Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

572 line
17KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {% for group, setting in salt['pillar.get']('groups', {}).items() %}
  7. users_group_{{ setting.get('state', "present") }}_{{ group }}:
  8. group.{{ setting.get('state', "present") }}:
  9. - name: {{ group }}
  10. {%- if setting.get('gid') %}
  11. - gid: {{setting.get('gid') }}
  12. {%- endif %}
  13. - system: {{ setting.get('system',"False") }}
  14. {% endfor %}
  15. {%- for name, user in pillar.get('users', {}).items()
  16. if user.absent is not defined or not user.absent %}
  17. {%- if user == None -%}
  18. {%- set user = {} -%}
  19. {%- endif -%}
  20. {%- if 'sudoonly' in user and user['sudoonly'] %}
  21. {%- set _dummy=user.update({'sudouser': True}) %}
  22. {%- endif %}
  23. {%- if 'sudouser' in user and user['sudouser'] %}
  24. {%- do used_sudo.append(1) %}
  25. {%- endif %}
  26. {%- if 'google_auth' in user %}
  27. {%- do used_googleauth.append(1) %}
  28. {%- endif %}
  29. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  30. {%- do used_user_files.append(1) %}
  31. {%- endif %}
  32. {%- endfor %}
  33. {%- if used_sudo or used_googleauth or used_user_files %}
  34. include:
  35. {%- if used_sudo %}
  36. - users.sudo
  37. {%- endif %}
  38. {%- if used_googleauth %}
  39. - users.googleauth
  40. {%- endif %}
  41. {%- if used_user_files %}
  42. - users.user_files
  43. {%- endif %}
  44. {%- endif %}
  45. {% for name, user in pillar.get('users', {}).items()
  46. if user.absent is not defined or not user.absent %}
  47. {%- if user == None -%}
  48. {%- set user = {} -%}
  49. {%- endif -%}
  50. {%- set current = salt.user.info(name) -%}
  51. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
  52. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  53. {%- set user_group = user.prime_group.name -%}
  54. {%- else -%}
  55. {%- set user_group = name -%}
  56. {%- endif %}
  57. {%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}
  58. {% for group in user.get('groups', []) %}
  59. users_{{ name }}_{{ group }}_group:
  60. group.present:
  61. - name: {{ group }}
  62. {% if group == 'sudo' %}
  63. - system: True
  64. {% endif %}
  65. {% endfor %}
  66. {# in case home subfolder doesn't exist, create it before the user exists #}
  67. {% if user.get('createhome', True) %}
  68. users_{{ name }}_user_prereq:
  69. file.directory:
  70. - name: {{ salt['file.dirname'](home) }}
  71. - makedirs: True
  72. - prereq:
  73. - user: users_{{ name }}_user
  74. {%- endif %}
  75. users_{{ name }}_user:
  76. {% if user.get('createhome', True) %}
  77. file.directory:
  78. - name: {{ home }}
  79. - user: {{ user.get('homedir_owner', name) }}
  80. - group: {{ user.get('homedir_group', user_group) }}
  81. - mode: {{ user.get('user_dir_mode', '0750') }}
  82. - makedirs: True
  83. - require:
  84. - user: users_{{ name }}_user
  85. - group: {{ user_group }}
  86. {%- endif %}
  87. group.present:
  88. - name: {{ user_group }}
  89. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  90. - gid: {{ user['prime_group']['gid'] }}
  91. {%- elif 'uid' in user %}
  92. - gid: {{ user['uid'] }}
  93. {%- endif %}
  94. {% if 'system' in user and user['system'] %}
  95. - system: True
  96. {% endif %}
  97. user.present:
  98. - name: {{ name }}
  99. {% if user.get('createhome', True) -%}
  100. - home: {{ home }}
  101. {% endif -%}
  102. - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
  103. {% if 'uid' in user -%}
  104. - uid: {{ user['uid'] }}
  105. {% endif -%}
  106. {% if 'password' in user -%}
  107. - password: '{{ user['password'] }}'
