Saltstack Official Users Formula
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.

484 lines
14KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudouser' in user and user['sudouser'] %}
  12. {%- do used_sudo.append(1) %}
  13. {%- endif %}
  14. {%- if 'google_auth' in user %}
  15. {%- do used_googleauth.append(1) %}
  16. {%- endif %}
  17. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  18. {%- do used_user_files.append(1) %}
  19. {%- endif %}
  20. {%- endfor %}
  21. {%- if used_sudo or used_googleauth or used_user_files %}
  22. include:
  23. {%- if used_sudo %}
  24. - users.sudo
  25. {%- endif %}
  26. {%- if used_googleauth %}
  27. - users.googleauth
  28. {%- endif %}
  29. {%- if used_user_files %}
  30. - users.user_files
  31. {%- endif %}
  32. {%- endif %}
  33. {% for name, user in pillar.get('users', {}).items()
  34. if user.absent is not defined or not user.absent %}
  35. {%- if user == None -%}
  36. {%- set user = {} -%}
  37. {%- endif -%}
  38. {%- set current = salt.user.info(name) -%}
  39. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
  40. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  41. {%- set user_group = user.prime_group.name -%}
  42. {%- else -%}
  43. {%- set user_group = name -%}
  44. {%- endif %}
  45. {% for group in user.get('groups', []) %}
  46. users_{{ name }}_{{ group }}_group:
  47. group.present:
  48. - name: {{ group }}
  49. {% if group == 'sudo' %}
  50. - system: True
  51. {% endif %}
  52. {% endfor %}
  53. users_{{ name }}_user:
  54. {% if user.get('createhome', True) %}
  55. file.directory:
  56. - name: {{ home }}
  57. - user: {{ name }}
  58. - group: {{ user_group }}
  59. - mode: {{ user.get('user_dir_mode', '0750') }}
  60. - require:
  61. - user: users_{{ name }}_user
  62. - group: {{ user_group }}
  63. {%- endif %}
  64. group.present:
  65. - name: {{ user_group }}
  66. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  67. - gid: {{ user['prime_group']['gid'] }}
  68. {%- elif 'uid' in user %}
  69. - gid: {{ user['uid'] }}
  70. {%- endif %}
  71. {% if 'system' in user and user['system'] %}
  72. - system: True
  73. {% endif %}
  74. user.present:
  75. - name: {{ name }}
  76. - home: {{ home }}
  77. - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
  78. {% if 'uid' in user -%}
  79. - uid: {{ user['uid'] }}
  80. {% endif -%}
  81. {% if 'password' in user -%}
  82. - password: '{{ user['password'] }}'
  83. {% endif -%}
  84. {% if user.get('empty_password') -%}
  85. - empty_password: {{ user.get('empty_password') }}
  86. {% endif -%}
  87. {% if 'enforce_password' in user -%}
  88. - enforce_password: {{ user['enforce_password'] }}
  89. {% endif -%}
  90. {% if user.get('system', False) -%}
  91. - system: True
  92. {% endif -%}
  93. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  94. - gid: {{ user['prime_group']['gid'] }}
  95. {% else -%}
  96. - gid_from_name: True
  97. {% endif -%}
  98. {% if 'fullname' in user %}
  99. - fullname: {{ user['fullname'] }}
  100. {% endif -%}
  101. {% if 'roomnumber' in user %}
  102. - roomnumber: {{ user['roomnumber'] }}
  103. {% endif %}
  104. {% if 'workphone' in user %}
  105. - workphone: {{ user['workphone'] }}
  106. {% endif %}
  107. {% if 'homephone' in user %}
  108. - homephone: {{ user['workphone'] }}
  109. {% endif %}
  110. {% if not user.get('createhome', True) %}
  111. - createhome: False
  112. {% endif %}
  113. {% if 'expire' in user -%}
  114. {% if grains['kernel'].endswith('BSD') and
  115. user['expire'] < 157766400 %}
  116. {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
  117. - expire: {{ user['expire'] * 86400 }}
  118. {% elif grains['kernel'] == 'Linux' and
  119. user['expire'] > 84006 %}
  120. {# 2932896 days since epoch equals 9999-12-31 #}
