salt
/
users-formula
rozštěpen z ExternalMirrors/users-formula
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Vydání 0 Aktivita
Saltstack Official Users Formula
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
271 Revize
2 Větve
Strom: c8922bfdb5
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „c8922bfdb5“
${ noResults }
users-formula/users/init.sls

init.sls 15KB
Surový Normální zobrazení Historie

Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Added feature to allow syncing arbitrary sets of files per user.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
break some of those horribly long lines sry, could not resist.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Skips user if it's enabled without a specified source, and their directory does not exist.
před 9 roky
Added feature to allow syncing arbitrary sets of files per user.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Added feature to allow syncing arbitrary sets of files per user.
před 9 roky
google auth package and config installation
před 10 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
google auth package and config installation
před 10 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
google auth package and config installation
před 10 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Added feature to allow syncing arbitrary sets of files per user.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
break some of those horribly long lines sry, could not resist.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
use already available home variable for user's ssh-key configuration
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Don't add sudo group by default. This formula doesn't really require the sudo group (unless there are actually users in that group). Moreover, on FreeBSD the 'admin' group would be wheel and not sudo.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Don't add sudo group by default. This formula doesn't really require the sudo group (unless there are actually users in that group). Moreover, on FreeBSD the 'admin' group would be wheel and not sudo.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
renamed variables
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
[init] add makedirs to home directory creation
před 6 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Create a system usergroup if user is a system user If the user to be created is a system user, it makes no sense to create him a primary group which is not a system group too.
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
use already available home variable for user's ssh-key configuration
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Fixed typo and 'empty_password' key check
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Changed 'empty_password' key retrieval method
před 9 roky
Adds 'empty_password' statement for states.user.present
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Add support for hash_password
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
add ability to configure prime_group without gid (#141) * add ability to configure prime_group without gid
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Added ability to specify room number, home phone, and work phone as per https://docs.saltstack.com/en/develop/ref/states/all/salt.states.user.html
před 9 roky
Use correct pillar to set users homephone
před 7 roky
Added ability to specify room number, home phone, and work phone as per https://docs.saltstack.com/en/develop/ref/states/all/salt.states.user.html
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Mitigate Salt issue #29004, fixes "expire" on *BSD Unreasonable values for 'expire' (after 9999-12-31 on Linux, before 1975-01-01 on *BSD) get divided by 86400 (number of seconds in a day) when too big or multiplied by 86400 when too small. Tested on CentOS 6 (Salt 2015.5.5) and FreeBSD 10.2 (Salt 2015.8.0) with following values: - 24854 (2038-01-18 in days since epoch) - 157766400 (1975-01-01 00:00:00 UTC in seconds since epoch) - 3313526400 (2075-01-01 00:00:00 UTC in seconds since epoch) - 16000 (2013-10-22 in days since epoch) - 18000 (2019-04-14 in days since epoch) (Sponsored by av.tu-berlin.de and fokus.fraunhofer.de)
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Mitigate Salt issue #29004, fixes "expire" on *BSD Unreasonable values for 'expire' (after 9999-12-31 on Linux, before 1975-01-01 on *BSD) get divided by 86400 (number of seconds in a day) when too big or multiplied by 86400 when too small. Tested on CentOS 6 (Salt 2015.5.5) and FreeBSD 10.2 (Salt 2015.8.0) with following values: - 24854 (2038-01-18 in days since epoch) - 157766400 (1975-01-01 00:00:00 UTC in seconds since epoch) - 3313526400 (2075-01-01 00:00:00 UTC in seconds since epoch) - 16000 (2013-10-22 in days since epoch) - 18000 (2019-04-14 in days since epoch) (Sponsored by av.tu-berlin.de and fokus.fraunhofer.de)
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Support for optional_groups
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
break some of those horribly long lines sry, could not resist.
před 9 roky
also load ssh keys from pillar data
před 8 roky
