salt
/
users-formula
atdalīts no ExternalMirrors/users-formula
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Laidieni 0 Aktivitāte
Saltstack Official Users Formula
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
273 Revīzijas
2 Atzari
Koks: ad2ddd0265
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no 'ad2ddd0265'
${ noResults }
users-formula/users/init.sls

init.sls 15KB
Neapstrādāts Parastais skats Vēsture

Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added feature to allow syncing arbitrary sets of files per user.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
break some of those horribly long lines sry, could not resist.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added sudoonly switch. Usage implies setting sudouser to True
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Skips user if it's enabled without a specified source, and their directory does not exist.
pirms 9 gadiem
Added feature to allow syncing arbitrary sets of files per user.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added feature to allow syncing arbitrary sets of files per user.
pirms 9 gadiem
google auth package and config installation
pirms 10 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
google auth package and config installation
pirms 10 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
google auth package and config installation
pirms 10 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added feature to allow syncing arbitrary sets of files per user.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
break some of those horribly long lines sry, could not resist.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
use already available home variable for user's ssh-key configuration
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added sudoonly switch. Usage implies setting sudouser to True
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Don't add sudo group by default. This formula doesn't really require the sudo group (unless there are actually users in that group). Moreover, on FreeBSD the 'admin' group would be wheel and not sudo.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Don't add sudo group by default. This formula doesn't really require the sudo group (unless there are actually users in that group). Moreover, on FreeBSD the 'admin' group would be wheel and not sudo.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
renamed variables
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Create a system usergroup if user is a system user If the user to be created is a system user, it makes no sense to create him a primary group which is not a system group too.
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
use already available home variable for user's ssh-key configuration
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Fixed typo and 'empty_password' key check
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Changed 'empty_password' key retrieval method
pirms 9 gadiem
Adds 'empty_password' statement for states.user.present
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Add support for hash_password
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
add ability to configure prime_group without gid (#141) * add ability to configure prime_group without gid
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added ability to specify room number, home phone, and work phone as per https://docs.saltstack.com/en/develop/ref/states/all/salt.states.user.html
pirms 9 gadiem
Use correct pillar to set users homephone
pirms 7 gadiem
Added ability to specify room number, home phone, and work phone as per https://docs.saltstack.com/en/develop/ref/states/all/salt.states.user.html
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added unique switch
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Mitigate Salt issue #29004, fixes "expire" on *BSD Unreasonable values for 'expire' (after 9999-12-31 on Linux, before 1975-01-01 on *BSD) get divided by 86400 (number of seconds in a day) when too big or multiplied by 86400 when too small. Tested on CentOS 6 (Salt 2015.5.5) and FreeBSD 10.2 (Salt 2015.8.0) with following values: - 24854 (2038-01-18 in days since epoch) - 157766400 (1975-01-01 00:00:00 UTC in seconds since epoch) - 3313526400 (2075-01-01 00:00:00 UTC in seconds since epoch) - 16000 (2013-10-22 in days since epoch) - 18000 (2019-04-14 in days since epoch) (Sponsored by av.tu-berlin.de and fokus.fraunhofer.de)
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Mitigate Salt issue #29004, fixes "expire" on *BSD Unreasonable values for 'expire' (after 9999-12-31 on Linux, before 1975-01-01 on *BSD) get divided by 86400 (number of seconds in a day) when too big or multiplied by 86400 when too small. Tested on CentOS 6 (Salt 2015.5.5) and FreeBSD 10.2 (Salt 2015.8.0) with following values: - 24854 (2038-01-18 in days since epoch) - 157766400 (1975-01-01 00:00:00 UTC in seconds since epoch) - 3313526400 (2075-01-01 00:00:00 UTC in seconds since epoch) - 16000 (2013-10-22 in days since epoch) - 18000 (2019-04-14 in days since epoch) (Sponsored by av.tu-berlin.de and fokus.fraunhofer.de)
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Support for optional_groups
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
break some of those horribly long lines sry, could not resist.
