Merge branch 'master' of github.com:pcdummy/saltstack-users-formula

Signed-off-by: René Jochum <rene@jochums.at>

Conflicts:
	pillar.example
	users/init.sls

LICENSE

-   Copyright (c) 2014 Salt Stack Formulas
+   Copyright (c) 2014-2015 Salt Stack Formulas
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-

README.rst

 
 Ensures the sudo group exists, the sudo package is installed and the sudo file
 is configured.
+
+``users.bashrc``
+----------------
+
+Ensures the bashrc file exists in the users home directory. Set manage_bashrc:
+True in pillar per user. Defaults to False
+
+``users.vimrc``
+---------------
+
+Ensures the vimrc file exists in the users home directory. Set manage_vimrc:
+True in pillar per user. Defaults to False
+This depends on the vim-formula to be installed
+

pillar.example

     password: $6$w.............
     home: /custom/buser
     createhome: True
+    manage_vimrc: False
+    manage_bashrc: False
     expire: 16426
     sudouser: True
+    # sudo_rules doesn't need the username as a prefix for the rule
+    # this is added automatically by the formula.
+    # ----------------------------------------------------------------------
+    # In case your sudo_rules have a colon please have in mind to not leave
+    # spaces around it. For example:
+    # ALL=(ALL) NOPASSWD: ALL    <--- THIS WILL NOT WORK (Besides syntax is ok)
+    # ALL=(ALL) NOPASSWD:ALL     <--- THIS WILL WORK
     sudo_rules:
-      - 'ALL=(root) /usr/bin/find'
-      - 'ALL=(otheruser) /usr/bin/script.sh'
+      - ALL=(root) /usr/bin/find
+      - ALL=(otheruser) /usr/bin/script.sh
+    sudo_defaults:
+      - '!requiretty'
     shell: /bin/bash
     prime_group:
       name: primarygroup
     groups:
       - users
     ssh_key_type: rsa
+    # You can inline the private keys ...
     ssh_keys:
       privkey: PRIVATEKEY
       pubkey: PUBLICKEY
+    # ... or you can pull them from a different pillar,
+    # for example one called "ssh_keys":
+    ssh_keys_pillar:
+      id_rsa: "ssh_keys"
+      another_key_pair: "ssh_keys"
     ssh_auth:
       - PUBLICKEY
     ssh_auth.absent:
       - PUBLICKEY_TO_BE_REMOVED
+    # Generates an authorized_keys file for the user
+    # with the given keys
+    ssh_auth_file:
+      - PUBLICKEY
+    # If you prefer to keep public keys as files rather
+    # than inline in pillar, this works.
+    ssh_auth_sources:
+      - salt://keys/buser.id_rsa.pub
+    # Manage the ~/.ssh/config file
+    ssh_config:
+      all:
+        hostname: "*"
+        options:
+          - "StrictHostKeyChecking no"
+          - "UserKnownHostsFile=/dev/null"
+      importanthost:
+        hostname: "needcheck.example.com"
+        options:
+          - "StrictHostKeyChecking yes"
+
+    google_2fa: True
     google_auth:
       ssh: |
         SOMEGAUTHHASHVAL

users/bashrc.sls

+{% from "users/map.jinja" import users with context %}
+include:
+  - users
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if user == None -%}
+{%- set user = {} -%}
+{%- endif -%}
+{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set manage = user.get('manage_bashrc', False) -%}
+{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
+{%- set user_group = user.prime_group.name -%}
+{%- else -%}
+{%- set user_group = name -%}
+{%- endif %}
+{%- if manage -%}
+users_{{ name }}_user_bashrc:
+  file.managed:
+    - name: {{ home }}/.bashrc
+    - user: {{ name }}
+    - group: {{ user_group }}
+    - mode: 644
+    - source: 
+      - salt://users/files/bashrc/{{ name }}/bashrc
+      - salt://users/files/bashrc/bashrc
+{% endif %}
+{% endfor %}

users/files/bashrc/bashrc

+#
+# ~/.bashrc
+#
+#
+# If not running interactively, don't do anything
+[[ $- != *i* ]] && return
+
+alias ls='ls --color=auto'
+PS1='[\u@\h \W]\$ '

