salt
/
users-formula
geforkt von ExternalMirrors/users-formula
Beobachten 1
Favorisieren 0
Fork 0
Code Releases 0 Aktivität
Saltstack Official Users Formula
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
77 Commits
2 Branches
Struktur: 8e1d91b3f1
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „8e1d91b3f1“
${ noResults }
users-formula/users/init.sls

init.sls 5.7KB
Originalformat Normale Ansicht Verlauf

Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
Only include users.sudo when a user with sudouser is declared.
vor 10 Jahren
Initial commit
vor 11 Jahren
New format of user.absent support introduced. Old format still supported.
vor 10 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
SLS no longer fails for multiple groups
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
added option to specify user home directory mode
vor 10 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
Fix issue with bash binary location in FreeBSD
vor 10 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Add Password capabilities
vor 10 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Add 'createhome' option for 'user.present' state
vor 10 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
Change .ssh permissions to 700
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
Modified Private Keys and Sudoers Changed Private keys to have content within pillar rather than the salt file repository. Changes sudoers entry to get values from pillar rather than assuming all sudo users want root.
vor 11 Jahren
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
vor 11 Jahren
Initial commit
vor 11 Jahren
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
vor 11 Jahren
Initial commit
vor 11 Jahren
possibility to define alternate user`s prime group
vor 11 Jahren
Initial commit
vor 11 Jahren
Do not echo Public/Private keys to stdout when running the state
vor 10 Jahren
Changed 'contents' to 'contents_pillar' to correctly parse newlines for private/public SSH keys.
vor 11 Jahren
Initial commit
vor 11 Jahren
SLS no longer fails for multiple groups
vor 11 Jahren
Initial commit
vor 11 Jahren
Add and support ssh_key_type attribute to allow for dsa ssh key pairs
vor 11 Jahren
Initial commit
vor 11 Jahren
change pub key to use user_group if you set an alternate prime_group this would break, replaced {{ name }} with {{ user_group }}
vor 11 Jahren
Initial commit
vor 11 Jahren
Do not echo Public/Private keys to stdout when running the state
vor 10 Jahren
Fix pubkey privkey typo Fixes #22
vor 11 Jahren
Initial commit
vor 11 Jahren
SLS no longer fails for multiple groups
vor 11 Jahren
Initial commit
vor 11 Jahren
New format of user.absent support introduced. Old format still supported.
vor 10 Jahren
Initial commit
vor 11 Jahren
added option to remove ssh public keys from auth (ssh_auth.absent)
vor 10 Jahren
Initial commit
vor 11 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
Only include users.sudo when a user with sudouser is declared.
vor 10 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
Check for sudo_rules before text.append state. Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.
vor 11 Jahren
Validate user sudo rules before applying them
vor 10 Jahren
modified visudo to only report change in salt when there is an error.
vor 10 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
Validate user sudo rules before applying them
vor 10 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
Validate user sudo rules before applying them
vor 10 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
Overwrite a sudoer file rather than append to fix #21
vor 10 Jahren
Check for sudo_rules before text.append state. Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.
vor 11 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
Initial commit
vor 11 Jahren
New format of user.absent support introduced. Old format still supported.
vor 10 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
New format of user.absent support introduced. Old format still supported.
vor 10 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
New format of user.absent support introduced. Old format still supported.
vor 10 Jahren
Initial commit
vor 11 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
better sudoers support & default gid add support for sudouser being False. change to adding sudoers config to /etc/sudoers.d/<user> adding the removal of /etc/sudoers.d/<user> on user removal or switching to sudouser being removed or set to false
vor 11 Jahren
Add support FreeBSD using map.jinja (Tested on Freebsd10)
vor 10 Jahren
Initial commit
vor 11 Jahren
Add absent_groups pillar to remove groups.
vor 11 Jahren
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216 
  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = False %}

  4. 

  5. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  6. {%- if user == None -%}

  7. {%- set user = {} -%}

  8. {%- endif -%}

  9. {%- set home = user.get('home', "/home/%s" % name) -%}

  10. 

  11. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  12. {%- set user_group = user.prime_group.name -%}

  13. {%- else -%}

  14. {%- set user_group = name -%}

  15. {%- endif %}

  16. 

  17. {% for group in user.get('groups', []) %}

  18. {{ name }}_{{ group }}_group:

  19.   group:

  20.     - name: {{ group }}

  21.     - present

  22. {% endfor %}

  23. 

  24. {{ name }}_user:

  25.   file.directory:

  26.     - name: {{ home }}

  27.     - user: {{ name }}

  28.     - group: {{ user_group }}

  29.     - mode: {{ user.get('user_dir_mode', '0750') }}

  30.     - require:

  31.       - user: {{ name }}

  32.       - group: {{ user_group }}

  33.   group.present:

  34.     - name: {{ user_group }}

  35.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  36.     - gid: {{ user['prime_group']['gid'] }}

  37.     {%- elif 'uid' in user %}

  38.     - gid: {{ user['uid'] }}

  39.     {%- endif %}

  40.   user.present:

  41.     - name: {{ name }}

  42.     - home: {{ home }}

  43.     - shell: {{ users.get('visudo_shell', '/bin/bash') }}

  44.     {% if 'uid' in user -%}

  45.     - uid: {{ user['uid'] }}

  46.     {% endif -%}

  47.     {% if 'password' in user -%}

  48.     - password: {{ user['password'] }}

  49.     {% endif -%}

  50.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  51.     - gid: {{ user['prime_group']['gid'] }}

  52.     {% else -%}

  53.     - gid_from_name: True

  54.     {% endif -%}

  55.     {% if 'fullname' in user %}

  56.     - fullname: {{ user['fullname'] }}

  57.     {% endif -%}

  58.     {% if not user.get('createhome', True) %}

  59.     - createhome: False

  60.     {% endif %}

  61.     - groups:

  62.       - {{ user_group }}

  63.       {% for group in user.get('groups', []) -%}

  64.       - {{ group }}

  65.       {% endfor %}

  66.     - require:

  67.       - group: {{ user_group }}

  68.       {% for group in user.get('groups', []) -%}

  69.       - group: {{ group }}

  70.       {% endfor %}

  71. 

