Saltstack Official Users Formula
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.

352 lines
10.0KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {%- for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}
  6. {%- if user == None -%}
  7. {%- set user = {} -%}
  8. {%- endif -%}
  9. {%- if 'sudouser' in user and user['sudouser'] %}
  10. {%- do used_sudo.append(1) %}
  11. {%- endif %}
  12. {%- if 'google_auth' in user %}
  13. {%- do used_googleauth.append(1) %}
  14. {%- endif %}
  15. {%- endfor %}
  16. {%- if used_sudo or used_googleauth %}
  17. include:
  18. {%- if used_sudo %}
  19. - users.sudo
  20. {%- endif %}
  21. {%- if used_googleauth %}
  22. - users.googleauth
  23. {%- endif %}
  24. {%- endif %}
  25. {% for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}
  26. {%- if user == None -%}
  27. {%- set user = {} -%}
  28. {%- endif -%}
  29. {%- set home = user.get('home', "/home/%s" % name) -%}
  30. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  31. {%- set user_group = user.prime_group.name -%}
  32. {%- else -%}
  33. {%- set user_group = name -%}
  34. {%- endif %}
  35. {% for group in user.get('groups', []) %}
  36. users_{{ name }}_{{ group }}_group:
  37. group:
  38. - name: {{ group }}
  39. - present
  40. {% endfor %}
  41. users_{{ name }}_user:
  42. {% if user.get('createhome', True) %}
  43. file.directory:
  44. - name: {{ home }}
  45. - user: {{ name }}
  46. - group: {{ user_group }}
  47. - mode: {{ user.get('user_dir_mode', '0750') }}
  48. - require:
  49. - user: users_{{ name }}_user
  50. - group: {{ user_group }}
  51. {%- endif %}
  52. group.present:
  53. - name: {{ user_group }}
  54. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  55. - gid: {{ user['prime_group']['gid'] }}
  56. {%- elif 'uid' in user %}
  57. - gid: {{ user['uid'] }}
  58. {%- endif %}
  59. user.present:
  60. - name: {{ name }}
  61. - home: {{ home }}
  62. - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
  63. {% if 'uid' in user -%}
  64. - uid: {{ user['uid'] }}
  65. {% endif -%}
  66. {% if 'password' in user -%}
  67. - password: '{{ user['password'] }}'
  68. {% endif -%}
  69. {% if 'enforce_password' in user -%}
  70. - enforce_password: '{{ user['enforce_password'] }}'
  71. {% endif -%}
  72. {% if user.get('system', False) -%}
  73. - system: True
  74. {% endif -%}
  75. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  76. - gid: {{ user['prime_group']['gid'] }}
  77. {% else -%}
  78. - gid_from_name: True
  79. {% endif -%}
  80. {% if 'fullname' in user %}
  81. - fullname: {{ user['fullname'] }}
  82. {% endif -%}
  83. {% if not user.get('createhome', True) %}
  84. - createhome: False
  85. {% endif %}
  86. {% if 'expire' in user -%}
  87. - expire: {{ user['expire'] }}
  88. {% endif -%}
  89. - remove_groups: {{ user.get('remove_groups', 'False') }}
  90. - groups:
  91. - {{ user_group }}
  92. {% for group in user.get('groups', []) -%}
  93. - {{ group }}
  94. {% endfor %}
  95. - require:
  96. - group: {{ user_group }}
  97. {% for group in user.get('groups', []) -%}
  98. - group: {{ group }}
  99. {% endfor %}
  100. {% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth.absent' in user %}
  101. user_keydir_{{ name }}:
  102. file.directory:
  103. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  104. - user: {{ name }}
  105. - group: {{ user_group }}
  106. - makedirs: True
  107. - mode: 700
  108. - require:
  109. - user: {{ name }}
  110. - group: {{ user_group }}
  111. {%- for group in user.get('groups', []) %}
  112. - group: {{ group }}
  113. {%- endfor %}
  114. {% endif %}
  115. {% if 'ssh_keys' in user %}
  116. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  117. users_user_{{ name }}_private_key:
  118. file.managed:
  119. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  120. - user: {{ name }}
  121. - group: {{ user_group }}
  122. - mode: 600
