salt
/
users-formula
feito fork de ExternalMirrors/users-formula
Observar 1
Favorito 0
Fork 0
Código Versões 0 Atividade
Saltstack Official Users Formula
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
124 Commits
2 Branches
Tag: 622b846d7f
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 622b846d7f
${ noResults }
users-formula/users/init.sls

343 linhas
9.7KB
Original Anotar Histórico 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. 

  6. {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  7. {%- if user == None -%}

  8. {%- set user = {} -%}

  9. {%- endif -%}

  10. {%- if 'sudouser' in user and user['sudouser'] %}

  11. {%- do used_sudo.append(1) %}

  12. {%- endif %}

  13. {%- if 'google_auth' in user %}

  14. {%- do used_googleauth.append(1) %}

  15. {%- endif %}

  16. {%- endfor %}

  17. 

  18. {%- if used_sudo or used_googleauth %}

  19. include:

  20. {%- if used_sudo %}

  21.   - users.sudo

  22. {%- endif %}

  23. {%- if used_googleauth %}

  24.   - users.googleauth

  25. {%- endif %}

  26. {%- endif %}

  27. 

  28. {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}

  29. {%- if user == None -%}

  30. {%- set user = {} -%}

  31. {%- endif -%}

  32. {%- set home = user.get('home', "/home/%s" % name) -%}

  33. 

  34. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  35. {%- set user_group = user.prime_group.name -%}

  36. {%- else -%}

  37. {%- set user_group = name -%}

  38. {%- endif %}

  39. 

  40. {% for group in user.get('groups', []) %}

  41. users_{{ name }}_{{ group }}_group:

  42.   group:

  43.     - name: {{ group }}

  44.     - present

  45. {% endfor %}

  46. 

  47. users_{{ name }}_user:

  48.   {% if user.get('createhome', True) %}

  49.   file.directory:

  50.     - name: {{ home }}

  51.     - user: {{ name }}

  52.     - group: {{ user_group }}

  53.     - mode: {{ user.get('user_dir_mode', '0750') }}

  54.     - require:

  55.       - user: {{ name }}

  56.       - group: {{ user_group }}

  57.   {%- endif %}

  58.   group.present:

  59.     - name: {{ user_group }}

  60.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  61.     - gid: {{ user['prime_group']['gid'] }}

  62.     {%- elif 'uid' in user %}

  63.     - gid: {{ user['uid'] }}

  64.     {%- endif %}

  65.   user.present:

  66.     - name: {{ name }}

  67.     - home: {{ home }}

  68.     - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}

  69.     {% if 'uid' in user -%}

  70.     - uid: {{ user['uid'] }}

  71.     {% endif -%}

  72.     {% if 'password' in user -%}

  73.     - password: '{{ user['password'] }}'

  74.     {% endif -%}

  75.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  76.     - gid: {{ user['prime_group']['gid'] }}

  77.     {% else -%}

  78.     - gid_from_name: True

  79.     {% endif -%}

  80.     {% if 'fullname' in user %}

  81.     - fullname: {{ user['fullname'] }}

  82.     {% endif -%}

  83.     {% if not user.get('createhome', True) %}

  84.     - createhome: False

  85.     {% endif %}

  86.     {% if 'expire' in user -%}

  87.     - expire: {{ user['expire'] }}

  88.     {% endif -%}

  89.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  90.     - groups:

  91.       - {{ user_group }}

  92.       {% for group in user.get('groups', []) -%}

  93.       - {{ group }}

  94.       {% endfor %}

  95.     - require:

  96.       - group: {{ user_group }}

  97.       {% for group in user.get('groups', []) -%}

  98.       - group: {{ group }}

  99.       {% endfor %}

  100. 

  101. users_user_keydir_{{ name }}:

  102.   file.directory:

  103.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  104.     - user: {{ name }}

  105.     - group: {{ user_group }}

  106.     - makedirs: True

  107.     - mode: 700

  108.     - require:

  109.       - user: {{ name }}

  110.       - group: {{ user_group }}

  111.       {%- for group in user.get('groups', []) %}

  112.       - group: {{ group }}

  113.       {%- endfor %}

  114. 