users/files/vimrc/vimrc

+" URL: http://vim.wikia.com/wiki/Example_vimrc
+" Authors: http://vim.wikia.com/wiki/Vim_on_Freenode
+" Description: A minimal, but feature rich, example .vimrc. If you are a
+"              newbie, basing your first .vimrc on this file is a good choice.
+"              If you're a more advanced user, building your own .vimrc based
+"              on this file is still a good idea.
+
+"------------------------------------------------------------
+" Features {{{1
+"
+" These options and commands enable some very useful features in Vim, that
+" no user should have to live without.
+
+" Set 'nocompatible' to ward off unexpected things that your distro might
+" have made, as well as sanely reset options when re-sourcing .vimrc
+set nocompatible
+
+" Attempt to determine the type of a file based on its name and possibly its
+" contents. Use this to allow intelligent auto-indenting for each filetype,
+" and for plugins that are filetype specific.
+filetype indent plugin on
+
+" Enable syntax highlighting
+syntax on
+
+
+"------------------------------------------------------------
+" Must have options {{{1
+"
+" These are highly recommended options.
+
+" Vim with default settings does not allow easy switching between multiple files
+" in the same editor window. Users can use multiple split windows or multiple
+" tab pages to edit multiple files, but it is still best to enable an option to
+" allow easier switching between files.
+"
+" One such option is the 'hidden' option, which allows you to re-use the same
+" window and switch from an unsaved buffer without saving it first. Also allows
+" you to keep an undo history for multiple files when re-using the same window
+" in this way. Note that using persistent undo also lets you undo in multiple
+" files even in the same window, but is less efficient and is actually designed
+" for keeping undo history after closing Vim entirely. Vim will complain if you
+" try to quit without saving, and swap files will keep you safe if your computer
+" crashes.
+set hidden
+
+" Note that not everyone likes working this way (with the hidden option).
+" Alternatives include using tabs or split windows instead of re-using the same
+" window as mentioned above, and/or either of the following options:
+" set confirm
+" set autowriteall
+
+" Better command-line completion
+set wildmenu
+
+" Show partial commands in the last line of the screen
+set showcmd
+
+" Highlight searches (use <C-L> to temporarily turn off highlighting; see the
+" mapping of <C-L> below)
+set hlsearch
+
+" Modelines have historically been a source of security vulnerabilities. As
+" such, it may be a good idea to disable them and use the securemodelines
+" script, <http://www.vim.org/scripts/script.php?script_id=1876>.
+" set nomodeline
+
+
+"------------------------------------------------------------
+" Usability options {{{1
+"
+" These are options that users frequently set in their .vimrc. Some of them
+" change Vim's behaviour in ways which deviate from the true Vi way, but
+" which are considered to add usability. Which, if any, of these options to
+" use is very much a personal preference, but they are harmless.
+
+" Use case insensitive search, except when using capital letters
+set ignorecase
+set smartcase
+
+" Allow backspacing over autoindent, line breaks and start of insert action
+set backspace=indent,eol,start
+
+" When opening a new line and no filetype-specific indenting is enabled, keep
+" the same indent as the line you're currently on. Useful for READMEs, etc.
+set autoindent
+
+" Stop certain movements from always going to the first character of a line.
+" While this behaviour deviates from that of Vi, it does what most users
+" coming from other editors would expect.
+set nostartofline
+
+" Display the cursor position on the last line of the screen or in the status
+" line of a window
+set ruler
+
+" Always display the status line, even if only one window is displayed
+set laststatus=2
+
+" Instead of failing a command because of unsaved changes, instead raise a
+" dialogue asking if you wish to save changed files.
+set confirm
+
+" Use visual bell instead of beeping when doing something wrong
+set visualbell
+
+" And reset the terminal code for the visual bell. If visualbell is set, and
+" this line is also included, vim will neither flash nor beep. If visualbell
+" is unset, this does nothing.
+set t_vb=
+
+" Enable use of the mouse for all modes
+set mouse=a
+
+" Set the command window height to 2 lines, to avoid many cases of having to
+" "press <Enter> to continue"
+set cmdheight=2
+
+" Display line numbers on the left
+set number
+
+" Quickly time out on keycodes, but never time out on mappings
+set notimeout ttimeout ttimeoutlen=200
+
+" Use <F11> to toggle between 'paste' and 'nopaste'
+set pastetoggle=<F11>
+
+
+"------------------------------------------------------------
+" Indentation options {{{1
+"
+" Indentation settings according to personal preference.
+
+" Indentation settings for using 4 spaces instead of tabs.
+" Do not change 'tabstop' from its default value of 8 with this setup.
+set shiftwidth=4
+set softtabstop=4
+set expandtab
+
+" Indentation settings for using hard tabs for indent. Display tabs as
+" four characters wide.
+"set shiftwidth=4
+"set tabstop=4
+
+
+"------------------------------------------------------------
+" Mappings {{{1
+"
+" Useful mappings
+
+" Map Y to act like D and C, i.e. to yank until EOL, rather than act as yy,
+" which is the default
+map Y y$
+
+" Map <C-L> (redraw screen) to also turn off search highlighting until the
+" next search
+nnoremap <C-L> :nohl<CR><C-L>
+
+
+"------------------------------------------------------------