  123. - show_diff: False
  124. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  125. - require:
  126. - user: users_{{ name }}_user
  127. {% for group in user.get('groups', []) %}
  128. - group: users_{{ name }}_{{ group }}_group
  129. {% endfor %}
  130. users_user_{{ name }}_public_key:
  131. file.managed:
  132. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  133. - user: {{ name }}
  134. - group: {{ user_group }}
  135. - mode: 644
  136. - show_diff: False
  137. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  138. - require:
  139. - user: users_{{ name }}_user
  140. {% for group in user.get('groups', []) %}
  141. - group: users_{{ name }}_{{ group }}_group
  142. {% endfor %}
  143. {% endif %}
  144. {% if 'ssh_auth_file' in user %}
  145. users_authorized_keys_{{ name }}:
  146. file.managed:
  147. - name: {{ home }}/.ssh/authorized_keys
  148. - user: {{ name }}
  149. - group: {{ name }}
  150. - mode: 600
  151. - contents: |
  152. {% for auth in user.ssh_auth_file -%}
  153. {{ auth }}
  154. {% endfor -%}
  155. {% endif %}
  156. {% if 'ssh_auth' in user %}
  157. {% for auth in user['ssh_auth'] %}
  158. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  159. ssh_auth.present:
  160. - user: {{ name }}
  161. - name: {{ auth }}
  162. - require:
  163. - file: users_{{ name }}_user
  164. - user: users_{{ name }}_user
  165. {% endfor %}
  166. {% endif %}
  167. {% if 'ssh_keys_pillar' in user %}
  168. {% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems() %}
  169. users_ssh_keys_files_{{ name }}_{{ key_name }}_pub:
  170. file.managed:
  171. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
  172. }}.pub
  173. - contents: |
  174. {{ pillar[pillar_name][key_name]['pubkey'] }}
  175. users_ssh_keys_files_{{ name }}_{{ key_name }}_priv:
  176. file.managed:
  177. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name
  178. }}
  179. - contents: |
  180. {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}
  181. {% endfor %}
  182. {% endif %}
  183. {% if 'ssh_auth_sources' in user %}
  184. {% for pubkey_file in user['ssh_auth_sources'] %}
  185. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  186. ssh_auth.present:
  187. - user: {{ name }}
  188. - source: {{ pubkey_file }}
  189. - require:
  190. - file: users_{{ name }}_user
  191. - user: users_{{ name }}_user
  192. {% endfor %}
  193. {% endif %}
  194. {% if 'ssh_auth.absent' in user %}
  195. {% for auth in user['ssh_auth.absent'] %}
  196. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  197. ssh_auth.absent:
  198. - user: {{ name }}
  199. - name: {{ auth }}
  200. - require:
  201. - file: users_{{ name }}_user
  202. - user: users_{{ name }}_user
  203. {% endfor %}
  204. {% endif %}
  205. {% if 'ssh_config' in user %}
  206. users_ssh_config_{{ name }}:
  207. file.managed:
  208. - name: {{ home }}/.ssh/config
  209. - user: {{ name }}
  210. - group: {{ user_group }}
  211. - mode: 640
  212. - contents: |
  213. # Managed by Saltstack
  214. # Do Not Edit
  215. {% for label, setting in user.ssh_config.items() %}
  216. # {{ label }}
  217. Host {{ setting.get('hostname') }}
  218. {%- for opts in setting.get('options') %}
  219. {{ opts }}
  220. {%- endfor %}
  221. {% endfor -%}
  222. {% endif %}
  223. {% if 'sudouser' in user and user['sudouser'] %}
  224. users_sudoer-{{ name }}:
  225. file.managed:
  226. - name: {{ users.sudoers_dir }}/{{ name }}
  227. - user: root
  228. - group: {{ users.root_group }}
  229. - mode: '0440'
  230. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  231. {% if 'sudo_rules' in user %}
  232. {% for rule in user['sudo_rules'] %}
  233. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  234. cmd.run:
  235. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  236. - stateful: True
  237. - shell: {{ users.visudo_shell }}
  238. - env:
  239. # Specify the rule via an env var to avoid shell quoting issues.