  115.   {% if 'ssh_keys' in user %}

  116.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  117. users_user_{{ name }}_private_key:

  118.   file.managed:

  119.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  120.     - user: {{ name }}

  121.     - group: {{ user_group }}

  122.     - mode: 600

  123.     - show_diff: False

  124.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  125.     - require:

  126.       - user: users_{{ name }}_user

  127.       {% for group in user.get('groups', []) %}

  128.       - group: users_{{ name }}_{{ group }}_group

  129.       {% endfor %}

  130. users_user_{{ name }}_public_key:

  131.   file.managed:

  132.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  133.     - user: {{ name }}

  134.     - group: {{ user_group }}

  135.     - mode: 644

  136.     - show_diff: False

  137.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  138.     - require:

  139.       - user: users_{{ name }}_user

  140.       {% for group in user.get('groups', []) %}

  141.       - group: users_{{ name }}_{{ group }}_group

  142.       {% endfor %}

  143.   {% endif %}

  144. 

  145. {% if 'ssh_auth_file' in user %}

  146. users_authorized_keys_{{ name }}:

  147.   file.managed:

  148.     - name: {{ home }}/.ssh/authorized_keys

  149.     - user: {{ name }}

  150.     - group: {{ name }}

  151.     - mode: 600

  152.     - contents: |

  153.         {% for auth in user.ssh_auth_file -%}

  154.         {{ auth }}

  155.         {% endfor -%}

  156. {% endif %}

  157. 

  158. {% if 'ssh_auth' in user %}

  159. {% for auth in user['ssh_auth'] %}

  160. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  161.   ssh_auth.present:

  162.     - user: {{ name }}

  163.     - name: {{ auth }}

  164.     - require:

  165.         - file: users_{{ name }}_user

  166.         - user: users_{{ name }}_user

  167. {% endfor %}

  168. {% endif %}

  169. 

  170. {% if 'ssh_keys_pillar' in user %}

  171. {% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems()  %}

  172. users_ssh_keys_files_{{ name }}_{{ key_name }}_pub:

  173.   file.managed:

  174.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name

  175.     }}.pub

  176.     - contents: |

  177.         {{ pillar[pillar_name][key_name]['pubkey'] }}

  178. users_ssh_keys_files_{{ name }}_{{ key_name }}_priv:

  179.   file.managed:

  180.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name

  181.     }}

  182.     - contents: |

  183.         {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }}

  184. {% endfor %}

  185. {% endif %}

  186. 

  187. {% if 'ssh_auth_sources' in user %}

  188. {% for pubkey_file in user['ssh_auth_sources'] %}

  189. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  190.   ssh_auth.present:

  191.     - user: {{ name }}

  192.     - source: {{ pubkey_file }}

  193.     - require:

  194.         - file: users_{{ name }}_user

  195.         - user: users_{{ name }}_user

  196. {% endfor %}

  197. {% endif %}

  198. 

  199. {% if 'ssh_auth.absent' in user %}

  200. {% for auth in user['ssh_auth.absent'] %}

  201. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  202.   ssh_auth.absent:

  203.     - user: {{ name }}

  204.     - name: {{ auth }}

  205.     - require:

  206.         - file: users_{{ name }}_user

  207.         - user: users_{{ name }}_user

  208. {% endfor %}

  209. {% endif %}

  210. 

  211. {% if 'ssh_config' in user %}

  212. users_ssh_config_{{ name }}:

  213.   file.managed:

  214.     - name: {{ home }}/.ssh/config

  215.     - user: {{ name }}

  216.     - group: {{ user_group }}

  217.     - mode: 640

  218.     - contents: |

  219.         # Managed by Saltstack

  220.         # Do Not Edit

  221.         {% for label, setting in user.ssh_config.items() %}

  222.         # {{ label }}

  223.         Host {{ setting.get('hostname') }}

  224.           {%- for opts in setting.get('options') %}

  225.           {{ opts }}

  226.           {%- endfor %}

  227.         {% endfor -%}

  228. {% endif %}

  229. 

