Saltstack Official Users Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

421 line
12KB

  1. # vim: sts=2 ts=2 sw=2 et ai
  2. {% from "users/map.jinja" import users with context %}
  3. {% set used_sudo = [] %}
  4. {% set used_googleauth = [] %}
  5. {% set used_user_files = [] %}
  6. {%- for name, user in pillar.get('users', {}).items()
  7. if user.absent is not defined or not user.absent %}
  8. {%- if user == None -%}
  9. {%- set user = {} -%}
  10. {%- endif -%}
  11. {%- if 'sudouser' in user and user['sudouser'] %}
  12. {%- do used_sudo.append(1) %}
  13. {%- endif %}
  14. {%- if 'google_auth' in user %}
  15. {%- do used_googleauth.append(1) %}
  16. {%- endif %}
  17. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
  18. {%- do used_user_files.append(1) %}
  19. {%- endif %}
  20. {%- endfor %}
  21. {%- if used_sudo or used_googleauth or used_user_files %}
  22. include:
  23. {%- if used_sudo %}
  24. - users.sudo
  25. {%- endif %}
  26. {%- if used_googleauth %}
  27. - users.googleauth
  28. {%- endif %}
  29. {%- if used_user_files %}
  30. - users.user_files
  31. {%- endif %}
  32. {%- endif %}
  33. {% for name, user in pillar.get('users', {}).items()
  34. if user.absent is not defined or not user.absent %}
  35. {%- if user == None -%}
  36. {%- set user = {} -%}
  37. {%- endif -%}
  38. {%- set home = user.get('home', "/home/%s" % name) -%}
  39. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
  40. {%- set user_group = user.prime_group.name -%}
  41. {%- else -%}
  42. {%- set user_group = name -%}
  43. {%- endif %}
  44. {% for group in user.get('groups', []) %}
  45. users_{{ name }}_{{ group }}_group:
  46. group:
  47. - name: {{ group }}
  48. - present
  49. {% endfor %}
  50. users_{{ name }}_user:
  51. {% if user.get('createhome', True) %}
  52. file.directory:
  53. - name: {{ home }}
  54. - user: {{ name }}
  55. - group: {{ user_group }}
  56. - mode: {{ user.get('user_dir_mode', '0750') }}
  57. - require:
  58. - user: users_{{ name }}_user
  59. - group: {{ user_group }}
  60. {%- endif %}
  61. group.present:
  62. - name: {{ user_group }}
  63. {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
  64. - gid: {{ user['prime_group']['gid'] }}
  65. {%- elif 'uid' in user %}
  66. - gid: {{ user['uid'] }}
  67. {%- endif %}
  68. user.present:
  69. - name: {{ name }}
  70. - home: {{ home }}
  71. - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
  72. {% if 'uid' in user -%}
  73. - uid: {{ user['uid'] }}
  74. {% endif -%}
  75. {% if 'password' in user -%}
  76. - password: '{{ user['password'] }}'
  77. {% endif -%}
  78. {% if 'enforce_password' in user -%}
  79. - enforce_password: {{ user['enforce_password'] }}
  80. {% endif -%}
  81. {% if user.get('system', False) -%}
  82. - system: True
  83. {% endif -%}
  84. {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
  85. - gid: {{ user['prime_group']['gid'] }}
  86. {% else -%}
  87. - gid_from_name: True
  88. {% endif -%}
  89. {% if 'fullname' in user %}
  90. - fullname: {{ user['fullname'] }}
  91. {% endif -%}
  92. {% if not user.get('createhome', True) %}
  93. - createhome: False
  94. {% endif %}
  95. {% if 'expire' in user -%}
  96. - expire: {{ user['expire'] }}
  97. {% endif -%}
  98. - remove_groups: {{ user.get('remove_groups', 'False') }}
  99. - groups:
  100. - {{ user_group }}
  101. {% for group in user.get('groups', []) -%}
  102. - {{ group }}
  103. {% endfor %}
  104. - require:
  105. - group: {{ user_group }}
  106. {% for group in user.get('groups', []) -%}
  107. - group: {{ group }}
  108. {% endfor %}
  109. {% if 'ssh_keys' in user or
  110. 'ssh_auth' in user or
  111. 'ssh_auth_file' in user or
  112. 'ssh_auth.absent' in user or
  113. 'ssh_config' in user %}
  114. user_keydir_{{ name }}:
  115. file.directory:
  116. - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
  117. - user: {{ name }}
  118. - group: {{ user_group }}
  119. - makedirs: True
  120. - mode: 700
  121. - require:
  122. - user: {{ name }}
  123. - group: {{ user_group }}
  124. {%- for group in user.get('groups', []) %}
  125. - group: {{ group }}
  126. {%- endfor %}
  127. {% endif %}
  128. {% if 'ssh_keys' in user %}
  129. {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
  130. users_user_{{ name }}_private_key:
  131. file.managed:
  132. - name: {{ user.get('home',
  133. '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
  134. - user: {{ name }}
  135. - group: {{ user_group }}
  136. - mode: 600
  137. - show_diff: False
  138. - contents_pillar: users:{{ name }}:ssh_keys:privkey
  139. - require:
  140. - user: users_{{ name }}_user
  141. {% for group in user.get('groups', []) %}
  142. - group: users_{{ name }}_{{ group }}_group
  143. {% endfor %}
  144. users_user_{{ name }}_public_key:
  145. file.managed:
  146. - name: {{ user.get('home',
  147. '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
  148. - user: {{ name }}
  149. - group: {{ user_group }}
  150. - mode: 644
  151. - show_diff: False
  152. - contents_pillar: users:{{ name }}:ssh_keys:pubkey
  153. - require:
  154. - user: users_{{ name }}_user