  121. - expire: {{ (user['expire'] / 86400) | int}}
  122. {% else %}
  123. - expire: {{ user['expire'] }}
  124. {% endif %}
  125. {% endif -%}
  126. - remove_groups: {{ user.get('remove_groups', 'False') }}
  127. - groups:
  128. - {{ user_group }}
  129. {% for group in user.get('groups', []) -%}
  130. - {{ group }}
  131. {% endfor %}
  132. - require:
  133. - group: {{ user_group }}
  134. {% for group in user.get('groups', []) -%}
  135. - group: {{ group }}
  136. {% endfor %}
  137. {% if 'ssh_keys' in user or
  138. 'ssh_auth' in user or
  139. 'ssh_auth_file' in user or
  140. 'ssh_auth_pillar' in user or
  141. 'ssh_auth.absent' in user or
  142. 'ssh_config' in user %}
  143. user_keydir_{{ name }}:
  144. file.directory:
  145. - name: {{ home }}/.ssh
  146. - user: {{ name }}
  147. - group: {{ user_group }}
  148. - makedirs: True
  149. - mode: 700
  150. - require:
  151. - user: {{ name }}
  152. - group: {{ user_group }}
  153. {%- for group in user.get('groups', []) %}
  154. - group: {{ group }}
  155. {%- endfor %}
  156. {% endif %}
  157. {% if 'ssh_keys' in user %}
  158. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  159. users_user_{{ name }}_private_key:
  160. file.managed:
  161. - name: {{ home }}/.ssh/{{ key_type }}
  162. - user: {{ name }}
  163. - group: {{ user_group }}
  164. - mode: 600
  165. - show_diff: False
  166. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  167. - require:
  168. - user: users_{{ name }}_user
  169. {% for group in user.get('groups', []) %}
  170. - group: users_{{ name }}_{{ group }}_group
  171. {% endfor %}
  172. users_user_{{ name }}_public_key:
  173. file.managed:
  174. - name: {{ home }}/.ssh/{{ key_type }}.pub
  175. - user: {{ name }}
  176. - group: {{ user_group }}
  177. - mode: 644
  178. - show_diff: False
  179. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  180. - require:
  181. - user: users_{{ name }}_user
  182. {% for group in user.get('groups', []) %}
  183. - group: users_{{ name }}_{{ group }}_group
  184. {% endfor %}
  185. {% endif %}
  186. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  187. users_authorized_keys_{{ name }}:
  188. file.managed:
  189. - name: {{ home }}/.ssh/authorized_keys
  190. - user: {{ name }}
  191. - group: {{ user_group }}
  192. - mode: 600
  193. {% if 'ssh_auth_file' in user %}
  194. - contents: |
  195. {% for auth in user.ssh_auth_file -%}
  196. {{ auth }}
  197. {% endfor -%}
  198. {% else %}
  199. {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
  200. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  201. {%- endfor %}
  202. {% endif %}
  203. {% endif %}
  204. {% if 'ssh_auth' in user %}
  205. {% for auth in user['ssh_auth'] %}
  206. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  207. ssh_auth.present:
  208. - user: {{ name }}
  209. - name: {{ auth }}
  210. - require:
  211. - file: user_keydir_{{ name }}
  212. - user: users_{{ name }}_user
  213. {% endfor %}
  214. {% endif %}
  215. {% if 'ssh_keys_pillar' in user %}
  216. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  217. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  218. file.managed:
  219. - name: {{ home }}/.ssh/{{ key_name }}
  220. - user: {{ name }}
  221. - group: {{ user_group }}
  222. - mode: 600
  223. - show_diff: False
  224. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  225. - require:
  226. - user: users_{{ name }}_user
  227. {% for group in user.get('groups', []) %}
  228. - group: users_{{ name }}_{{ group }}_group
  229. {% endfor %}
  230. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  231. file.managed:
  232. - name: {{ home }}/.ssh/{{ key_name }}.pub
  233. - user: {{ name }}
  234. - group: {{ user_group }}
  235. - mode: 644