  230. {% if 'sudouser' in user and user['sudouser'] %}

  231. 

  232. users_sudoer-{{ name }}:

  233.   file.managed:

  234.     - name: {{ users.sudoers_dir }}/{{ name }}

  235.     - user: root

  236.     - group: {{ users.root_group }}

  237.     - mode: '0440'

  238. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  239. {% if 'sudo_rules' in user %}

  240. {% for rule in user['sudo_rules'] %}

  241. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  242.   cmd.run:

  243.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  244.     - stateful: True

  245.     - shell: {{ users.visudo_shell }}

  246.     - env:

  247.       # Specify the rule via an env var to avoid shell quoting issues.

  248.       - rule: "{{ name }} {{ rule }}"

  249.     - require_in:

  250.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  251. {% endfor %}

  252. {% endif %}

  253. {% if 'sudo_defaults' in user %}

  254. {% for entry in user['sudo_defaults'] %}

  255. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  256.   cmd.run:

  257.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  258.     - stateful: True

  259.     - shell: {{ users.visudo_shell }}

  260.     - env:

  261.       # Specify the rule via an env var to avoid shell quoting issues.

  262.       - rule: "Defaults:{{ name }} {{ entry }}"

  263.     - require_in:

  264.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  265. {% endfor %}

  266. {% endif %}

  267. 

  268. users_{{ users.sudoers_dir }}/{{ name }}:

  269.   file.managed:

  270.     - name: {{ users.sudoers_dir }}/{{ name }}

  271.     - contents: |

  272.       {%- if 'sudo_defaults' in user %}

  273.       {%- for entry in user['sudo_defaults'] %}

  274.         Defaults:{{ name }} {{ entry }}

  275.       {%- endfor %}

  276.       {%- endif %}

  277.       {%- if 'sudo_rules' in user %}

  278.       {%- for rule in user['sudo_rules'] %}

  279.         {{ name }} {{ rule }}

  280.       {%- endfor %}

  281.       {%- endif %}

  282.     - require:

  283.       - file: users_sudoer-defaults

  284.       - file: users_sudoer-{{ name }}

  285. {% endif %}

  286. {% else %}

  287. users_{{ users.sudoers_dir }}/{{ name }}:

  288.   file.absent:

  289.     - name: {{ users.sudoers_dir }}/{{ name }}

  290. {% endif %}

  291. 

  292. {%- if 'google_auth' in user %}

  293. {%- for svc in user['google_auth'] %}

  294. users_googleauth-{{ svc }}-{{ name }}:

  295.   file.managed:

  296.     - replace: false

  297.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  298.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  299.     - user: root

  300.     - group: {{ users.root_group }}

  301.     - mode: 600

  302.     - require:

  303.       - pkg: users_googleauth-package

  304. {%- endfor %}

  305. {%- endif %}

  306. 

  307. {% endfor %}

  308. 

  309. {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

  310. users_absent_user_{{ name }}:

  311. {% if 'purge' in user or 'force' in user %}

  312.   user.absent:

  313.     - name: {{ name }}

  314.     {% if 'purge' in user %}

  315.     - purge: {{ user['purge'] }}

  316.     {% endif %}

  317.     {% if 'force' in user %}

  318.     - force: {{ user['force'] }}

  319.     {% endif %}

  320. {% else %}

  321.   user.absent:

  322.     - name: {{ name }}

  323. {% endif -%}

  324. users_{{ users.sudoers_dir }}/{{ name }}:

  325.   file.absent:

  326.     - name: {{ users.sudoers_dir }}/{{ name }}

  327. {% endfor %}

  328. 

  329. {% for user in pillar.get('absent_users', []) %}

  330. users_absent_user_2_{{ user }}:

  331.   user.absent

  332. users_2_{{ users.sudoers_dir }}/{{ user }}:

  333.   file.absent:

  334.     - name: {{ users.sudoers_dir }}/{{ user }}

  335. {% endfor %}

  336. 

  337. {% for group in pillar.get('absent_groups', []) %}

  338. users_absent_group_{{ group }}:

  339.   group.absent:

  340.     - name: {{ group }}

  341. {% endfor %}