salt
/
users-formula
フォーク元 ExternalMirrors/users-formula
ウォッチ 1
スター 0
フォーク 0
コード リリース 0 アクティビティ
Saltstack Official Users Formula
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
199 コミット
2 ブランチ
ツリー: fa02b954a5
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'fa02b954a5' から
${ noResults }
users-formula/users/init.sls

480 行
14KB
Raw Blame 履歴 

  1. # vim: sts=2 ts=2 sw=2 et ai

  2. {% from "users/map.jinja" import users with context %}

  3. {% set used_sudo = [] %}

  4. {% set used_googleauth = [] %}

  5. {% set used_user_files = [] %}

  6. 

  7. {%- for name, user in pillar.get('users', {}).items()

  8.         if user.absent is not defined or not user.absent %}

  9. {%- if user == None -%}

  10. {%- set user = {} -%}

  11. {%- endif -%}

  12. {%- if 'sudouser' in user and user['sudouser'] %}

  13. {%- do used_sudo.append(1) %}

  14. {%- endif %}

  15. {%- if 'google_auth' in user %}

  16. {%- do used_googleauth.append(1) %}

  17. {%- endif %}

  18. {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}

  19. {%- do used_user_files.append(1) %}

  20. {%- endif %}

  21. {%- endfor %}

  22. 

  23. {%- if used_sudo or used_googleauth or used_user_files %}

  24. include:

  25. {%- if used_sudo %}

  26.   - users.sudo

  27. {%- endif %}

  28. {%- if used_googleauth %}

  29.   - users.googleauth

  30. {%- endif %}

  31. {%- if used_user_files %}

  32.   - users.user_files

  33. {%- endif %}

  34. {%- endif %}

  35. 

  36. {% for name, user in pillar.get('users', {}).items()

  37.         if user.absent is not defined or not user.absent %}

  38. {%- if user == None -%}

  39. {%- set user = {} -%}

  40. {%- endif -%}

  41. {%- set home = user.get('home', "/home/%s" % name) -%}

  42. 

  43. {%- if 'prime_group' in user and 'name' in user['prime_group'] %}

  44. {%- set user_group = user.prime_group.name -%}

  45. {%- else -%}

  46. {%- set user_group = name -%}

  47. {%- endif %}

  48. 

  49. {% for group in user.get('groups', []) %}

  50. users_{{ name }}_{{ group }}_group:

  51.   group.present:

  52.     - name: {{ group }}

  53.     {% if group == 'sudo' %}

  54.     - system: True

  55.     {% endif %}

  56. {% endfor %}

  57. 

  58. users_{{ name }}_user:

  59.   {% if user.get('createhome', True) %}

  60.   file.directory:

  61.     - name: {{ home }}

  62.     - user: {{ user.get('user_dir_user', name) }}

  63.     - group: {{ user.get('user_dir_group', user_group) }}

  64.     - mode: {{ user.get('user_dir_mode', '0750') }}

  65.     - require:

  66.       - user: users_{{ name }}_user

  67.       - group: {{ user_group }}

  68.   {%- endif %}

  69.   group.present:

  70.     - name: {{ user_group }}

  71.     {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}

  72.     - gid: {{ user['prime_group']['gid'] }}

  73.     {%- elif 'uid' in user %}

  74.     - gid: {{ user['uid'] }}

  75.     {%- endif %}

  76.   user.present:

  77.     - name: {{ name }}

  78.     - home: {{ home }}

  79.     - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}

  80.     {% if 'uid' in user -%}

  81.     - uid: {{ user['uid'] }}

  82.     {% endif -%}

  83.     {% if 'password' in user -%}

  84.     - password: '{{ user['password'] }}'