  236. - show_diff: False
  237. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  238. - require:
  239. - user: users_{{ name }}_user
  240. {% for group in user.get('groups', []) %}
  241. - group: users_{{ name }}_{{ group }}_group
  242. {% endfor %}
  243. {% endfor %}
  244. {% endif %}
  245. {% if 'ssh_auth_sources' in user %}
  246. {% for pubkey_file in user['ssh_auth_sources'] %}
  247. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  248. ssh_auth.present:
  249. - user: {{ name }}
  250. - source: {{ pubkey_file }}
  251. - require:
  252. - file: users_{{ name }}_user
  253. - user: users_{{ name }}_user
  254. {% endfor %}
  255. {% endif %}
  256. {% if 'ssh_auth.absent' in user %}
  257. {% for auth in user['ssh_auth.absent'] %}
  258. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  259. ssh_auth.absent:
  260. - user: {{ name }}
  261. - name: {{ auth }}
  262. - require:
  263. - file: users_{{ name }}_user
  264. - user: users_{{ name }}_user
  265. {% endfor %}
  266. {% endif %}
  267. {% if 'ssh_config' in user %}
  268. users_ssh_config_{{ name }}:
  269. file.managed:
  270. - name: {{ home }}/.ssh/config
  271. - user: {{ name }}
  272. - group: {{ user_group }}
  273. - mode: 640
  274. - contents: |
  275. # Managed by Saltstack
  276. # Do Not Edit
  277. {% for label, setting in user.ssh_config.items() %}
  278. # {{ label }}
  279. Host {{ setting.get('hostname') }}
  280. {%- for opts in setting.get('options') %}
  281. {{ opts }}
  282. {%- endfor %}
  283. {% endfor -%}
  284. {% endif %}
  285. {% if 'ssh_known_hosts' in user %}
  286. {% for hostname, host in user['ssh_known_hosts'].items() %}
  287. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  288. ssh_known_hosts.present:
  289. - user: {{ name }}
  290. - name: {{ hostname }}
  291. {% if 'port' in host %}
  292. - port: {{ host['port'] }}
  293. {% endif -%}
  294. {% if 'fingerprint' in host %}
  295. - fingerprint: {{ host['fingerprint'] }}
  296. {% endif -%}
  297. {% if 'key' in host %}
  298. - key: {{ host['key'] }}
  299. {% endif -%}
  300. {% if 'enc' in host %}
  301. - enc: {{ host['enc'] }}
  302. {% endif -%}
  303. {% if 'hash_hostname' in host %}
  304. - hash_hostname: {{ host['hash_hostname'] }}
  305. {% endif -%}
  306. {% endfor %}
  307. {% endif %}
  308. {% if 'ssh_known_hosts.absent' in user %}
  309. {% for host in user['ssh_known_hosts.absent'] %}
  310. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  311. ssh_known_hosts.absent:
  312. - user: {{ name }}
  313. - name: {{ host }}
  314. {% endfor %}
  315. {% endif %}
  316. {% if 'sudouser' in user and user['sudouser'] %}
  317. users_sudoer-{{ name }}:
  318. file.managed:
  319. - name: {{ users.sudoers_dir }}/{{ name }}
  320. - user: root
  321. - group: {{ users.root_group }}
  322. - mode: '0440'
  323. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  324. #{#%
  325. {% if 'sudo_rules' in user %}
  326. {% for rule in user['sudo_rules'] %}
  327. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  328. cmd.run:
  329. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  330. - stateful: True
  331. - shell: {{ users.visudo_shell }}
  332. - env:
  333. # Specify the rule via an env var to avoid shell quoting issues.
  334. - rule: "{{ name }} {{ rule }}"
  335. - require_in:
  336. - file: users_{{ users.sudoers_dir }}/{{ name }}
  337. {% endfor %}
  338. {% endif %}
  339. {% if 'sudo_defaults' in user %}
  340. {% for entry in user['sudo_defaults'] %}
  341. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  342. cmd.run:
  343. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  344. - stateful: True
  345. - shell: {{ users.visudo_shell }}
  346. - env:
  347. # Specify the rule via an env var to avoid shell quoting issues.