break some of those horribly long lines sry, could not resist.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
use already available home variable for user's ssh-key configuration
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
add support for multiple private and public keys
před 8 roky
i don't know what made me do this, maybe brainlag
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
add support for multiple private and public keys
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
adjust file permissions of public ssh-keys
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
adjust file permissions of public ssh-keys
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
adjust file permissions of public ssh-keys
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
add support for multiple private and public keys
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
add support for multiple private and public keys
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
add support for multiple private and public keys
před 8 roky
Added ability to provide pillar path for ssh_auth.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Use the primary group for the user when creating authorized_keys If a primary group is set on the user, and a authorized_keys is provied in ssh_auth_file, the formula fails. This solves that by using the user_group set earlier in the formula
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Added ability to provide pillar path for ssh_auth.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Added ability to provide pillar path for ssh_auth.
před 9 roky
fixed insertion of multiple authorized keys via ssh_auth_pillar
před 7 roky
Use contents_pillar to work with multiple-line authorized_keys file
před 9 roky
fixed insertion of multiple authorized keys via ssh_auth_pillar
před 7 roky
Fixed indentation in key contents for authorized_keys
před 9 roky
Added ability to provide pillar path for ssh_auth.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Properly handle dependencies on ssh_auth when home is not create with the formula.
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
use already available home variable for user's ssh-key configuration
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
use already available home variable for user's ssh-key configuration
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Add support for ssh_auth_sources.absent Fixes: 150
před 7 roky
Fixing Conflicting ID Fixing my previous change which errors in a particular scenario. Error: Conflicting ID 'users_ssh_auth_source_username_0' when keys are added and removed simultaneously.
před 7 roky
Add support for ssh_auth_sources.absent Fixes: 150
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Add possibility to manage ssh's known_hosts file.
před 9 roky
Fix minor bug for ssh known_hosts management with salt >= 2015.5.5. This version complains that "argument port can not be used in conjunction with argument hash_hostname", so add hash_hostname to the fields we handle in the formula so we can override it if needed.
před 9 roky
Add possibility to manage ssh's known_hosts file.
před 9 roky
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
fix warning on managed file state for /etc/sudoers.d/username
před 8 roky
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
changing visudo checking to avoid wrong reporting when launched with test=true
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
changing visudo checking to avoid wrong reporting when launched with test=true
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
fix warning on managed file state for /etc/sudoers.d/username
před 8 roky
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Display "managed by Salt" header in user sudoers files
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Display "managed by Salt" header in user sudoers files
před 9 roky
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
před 7 roky
Display "managed by Salt" header in user sudoers files
před 9 roky
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
Replace periods in username with underscores Fixing the conflict and sending a new pull request Fixes #118 Duplicate of #120
před 7 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
temp fix on git executable
před 8 roky
Add possibility to manage the user's global git configuration.
před 9 roky
corrected saltversioninfo check expression
před 7 roky
Add possibility to manage the user's global git configuration.
před 9 roky
corrected saltversioninfo check expression
před 7 roky
Add possibility to manage the user's global git configuration.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
break some of those horribly long lines sry, could not resist.
před 9 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
fixing removing of users based on pillar['absent_users'], fix #126
před 8 roky
fix wrong variable name in absent_users
před 8 roky
Revert "@XenophonF made me do it" This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
před 9 roky
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519 
  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudouser' in user and user['sudouser'] %}