users/googleauth.sls

 # vim: sts=2 ts=2 sw=2 et ai
 {% from "users/map.jinja" import users with context %}
 
-googleauth-package:
+users_googleauth-package:
   pkg.installed:
     - name: {{ users.googleauth_package }}
     - require:
       - file: {{ users.googleauth_dir }} 
 
-{{ users.googleauth_dir }}:
-  file:
-    - directory
+users_{{ users.googleauth_dir }}:
+  file.directory:
+    - name: {{ users.googleauth_dir }}
     - user: root
     - group: {{ users.root_group }}
     - mode: 600
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+{%- if user.get('google_2fa', True) %}
+users_googleauth-pam-{{ svc }}-{{ name }}:
+  file.replace:
+    - name: /etc/pam.d/{{ svc }}
+    - pattern: "^@include common-auth"
+    - repl: "auth       [success=done new_authtok_reqd=done default=die]   pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
+    - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
+    - backup: .bak
+{%- endif %}
+{%- endfor %}
+{%- endif %}
+{%- endfor %}

users/init.sls

 {%- endif %}
 
 {% for group in user.get('groups', []) %}
-{{ name }}_{{ group }}_group:
+users_{{ name }}_{{ group }}_group:
   group:
     - name: {{ group }}
     - present
 {% endfor %}
 
-{{ name }}_user:
+users_{{ name }}_user:
   {% if user.get('createhome', True) %}
   file.directory:
     - name: {{ home }}
       - group: {{ group }}
       {% endfor %}
 
+
   {% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth.absent' in user %}
 user_keydir_{{ name }}:
   file.directory:
 
   {% if 'ssh_keys' in user %}
   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
-user_{{ name }}_private_key:
+users_user_{{ name }}_private_key:
   file.managed:
     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
     - user: {{ name }}
     - show_diff: False
     - contents_pillar: users:{{ name }}:ssh_keys:privkey
     - require:
-      - user: {{ name }}_user
+      - user: users_{{ name }}_user
       {% for group in user.get('groups', []) %}
-      - group: {{ name }}_{{ group }}_group
+      - group: users_{{ name }}_{{ group }}_group
       {% endfor %}
-user_{{ name }}_public_key:
+users_user_{{ name }}_public_key:
   file.managed:
     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
     - user: {{ name }}
     - show_diff: False
     - contents_pillar: users:{{ name }}:ssh_keys:pubkey
     - require:
-      - user: {{ name }}_user
+      - user: users_{{ name }}_user
       {% for group in user.get('groups', []) %}
-      - group: {{ name }}_{{ group }}_group
+      - group: users_{{ name }}_{{ group }}_group
       {% endfor %}
   {% endif %}
 
+{% if 'ssh_auth_file' in user %}
+users_authorized_keys_{{ name }}:
+  file.managed:
+    - name: {{ home }}/.ssh/authorized_keys
+    - user: {{ name }}
+    - group: {{ name }}
+    - mode: 600
+    - contents: |
+        {% for auth in user.ssh_auth_file -%}
+        {{ auth }}
+        {% endfor -%}
+{% endif %}
 
