Saltstack Official Users Formula

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = False %}
  4. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
  5. {%- if user == None -%}
  6. {%- set user = {} -%}
  7. {%- endif -%}
  8. {%- set home = user.get('home', "/home/%s" % name) -%}
  9. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  10. {%- set user_group = user.prime_group.name -%}
  11. {%- else -%}
  12. {%- set user_group = name -%}
  13. {%- endif %}
  14. {% for group in user.get('groups', []) %}
  15. {{ name }}_{{ group }}_group:
  16. group:
  17. - name: {{ group }}
  18. - present
  19. {% endfor %}
  20. {{ name }}_user:
  21. file.directory:
  22. - name: {{ home }}
  23. - user: {{ name }}
  24. - group: {{ user_group }}
  25. - mode: {{ user.get('user_dir_mode', '0750') }}
  26. - require:
  27. - user: {{ name }}
  28. - group: {{ user_group }}
  29. group.present:
  30. - name: {{ user_group }}
  31. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  32. - gid: {{ user['prime_group']['gid'] }}
  33. {%- elif 'uid' in user %}
  34. - gid: {{ user['uid'] }}
  35. {%- endif %}
  36. user.present:
  37. - name: {{ name }}
  38. - home: {{ home }}
  39. - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
  40. {% if 'uid' in user -%}
  41. - uid: {{ user['uid'] }}
  42. {% endif -%}
  43. {% if 'password' in user -%}
  44. - password: {{ user['password'] }}
  45. {% endif -%}
  46. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  47. - gid: {{ user['prime_group']['gid'] }}
  48. {% else -%}
  49. - gid_from_name: True
  50. {% endif -%}
  51. {% if 'fullname' in user %}
  52. - fullname: {{ user['fullname'] }}
  53. {% endif -%}
  54. {% if not user.get('createhome', True) %}
  55. - createhome: False
  56. {% endif %}
  57. {% if user.get('remove_groups', True) %}
  58. - remove_groups: True
  59. {% else %}
  60. - remove_groups: False
  61. {% endif %}
  62. - groups:
  63. - {{ user_group }}
  64. {% for group in user.get('groups', []) -%}
  65. - {{ group }}
  66. {% endfor %}
  67. - require:
  68. - group: {{ user_group }}
  69. {% for group in user.get('groups', []) -%}
  70. - group: {{ group }}
  71. {% endfor %}
  72. user_keydir_{{ name }}:
  73. file.directory:
  74. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  75. - user: {{ name }}
  76. - group: {{ user_group }}
  77. - makedirs: True
  78. - mode: 700
  79. - require:
  80. - user: {{ name }}
  81. - group: {{ user_group }}
  82. {%- for group in user.get('groups', []) %}
  83. - group: {{ group }}
  84. {%- endfor %}
  85. {% if 'ssh_keys' in user %}
  86. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  87. user_{{ name }}_private_key:
  88. file.managed:
  89. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  90. - user: {{ name }}
  91. - group: {{ user_group }}
  92. - mode: 600
  93. - show_diff: False
  94. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  95. - require:
  96. - user: {{ name }}_user
  97. {% for group in user.get('groups', []) %}
  98. - group: {{ name }}_{{ group }}_group
  99. {% endfor %}
  100. user_{{ name }}_public_key:
  101. file.managed:
  102. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  103. - user: {{ name }}
  104. - group: {{ user_group }}
  105. - mode: 644
  106. - show_diff: False
  107. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  108. - require:
  109. - user: {{ name }}_user
  110. {% for group in user.get('groups', []) %}
  111. - group: {{ name }}_{{ group }}_group
  112. {% endfor %}
  113. {% endif %}
  114. {% if 'ssh_auth' in user %}
  115. {% for auth in user['ssh_auth'] %}
  116. ssh_auth_{{ name }}_{{ loop.index0 }}:
  117. ssh_auth.present:
  118. - user: {{ name }}
  119. - name: {{ auth }}
  120. - require:
  121. - file: {{ name }}_user
  122. - user: {{ name }}_user
  123. {% endfor %}
  124. {% endif %}
  125. {% if 'ssh_auth.absent' in user %}
  126. {% for auth in user['ssh_auth.absent'] %}
  127. ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  128. ssh_auth.absent:
  129. - user: {{ name }}
  130. - name: {{ auth }}
  131. - require:
  132. - file: {{ name }}_user
  133. - user: {{ name }}_user
  134. {% endfor %}
  135. {% endif %}
  136. {% if 'sudouser' in user and user['sudouser'] %}
  137. {% if not used_sudo %}
  138. {% set used_sudo = True %}
  139. include:
  140. - users.sudo
  141. {% endif %}
  142. sudoer-{{ name }}:
  143. file.managed:
  144. - name: {{ users.sudoers_dir }}{{ name }}
  145. - user: root
  146. - group: {{ users.root_group }}
  147. - mode: '0440'
  148. {% if 'sudo_rules' in user %}
  149. {% for rule in user['sudo_rules'] %}
  150. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  151. cmd.run:
  152. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  153. - stateful: True
  154. - shell: {{ users.visudo_shell }}
  155. - env:
  156. # Specify the rule via an env var to avoid shell quoting issues.
  157. - rule: "{{ name }} {{ rule }}"
  158. - require_in:
  159. - file: {{ users.sudoers_dir }}{{ name }}
  160. {% endfor %}
  161. {{ users.sudoers_dir }}{{ name }}:
  162. file.managed:
  163. - contents: |
  164. {%- for rule in user['sudo_rules'] %}
  165. {{ name }} {{ rule }}
  166. {%- endfor %}
  167. - require:
  168. - file: sudoer-defaults
  169. - file: sudoer-{{ name }}
  170. {% endif %}
  171. {% else %}
  172. {{ users.sudoers_dir }}{{ name }}:
  173. file.absent:
  174. - name: {{ users.sudoers_dir }}{{ name }}
  175. {% endif %}
  176. {% endfor %}
  177. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}
  178. {{ name }}:
  179. {% if 'purge' in user or 'force' in user %}
  180. user.absent:
  181. {% if 'purge' in user %}
  182. - purge: {{ user['purge'] }}
  183. {% endif %}
  184. {% if 'force' in user %}
  185. - force: {{ user['force'] }}
  186. {% endif %}
  187. {% else %}
  188. user.absent
  189. {% endif -%}
  190. {{ users.sudoers_dir }}{{ name }}:
  191. file.absent:
  192. - name: {{ users.sudoers_dir }}{{ name }}
  193. {% endfor %}
  194. {% for user in pillar.get('absent_users', []) %}
  195. {{ user }}:
  196. user.absent
  197. {{ users.sudoers_dir }}{{ user }}:
  198. file.absent:
  199. - name: {{ users.sudoers_dir }}{{ user }}
  200. {% endfor %}
  201. {% for group in pillar.get('absent_groups', []) %}
  202. {{ group }}:
  203. group.absent
  204. {% endfor %}