  240. - rule: "{{ name }} {{ rule }}"
  241. - require_in:
  242. - file: users_{{ users.sudoers_dir }}/{{ name }}
  243. {% endfor %}
  244. {% endif %}
  245. {% if 'sudo_defaults' in user %}
  246. {% for entry in user['sudo_defaults'] %}
  247. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  248. cmd.run:
  249. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  250. - stateful: True
  251. - shell: {{ users.visudo_shell }}
  252. - env:
  253. # Specify the rule via an env var to avoid shell quoting issues.
  254. - rule: "Defaults:{{ name }} {{ entry }}"
  255. - require_in:
  256. - file: users_{{ users.sudoers_dir }}/{{ name }}
  257. {% endfor %}
  258. {% endif %}
  259. users_{{ users.sudoers_dir }}/{{ name }}:
  260. file.managed:
  261. - name: {{ users.sudoers_dir }}/{{ name }}
  262. - contents: |
  263. {%- if 'sudo_defaults' in user %}
  264. {%- for entry in user['sudo_defaults'] %}
  265. Defaults:{{ name }} {{ entry }}
  266. {%- endfor %}
  267. {%- endif %}
  268. {%- if 'sudo_rules' in user %}
  269. {%- for rule in user['sudo_rules'] %}
  270. {{ name }} {{ rule }}
  271. {%- endfor %}
  272. {%- endif %}
  273. - require:
  274. - file: users_sudoer-defaults
  275. - file: users_sudoer-{{ name }}
  276. {% endif %}
  277. {% else %}
  278. users_{{ users.sudoers_dir }}/{{ name }}:
  279. file.absent:
  280. - name: {{ users.sudoers_dir }}/{{ name }}
  281. {% endif %}
  282. {%- if 'google_auth' in user %}
  283. {%- for svc in user['google_auth'] %}
  284. users_googleauth-{{ svc }}-{{ name }}:
  285. file.managed:
  286. - replace: false
  287. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  288. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  289. - user: root
  290. - group: {{ users.root_group }}
  291. - mode: 400
  292. - require:
  293. - pkg: users_googleauth-package
  294. {%- endfor %}
  295. {%- endif %}
  296. {% endfor %}
  297. {% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %}
  298. users_absent_user_{{ name }}:
  299. {% if 'purge' in user or 'force' in user %}
  300. user.absent:
  301. - name: {{ name }}
  302. {% if 'purge' in user %}
  303. - purge: {{ user['purge'] }}
  304. {% endif %}
  305. {% if 'force' in user %}
  306. - force: {{ user['force'] }}
  307. {% endif %}
  308. {% else %}
  309. user.absent:
  310. - name: {{ name }}
  311. {% endif -%}
  312. users_{{ users.sudoers_dir }}/{{ name }}:
  313. file.absent:
  314. - name: {{ users.sudoers_dir }}/{{ name }}
  315. {% endfor %}
  316. {% for user in pillar.get('absent_users', []) %}
  317. users_absent_user_2_{{ user }}:
  318. user.absent
  319. users_2_{{ users.sudoers_dir }}/{{ user }}:
  320. file.absent:
  321. - name: {{ users.sudoers_dir }}/{{ user }}
  322. {% endfor %}
  323. {% for group in pillar.get('absent_groups', []) %}
  324. users_absent_group_{{ group }}:
  325. group.absent:
  326. - name: {{ group }}
  327. {% endfor %}