  13. {%- do used_sudo.append(1) %}

  14. {%- endif %}

  15. {%- if 'google_auth' in user %}

  16. {%- do used_googleauth.append(1) %}

  17. {%- endif %}

  18. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  19. {%- do used_user_files.append(1) %}

  20. {%- endif %}

  21. {%- endfor %}

  22. 

  23. {%- if used_sudo or used_googleauth or used_user_files %}

  24. include:

  25. {%- if used_sudo %}

  26.   - users.sudo

  27. {%- endif %}

  28. {%- if used_googleauth %}

  29.   - users.googleauth

  30. {%- endif %}

  31. {%- if used_user_files %}

  32.   - users.user_files

  33. {%- endif %}

  34. {%- endif %}

  35. 

  36. {% for name, user in pillar.get('users', {}).items()

  37.         if user.absent is not defined or not user.absent %}

  38. {%- if user == None -%}

  39. {%- set user = {} -%}

  40. {%- endif -%}

  41. {%- set current = salt.user.info(name) -%}

  42. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  43. 

  44. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  45. {%- set user_group = user.prime_group.name -%}

  46. {%- else -%}

  47. {%- set user_group = name -%}

  48. {%- endif %}

  49. 

  50. {% for group in user.get('groups', []) %}

  51. users_{{ name }}_{{ group }}_group:

  52.   group.present:

  53.     - name: {{ group }}

  54.     {% if group == 'sudo' %}

  55.     - system: True

  56.     {% endif %}

  57. {% endfor %}

  58. 

  59. users_{{ name }}_user:

  60.   {% if user.get('createhome', True) %}

  61.   file.directory:

  62.     - name: {{ home }}

  63.     - user: {{ user.get('homedir_owner', name) }}

  64.     - group: {{ user.get('homedir_group', user_group) }}

  65.     - mode: {{ user.get('user_dir_mode', '0750') }}

  66.     - makedirs: True

  67.     - require:

  68.       - user: users_{{ name }}_user

  69.       - group: {{ user_group }}

  70.   {%- endif %}

  71.   group.present:

  72.     - name: {{ user_group }}

  73.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  74.     - gid: {{ user['prime_group']['gid'] }}

  75.     {%- elif 'uid' in user %}

  76.     - gid: {{ user['uid'] }}

  77.     {%- endif %}

  78.     {% if 'system' in user and user['system'] %}

  79.     - system: True

  80.     {% endif %}

  81.   user.present:

  82.     - name: {{ name }}

  83.     - home: {{ home }}

  84.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  85.     {% if 'uid' in user -%}

  86.     - uid: {{ user['uid'] }}

  87.     {% endif -%}

  88.     {% if 'password' in user -%}

  89.     - password: '{{ user['password'] }}'

  90.     {% endif -%}

  91.     {% if user.get('empty_password') -%}

  92.     - empty_password: {{ user.get('empty_password') }}

  93.     {% endif -%}

  94.     {% if 'enforce_password' in user -%}

  95.     - enforce_password: {{ user['enforce_password'] }}

  96.     {% endif -%}

  97.     {% if 'hash_password' in user -%}

  98.     - hash_password: {{ user['hash_password'] }}

  99.     {% endif -%}

  100.     {% if user.get('system', False) -%}

  101.     - system: True

  102.     {% endif -%}

  103.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  104.     - gid: {{ user['prime_group']['gid'] }}

  105.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  106.     - gid: {{ user['prime_group']['name'] }}

  107.     {% else -%}

  108.     - gid_from_name: True

  109.     {% endif -%}

  110.     {% if 'fullname' in user %}

  111.     - fullname: {{ user['fullname'] }}

  112.     {% endif -%}

  113.     {% if 'roomnumber' in user %}

  114.     - roomnumber: {{ user['roomnumber'] }}

  115.     {% endif %}

  116.     {% if 'workphone' in user %}

  117.     - workphone: {{ user['workphone'] }}

  118.     {% endif %}

  119.     {% if 'homephone' in user %}

  120.     - homephone: {{ user['homephone'] }}

  121.     {% endif %}

  122.     {% if not user.get('createhome', True) %}

  123.     - createhome: False

  124.     {% endif %}

  125.     {% if 'expire' in user -%}

  126.         {% if grains['kernel'].endswith('BSD') and

  127.             user['expire'] < 157766400 %}

  128.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  129.     - expire: {{ user['expire'] * 86400 }}

  130.         {% elif grains['kernel'] == 'Linux' and

  131.             user['expire'] > 84006 %}

  132.         {# 2932896 days since epoch equals 9999-12-31 #}

  133.     - expire: {{ (user['expire'] / 86400) | int}}

  134.         {% else %}

  135.     - expire: {{ user['expire'] }}

  136.         {% endif %}

  137.     {% endif -%}

  138.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  139.     - groups:

  140.       - {{ user_group }}

  141.       {% for group in user.get('groups', []) -%}

  142.       - {{ group }}

  143.       {% endfor %}

  144.     {% if 'optional_groups' in user %}

  145.     - optional_groups:

  146.       {% for optional_group in user['optional_groups'] -%}

  147.       - {{optional_group}}

  148.       {% endfor %}

  149.     {% endif %}

  150.     - require:

  151.       - group: {{ user_group }}

  152.       {% for group in user.get('groups', []) -%}

  153.       - group: {{ group }}

  154.       {% endfor %}

  155. 

