Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

init.sls 7.1KB

11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
11 yıl önce
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266
  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
  6. {%- if user == None -%}
  7. {%- set user = {} -%}
  8. {%- endif -%}
  9. {%- if 'sudouser' in user and user['sudouser'] %}
  10. {%- do used_sudo.append(1) %}
  11. {%- endif %}
  12. {%- if 'google_auth' in user %}
  13. {%- do used_googleauth.append(1) %}
  14. {%- endif %}
  15. {%- endfor %}
  16. {%- if used_sudo or used_googleauth %}
  17. include:
  18. {%- if used_sudo %}
  19. - users.sudo
  20. {%- endif %}
  21. {%- if used_googleauth %}
  22. - users.googleauth
  23. {%- endif %}
  24. {%- endif %}
  25. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
  26. {%- if user == None -%}
  27. {%- set user = {} -%}
  28. {%- endif -%}
  29. {%- set home = user.get('home', "/home/%s" % name) -%}
  30. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  31. {%- set user_group = user.prime_group.name -%}
  32. {%- else -%}
  33. {%- set user_group = name -%}
  34. {%- endif %}
  35. {% for group in user.get('groups', []) %}
  36. {{ name }}_{{ group }}_group:
  37. group:
  38. - name: {{ group }}
  39. - present
  40. {% endfor %}
  41. {{ name }}_user:
  42. {% if user.get('createhome', True) %}
  43. file.directory:
  44. - name: {{ home }}
  45. - user: {{ name }}
  46. - group: {{ user_group }}
  47. - mode: {{ user.get('user_dir_mode', '0750') }}
  48. - require:
  49. - user: {{ name }}
  50. - group: {{ user_group }}
  51. {%- endif %}
  52. group.present:
  53. - name: {{ user_group }}
  54. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  55. - gid: {{ user['prime_group']['gid'] }}
  56. {%- elif 'uid' in user %}
  57. - gid: {{ user['uid'] }}
  58. {%- endif %}
  59. user.present:
  60. - name: {{ name }}
  61. - home: {{ home }}
  62. - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
  63. {% if 'uid' in user -%}
  64. - uid: {{ user['uid'] }}
  65. {% endif -%}
  66. {% if 'password' in user -%}
  67. - password: '{{ user['password'] }}'
  68. {% endif -%}
  69. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  70. - gid: {{ user['prime_group']['gid'] }}
  71. {% else -%}
  72. - gid_from_name: True
  73. {% endif -%}
  74. {% if 'fullname' in user %}
  75. - fullname: {{ user['fullname'] }}
  76. {% endif -%}
  77. {% if not user.get('createhome', True) %}
  78. - createhome: False
  79. {% endif %}
  80. {% if 'expire' in user -%}
  81. - expire: {{ user['expire'] }}
  82. {% endif -%}
  83. - remove_groups: {{ user.get('remove_groups', 'False') }}
  84. - groups:
  85. - {{ user_group }}
  86. {% for group in user.get('groups', []) -%}
  87. - {{ group }}
  88. {% endfor %}
  89. - require:
  90. - group: {{ user_group }}
  91. {% for group in user.get('groups', []) -%}
  92. - group: {{ group }}
  93. {% endfor %}
  94. user_keydir_{{ name }}:
  95. file.directory:
  96. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  97. - user: {{ name }}
  98. - group: {{ user_group }}
  99. - makedirs: True
  100. - mode: 700
  101. - require:
  102. - user: {{ name }}
  103. - group: {{ user_group }}
  104. {%- for group in user.get('groups', []) %}
  105. - group: {{ group }}
  106. {%- endfor %}
  107. {% if 'ssh_keys' in user %}
  108. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  109. user_{{ name }}_private_key:
  110. file.managed:
  111. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  112. - user: {{ name }}
  113. - group: {{ user_group }}
  114. - mode: 600
  115. - show_diff: False
  116. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  117. - require:
  118. - user: {{ name }}_user
  119. {% for group in user.get('groups', []) %}
  120. - group: {{ name }}_{{ group }}_group
  121. {% endfor %}
  122. user_{{ name }}_public_key:
