58. - mode: {{ user.get('user_dir_mode', '0750') }}
  59. - require:
  60. - user: users_{{ name }}_user
  61. - group: {{ user_group }}
  62. {%- endif %}
  63. group.present:
  64. - name: {{ user_group }}
  65. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  66. - gid: {{ user['prime_group']['gid'] }}
  67. {%- elif 'uid' in user %}
  68. - gid: {{ user['uid'] }}
  69. {%- endif %}
  70. {% if 'system' in user and user['system'] %}
  71. - system: True
  72. {% endif %}
  73. user.present:
  74. - name: {{ name }}
  75. - home: {{ home }}
  76. - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
  77. {% if 'uid' in user -%}
  78. - uid: {{ user['uid'] }}
  79. {% endif -%}
  80. {% if 'password' in user -%}
  81. - password: '{{ user['password'] }}'
  82. {% endif -%}
  83. {% if user.get('empty_password') -%}
  84. - empty_password: {{ user.get('empty_password') }}
  85. {% endif -%}
  86. {% if 'enforce_password' in user -%}
  87. - enforce_password: {{ user['enforce_password'] }}
  88. {% endif -%}
  89. {% if user.get('system', False) -%}
  90. - system: True
  91. {% endif -%}
  92. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  93. - gid: {{ user['prime_group']['gid'] }}
  94. {% else -%}
  95. - gid_from_name: True
  96. {% endif -%}
  97. {% if 'fullname' in user %}
  98. - fullname: {{ user['fullname'] }}
  99. {% endif -%}
  100. {% if 'roomnumber' in user %}
  101. - roomnumber: {{ user['roomnumber'] }}
  102. {% endif %}
  103. {% if 'workphone' in user %}
  104. - workphone: {{ user['workphone'] }}
  105. {% endif %}
  106. {% if 'homephone' in user %}
  107. - homephone: {{ user['workphone'] }}
  108. {% endif %}
  109. {% if not user.get('createhome', True) %}
  110. - createhome: False
  111. {% endif %}
  112. {% if 'expire' in user -%}
  113. {% if grains['kernel'].endswith('BSD') and
  114. user['expire'] < 157766400 %}
  115. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  116. - expire: {{ user['expire'] * 86400 }}
  117. {% elif grains['kernel'] == 'Linux' and
  118. user['expire'] > 84006 %}
  119. {# 2932896 days since epoch equals 9999-12-31 #}
  120. - expire: {{ (user['expire'] / 86400) | int}}
  121. {% else %}
  122. - expire: {{ user['expire'] }}
  123. {% endif %}
  124. {% endif -%}
  125. - remove_groups: {{ user.get('remove_groups', 'False') }}
  126. - groups:
  127. - {{ user_group }}
  128. {% for group in user.get('groups', []) -%}
  129. - {{ group }}
  130. {% endfor %}
  131. - require:
  132. - group: {{ user_group }}
  133. {% for group in user.get('groups', []) -%}
  134. - group: {{ group }}
  135. {% endfor %}
  136. {% if 'ssh_keys' in user or
  137. 'ssh_auth' in user or
  138. 'ssh_auth_file' in user or
  139. 'ssh_auth_pillar' in user or
  140. 'ssh_auth.absent' in user or
  141. 'ssh_config' in user %}
  142. user_keydir_{{ name }}:
  143. file.directory:
  144. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  145. - user: {{ name }}
  146. - group: {{ user_group }}
  147. - makedirs: True
  148. - mode: 700
  149. - require:
  150. - user: {{ name }}
  151. - group: {{ user_group }}
  152. {%- for group in user.get('groups', []) %}
  153. - group: {{ group }}
  154. {%- endfor %}
  155. {% endif %}
  156. {% if 'ssh_keys' in user %}
  157. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  158. users_user_{{ name }}_private_key:
  159. file.managed:
  160. - name: {{ user.get('home',
  161. '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  162. - user: {{ name }}
  163. - group: {{ user_group }}
  164. - mode: 600
  165. - show_diff: False
  166. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  167. - require:
  168. - user: users_{{ name }}_user
  169. {% for group in user.get('groups', []) %}
  170. - group: users_{{ name }}_{{ group }}_group
  171. {% endfor %}
  172. users_user_{{ name }}_public_key:
  173. file.managed:
  174. - name: {{ user.get('home',
  175. '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  176. - user: {{ name }}
  177. - group: {{ user_group }}
  178. - mode: 644
  179. - show_diff: False
  180. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  181. - require:
  182. - user: users_{{ name }}_user
  183. {% for group in user.get('groups', []) %}
  184. - group: users_{{ name }}_{{ group }}_group
  185. {% endfor %}
  186. {% endif %}
  187. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  188. users_authorized_keys_{{ name }}:
  189. file.managed:
  190. - name: {{ home }}/.ssh/authorized_keys
  191. - user: {{ name }}
  192. - group: {{ user_group }}
  193. - mode: 600
  194. {% if 'ssh_auth_file' in user %}
  195. - contents: |
  196. {% for auth in user.ssh_auth_file -%}
  197. {{ auth }}
  198. {% endfor -%}