  156. 

  157.   {% if 'ssh_keys' in user or

  158.       'ssh_auth' in user or

  159.       'ssh_auth_file' in user or

  160.       'ssh_auth_pillar' in user or

  161.       'ssh_auth.absent' in user or

  162.       'ssh_config' in user %}

  163. user_keydir_{{ name }}:

  164.   file.directory:

  165.     - name: {{ home }}/.ssh

  166.     - user: {{ name }}

  167.     - group: {{ user_group }}

  168.     - makedirs: True

  169.     - mode: 700

  170.     - require:

  171.       - user: {{ name }}

  172.       - group: {{ user_group }}

  173.       {%- for group in user.get('groups', []) %}

  174.       - group: {{ group }}

  175.       {%- endfor %}

  176.   {% endif %}

  177. 

  178.   {% if 'ssh_keys' in user %}

  179.     {% for _key in user.ssh_keys.keys() %}

  180.       {% if _key == 'privkey' %}

  181.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}

  182.       {% elif _key ==  'pubkey' %}

  183.         {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}

  184.       {% else %}

  185.         {% set key_name = _key %}

  186.       {% endif %}

  187. users_{{ name }}_{{ key_name }}_key:

  188.   file.managed:

  189.     - name: {{ home }}/.ssh/{{ key_name }}

  190.     - user: {{ name }}

  191.     - group: {{ user_group }}

  192.       {% if key_name.endswith(".pub") %}

  193.     - mode: 644

  194.       {% else %}

  195.     - mode: 600

  196.       {% endif %}

  197.     - show_diff: False

  198.     - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}

  199.     - require:

  200.       - user: users_{{ name }}_user

  201.       {% for group in user.get('groups', []) %}

  202.       - group: users_{{ name }}_{{ group }}_group

  203.       {% endfor %}

  204.     {% endfor %}

  205.   {% endif %}

  206. 

  207. 

  208. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  209. users_authorized_keys_{{ name }}:

  210.   file.managed:

  211.     - name: {{ home }}/.ssh/authorized_keys

  212.     - user: {{ name }}

  213.     - group: {{ user_group }}

  214.     - mode: 600

  215. {% if 'ssh_auth_file' in user %}

  216.     - contents: |

  217.         {% for auth in user.ssh_auth_file -%}

  218.         {{ auth }}

  219.         {% endfor -%}

  220. {% else %}

  221.     - contents: |

  222.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  223.         {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}

  224.         {%- endfor %}

  225. {% endif %}

  226. {% endif %}

  227. 

  228. {% if 'ssh_auth' in user %}

  229. {% for auth in user['ssh_auth'] %}

  230. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  231.   ssh_auth.present:

  232.     - user: {{ name }}

  233.     - name: {{ auth }}

  234.     - require:

  235.         - file: user_keydir_{{ name }}

  236.         - user: users_{{ name }}_user

  237. {% endfor %}

  238. {% endif %}

  239. 

  240. {% if 'ssh_keys_pillar' in user %}

  241. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  242. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  243.   file.managed:

  244.     - name: {{ home }}/.ssh/{{ key_name }}

  245.     - user: {{ name }}

  246.     - group: {{ user_group }}

  247.     - mode: 600

  248.     - show_diff: False

  249.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  250.     - require:

  251.       - user: users_{{ name }}_user

  252.       {% for group in user.get('groups', []) %}

  253.       - group: users_{{ name }}_{{ group }}_group

  254.       {% endfor %}

  255. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  256.   file.managed:

  257.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  258.     - user: {{ name }}

  259.     - group: {{ user_group }}

  260.     - mode: 644

  261.     - show_diff: False

  262.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  263.     - require:

  264.       - user: users_{{ name }}_user

  265.       {% for group in user.get('groups', []) %}

  266.       - group: users_{{ name }}_{{ group }}_group

  267.       {% endfor %}

  268. {% endfor %}

  269. {% endif %}

  270. 

  271. {% if 'ssh_auth_sources' in user %}

  272. {% for pubkey_file in user['ssh_auth_sources'] %}

  273. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  274.   ssh_auth.present:

  275.     - user: {{ name }}

  276.     - source: {{ pubkey_file }}

  277.     - require:

  278.         - file: users_{{ name }}_user

  279.         - user: users_{{ name }}_user

  280. {% endfor %}

  281. {% endif %}

  282. 