  155. {% for group in user.get('groups', []) %}
  156. - group: users_{{ name }}_{{ group }}_group
  157. {% endfor %}
  158. {% endif %}
  159. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
  160. users_authorized_keys_{{ name }}:
  161. file.managed:
  162. - name: {{ home }}/.ssh/authorized_keys
  163. - user: {{ name }}
  164. - group: {{ name }}
  165. - mode: 600
  166. {% if 'ssh_auth_file' in user %}
  167. - contents: |
  168. {% for auth in user.ssh_auth_file -%}
  169. {{ auth }}
  170. {% endfor -%}
  171. {% else %}
  172. - contents: |
  173. {%- for key_name, pillar_name in user['ssh_auth_pillar'].iteritems() %}
  174. {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
  175. {%- endfor %}
  176. {% endif %}
  177. {% endif %}
  178. {% if 'ssh_auth' in user %}
  179. {% for auth in user['ssh_auth'] %}
  180. users_ssh_auth_{{ name }}_{{ loop.index0 }}:
  181. ssh_auth.present:
  182. - user: {{ name }}
  183. - name: {{ auth }}
  184. - require:
  185. - file: users_{{ name }}_user
  186. - user: users_{{ name }}_user
  187. {% endfor %}
  188. {% endif %}
  189. {% if 'ssh_keys_pillar' in user %}
  190. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
  191. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
  192. file.managed:
  193. - name: {{ user.get('home',
  194. '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
  195. - user: {{ name }}
  196. - group: {{ user_group }}
  197. - mode: 600
  198. - show_diff: False
  199. - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
  200. - require:
  201. - user: users_{{ name }}_user
  202. {% for group in user.get('groups', []) %}
  203. - group: users_{{ name }}_{{ group }}_group
  204. {% endfor %}
  205. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
  206. file.managed:
  207. - name: {{ user.get('home',
  208. '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
  209. - user: {{ name }}
  210. - group: {{ user_group }}
  211. - mode: 644
  212. - show_diff: False
  213. - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
  214. - require:
  215. - user: users_{{ name }}_user
  216. {% for group in user.get('groups', []) %}
  217. - group: users_{{ name }}_{{ group }}_group
  218. {% endfor %}
  219. {% endfor %}
  220. {% endif %}
  221. {% if 'ssh_auth_sources' in user %}
  222. {% for pubkey_file in user['ssh_auth_sources'] %}
  223. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
  224. ssh_auth.present:
  225. - user: {{ name }}
  226. - source: {{ pubkey_file }}
  227. - require:
  228. - file: users_{{ name }}_user
  229. - user: users_{{ name }}_user
  230. {% endfor %}
  231. {% endif %}
  232. {% if 'ssh_auth.absent' in user %}
  233. {% for auth in user['ssh_auth.absent'] %}
  234. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
  235. ssh_auth.absent:
  236. - user: {{ name }}
  237. - name: {{ auth }}
  238. - require:
  239. - file: users_{{ name }}_user
  240. - user: users_{{ name }}_user
  241. {% endfor %}
  242. {% endif %}
  243. {% if 'ssh_config' in user %}
  244. users_ssh_config_{{ name }}:
  245. file.managed:
  246. - name: {{ home }}/.ssh/config
  247. - user: {{ name }}
  248. - group: {{ user_group }}
  249. - mode: 640
  250. - contents: |
  251. # Managed by Saltstack
  252. # Do Not Edit
  253. {% for label, setting in user.ssh_config.items() %}
  254. # {{ label }}
  255. Host {{ setting.get('hostname') }}
  256. {%- for opts in setting.get('options') %}
  257. {{ opts }}
  258. {%- endfor %}
  259. {% endfor -%}
  260. {% endif %}
  261. {% if 'ssh_known_hosts' in user %}
  262. {% for hostname, host in user['ssh_known_hosts'].items() %}
  263. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
  264. ssh_known_hosts.present:
  265. - user: {{ name }}
  266. - name: {{ hostname }}
  267. {% if 'port' in host %}
  268. - port: {{ host['port'] }}
  269. {% endif -%}
  270. {% if 'fingerprint' in host %}
  271. - fingerprint: {{ host['fingerprint'] }}
  272. {% endif -%}
  273. {% if 'key' in host %}
  274. - key: {{ host['key'] }}
  275. {% endif -%}
  276. {% if 'enc' in host %}
  277. - enc: {{ host['enc'] }}
  278. {% endif -%}
  279. {% endfor %}
  280. {% endif %}
  281. {% if 'ssh_known_hosts.absent' in user %}
  282. {% for host in user['ssh_known_hosts.absent'] %}
  283. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
  284. ssh_known_hosts.absent:
  285. - user: {{ name }}
  286. - name: {{ host }}
  287. {% endfor %}
  288. {% endif %}
  289. {% if 'sudouser' in user and user['sudouser'] %}
  290. users_sudoer-{{ name }}:
  291. file.managed:
  292. - name: {{ users.sudoers_dir }}/{{ name }}
  293. - user: root
  294. - group: {{ users.root_group }}
  295. - mode: '0440'
  296. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  297. {% if 'sudo_rules' in user %}
  298. {% for rule in user['sudo_rules'] %}
  299. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  300. cmd.run:
  301. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  302. - stateful: True
  303. - shell: {{ users.visudo_shell }}
  304. - env:
  305. # Specify the rule via an env var to avoid shell quoting issues.