pirms 9 gadiem
also load ssh keys from pillar data
pirms 9 gadiem
break some of those horribly long lines sry, could not resist.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
use already available home variable for user's ssh-key configuration
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
add support for multiple private and public keys
pirms 8 gadiem
i don't know what made me do this, maybe brainlag
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
add support for multiple private and public keys
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
adjust file permissions of public ssh-keys
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
adjust file permissions of public ssh-keys
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
adjust file permissions of public ssh-keys
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
add support for multiple private and public keys
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
add support for multiple private and public keys
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
add support for multiple private and public keys
pirms 8 gadiem
Added ability to provide pillar path for ssh_auth.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Use the primary group for the user when creating authorized_keys If a primary group is set on the user, and a authorized_keys is provied in ssh_auth_file, the formula fails. This solves that by using the user_group set earlier in the formula
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added ability to provide pillar path for ssh_auth.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Added ability to provide pillar path for ssh_auth.
pirms 9 gadiem
fixed insertion of multiple authorized keys via ssh_auth_pillar
pirms 7 gadiem
Use contents_pillar to work with multiple-line authorized_keys file
pirms 9 gadiem
fixed insertion of multiple authorized keys via ssh_auth_pillar
pirms 7 gadiem
Fixed indentation in key contents for authorized_keys
pirms 9 gadiem
Added ability to provide pillar path for ssh_auth.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Properly handle dependencies on ssh_auth when home is not create with the formula.
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
use already available home variable for user's ssh-key configuration
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
use already available home variable for user's ssh-key configuration
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Add support for ssh_auth_sources.absent Fixes: 150
pirms 7 gadiem
Fixing Conflicting ID Fixing my previous change which errors in a particular scenario. Error: Conflicting ID 'users_ssh_auth_source_username_0' when keys are added and removed simultaneously.
pirms 7 gadiem
Add support for ssh_auth_sources.absent Fixes: 150
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Add possibility to manage ssh's known_hosts file.
pirms 9 gadiem
Fix minor bug for ssh known_hosts management with salt >= 2015.5.5. This version complains that "argument port can not be used in conjunction with argument hash_hostname", so add hash_hostname to the fields we handle in the formula so we can override it if needed.
pirms 9 gadiem
Add possibility to manage ssh's known_hosts file.
pirms 9 gadiem
Added sudoonly switch. Usage implies setting sudouser to True
pirms 7 gadiem
Add possibility to manage ssh's known_hosts file.
pirms 9 gadiem
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
fix warning on managed file state for /etc/sudoers.d/username
pirms 8 gadiem
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
changing visudo checking to avoid wrong reporting when launched with test=true
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
changing visudo checking to avoid wrong reporting when launched with test=true
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
fix warning on managed file state for /etc/sudoers.d/username
pirms 8 gadiem
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Display "managed by Salt" header in user sudoers files
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Display "managed by Salt" header in user sudoers files
pirms 9 gadiem
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
pirms 7 gadiem
Display "managed by Salt" header in user sudoers files
pirms 9 gadiem
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
pirms 7 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
temp fix on git executable
pirms 8 gadiem
Add possibility to manage the user's global git configuration.
pirms 9 gadiem
corrected saltversioninfo check expression
pirms 7 gadiem
Add possibility to manage the user's global git configuration.
pirms 9 gadiem
corrected saltversioninfo check expression
pirms 7 gadiem
Add possibility to manage the user's global git configuration.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
break some of those horribly long lines sry, could not resist.
pirms 9 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
fixing removing of users based on pillar['absent_users'], fix #126
pirms 8 gadiem
fix wrong variable name in absent_users
pirms 8 gadiem
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
pirms 9 gadiem
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526 
  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudoonly' in user and user['sudoonly'] %}