  85.     {% endif -%}

  86.     {% if user.get('empty_password') -%}

  87.     - empty_password: {{ user.get('empty_password') }}

  88.     {% endif -%}

  89.     {% if 'enforce_password' in user -%}

  90.     - enforce_password: {{ user['enforce_password'] }}

  91.     {% endif -%}

  92.     {% if user.get('system', False) -%}

  93.     - system: True

  94.     {% endif -%}

  95.     {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}

  96.     - gid: {{ user['prime_group']['gid'] }}

  97.     {% else -%}

  98.     - gid_from_name: True

  99.     {% endif -%}

  100.     {% if 'fullname' in user %}

  101.     - fullname: {{ user['fullname'] }}

  102.     {% endif -%}

  103.     {% if 'roomnumber' in user %}

  104.     - roomnumber: {{ user['roomnumber'] }}

  105.     {% endif %}

  106.     {% if 'workphone' in user %}

  107.     - workphone: {{ user['workphone'] }}

  108.     {% endif %}

  109.     {% if 'homephone' in user %}

  110.     - homephone: {{ user['workphone'] }}

  111.     {% endif %}

  112.     {% if not user.get('createhome', True) %}

  113.     - createhome: False

  114.     {% endif %}

  115.     {% if 'expire' in user -%}

  116.         {% if grains['kernel'].endswith('BSD') and

  117.             user['expire'] < 157766400 %}

  118.         {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}

  119.     - expire: {{ user['expire'] * 86400 }}

  120.         {% elif grains['kernel'] == 'Linux' and

  121.             user['expire'] > 84006 %}

  122.         {# 2932896 days since epoch equals 9999-12-31 #}

  123.     - expire: {{ (user['expire'] / 86400) | int}}

  124.         {% else %}

  125.     - expire: {{ user['expire'] }}

  126.         {% endif %}

  127.     {% endif -%}

  128.     - remove_groups: {{ user.get('remove_groups', 'False') }}

  129.     - groups:

  130.       - {{ user_group }}

  131.       {% for group in user.get('groups', []) -%}

  132.       - {{ group }}

  133.       {% endfor %}

  134.     - require:

  135.       - group: {{ user_group }}

  136.       {% for group in user.get('groups', []) -%}

  137.       - group: {{ group }}

  138.       {% endfor %}

  139. 

  140. 

  141.   {% if 'ssh_keys' in user or

  142.       'ssh_auth' in user or

  143.       'ssh_auth_file' in user or

  144.       'ssh_auth_pillar' in user or

  145.       'ssh_auth.absent' in user or

  146.       'ssh_config' in user %}

  147. user_keydir_{{ name }}:

  148.   file.directory:

  149.     - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh

  150.     - user: {{ name }}

  151.     - group: {{ user_group }}

  152.     - makedirs: True

  153.     - mode: 700

  154.     - require:

  155.       - user: {{ name }}

  156.       - group: {{ user_group }}

  157.       {%- for group in user.get('groups', []) %}

  158.       - group: {{ group }}

  159.       {%- endfor %}

  160.   {% endif %}

  161. 

  162.   {% if 'ssh_keys' in user %}

  163.   {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}

  164. users_user_{{ name }}_private_key:

  165.   file.managed:

  166.     - name: {{ user.get('home',

  167.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}

  168.     - user: {{ name }}

  169.     - group: {{ user_group }}

  170.     - mode: 600

  171.     - show_diff: False

  172.     - contents_pillar: users:{{ name }}:ssh_keys:privkey

  173.     - require:

  174.       - user: users_{{ name }}_user

  175.       {% for group in user.get('groups', []) %}

  176.       - group: users_{{ name }}_{{ group }}_group

  177.       {% endfor %}

  178. users_user_{{ name }}_public_key:

  179.   file.managed:

  180.     - name: {{ user.get('home',

  181.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub

  182.     - user: {{ name }}

  183.     - group: {{ user_group }}

  184.     - mode: 644

  185.     - show_diff: False

  186.     - contents_pillar: users:{{ name }}:ssh_keys:pubkey

  187.     - require:

  188.       - user: users_{{ name }}_user

  189.       {% for group in user.get('groups', []) %}

  190.       - group: users_{{ name }}_{{ group }}_group

  191.       {% endfor %}

  192.   {% endif %}

  193. 

  194. {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}

  195. users_authorized_keys_{{ name }}:

  196.   file.managed:

  197.     - name: {{ home }}/.ssh/authorized_keys

  198.     - user: {{ name }}

  199.     - group: {{ user_group }}

  200.     - mode: 600

  201. {% if 'ssh_auth_file' in user %}

  202.     - contents: |

  203.         {% for auth in user.ssh_auth_file -%}

  204.         {{ auth }}

  205.         {% endfor -%}

  206. {% else %}

  207.     - contents: |

  208.         {%- for key_name, pillar_name in user['ssh_auth_pillar'].iteritems() %}

  209.         {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}

  210.         {%- endfor %}

  211. {% endif %}

  212. {% endif %}

  213. 

  214. {% if 'ssh_auth' in user %}

  215. {% for auth in user['ssh_auth'] %}

  216. users_ssh_auth_{{ name }}_{{ loop.index0 }}:

  217.   ssh_auth.present:

  218.     - user: {{ name }}

  219.     - name: {{ auth }}

  220.     - require:

  221.         - file: users_{{ name }}_user

  222.         - user: users_{{ name }}_user

  223. {% endfor %}

  224. {% endif %}

  225. 