  108. {% endif -%}
  109. {% if user.get('empty_password') -%}
  110. - empty_password: {{ user.get('empty_password') }}
  111. {% endif -%}
  112. {% if 'enforce_password' in user -%}
  113. - enforce_password: {{ user['enforce_password'] }}
  114. {% endif -%}
  115. {% if 'hash_password' in user -%}
  116. - hash_password: {{ user['hash_password'] }}
  117. {% endif -%}
  118. {% if user.get('system', False) -%}
  119. - system: True
  120. {% endif -%}
  121. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  122. - gid: {{ user['prime_group']['gid'] }}
  123. {% elif 'prime_group' in user and 'name' in user['prime_group'] %}
  124. - gid: {{ user['prime_group']['name'] }}
  125. {% else -%}
  126. - gid_from_name: True
  127. {% endif -%}
  128. {% if 'fullname' in user %}
  129. - fullname: {{ user['fullname'] }}
  130. {% endif -%}
  131. {% if 'roomnumber' in user %}
  132. - roomnumber: {{ user['roomnumber'] }}
  133. {% endif %}
  134. {% if 'workphone' in user %}
  135. - workphone: {{ user['workphone'] }}
  136. {% endif %}
  137. {% if 'homephone' in user %}
  138. - homephone: {{ user['homephone'] }}
  139. {% endif %}
  140. {% if not user.get('createhome', True) %}
  141. - createhome: False
  142. {% endif %}
  143. {% if not user.get('unique', True) %}
  144. - unique: False
  145. {% endif %}
  146. {% if 'expire' in user -%}
  147. {% if grains['kernel'].endswith('BSD') and
  148. user['expire'] < 157766400 %}
  149. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  150. - expire: {{ user['expire'] * 86400 }}
  151. {% elif grains['kernel'] == 'Linux' and
  152. user['expire'] > 84006 %}
  153. {# 2932896 days since epoch equals 9999-12-31 #}
  154. - expire: {{ (user['expire'] / 86400) | int}}
  155. {% else %}
  156. - expire: {{ user['expire'] }}
  157. {% endif %}
  158. {% endif -%}
  159. - remove_groups: {{ user.get('remove_groups', 'False') }}
  160. - groups:
  161. - {{ user_group }}
  162. {% for group in user.get('groups', []) -%}
  163. - {{ group }}
  164. {% endfor %}
  165. {% if 'optional_groups' in user %}
  166. - optional_groups:
  167. {% for optional_group in user['optional_groups'] -%}
  168. - {{optional_group}}
  169. {% endfor %}
  170. {% endif %}
  171. - require:
  172. - group: {{ user_group }}
  173. {% for group in user.get('groups', []) -%}
  174. - group: {{ group }}
  175. {% endfor %}
  176. {% if 'ssh_keys' in user or
  177. 'ssh_auth' in user or
  178. 'ssh_auth_file' in user or
  179. 'ssh_auth_pillar' in user or
  180. 'ssh_auth.absent' in user or
  181. 'ssh_config' in user %}
  182. user_keydir_{{ name }}:
  183. file.directory:
  184. - name: {{ home }}/.ssh
  185. - user: {{ name }}
  186. - group: {{ user_group }}
  187. - makedirs: True
  188. - mode: 700
  189. - require:
  190. - user: {{ name }}
  191. - group: {{ user_group }}
  192. {%- for group in user.get('groups', []) %}
  193. - group: {{ group }}
  194. {%- endfor %}
  195. {% endif %}
  196. {% if 'ssh_keys' in user %}
  197. {% for _key in user.ssh_keys.keys() %}
  198. {% if _key == 'privkey' %}
  199. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}
  200. {% elif _key == 'pubkey' %}
  201. {% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}
  202. {% else %}
  203. {% set key_name = _key %}
  204. {% endif %}
  205. users_{{ name }}_{{ key_name }}_key:
  206. file.managed:
  207. - name: {{ home }}/.ssh/{{ key_name }}
  208. - user: {{ name }}
  209. - group: {{ user_group }}
  210. {% if key_name.endswith(".pub") %}
  211. - mode: 644
  212. {% else %}
  213. - mode: 600
  214. {% endif %}
  215. - show_diff: False
  216. {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}