  283. {% if 'ssh_auth_sources.absent' in user %}

  284. {% for pubkey_file in user['ssh_auth_sources.absent'] %}

  285. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:

  286.   ssh_auth.absent:

  287.     - user: {{ name }}

  288.     - source: {{ pubkey_file }}

  289.     - require:

  290.         - file: users_{{ name }}_user

  291.         - user: users_{{ name }}_user

  292. {% endfor %}

  293. {% endif %}

  294. 

  295. {% if 'ssh_auth.absent' in user %}

  296. {% for auth in user['ssh_auth.absent'] %}

  297. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  298.   ssh_auth.absent:

  299.     - user: {{ name }}

  300.     - name: {{ auth }}

  301.     - require:

  302.         - file: users_{{ name }}_user

  303.         - user: users_{{ name }}_user

  304. {% endfor %}

  305. {% endif %}

  306. 

  307. {% if 'ssh_config' in user %}

  308. users_ssh_config_{{ name }}:

  309.   file.managed:

  310.     - name: {{ home }}/.ssh/config

  311.     - user: {{ name }}

  312.     - group: {{ user_group }}

  313.     - mode: 640

  314.     - contents: |

  315.         # Managed by Saltstack

  316.         # Do Not Edit

  317.         {% for label, setting in user.ssh_config.items() %}

  318.         # {{ label }}

  319.         Host {{ setting.get('hostname') }}

  320.           {%- for opts in setting.get('options') %}

  321.           {{ opts }}

  322.           {%- endfor %}

  323.         {% endfor -%}

  324. {% endif %}

  325. 

  326. {% if 'ssh_known_hosts' in user %}

  327. {% for hostname, host in user['ssh_known_hosts'].items() %}

  328. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  329.   ssh_known_hosts.present:

  330.     - user: {{ name }}

  331.     - name: {{ hostname }}

  332.     {% if 'port' in host %}

  333.     - port: {{ host['port'] }}

  334.     {% endif -%}

  335.     {% if 'fingerprint' in host %}

  336.     - fingerprint: {{ host['fingerprint'] }}

  337.     {% endif -%}

  338.     {% if 'key' in host %}

  339.     - key: {{ host['key'] }}

  340.     {% endif -%}

  341.     {% if 'enc' in host %}

  342.     - enc: {{ host['enc'] }}

  343.     {% endif -%}

  344.     {% if 'hash_hostname' in host %}

  345.     - hash_hostname: {{ host['hash_hostname'] }}

  346.     {% endif -%}

  347. {% endfor %}

  348. {% endif %}

  349. 

  350. {% if 'ssh_known_hosts.absent' in user %}

  351. {% for host in user['ssh_known_hosts.absent'] %}

  352. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  353.   ssh_known_hosts.absent:

  354.     - user: {{ name }}

  355.     - name: {{ host }}

  356. {% endfor %}

  357. {% endif %}

  358. 

  359. {% set sudoers_d_filename = name|replace('.','_') %}

  360. {% if 'sudouser' in user and user['sudouser'] %}

  361. 

  362. users_sudoer-{{ name }}:

  363.   file.managed:

  364.     - replace: False

  365.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  366.     - user: root

  367.     - group: {{ users.root_group }}

  368.     - mode: '0440'

  369. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  370. #{#%

  371. {% if 'sudo_rules' in user %}

  372. {% for rule in user['sudo_rules'] %}

  373. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  374.   cmd.run:

  375.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  376.     - stateful: True

  377.     - shell: {{ users.visudo_shell }}

  378.     - env:

  379.       # Specify the rule via an env var to avoid shell quoting issues.

  380.       - rule: "{{ name }} {{ rule }}"

  381.     - require_in:

  382.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  383. {% endfor %}

  384. {% endif %}

  385. {% if 'sudo_defaults' in user %}

  386. {% for entry in user['sudo_defaults'] %}

  387. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  388.   cmd.run:

  389.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  390.     - stateful: True

  391.     - shell: {{ users.visudo_shell }}

  392.     - env:

  393.       # Specify the rule via an env var to avoid shell quoting issues.