  226. {% if 'ssh_keys_pillar' in user %}

  227. {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}

  228. user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:

  229.   file.managed:

  230.     - name: {{ user.get('home',

  231.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}

  232.     - user: {{ name }}

  233.     - group: {{ user_group }}

  234.     - mode: 600

  235.     - show_diff: False

  236.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey

  237.     - require:

  238.       - user: users_{{ name }}_user

  239.       {% for group in user.get('groups', []) %}

  240.       - group: users_{{ name }}_{{ group }}_group

  241.       {% endfor %}

  242. user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:

  243.   file.managed:

  244.     - name: {{ user.get('home',

  245.                   '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub

  246.     - user: {{ name }}

  247.     - group: {{ user_group }}

  248.     - mode: 644

  249.     - show_diff: False

  250.     - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey

  251.     - require:

  252.       - user: users_{{ name }}_user

  253.       {% for group in user.get('groups', []) %}

  254.       - group: users_{{ name }}_{{ group }}_group

  255.       {% endfor %}

  256. {% endfor %}

  257. {% endif %}

  258. 

  259. {% if 'ssh_auth_sources' in user %}

  260. {% for pubkey_file in user['ssh_auth_sources'] %}

  261. users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:

  262.   ssh_auth.present:

  263.     - user: {{ name }}

  264.     - source: {{ pubkey_file }}

  265.     - require:

  266.         - file: users_{{ name }}_user

  267.         - user: users_{{ name }}_user

  268. {% endfor %}

  269. {% endif %}

  270. 

  271. {% if 'ssh_auth.absent' in user %}

  272. {% for auth in user['ssh_auth.absent'] %}

  273. users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:

  274.   ssh_auth.absent:

  275.     - user: {{ name }}

  276.     - name: {{ auth }}

  277.     - require:

  278.         - file: users_{{ name }}_user

  279.         - user: users_{{ name }}_user

  280. {% endfor %}

  281. {% endif %}

  282. 

  283. {% if 'ssh_config' in user %}

  284. users_ssh_config_{{ name }}:

  285.   file.managed:

  286.     - name: {{ home }}/.ssh/config

  287.     - user: {{ name }}

  288.     - group: {{ user_group }}

  289.     - mode: 640

  290.     - contents: |

  291.         # Managed by Saltstack

  292.         # Do Not Edit

  293.         {% for label, setting in user.ssh_config.items() %}

  294.         # {{ label }}

  295.         Host {{ setting.get('hostname') }}

  296.           {%- for opts in setting.get('options') %}

  297.           {{ opts }}

  298.           {%- endfor %}

  299.         {% endfor -%}

  300. {% endif %}

  301. 

  302. {% if 'ssh_known_hosts' in user %}

  303. {% for hostname, host in user['ssh_known_hosts'].items() %}

  304. users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:

  305.   ssh_known_hosts.present:

  306.     - user: {{ name }}

  307.     - name: {{ hostname }}

  308.     {% if 'port' in host %}

  309.     - port: {{ host['port'] }}

  310.     {% endif -%}

  311.     {% if 'fingerprint' in host %}

  312.     - fingerprint: {{ host['fingerprint'] }}

  313.     {% endif -%}

  314.     {% if 'key' in host %}

  315.     - key: {{ host['key'] }}

  316.     {% endif -%}

  317.     {% if 'enc' in host %}

  318.     - enc: {{ host['enc'] }}

  319.     {% endif -%}

  320.     {% if 'hash_hostname' in host %}

  321.     - hash_hostname: {{ host['hash_hostname'] }}

  322.     {% endif -%}

  323. {% endfor %}

  324. {% endif %}

  325. 

  326. {% if 'ssh_known_hosts.absent' in user %}

  327. {% for host in user['ssh_known_hosts.absent'] %}

  328. users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:

  329.   ssh_known_hosts.absent:

  330.     - user: {{ name }}

  331.     - name: {{ host }}

  332. {% endfor %}

  333. {% endif %}

  334. 

  335. {% if 'sudouser' in user and user['sudouser'] %}

  336. 

  337. users_sudoer-{{ name }}:

  338.   file.managed:

  339.     - name: {{ users.sudoers_dir }}/{{ name }}

  340.     - user: root

  341.     - group: {{ users.root_group }}

  342.     - mode: '0440'

  343. {% if 'sudo_rules' in user or 'sudo_defaults' in user %}

  344. #{#%

  345. {% if 'sudo_rules' in user %}

  346. {% for rule in user['sudo_rules'] %}

  347. "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":

  348.   cmd.run:

  349.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  350.     - stateful: True

  351.     - shell: {{ users.visudo_shell }}

  352.     - env:

  353.       # Specify the rule via an env var to avoid shell quoting issues.

