salt
/
users-formula
派生自 ExternalMirrors/users-formula
关注 1
点赞 0
派生 0
代码 版本发布 0 动态
Saltstack Official Users Formula
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
60 提交
2 分支
目录树: 2032369f0b
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '2032369f0b'
${ noResults }
users-formula/users/init.sls

194 行
4.9KB
原始文件 Blame 文件历史 

  1. include:

  2.   - users.sudo

  3. 

  4. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  5. {%- if user == None -%}

  6. {%- set user = {} -%}

  7. {%- endif -%}

  8. {%- set home = user.get('home', "/home/%s" % name) -%}

  9. 

  10. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  11. {%- set user_group = user.prime_group.name -%}

  12. {%- else -%}

  13. {%- set user_group = name -%}

  14. {%- endif %}

  15. 

  16. {% for group in user.get('groups', []) %}

  17. {{ name }}_{{ group }}_group:

  18.   group:

  19.     - name: {{ group }}

  20.     - present

  21. {% endfor %}

  22. 

  23. {{ name }}_user:

  24.   file.directory:

  25.     - name: {{ home }}

  26.     - user: {{ name }}

  27.     - group: {{ user_group }}

  28.     - mode: 0755

  29.     - require:

  30.       - user: {{ name }}

  31.       - group: {{ user_group }}

  32.   group.present:

  33.     - name: {{ user_group }}

  34.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  35.     - gid: {{ user['prime_group']['gid'] }}

  36.     {%- elif 'uid' in user %}

  37.     - gid: {{ user['uid'] }}

  38.     {%- endif %}

  39.   user.present:

  40.     - name: {{ name }}

  41.     - home: {{ home }}

  42.     - shell: {{ user.get('shell', '/bin/bash') }}

  43.     {% if 'uid' in user -%}

  44.     - uid: {{ user['uid'] }}

  45.     {% endif -%}

  46.     {% if 'password' in user -%}

  47.     - password: {{ user['password'] }}

  48.     {% endif -%}

  49.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  50.     - gid: {{ user['prime_group']['gid'] }}

  51.     {% else -%}

  52.     - gid_from_name: True

  53.     {% endif -%}

  54.     {% if 'fullname' in user %}

  55.     - fullname: {{ user['fullname'] }}

  56.     {% endif -%}

  57.     - groups:

  58.       - {{ user_group }}

  59.       {% for group in user.get('groups', []) -%}

  60.       - {{ group }}

  61.       {% endfor %}

  62.     - require:

  63.       - group: {{ user_group }}

  64.       {% for group in user.get('groups', []) -%}

  65.       - group: {{ group }}

  66.       {% endfor %}

  67. 

  68. user_keydir_{{ name }}:

  69.   file.directory:

  70.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  71.     - user: {{ name }}

  72.     - group: {{ user_group }}

  73.     - makedirs: True

  74.     - mode: 700

  75.     - require:

  76.       - user: {{ name }}

  77.       - group: {{ user_group }}

  78.       {%- for group in user.get('groups', []) %}

  79.       - group: {{ group }}

  80.       {%- endfor %}

  81. 

  82.   {% if 'ssh_keys' in user %}

  83.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  84. user_{{ name }}_private_key:

  85.   file.managed:

  86.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  87.     - user: {{ name }}

  88.     - group: {{ user_group }}

  89.     - mode: 600

  90.     - show_diff: False

  91.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  92.     - require:

  93.       - user: {{ name }}_user

  94.       {% for group in user.get('groups', []) %}

  95.       - group: {{ name }}_{{ group }}_group

  96.       {% endfor %}

  97. user_{{ name }}_public_key:

  98.   file.managed:

  99.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  100.     - user: {{ name }}

  101.     - group: {{ user_group }}

  102.     - mode: 644

  103.     - show_diff: False

  104.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  105.     - require:

  106.       - user: {{ name }}_user

  107.       {% for group in user.get('groups', []) %}

  108.       - group: {{ name }}_{{ group }}_group

  109.       {% endfor %}

  110.   {% endif %}

  111. 

  112. 

  113. {% if 'ssh_auth' in user %}

  114. {% for auth in user['ssh_auth'] %}

  115. ssh_auth_{{ name }}_{{ loop.index0 }}:

  116.   ssh_auth.present:

  117.     - user: {{ name }}

  118.     - name: {{ auth }}

  119.     - require:

  120.         - file: {{ name }}_user

  121.         - user: {{ name }}_user

  122. {% endfor %}

  123. {% endif %}

  124. 

  125. 

  126. {% if 'sudouser' in user and user['sudouser'] %}

  127. sudoer-{{ name }}:

  128.   file.managed:

  129.     - name: /etc/sudoers.d/{{ name }}

  130.     - user: root

  131.     - group: root

  132.     - mode: '0440'

  133. {% if 'sudo_rules' in user %}

  134. {% for rule in user['sudo_rules'] %}

  135. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  136.   cmd.run:

  137.     - name: 'visudo -cf - <<<"$rule"'

  138.     - env:

  139.       # Specify the rule via an env var to avoid shell quoting issues.

  140.       - rule: "{{ name }} {{ rule }}"

  141.     - require_in:

  142.       - file: /etc/sudoers.d/{{ name }}

  143. {% endfor %}

  144. 

  145. /etc/sudoers.d/{{ name }}:

  146.   file.managed:

  147.     - contents: |

  148.       {%- for rule in user['sudo_rules'] %}

  149.         {{ name }} {{ rule }}

  150.       {%- endfor %}

  151.     - require:

  152.       - file: sudoer-defaults

  153.       - file: sudoer-{{ name }}

  154. {% endif %}

  155. {% else %}

  156. /etc/sudoers.d/{{ name }}:

  157.   file.absent:

  158.     - name: /etc/sudoers.d/{{ name }}

  159. {% endif %}

  160. 

  161. {% endfor %}

  162. 

  163. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

  164. {{ name }}:

  165. {% if 'purge' in user or 'force' in user %}

  166.   user.absent:

  167.     {% if 'purge' in user %}

  168.     - purge: {{ user['purge'] }}

  169.     {% endif %}

  170.     {% if 'force' in user %}

  171.     - force: {{ user['force'] }}

  172.     {% endif %}

  173. {% else %}

  174.   user.absent

  175. {% endif -%}

  176. /etc/sudoers.d/{{ name }}:

  177.   file.absent:

  178.     - name: /etc/sudoers.d/{{ name }}

  179. {% endfor %}

  180. 

  181. {% for user in pillar.get('absent_users', []) %}

  182. {{ user }}:

  183.   user.absent

  184. /etc/sudoers.d/{{ user }}:

  185.   file.absent:

  186.     - name: /etc/sudoers.d/{{ user }}

  187. {% endfor %}

  188. 

  189. {% for group in pillar.get('absent_groups', []) %}

  190. {{ group }}:

  191.   group.absent

  192. {% endfor %}