  13. {%- set _dummy=user.update({'sudouser': True}) %}

  14. {%- endif %}

  15. {%- if 'sudouser' in user and user['sudouser'] %}

  16. {%- do used_sudo.append(1) %}

  17. {%- endif %}

  18. {%- if 'google_auth' in user %}

  19. {%- do used_googleauth.append(1) %}

  20. {%- endif %}

  21. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  22. {%- do used_user_files.append(1) %}

  23. {%- endif %}

  24. {%- endfor %}

  25. 

  26. {%- if used_sudo or used_googleauth or used_user_files %}

  27. include:

  28. {%- if used_sudo %}

  29.   - users.sudo

  30. {%- endif %}

  31. {%- if used_googleauth %}

  32.   - users.googleauth

  33. {%- endif %}

  34. {%- if used_user_files %}

  35.   - users.user_files

  36. {%- endif %}

  37. {%- endif %}

  38. 

  39. {% for name, user in pillar.get('users', {}).items()

  40.         if user.absent is not defined or not user.absent %}

  41. {%- if user == None -%}

  42. {%- set user = {} -%}

  43. {%- endif -%}

  44. {%- set current = salt.user.info(name) -%}

  45. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  46. 

  47. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  48. {%- set user_group = user.prime_group.name -%}

  49. {%- else -%}

  50. {%- set user_group = name -%}

  51. {%- endif %}

  52. 

  53. {%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}

  54. {% for group in user.get('groups', []) %}

  55. users_{{ name }}_{{ group }}_group:

  56.   group.present:

  57.     - name: {{ group }}

  58.     {% if group == 'sudo' %}

  59.     - system: True

  60.     {% endif %}

  61. {% endfor %}

  62. 

  63. users_{{ name }}_user:

  64.   {% if user.get('createhome', True) %}

  65.   file.directory:

  66.     - name: {{ home }}

  67.     - user: {{ user.get('homedir_owner', name) }}

  68.     - group: {{ user.get('homedir_group', user_group) }}

  69.     - mode: {{ user.get('user_dir_mode', '0750') }}

  70.     - require:

  71.       - user: users_{{ name }}_user

  72.       - group: {{ user_group }}

  73.   {%- endif %}

  74.   group.present:

  75.     - name: {{ user_group }}

  76.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  77.     - gid: {{ user['prime_group']['gid'] }}

  78.     {%- elif 'uid' in user %}

  79.     - gid: {{ user['uid'] }}

  80.     {%- endif %}

  81.     {% if 'system' in user and user['system'] %}

  82.     - system: True

  83.     {% endif %}

  84.   user.present:

  85.     - name: {{ name }}

  86.     - home: {{ home }}

  87.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  88.     {% if 'uid' in user -%}

  89.     - uid: {{ user['uid'] }}

  90.     {% endif -%}

  91.     {% if 'password' in user -%}

  92.     - password: '{{ user['password'] }}'

  93.     {% endif -%}

  94.     {% if user.get('empty_password') -%}

  95.     - empty_password: {{ user.get('empty_password') }}

  96.     {% endif -%}

  97.     {% if 'enforce_password' in user -%}

  98.     - enforce_password: {{ user['enforce_password'] }}

  99.     {% endif -%}

  100.     {% if 'hash_password' in user -%}

  101.     - hash_password: {{ user['hash_password'] }}

  102.     {% endif -%}

  103.     {% if user.get('system', False) -%}

  104.     - system: True

  105.     {% endif -%}

  106.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  107.     - gid: {{ user['prime_group']['gid'] }}

  108.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  109.     - gid: {{ user['prime_group']['name'] }}

  110.     {% else -%}

  111.     - gid_from_name: True

  112.     {% endif -%}

  113.     {% if 'fullname' in user %}

  114.     - fullname: {{ user['fullname'] }}

  115.     {% endif -%}

  116.     {% if 'roomnumber' in user %}

  117.     - roomnumber: {{ user['roomnumber'] }}

  118.     {% endif %}

  119.     {% if 'workphone' in user %}

  120.     - workphone: {{ user['workphone'] }}

  121.     {% endif %}

  122.     {% if 'homephone' in user %}

  123.     - homephone: {{ user['homephone'] }}

  124.     {% endif %}

  125.     {% if not user.get('createhome', True) %}

  126.     - createhome: False

  127.     {% endif %}

  128.     {% if not user.get('unique', True) %}

  129.     - unique: False

  130.     {% endif %}

  131.     {% if 'expire' in user -%}

  132.         {% if grains['kernel'].endswith('BSD') and

  133.             user['expire'] < 157766400 %}

  134.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  135.     - expire: {{ user['expire'] * 86400 }}

  136.         {% elif grains['kernel'] == 'Linux' and

  137.             user['expire'] > 84006 %}

  138.         {# 2932896 days since epoch equals 9999-12-31 #}

  139.     - expire: {{ (user['expire'] / 86400) | int}}

  140.         {% else %}

  141.     - expire: {{ user['expire'] }}

  142.         {% endif %}

  143.     {% endif -%}

  144.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  145.     - groups:

  146.       - {{ user_group }}

  147.       {% for group in user.get('groups', []) -%}

  148.       - {{ group }}

  149.       {% endfor %}

  150.     {% if 'optional_groups' in user %}

  151.     - optional_groups:

  152.       {% for optional_group in user['optional_groups'] -%}

  153.       - {{optional_group}}

  154.       {% endfor %}

  155.     {% endif %}

  156.     - require:

  157.       - group: {{ user_group }}

  158.       {% for group in user.get('groups', []) -%}

  159.       - group: {{ group }}

  160.       {% endfor %}

  161. 