  72. user_keydir_{{ name }}:

  73.   file.directory:

  74.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  75.     - user: {{ name }}

  76.     - group: {{ user_group }}

  77.     - makedirs: True

  78.     - mode: 700

  79.     - require:

  80.       - user: {{ name }}

  81.       - group: {{ user_group }}

  82.       {%- for group in user.get('groups', []) %}

  83.       - group: {{ group }}

  84.       {%- endfor %}

  85. 

  86.   {% if 'ssh_keys' in user %}

  87.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  88. user_{{ name }}_private_key:

  89.   file.managed:

  90.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  91.     - user: {{ name }}

  92.     - group: {{ user_group }}

  93.     - mode: 600

  94.     - show_diff: False

  95.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  96.     - require:

  97.       - user: {{ name }}_user

  98.       {% for group in user.get('groups', []) %}

  99.       - group: {{ name }}_{{ group }}_group

  100.       {% endfor %}

  101. user_{{ name }}_public_key:

  102.   file.managed:

  103.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  104.     - user: {{ name }}

  105.     - group: {{ user_group }}

  106.     - mode: 644

  107.     - show_diff: False

  108.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  109.     - require:

  110.       - user: {{ name }}_user

  111.       {% for group in user.get('groups', []) %}

  112.       - group: {{ name }}_{{ group }}_group

  113.       {% endfor %}

  114.   {% endif %}

  115. 

  116. 

  117. {% if 'ssh_auth' in user %}

  118. {% for auth in user['ssh_auth'] %}

  119. ssh_auth_{{ name }}_{{ loop.index0 }}:

  120.   ssh_auth.present:

  121.     - user: {{ name }}

  122.     - name: {{ auth }}

  123.     - require:

  124.         - file: {{ name }}_user

  125.         - user: {{ name }}_user

  126. {% endfor %}

  127. {% endif %}

  128. 

  129. {% if 'ssh_auth.absent' in user %}

  130. {% for auth in user['ssh_auth.absent'] %}

  131. ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  132.   ssh_auth.absent:

  133.     - user: {{ name }}

  134.     - name: {{ auth }}

  135.     - require:

  136.         - file: {{ name }}_user

  137.         - user: {{ name }}_user

  138. {% endfor %}

  139. {% endif %}

  140. 

  141. {% if 'sudouser' in user and user['sudouser'] %}

  142. {% if not used_sudo %}

  143. {% set used_sudo = True %}

  144. include:

  145.   - users.sudo

  146. {% endif %}

  147. 

  148. sudoer-{{ name }}:

  149.   file.managed:

  150.     - name: {{ users.sudoers_dir }}{{ name }}

  151.     - user: root

  152.     - group: {{ users.root_group }} 

  153.     - mode: '0440'

  154. {% if 'sudo_rules' in user %}

  155. {% for rule in user['sudo_rules'] %}

  156. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  157.   cmd.run:

  158.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  159.     - stateful: True

  160.     - shell: {{ users.visudo_shell }} 

  161.     - env:

  162.       # Specify the rule via an env var to avoid shell quoting issues.

  163.       - rule: "{{ name }} {{ rule }}"

  164.     - require_in:

  165.       - file: {{ users.sudoers_dir }}{{ name }}

  166. {% endfor %}

  167. 

  168. {{ users.sudoers_dir }}{{ name }}:

  169.   file.managed:

  170.     - contents: |

  171.       {%- for rule in user['sudo_rules'] %}

  172.         {{ name }} {{ rule }}

  173.       {%- endfor %}

  174.     - require:

  175.       - file: sudoer-defaults

  176.       - file: sudoer-{{ name }}

  177. {% endif %}

  178. {% else %}

  179. {{ users.sudoers_dir }}{{ name }}:

  180.   file.absent:

  181.     - name: {{ users.sudoers_dir }}{{ name }}

  182. {% endif %}

  183. 

  184. {% endfor %}

  185. 

  186. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

  187. {{ name }}:

  188. {% if 'purge' in user or 'force' in user %}

  189.   user.absent:

  190.     {% if 'purge' in user %}

  191.     - purge: {{ user['purge'] }}

  192.     {% endif %}

  193.     {% if 'force' in user %}

  194.     - force: {{ user['force'] }}

  195.     {% endif %}

  196. {% else %}

  197.   user.absent

  198. {% endif -%}

  199. {{ users.sudoers_dir }}{{ name }}:

  200.   file.absent:

  201.     - name: {{ users.sudoers_dir }}{{ name }}

  202. {% endfor %}

  203. 

  204. {% for user in pillar.get('absent_users', []) %}

  205. {{ user }}:

  206.   user.absent

  207. {{ users.sudoers_dir }}{{ user }}:

  208.   file.absent:

  209.     - name: {{ users.sudoers_dir }}{{ user }}

  210. {% endfor %}

  211. 

  212. {% for group in pillar.get('absent_groups', []) %}

  213. {{ group }}:

  214.   group.absent

  215. {% endfor %}

  216.