  123. file.managed:
  124. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  125. - user: {{ name }}
  126. - group: {{ user_group }}
  127. - mode: 644
  128. - show_diff: False
  129. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  130. - require:
  131. - user: {{ name }}_user
  132. {% for group in user.get('groups', []) %}
  133. - group: {{ name }}_{{ group }}_group
  134. {% endfor %}
  135. {% endif %}
  136. {% if 'ssh_auth_file' in user %}
  137. {{ home }}/.ssh/authorized_keys:
  138. file.managed:
  139. - user: {{ name }}
  140. - group: {{ name }}
  141. - mode: 600
  142. - contents: |
  143. {% for auth in user.ssh_auth_file -%}
  144. {{ auth }}
  145. {% endfor -%}
  146. {% endif %}
  147. {% if 'ssh_auth' in user %}
  148. {% for auth in user['ssh_auth'] %}
  149. ssh_auth_{{ name }}_{{ loop.index0 }}:
  150. ssh_auth.present:
  151. - user: {{ name }}
  152. - name: {{ auth }}
  153. - require:
  154. - file: {{ name }}_user
  155. - user: {{ name }}_user
  156. {% endfor %}
  157. {% endif %}
  158. {% if 'ssh_auth.absent' in user %}
  159. {% for auth in user['ssh_auth.absent'] %}
  160. ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  161. ssh_auth.absent:
  162. - user: {{ name }}
  163. - name: {{ auth }}
  164. - require:
  165. - file: {{ name }}_user
  166. - user: {{ name }}_user
  167. {% endfor %}
  168. {% endif %}
  169. {% if 'sudouser' in user and user['sudouser'] %}
  170. sudoer-{{ name }}:
  171. file.managed:
  172. - name: {{ users.sudoers_dir }}/{{ name }}
  173. - user: root
  174. - group: {{ users.root_group }}
  175. - mode: '0440'
  176. {% if 'sudo_rules' in user %}
  177. {% for rule in user['sudo_rules'] %}
  178. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  179. cmd.run:
  180. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  181. - stateful: True
  182. - shell: {{ users.visudo_shell }}
  183. - env:
  184. # Specify the rule via an env var to avoid shell quoting issues.
  185. - rule: "{{ name }} {{ rule }}"
  186. - require_in:
  187. - file: {{ users.sudoers_dir }}/{{ name }}
  188. {% endfor %}
  189. {{ users.sudoers_dir }}/{{ name }}:
  190. file.managed:
  191. - contents: |
  192. {%- for rule in user['sudo_rules'] %}
  193. {{ name }} {{ rule }}
  194. {%- endfor %}
  195. - require:
  196. - file: sudoer-defaults
  197. - file: sudoer-{{ name }}
  198. {% endif %}
  199. {% else %}
  200. {{ users.sudoers_dir }}/{{ name }}:
  201. file.absent:
  202. - name: {{ users.sudoers_dir }}/{{ name }}
  203. {% endif %}
  204. {%- if 'google_auth' in user %}
  205. {%- for svc in user['google_auth'] %}
  206. googleauth-{{ svc }}-{{ name }}:
  207. file.managed:
  208. - replace: false
  209. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  210. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  211. - user: root
  212. - group: {{ users.root_group }}
  213. - mode: 600
  214. - require:
  215. - pkg: googleauth-package
  216. {%- endfor %}
  217. {%- endif %}
  218. {% endfor %}
  219. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}
  220. {{ name }}:
  221. {% if 'purge' in user or 'force' in user %}
  222. user.absent:
  223. {% if 'purge' in user %}
  224. - purge: {{ user['purge'] }}
  225. {% endif %}
  226. {% if 'force' in user %}
  227. - force: {{ user['force'] }}
  228. {% endif %}
  229. {% else %}
  230. user.absent
  231. {% endif -%}
  232. {{ users.sudoers_dir }}/{{ name }}:
  233. file.absent:
  234. - name: {{ users.sudoers_dir }}/{{ name }}
  235. {% endfor %}
  236. {% for user in pillar.get('absent_users', []) %}
  237. {{ user }}:
  238. user.absent
  239. {{ users.sudoers_dir }}/{{ user }}:
  240. file.absent:
  241. - name: {{ users.sudoers_dir }}/{{ user }}
  242. {% endfor %}
  243. {% for group in pillar.get('absent_groups', []) %}
  244. {{ group }}:
  245. group.absent
  246. {% endfor %}