  162. 

  163.   {% if 'ssh_keys' in user or

  164.       'ssh_auth' in user or

  165.       'ssh_auth_file' in user or

  166.       'ssh_auth_pillar' in user or

  167.       'ssh_auth.absent' in user or

  168.       'ssh_config' in user %}

  169. user_keydir_{{ name }}:

  170.   file.directory:

  171.     - name: {{ home }}/.ssh

  172.     - user: {{ name }}

  173.     - group: {{ user_group }}

  174.     - makedirs: True

  175.     - mode: 700

  176.     - require:

  177.       - user: {{ name }}

  178.       - group: {{ user_group }}

  179.       {%- for group in user.get('groups', []) %}

  180.       - group: {{ group }}

  181.       {%- endfor %}

  182.   {% endif %}

  183. 

  184.   {% if 'ssh_keys' in user %}

  185.     {% for _key in user.ssh_keys.keys() %}

  186.       {% if _key == 'privkey' %}

  187.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}

  188.       {% elif _key ==  'pubkey' %}

  189.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}

  190.       {% else %}

  191.         {% set key_name = _key %}

  192.       {% endif %}

  193. users_{{ name }}_{{ key_name }}_key:

  194.   file.managed:

  195.     - name: {{ home }}/.ssh/{{ key_name }}

  196.     - user: {{ name }}

  197.     - group: {{ user_group }}

  198.       {% if key_name.endswith(".pub") %}

  199.     - mode: 644

  200.       {% else %}

  201.     - mode: 600

  202.       {% endif %}

  203.     - show_diff: False

  204.     - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}

  205.     - require:

  206.       - user: users_{{ name }}_user

  207.       {% for group in user.get('groups', []) %}

  208.       - group: users_{{ name }}_{{ group }}_group

  209.       {% endfor %}

  210.     {% endfor %}

  211.   {% endif %}

  212. 

  213. 

  214. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  215. users_authorized_keys_{{ name }}:

  216.   file.managed:

  217.     - name: {{ home }}/.ssh/authorized_keys

  218.     - user: {{ name }}

  219.     - group: {{ user_group }}

  220.     - mode: 600

  221. {% if 'ssh_auth_file' in user %}

  222.     - contents: |

  223.         {% for auth in user.ssh_auth_file -%}

  224.         {{ auth }}

  225.         {% endfor -%}

  226. {% else %}

  227.     - contents: |

  228.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  229.         {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}

  230.         {%- endfor %}

  231. {% endif %}

  232. {% endif %}

  233. 

  234. {% if 'ssh_auth' in user %}

  235. {% for auth in user['ssh_auth'] %}

  236. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  237.   ssh_auth.present:

  238.     - user: {{ name }}

  239.     - name: {{ auth }}

  240.     - require:

  241.         - file: user_keydir_{{ name }}

  242.         - user: users_{{ name }}_user

  243. {% endfor %}

  244. {% endif %}

  245. 

  246. {% if 'ssh_keys_pillar' in user %}

  247. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  248. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  249.   file.managed:

  250.     - name: {{ home }}/.ssh/{{ key_name }}

  251.     - user: {{ name }}

  252.     - group: {{ user_group }}

  253.     - mode: 600

  254.     - show_diff: False

  255.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  256.     - require:

  257.       - user: users_{{ name }}_user

  258.       {% for group in user.get('groups', []) %}

  259.       - group: users_{{ name }}_{{ group }}_group

  260.       {% endfor %}

  261. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  262.   file.managed:

  263.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  264.     - user: {{ name }}

  265.     - group: {{ user_group }}

  266.     - mode: 644

  267.     - show_diff: False

  268.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  269.     - require:

  270.       - user: users_{{ name }}_user

  271.       {% for group in user.get('groups', []) %}

  272.       - group: users_{{ name }}_{{ group }}_group

  273.       {% endfor %}

  274. {% endfor %}

  275. {% endif %}

  276. 

