diff --git a/README.rst b/README.rst
index 4d784d7..543a712 100644
--- a/README.rst
+++ b/README.rst
@@ -19,7 +19,7 @@ Available states
 ``users``
 ---------
-Configure a user's home directory, group, the user itself, secondary groups,
+Configures a user's home directory, group, the user itself, secondary groups,
 and associated keys. Also configures sudo access, and absent users.
 ``users.sudo``
@@ -31,21 +31,21 @@ is configured.
 ``users.bashrc``
 ----------------
-Ensures the bashrc file exists in the users home directory. Set manage_bashrc:
-True in pillar per user. Defaults to False
+Ensures the bashrc file exists in the users home directory. Sets 'manage_bashrc:
+True' in pillar per user. Defaults to False.
 ``users.profile``
 ----------------
-Ensures the profile file exists in the users home directory. Set manage_profile:
-True in pillar per user. Defaults to False
+Ensures the profile file exists in the users home directory. Sets 'manage_profile:
+True' in pillar per user. Defaults to False.
 ``users.vimrc``
 ---------------
-Ensures the vimrc file exists in the users home directory. Set manage_vimrc:
-True in pillar per user. Defaults to False
-This depends on the vim-formula to be installed
+Ensures the vimrc file exists in the users home directory. Sets 'manage_vimrc:
+True' in pillar per user. Defaults to False.
+This depends on the vim-formula to be installed.
 ``users.user_files``
 ---------------
diff --git a/pillar.example b/pillar.example
index 4e55a7c..fedcaaf 100644
--- a/pillar.example
+++ b/pillar.example
@@ -11,9 +11,11 @@ users:
 # WARNING: If 'empty_password' is set to True, the 'password' statement
 # will be ignored by enabling password-less login for the user.
 empty_password: False
+ system: False
 home: /custom/buser
 homedir_owner: buser
 homedir_group: primarygroup
+ user_dir_mode: 750
 createhome: True
 roomnumber: "A-1"
 workphone: "(555) 555-5555"
@@ -36,11 +38,15 @@ users:
 sudo_defaults:
 - '!requiretty'
 shell: /bin/bash
+ remove_groups: False
 prime_group:
 name: primarygroup
 gid: 500
 groups:
 - users
+ optional_groups:
+ - some_groups_that_might
+ - not_exist_on_all_minions
 ssh_key_type: rsa
 # You can inline the private keys ...
 ssh_keys:
diff --git a/users/bashrc.sls b/users/bashrc.sls
index fc268f4..4d4ca4d 100644
--- a/users/bashrc.sls
+++ b/users/bashrc.sls
@@ -3,10 +3,11 @@ include:
 - users
 {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- set current = salt.user.info(name) -%}
 {%- if user == None -%}
 {%- set user = {} -%}
 {%- endif -%}
-{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
 {%- set manage = user.get('manage_bashrc', False) -%}
 {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
 {%- set user_group = user.prime_group.name -%}
diff --git a/users/init.sls b/users/init.sls
index 3bc45ad..15c40d4 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -38,7 +38,8 @@ include:
 {%- if user == None -%}
 {%- set user = {} -%}
 {%- endif -%}
-{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set current = salt.user.info(name) -%}
+{%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
 {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
 {%- set user_group = user.prime_group.name -%}
@@ -73,10 +74,13 @@ users_{{ name }}_user:
 {%- elif 'uid' in user %}
 - gid: {{ user['uid'] }}
 {%- endif %}
+ {% if 'system' in user and user['system'] %}
+ - system: True
+ {% endif %}
 user.present:
 - name: {{ name }}
 - home: {{ home }}
- - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
+ - shell: {{ user.get('shell', current.get('shell', users.get('shell', '/bin/bash'))) }}
 {% if 'uid' in user -%}
 - uid: {{ user['uid'] }}
 {% endif -%}
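Review bot: The new `{%- set current = salt.user.info(name) -%}` uses attribute-style module access while this formula otherwise calls execution modules as `salt['pillar.get'](...)` (see the user_files.sls hunk and the removed `salt['pillar.get']` line in init.sls); for a consistent style write `{%- set current = salt['user.info'](name) -%}`. The same line is added in init.sls, profile.sls, user_files.sls and vimrc.sls, so every included state file re-queries the minion's account database once per user at render time; computing it once in a shared include and importing it would avoid the repetition. Nothing documents that the home lookup order is now pillar value, then the home the minion currently reports, then /home/<name>; a comment above the set such as `{#- home: pillar value, else the account's current home on the minion, else /home/<name> -#}` would make that explicit. The enclosing for-loop body continues outside the hunk.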
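Review bot: The added `- system: True` sits between the `- gid:` entry and `user.present:`, i.e. inside the group state rather than the user state, so a pillar entry `system: True` (as documented in pillar.example) appears to create a system group while the account itself still gets a regular uid; if a system account is intended, `user.present` needs its own `- system: True` under the same condition. Separately, the new shell lookup ranks the shell the minion currently reports above the formula-level `users.shell` default, so a default such as a nologin shell set in pillar would no longer be applied to accounts that already exist with another shell; if `users.shell` is meant to express desired state it should come before `current.get('shell', ...)`, or the README should state that the minion's current shell wins. The users_{{ name }}_user state starts above the hunk and continues below it.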
@@ -131,6 +135,12 @@ users_{{ name }}_user:
 {% for group in user.get('groups', []) -%}
 - {{ group }}
 {% endfor %}
+ {% if 'optional_groups' in user %}
+ - optional_groups:
+ {% for optional_group in user['optional_groups'] -%}
+ - {{optional_group}}
+ {% endfor %}
+ {% endif %}
 - require:
 - group: {{ user_group }}
 {% for group in user.get('groups', []) -%}
@@ -146,7 +156,7 @@ users_{{ name }}_user:
 'ssh_config' in user %}
 user_keydir_{{ name }}:
 file.directory:
- - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
+ - name: {{ home }}/.ssh
 - user: {{ name }}
 - group: {{ user_group }}
 - makedirs: True
@@ -163,8 +173,7 @@ user_keydir_{{ name }}:
 {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
 users_user_{{ name }}_private_key:
 file.managed:
- - name: {{ user.get('home',
- '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
+ - name: {{ home }}/.ssh/{{ key_type }}
 - user: {{ name }}
 - group: {{ user_group }}
 - mode: 600
@@ -177,8 +186,7 @@ users_user_{{ name }}_private_key:
 {% endfor %}
 users_user_{{ name }}_public_key:
 file.managed:
- - name: {{ user.get('home',
- '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
+ - name: {{ home }}/.ssh/{{ key_type }}.pub
 - user: {{ name }}
 - group: {{ user_group }}
 - mode: 644
@@ -204,9 +212,8 @@ users_authorized_keys_{{ name }}:
 {{ auth }}
 {% endfor -%}
 {% else %}
- - contents: |
- {%- for key_name, pillar_name in user['ssh_auth_pillar'].iteritems() %}
- {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
+ {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
+ - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
 {%- endfor %}
 {% endif %}
 {% endif %}
@@ -218,7 +225,7 @@ users_ssh_auth_{{ name }}_{{ loop.index0 }}:
 - user: {{ name }}
 - name: {{ auth }}
 - require:
- - file: users_{{ name }}_user
+ - file: user_keydir_{{ name }}
 - user: users_{{ name }}_user
 {% endfor %}
 {% endif %}
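Review bot: `- {{optional_group}}` omits the spaces inside the braces that every other expression in this file uses (`- {{ group }}` two lines above in the same hunk); write `- {{ optional_group }}`. The user.present state this list belongs to starts above the hunk and continues below it.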
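Review bot: The new loop emits one `- contents_pillar:` argument per entry of `ssh_auth_pillar`, so a user with more than one entry yields a single file.managed state with the same argument repeated; depending on the Salt version that is either rejected or only one of the keys ends up in authorized_keys, whereas the removed `contents: |` block concatenated all of them. If several keys per user are meant to be supported, keep one `contents:` block built from `salt['pillar.get'](pillar_name ~ ':' ~ key_name ~ ':pubkey')`; otherwise document in README.rst that `ssh_auth_pillar` holds exactly one entry. A missing pillar key now fails the state instead of silently writing an empty key line as the old default `''` did, which is the safer outcome for an authorized_keys file and is worth stating in the README as well. The users_authorized_keys_{{ name }} state starts above the hunk.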
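Review bot: The require now points at `file: user_keydir_{{ name }}`, but that state is rendered only under the multi-line condition whose tail `'ssh_config' in user %}` is visible in the hunk at new line 156; if `ssh_auth` is not one of the keys in that condition, a user with only `ssh_auth` set gets a requisite naming a state that does not exist and the whole run fails for that user. Please confirm the condition includes `'ssh_auth' in user` or add it there. The users_ssh_auth_{{ name }}_{{ loop.index0 }} state starts above the hunk.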
@@ -227,8 +234,7 @@ users_ssh_auth_{{ name }}_{{ loop.index0 }}:
 {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
 user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
 file.managed:
- - name: {{ user.get('home',
- '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
+ - name: {{ home }}/.ssh/{{ key_name }}
 - user: {{ name }}
 - group: {{ user_group }}
 - mode: 600
@@ -241,8 +247,7 @@ user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
 {% endfor %}
 user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
 file.managed:
- - name: {{ user.get('home',
- '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
+ - name: {{ home }}/.ssh/{{ key_name }}.pub
 - user: {{ name }}
 - group: {{ user_group }}
 - mode: 644
@@ -336,6 +341,7 @@ users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
 users_sudoer-{{ name }}:
 file.managed:
+ - replace: False
 - name: {{ users.sudoers_dir }}/{{ name }}
 - user: root
 - group: {{ users.root_group }}
@@ -374,6 +380,7 @@ users_sudoer-{{ name }}:
 users_{{ users.sudoers_dir }}/{{ name }}:
 file.managed:
+ - replace: True
 - name: {{ users.sudoers_dir }}/{{ name }}
 - contents: |
 {%- if 'sudo_defaults' in user %}
@@ -382,6 +389,11 @@ users_{{ users.sudoers_dir }}/{{ name }}:
 {%- endfor %}
 {%- endif %}
 {%- if 'sudo_rules' in user %}
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
 {%- for rule in user['sudo_rules'] %}
 {{ name }} {{ rule }}
 {%- endfor %}
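Review bot: The "File managed by Salt" banner is emitted inside `{%- if 'sudo_rules' in user %}`, after the sudo_defaults block, so a fragment that carries only `sudo_defaults` gets no banner and one that carries both has it in the middle of the file rather than at the top. Move the five banner lines to directly under `- contents: |` (outside both conditionals, visible in the previous hunk) so every generated fragment starts with the notice. The contents block starts above this hunk.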
@@ -389,10 +401,10 @@ users_{{ users.sudoers_dir }}/{{ name }}:
 - require:
 - file: users_sudoer-defaults
 - file: users_sudoer-{{ name }}
- cmd.wait:
+ cmd.wait:
 - name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 )
- - watch:
- - file: {{ users.sudoers_dir }}/{{ name }}
+ - watch:
+ - file: {{ users.sudoers_dir }}/{{ name }}
 {% endif %}
 {% else %}
 users_{{ users.sudoers_dir }}/{{ name }}:
@@ -466,7 +478,8 @@ users_{{ users.sudoers_dir }}/{{ name }}:
 {% for user in pillar.get('absent_users', []) %}
 users_absent_user_2_{{ user }}:
- user.absent
+ user.absent:
+ - name: {{ name }}
 users_2_{{ users.sudoers_dir }}/{{ user }}:
 file.absent:
 - name: {{ users.sudoers_dir }}/{{ user }}
diff --git a/users/profile.sls b/users/profile.sls
index b62c096..55ac8e2 100644
--- a/users/profile.sls
+++ b/users/profile.sls
@@ -3,10 +3,11 @@ include:
 - users
 {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- set current = salt.user.info(name) -%}
 {%- if user == None -%}
 {%- set user = {} -%}
 {%- endif -%}
-{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
 {%- set manage = user.get('manage_profile', False) -%}
 {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
 {%- set user_group = user.prime_group.name -%}
diff --git a/users/user_files.sls b/users/user_files.sls
index 95c1281..461628b 100644
--- a/users/user_files.sls
+++ b/users/user_files.sls
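Review bot: The re-indented `cmd.wait` still validates the sudoers fragment only after file.managed has already written it to `{{ users.sudoers_dir }}/{{ name }}`, so a malformed rule is live in sudoers.d until the wait state runs and, if the run aborts in between, stays there; a syntax error in any fragment can make sudo refuse to run at all, so the check belongs before the write. file.managed supports `- check_cmd: visudo -cf` on the users_{{ users.sudoers_dir }}/{{ name }} state, which validates the candidate file and leaves the existing one untouched on failure, making the rm-based cleanup in the wait state unnecessary. The file.managed state that this require list belongs to starts above the hunk.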
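Review bot: `- name: {{ name }}` in the added user.absent argument refers to the loop variable of the earlier `users` loop, but this loop is `{% for user in pillar.get('absent_users', []) %}`; Jinja loop variables do not leak out of their loop, so `name` is undefined here and the render either fails under strict undefined handling or, with lenient handling, produces an empty `name:` and the account listed in absent_users is never removed. The sibling file.absent state two lines below already uses `{{ user }}`, so the argument should be `- name: {{ user }}`. Because deprovisioned accounts staying behind is an access-control failure that lenient rendering would hide, this is worth covering in the formula's tests if it has any.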
@@ -5,9 +5,10 @@ include:
 {% set userfile_dirs = salt['cp.list_master_dirs'](prefix='users/files/user/') -%}
 {%- for username, user in salt['pillar.get']('users', {}).items() if (user.absent is not defined or not user.absent) -%}
+{%- set current = salt.user.info(username) -%}
 {%- set user_files = salt['pillar.get'](('users:' ~ username ~ ':user_files'), {'enabled': False}) -%}
 {%- set user_group = salt['pillar.get'](('users:' ~ username ~ ':prime_group:name'), username) -%}
-{%- set user_home = salt['pillar.get'](('users:' ~ username ~ ':home'), '/home/' ~ username ) -%}
+{%- set user_home = salt['pillar.get'](('users:' ~ username ~ ':home'), current.get('home', '/home/' ~ username )) -%}
 {%- if user_files.enabled -%}
 {%- if user_files.source is defined -%}
diff --git a/users/vimrc.sls b/users/vimrc.sls
index e678bb6..5404738 100644
--- a/users/vimrc.sls
+++ b/users/vimrc.sls
@@ -4,10 +4,11 @@ include:
 - vim
 {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- set current = salt.user.info(name) -%}
 {%- if user == None -%}
 {%- set user = {} -%}
 {%- endif -%}
-{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
 {%- set manage = user.get('manage_vimrc', False) -%}
 {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
 {%- set user_group = user.prime_group.name -%}