  354.       - rule: "{{ name }} {{ rule }}"

  355.     - require_in:

  356.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  357. {% endfor %}

  358. {% endif %}

  359. {% if 'sudo_defaults' in user %}

  360. {% for entry in user['sudo_defaults'] %}

  361. "validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":

  362.   cmd.run:

  363.     - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'

  364.     - stateful: True

  365.     - shell: {{ users.visudo_shell }}

  366.     - env:

  367.       # Specify the rule via an env var to avoid shell quoting issues.

  368.       - rule: "Defaults:{{ name }} {{ entry }}"

  369.     - require_in:

  370.       - file: users_{{ users.sudoers_dir }}/{{ name }}

  371. {% endfor %}

  372. {% endif %}

  373. #%#}

  374. 

  375. users_{{ users.sudoers_dir }}/{{ name }}:

  376.   file.managed:

  377.     - name: {{ users.sudoers_dir }}/{{ name }}

  378.     - contents: |

  379.       {%- if 'sudo_defaults' in user %}

  380.       {%- for entry in user['sudo_defaults'] %}

  381.         Defaults:{{ name }} {{ entry }}

  382.       {%- endfor %}

  383.       {%- endif %}

  384.       {%- if 'sudo_rules' in user %}

  385.       {%- for rule in user['sudo_rules'] %}

  386.         {{ name }} {{ rule }}

  387.       {%- endfor %}

  388.       {%- endif %}

  389.     - require:

  390.       - file: users_sudoer-defaults

  391.       - file: users_sudoer-{{ name }}

  392.   cmd.wait:                                                                           

  393.     - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )

  394.     - watch:                                                                         

  395.       - file: {{ users.sudoers_dir }}/{{ name }}   

  396. {% endif %}

  397. {% else %}

  398. users_{{ users.sudoers_dir }}/{{ name }}:

  399.   file.absent:

  400.     - name: {{ users.sudoers_dir }}/{{ name }}

  401. {% endif %}

  402. 

  403. {%- if 'google_auth' in user %}

  404. {%- for svc in user['google_auth'] %}

  405. users_googleauth-{{ svc }}-{{ name }}:

  406.   file.managed:

  407.     - replace: false

  408.     - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}

  409.     - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'

  410.     - user: root

  411.     - group: {{ users.root_group }}

  412.     - mode: 400

  413.     - require:

  414.       - pkg: users_googleauth-package

  415. {%- endfor %}

  416. {%- endif %}

  417. 

  418. {% if 'gitconfig' in user %}

  419. {% if not salt['cmd.has_exec']('git') %}

  420. skip_{{ name }}_gitconfig_since_git_not_installed:

  421.   test.fail_without_changes:

  422.     - name: "Git configuration for user {{ name }} has been skipped because Git is not installed."

  423. {% else %}

  424. {% for key, value in user['gitconfig'].items() %}

  425. users_{{ name }}_user_gitconfig_{{ loop.index0 }}:

  426.   {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  427.   git.config_set:

  428.   {% else %}

  429.   git.config:

  430.   {% endif %}

  431.     - name: {{ key }}

  432.     - value: "{{ value }}"

  433.     - user: {{ name }}

  434.     {% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %}

  435.     - global: True

  436.     {% else %}

  437.     - is_global: True

  438.     {% endif %}

  439. {% endfor %}

  440. {% endif %}

  441. {% endif %}

  442. 

  443. {% endfor %}

  444. 

  445. 

  446. {% for name, user in pillar.get('users', {}).items()

  447.         if user.absent is defined and user.absent %}

  448. users_absent_user_{{ name }}:

  449. {% if 'purge' in user or 'force' in user %}

  450.   user.absent:

  451.     - name: {{ name }}

  452.     {% if 'purge' in user %}

  453.     - purge: {{ user['purge'] }}

  454.     {% endif %}

  455.     {% if 'force' in user %}

  456.     - force: {{ user['force'] }}

  457.     {% endif %}

  458. {% else %}

  459.   user.absent:

  460.     - name: {{ name }}

  461. {% endif -%}

  462. users_{{ users.sudoers_dir }}/{{ name }}:

  463.   file.absent:

  464.     - name: {{ users.sudoers_dir }}/{{ name }}

  465. {% endfor %}

  466. 

  467. {% for user in pillar.get('absent_users', []) %}

  468. users_absent_user_2_{{ user }}:

  469.   user.absent

  470. users_2_{{ users.sudoers_dir }}/{{ user }}:

  471.   file.absent:

  472.     - name: {{ users.sudoers_dir }}/{{ user }}

  473. {% endfor %}

  474. 

  475. {% for group in pillar.get('absent_groups', []) %}

  476. users_absent_group_{{ group }}:

  477.   group.absent:

  478.     - name: {{ group }}

  479. {% endfor %}