  277. {% if 'ssh_auth_sources' in user %}

  278. {% for pubkey_file in user['ssh_auth_sources'] %}

  279. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  280.   ssh_auth.present:

  281.     - user: {{ name }}

  282.     - source: {{ pubkey_file }}

  283.     - require:

  284.         - file: users_{{ name }}_user

  285.         - user: users_{{ name }}_user

  286. {% endfor %}

  287. {% endif %}

  288. 

  289. {% if 'ssh_auth_sources.absent' in user %}

  290. {% for pubkey_file in user['ssh_auth_sources.absent'] %}

  291. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:

  292.   ssh_auth.absent:

  293.     - user: {{ name }}

  294.     - source: {{ pubkey_file }}

  295.     - require:

  296.         - file: users_{{ name }}_user

  297.         - user: users_{{ name }}_user

  298. {% endfor %}

  299. {% endif %}

  300. 

  301. {% if 'ssh_auth.absent' in user %}

  302. {% for auth in user['ssh_auth.absent'] %}

  303. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  304.   ssh_auth.absent:

  305.     - user: {{ name }}

  306.     - name: {{ auth }}

  307.     - require:

  308.         - file: users_{{ name }}_user

  309.         - user: users_{{ name }}_user

  310. {% endfor %}

  311. {% endif %}

  312. 

  313. {% if 'ssh_config' in user %}

  314. users_ssh_config_{{ name }}:

  315.   file.managed:

  316.     - name: {{ home }}/.ssh/config

  317.     - user: {{ name }}

  318.     - group: {{ user_group }}

  319.     - mode: 640

  320.     - contents: |

  321.         # Managed by Saltstack

  322.         # Do Not Edit

  323.         {% for label, setting in user.ssh_config.items() %}

  324.         # {{ label }}

  325.         Host {{ setting.get('hostname') }}

  326.           {%- for opts in setting.get('options') %}

  327.           {{ opts }}

  328.           {%- endfor %}

  329.         {% endfor -%}

  330. {% endif %}

  331. 

  332. {% if 'ssh_known_hosts' in user %}

  333. {% for hostname, host in user['ssh_known_hosts'].items() %}

  334. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  335.   ssh_known_hosts.present:

  336.     - user: {{ name }}

  337.     - name: {{ hostname }}

  338.     {% if 'port' in host %}

  339.     - port: {{ host['port'] }}

  340.     {% endif -%}

  341.     {% if 'fingerprint' in host %}

  342.     - fingerprint: {{ host['fingerprint'] }}

  343.     {% endif -%}

  344.     {% if 'key' in host %}

  345.     - key: {{ host['key'] }}

  346.     {% endif -%}

  347.     {% if 'enc' in host %}

  348.     - enc: {{ host['enc'] }}

  349.     {% endif -%}

  350.     {% if 'hash_hostname' in host %}

  351.     - hash_hostname: {{ host['hash_hostname'] }}

  352.     {% endif -%}

  353. {% endfor %}

  354. {% endif %}

  355. 

  356. {% if 'ssh_known_hosts.absent' in user %}

  357. {% for host in user['ssh_known_hosts.absent'] %}

  358. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  359.   ssh_known_hosts.absent:

  360.     - user: {{ name }}

  361.     - name: {{ host }}

  362. {% endfor %}

  363. {% endif %}

  364. {% endif %}

  365. 

  366. {% set sudoers_d_filename = name|replace('.','_') %}

  367. {% if 'sudouser' in user and user['sudouser'] %}

  368. 

  369. users_sudoer-{{ name }}:

  370.   file.managed:

  371.     - replace: False

  372.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  373.     - user: root

  374.     - group: {{ users.root_group }}

  375.     - mode: '0440'

  376. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  377. #{#%

  378. {% if 'sudo_rules' in user %}

  379. {% for rule in user['sudo_rules'] %}

  380. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  381.   cmd.run:

  382.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  383.     - stateful: True

  384.     - shell: {{ users.visudo_shell }}

  385.     - env:

  386.       # Specify the rule via an env var to avoid shell quoting issues.

  387.       - rule: "{{ name }} {{ rule }}"

  388.     - require_in:

  389.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  390. {% endfor %}

  391. {% endif %}

  392. {% if 'sudo_defaults' in user %}

  393. {% for entry in user['sudo_defaults'] %}

  394. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  395.   cmd.run:

  396.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  397.     - stateful: True

  398.     - shell: {{ users.visudo_shell }}

  399.     - env:

  400.       # Specify the rule via an env var to avoid shell quoting issues.

