salt
/
users-formula
sforkowany z ExternalMirrors/users-formula
Obserwuj 1
Polub 0
Forkuj 0
Kod Wydania 0 Aktywność
Saltstack Official Users Formula
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
234 Commity
2 Gałęzie
Drzewo: e486032283
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'e486032283'
${ noResults }
users-formula/users/init.sls

517 lines
15KB
Czysty Wina Historia 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {% for group, setting in salt['pillar.get']('groups', {}).iteritems() %}

  8. users_group_{{ setting.get('state', "present") }}_{{ group }}:

  9.   group.{{ setting.get('state', "present") }}:

  10.     - name: {{ group }}

  11.     {%- if setting.get('gid') %}

  12.     - gid: {{setting.get('gid')  }}

  13.     {%- endif %}

  14.     - system: {{ setting.get('system',"False") }}

  15. {% endfor %}

  16. 

  17. {%- for name, user in pillar.get('users', {}).items()

  18.         if user.absent is not defined or not user.absent %}

  19. {%- if user == None -%}

  20. {%- set user = {} -%}

  21. {%- endif -%}

  22. {%- if 'sudouser' in user and user['sudouser'] %}

  23. {%- do used_sudo.append(1) %}

  24. {%- endif %}

  25. {%- if 'google_auth' in user %}

  26. {%- do used_googleauth.append(1) %}

  27. {%- endif %}

  28. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  29. {%- do used_user_files.append(1) %}

  30. {%- endif %}

  31. {%- endfor %}

  32. 

  33. {%- if used_sudo or used_googleauth or used_user_files %}

  34. include:

  35. {%- if used_sudo %}

  36.   - users.sudo

  37. {%- endif %}

  38. {%- if used_googleauth %}

  39.   - users.googleauth

  40. {%- endif %}

  41. {%- if used_user_files %}

  42.   - users.user_files

  43. {%- endif %}

  44. {%- endif %}

  45. 

  46. {% for name, user in pillar.get('users', {}).items()

  47.         if user.absent is not defined or not user.absent %}

  48. {%- if user == None -%}

  49. {%- set user = {} -%}

  50. {%- endif -%}

  51. {%- set current = salt.user.info(name) -%}

  52. {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}

  53. 

  54. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  55. {%- set user_group = user.prime_group.name -%}

  56. {%- else -%}

  57. {%- set user_group = name -%}

  58. {%- endif %}

  59. 

  60. {% for group in user.get('groups', []) %}

  61. users_{{ name }}_{{ group }}_group:

  62.   group.present:

  63.     - name: {{ group }}

  64.     {% if group == 'sudo' %}

  65.     - system: True

  66.     {% endif %}

  67. {% endfor %}

  68. 

  69. users_{{ name }}_user:

  70.   {% if user.get('createhome', True) %}

  71.   file.directory:

  72.     - name: {{ home }}

  73.     - user: {{ user.get('homedir_owner', name) }}

  74.     - group: {{ user.get('homedir_group', user_group) }}

  75.     - mode: {{ user.get('user_dir_mode', '0750') }}

  76.     - require:

  77.       - user: users_{{ name }}_user

  78.       - group: {{ user_group }}

  79.   {%- endif %}

  80.   group.present:

  81.     - name: {{ user_group }}

  82.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  83.     - gid: {{ user['prime_group']['gid'] }}

  84.     {%- elif 'uid' in user %}

  85.     - gid: {{ user['uid'] }}

  86.     {%- endif %}

  87.     {% if 'system' in user and user['system'] %}

  88.     - system: True

  89.     {% endif %}

  90.   user.present:

  91.     - name: {{ name }}

  92.     {% if user.get('createhome', True) -%}

  93.     - home: {{ home }}

  94.     {% endif -%}

  95.     - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}

  96.     {% if 'uid' in user -%}

  97.     - uid: {{ user['uid'] }}

  98.     {% endif -%}

  99.     {% if 'password' in user -%}

  100.     - password: '{{ user['password'] }}'

  101.     {% endif -%}

  102.     {% if user.get('empty_password') -%}

  103.     - empty_password: {{ user.get('empty_password') }}

  104.     {% endif -%}

  105.     {% if 'enforce_password' in user -%}

  106.     - enforce_password: {{ user['enforce_password'] }}

  107.     {% endif -%}

  108.     {% if 'hash_password' in user -%}

  109.     - hash_password: {{ user['hash_password'] }}

  110.     {% endif -%}

  111.     {% if user.get('system', False) -%}

  112.     - system: True

  113.     {% endif -%}

  114.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  115.     - gid: {{ user['prime_group']['gid'] }}