  217. {%- if 'salt://' in key_value[:7] %}
  218. - source: {{ key_value }}
  219. {%- else %}
  220. - contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}
  221. {%- endif %}
  222. - require:
  223. - user: users_{{ name }}_user
  224. {% for group in user.get('groups', []) %}
  225. - group: users_{{ name }}_{{ group }}_group
  226. {% endfor %}
  227. {% endfor %}
  228. {% endif %}
  229. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  230. users_authorized_keys_{{ name }}:
  231. file.managed:
  232. - name: {{ home }}/.ssh/authorized_keys
  233. - user: {{ name }}
  234. - group: {{ user_group }}
  235. - mode: 600
  236. {% if 'ssh_auth_file' in user %}
  237. - contents: |
  238. {% for auth in user.ssh_auth_file -%}
  239. {{ auth }}
  240. {% endfor -%}
  241. {% else %}
  242. - contents: |
  243. {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
  244. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  245. {%- endfor %}
  246. {% endif %}
  247. {% endif %}
  248. {% if 'ssh_auth' in user %}
  249. {% for auth in user['ssh_auth'] %}
  250. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  251. ssh_auth.present:
  252. - user: {{ name }}
  253. - name: {{ auth }}
  254. - require:
  255. - file: user_keydir_{{ name }}
  256. - user: users_{{ name }}_user
  257. {% endfor %}
  258. {% endif %}
  259. {% if 'ssh_keys_pillar' in user %}
  260. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  261. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  262. file.managed:
  263. - name: {{ home }}/.ssh/{{ key_name }}
  264. - user: {{ name }}
  265. - group: {{ user_group }}
  266. - mode: 600
  267. - show_diff: False
  268. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  269. - require:
  270. - user: users_{{ name }}_user
  271. {% for group in user.get('groups', []) %}
  272. - group: users_{{ name }}_{{ group }}_group
  273. {% endfor %}
  274. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  275. file.managed:
  276. - name: {{ home }}/.ssh/{{ key_name }}.pub
  277. - user: {{ name }}
  278. - group: {{ user_group }}
  279. - mode: 644
  280. - show_diff: False
  281. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  282. - require:
  283. - user: users_{{ name }}_user
  284. {% for group in user.get('groups', []) %}
  285. - group: users_{{ name }}_{{ group }}_group
  286. {% endfor %}
  287. {% endfor %}
  288. {% endif %}
  289. {% if 'ssh_auth_sources' in user %}
  290. {% for pubkey_file in user['ssh_auth_sources'] %}
  291. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  292. ssh_auth.present:
  293. - user: {{ name }}
  294. - source: {{ pubkey_file }}
  295. - require:
  296. - file: users_{{ name }}_user
  297. - user: users_{{ name }}_user
  298. {% endfor %}
  299. {% endif %}
  300. {% if 'ssh_auth_sources.absent' in user %}
  301. {% for pubkey_file in user['ssh_auth_sources.absent'] %}
  302. users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:
  303. ssh_auth.absent:
  304. - user: {{ name }}
  305. - source: {{ pubkey_file }}
  306. - require:
  307. - file: users_{{ name }}_user
  308. - user: users_{{ name }}_user
  309. {% endfor %}
  310. {% endif %}
  311. {% if 'ssh_auth.absent' in user %}
  312. {% for auth in user['ssh_auth.absent'] %}
  313. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  314. ssh_auth.absent:
  315. - user: {{ name }}
  316. - name: {{ auth }}
  317. - require:
  318. - file: users_{{ name }}_user
  319. - user: users_{{ name }}_user
  320. {% endfor %}
  321. {% endif %}
  322. {% if 'ssh_config' in user %}
  323. users_ssh_config_{{ name }}:
  324. file.managed:
  325. - name: {{ home }}/.ssh/config