 {% if 'ssh_auth' in user %}
 {% for auth in user['ssh_auth'] %}
-ssh_auth_{{ name }}_{{ loop.index0 }}:
+users_ssh_auth_{{ name }}_{{ loop.index0 }}:
   ssh_auth.present:
     - user: {{ name }}
     - name: {{ auth }}
     - require:
-        - file: {{ name }}_user
-        - user: {{ name }}_user
+        - file: users_{{ name }}_user
+        - user: users_{{ name }}_user
+{% endfor %}
+{% endif %}
+
+{% if 'ssh_keys_pillar' in user %}
+{% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems()  %}
+users_ssh_keys_files_{{ name }}_{{ key_name }}_pub:
+  file.managed:
+    - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
+    }}.pub
+    - contents: |
+        {{ pillar[pillar_name][key_name]['pubkey'] }}
+users_ssh_keys_files_{{ name }}_{{ key_name }}_priv:
+  file.managed:
+    - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
+    }}
+    - contents: |
+        {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}
+{% endfor %}
+{% endif %}
+
+{% if 'ssh_auth_sources' in user %}
+{% for pubkey_file in user['ssh_auth_sources'] %}
+users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
+  ssh_auth.present:
+    - user: {{ name }}
+    - source: {{ pubkey_file }}
+    - require:
+        - file: users_{{ name }}_user
+        - user: users_{{ name }}_user
 {% endfor %}
 {% endif %}
 
 {% if 'ssh_auth.absent' in user %}
 {% for auth in user['ssh_auth.absent'] %}
-ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
+users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
   ssh_auth.absent:
     - user: {{ name }}
     - name: {{ auth }}
     - require:
-        - file: {{ name }}_user
-        - user: {{ name }}_user
+        - file: users_{{ name }}_user
+        - user: users_{{ name }}_user
 {% endfor %}
 {% endif %}
 
+{% if 'ssh_config' in user %}
+users_ssh_config_{{ name }}:
+  file.managed:
+    - name: {{ home }}/.ssh/config
+    - user: {{ name }}
+    - group: {{ user_group }}
+    - mode: 640
+    - contents: |
+        # Managed by Saltstack
+        # Do Not Edit
+        {% for label, setting in user.ssh_config.items() %}
+        # {{ label }}
+        Host {{ setting.get('hostname') }}
+          {%- for opts in setting.get('options') %}
+          {{ opts }}
+          {%- endfor %}
+        {% endfor -%}
+{% endif %}
+
 {% if 'sudouser' in user and user['sudouser'] %}
 
-sudoer-{{ name }}:
+users_sudoer-{{ name }}:
   file.managed:
     - name: {{ users.sudoers_dir }}/{{ name }}
     - user: root
     - group: {{ users.root_group }}
     - mode: '0440'
+{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
 {% if 'sudo_rules' in user %}
 {% for rule in user['sudo_rules'] %}
 "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
       # Specify the rule via an env var to avoid shell quoting issues.
       - rule: "{{ name }} {{ rule }}"
     - require_in:
-      - file: {{ users.sudoers_dir }}/{{ name }}
+      - file: users_{{ users.sudoers_dir }}/{{ name }}
 {% endfor %}
+{% endif %}
+{% if 'sudo_defaults' in user %}
+{% for entry in user['sudo_defaults'] %}
+"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
+  cmd.run:
+    - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
+    - stateful: True
+    - shell: {{ users.visudo_shell }}
+    - env:
+      # Specify the rule via an env var to avoid shell quoting issues.
+      - rule: "Defaults:{{ name }} {{ entry }}"
+    - require_in:
+      - file: users_{{ users.sudoers_dir }}/{{ name }}
+{% endfor %}
+{% endif %}
 