  348. - rule: "Defaults:{{ name }} {{ entry }}"
  349. - require_in:
  350. - file: users_{{ users.sudoers_dir }}/{{ name }}
  351. {% endfor %}
  352. {% endif %}
  353. #%#}
  354. users_{{ users.sudoers_dir }}/{{ name }}:
  355. file.managed:
  356. - name: {{ users.sudoers_dir }}/{{ name }}
  357. - contents: |
  358. {%- if 'sudo_defaults' in user %}
  359. {%- for entry in user['sudo_defaults'] %}
  360. Defaults:{{ name }} {{ entry }}
  361. {%- endfor %}
  362. {%- endif %}
  363. {%- if 'sudo_rules' in user %}
  364. ########################################################################
  365. # File managed by Salt (users-formula).
  366. # Your changes will be overwritten.
  367. ########################################################################
  368. #
  369. {%- for rule in user['sudo_rules'] %}
  370. {{ name }} {{ rule }}
  371. {%- endfor %}
  372. {%- endif %}
  373. - require:
  374. - file: users_sudoer-defaults
  375. - file: users_sudoer-{{ name }}
  376. cmd.wait:
  377. - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )
  378. - watch:
  379. - file: {{ users.sudoers_dir }}/{{ name }}
  380. {% endif %}
  381. {% else %}
  382. users_{{ users.sudoers_dir }}/{{ name }}:
  383. file.absent:
  384. - name: {{ users.sudoers_dir }}/{{ name }}
  385. {% endif %}
  386. {%- if 'google_auth' in user %}
  387. {%- for svc in user['google_auth'] %}
  388. users_googleauth-{{ svc }}-{{ name }}:
  389. file.managed:
  390. - replace: false
  391. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  392. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  393. - user: root
  394. - group: {{ users.root_group }}
  395. - mode: 400
  396. - require:
  397. - pkg: users_googleauth-package
  398. {%- endfor %}
  399. {%- endif %}
  400. {% if 'gitconfig' in user %}
  401. {% if not salt['cmd.has_exec']('git') %}
  402. skip_{{ name }}_gitconfig_since_git_not_installed:
  403. test.fail_without_changes:
  404. - name: "Git configuration for user {{ name }} has been skipped because Git is not installed."
  405. {% else %}
  406. {% for key, value in user['gitconfig'].items() %}
  407. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
  408. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  409. git.config_set:
  410. {% else %}
  411. git.config:
  412. {% endif %}
  413. - name: {{ key }}
  414. - value: "{{ value }}"
  415. - user: {{ name }}
  416. {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}
  417. - global: True
  418. {% else %}
  419. - is_global: True
  420. {% endif %}
  421. {% endfor %}
  422. {% endif %}
  423. {% endif %}
  424. {% endfor %}
  425. {% for name, user in pillar.get('users', {}).items()
  426. if user.absent is defined and user.absent %}
  427. users_absent_user_{{ name }}:
  428. {% if 'purge' in user or 'force' in user %}
  429. user.absent:
  430. - name: {{ name }}
  431. {% if 'purge' in user %}
  432. - purge: {{ user['purge'] }}
  433. {% endif %}
  434. {% if 'force' in user %}
  435. - force: {{ user['force'] }}
  436. {% endif %}
  437. {% else %}
  438. user.absent:
  439. - name: {{ name }}
  440. {% endif -%}
  441. users_{{ users.sudoers_dir }}/{{ name }}:
  442. file.absent:
  443. - name: {{ users.sudoers_dir }}/{{ name }}
  444. {% endfor %}
  445. {% for user in pillar.get('absent_users', []) %}
  446. users_absent_user_2_{{ user }}:
  447. user.absent
  448. users_2_{{ users.sudoers_dir }}/{{ user }}:
  449. file.absent:
  450. - name: {{ users.sudoers_dir }}/{{ user }}
  451. {% endfor %}
  452. {% for group in pillar.get('absent_groups', []) %}
  453. users_absent_group_{{ group }}:
  454. group.absent:
  455. - name: {{ group }}
  456. {% endfor %}