  326. - user: {{ name }}
  327. - group: {{ user_group }}
  328. - mode: 640
  329. - contents: |
  330. # Managed by Saltstack
  331. # Do Not Edit
  332. {% for label, setting in user.ssh_config.items() %}
  333. # {{ label }}
  334. Host {{ setting.get('hostname') }}
  335. {%- for opts in setting.get('options') %}
  336. {{ opts }}
  337. {%- endfor %}
  338. {% endfor -%}
  339. {% endif %}
  340. {% if 'ssh_known_hosts' in user %}
  341. {% for hostname, host in user['ssh_known_hosts'].items() %}
  342. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  343. ssh_known_hosts.present:
  344. - user: {{ name }}
  345. - name: {{ hostname }}
  346. {% if 'port' in host %}
  347. - port: {{ host['port'] }}
  348. {% endif -%}
  349. {% if 'fingerprint' in host %}
  350. - fingerprint: {{ host['fingerprint'] }}
  351. {% endif -%}
  352. {% if 'key' in host %}
  353. - key: {{ host['key'] }}
  354. {% endif -%}
  355. {% if 'enc' in host %}
  356. - enc: {{ host['enc'] }}
  357. {% endif -%}
  358. {% if 'hash_known_hosts' in host %}
  359. - hash_known_hosts: {{ host['hash_known_hosts'] }}
  360. {% endif -%}
  361. {% if 'timeout' in host %}
  362. - timeout: {{ host['timeout'] }}
  363. {% endif -%}
  364. {% if 'fingerprint_hash_type' in host %}
  365. - fingerprint_hash_type: {{ host['fingerprint_hash_type'] }}
  366. {% endif -%}
  367. {% endfor %}
  368. {% endif %}
  369. {% if 'ssh_known_hosts.absent' in user %}
  370. {% for host in user['ssh_known_hosts.absent'] %}
  371. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  372. ssh_known_hosts.absent:
  373. - user: {{ name }}
  374. - name: {{ host }}
  375. {% endfor %}
  376. {% endif %}
  377. {% endif %}
  378. {% set sudoers_d_filename = name|replace('.','_') %}
  379. {% if 'sudouser' in user and user['sudouser'] %}
  380. users_sudoer-{{ name }}:
  381. file.managed:
  382. - replace: False
  383. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  384. - user: root
  385. - group: {{ users.root_group }}
  386. - mode: '0440'
  387. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  388. #{#%
  389. {% if 'sudo_rules' in user %}
  390. {% for rule in user['sudo_rules'] %}
  391. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  392. cmd.run:
  393. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  394. - stateful: True
  395. - shell: {{ users.visudo_shell }}
  396. - env:
  397. # Specify the rule via an env var to avoid shell quoting issues.
  398. - rule: "{{ name }} {{ rule }}"
  399. - require_in:
  400. - file: users_{{ users.sudoers_dir }}/{{ name }}
  401. {% endfor %}
  402. {% endif %}
  403. {% if 'sudo_defaults' in user %}
  404. {% for entry in user['sudo_defaults'] %}
  405. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  406. cmd.run:
  407. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  408. - stateful: True
  409. - shell: {{ users.visudo_shell }}
  410. - env:
  411. # Specify the rule via an env var to avoid shell quoting issues.
  412. - rule: "Defaults:{{ name }} {{ entry }}"
  413. - require_in:
  414. - file: users_{{ users.sudoers_dir }}/{{ name }}
  415. {% endfor %}
  416. {% endif %}
  417. #%#}
  418. users_{{ users.sudoers_dir }}/{{ name }}:
  419. file.managed:
  420. - replace: True
  421. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  422. - contents: |
  423. {%- if 'sudo_defaults' in user %}
  424. {%- for entry in user['sudo_defaults'] %}
  425. Defaults:{{ name }} {{ entry }}
  426. {%- endfor %}
  427. {%- endif %}
  428. {%- if 'sudo_rules' in user %}
  429. ########################################################################
  430. # File managed by Salt (users-formula).