  401.       - rule: "Defaults:{{ name }} {{ entry }}"

  402.     - require_in:

  403.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  404. {% endfor %}

  405. {% endif %}

  406. #%#}

  407. 

  408. users_{{ users.sudoers_dir }}/{{ name }}:

  409.   file.managed:

  410.     - replace: True

  411.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  412.     - contents: |

  413.       {%- if 'sudo_defaults' in user %}

  414.       {%- for entry in user['sudo_defaults'] %}

  415.         Defaults:{{ name }} {{ entry }}

  416.       {%- endfor %}

  417.       {%- endif %}

  418.       {%- if 'sudo_rules' in user %}

  419.         ########################################################################

  420.         # File managed by Salt (users-formula).

  421.         # Your changes will be overwritten.

  422.         ########################################################################

  423.         #

  424.       {%- for rule in user['sudo_rules'] %}

  425.         {{ name }} {{ rule }}

  426.       {%- endfor %}

  427.       {%- endif %}

  428.     - require:

  429.       - file: users_sudoer-defaults

  430.       - file: users_sudoer-{{ name }}

  431.   cmd.wait:

  432.     - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )

  433.     - watch:

  434.       - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  435. {% endif %}

  436. {% else %}

  437. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:

  438.   file.absent:

  439.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  440. {% endif %}

  441. 

  442. {%- if 'google_auth' in user %}

  443. {%- for svc in user['google_auth'] %}

  444. users_googleauth-{{ svc }}-{{ name }}:

  445.   file.managed:

  446.     - replace: false

  447.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  448.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  449.     - user: root

  450.     - group: {{ users.root_group }}

  451.     - mode: 400

  452.     - require:

  453.       - pkg: users_googleauth-package

  454. {%- endfor %}

  455. {%- endif %}

  456. 

  457. #

  458. # if not salt['cmd.has_exec']('git')

  459. # fails even if git is installed

  460. #

  461. # this doesn't work (Salt bug), therefore need to run state.apply twice

  462. #include:

  463. #  - users

  464. #

  465. #git:

  466. #  pkg.installed:

  467. #    - require_in:

  468. #      - sls: users

  469. #

  470. {% if 'gitconfig' in user %}

  471. {% for key, value in user['gitconfig'].items() %}

  472. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  473.   {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  474.   git.config_set:

  475.   {% else %}

  476.   git.config:

  477.   {% endif %}

  478.     - name: {{ key }}

  479.     - value: "{{ value }}"

  480.     - user: {{ name }}

  481.     {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  482.     - global: True

  483.     {% else %}

  484.     - is_global: True

  485.     {% endif %}

  486. {% endfor %}

  487. {% endif %}

  488. 

  489. {% endfor %}

  490. 

  491. 

  492. {% for name, user in pillar.get('users', {}).items()

  493.         if user.absent is defined and user.absent %}

  494. users_absent_user_{{ name }}:

  495. {% if 'purge' in user or 'force' in user %}

  496.   user.absent:

  497.     - name: {{ name }}

  498.     {% if 'purge' in user %}

  499.     - purge: {{ user['purge'] }}

  500.     {% endif %}

  501.     {% if 'force' in user %}

  502.     - force: {{ user['force'] }}

  503.     {% endif %}

  504. {% else %}

  505.   user.absent:

  506.     - name: {{ name }}

  507. {% endif -%}

  508. users_{{ users.sudoers_dir }}/{{ name }}:

  509.   file.absent:

  510.     - name: {{ users.sudoers_dir }}/{{ name }}

  511. {% endfor %}

  512. 

  513. {% for user in pillar.get('absent_users', []) %}

  514. users_absent_user_2_{{ user }}:

  515.   user.absent:

  516.     - name: {{ user }}

  517. users_2_{{ users.sudoers_dir }}/{{ user }}:

  518.   file.absent:

  519.     - name: {{ users.sudoers_dir }}/{{ user }}

  520. {% endfor %}

  521. 

  522. {% for group in pillar.get('absent_groups', []) %}

  523. users_absent_group_{{ group }}:

  524.   group.absent:

  525.     - name: {{ group }}

  526. {% endfor %}