  199. {% else %}
  200. - contents: |
  201. {%- for key_name, pillar_name in user['ssh_auth_pillar'].iteritems() %}
  202. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  203. {%- endfor %}
  204. {% endif %}
  205. {% endif %}
  206. {% if 'ssh_auth' in user %}
  207. {% for auth in user['ssh_auth'] %}
  208. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  209. ssh_auth.present:
  210. - user: {{ name }}
  211. - name: {{ auth }}
  212. - require:
  213. - file: user_keydir_{{ name }}
  214. - user: users_{{ name }}_user
  215. {% endfor %}
  216. {% endif %}
  217. {% if 'ssh_keys_pillar' in user %}
  218. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  219. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  220. file.managed:
  221. - name: {{ user.get('home',
  222. '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
  223. - user: {{ name }}
  224. - group: {{ user_group }}
  225. - mode: 600
  226. - show_diff: False
  227. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  228. - require:
  229. - user: users_{{ name }}_user
  230. {% for group in user.get('groups', []) %}
  231. - group: users_{{ name }}_{{ group }}_group
  232. {% endfor %}
  233. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  234. file.managed:
  235. - name: {{ user.get('home',
  236. '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
  237. - user: {{ name }}
  238. - group: {{ user_group }}
  239. - mode: 644
  240. - show_diff: False
  241. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  242. - require:
  243. - user: users_{{ name }}_user
  244. {% for group in user.get('groups', []) %}
  245. - group: users_{{ name }}_{{ group }}_group
  246. {% endfor %}
  247. {% endfor %}
  248. {% endif %}
  249. {% if 'ssh_auth_sources' in user %}
  250. {% for pubkey_file in user['ssh_auth_sources'] %}
  251. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  252. ssh_auth.present:
  253. - user: {{ name }}
  254. - source: {{ pubkey_file }}
  255. - require:
  256. - file: users_{{ name }}_user
  257. - user: users_{{ name }}_user
  258. {% endfor %}
  259. {% endif %}
  260. {% if 'ssh_auth.absent' in user %}
  261. {% for auth in user['ssh_auth.absent'] %}
  262. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  263. ssh_auth.absent:
  264. - user: {{ name }}
  265. - name: {{ auth }}
  266. - require:
  267. - file: users_{{ name }}_user
  268. - user: users_{{ name }}_user
  269. {% endfor %}
  270. {% endif %}
  271. {% if 'ssh_config' in user %}
  272. users_ssh_config_{{ name }}:
  273. file.managed:
  274. - name: {{ home }}/.ssh/config
  275. - user: {{ name }}
  276. - group: {{ user_group }}
  277. - mode: 640
  278. - contents: |
  279. # Managed by Saltstack
  280. # Do Not Edit
  281. {% for label, setting in user.ssh_config.items() %}
  282. # {{ label }}
  283. Host {{ setting.get('hostname') }}
  284. {%- for opts in setting.get('options') %}
  285. {{ opts }}
  286. {%- endfor %}
  287. {% endfor -%}
  288. {% endif %}
  289. {% if 'ssh_known_hosts' in user %}
  290. {% for hostname, host in user['ssh_known_hosts'].items() %}
  291. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  292. ssh_known_hosts.present:
  293. - user: {{ name }}
  294. - name: {{ hostname }}
  295. {% if 'port' in host %}
  296. - port: {{ host['port'] }}
  297. {% endif -%}
  298. {% if 'fingerprint' in host %}
  299. - fingerprint: {{ host['fingerprint'] }}
  300. {% endif -%}
  301. {% if 'key' in host %}
  302. - key: {{ host['key'] }}
  303. {% endif -%}
  304. {% if 'enc' in host %}
  305. - enc: {{ host['enc'] }}
  306. {% endif -%}
  307. {% if 'hash_hostname' in host %}
  308. - hash_hostname: {{ host['hash_hostname'] }}
  309. {% endif -%}
  310. {% endfor %}
  311. {% endif %}
  312. {% if 'ssh_known_hosts.absent' in user %}
  313. {% for host in user['ssh_known_hosts.absent'] %}
  314. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  315. ssh_known_hosts.absent:
  316. - user: {{ name }}
  317. - name: {{ host }}
  318. {% endfor %}
  319. {% endif %}
  320. {% if 'sudouser' in user and user['sudouser'] %}
  321. users_sudoer-{{ name }}:
  322. file.managed:
  323. - name: {{ users.sudoers_dir }}/{{ name }}
  324. - user: root
  325. - group: {{ users.root_group }}
  326. - mode: '0440'
  327. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  328. #{#%
  329. {% if 'sudo_rules' in user %}
  330. {% for rule in user['sudo_rules'] %}
  331. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  332. cmd.run:
  333. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  334. - stateful: True
  335. - shell: {{ users.visudo_shell }}
  336. - env:
  337. # Specify the rule via an env var to avoid shell quoting issues.