  394.       - rule: "Defaults:{{ name }} {{ entry }}"

  395.     - require_in:

  396.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  397. {% endfor %}

  398. {% endif %}

  399. #%#}

  400. 

  401. users_{{ users.sudoers_dir }}/{{ name }}:

  402.   file.managed:

  403.     - replace: True

  404.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  405.     - contents: |

  406.       {%- if 'sudo_defaults' in user %}

  407.       {%- for entry in user['sudo_defaults'] %}

  408.         Defaults:{{ name }} {{ entry }}

  409.       {%- endfor %}

  410.       {%- endif %}

  411.       {%- if 'sudo_rules' in user %}

  412.         ########################################################################

  413.         # File managed by Salt (users-formula).

  414.         # Your changes will be overwritten.

  415.         ########################################################################

  416.         #

  417.       {%- for rule in user['sudo_rules'] %}

  418.         {{ name }} {{ rule }}

  419.       {%- endfor %}

  420.       {%- endif %}

  421.     - require:

  422.       - file: users_sudoer-defaults

  423.       - file: users_sudoer-{{ name }}

  424.   cmd.wait:

  425.     - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )

  426.     - watch:

  427.       - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  428. {% endif %}

  429. {% else %}

  430. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:

  431.   file.absent:

  432.     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}

  433. {% endif %}

  434. 

  435. {%- if 'google_auth' in user %}

  436. {%- for svc in user['google_auth'] %}

  437. users_googleauth-{{ svc }}-{{ name }}:

  438.   file.managed:

  439.     - replace: false

  440.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  441.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  442.     - user: root

  443.     - group: {{ users.root_group }}

  444.     - mode: 400

  445.     - require:

  446.       - pkg: users_googleauth-package

  447. {%- endfor %}

  448. {%- endif %}

  449. 

  450. #

  451. # if not salt['cmd.has_exec']('git')

  452. # fails even if git is installed

  453. #

  454. # this doesn't work (Salt bug), therefore need to run state.apply twice

  455. #include:

  456. #  - users

  457. #

  458. #git:

  459. #  pkg.installed:

  460. #    - require_in:

  461. #      - sls: users

  462. #

  463. {% if 'gitconfig' in user %}

  464. {% for key, value in user['gitconfig'].items() %}

  465. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  466.   {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  467.   git.config_set:

  468.   {% else %}

  469.   git.config:

  470.   {% endif %}

  471.     - name: {{ key }}

  472.     - value: "{{ value }}"

  473.     - user: {{ name }}

  474.     {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}

  475.     - global: True

  476.     {% else %}

  477.     - is_global: True

  478.     {% endif %}

  479. {% endfor %}

  480. {% endif %}

  481. 

  482. {% endfor %}

  483. 

  484. 

  485. {% for name, user in pillar.get('users', {}).items()

  486.         if user.absent is defined and user.absent %}

  487. users_absent_user_{{ name }}:

  488. {% if 'purge' in user or 'force' in user %}

  489.   user.absent:

  490.     - name: {{ name }}

  491.     {% if 'purge' in user %}

  492.     - purge: {{ user['purge'] }}

  493.     {% endif %}

  494.     {% if 'force' in user %}

  495.     - force: {{ user['force'] }}

  496.     {% endif %}

  497. {% else %}

  498.   user.absent:

  499.     - name: {{ name }}

  500. {% endif -%}

  501. users_{{ users.sudoers_dir }}/{{ name }}:

  502.   file.absent:

  503.     - name: {{ users.sudoers_dir }}/{{ name }}

  504. {% endfor %}

  505. 

  506. {% for user in pillar.get('absent_users', []) %}

  507. users_absent_user_2_{{ user }}:

  508.   user.absent:

  509.     - name: {{ user }}

  510. users_2_{{ users.sudoers_dir }}/{{ user }}:

  511.   file.absent:

  512.     - name: {{ users.sudoers_dir }}/{{ user }}

  513. {% endfor %}

  514. 

  515. {% for group in pillar.get('absent_groups', []) %}

  516. users_absent_group_{{ group }}:

  517.   group.absent:

  518.     - name: {{ group }}

  519. {% endfor %}