  116.     {% elif 'prime_group' in user and 'name' in user['prime_group'] %}

  117.     - gid: {{ user['prime_group']['name'] }}

  118.     {% else -%}

  119.     - gid_from_name: True

  120.     {% endif -%}

  121.     {% if 'fullname' in user %}

  122.     - fullname: {{ user['fullname'] }}

  123.     {% endif -%}

  124.     {% if 'roomnumber' in user %}

  125.     - roomnumber: {{ user['roomnumber'] }}

  126.     {% endif %}

  127.     {% if 'workphone' in user %}

  128.     - workphone: {{ user['workphone'] }}

  129.     {% endif %}

  130.     {% if 'homephone' in user %}

  131.     - homephone: {{ user['workphone'] }}

  132.     {% endif %}

  133.     {% if not user.get('createhome', True) %}

  134.     - createhome: False

  135.     {% endif %}

  136.     {% if 'expire' in user -%}

  137.         {% if grains['kernel'].endswith('BSD') and

  138.             user['expire'] < 157766400 %}

  139.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  140.     - expire: {{ user['expire'] * 86400 }}

  141.         {% elif grains['kernel'] == 'Linux' and

  142.             user['expire'] > 84006 %}

  143.         {# 2932896 days since epoch equals 9999-12-31 #}

  144.     - expire: {{ (user['expire'] / 86400) | int}}

  145.         {% else %}

  146.     - expire: {{ user['expire'] }}

  147.         {% endif %}

  148.     {% endif -%}

  149.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  150.     - groups:

  151.       - {{ user_group }}

  152.       {% for group in user.get('groups', []) -%}

  153.       - {{ group }}

  154.       {% endfor %}

  155.     {% if 'optional_groups' in user %}

  156.     - optional_groups:

  157.       {% for optional_group in user['optional_groups'] -%}

  158.       - {{optional_group}}

  159.       {% endfor %}

  160.     {% endif %}

  161.     - require:

  162.       - group: {{ user_group }}

  163.       {% for group in user.get('groups', []) -%}

  164.       - group: {{ group }}

  165.       {% endfor %}

  166. 

  167. 

  168.   {% if 'ssh_keys' in user or

  169.       'ssh_auth' in user or

  170.       'ssh_auth_file' in user or

  171.       'ssh_auth_pillar' in user or

  172.       'ssh_auth.absent' in user or

  173.       'ssh_config' in user %}

  174. user_keydir_{{ name }}:

  175.   file.directory:

  176.     - name: {{ home }}/.ssh

  177.     - user: {{ name }}

  178.     - group: {{ user_group }}

  179.     - makedirs: True

  180.     - mode: 700

  181.     - require:

  182.       - user: {{ name }}

  183.       - group: {{ user_group }}

  184.       {%- for group in user.get('groups', []) %}

  185.       - group: {{ group }}

  186.       {%- endfor %}

  187.   {% endif %}

  188. 

  189.   {% if 'ssh_keys' in user %}

  190.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  191. users_user_{{ name }}_private_key:

  192.   file.managed:

  193.     - name: {{ home }}/.ssh/{{ key_type }}

  194.     - user: {{ name }}

  195.     - group: {{ user_group }}

  196.     - mode: 600

  197.     - show_diff: False

  198.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  199.     - require:

  200.       - user: users_{{ name }}_user

  201.       {% for group in user.get('groups', []) %}

  202.       - group: users_{{ name }}_{{ group }}_group

  203.       {% endfor %}

  204. users_user_{{ name }}_public_key:

  205.   file.managed:

  206.     - name: {{ home }}/.ssh/{{ key_type }}.pub

  207.     - user: {{ name }}

  208.     - group: {{ user_group }}

  209.     - mode: 644

  210.     - show_diff: False

  211.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  212.     - require:

  213.       - user: users_{{ name }}_user

  214.       {% for group in user.get('groups', []) %}

  215.       - group: users_{{ name }}_{{ group }}_group

  216.       {% endfor %}

  217.   {% endif %}

  218. 

  219. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  220. users_authorized_keys_{{ name }}:

  221.   file.managed:

  222.     - name: {{ home }}/.ssh/authorized_keys

  223.     - user: {{ name }}

  224.     - group: {{ user_group }}

  225.     - mode: 600

  226. {% if 'ssh_auth_file' in user %}

  227.     - contents: |

  228.         {% for auth in user.ssh_auth_file -%}

  229.         {{ auth }}

  230.         {% endfor -%}

  231. {% else %}

  232.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}

  233.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  234.         {%- endfor %}

  235. {% endif %}

  236. {% endif %}

  237. 

  238. {% if 'ssh_auth' in user %}

  239. {% for auth in user['ssh_auth'] %}

  240. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  241.   ssh_auth.present:

  242.     - user: {{ name }}

  243.     - name: {{ auth }}

  244.     - require:

  245.         - file: user_keydir_{{ name }}

  246.         - user: users_{{ name }}_user

  247. {% endfor %}

  248. {% endif %}

  249. 