-{{ users.sudoers_dir }}/{{ name }}:
+users_{{ users.sudoers_dir }}/{{ name }}:
   file.managed:
+    - name: {{ users.sudoers_dir }}/{{ name }}
     - contents: |
+      {%- if 'sudo_defaults' in user %}
+      {%- for entry in user['sudo_defaults'] %}
+        Defaults:{{ name }} {{ entry }}
+      {%- endfor %}
+      {%- endif %}
+      {%- if 'sudo_rules' in user %}
       {%- for rule in user['sudo_rules'] %}
         {{ name }} {{ rule }}
       {%- endfor %}
+      {%- endif %}
     - require:
-      - file: sudoer-defaults
-      - file: sudoer-{{ name }}
+      - file: users_sudoer-defaults
+      - file: users_sudoer-{{ name }}
 {% endif %}
 {% else %}
-{{ users.sudoers_dir }}/{{ name }}:
+users_{{ users.sudoers_dir }}/{{ name }}:
   file.absent:
     - name: {{ users.sudoers_dir }}/{{ name }}
 {% endif %}
 
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
-googleauth-{{ svc }}-{{ name }}:
+users_googleauth-{{ svc }}-{{ name }}:
   file.managed:
     - replace: false
     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
     - user: root
     - group: {{ users.root_group }}
-    - mode: 600
+    - mode: 400
     - require:
-      - pkg: googleauth-package
+      - pkg: users_googleauth-package
 {%- endfor %}
 {%- endif %}
 
 {% endfor %}
 
+
 {% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %}
-{{ name }}:
+users_absent_user_{{ name }}:
 {% if 'purge' in user or 'force' in user %}
   user.absent:
+    - name: {{ name }}
     {% if 'purge' in user %}
     - purge: {{ user['purge'] }}
     {% endif %}
     - force: {{ user['force'] }}
     {% endif %}
 {% else %}
-  user.absent
+  user.absent:
+    - name: {{ name }}
 {% endif -%}
-{{ users.sudoers_dir }}/{{ name }}:
+users_{{ users.sudoers_dir }}/{{ name }}:
   file.absent:
     - name: {{ users.sudoers_dir }}/{{ name }}
 {% endfor %}
 
 {% for user in pillar.get('absent_users', []) %}
-{{ user }}:
+users_absent_user_2_{{ user }}:
   user.absent
-{{ users.sudoers_dir }}/{{ user }}:
+users_2_{{ users.sudoers_dir }}/{{ user }}:
   file.absent:
     - name: {{ users.sudoers_dir }}/{{ user }}
 {% endfor %}
 
 {% for group in pillar.get('absent_groups', []) %}
-{{ group }}:
-  group.absent
+users_absent_group_{{ group }}:
+  group.absent:
+    - name: {{ group }}
 {% endfor %}

users/sudo.sls

 {% from "users/map.jinja" import users with context %}
 
 # Ensure availability of bash
-bash-package:
+users_bash-package:
   pkg.installed:
     - name: {{ users.bash_package }}
 
-sudo-group:
+users_sudo-group:
   group.present:
     - name: sudo
     - system: True
 
-sudo-package:
+users_sudo-package:
   pkg.installed:
     - name: {{ users.sudo_package }}
     - require:
-      - group: sudo-group
+      - group: users_sudo-group
       - file: {{ users.sudoers_dir }} 
 
-{{ users.sudoers_dir }}:
-  file:
-    - directory
+users_{{ users.sudoers_dir }}:
+  file.directory:
+    - name: {{ users.sudoers_dir }}
 
-sudoer-defaults:
+users_sudoer-defaults:
     file.append:
         - name: {{ users.sudoers_file }} 
         - require:
-          - pkg: sudo-package
+          - pkg: users_sudo-package
         - text:
           - Defaults   env_reset
           - Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

users/vimrc.sls

+{% from "users/map.jinja" import users with context %}
+include:
+  - users
+  - vim
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if user == None -%}
+{%- set user = {} -%}
+{%- endif -%}
+{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set manage = user.get('manage_vimrc', False) -%}
+{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
+{%- set user_group = user.prime_group.name -%}
+{%- else -%}
+{%- set user_group = name -%}
+{%- endif %}
+{%- if manage -%}
+users_{{ name }}_user_vimrc:
+  file.managed:
+    - name: {{ home }}/.vimrc
+    - user: {{ name }}
+    - group: {{ user_group }}
+    - mode: 644
+    - source: 
+      - salt://users/files/vimrc/{{ name }}/vimrc
+      - salt://users/files/vimrc/vimrc
+{% endif %}
+{% endfor %}