  338. - rule: "{{ name }} {{ rule }}"
  339. - require_in:
  340. - file: users_{{ users.sudoers_dir }}/{{ name }}
  341. {% endfor %}
  342. {% endif %}
  343. {% if 'sudo_defaults' in user %}
  344. {% for entry in user['sudo_defaults'] %}
  345. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  346. cmd.run:
  347. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  348. - stateful: True
  349. - shell: {{ users.visudo_shell }}
  350. - env:
  351. # Specify the rule via an env var to avoid shell quoting issues.
  352. - rule: "Defaults:{{ name }} {{ entry }}"
  353. - require_in:
  354. - file: users_{{ users.sudoers_dir }}/{{ name }}
  355. {% endfor %}
  356. {% endif %}
  357. #%#}
  358. users_{{ users.sudoers_dir }}/{{ name }}:
  359. file.managed:
  360. - name: {{ users.sudoers_dir }}/{{ name }}
  361. - contents: |
  362. {%- if 'sudo_defaults' in user %}
  363. {%- for entry in user['sudo_defaults'] %}
  364. Defaults:{{ name }} {{ entry }}
  365. {%- endfor %}
  366. {%- endif %}
  367. {%- if 'sudo_rules' in user %}
  368. {%- for rule in user['sudo_rules'] %}
  369. {{ name }} {{ rule }}
  370. {%- endfor %}
  371. {%- endif %}
  372. - require:
  373. - file: users_sudoer-defaults
  374. - file: users_sudoer-{{ name }}
  375. cmd.wait:
  376. - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )
  377. - watch:
  378. - file: {{ users.sudoers_dir }}/{{ name }}
  379. {% endif %}
  380. {% else %}
  381. users_{{ users.sudoers_dir }}/{{ name }}:
  382. file.absent:
  383. - name: {{ users.sudoers_dir }}/{{ name }}
  384. {% endif %}
  385. {%- if 'google_auth' in user %}
  386. {%- for svc in user['google_auth'] %}
  387. users_googleauth-{{ svc }}-{{ name }}:
  388. file.managed:
  389. - replace: false
  390. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  391. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  392. - user: root
  393. - group: {{ users.root_group }}
  394. - mode: 400
  395. - require:
  396. - pkg: users_googleauth-package
  397. {%- endfor %}
  398. {%- endif %}
  399. {% if 'gitconfig' in user %}
  400. {% if not salt['cmd.has_exec']('git') %}
  401. skip_{{ name }}_gitconfig_since_git_not_installed:
  402. test.fail_without_changes:
  403. - name: "Git configuration for user {{ name }} has been skipped because Git is not installed."
  404. {% else %}
  405. {% for key, value in user['gitconfig'].items() %}
  406. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  407. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  408. git.config_set:
  409. {% else %}
  410. git.config:
  411. {% endif %}
  412. - name: {{ key }}
  413. - value: "{{ value }}"
  414. - user: {{ name }}
  415. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  416. - global: True
  417. {% else %}
  418. - is_global: True
  419. {% endif %}
  420. {% endfor %}
  421. {% endif %}
  422. {% endif %}
  423. {% endfor %}
  424. {% for name, user in pillar.get('users', {}).items()
  425. if user.absent is defined and user.absent %}
  426. users_absent_user_{{ name }}:
  427. {% if 'purge' in user or 'force' in user %}
  428. user.absent:
  429. - name: {{ name }}
  430. {% if 'purge' in user %}
  431. - purge: {{ user['purge'] }}
  432. {% endif %}
  433. {% if 'force' in user %}
  434. - force: {{ user['force'] }}
  435. {% endif %}
  436. {% else %}
  437. user.absent:
  438. - name: {{ name }}
  439. {% endif -%}
  440. users_{{ users.sudoers_dir }}/{{ name }}:
  441. file.absent:
  442. - name: {{ users.sudoers_dir }}/{{ name }}
  443. {% endfor %}
  444. {% for user in pillar.get('absent_users', []) %}
  445. users_absent_user_2_{{ user }}:
  446. user.absent
  447. users_2_{{ users.sudoers_dir }}/{{ user }}:
  448. file.absent:
  449. - name: {{ users.sudoers_dir }}/{{ user }}
  450. {% endfor %}
  451. {% for group in pillar.get('absent_groups', []) %}
  452. users_absent_group_{{ group }}:
  453. group.absent:
  454. - name: {{ group }}
  455. {% endfor %}