

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=sls
  3. {##
  4. Name: users/sudo.sls
  5. Description:
  6. Installs sudo, appends the global Defaults / #includedir lines to the sudoers file, and manages one sudoers.d drop-in per user flagged `sudouser`.
  7. #}
  8. {% from "users/map.jinja" import users_settings with context %}
  9. # Ensure availability of bash
  10. users-bashpackage-group-dir:
  11. pkg.installed:
  12. - name: {{ users_settings.bash_package }}
  13. group.present:
  14. - name: sudo
  15. - system: True
  16. file.directory:
  17. - name: {{ users_settings.sudoers_dir }}
  18. users-sudo-package:
  19. pkg.installed:
  20. - name: {{ users_settings.sudo_package }}
  21. - require:
  22. - group: users_sudo-group
  23. - file: {{ users_settings.sudoers_dir }}
  24. file.append:
  25. - name: {{ users_settings.sudoers_file }}
  26. - text:
  27. - Defaults env_reset
  28. - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  29. - '#includedir {{ users_settings.sudoers_dir }}'
  30. {% for name, user in users_settings.items() %}
  31. {% if user.absent is not defined or not user.absent or user != None %}
  32. {% if 'sudouser' in user and user['sudouser'] %}
  33. users-sudoer-{{ name }}:
  34. file.managed:
  35. - name: {{ users.sudoers_dir }}/{{ name }}
  36. - user: root
  37. - group: {{ users.root_group }}
  38. - mode: '0440'
  39. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
  40. {% if 'sudo_rules' in user %}
  41. {% for rule in user['sudo_rules'] %}
  42. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
  43. cmd.run:
  44. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  45. - stateful: True
  46. - shell: {{ users.visudo_shell }}
  47. - env:
  48. # Specify the rule via an env var to avoid shell quoting issues.
  49. - rule: "{{ name }} {{ rule }}"
  50. {% endfor %}
  51. {% endif %}
  52. {% if 'sudo_defaults' in user %}
  53. {% for entry in user['sudo_defaults'] %}
  54. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
  55. cmd.run:
  56. - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
  57. - stateful: True
  58. - shell: {{ users.visudo_shell }}
  59. - env:
  60. # Specify the rule via an env var to avoid shell quoting issues.
  61. - rule: "Defaults:{{ name }} {{ entry }}"
  62. {% endfor %}
  63. {% endif %}
  64. users_{{ users.sudoers_dir }}/{{ name }}:
  65. file.managed:
  66. - name: {{ users.sudoers_dir }}/{{ name }}
  67. - contents: |
  68. {%- if 'sudo_defaults' in user %}
  69. {%- for entry in user['sudo_defaults'] %}
  70. Defaults:{{ name }} {{ entry }}
  71. {%- endfor %}
  72. {%- endif %}
  73. {%- if 'sudo_rules' in user %}
  74. {%- for rule in user['sudo_rules'] %}
  75. {{ name }} {{ rule }}
  76. {%- endfor %}
  77. {%- endif %}
  78. {% endif %}
  79. {% else %}
  80. users_{{ users.sudoers_dir }}/{{ name }}:
  81. file.absent:
  82. - name: {{ users.sudoers_dir }}/{{ name }}
  83. {% endif %}
  84. {% endif %}
  85. {% endfor %}