  431. # Your changes will be overwritten.
  432. ########################################################################
  433. #
  434. {%- for rule in user['sudo_rules'] %}
  435. {{ name }} {{ rule }}
  436. {%- endfor %}
  437. {%- endif %}
  438. - require:
  439. - file: users_sudoer-defaults
  440. - file: users_sudoer-{{ name }}
  441. cmd.wait:
  442. - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )
  443. - watch:
  444. - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  445. {% endif %}
  446. {% else %}
  447. users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
  448. file.absent:
  449. - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
  450. {% endif %}
  451. {%- if 'google_auth' in user %}
  452. {%- for svc in user['google_auth'] %}
  453. users_googleauth-{{ svc }}-{{ name }}:
  454. file.managed:
  455. - replace: false
  456. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  457. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  458. - user: root
  459. - group: {{ users.root_group }}
  460. - mode: 400
  461. - require:
  462. - pkg: users_googleauth-package
  463. {%- endfor %}
  464. {%- endif %}
  465. # this doesn't work (Salt bug), therefore need to run state.apply twice
  466. #include:
  467. # - users
  468. #
  469. #git:
  470. # pkg.installed:
  471. # - require_in:
  472. # - sls: users
  473. #
  474. {% if salt['cmd.has_exec']('git') %}
  475. {% if 'gitconfig' in user %}
  476. {% for key, value in user['gitconfig'].items() %}
  477. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  478. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  479. git.config_set:
  480. {% else %}
  481. git.config:
  482. {% endif %}
  483. - name: {{ key }}
  484. - value: "{{ value }}"
  485. - user: {{ name }}
  486. {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  487. - global: True
  488. {% else %}
  489. - is_global: True
  490. {% endif %}
  491. {% endfor %}
  492. {% endif %}
  493. {% if 'gitconfig.absent' in user and grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
  494. {% for key in user.get('gitconfig.absent') %}
  495. users_{{ name }}_user_gitconfig_absent_{{ key }}:
  496. git.config_unset:
  497. - name: '{{ key }}'
  498. - user: {{ name }}
  499. - global: True
  500. - all: True
  501. {% endfor %}
  502. {% endif %}
  503. {% endif %}
  504. {% endfor %}
  505. {% for name, user in pillar.get('users', {}).items()
  506. if user.absent is defined and user.absent %}
  507. users_absent_user_{{ name }}:
  508. {% if 'purge' in user or 'force' in user %}
  509. user.absent:
  510. - name: {{ name }}
  511. {% if 'purge' in user %}
  512. - purge: {{ user['purge'] }}
  513. {% endif %}
  514. {% if 'force' in user %}
  515. - force: {{ user['force'] }}
  516. {% endif %}
  517. {% else %}
  518. user.absent:
  519. - name: {{ name }}
  520. {% endif -%}
  521. users_{{ users.sudoers_dir }}/{{ name }}:
  522. file.absent:
  523. - name: {{ users.sudoers_dir }}/{{ name }}
  524. {% endfor %}
  525. {% for user in pillar.get('absent_users', []) %}
  526. users_absent_user_2_{{ user }}:
  527. user.absent:
  528. - name: {{ user }}
  529. users_2_{{ users.sudoers_dir }}/{{ user }}:
  530. file.absent:
  531. - name: {{ users.sudoers_dir }}/{{ user }}
  532. {% endfor %}
  533. {% for group in pillar.get('absent_groups', []) %}
  534. users_absent_group_{{ group }}:
  535. group.absent:
  536. - name: {{ group }}
  537. {% endfor %}