  250. {% if 'ssh_keys_pillar' in user %}

  251. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  252. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  253.   file.managed:

  254.     - name: {{ home }}/.ssh/{{ key_name }}

  255.     - user: {{ name }}

  256.     - group: {{ user_group }}

  257.     - mode: 600

  258.     - show_diff: False

  259.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  260.     - require:

  261.       - user: users_{{ name }}_user

  262.       {% for group in user.get('groups', []) %}

  263.       - group: users_{{ name }}_{{ group }}_group

  264.       {% endfor %}

  265. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  266.   file.managed:

  267.     - name: {{ home }}/.ssh/{{ key_name }}.pub

  268.     - user: {{ name }}

  269.     - group: {{ user_group }}

  270.     - mode: 644

  271.     - show_diff: False

  272.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  273.     - require:

  274.       - user: users_{{ name }}_user

  275.       {% for group in user.get('groups', []) %}

  276.       - group: users_{{ name }}_{{ group }}_group

  277.       {% endfor %}

  278. {% endfor %}

  279. {% endif %}

  280. 

  281. {% if 'ssh_auth_sources' in user %}

  282. {% for pubkey_file in user['ssh_auth_sources'] %}

  283. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  284.   ssh_auth.present:

  285.     - user: {{ name }}

  286.     - source: {{ pubkey_file }}

  287.     - require:

  288.         - file: users_{{ name }}_user

  289.         - user: users_{{ name }}_user

  290. {% endfor %}

  291. {% endif %}

  292. 

  293. {% if 'ssh_auth.absent' in user %}

  294. {% for auth in user['ssh_auth.absent'] %}

  295. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  296.   ssh_auth.absent:

  297.     - user: {{ name }}

  298.     - name: {{ auth }}

  299.     - require:

  300.         - file: users_{{ name }}_user

  301.         - user: users_{{ name }}_user

  302. {% endfor %}

  303. {% endif %}

  304. 

  305. {% if 'ssh_config' in user %}

  306. users_ssh_config_{{ name }}:

  307.   file.managed:

  308.     - name: {{ home }}/.ssh/config

  309.     - user: {{ name }}

  310.     - group: {{ user_group }}

  311.     - mode: 640

  312.     - contents: |

  313.         # Managed by Saltstack

  314.         # Do Not Edit

  315.         {% for label, setting in user.ssh_config.items() %}

  316.         # {{ label }}

  317.         Host {{ setting.get('hostname') }}

  318.           {%- for opts in setting.get('options') %}

  319.           {{ opts }}

  320.           {%- endfor %}

  321.         {% endfor -%}

  322. {% endif %}

  323. 

  324. {% if 'ssh_known_hosts' in user %}

  325. {% for hostname, host in user['ssh_known_hosts'].items() %}

  326. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  327.   ssh_known_hosts.present:

  328.     - user: {{ name }}

  329.     - name: {{ hostname }}

  330.     {% if 'port' in host %}

  331.     - port: {{ host['port'] }}

  332.     {% endif -%}

  333.     {% if 'fingerprint' in host %}

  334.     - fingerprint: {{ host['fingerprint'] }}

  335.     {% endif -%}

  336.     {% if 'key' in host %}

  337.     - key: {{ host['key'] }}

  338.     {% endif -%}

  339.     {% if 'enc' in host %}

  340.     - enc: {{ host['enc'] }}

  341.     {% endif -%}

  342.     {% if 'hash_hostname' in host %}

  343.     - hash_hostname: {{ host['hash_hostname'] }}

  344.     {% endif -%}

  345. {% endfor %}

  346. {% endif %}

  347. 

  348. {% if 'ssh_known_hosts.absent' in user %}

  349. {% for host in user['ssh_known_hosts.absent'] %}

  350. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  351.   ssh_known_hosts.absent:

  352.     - user: {{ name }}

  353.     - name: {{ host }}

  354. {% endfor %}

  355. {% endif %}

  356. 

  357. {% if 'sudouser' in user and user['sudouser'] %}

  358. 

  359. users_sudoer-{{ name }}:

  360.   file.managed:

  361.     - replace: False

  362.     - name: {{ users.sudoers_dir }}/{{ name }}

  363.     - user: root

  364.     - group: {{ users.root_group }}

  365.     - mode: '0440'

  366. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  367. #{#%

  368. {% if 'sudo_rules' in user %}

  369. {% for rule in user['sudo_rules'] %}

  370. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  371.   cmd.run:

  372.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  373.     - stateful: True

  374.     - shell: {{ users.visudo_shell }}

  375.     - env:

  376.       # Specify the rule via an env var to avoid shell quoting issues.