  306. - rule: "{{ name }} {{ rule }}"
  307. - require_in:
  308. - file: users_{{ users.sudoers_dir }}/{{ name }}
  309. {% endfor %}
  310. {% endif %}
  311. {% if 'sudo_defaults' in user %}
  312. {% for entry in user['sudo_defaults'] %}
  313. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  314. cmd.run:
  315. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  316. - stateful: True
  317. - shell: {{ users.visudo_shell }}
  318. - env:
  319. # Specify the rule via an env var to avoid shell quoting issues.
  320. - rule: "Defaults:{{ name }} {{ entry }}"
  321. - require_in:
  322. - file: users_{{ users.sudoers_dir }}/{{ name }}
  323. {% endfor %}
  324. {% endif %}
  325. users_{{ users.sudoers_dir }}/{{ name }}:
  326. file.managed:
  327. - name: {{ users.sudoers_dir }}/{{ name }}
  328. - contents: |
  329. {%- if 'sudo_defaults' in user %}
  330. {%- for entry in user['sudo_defaults'] %}
  331. Defaults:{{ name }} {{ entry }}
  332. {%- endfor %}
  333. {%- endif %}
  334. {%- if 'sudo_rules' in user %}
  335. {%- for rule in user['sudo_rules'] %}
  336. {{ name }} {{ rule }}
  337. {%- endfor %}
  338. {%- endif %}
  339. - require:
  340. - file: users_sudoer-defaults
  341. - file: users_sudoer-{{ name }}
  342. {% endif %}
  343. {% else %}
  344. users_{{ users.sudoers_dir }}/{{ name }}:
  345. file.absent:
  346. - name: {{ users.sudoers_dir }}/{{ name }}
  347. {% endif %}
  348. {%- if 'google_auth' in user %}
  349. {%- for svc in user['google_auth'] %}
  350. users_googleauth-{{ svc }}-{{ name }}:
  351. file.managed:
  352. - replace: false
  353. - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
  354. - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
  355. - user: root
  356. - group: {{ users.root_group }}
  357. - mode: 400
  358. - require:
  359. - pkg: users_googleauth-package
  360. {%- endfor %}
  361. {%- endif %}
  362. {% endfor %}
  363. {% for name, user in pillar.get('users', {}).items()
  364. if user.absent is defined and user.absent %}
  365. users_absent_user_{{ name }}:
  366. {% if 'purge' in user or 'force' in user %}
  367. user.absent:
  368. - name: {{ name }}
  369. {% if 'purge' in user %}
  370. - purge: {{ user['purge'] }}
  371. {% endif %}
  372. {% if 'force' in user %}
  373. - force: {{ user['force'] }}
  374. {% endif %}
  375. {% else %}
  376. user.absent:
  377. - name: {{ name }}
  378. {% endif -%}
  379. users_{{ users.sudoers_dir }}/{{ name }}:
  380. file.absent:
  381. - name: {{ users.sudoers_dir }}/{{ name }}
  382. {% endfor %}
  383. {% for user in pillar.get('absent_users', []) %}
  384. users_absent_user_2_{{ user }}:
  385. user.absent
  386. users_2_{{ users.sudoers_dir }}/{{ user }}:
  387. file.absent:
  388. - name: {{ users.sudoers_dir }}/{{ user }}
  389. {% endfor %}
  390. {% for group in pillar.get('absent_groups', []) %}
  391. users_absent_group_{{ group }}:
  392. group.absent:
  393. - name: {{ group }}
  394. {% endfor %}