  377.       - rule: "{{ name }} {{ rule }}"

  378.     - require_in:

  379.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  380. {% endfor %}

  381. {% endif %}

  382. {% if 'sudo_defaults' in user %}

  383. {% for entry in user['sudo_defaults'] %}

  384. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  385.   cmd.run:

  386.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  387.     - stateful: True

  388.     - shell: {{ users.visudo_shell }}

  389.     - env:

  390.       # Specify the rule via an env var to avoid shell quoting issues.

  391.       - rule: "Defaults:{{ name }} {{ entry }}"

  392.     - require_in:

  393.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  394. {% endfor %}

  395. {% endif %}

  396. #%#}

  397. 

  398. users_{{ users.sudoers_dir }}/{{ name }}:

  399.   file.managed:

  400.     - replace: True

  401.     - name: {{ users.sudoers_dir }}/{{ name }}

  402.     - contents: |

  403.       {%- if 'sudo_defaults' in user %}

  404.       {%- for entry in user['sudo_defaults'] %}

  405.         Defaults:{{ name }} {{ entry }}

  406.       {%- endfor %}

  407.       {%- endif %}

  408.       {%- if 'sudo_rules' in user %}

  409.         ########################################################################

  410.         # File managed by Salt (users-formula).

  411.         # Your changes will be overwritten.

  412.         ########################################################################

  413.         #

  414.       {%- for rule in user['sudo_rules'] %}

  415.         {{ name }} {{ rule }}

  416.       {%- endfor %}

  417.       {%- endif %}

  418.     - require:

  419.       - file: users_sudoer-defaults

  420.       - file: users_sudoer-{{ name }}

  421.   cmd.wait:

  422.     - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )

  423.     - watch:

  424.       - file: {{ users.sudoers_dir }}/{{ name }}

  425. {% endif %}

  426. {% else %}

  427. users_{{ users.sudoers_dir }}/{{ name }}:

  428.   file.absent:

  429.     - name: {{ users.sudoers_dir }}/{{ name }}

  430. {% endif %}

  431. 

  432. {%- if 'google_auth' in user %}

  433. {%- for svc in user['google_auth'] %}

  434. users_googleauth-{{ svc }}-{{ name }}:

  435.   file.managed:

  436.     - replace: false

  437.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  438.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  439.     - user: root

  440.     - group: {{ users.root_group }}

  441.     - mode: 400

  442.     - require:

  443.       - pkg: users_googleauth-package

  444. {%- endfor %}

  445. {%- endif %}

  446. 

  447. #

  448. # if not salt['cmd.has_exec']('git')

  449. # fails even if git is installed

  450. #

  451. # this doesn't work (Salt bug), therefore need to run state.apply twice

  452. #include:

  453. #  - users

  454. #

  455. #git:

  456. #  pkg.installed:

  457. #    - require_in:

  458. #      - sls: users

  459. #

  460. {% if 'gitconfig' in user %}

  461. {% for key, value in user['gitconfig'].items() %}

  462. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  463.   {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  464.   git.config_set:

  465.   {% else %}

  466.   git.config:

  467.   {% endif %}

  468.     - name: {{ key }}

  469.     - value: "{{ value }}"

  470.     - user: {{ name }}

  471.     {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  472.     - global: True

  473.     {% else %}

  474.     - is_global: True

  475.     {% endif %}

  476. {% endfor %}

  477. {% endif %}

  478. 

  479. {% endfor %}

  480. 

  481. 

  482. {% for name, user in pillar.get('users', {}).items()

  483.         if user.absent is defined and user.absent %}

  484. users_absent_user_{{ name }}:

  485. {% if 'purge' in user or 'force' in user %}

  486.   user.absent:

  487.     - name: {{ name }}

  488.     {% if 'purge' in user %}

  489.     - purge: {{ user['purge'] }}

  490.     {% endif %}

  491.     {% if 'force' in user %}

  492.     - force: {{ user['force'] }}

  493.     {% endif %}

  494. {% else %}

  495.   user.absent:

  496.     - name: {{ name }}

  497. {% endif -%}

  498. users_{{ users.sudoers_dir }}/{{ name }}:

  499.   file.absent:

  500.     - name: {{ users.sudoers_dir }}/{{ name }}

  501. {% endfor %}

  502. 

  503. {% for user in pillar.get('absent_users', []) %}

  504. users_absent_user_2_{{ user }}:

  505.   user.absent:

  506.     - name: {{ user }}

  507. users_2_{{ users.sudoers_dir }}/{{ user }}:

  508.   file.absent:

  509.     - name: {{ users.sudoers_dir }}/{{ user }}

  510. {% endfor %}

  511. 

  512. {% for group in pillar.get('absent_groups', []) %}

  513. users_absent_group_{{ group }}:

  514.   group.absent:

  515.     - name: {{ group }}

  516. {% endfor %}